
D-Link NetDefend SOHO DFL-160 User Manual

NetDefend SOHO UTM Firewall


UTM Firewall SOHO User Manual
DFL-160 Security
Ver 2.27.00
Network Security Solution http://www.dlink.com.tw


  Summary of Contents for D-Link NetDefend SOHO DFL-160

  • Page 2: User Manual

    User Manual D-Link DFL-160 Firewall NetDefendOS Version 2.27.00 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2010-05-24 Copyright © 2009...
  • Page 3 D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE...
  • Page 4: Table Of Contents

    Table of Contents: 1. Product Overview (p. 6); 1.1. The DFL-160 Solution (p. 6); 1.2. Ethernet Interfaces (p. 8); 1.3. The LED Indicators (p. 10); 2. Initial Setup (p. 12); 2.1. Unpacking (p. 12); 2.2. Web Browser Connection (p. 14); 2.3. Browser Connection Troubleshooting (p. 19); 2.4. ...
  • Page 5 B. Windows XP IP Setup (p. 121); C. Windows Vista IP Setup (p. 123); D. Windows 7 IP Setup (p. 125); E. Apple Mac IP Setup (p. 127); Alphabetical Index (p. 129)...
  • Page 6: Product Overview

    The DFL-160 and the NetDefendOS Software The term DFL-160 refers to the physical hardware that is provided with the NetDefend SOHO UTM product. The operating system software that drives the hardware is a purpose built networking operating system called D-Link NetDefendOS.
  • Page 7 DMZ traffic"). Note: No inbound traffic is initially allowed When a DFL-160 is started for the first time, no inbound traffic is allowed so the administrator should decide what inbound traffic will be allowed as one of the first setup steps.
  • Page 8: Ethernet Interfaces

    1.2. Ethernet Interfaces Physical Interface Arrangement The DFL-160 has a number of physical Ethernet interfaces which can be used to plug into other Ethernet networks. The image below shows these interfaces at the back of the hardware unit. Interface Network Connections The illustration below shows the typical usage of network connections to the DFL-160 interfaces.
  • Page 9 DFL-160. Interfaces LAN1 to LAN4 are connected together via a switch fabric in the DFL-160 which means that traffic travelling between them will not be subject to the control of NetDefendOS.
  • Page 10: The Led Indicators

    Ethernet Ports On the right hand side of the front of the DFL-160 there is a line of LED lights that show the status of the different Ethernet interfaces by showing a flashing or solid light in orange or green. The image below shows these LED status indicators.
  • Page 12: Initial Setup

    A CD ROM containing essential product documents and useful software utilities. Location of the Hardware The DFL-160 unit is designed for table mounting only. The product can be mounted on any appropriate stable, flat, level surface that can safely support the weight of the unit and its attached...
  • Page 13 Power Consumption Under 20 Watts Heat Flow Considerations The DFL-160 is a low power device that generates a modest amount of heat output during operation. The following precautions should be taken to allow this heat to dissipate: • Do not install the DFL-160 in an environment where the operating ambient temperature might come close to or go beyond the recommended operating temperature range (as stated in the table above, the operating range is from 0°C to +50°C).
  • Page 14: Web Browser Connection

    Once power is connected, NetDefendOS will take a couple of seconds to boot up. When this process is complete, the Status front panel light is lit and the DFL-160 is ready to be managed through a web browser.
  • Page 15 4. Connect to the DFL-160 by surfing to the IP address 192.168.10.1. Using a web browser (Internet Explorer or Firefox is recommended), surf to the IP address 192.168.10.1. This can be done using either HTTP or the more secure HTTPS protocol in the URL.
  • Page 16 Now login with the username admin and the password admin. The full web interface will now appear as shown below and you are ready to begin setting up the initial DFL-160 configuration. This initial web interface page after login always displays the System option in the Status menu, as shown above.
  • Page 17 Connecting to the Internet In the typical DFL-160 installation the next step is to connect to the public Internet. To do this the WAN interface should be connected to your Internet Service Provider (ISP). This is usually done through other equipment such as a broadband modem.
  • Page 18 features of the product and bring into use those which meet the needs of a particular installation. It is recommended that administrators familiarize themselves with the web interface by clicking on the main menu options and exploring the individual options available with each. The later part of this manual has a structure which reflects the naming and order of these menu options.
  • Page 19: Browser Connection Troubleshooting

    If the Input counters in the hardware section of the output are not increasing then the error is likely to be in the cabling. However, it may simply be that the packets are not getting to the DFL-160 in the first place. This can be confirmed with a packet sniffer if it is available.
  • Page 20: Console Port Connection

    2.4. Console Port Connection Initial setup of the DFL-160 can be done using only the web interface but the DFL-160 also provides a Command Line Interface (CLI) which can be used for certain administrative tasks. This is accessed through a console connected directly to the unit's RS232 COM port, which is shown below.
  • Page 21 This buffer limit means that a single large volume of console output may be truncated. This happens rarely and only with certain commands. The DFL-160 USB Port Next to the RS232 port is a USB port. This port is not used with the current version of NetDefendOS.
  • Page 23: The System Menu

    The sections that follow describe the options in this menu in the order they appear. 3.1. Administration The options on this page deal with administrator access to the DFL-160 through one of the Ethernet interfaces. The page is divided into 3 sections: A.
  • Page 24 By default, the administrator username admin with a password admin exists when a brand new DFL-160 is started for the first time. It is recommended, at a minimum, to change the password of this user as one of the first steps during initial setup.
  • Page 25 Management Through the Serial Console Some administration tasks can be carried out through a console device attached directly to the serial port of the DFL-160 which is described in Section 2.4, “Console Port Connection”. There are two administration options when using the console port: •...
  • Page 26: Internet Connection

    D. PPTP Connection A. DHCP Setup The DHCP protocol is a means for a network device, such as the DFL-160, to retrieve all required IP addresses automatically from a DHCP server. In this case, the ISP provides the IP addresses from its DHCP server, provided that the Ethernet connection to the ISP is functioning.
  • Page 27 The Idle Timeout is the length of time with inactivity that passes before PPPoE disconnection occurs if Dial-on-Demand is selected. DNS servers are set automatically after connection with PPPoE. D. PPTP Connection With this option, the username and password supplied by your ISP for PPTP connection should be entered.
  • Page 28: Lan Settings

    Section 1.2, “Ethernet Interfaces”, these are connected together by a switch fabric in the DFL-160 so they act as a single logical interface called LAN. This manual, therefore, refers only to the LAN logical interface and the rules applied to LAN apply to all four physical interfaces but not the traffic flowing between them.
  • Page 29 • Transparent Mode This mode is used if the DFL-160 is to be placed between the LAN and WAN interface in a transparent way. This means that no IP addresses need to be changed in either network, but the traffic flowing between the interfaces is still subject to the rules and controls imposed by NetDefendOS.
  • Page 30 With this option enabled, a range of IP addresses can be allocated which can then be allocated out to hosts on the network that need them. The presentation of the DHCP server options in the web interface is shown below.
  • Page 31: Dmz Settings

    3.4. DMZ Settings The settings in this part of the management web interface determine how the DFL-160's DMZ interface operates. These settings are very similar to the corresponding page for the LAN interface (see Section 3.3, “LAN Settings”).
  • Page 32 • Transparent Mode This mode is used if the DFL-160 is to be placed between the DMZ and WAN interface in a transparent way. This means that no IP addresses need to be changed in either network, but the traffic flowing between the interfaces is still subject to the rules and controls imposed by NetDefendOS.
  • Page 33 clicked to delete the entry. This feature allows the same IP address to be always allocated to a particular DHCP client. Transparent Mode and the Interface IP Address There are some considerations that should be noted with the DMZ IP address when transparent mode is enabled: •...
  • Page 34: Logging

    NetDefendOS or on an external SysLog server. A list of all event messages can be found in the DFL-160 Log Reference Guide. That guide also describes the design of event messages, the meaning of severity levels and the various attributes available.
  • Page 35 messages generated by NetDefendOS. By enabling this option, these log messages will be included. C. Email Alerts NetDefendOS can be configured to send emails to up to three email addresses when log messages are generated that are equal to or exceed a defined threshold.
  • Page 36: Date And Time

    A variety of NetDefendOS functions depend on the system date and time being set correctly for the DFL-160. It is therefore recommended to set the correct time and date as soon as possible. There are three time and date options: A.
  • Page 37 When usage of time servers is enabled, NetDefendOS will poll them on a regular basis and then adjust the DFL-160 system clock with the exact time. If the time server and the current time differ by more than one hour (60 minutes) then the time...
  • Page 38: Dynamic Dns Settings

    A DNS feature offered by NetDefendOS is the ability to explicitly inform DNS servers when the external IP address of the DFL-160 has changed. This is sometimes referred to as Dynamic DNS (DDNS) and is useful where the DFL-160 has an external IP address that can change.
  • Page 40: The Firewall Menu

    The options in the Firewall menu allow the administrator to control and manage the features of the DFL-160 that are specific to a firewall. A firewall, as the name suggests, is a capability that provides a protective barrier against a range of potential threats that can be transported by the public Internet towards sensitive internal networks.
  • Page 41: Outbound Lan Traffic Options

    The Meaning of Outbound These options determine what types of traffic can pass between the LAN network on the protected "inside" of the DFL-160 and the WAN interface when the connection is initiated by a client or host on the LAN network.
  • Page 42 By clicking the Custom Traffic tab and then selecting Add > Custom Traffic it is possible to allow through a protocol not specified in the pre-defined list. For a custom protocol it is necessary to specify if the protocol uses TCP or UDP connections or both and to specify the port number the protocol will try to connect to at the other end of the connection.
  • Page 43: Outbound Dmz Traffic Options

    4.2. Outbound DMZ Traffic Options The Meaning of Outbound These options determine what types of traffic can pass between the DMZ network and the WAN interface when the connection is initiated by a client or host on the DMZ network. For instance, the retrieval of data from a web server on the public Internet is still considered part of outbound traffic if the retrieval request is initiated by a web surfer sitting on the DMZ network.
  • Page 44 Specifying a Schedule A named Schedule can be defined through the Firewall > Schedules menu option and this can then be used with any individual protocol allowed for outgoing traffic from the LAN interface. Schedules specify a period of time when a particular selection is valid.
  • Page 45: Inbound Traffic Options

    Internet on the WAN interface. These connections are typically made to access some resource that sits behind the DFL-160, such as an HTTP server that is sitting on the DMZ network. By default, NO SUCH CONNECTIONS ARE ALLOWED and the administrator must explicitly allow individual protocols by ticking one or more of the checkboxes on this page of the web interface.
  • Page 46 application that typically makes use of multicast data transfers. C. Custom Traffic If a particular protocol does not appear in the standard list of protocols then a Custom Traffic "rule" can be created which allows incoming TCP or UDP traffic through on a specified port. As explained above, the custom rule must have a destination IP address specified which is either an internal IP address if NAT is being used or a public IP if NAT is not being used.
  • Page 47: Vpn Options

    There are two common scenarios where VPNs are used: LAN to LAN connection - Where two internal networks need to be connected together over the internet. In this case, each network is protected by an individual DFL-160 and the VPN tunnel is set up between them.
  • Page 48: Ipsec

    In summary, a VPN allows the public Internet to be used for setting up secure communications or tunnels between DFL-160s or between a DFL-160 and other security gateway devices or clients. VPN with the DFL-160...
  • Page 49 A PSK can be any alphanumeric character string. Security using digital certificates is not possible with the DFL-160 but is possible with higher-end D-Link NetDefend products.
  • Page 50 Advanced The advanced options provide a way to customize some of the parameters used by IPsec. This may be necessary in certain scenarios where the DFL-160 must communicate with an IPsec peer that expects certain conventions to be used. The advanced options are as follows: A.
  • Page 51 another phase-2 negotiation. There is no need to do another phase-1 negotiation until the IKE lifetime has expired. It is recommended that the lifetimes not be shorter than the following: • IKE lifetime - 600 seconds (10 minutes) •...
  • Page 52: L2Tp/Pptp Client

    4.4.2. L2TP/PPTP Client This option allows a tunnel to be set up where the DFL-160 acts as an L2TP or PPTP client. In this mode, a tunnel is set up where the DFL-160 connects to an L2TP or PPTP server.
  • Page 53: L2Tp/Pptp Server

    The Idle Timeout is the length of time with inactivity that passes before tunnel disconnection occurs. 4.4.3. L2TP/PPTP Server This option allows VPN tunnels to be set up based on the L2TP protocol, where the DFL-160 acts as an L2TP or PPTP server, receiving connection requests from external clients. Such clients are sometimes called roaming clients since they might not have a fixed IP address and might connect through a temporary connection to a remote network.
  • Page 54 DFL-160 using this tunnel. Relaying of DNS queries means that URL resolution requests are relayed to a DNS server. This requires that the DFL-160 have at least one DNS server defined. C. Authentication This section specifies how authentication is done with connecting clients.
  • Page 55: Vpn Users

    The NetDefendOS user authentication database is used only with VPN. When external clients connect through a VPN link to resources protected by the DFL-160, they can be required to provide a unique combination of a userid and a password (access without any authentication is also possible).
  • Page 56: Web Content Filtering

    WCF is a subscription based service and a one year subscription can be purchased as a license add-on from your D-Link agent. The buy license link here will open a D-Link window in your browser so that you can find your local agent. Alternatively you can click the link here:...
  • Page 57 B. Web Content Filter The option here is to enable or disable web content filtering. Note that HTTP and HTTPS traffic (or all traffic) should be allowed in the outgoing traffic options for the LAN or DMZ interfaces for clients on those networks to be able to reach the public Internet.
  • Page 58: The Content Categories

    4.6.2. The Content Categories It is possible to explicitly allow or explicitly block certain URLs by adding one or more Static URL Filters. This is also referred to as whitelisting and blacklisting and the URLs specified in such filters are not looked up by the WCF subsystem.
  • Page 59 online news publications and technology or trade journals. This does not include financial quotes (refer to the Investment Sites category (11)) or sports (refer to the Sports category (16)). Examples might be: •...
  • Page 60 form of entertainment that is not specifically covered by another category. Some examples of this are music sites, movies, hobbies, special interest, and fan clubs. This category also includes personal web pages such as those provided by ISPs. The following categories more specifically cover various entertainment content types: Pornography / Sex (1), Gambling (4), Chatrooms (8), Game Sites (10), Sports (16), Clubs and Societies (22) and Music Downloads (23).
  • Page 61 A web site may be classified under the E-Banking category if its content includes electronic banking information or services. This category does not include Investment related content; refer to the Investment Sites category (11). Examples might be: •...
  • Page 62 Category 18: Violence / Undesirable A web site may be classified under the Violence / Undesirable category if its contents are extremely violent or horrific in nature. This includes the promotion, description or depiction of violent acts, as well as web sites that have undesirable content and may not be classified elsewhere.
  • Page 63 A web site may be classified under the Music Downloads category if it provides online music downloading, uploading and sharing facilities as well as high bandwidth audio streaming. Examples might be: •...
  • Page 64 Category 29: Computing/IT A web site may be classified under the Computing/IT category if its content includes computing related information or services. Examples might be: • www.purplehat.com • www.gnu.org Category 30: Swimsuit/Lingerie/Models A web site may be categorized under the Swimsuit/Lingerie/Models category if its content includes information pertaining to, or images of, swimsuit, lingerie or general fashion models.
  • Page 65: Anti-Virus

    DFL-160. Once a virus is recognized in the contents of a file, the download can be terminated before it completes.
  • Page 66 NetDefendOS Anti-Virus scanning is a subscription based service and yearly subscriptions can be purchased from your local D-Link agent. After purchase, you will receive a code which is then used for activating IDP.
  • Page 67 the exclusion list such a file might not be scanned. To avoid this situation, NetDefendOS always performs MIME checking where it looks inside the file to determine what the true filetype of the data is.
  • Page 68: Idp Options

    With the DFL-160, servers that are accessed from the public Internet are typically situated on the network connected to the DMZ interface. This provides one form of defense against intrusions by isolating any server infection away from the most sensitive "inside"...
  • Page 69 It is recommended to scan the minimum number of protocols required. For example, if there is only an SMTP server in the DMZ network, then enabling the SMTP checkbox only is recommended. IDP scanning can consume the processing resources of the DFL-160 and it is therefore best to keep the scanning requested to a minimum.
  • Page 70 Both can be particularly useful when used for periods of time in log only mode to determine if IDP is indicating that a DFL-160 installation is being targeted by external intrusions.
  • Page 71: Traffic Shaping

    4.9. Traffic Shaping Traffic Shaping allows the administrator to control the level of flows for different types of traffic between the public Internet connected to the WAN interface and hosts on the LAN and DMZ networks.
  • Page 72 Specifying Rules Each rule is given a name for display purposes and then the Service associated with the rule can be specified. The Service corresponds to a protocol such as FTP. The predefined services are shown below.
  • Page 73 • Guarantee - Specify the guaranteed bandwidth only. • Max and Guarantee - Specify both the maximum and guaranteed bandwidth. The entry fields for the bandwidth are enabled in the interface according to the option chosen. The term Upstream means traffic leaving the WAN interface going towards the public Internet.
  • Page 74: Schedules

    4.10. Schedules Schedules are used to determine when certain features in NetDefendOS are enabled. For instance, it may be decided to allow web surfing from clients on the LAN interface only at certain times of the day. In this case, we would create a schedule that contained the times when surfing is allowed and then associate the schedule with the enabled HTTP option of Outbound LAN Traffic in the Firewall menu options.
  • Page 75 The comments field allows some text explanation to be added to the schedule. It serves only as a reminder to the administrator of what the schedule was intended for.
  • Page 77: The Tools Menu

    Chapter 5. The Tools Menu (sections: Ping, page 77). The Tools menu provides access to features which can be helpful in overall system operation. The sections that follow describe the options in this menu in the order they appear. 5.1. Ping The ICMP ping protocol provides a simple query/response tool to determine if a particular network component is alive.
  • Page 79: The Status Menu

    (sections: ... User Authentication Status, page 90; Routes, page 91; DHCP Server Status, page 92). The Status menu of the DFL-160 web interface provides various views of the current status, performance and loading of the various subsystems that make up NetDefendOS. Filtering Output...
  • Page 80: System Status

    (sections: ... B. UTM Statistics; C. Log History). A. System Resources Various graphical displays and numerical values show the current status of the DFL-160 system and how its resources are being used. B. UTM Statistics Unified Threat Management (UTM) consists of 3 components: Anti-Virus, IDP and Web Content Filtering.
  • Page 81 Clicking the More... link in the display will take you to the Logging option in the System menu for a more complete list of recent events and the filters to analyze them. The details of NetDefendOS logging can be found in Section 3.5, “Logging”.
  • Page 82: Logging Status

    Various events that occur in NetDefendOS cause log messages to be created. All possible log messages generated are documented in the accompanying DFL-160 Log Reference Guide. An external SysLog server can be configured to receive these events, as described in Section 3.5, “Logging”. That section also describes setting up email alerts for certain events.
  • Page 83: Anti-Virus Status

    6.3. Anti-Virus Status This page of the web interface provides the ability to view and filter out the last 500 log messages generated by just the Anti-Virus subsystem. These same messages can also appear mixed in with other messages in the Logging page in the Status menu (described in Section 6.2, “Logging Status”).
  • Page 84: Web Content Filtering Status

    6.4. Web Content Filtering Status This page of the web interface provides the ability to view and filter out the last 500 log messages generated by just the Web Content Filtering (WCF) subsystem. These same messages can also appear mixed in with other messages in the Logging page in the Status menu (described in Section 6.2, “Logging Status”).
  • Page 85: Idp Status

    6.5. IDP Status This page of the web interface provides the ability to view and filter out the last 500 log messages generated by just the IDP subsystem. These same messages can also appear mixed in with other messages in the Logging page in the Status menu (described in Section 6.2, “Logging Status”).
  • Page 86: Connections Status

    6.6. Connections Status A connection in NetDefendOS refers to either a normal TCP/IP connection set up to perform a transfer of data or a UDP packet based "connection", where a stream of packets is being sent from a sender to a receiver (such as in a streaming video transfer).
  • Page 87: Interfaces Status

    6.7. Interfaces Status This option can show the current status for each of the DFL-160 interfaces. When one of the interfaces is selected from a drop-down box in this page, information about the interface's status is displayed, both in numerical and graphical form.
  • Page 88 Secondly, the statistics for received (incoming) traffic are shown over the last 24 hours. An example is shown below (the image is also truncated on the right side).
  • Page 89: Ipsec Status

    6.8. IPsec Status List VPN Interfaces This option (the default) shows all the currently established VPN tunnels (also known as VPN interfaces). An example of this display is shown below. List all active IKE SAs An IKE Security Association (SA) is an entity that defines the encryption methods and other parameters that will be used for data flowing from one end of an IPsec tunnel to the other.
  • Page 90: User Authentication Status

    6.9. User Authentication Status This page of the web interface displays the users who have been authenticated and are using a VPN tunnel. An example of the user authentication display is shown below. The Forcibly Logout Option For each user, the administrator has the option to force a logout of that user with this option.
  • Page 91: Routes

    The traffic forwarding function performed with the help of the routing table is the primary task of any device which is called a router. It is also one of the primary tasks of the DFL-160 and in most cases the routes in the NetDefendOS routing table are created automatically without intervention from the administrator.
  • Page 92: Dhcp Server Status

    6.11. DHCP Server Status As explained in Section 3.3, “LAN Settings” and Section 3.4, “DMZ Settings”, the LAN and DMZ interfaces can be configured to act as DHCP servers, allocating IP addresses from a predefined IP range to any users or hosts that require them.
  • Page 94: The Maintenance Menu

    These options allow the frequency of the update interval to be determined. The recommendation is to select a time during a day when there is little user activity through the DFL-160. Typically, this might be in the early hours of the morning.
  • Page 95 The default interval is Daily and this is recommended to keep the databases updated with the latest releases. It is not often that the databases are updated more than once in a day. C.
  • Page 96: Licenses

    DFL-160 is initially delivered it comes with a standard license preinstalled which determines the capabilities of the system. Add On Services It is possible to expand the capabilities of the DFL-160 by purchasing a license for any of the following features: •...
  • Page 97 • PPP Tunnels The maximum number of PPP tunnels which terminate at the WAN interface that can be created. To expand the capabilities of the standard product license, consult with your local D-Link representative.
  • Page 98: Backups

    NetDefendOS version is upgraded. To restore a backup file, the administrator should upload a backup file to the DFL-160. The name of the file does not really matter since NetDefendOS will read a header in the file to determine what it... Backups Do Not Contain Everything Backups include only static information from the NetDefendOS configuration.
  • Page 99: Reset To Factory Defaults

    Performing a Reset Manually An alternative way to reset the DFL-160 is to push in the reset button at the rear of the unit for 10 to 15 seconds while powering it on. After that, release the reset button and the unit will continue to load and start up in default mode as though it were brand new and had never been configured.
  • Page 100: Upgrades

    7.5. Upgrades New releases of NetDefendOS are routinely made available by NetDefendOS. These releases are available as a single file which can be uploaded to the DFL-160 through this page in the web interface. NetDefendOS upgrades can be downloaded for free from your local D-Link site or from the D-Link...
  • Page 101: Technical Support

    After clicking on the button Download support file, a file is automatically generated by the NetDefendOS and downloaded to the web interface and can be saved to the local disk. The techsupport CLI Command This file contains the same information that can also be generated on a console with the CLI command: DFL-160:/> techsupport...
  • Page 103: The Console Boot Menu

    DFL-160 (see Section 2.4, “Console Port Connection”). The boot menu can be accessed through the console port after the DFL-160 is powered up and before NetDefendOS is ready. After powering up, there is a 3 second interval before NetDefendOS fully starts up and in that time the message Press any key to abort and load boot menu is displayed, as shown below.
  • Page 104 Chapter 8. The Console Boot Menu A password should be set for console access. If a password is not set, anyone can use the console. After it is set, the console will prompt for the password before access is allowed to either the boot menu or the command line interface (CLI) (more on the CLI can be found in Appendix A, CLI Reference).
  • Page 105: Troubleshooting

    Chapter 9. Troubleshooting When the DFL-160 does not behave as expected, the following CLI tools are available to troubleshoot problems. The stat CLI Command If a serious NetDefendOS problem is suspected then the first step should be to use the console command: >...
  • Page 106 Chapter 9. Troubleshooting Although dconsole output may be difficult for the administrator to interpret, it can be emailed to D-Link support representatives for further investigation. The dconsole command supersedes the crashdump command found in earlier versions of NetDefendOS. Restarting If a system is in a non-functional "frozen" state then a system restart can offer a simple way to clear all error conditions.
  • Page 107: CLI Reference

    RS232 console port on the DFL-160. Details of how to connect up a console device to the console COM port on the DFL-160 can be found in Section 2.4, “Console Port Connection”. Once the connection is made and NetDefendOS...
  • Page 108 By analyzing the contents of the buffers, it is possible to determine whether such traffic is making it to the DFL-160 at all. Syntax: buffers Brings up a list of most recently freed buffers.
  • Page 109 Connections Shows the last 20 connections opened through the DFL-160. Connections are created when traffic is permitted to pass via Allow or NAT rules. Traffic permitted to pass under FwdFast is not included in this list. Each connection has two timeout values, one in each direction. These are updated when the firewall receives packets from each end of the connection.
  • Page 110 Options: -renew - Force interface to renew its lease. -release - Force interface to release its lease. Example: DFL-160:/> dhcp -renew wan DHCPServer Show the contents of the DHCP server configuration section and active DHCP leases. Syntax: dhcpserver [options] Options: -rules - Shows dhcp server rules.
  • Page 111 Options: -list - List pending DNS queries. -query=<domain-name> - Resolve domain name. -remove - Remove all pending DNS queries. Example: DFL-160:/> dns DNS client is initialized. Using servers: DNS Server 0 : 10.5.0.19 DNS Server 1 : Not set DNS Server 2 : Not set Frags Shows the 20 most recent fragment reassembly attempts.
  • Page 112 PPTP tunnel to 192.168.23.1 Syntax: ifstat <interface> Shows hardware and software statistics for the specified NIC. Example: DFL-160:/> ifstat lan Iface lan Builtin e1000 - Intel(R) PRO/1000 T Server Adapter Slot 2/1 IRQ 5 Media : "1000BaseTx" Speed : 1000 Mbps Full Duplex...
  • Page 113 Display connected IPsec VPN gateways and remote clients. Syntax: ipsecstats <options> Options: -u - Append SA usage. -num <connection-number> - Show this connection number. Example: DFL-160:/> ipsecstats --- IPsec SAs: Displaying one line per SA-bundle VPN Tunnel Local net Remote net Remote GW...
  • Page 114 Appendix A. CLI Reference Killsa Kills all IPsec and IKE SAs for the specified IP-address. Syntax: killsa <ipaddr> Example: DFL-160:/> killsa 192.168.0.2 Destroying all IPsec & IKE SAs for remote peer 192.168.0.2 License Shows the content of the license-file. Syntax: license Lockdown Sets local lockdown on or off.
  • Page 115 Appendix A. CLI Reference using PBR table "main". Echo reply from 192.168.12.1 seq=0 time= 10 ms TTL=255 DFL-160:/> ping 192.168.12.1 -v Sending 1 ping to 192.168.12.1 from 192.168.14.19 using PBR table "main"..using route "192.168.12.0/22 via wan, no gw" in PBR table "main"...
  • Page 116 - DHCP (Dynamic Host Configuration Protocol) Settings - Log Settings Misc - Miscellaneous Settings Syntax: settings <group_name> Shows the settings of the specified group. Example: DFL-160:/> settings arp ARP (Address Resolution Protocol) Settings ARPMatchEnetSender : DropLog ARPQueryNoSenderIP : DropLog ARPSenderIP...
  • Page 117 If the <seconds> parameter is not specified then the default value is 5 seconds. Options: -normal - Perform a normal shutdown (the default). -reboot - A reboot occurs automatically. Example: DFL-160:/> shutdown Shutdown NORMAL. Active in 5 seconds. Shutdown reason: Shutdown due to console command Stats Shows various vital stats and counters.
  • Page 118 -servers - show information about autoupdate servers. -debugtestidp - invokes IDP test code (CAUTION: this sometimes may cause the hardware to freeze). Example: DFL-160:/> updatecenter -status Antivirus Signature Database Database Version: 2 2008-01-22 15:02:27 HW Support: lc2350a Hardware DB Version: Latest Full:2008-01-22 15:02:27 Patch:N/A...
  • Page 119 Options: -l - Displays a list of all authenticated users. -p - Displays a list of all known privileges (usernames and groups). -r <ip> - Removes an authenticated user (=logout). Example: DFL-160:/> userauth -l Login IP Address Interface Timeouts Privileges...
  • Page 120 LocalUsers DFL-160:/> userdb LocalUsers Contents of user database LocalUsers: Username Groups Static IP Remote Networks --------- ------- --------- --------------- sales alice tech DFL-160:/> userdb LocalUsers bob Information for bob in database LocalUsers: Username : bob Groups : sales Networks :...
  • Page 121: Windows XP IP Setup

    Traffic must be able to flow between the designated PC Ethernet interface and the DFL-160 LAN interface so they must be on the same IP network. This means the PC's interface should be assigned the following static IP addresses: •...
  • Page 122 Appendix B. Windows XP IP Setup The assigned IP address 192.168.10.30 could, in fact, be another address from the 192.168.10.0/24 network. However, 192.168.10.30 is normally used by D-Link as a convention.
  • Page 123: Windows Vista IP Setup

    Appendix C. Windows Vista IP Setup A Windows Vista based PC can be used as the management workstation for setup of a DFL-160. Usually, configuration of the IP address of the PC's chosen Ethernet interface should not be needed since the DFL-160 automatically assigns the address using DHCP. If DHCP cannot be used, the workstation IP address should be configured manually.
  • Page 124 Appendix C. Windows Vista IP Setup Select and display the properties for Internet Protocol Version 4 (TCP/IPv4). In the properties dialog, select the option Use the following IP address and enter the following values: • IP Address: 192.168.10.30 • Subnet mask: 255.255.255.0 •...
  • Page 125: Windows 7 IP Setup

    Appendix D. Windows 7 IP Setup A Windows 7 based PC can be used as the management workstation for setup of a DFL-160. Usually, configuration of the IP address of the PC's chosen Ethernet interface should not be needed since the DFL-160 automatically assigns the address using DHCP. If DHCP cannot be used, the workstation IP address should be configured manually.
  • Page 126 Appendix D. Windows 7 IP Setup Select and display the properties for Internet Protocol Version 4 (TCP/IPv4). In the properties dialog, select the option Use the following IP address and enter the following values: • IP Address: 192.168.10.30 • Subnet mask: 255.255.255.0 •...
  • Page 127: Apple Mac IP Setup

    Appendix E. Apple Mac IP Setup An Apple Mac can be used as the management workstation for setup of a DFL-160. Usually, configuration of the IP address of the Mac's chosen Ethernet interface should not be needed since the DFL-160 automatically assigns the address using DHCP. If DHCP cannot be used, the workstation IP address should be configured manually.
  • Page 128 Appendix E. Apple Mac IP Setup Now set the following values: • IP Address: 192.168.10.30 • Subnet Mask: 255.255.255.0 • Router: 192.168.10.1 Click Apply to complete the static IP setup. Note: Different MacOS versions Some versions of MacOS may differ slightly from the screenshots shown above but the setup should be almost the same.
  • Page 129: Alphabetical Index

    Alphabetical Index FireFox usage, 15 firewall menu, 17, 40 frags CLI command, 111 about CLI command, 107 administration, 23 username, 24 heat flow considerations, 13 anti-virus, 65 httpposter CLI command, 38, 111 status, 83 apple MAC IP setup, 127 arp CLI command, 107 arpsnoop CLI command, 107 audit username, 24 options, 68...
  • Page 130 Alphabetical Index uarules CLI command, 118 unpacking, 12 update center, 94 operating parameters, 13 updatecenter CLI command, 118 outbound connections, 17 upgrades, 100 outbound DMZ traffic options, 43 urlcache CLI command, 119 outbound LAN traffic options, 41 USB port, 21 userauth CLI command, 119 user authentication status, 90 user database, 55...