D-Link DFL-500 User Manual

D-Link DFL-500

Network Security Firewall

Manual

DFL-500 User Manual

Building Networks for People

No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of D-Link Systems, Inc.

DFL-500 User Manual 2 July 2002

Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Regulatory Compliance FCC Class A Part 15 CSA/CUS

DFL-500 User Manual

Table of Contents

Introduction ....................................................................................................8

NAT/Route mode and Transparent mode............................................................ ...........................................8

NAT/Route mode............................................ .... .... .... .... ... .... .... .... ....... .... .... ... .... .... .... .... ... ........................8

Transparent mode .................................................. .... ....... .... .... .... ... .... .... .... .... ....... .... .... ... ........................8

About this document........................................................... ... .... .... ....... .... .... .... ... .... .... .... ...............................8

For more information.............................................................. .... .... .... ... .... .... .... ... ........ .... ...............................9

Customer service and technical support.............................................................................. ...........................9

Getting started.............................................................................................. 10

Package contents .................................... .... .... ... .... .... .... ....... .... .... .... ... .... .... .... ... .... .... .... .............................10

Mounting .......................................................................................................................................................10

Powering on.................................................................................................................... ..............................11

Initial configuration........................................................................................................................................12

Connecting to the web-based manager........................................................................................................12

Connecting to the command line interface (CLI)............................................................. .............................13

Next steps.....................................................................................................................................................14

NAT/Route mode installation ......................................................................15

Preparing to configure NAT/Route mode.............................................. .... .... .... ... .... .... .... .... ... ........ ..............15

Using the setup wizard..................................................................................................................................16

Starting the setup wizard..........................................................................................................................16

Reconnecting to the web-based manager................................................................... .............................16

Using the command line interface ................................................................................................................16

Configuring the DFL-500 NPG to run in NAT/Route mode ......................................................................16

Connecting to your networks........................................................................................................................17

Configuring your internal network.................................................................................................................18

Completing the configuration........................................................................................................................18

Setting the date and time..........................................................................................................................18

Transparent mode installation.................................................................... 19

Preparing to configure Transparent mode....................................................................................................19

Using the setup wizard..................................................................................................................................19

Changing to Transparent mode................................................................ .... ... .... ........ .... ... .... .... . .............19

Starting the setup wizard..........................................................................................................................20

Reconnecting to the web-based manager................................................................... .............................20

Using the command line interface ................................................................................................................20

Changing to Transparent mode................................................................ .... ... .... ........ .... ... .... .... . .............20

Configuring the Transparent mode management IP address ..................................................................20

Configure the Transparent mode default gateway ................................... .... ....... .... .... .... ... .... .... .... ... .......21

Setting the date and time..............................................................................................................................21

Connecting to your network..........................................................................................................................21

DFL-500 User Manual

Firewall configuration.................................................................................. 23

NAT/Route mode and Transparent mode............................................................ .........................................24

NAT/Route mode............................................ .... .... .... .... ... .... .... .... ....... .... .... ... .... .... .... .... ... ......................24

Transparent mode .................................................. .... ....... .... .... .... ... .... .... .... .... ....... .... .... ... ......................24

Changing to Transparent mode................................................................ .... ... .... ........ .... ... .... .... . .............24

Changing to NAT/Route mode............................................... .... .... ... .... .... .... ....... .... .... ... .... .... .... ..............24

Adding NAT/Route mode policies.................................................. ............................................. ..................24

Adding Transparent mode policies...............................................................................................................27

Configuring policy lists..................................................................................................................................29

Policy matching in detail...........................................................................................................................29

Changing the order of policies in a policy list ...........................................................................................30

Enabling and disabling policies.................................................................................................................30

Addresses.....................................................................................................................................................30

Adding addresses.....................................................................................................................................31

Deleting addresses...................................................................................................................................31

Organizing addresses into address groups..............................................................................................32

Services ........................................................................................................................................................32

Predefined services..................................................................................................................................33

Providing access to custom services.................................................................................. .... .... ..............33

Grouping services.....................................................................................................................................33

Schedules ....................................................................... ............................................. .................................34

Creating one-time schedules....................................................................................................................34

Creating recurring schedules....................................................................................................................35

Adding a schedule to a policy...................................................................................................................35

Virtual IPs............................................................................... .... .... ....... .... .... .... ... .... .....................................35

Adding static NAT virtual IPs...................................... ..............................................................................36

Using port forwarding virtual IPs.............................................................................. .... .... ....... ..................37

Adding policies with virtual IPs .................................................................................................................38

IP pools.......................................................................................... ...............................................................39

IP/MAC binding.............................................................................................................................................40

Configuring IP/MAC binding for packets going through the firewall.........................................................40

Configuring IP/MAC binding for packets going to the firewall..................................................................41

Adding IP/MAC addresses........................................................................................................................41

Viewing the dynamic IP/MAC list..............................................................................................................42

Enabling IP/MAC binding..........................................................................................................................42

Users and authentication ............................................................................ 43

Setting authentication time out......................................................................................................................43

Adding user names and configuring authentication......................................................................................43

Adding user names and configuring authentication..................................................................................43

Deleting user names from the internal database................................................. .....................................44

Configuring RADIUS support........................................................................................................................45

Adding RADIUS servers...........................................................................................................................45

Deleting RADIUS servers.........................................................................................................................45

DFL-500 User Manual

Configuring user groups.............................................. ............................................. .....................................46

Adding user groups..................................................... ..............................................................................46

Deleting user groups.................................................................................................................................47

IPSec VPNs...................................................................................................48

Interoperability with IPSec VPN products.....................................................................................................48

Configuring AutoIKE key IPSec VPN............................................................................................................49

Configuring manual key IPSec VPN.............................................................................................................50

Configuring dialup VPN.............................................................................................................................. ...50

Configuring a VPN concentrator for hub and spoke VPN.............................................................................50

Configuring the VPN concentrator............................................................................................................51

Configuring the member VPNs.................................................................................................................51

Configuring IPSec redundancy.....................................................................................................................52

Adding a remote gateway.............................................................................................................................53

About dialup VPN authentication....................................... ............................................. ..........................54

About DH groups......................................................................................................................................56

About the P1 proposal..............................................................................................................................56

About NAT traversal .................................................................................................................................57

Adding an AutoIKE key VPN tunnel..............................................................................................................57

About the P2 proposal................................................ ... .... .... .... .... ... .... .... .... ... .... .... .... .... ... ......................58

About replay detection..............................................................................................................................58

About perfect forward secrecy (PFS) .......................................................................................................59

Adding a manual key VPN tunnel............................... ..................................................................................59

Adding a VPN concentrator .......................................................................... .................................. ..............60

Adding an encrypt policy......................................................................................................... ......................61

Viewing VPN tunnel status............................................................................ ................................................63

Viewing dialup VPN connection status.........................................................................................................64

Testing a VPN...............................................................................................................................................64

PPTP and L2TP VPNs ..................................................................................66

PPTP VPN configuration............................................. .... ... .... .... .... .... ... .... .... ........ ... .... .... .... .........................66

Configuring the DFL-500 NPG as a PPTP gateway.................................................................................67

L2TP VPN configuration ..................................... ........ .... ... .... .... .... .... ... ........ .... .... ... .... .... .... .........................69

Configuring the DFL-500 NPG as an L2TP gateway...................................................................... ..........69

Web content filtering.................................................................................... 71

Enabling web content Filtering........................................................... ... .... .... .... ... .... .... .... ... .... ......................71

Blocking web pages that contain unwanted content........................................................ .... ... .... ..... ... ..........71

Configuring content filtering.................................................................................................... ..................71

Clearing the banned word list...................................................................................................................72

Changing the content block message ...................................................... .... ... .... .... .... .... ... .... .... ..............72

Backing up and restoring the banned word list.........................................................................................72

Blocking access to URLs....................................................... .... .... .... ... .... .... .... ... .... .... ........ .........................73

Configuring URL blocking.........................................................................................................................73

Clearing the URL block list .......................................................................................................................74

DFL-500 User Manual

Changing the URL block message.................................... .... .... ... .... .... ........ .... ... .... .... .... ... .... .... ..............74

Downloading the URL block list................................................................................................................74

Uploading a URL block list..................................................... .... .... ....... .... .... ... .... .... .... .... ... ......................74

Removing scripts from web pages................................................................................................................75

Exempting URLs from content or URL blocking...........................................................................................75

Adding URLs to the Exempt URL List ......................................................................................................76

Clearing the Exempt URL list....................................................................................................................76

Downloading the Exempt URL list.......................... ..................................................................................76

Uploading an Exempt URL list..................................................................................................................77

Logging and reporting................................................................................. 78

Configuring Logging......................................................................................................................................78

Recording logs on a remote computer ...................................... ............................................. ..................78

Recording logs on a WebTrends server...................................................................................................78

Selecting what to log................................................................................................ .................................79

Configuring alert email..................................................................................................................................79

Configuring alert email......................................................................................... .....................................80

Testing alert email ....................................................................................................................................80

Enabling alert email........................................................... .......................................................................80

Administration.............................................................................................. 81

System status................................................................................................................................................81

Upgrading the DFL-500 NPG firmware ....................................................................................................82

Displaying the DFL-500 NPG serial number ................................................... .........................................84

Backing up system settings......................................................................................................................84

Restoring system settings.............................................................. ... .... .... .... ... ........ .... .... ... ......................84

Restoring system settings to factory defaults............................................................................. .... . .........84

Changing to Transparent mode................................................................ .... ... .... ........ .... ... .... .... . .............85

Changing to NAT/Route mode............................................... .... .... ... .... .... .... ....... .... .... ... .... .... .... ..............85

Restarting the DFL-500 NPG................................................. .... .... ... .... .... .... ... .... .... .... .... ... ......................86

Shutting down the DFL-500 NPG.................................................................... .........................................86

System status monitor..............................................................................................................................86

Network configuration............................................. .... .... ... ........ .... .... ... .... .... .... .... ... .... .... .............................87

Configuring the internal interface..............................................................................................................88

Configuring the external interface.............................................................................................................88

Configuring the management interface (Transparent mode) ...................................................................92

Setting DNS server addresses ................................... ..............................................................................92

Configuring routing........................................................................................................................................92

Adding routing gateways ..........................................................................................................................92

Adding a default route...............................................................................................................................93

Adding routes to the routing table.............................................................................................................93

Configuring the routing table.....................................................................................................................94

Enabling RIP server support.....................................................................................................................94

Adding routes (Transparent mode)...........................................................................................................94

Providing DHCP services to your internal network.......................................................................................95

DFL-500 User Manual

System configuration ....................................................................................................................................96

Setting system date and time ......................................................................................................... ..........97

Changing web-based manager options........................................................................... ... .... ........ ..........98

Adding and editing administrator accounts...............................................................................................98

Configuring SNMP....................................................................................................................................99

Glossary......................................................................................................101

Index............................................................................................................104

Technical Support...................................................................................... 116

Limited Warranty........................................................................................ 119

Registration ................................................................................................122

DFL-500 User Manual

Introduction

The DFL-500 Network Protection Gateway (NPG) is an easy-to-deplo y and easy-to-administer solution that delivers exceptional value and performance for sma ll

office and home office (SOHO) appli cations. Your DFL-500 is a dedicated easily managed security device that delivers a full suite of capabilities that include firewall, VPN, traffic shaping, and web content filtering.

NAT/Route mode and Transparent mode

The DFL-500 can operate in NAT/Route mode or Transparent mode.

NAT/Route mode

In NAT/Route mode, the DFL-500 is installed as a privacy barrier between the internal network and the Internet. The firewall provides network address translation (NAT) to protect the inter nal private network. You can control whether firewall policies run in NAT mode or route mode. NAT mode policies route allowed connections between firewall interfaces, performing network address translation to hide addresses on the protected internal networks. Route mode policies route allowed connections between firewall interfaces without performing network address translation.

Transparent mode

Transparent Mode provides firewall protection to a pre-existing network with public addresses. The internal and external network interfaces of the DFL-500 NPG must be in the same subnet and the DFL-500 NPG can be inserted into your network at any point without the need to make any changes to your network.

About this document

This user manual describes how to install and configure the DFL-500 NPG. This document contains the following information:

• Getting started

•

NAT/Route mode installation

running it in NAT/Route mode.

• Transparent mode installation

running it in Transparent mode.

• Firewall configuration

• IPSec VPNs

• PPTP and L2TP VPNs

and a Windows client.

•

Web content filtering

from passing through the DFL-500 NPG.

•

Logging and reporting

DFL-500 NPG.

describes unpacking, mounting, and powering on the DFL-500 NPG.

describes how to install the DFL-500 NPG if you are planning on

describes how to configure firewall policies to enhance firewall protection.

describes how to configure DFL-500 IPSec VPN.

describes how to configure PPTP and L2TP VPNs between the DFL-500 NPG

describes how to configure web content filters to prevent unwanted web content

describes how to configure logging and reporting to track activity through the

DFL-500 User Manual

•

Administration

•

The Glossary

describes DFL-500 management and ad mi nis t ra tive tas k s .

defines many of the terms used in this document.

For more information

In addition to the DFL-500 User Manual , you have access to the following DFL-500 documentation:

• DFL-500 QuickStart Guide

• DFL-500 CLI Reference Guide

• DFL-500 online help

Customer service and technical support

For updated product documentation, technical support information, and other resources, please visit D-Link local web site.

You can contact D-Link Technical Support at your local D-Link office:

• See Technical Support

To help us provide the support you require, please provide the following information:

• Name

• Company Name

• Location

•

Email address

•

Telephone Number

•

Software Version

•

Serial Number

•

Detailed description of your problem

DFL-500 User Manual

Getting started

This chapter describes unpacking, setting up, and powering on your DFL-500 NPG. When you have completed the procedures in this chapter, you can proceed to one of the following:

•

If you are going to run your DFL-500 NPG in NAT/Route mo de, go to NAT/Route mode installation

•

If you are going to run your DFL-500 NPG in Transparent mode, go to Transparent mode installation

This chapter includes:

•

Package contents

• Mounting

• Powering on

• Initial configuration

• Connecting to the web-based manager

• Connecting to the command line interface (CLI)

• Next steps

Package contents

The DFL-500 package contains the following items:

•

the DFL-500 NPG

•

one orange cross-over ethernet cable

•

one gray regular ethernet cable

• one null-modem cable

• DFL-500 QuickStart Guide

• A CD containing this DFL-500 User Manual and the DFL-500 CLI Reference Guide

• one AC adapter

DFL-500 package contents

Mounting

The DFL-500 NPG can be installed on any stable surfa ce. Make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.

DFL-500 User Manual

Dimensions

• 8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm)

Weight

• 1.5 lb. (0.68 kg)

Power requirements

• DC input voltage: 5 V

•

DC input current: 3 A

Environmental specifications

• Operating temperature: 32 to 104°F (0 to 40°C)

•

Storage temperature: -13 to 158°F (-25 to 70°C)

•

Humidity: 5 to 95% non-condensing

Powering on

To power on the DFL-500 NPG:

• Connect the AC adapter to the power connection at the back of the DFL-500 NPG.

• Connect the AC adapter to a power outlet.

The DFL-500 NPG starts up. The Power and Status lights light. The Status light flashes while the DFL-500 NPG is starting up and remains lit when the system is up and running.

DFL-500 LED indicators

LED State Description

Power

Status

Internal External (Front)

Internal External (Back)

Green The DFL-500 NPG is powered on. Off The DFL-500 NPG is powered off. Flashing Green The DFL-500 NPG is starting up. Green The DFL-500 NPG is running normally. Off The DFL-500 NPG is powered off. Green The correct cable is in use, and the connected equipment has power. Flashing Green Network activity at this interface. Off No link established. Green The correct cable is in use, and the connected equipment has power. Flashing Amber Network activity at this interface. Off No link established.

DFL-500 User Manual

Front and back view of the DFL-500 NPG

Initial configuration

When the DFL-500 NPG is first powered on, it is running in NAT/Route mode and has the basic configu ration listed in DFL-500 NPG initial power on settings

DFL-500 NPG initial power on settings

Operating mode:

Administrator account:

Internal interface:

External interface:

NAT/Route User name: admin Password: (none) IP: 192.168.1.99 Netmask: 255.255.255.0

Manual:

IP: 192.168.100.99 Netmask: 255.255.255.0 Default Gateway: 192.168.100.1 Primary DNS Server: 207.194.200.1 Secondary DNS Ser ver: 207.194.200.129

Connecting to the web-based manager

The web-based manager is the primary tool for installing and configuring your DFL-500 NPG. Configuration changes made with the web-based manager are effective immediately wi tho ut the need to reset the firewall or interrupt service.

To connect to the web-based manager you need:

•

a computer with an ethernet connection,

•

Internet Explorer version 4.0 or higher,

•

a crossover cable or an ethernet hub and two ethernet cables.

To connect to the web-based manager:

• Set the IP address of the computer with an ethernet connection to the static IP address 192.168.1.2 and a netmask of 255.255.255.0.

DFL-500 User Manual

•

Using the crossover cable or the ethernet hub and cables, connect the Internal interface of the DFL500 NPG to the computer ethernet connection.

• Start Internet Explorer and browse to the address https://192.168.1.99 . The DFL-500 login appears.

•

Type admin in the Name field and select Login. The Register Now window appears. Use the information on this window to register your DFL-500

NPG. Register your DFL-500 NPG so that D-Link can contact you for firmware updates.

DFL-500 login

Connecting to the command line interface (CLI)

As an alternative to the web-based manager, you can install and configure the DFL-500 NPG using the CLI. Configuration changes made with the CLI are effecti ve immediately without the need to reset the firewall or interrupt service.

To connect to the DFL-500 CLI, you need:

•

a computer with an available communications port,

• the null modem cable included in your DFL-500 package,

• terminal emulation software such as HyperTerminal for Windows.

The following procedure describes how to connect to the DFL-500 CLI using Windows HyperTerminal software. You can use any terminal emulation program.

•

Connect the null modem cable to the DFL-500 Console connector and to the available communications port on y our computer.

•

Make sure that the DFL-500 NPG is powered on.

•

Start HyperTerminal, enter a name for the connection, and select OK.

•

Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the null modem cable and select OK.

• Select the following port settings and select OK.

Bits per second

9600

DFL-500 User Manual

Data bits Parity Stop bits Flow control

•

Press Enter to connect to the DFL-500 CLI.

8 None 1 None

The following prompt appears: DFL-500 login:

• Type admin and press Enter. The following prompt appears:

Type ? for a list of commands.

For information on how to use the CLI, see the DFL-500 CLI Reference Guide .

Next steps

Now that your DFL-500 NPG is up and running, you can proceed to configure it for operation:

• If you are going to run your DFL-500 NPG in NAT/Route mo de, go to NAT/Route mode installation

• If you are going to run your DFL-500 NPG in Transparent mode, go to Transparent mode installation

DFL-500 User Manual

NAT/Route mode installation

This chapter describes how to install your DFL-500 NPG in NAT/Route mode. If you want to install the DFL500 NPG in Transparent mode, see Transparent mode installation

This chapter includes:

•

Preparing to configure NAT/Route mode

•

Using the setup wizard

•

Using the command line interface

• Connecting to your networks

• Configuring your internal network

• Completing the configuration

Preparing to configure NAT/Route mode

Use NAT/Route mode settings to gather the information that you need to customize NAT/Route mode settings.

NAT/Route mode settings

Administrator password:___________________________

Internal interface:

IP: Netmask:

_____._____._____._____ _____._____._____._____

External interface:

Internal server settings:

DHCP server settings:

IP: Netmask:

Manual:

DHCP:

PPPoE:

Web Server: SMTP Server: POP3 Server: IMAP Server: FTP Server: To allow Internet access to a Web, SMTP, POP3, IMAP or FTP server installed on your

internal network add the IP addresses of the servers above. Starting IP:

Default Gateway: Primary DNS Server: Secondary DNS

Server: If your Internet Service Provider (ISP) supplies you with an IP address using

DHCP no further information is required. User name:_______________________ Password:________________________ If your ISP supplies you with an IP address using PPPoE, record your

PPPoE user name and password.

_____._____._____._____ _____._____._____._____ _____._____._____._____ _____._____._____._____

_____._____._____._____

_____._____._____._____ _____._____._____._____ _____._____._____._____ _____._____._____._____ _____._____._____._____

_____._____._____._____

DFL-500 User Manual

Ending IP:

_____._____._____._____

Netmask: Default Route: DNS IP: The DFL-500 NPG contains a DHCP server that you can configure to automatically set

the addresses of the computers on your internal network.

_____._____._____._____ _____._____._____._____ _____._____._____._____

Using the setup wizard

From the web-based manager, you can use the setup wizard to create the initial configura tion of your DFL500 NPG. To connect to the web-based manager, see Connecting to the web-based manager

Starting the setup wizard

• Select Easy Setup Wizard (the middle button in the upper right corner of the web-based manager).

• Use the information that you gathered in NAT/Route mode settings

the Next button to step through the wizard pages.

• Confirm your configuration settings on the last wizard page and Select Finish and Close.

If you use the setup wizard to configure internal server settings, the DFL-500 NPG adds port forwarding virtual IPs and firewall policies for each server that you configure. For each server located on your internal netw ork the DFL-500 NPG adds an Ext -> Int policy.

to fill in the wizard fields. Select

Reconnecting to the web-based manager

If you changed the IP address of the internal interface using the setup wizard, you must reco nn ect to the webbased manager using a new IP address. Browse to https:// followed by the new IP address of the internal interface. Otherwise, you can reconnect to the web-based manager by browsing to https://192.168.1.99.

You have now completed the initial configuration of your DFL-500 NPG, and you can proceed to connect t he DFL-500 NPG to your network using the information in Connecting to your networks

Using the command line interface

As an alternative to the setup wizard, you can co nfigure the DFL-500 NPG using the command line interface (CLI). To connect to the CLI, see Connecting to the command line interface (CLI)

Configuring the DFL-500 NPG to run in NAT/Route mode

• Log into the CLI if you are not already logged in.

• Set the IP address and netmask of the internal interface to the internal IP address and netmask that

you recorded in NAT/Route mode settings

set system interface internal static ip <IP address> <netmask>

Example

set system interface internal static ip 192.168.1.1 255.255.255.0

. Enter:

DFL-500 User Manual

•

Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in NAT/Route mode settings

To set the manual IP address and netmask, enter:

set system interface external static ip <IP address> <netmask>

Example

set system interface external static ip 204.23.1.5 255.255.255.0 To set the external interface to use DHCP, enter:

set system interface external dhcp connection enable To set the external interface to use PPPoE, enter:

set system interface external pppoe username <user name> password <password> connection enable

Example

set system interface external pppoe username user@domain.com password mypass connection enable

• Confirm that the addresses are correct. Enter:

get system interface

The CLI lists the IP address, netmask and other settings for each of the DFL-500 NPG interfaces as well as the mode of the external interface (manual, DHCP, or PPPoE).

• Set the default route to the Default Gateway IP Address that you recorded in NAT/Route mode

settings (not required for DHCP and PPPoE). Enter:

set system route number <number> gw1 <IP address> Example

set system route number 1 gw1 204.23.1.2

You have now completed the initial configuration of your DFL-500 NPG and you can proceed to connect the DFL-500 NPG to your network using the information in Connecting to your networks

Connecting to your networks

When you have completed the initial configuration, you can connect your DFL-500 NPG between your internal network and the Internet.

There are two 10/100 BaseTX connectors on the DFL-500 NPG:

•

Internal for connecting to your internal network,

•

External for connecting to the Internet.

To connect the DFL-500 NPG:

• Connect the Internal interface to the hub or switch connected to your internal network.

• Connect the External interface to the Internet.

Connect to the public switch or router provided by your Internet Service Provider. If you are a DSL or cable subscriber, connect the External interface to the internal or LAN connection of your DSL or cable modem.

DFL-500 User Manual

DFL-500 NPG network connections

Configuring your internal network

If you are running the DFL-500 NPG in NAT/Route mode, your inter nal network must be configured to route all internet traffic to the address of the internal interface of the DFL-500 NPG. This means changing the default gateway address of all computers connected directly to the internal network.

If you are using the DFL-500 NPG as the DHCP server for your internal network, configure the computers on your internal network for DHCP.

When the DFL-500 NPG is connected, make sure that it is functioning properly by connecting to the Internet from a computer on your internal network. You should be able to connect to any Internet address.

Completing the configuration

Use the information in this section to complete the initial configuration of the DFL-500 NPG.

Setting the date and time

For effective scheduling and logging, the DFL -500 NPG date and time should be accurate. You can either manually set the DFL-500 NPG time or you can configure the DFL-500 NPG to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.

To set the DFL-500 NPG date and time , see Setting system date and time

DFL-500 User Manual

Transparent mode installation

This chapter describes how to install your DFL-500 NPG in Transparent mode. If you want to install the DFL500 NPG in NAT/Route mode, see NAT/Route mode installation

This chapter includes:

•

Preparing to configure Transparent mode

•

Using the setup wizard

•

Using the command line interface

• Setting the date and time

• Connecting to your network

Preparing to configure Transparent mode

Use Transparent mode settings to gather the information you need to customize Transparent mode settings.

Transparent mode settings

Administrator Password:

IP:

_____._____._____._____

_____._____._____._____ _____._____._____._____

_____._____._____._____

Management IP:

DNS Settings:

Netmask: Default Gateway: The management IP address and netmask must be valid for the network from which you will

manage the DFL-500 NPG. Add a default gateway if the DFL-500 NPG must connect to a router to reach the management computer.

Primary DNS Server:

Secondary DNS Server:

Using the setup wizard

From the web-based manager you can use the setup wizard to create the initial configuration of your DFL-500 NPG. To connect to the web-based manager, see Connecting to the web-based manager

Changing to Transparent mode

The first time that you connect to the DFL-500 NPG it is configured to run in NAT/Route mode. To switch to Transparent mode using the web-based manager:

•

Go to System > Status .

•

Select Change to Transparent Mode.

•

Select Transparent in the Operation Mode list.

•

Select OK. The DFL-500 NPG changes to Transp arent mo de.

To reconnect to the web-based manager, change the IP address of your management computer to 10.10.10.2. Connect to the DFL-500 NPG internal interface and browse to https:// followed by the transparent mode management IP address. The default transparent mode Management IP address is 10.10.10.1.

DFL-500 User Manual

Starting the setup wizard

• Select Easy Setup Wizard (the button in the upper right corner of the web-based manager).

• Use the information that you gathered in Transparent mode settings

the Next button to step through the wizard pages.

• Confirm your configuration settings and then select Finish and Close.

to fill in the wizard fields. Select

Reconnecting to the web-based manager

If you changed the IP address of the management interface while you were using the setup wizard , you must reconnect to the web-based manager using a new IP address. Browse to https:// followed by the new IP address of the management interface. Otherwise, you can re connect to the web-based manager by browsing to https://10.10.10.1. If you connect to the management interface through a router, make sure that you have added a default gateway for that router to the management IP default gateway field.

Using the command line interface

As an alternative to the setup wizard, you can co nfigure the DFL-500 NPG using the command line interface (CLI). To connect to the CLI, see Connecting to the command line interface (CLI) you gathered in Transparent mode settings

to complete the following procedures.

Changing to Transparent mode

•

Log into the CLI if you are not already logged in.

•

Switch to Transparent mode. Enter: set system opmode transparent After a few seconds, the following prompt appears: DFL-500 login:

•

admin

Type The following prompt appears:

Type ? for a list of commands. Confirm that the DFL-500 NPG has switched to Transparent mode. Enter:

get system status The CLI displays the status of the DFL-500. The last line shows the current operation mode.

Version:DLINK-500 2.36,build075,030604 Serial Number:FGT-502801021075 Operation mode: Transparent

and press Enter.

. Use the information that

Configuring the Transparent mode management IP address

• Log into the CLI if you are not already logged in.

•

Set the IP address and netmask of the Management IP to the IP address and netmask that you recorded in Transparent mode settings

set system management ip <IP address> <netmask>

Example

set system management ip 10.10.10.2 255.255.255.0

• Confirm that the address is correct. Enter:

get system management

DFL-500 User Manual

. Enter:

The CLI lists the Management IP address and netmask.

Configure the Transparent mode default gateway

•

Set the default route to the Default Gateway that you recorded in Transparent mode settings

set system route number <number> gateway <IP address>

Example

set system route number 1 gateway 204.23.1.2

You have now completed the initial configuration of the DFL-500 NPG and you can proceed to the next section.

. Enter:

Setting the date and time

For effective scheduling and logging, the DFL -500 NPG date and time should be accurate. You can either manually set the time or you can configure the DFL-500 NPG to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.

To set the DFL-500 NPG date and time , see Setting system date and time

Connecting to your network

When you have completed the initial configuration, you can connect the DFL-500 NPG bet ween your internal network and the Internet.

There are two 10/100 BaseTX connectors on the DFL-500 NPG:

• Internal for connecting to your internal network,

• External for connecting to the Internet.

To connect the DFL-500 NPG:

•

Connect the Internal interface to the hub or switch connected to your internal network.

•

Connect the External interface to the Internet. Connect to the public switch or router provided by your Internet Service Provider.

DFL-500 User Manual

DFL-500 network connections

DFL-500 User Manual

Firewall configuration

By default, the users on your internal n etwork can connect through the DFL-500 NPG to the Internet. The firewall blocks all other connections. The firewall is configured with a default policy that matches any connection request received from the internal network and instructs the firewall to forward the connection to the Internet.

Default policy

Policies are instructions used by the firewall to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to e xtract its source address, destination address, and service (port number).

For the packet to be connected th rough the DFL-500 NPG, you must have added a policy that matches the packet's source address, destination address, and service. The policy directs the action that the firewall should perform on the packet. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN packet.

You can enable and disable policies. You can add schedules to policies so that the firewall can process connections differently depending on the time of day or the day of the week, month, or year. You can also enable web content filtering for policies that control the HTTP service.

Use Int -> Ext policies to control how users on your internal network access the In ternet. You can use these policies to apply web content filtering to protect users on your internal net work from downloading unwanted content from the Internet. You can also use these policies to control IPSec VPN connections through the firewall.

Use Ext -> Int policies to control connections from the Internet to your internal network. You can use these policies to apply web content filtering. You can also use these policies to allow remote users to connect to your internal network using PPTP and L2TP VPN.

This chapter describes:

•

NAT/Route mode and Transparent mode

•

Adding NAT/Route mode policies

•

Adding Transparent mode policies

•

Configuring policy lists

•

Addresses

•

Services

•

Schedules

•

Virtual IPs

•

IP pools

•

IP/MAC binding

DFL-500 User Manual

NAT/Route mode and Transparent mode

The first step in configuring firewall policies is to configure the mode for the firewall. The firewall can run in NAT/Route mode or Transparent mode.

NAT/Route mode

Run the DFL-500 NPG in NAT/Route mode to protect a private network from a public network. When the DFL-500 NPG is running in NAT/Route mode, you can conne ct a private ne twork to the internal inte rface and a public network, such as the Internet, to the external interface. Each of these networks must have a different subnet address. You create policies to control how the firewall routes packets between interfaces, and therefore between the networks connected to the interfaces.

In NAT/Route mode, you can create NAT mode policies and Route mode policies.

• NAT mode policies use network address translation to hide the addresses of a more secure network from users on a less secure network.

•

Route mode policies control connections between networks without performing address translation.

Transparent mode

Run the DFL-500 NPG in Transparent mode to provide firewall protection to a network with pub lic addresses. The DFL-500 NPG can be inserted into your network at any point wi thout the need to make changes to y our network or any of its components.

In Transparent mode, you add policies to accept or deny connections between interfaces. The DFL-500 NPG applies policies to control network traffic without modifying the packets in any way.

Changing to Transparent mode

Use the procedure Changing to Transparent mode to switch the DFL-500 NPG from NAT/Route mode to Transparent mode.

Changing to Transparent mode deletes all NAT/Route mode policies and addresses. In addition any routing set in NAT mode is also deleted. This includes the default route that is part of the default NAT configuration.

Changing to NAT/Route mode

Use the procedure Changing to NAT/Route mode to switch the DFL-500 NPG from Transparent mode to NAT/Route mode.

Changing to NAT/Route mode deletes all Transparent mode policies and addresses. In addition any routing set in NAT mode is also deleted. This includes the default route that is part of the default NAT configuration.

Adding NAT/Route mode policies

Add NAT/Route mode policies to control connections and traffic between DFL-500 interfaces. If you have configured the DFL-500 NPG for NAT/Route mode operation, you can use the following procedure to add NAT/Route mode policies:

•

Go to Firewall > Policy .

•

Select the policy list tab to which you want to add the policy.

•

Select New to add a new policy.

DFL-500 User Manual

You can also select Insert Policy before on a policy in the list to add the new policy above a specific policy.

•

Configure the policy:

Source

Destination

Schedule

Service

Action

DENY

ENCRYPT

NAT

Dynamic IP Pool

Fixed Port

VPN Tunnel

Allow inbound

Allow outbound

Inbound NAT

Outbound NAT

Log Traffic

Authentication

Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. To add an address, see

Addresses

Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the source interface. To add an address, see Addresses

For an Ext -> Int NAT mode policy, the destination can also be a virtual IP that maps the destination address to a hidden destination address on the internal network. See Virtual IPs

Select a schedule that controls when the policy is available to be matched with connections. See

Schedules

Select a service that matches the service (or port number) of the packet. You can select from a wide range of predefined services or add custom services and service groups. See Services

Select how the firewall should respond when the policy matches a connection attempt. Accept the connection. If you select ACCEPT, you can also configure NAT and Authentication for

the policy. Deny the connection. Make this policy an IPSec VPN policy. If you select ENCRYPT, you can select an AutoIKE key or

Manual Key VPN tunnel for the policy and configure other IPSec settings. For ENCRYPT policies, service is set to ANY and authentication is not supported

Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port.

Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP pool added to the destination interface of the policy. To add IP pools, see IP pools

You cannot select Dynamic IP Pool for Int -> Ext policies if the external interface is configured using DHCP or PPPoE.

Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is changed. If you select Fixed Port, you must also select Dynamic IP Pool and add a dynamic IP pool address range to the destination interface of the policy. If you do not select Dynamic IP Pool, a policy with Fixed Port selected can only allow one connection at a time for this port or service.

Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or Manual Key tunnel.

Select Allow inbound so that users behind the remote VPN gateway can connect to the source address.

Select Allow outbound so that users can connect to the destination address behind the remote VPN gateway.

Select Inbound NAT to translate the source address of incoming packets to the DFL-500 NPG internal IP address.

Select Inbound NAT to translate the source address of outgoing packets to the DFL-500 NPG external IP address.

Select Log Traffic to write messages to the traffic log whenever the policy processes a connection. Select Authentication and select a user group to require users to enter a user name and password

before the firewall accepts the connection. Select the user group to select the users that can authenticate with this policy. To add and configure user groups, see Users and authentication must add user groups before you can select authentication.

. You

DFL-500 User Manual

Telnet, or FTP. For users to be able to authenticate you must add an HTTP, Telnet, or FTP policy that is configured for authentication. When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password.

If you want users to authenticate to use other services (for example POP3 or IMAP) you can create a service group that includes the services for which you want to require authentication as well as HTTP, Telnet, and FTP. Then users could authenticate with the policy using HTTP, Telnet, or FTP before using the other service.

In most cases you should make sure that users can use DNS through the firewall without authentication. If DNS is not available users cannot connect to a web, FTP, or Telnet server using a domain name.

Enable web filter content filtering for traffic controlled by this policy. You can select Web filter if Service is set to ANY or HTTP or to a service group that includes the HTTP service.

Web filter

For web filter content filtering to take effect, you must configure web content filtering. See Web

content filtering.

You can select show settings to display the current web filter content filtering settings for the DFL500 NPG.

• Select OK to add the policy. The policy is added to the selected policy list.

•

Arrange policies in the policy list so that they have the results that you expect. See Configuring policy lists

for more information.

DFL-500 User Manual

Adding a NAT/Route Int -> Ext policy

Adding Transparent mode policies

Add Transparent mode policies to control the net work traffic that is allowed to pass through the firewall when you are running the it in Transparent mode.

• Go to Firewall > Policy .

• Select a policy list tab.

• Select New to add a new policy.

You can also select Insert Policy before specific policy.

• Configure the policy:

Source

Destination

Schedule

Service

Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. To add an address, see

Addresses

A schedule that controls when this policy is available to be matched with connections. See

Schedules

A service that matches the service (port number) of the packet. You can select from a wide range of predefined services, or add custom services and service groups. See Services

on a policy in the list to add the new policy above a

DFL-500 User Manual

Action

Log Traffic

Authentication

Web filter

Select how the firewall should respond when the policy matches a connection attempt. You can configure the policy to direct the firewall to ACCEPT the connection or DENY the connection. If you select ACCEPT, you can also configure Authentication for the policy.

Select Log Traffic to write messages to the traffic log whenever the policy processes a connection.

Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to select the users that can authenticate with this policy. To add and configure user groups, see Users and

authentication. You must add user groups before you can select authentication.

You can select Authentication for any service. Users can authenticate with the firewall using HTTP, Telnet, or FTP. For users to be able to authenticate you must add an HTTP, Telnet, or FTP policy that is configured for authentication. When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password.

Enable web filter content filtering for traffic controlled by this policy. You can select Web filter if Service is set to ANY or HTTP, or to a service group that includes the HTTP service.

For web filter content filtering to take effect, you must configure web content filtering. See Web

content filtering

You can select show settings to display the current web filter content filtering settings for the DFL500 NPG.

• Select OK to add the policy. The policy is added to the selected policy list.

• Arrange policies in the policy list so that they have the results that you expect. Arranging policies in a policy list is described in Configuring policy lists

DFL-500 User Manual

Adding a Transparent mode Int -> Ext policy

Configuring policy lists

The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general.

For example, the default policy is a very general policy because it matches all co nnection attempts. To cre ate exceptions to this policy, they must be added to the policy list above the default policy. No policy below the default policy will ever be matched.

This section describes:

• Policy matching in detail

• Changing the order of policies in a policy list

• Enabling and disabling policies

Policy matching in detail

When the firewall receives a connection attempt at an interface, it must matc h the connection attempt to a policy in either the Int -> Ext or Ext -> Int policy list. The firewall starts at the top of the policy list for the interface that received the connection attempt and searches do wn the list for the first policy that matches the connection attempt source and destination addresses, service port, and time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped.

The default policy accepts all connection a ttempts from th e internal network to the Inter net. From the internal network, users can browse the web, use POP3 to get ema il, use FTP to download files through the firewall, and so on. If the default policy is at the t op of the Int -> Ext policy list, the firewall allo ws all connections from the internal network to the Internet because all connections match the default policy.

A policy that is an exception to the default po licy, for example, a policy to block FTP connections, must be placed above the default policy in the Int -> Ext policy list. In this exam ple, all FTP connection attempts fr om the internal network would then match the FTP policy and be blocked. Connection attempts for all other kinds of services would not match with the FTP policy but they would match with the default policy. Ther efore, the firewall would still accept all other connections from the internal network.

DFL-500 User Manual

Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first.

Changing the order of policies in a policy list

• Go to Firewall > Policy .

• Select the tab for the policy list that you want to rearrange.

• Choose a policy to move and select Move To

• Type a number in the Move to field to specify where in the policy list to move the policy and select OK.

• Select Delete

to remove a policy from the list.

to change its order in the policy list.

Enabling and disabling policies

You can enable and disable policies in the policy list to control whether the policy is active or not. The firewall matches enabled policies but does not match disabled policies.

Disabling a policy

Disable a policy to temporarily prevent the firewall from selecting the policy.

• Go to Firewall > Policy .

• Select the tab for the policy list containing the policy to disable.

• Clear the check box of the policy to disable.

Enabling a policy

Enable a policy that has been disabled so that the firewall can match connections with the policy.

•

Go to Firewall > Policy .

•

Select the tab for the policy list containing the policy to enable.

•

Select the check box of the policy to enable.

Addresses

All policies require source and destination addresses. To add an address to a policy between two inter faces, you must first add addresses to the address list for each interface. Thes e addresses must be valid addresses for the network connected to that interface.

By default, the firewall includes two addresses that cannot be edited or deleted:

• Internal_All on the internal address list represents the IP addresses of all computers on your internal network.

• External_All on the external address list represents the IP addresses of all computers on the Internet.

You can add, edit, and delete all o ther addresses as required. You can also organize related addre sses into address groups to simplify policy creation.

This section describes:

•

Adding addresses

•

Deleting addresses

•

Organizing addresses into address groups

DFL-500 User Manual

+ 92 hidden pages