D-Link DFL-1100 Manual

Download or browse online this manual for the D-Link DFL-1100 - Security Appliance Desktop, Firewall.

D-Link DFL-1100 - Security Appliance Manual Information:

This manual for D-Link DFL-1100 - Security Appliance, given in the PDF format, is available for free online viewing and download without logging on. The guide contains 91 pages. The document type is Manual.


Summary of Contents:

[Page 1] D-Link DFL-1100 - Security Appliance

D-Link DFL-1100 Network Security Firewall Manual Building Networks for People ...

[Page 2] D-Link DFL-1100 - Security Appliance

Contents: Introduction (page 6); Features and Benefits (page 6); Introduction to Firewalls ...

[Page 3] D-Link DFL-1100 - Security Appliance

The synchronization interface (page 25); Setting up a High Availability cluster (page 26); Logging ...

[Page 4] D-Link DFL-1100 - Security Appliance

Adding IP Protocol (page 50); Grouping Services (page 50); Protocol-independent settings ...

[Page 5] D-Link DFL-1100 - Security Appliance

Restoring the DFL-1100’s Configuration (page 68); Restart/Reset (page 69); Restarting the DFL-1100 ...

[Page 6] D-Link DFL-1100 - Security Appliance

Introduction: The DFL-1100 provides four 10/100MB Ethernet network interface ports: (1) Internal/LAN, (1) External/WAN, (1) DMZ port and (1) port that can be configured as a High Availability Sync port or as an ETH4 port. It also provides e...

[Page 7] D-Link DFL-1100 - Security Appliance

Introduction to Local Area Networking: Local Area Networking (LAN) is the term used when connecting several computers together over a small area such as a building or group of buildings. LANs can be connected over large areas. A collection of LA...

[Page 8] D-Link DFL-1100 - Security Appliance

LEDs & Physical Connections. WAN, LAN, DMZ & ETH4/Sync: Ethernet Link port indicators, Green. The Act LED flickers when the ports are sending or receiving data. Power: A solid light indicates a proper connection to the power supply. S...

[Page 9] D-Link DFL-1100 - Security Appliance

Package Contents. Contents of Package:
• D-Link DFL-1100 Firewall
• Manual and CD
• Quick Installation Guide
• Power cord
If any of the above items are missing, please contact your reseller.
System Requirements:
• Compute...

[Page 10] D-Link DFL-1100 - Security Appliance

Managing D-Link DFL-1100: When a change is made to the configuration, a new icon named Activate Changes will appear. When all the changes an administrator would like to make are done, the changes need to be saved and activated to take effect, thi...

[Page 11] D-Link DFL-1100 - Security Appliance

Administration Settings. Administrative Access: Ping – If enabled, specifies who can ping the interface IP of the DFL-1100. Default if enabled is to allow anyone to ping the interface IP. Admin – If enabled allows all users with admin access ...

[Page 12] D-Link DFL-1100 - Security Appliance

Add ping access to an interface: To add ping access click on the interface you would like to add it to. Follow these steps to add ping access to an interface. Step 1. Click on the interface you would like to add it to. Step 2. Enable the Ping ...

[Page 13] D-Link DFL-1100 - Security Appliance

Add Read-only access to an interface: To add read-only access, click on the interface you would like to add it to. Note that if you only have read-only access enabled on an interface, all users only get read-only access, even if they are administrator...

[Page 14] D-Link DFL-1100 - Security Appliance

System Interfaces: Click on System in the menu bar, and then click Interfaces below it. Change IP of the LAN, DMZ or ETH4 interface: Follow these steps to change the IP of the LAN or DMZ interface. Step 1. Choose which interface to view or ch...

[Page 15] D-Link DFL-1100 - Security Appliance

WAN Interface Settings – Using Static IP: If you are using Static IP you have to fill in the IP address information provided to you by your ISP. All fields are required except the Secondary DNS Server. You should probably not use the numbers d...

[Page 16] D-Link DFL-1100 - Security Appliance

WAN Interface Settings – Using PPPoE: Use the following procedure to configure the DFL-1100 external interface to use PPPoE (Point-to-Point Protocol over Ethernet). This configuration is required if your ISP uses PPPoE to assign the IP add...

[Page 17] D-Link DFL-1100 - Security Appliance

WAN Interface Settings – Using PPTP: PPTP over Ethernet connections are used in some DSL and cable modem networks. You need your account details, and possibly also IP configuration parameters of the actual physical interface that the PPTP tun...

[Page 18] D-Link DFL-1100 - Security Appliance

WAN Interface Settings – Using BigPond: The ISP Telstra BigPond uses BigPond for authentication; the IP is assigned with DHCP. • Username – The login or username supplied to you by your ISP. • Password – The password supplied t...

[Page 19] D-Link DFL-1100 - Security Appliance

MTU Configuration: To improve the performance of your Internet connection, you can adjust the maximum transmission unit (MTU) of the packets that the DFL-1100 transmits from its external interface. Ideally, you want this MTU to be the same as the...

[Page 20] D-Link DFL-1100 - Security Appliance

VLAN: Click on System in the menu bar, and then click VLAN below it; this will give a list of all configured VLANs. Add a new VLAN: Follow these steps to add a new route. Step 1. Go to System and VLAN. St...

[Page 21] D-Link DFL-1100 - Security Appliance

Routing: Click on System in the menu bar, and then click Routing below it; this will give a list of all configured routes. The Routes configuration section describes the firewall’s routing table. DFL-1100 uses ...

[Page 22] D-Link DFL-1100 - Security Appliance

Add a new Static Route: Follow these steps to add a new route. Step 1. Go to System and Routing. Step 2. Click on Add new at the bottom of the routing table. Step 3. Choose the interface that the route should be sent through from the dropdown ...

[Page 23] D-Link DFL-1100 - Security Appliance

High Availability: D-Link High Availability works by adding a back-up firewall to your existing firewall. The back-up firewall has the same configuration as the primary firewall. It will stay inactive, monitoring the primary firewall, until it deem...

[Page 24] D-Link DFL-1100 - Security Appliance

IP Addresses explained: For each cluster interface, there are three IP addresses: • Two "real" IP addresses; one for each firewall. These addresses are used to communicate with the firewalls themselves, i.e. for remote control and ...

[Page 25] D-Link DFL-1100 - Security Appliance

Cluster heartbeats: A firewall detects that its peer is no longer operational when it can no longer hear "cluster heartbeats" from its peer. Currently, a firewall will send five cluster heartbeats per second. When a firewall has "m...

[Page 26] D-Link DFL-1100 - Security Appliance

Setting up a High Availability cluster: First of all, the two DFL-1100s need to be set up far enough that you can manage them over the web interface. In this example the two units are configured as follows: the master DFL-1100 will be configured with...

[Page 27] D-Link DFL-1100 - Security Appliance

When this is done you should click on Apply. Now log in to the slave firewall and click on System in the menu bar, and then click HA below it; in this screen you will click on Receive configuration from first unit. This will show the screen below; ...

[Page 28] D-Link DFL-1100 - Security Appliance

Logging: Click on System in the menu bar, and then click Logging below it. Logging, the ability to audit decisions made by the firewall, is a vital part of all network security products. The D-Link DFL-1100 provides several options for logging...

[Page 29] D-Link DFL-1100 - Security Appliance

configurable. It’s also possible to have E-mail alerting for IDS/IDP events to up to three email addresses. Enable Logging: Follow these steps to enable logging. Step 1. Enable syslog by checking the Syslog box. Step 2. Fill in your first syslo...

[Page 30] D-Link DFL-1100 - Security Appliance

Time: Click on System in the menu bar, and then click Time below it. This will give you the option to either set the system time by syncing to an Internet Network Time Server (NTP) or by entering the system time by hand. ...

[Page 31] D-Link DFL-1100 - Security Appliance

Changing time zone: Follow these steps to change the time zone. Step 1. Choose the correct time zone in the drop down menu. Step 2. Specify your daylight time or choose no daylight saving time by checking the correct box. Click the Apply button b...

[Page 32] D-Link DFL-1100 - Security Appliance

Firewall Policy: The Firewall Policy configuration section is the "heart" of the firewall. The policies are the primary filter that is configured to allow or disallow certain types of network traffic through the firewall. The policie...

[Page 33] D-Link DFL-1100 - Security Appliance

Source and Destination Filter: Source Nets – Specifies the sender span of IP addresses to be compared to the received packet. Leave this blank to match everything. Source Users/Groups – Specifies if an authenticated username is needed for this ...

[Page 34] D-Link DFL-1100 - Security Appliance

the system administrators if email alerting is converted. D-Link updates the attack database periodically. There are two modes that can be configured, either Inspection Only or Prevention. Inspection Only will only inspect the traffic and if the...

[Page 35] D-Link DFL-1100 - Security Appliance

Add a new policy: Follow these steps to add a new outgoing policy. Step 1. Choose the LAN->WAN policy list from the available policy lists. Step 2. Click on the Add new link. Step 3. Fill in the following values: Name: Specifies a symbolic na...

[Page 36] D-Link DFL-1100 - Security Appliance

Change order of policy: Follow these steps to change the order of a policy. Step 1. Choose the policy list you would like to change order in from the available policy lists. Step 2. Click on the Edit link on the rule you want to delete. Step 3. C...

[Page 37] D-Link DFL-1100 - Security Appliance

Configure Intrusion Prevention: Follow these steps to configure IDP on a policy. Step 1. Choose the policy you would like to have IDP on. Step 2. Click on the Edit link on the rule you want to delete. Step 3. Enable the Intrusion Detection / Preventi...

[Page 38] D-Link DFL-1100 - Security Appliance

Port mapping / Virtual Servers: The Port mapping / Virtual Servers configuration section is where you can configure virtual servers like Web servers on the DMZ or similar. It’s also possible to regulate how bandwidth management, traffic shapi...

[Page 39] D-Link DFL-1100 - Security Appliance

Delete mapping: Follow these steps to delete a mapping. Step 1. Choose the mapping list (WAN, LAN or DMZ) you would like to delete the mapping from. Step 2. Click on the Edit link on the rule you want to delete. Step 3. Enable the Delete mapping ...

[Page 40] D-Link DFL-1100 - Security Appliance

Administrative users: Click on Firewall in the menu bar, and then click Users below it. This will show all the users, and the first section is the administrative users. The first column shows the access levels, Administrator and Read-only ...

[Page 41] D-Link DFL-1100 - Security Appliance

Change Administrative User Access level: To change the access level of a user, click on the user name and you will see the following screen. From here you can change the access level by choosing the appropriate level from the drop-down menu. Acce...

[Page 42] D-Link DFL-1100 - Security Appliance

Delete Administrative User: To delete a user click on the user name and you will see the following screen. Follow these steps to delete an Administrative User. Step 1. Click on the user you would like to change level of. Step 2. Enable the...

[Page 43] D-Link DFL-1100 - Security Appliance

Users: User Authentication allows an administrator to grant or reject access to specific users from specific IP addresses, based on their user credentials. Before any traffic is allowed to pass through any policies configured with username or gro...

[Page 44] D-Link DFL-1100 - Security Appliance

Enable User Authentication via HTTP / HTTPS: Follow these steps to enable User Authentication. Step 1. Enable the checkbox for User Authentication. Step 2. Specify if HTTP and HTTPS or only HTTPS should be used for the login. Step 3. Speci...

[Page 45] D-Link DFL-1100 - Security Appliance

Add User: Follow these steps to add a new user. Step 1. Click on add after the type of user you would like to add, Admin or Read-only. Step 2. Fill in User name; make sure you are not trying to add one that already exists. Step 3. Specified...

[Page 46] D-Link DFL-1100 - Security Appliance

Delete User: To delete a user click on the user name and you will see the following screen. Follow these steps to delete a user. Step 1. Click on the user you would like to change level of. Step 2. Enable the Delete user checkbox. Click...

[Page 47] D-Link DFL-1100 - Security Appliance

Schedules: It is possible to configure a schedule for policies to take effect. By creating a schedule, the DFL-1100 is allowing the firewall policies to be used at those designated times only. Any activities outside of the scheduled time ...

[Page 48] D-Link DFL-1100 - Security Appliance

Add new one-time schedule: Follow these steps to add new recurring schedule. Step 1. Go to Firewall and Schedules and choose Add new. Step 2. Choose the starting and ending date and hour when the schedule should be active. Step 3. Use the chec...

[Page 49] D-Link DFL-1100 - Security Appliance

Services: A service is basically a definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as using the TCP protocol with destination port 80. Services are simplistic, in that they cannot carr...

[Page 50] D-Link DFL-1100 - Security Appliance

Adding IP Protocol: When the type of the service is IP Protocol, an IP protocol number may be specified in the text field. To have the service match the GRE protocol, for example, the IP protocol should be specified as 47. A list of some define...

[Page 51] D-Link DFL-1100 - Security Appliance

Protocol-independent settings: Allow ICMP errors from the destination to the source – ICMP error messages are sent in several situations: for example, when an IP packet cannot reach its destination. The purpose of these error control messages is ...

[Page 52] D-Link DFL-1100 - Security Appliance

VPN: This chapter introduces IPSec, the method, or rather set of methods used to provide VPN functionality. IPSec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force, to provide IP security at...

[Page 53] D-Link DFL-1100 - Security Appliance

IPSec VPN between two networks: In the following example users on the main office internal network can connect to the branch office internal network and vice versa. Communication between the two networks takes place in an encrypted VPN tunnel that co...

[Page 54] D-Link DFL-1100 - Security Appliance

IPSec VPN between client and an internal network: In the following example users can connect to the main office internal network from anywhere on the Internet. Communication between the client and the internal network takes place in an encrypt...

[Page 55] D-Link DFL-1100 - Security Appliance

VPN – Advanced Settings: Advanced settings for a VPN tunnel are used when one needs to change some characteristics of the tunnel, for example when trying to connect to a third-party VPN Gateway. The different settings to set per tunnel are the fo...

[Page 56] D-Link DFL-1100 - Security Appliance

Proposal Lists: To agree on the VPN connection parameters, a negotiation process is performed. As the result of the negotiations, the IKE and IPSec security associations (SAs) are established. As the name implies, a proposal is the starting poi...

[Page 57] D-Link DFL-1100 - Security Appliance

Certificates: A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities. These types of certificates are commonly called e...

[Page 58] D-Link DFL-1100 - Security Appliance

Note: If the uploaded certificate is a CA certificate, it will automatically be placed in the Certificate Authorities list, even if Add New was clicked in the Remote Peers list. Similarly, a non-CA certificate will be placed in the Remote Peer...

[Page 59] D-Link DFL-1100 - Security Appliance

Content Filtering: DFL-1100 HTTP content filtering can be configured to scan all HTTP content protocol streams for URLs or for web page content. If a match is found between a URL on the URL block the DFL-1100 blocks the web page. You can configur...

[Page 60] D-Link DFL-1100 - Security Appliance

Edit the URL Global Blacklist: Follow these steps to add or remove a URL. Step 1. Go to Firewall and Content Filtering and choose Edit global URL blacklist. Step 2. Add/edit or remove the URL that should be checked with the Content Fil...

[Page 61] D-Link DFL-1100 - Security Appliance

Active content handling: Active content handling can be enabled or disabled by checking the checkbox before each type you would like to strip. For example to strip ActiveX and Flash enable the checkbox named Strip ActiveX objects. It’s possible t...

[Page 62] D-Link DFL-1100 - Security Appliance

Servers. DHCP Server Settings: The DFL-1100 contains a DHCP server; DHCP (Dynamic Host Configuration Protocol) is a protocol that lets network administrators automatically assign IP numbers to computers on a network. The DFL-1100 DHCP Serve...

[Page 63] D-Link DFL-1100 - Security Appliance

Enable DHCP Server: To enable the DHCP Server on an interface, click on Servers in the menu bar, and then click DHCP Server below it. Follow these steps to enable the DHCP Server on the LAN interface. Step 1. Choose the LAN interface from the Avai...

[Page 64] D-Link DFL-1100 - Security Appliance

DNS Relayer Settings: Click on Servers in the menu bar, and then click DNS Relay below it. The DFL-1100 contains a DNS relayer that can be configured to relay DNS queries from the internal LAN to the DNS servers used by the firewall itself....

[Page 65] D-Link DFL-1100 - Security Appliance

Disable DNS Relayer: Follow these steps to disable the DNS Relayer. Step 1. Disable by un-checking the Enable DNS Relayer box. Click the Apply button below to apply the setting or click Cancel to discard changes. ...

[Page 66] D-Link DFL-1100 - Security Appliance

Tools. Ping: Click on Tools in the menu bar, and then click Ping below it. This tool is used to send a specified number of ICMP Echo Request packets to a given destination. All packets are sent in immediate succession rather than one per second...

[Page 67] D-Link DFL-1100 - Security Appliance

Dynamic DNS: The Dynamic DNS (requires Dynamic DNS Service) allows you to alias a dynamic IP address to a static hostname, allowing your device to be more easily accessed by specific name. When this function is enabled, the IP address in Dynamic DN...

[Page 68] D-Link DFL-1100 - Security Appliance

Backup: Click on Tools in the menu bar, and then click Backup below it. Here an administrator can back up and restore the configuration. The configuration file stores system settings, IP addresses of Firewall’s network interfaces, addre...

[Page 69] D-Link DFL-1100 - Security Appliance

Restart/Reset. Restarting the DFL-1100: Follow these steps to restart the DFL-1100. Step 1. Choose if you want to do a quick or full restart. Step 2. Click Restart Unit and the unit will restart. Restoring system settings to factory defaults: Use t...

[Page 70] D-Link DFL-1100 - Security Appliance

Follow these steps to reset the DFL-1100 to factory default. Step 1. Under the Tools menu and the Reset section, click on the Reset to Factory Defaults button. Step 2. Click OK in the dialog to reset the unit to factory default, or press Cancel...

[Page 71] D-Link DFL-1100 - Security Appliance

Upgrade: The DFL-1100’s software, IDS signatures and system parameters are all stored on a flash memory card. The flash memory card is re-writable and re-readable. Upgrade Firmware: To upgrade the firmware, first download the correct fir...

[Page 72] D-Link DFL-1100 - Security Appliance

Status: In this section, the DFL-1100 displays the status information about the Firewall. Administrator may use Status to check the System Status, Interface statistics, VPN, connections and DHCP Servers. System: Click on Status in the menu bar...

[Page 73] D-Link DFL-1100 - Security Appliance

Interfaces: Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the interfaces in the DFL-1100. By default information about the LAN interface will be shown; to see another one click ...

[Page 74] D-Link DFL-1100 - Security Appliance

HA: Click on Status in the menu bar, and then click HA below it. A window will appear providing information about the HA Cluster configured in the DFL-1100. Status - Status of the cluster, will show if the unit is active or inactive. Clus...

[Page 75] D-Link DFL-1100 - Security Appliance

VLAN: Click on Status in the menu bar, and then click VLAN below it. A window will appear providing information about the virtual interfaces configured in the DFL-1100. VLAN Interface – Name of the virtual interface shown. VLAN ID – ID ...

[Page 76] D-Link DFL-1100 - Security Appliance

VPN: Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the VPN connections done in the DFL-1100. By default information about the first VPN tunnel will be shown; to see another ...

[Page 77] D-Link DFL-1100 - Security Appliance

Connections: Click on Status in the menu bar, and then click Connections below it. A window will appear providing information about the content of the state table. Shows the last 100 connections opened through the firewall. Connections are cre...

[Page 78] D-Link DFL-1100 - Security Appliance

DHCP Server: Click on Status in the menu bar, and then click DHCP Server below it. A window will appear providing information about the configured DHCP Servers. By default information about the LAN interface will be shown; to see another one c...

[Page 79] D-Link DFL-1100 - Security Appliance

How to read the logs: Although the exact format of each log entry depends on how your syslog recipient works, most are very much alike. The way in which logs are read is also dependent on how your syslog recipient works. Syslog daemons on UNIX serv...

[Page 80] D-Link DFL-1100 - Security Appliance

Oct 20 2003 09:47:56 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80
In this line, traffic from 192.168.0.10 on the ...

[Page 81] D-Link DFL-1100 - Security Appliance

Appendixes. Appendix A: ICMP Types and Codes. The Internet Control Message Protocol (ICMP) has many messages that are identified by a “type” field; many of these ICMP types have a "code" field. Here we list the types with their assig...

[Page 82] D-Link DFL-1100 - Security Appliance

Code 1: Redirect Datagram for the Host (RFC792); Code 2: Redirect Datagram for the Type of Service and Network (RFC792); Code 3: Redirect Datagram for the Type of Service and Host (RFC792). Type 8: Echo; Code 0: No Code (RFC792). Type 9: Router Advertisement; Code 0: Nor...

[Page 83] D-Link DFL-1100 - Security Appliance

Appendix B: Common IP Protocol Numbers. These are some of the more common IP protocols; for all of them, follow the link after the table.
Decimal | Keyword | Description | Reference
1 | ICMP | Internet Control Message | RFC792
2 | IGMP | Internet Group Management ...

[Page 84] D-Link DFL-1100 - Security Appliance

LIMITED WARRANTY: D-Link provides this limited warranty for its product only to the person or entity who originally purchased the product from D-Link or its authorized reseller or distributor. Limited Hardware Warranty: D-Link warrants that the ...

[Page 85] D-Link DFL-1100 - Security Appliance

What You Must Do For Warranty Service: Registration Card. The Registration Card provided at the back of this manual must be completed and returned to an Authorized D-Link Service Office for each D-Link product within ninety (90) days after t...

[Page 86] D-Link DFL-1100 - Security Appliance

EXCEPT AS EXPRESSLY COVERED UNDER THE LIMITED WARRANTY PROVIDED HEREIN, THE ENTIRE RISK AS TO THE QUALITY, SELECTION AND PERFORMANCE OF THE PRODUCT IS WITH THE PURCHASER OF THE PRODUCT. Limitation of Liability: TO THE MAXIMUM EXTENT PERMITTED B...

[Page 87] D-Link DFL-1100 - Security Appliance

13. Never allow objects or liquids to enter the device through the ventilation openings. This could cause a fire or an electric shock. 14. Never open the device. The device may, for reasons of ele...

[Page 88] D-Link DFL-1100 - Security Appliance

FCC Warning: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a res...

[Page 89] D-Link DFL-1100 - Security Appliance

International Offices
U.S.A: 17595 Mt. Herrmann Street, Fountain Valley, CA. 92708. TEL: 714-885-6000, Fax 866-743-4905, URL: www.dlink.com
Canada: 2180 Winston Park Drive, Oakvil...

[Page 90] D-Link DFL-1100 - Security Appliance

Registration Card. Print, type or use block letters. Your name: Mr./Ms ________ Organization: ________ Dept. ________...

[Page 91] D-Link DFL-1100 - Security Appliance

...