D-Link DFL-500 User Manual

DFL-500 SOHO Firewall User's Manual, Rev. 02 (March, 2002). D-Link Systems, Inc.

Summary of Contents for D-Link DFL-500

  • Page 1 DFL-500 SOHO Firewall User’s Manual, Rev. 02 (March, 2002), D-Link Systems, Inc.
  • Page 2 © Copyright 2002 D-Link Systems, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of D-Link Systems, Inc.
  • Page 3: Table Of Contents

    Configuring the DFL-500 from the CLI (19); Connecting to the CLI (19); Configuring the DFL-500 to run in NAT mode (19); Configuring the DFL-500 to run in Transparent mode (20); Connecting the DFL-500 to your network (21); Configuring your internal network...
  • Page 4 Adding internal and external addresses (45); Adding an IPSec VPN policy (46); Autokey IPSec VPN for remote clients (47); Configuring the VPN tunnel for the client VPN (48); Adding internal and external addresses (49)
  • Page 5 Configuring a Windows 98 client for PPTP (58); Configuring a Windows 2000 Client for PPTP (59); Configuring a Windows XP Client to connect to a DFL-500 PPTP VPN (59); PPTP VPN pass through (60); PPTP client to network VPN pass through (61); L2TP VPN configuration...
  • Page 6 System status (89); Changing the operating mode (89); Upgrading the DFL-500 firmware (89); Updating your antivirus database (89); Displaying the DFL-500 serial number (90); Backing-up system settings (90); Restoring system settings (90)
  • Page 7 Configuring the external interface for PPPoE (93); Changing MTU size to improve network performance (94); Setting DNS server addresses (94); Controlling management access to the DFL-500 (94); Configuring routing (95); Enabling RIP server support (95); Providing DHCP services to your internal network (96); System configuration...
  • Page 9: Introducing The Dfl-500

    Network Address Translation (NAT) In NAT mode, the DFL-500 is installed as a privacy barrier between the private network and the Internet. The firewall provides network address translation to protect the private network. In NAT mode, you can add an internal network to provide public access to Internet servers while protecting them behind the firewall on a separate internal network.
  • Page 10: Transparent Mode

    The internal and external network interfaces of the DFL-500 can be in the same network; therefore, the DFL-500 can be inserted into your network at any point without the need to make any changes to your network.
  • Page 11: Virus And Worm Protection

    Dynamic link libraries (dll) • MS Office files. You can configure DFL-500 virus scanning to block the target files or scan them for viruses and worms. You can configure three levels of virus protection: • High level protection removes target files from HTTP transfers and email attachments before they pass through the firewall. With high level protection turned on, the DFL-500 does not perform virus scanning.
  • Page 12: Secure Installation, Configuration, And Management

    Secure installation, configuration, and management Installation is quick and simple. All that is required to get the DFL-500 up and running and protecting your network is to connect to the web-based manager and use the firewall setup wizard. You can also do the basic configuration from the DFL-500 command line interface (CLI).
  • Page 13: About This Document

    Report traffic that was denied by firewall policies • Report configuration changes Logs can be sent to a remote syslog server. About this document This user manual describes how to install and configure the DFL-500. This document contains the following information: • Installing the DFL-500 •...
  • Page 14: Installing The Dfl-500

    Before you start Before starting the installation of the DFL-500, you must decide whether you are going to be running it in NAT mode or Transparent mode. This choice determines the information that you require to install the DFL-500 as well as the installation steps that you perform.
  • Page 15: Transparent Mode Install

    Primary, Secondary. 5. DHCP Server (optional): If you plan to use the DFL-500 as a DHCP server to assign IP addresses to the computers on your internal network, you must specify the IP address range reserved to be assigned by the DHCP server.
  • Page 16: Unpacking The Dfl-500

    DFL-500 package contents. Mounting the DFL-500: The DFL-500 can be installed on any stable surface. Make sure the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling. Dimensions •...
  • Page 17: Powering On The Dfl-500

    • Connect the power cord to a power outlet. The DFL-500 starts up. The Power and Status lights light. The Status light flashes while the DFL-500 is starting up and remains lit when the system is up and running. Front and back view of the DFL-500...
  • Page 18: Starting The Firewall Setup Wizard

    PPPoE user name and password. • Click OK. You have now completed the initial configuration of the DFL-500, and you can proceed to connect the DFL-500 to your network using the information in Connecting the DFL-500 to your network.
  • Page 19: Configuring The Dfl-500 From The Cli

    Configuring the DFL-500 to run in Transparent mode. Configuring the DFL-500 to run in NAT mode: The procedures in this section describe how to use the CLI to configure the DFL-500 to run in NAT mode. Configuring NAT mode IP addresses •...
  • Page 20: Configuring The Dfl-500 To Run In Transparent Mode

    Confirm that the addresses are correct. Enter: get system interface. The CLI lists the IP address and netmask settings for each of the DFL-500 interfaces as well as the mode of the external interface (manual, DHCP, or PPPoE). Configure the NAT mode default gateway •...
  • Page 21: Connecting The Dfl-500 To Your Network

    set system manageip gateway <IP Address> (example: set system manageip gateway 192.168.1.20). You have now completed the initial configuration of the DFL-500 and you can proceed to connect the DFL-500 to your network using the information in Connecting the DFL-500 to your network that follows.
  • Page 22: Configuring Your Internal Network

    DHCP. Use the internal address of the DFL-500 as the DHCP server IP address. If you are running the DFL-500 in Transparent mode, you do not have to make any changes to your network. Once the DFL-500 is connected, make sure it is functioning properly by connecting to the Internet from a computer on your internal network.
  • Page 23: Firewall Configuration

    Traffic shaping. Policies: By default the DFL-500 firewall allows all connections from the internal network to the Internet and blocks all connections from the Internet. Customizing the firewall configuration involves creating firewall policies to allow some connections that are blocked by default and to block or control some connections that are allowed by default.
  • Page 24: Policy Information

    A policy can specify that the firewall accepts, denies, or requests authentication for the connection. A policy can also trigger traffic log messages when the policy processes traffic and can apply traffic shaping to the traffic controlled by the policy. The parts of a DFL-500 policy: Identifying information. Source: The IP address from which a user or service can connect to the firewall.
  • Page 25 Optionally select Traffic Shaping to control the bandwidth available to, and set the priority of, the traffic processed by the policy. See Traffic shaping. Click OK to save the policy. Sample Int to Ext (Outgoing) policy:
  • Page 26: Editing Policies

    POP3 to get email, use FTP to download files through the DFL-500 and so on. If the default policy is at the top of the internal policy list, the DFL-500 allows all connections from the internal network to the Internet because all connections match with the default policy.
  • Page 27: Accepting Incoming Connections In Nat Mode

    Accepting incoming connections in NAT mode Running the DFL-500 in NAT mode hides the actual addresses of the computers on your internal network from the Internet. To provide Internet access to a server on your internal network, you must add a Virtual IP that creates an association between the Internet IP address of the server and the actual address of the computer on your internal network that is running the server.
  • Page 28: Controlling Connections To The Internet

    Example policy to deny access. Controlling connections to the Internet: By default, the DFL-500 accepts all connections from the internal network to the Internet. If you do not want to enforce restrictions on access to the Internet, you do not have to change anything.
  • Page 29: Accepting Connections To The Internet From The Internal Network

    To services (see Services) • According to a one-time or recurring schedule (see Schedules). Policies that accept connections can be used in the following ways: • Add policies that accept connections as exceptions to policies that deny connections
  • Page 30: Requiring Authentication To Connect To The Internet

    Requiring authentication to connect to the Internet When running the DFL-500 in NAT mode, you can configure policies to require users on the internal network to enter a user name and password to access the Internet. To require authentication you must add users to...
  • Page 31: Addresses

    Addresses All DFL-500 policies require source and destination IP addresses. By default the DFL-500 includes two addresses that cannot be edited or deleted: • Internal_All on the Internal address list which represents the IP addresses of all of the computers on your internal network •...
  • Page 32: Editing Addresses

    This section describes: • Pre-defined services • Providing access to custom services • Grouping services. Pre-defined services: The DFL-500 pre-defined services are listed in the table DFL-500 pre-defined services (columns: Service, Source, Destination, Description, Protocol)...
  • Page 33: Providing Access To Custom Services

    The name can contain numbers (0-9) and upper and lower case letters (A-Z, a-z), and the special characters - and _. Spaces and the @ character are not allowed. • Select the protocol (either TCP or UDP) used by the service.
  • Page 34: Grouping Services

    Members list. • To remove services from the service group, select a service from the Members list and click the left arrow to remove it from the group. • Click OK to add the service group.
  • Page 35: Schedules

    - and _. Spaces and the @ character are not allowed. • Specify the Start date and time for the schedule. Set start and stop times to 00 for the schedule to cover the entire day.
  • Page 36: Creating Recurring Schedules

    Select the days of the week that are working days. • Set the Start Hour and the End Hour to the start and end of the work day. The Recurring schedule uses a 24-hour clock. • Click OK.
  • Page 37: Applying A Schedule To A Policy

    Arranging a one-time schedule in the policy list to deny access. Users and authentication: You can configure the DFL-500 to require users to authenticate (enter a user name and password) to access services through the firewall. To configure authentication you need to add user names and passwords to the firewall and then add policies that require authentication.
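
Policy order is the whole point of Pages 26-29, and the schedules of Pages 35-37 only matter once a policy is reached: the firewall takes the first policy in the list that matches, so a deny policy placed below the accept-all default never fires. The following Python is an added example, not code from the manual or from D-Link, that models that first-match walk together with a recurring schedule and reports policies that are shadowed by a policy above them. The policy and schedule fields, the CIDR address objects, the policy names, and the sample addresses and times are constructions for this example; only the 192.168.1.0 internal network comes from the manual.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Schedule:
    """Recurring schedule as on Pages 36-37: active on the listed weekdays
    (0 = Monday) from start_hour up to but not including end_hour, 24-hour
    clock.  Start 00 and end 00 means the whole day."""
    days: frozenset
    start_hour: int = 0
    end_hour: int = 0

    def active(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        if self.start_hour == 0 and self.end_hour == 0:
            return True
        return self.start_hour <= when.hour < self.end_hour


@dataclass
class Policy:
    name: str
    src: str                                   # CIDR of the source address object
    dst: str                                   # CIDR of the destination address object
    action: str = "accept"                     # "accept" or "deny"
    service: Optional[Tuple[str, int]] = None  # (protocol, port); None means ANY
    schedule: Optional[Schedule] = None        # None means always

    def matches(self, pkt: dict, when: datetime) -> bool:
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.service is not None and self.service != (pkt["proto"], pkt["dport"]):
            return False
        if self.schedule is not None and not self.schedule.active(when):
            return False
        return True


def evaluate(policies: List[Policy], pkt: dict, when: datetime) -> Tuple[str, str]:
    """Top-to-bottom, first match wins; no match is treated as deny here."""
    for p in policies:
        if p.matches(pkt, when):
            return p.action, p.name
    return "deny", "<no matching policy>"


def covers(earlier: Policy, later: Policy) -> bool:
    """True when every connection 'later' could match is already claimed by 'earlier'."""
    return (ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and (earlier.service is None or earlier.service == later.service)
            and earlier.schedule is None)


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of policies that can never fire because a policy above them covers them."""
    return [p.name for i, p in enumerate(policies) if any(covers(q, p) for q in policies[:i])]


# Constructed sample: the manual's default internal network and a documentation-range server.
INTERNAL_ALL = "192.168.1.0/24"
EXTERNAL_ALL = "0.0.0.0/0"
WORK_HOURS = Schedule(days=frozenset({0, 1, 2, 3, 4}), start_hour=9, end_hour=17)

DEFAULT_POLICY = Policy("Default_Int_to_Ext", INTERNAL_ALL, EXTERNAL_ALL, "accept")
DENY_FTP = Policy("Deny_FTP", INTERNAL_ALL, EXTERNAL_ALL, "deny", service=("tcp", 21))
DENY_HTTP_WORKHOURS = Policy("Deny_HTTP_Workhours", INTERNAL_ALL, EXTERNAL_ALL, "deny",
                             service=("tcp", 80), schedule=WORK_HOURS)

WRONG_ORDER = [DEFAULT_POLICY, DENY_FTP, DENY_HTTP_WORKHOURS]  # default policy on top
RIGHT_ORDER = [DENY_FTP, DENY_HTTP_WORKHOURS, DEFAULT_POLICY]  # exceptions above the default

FTP_PKT = {"src": "192.168.1.50", "dst": "203.0.113.10", "proto": "tcp", "dport": 21}
HTTP_PKT = {"src": "192.168.1.50", "dst": "203.0.113.10", "proto": "tcp", "dport": 80}
WED_NOON = datetime(2002, 1, 23, 12, 0)   # a working day
SAT_NOON = datetime(2002, 1, 26, 12, 0)   # a weekend day

if __name__ == "__main__":
    print("wrong order, FTP:", evaluate(WRONG_ORDER, FTP_PKT, WED_NOON))
    print("right order, FTP:", evaluate(RIGHT_ORDER, FTP_PKT, WED_NOON))
    print("shadowed in wrong order:", shadowed(WRONG_ORDER))
```

With the default policy on top, the FTP deny and the working-hours HTTP deny are both reported as shadowed and the FTP connection is accepted; moving the two exceptions above the default makes them effective, and the HTTP deny lapses on Saturday when its schedule is inactive.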
  • Page 38: Adding User Names And Passwords

    The default authentication time out is 5 minutes. Adding authentication to a policy: Once you have added user names and passwords, you can add or edit policies to require authentication. • Go to Firewall > Policy .
  • Page 39: Virtual Ips

    Virtual IPs Running the DFL-500 in NAT mode hides the addresses of the computers on your internal network from the Internet. To provide Internet access to a server on your internal network, you must make an association between the Internet address of the server and the actual IP address of the computer on the internal network that is running the server.
  • Page 40: Ip/Mac Binding

    MAC address that the packet originated from matches the MAC address in the table. The DFL-500 checks all packets arriving at the DFL-500 whether they are directed at the DFL-500 or are meant to be passed through.
  • Page 41: Traffic Shaping

    Configure traffic shaping for the policy. Guaranteed bandwidth: Available in a future release. Maximum bandwidth: Available in a future release. Traffic Priority: Select high, medium, or low. • Click OK to save your changes to the policy.
  • Page 42: Ipsec Vpns

    Because the DFL-500 supports the IPSec industry standard for VPN, you can configure a VPN between the DFL-500 and any third party VPN client or gateway/firewall that supports IPSec VPN. To successfully establish the tunnel, the VPN settings must be the same on the DFL-500 and the third party product. DFL-500 IPSec VPNs support: •...
  • Page 43: Autokey Ipsec Vpn Between Two Networks

    Communication between the two networks takes place in an encrypted VPN tunnel that connects the two DFL-500 VPN gateways across the Internet. Users on the internal networks are not aware that when they connect to a computer on the other network that the connection is across the Internet.
  • Page 44: Creating The Vpn Tunnel

    During the second phase (P2) the VPN gateways negotiate to select a common algorithm for data communication. When you select algorithms for the P2 Proposal, you are selecting the algorithms that the DFL-500 will propose during Phase 2 negotiation. Again, during P2, each VPN gateway should have at least one algorithm in common.
  • Page 45: Adding Internal And External Addresses

    Name: The name to assign to the internal network to be connected to the opposite end of the VPN tunnel. IP address: The IP address and netmask of the internal network at the other end of the VPN tunnel. Example settings: Branch_Office, 192.168.2.0, netmask 255.255.255.0; Main_Office, 192.168.1.0, netmask 255.255.255.0.
  • Page 46: Adding An Ipsec Vpn Policy

    Complete the following procedure on both VPN gateways to add the VPN policy: • Go to VPN > IPSEC > Policy . • Click New to add a new IPSec VPN policy. • Configure the VPN Policy. • Click OK to save the VPN policy.
  • Page 47: Autokey Ipsec Vpn For Remote Clients

    Communication between the remote users and the internal network takes place over an encrypted VPN tunnel that connects the remote user to the DFL-500 VPN gateway across the Internet. Once connected to the VPN, the remote user's computer appears as if it is installed on the internal network.
  • Page 48: Configuring The Vpn Tunnel For The Client Vpn

    Enter up to 20 characters. The VPN gateway and clients must have the same key, and it should only be known by network administrators (example key: ddcHH01887d). Complete the following procedure on the DFL-500 VPN gateway. • Go to VPN > IPSEC > Autokey IKE .
  • Page 49: Adding Internal And External Addresses

    Example VPN Gateway policy configuration. Source IP address: The Internal IP address (see Example VPN Gateway IP Addresses); example setting Main_Office. Destination IP address: The Internet IP address of the client (see Example VPN Gateway IP Addresses); example setting VPN_Client.
  • Page 50: Configuring The Ipsec Vpn Client

    (for an example, see Example VPN between two internal networks). Each internal network can be protected by a DFL-500 VPN gateway or one of the networks can be protected by a third-party VPN gateway. This section describes: •...
  • Page 51: Adding Internal And External Addresses

    Local SPI: Enter a hexadecimal number of up to eight digits. This number must be added as the Remote SPI at the opposite end of the tunnel. Remote Gateway: Enter the external IP address of the DFL-500 or other IPSec gateway at the opposite end of the tunnel. Encryption: Select an algorithm from the list.
  • Page 52: Adding An Ipsec Vpn Policy

    Manual key exchange VPNs do not support VPN clients with dynamic IP addresses. The VPN client PC must have industry standard VPN client software installed. DFL-500 VPN is based on the industry standard IPSec implementation of VPN making it interoperable with other IPSec VPN products (see Compatibility with third-party VPN products).
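
The manual repeats on Pages 42, 44, 48 and 51 that a tunnel only comes up when both ends agree: at least one Phase 1 and one Phase 2 proposal in common, the same pre-shared key of up to 20 characters, and for manual keys a Local SPI (hexadecimal, up to eight digits) that is entered as the Remote SPI at the far end. The following Python is an added example, not D-Link's code, that checks two gateway configurations against those rules before they are typed into the web-based manager. The dictionary layout, the proposal names and the documentation IP ranges used as external addresses are assumptions of this example; only the key ddcHH01887d and the two 192.168.x.0 networks come from the manual.

```python
import re
from typing import Dict, List

SPI_RE = re.compile(r"^[0-9A-Fa-f]{1,8}$")   # hexadecimal, up to eight digits (Page 51)


def common_proposals(local: List[str], remote: List[str]) -> List[str]:
    """Proposals both ends accept, in the local end's preference order."""
    return [p for p in local if p in remote]


def check_peering(a: Dict, b: Dict) -> List[str]:
    """Checks shared by autokey and manual-key tunnels: each end must name the
    other's external IP as its Remote Gateway and the other's internal network as
    its remote address object (the Main_Office/Branch_Office pair on Page 45)."""
    problems = []
    for tag, me, peer in (("a", a, b), ("b", b, a)):
        if me["remote_gateway"] != peer["external_ip"]:
            problems.append(f"{tag}: remote_gateway {me['remote_gateway']} is not the peer's external IP")
        if me["remote_net"] != peer["local_net"]:
            problems.append(f"{tag}: remote_net {me['remote_net']} is not the peer's internal network")
    return problems


def check_autokey(a: Dict, b: Dict) -> List[str]:
    """Autokey IKE: a P1 and a P2 proposal in common, identical PSK of 1-20 characters."""
    problems = check_peering(a, b)
    for phase in ("p1_proposals", "p2_proposals"):
        if not common_proposals(a[phase], b[phase]):
            problems.append(f"{phase}: no algorithm in common")
    for tag, cfg in (("a", a), ("b", b)):
        if not 1 <= len(cfg["psk"]) <= 20:
            problems.append(f"{tag}: pre-shared key must be 1-20 characters")
    if a["psk"] != b["psk"]:
        problems.append("psk: keys differ")
    return problems


def check_manual_key(a: Dict, b: Dict) -> List[str]:
    """Manual key: SPIs are hex of up to 8 digits and mirrored, algorithm and key identical."""
    problems = check_peering(a, b)
    for tag, cfg in (("a", a), ("b", b)):
        for field in ("local_spi", "remote_spi"):
            if not SPI_RE.match(cfg[field]):
                problems.append(f"{tag}.{field}: {cfg[field]!r} is not a hex number of up to 8 digits")
    if a["local_spi"].lower() != b["remote_spi"].lower():
        problems.append("a.local_spi must equal b.remote_spi")
    if b["local_spi"].lower() != a["remote_spi"].lower():
        problems.append("b.local_spi must equal a.remote_spi")
    for field in ("encryption", "encryption_key"):
        if a[field] != b[field]:
            problems.append(f"{field}: values differ")
    return problems


# Constructed sample: the two gateways of Page 45, with documentation IP ranges as
# external addresses and illustrative proposal names (not a DFL-500 algorithm list).
MAIN_OFFICE = {
    "external_ip": "203.0.113.1", "local_net": "192.168.1.0/24",
    "remote_gateway": "198.51.100.1", "remote_net": "192.168.2.0/24",
    "p1_proposals": ["3des-sha1", "des-md5"], "p2_proposals": ["3des-sha1", "3des-md5"],
    "psk": "ddcHH01887d",                     # the manual's example key
    "local_spi": "1A2B3C", "remote_spi": "4D5E6F",
    "encryption": "3des", "encryption_key": "0123456789abcdef" * 3,
}
BRANCH_OFFICE = {
    "external_ip": "198.51.100.1", "local_net": "192.168.2.0/24",
    "remote_gateway": "203.0.113.1", "remote_net": "192.168.1.0/24",
    "p1_proposals": ["3des-sha1"], "p2_proposals": ["3des-md5"],
    "psk": "ddcHH01887d",
    "local_spi": "4d5e6f", "remote_spi": "1A2B3C",   # mirror of the main office SPIs
    "encryption": "3des", "encryption_key": "0123456789abcdef" * 3,
}
# A misconfigured branch: no P2 proposal in common and a nine-digit Remote SPI.
BRANCH_BAD = dict(BRANCH_OFFICE, p2_proposals=["des-md5"], remote_spi="123456789")

if __name__ == "__main__":
    print("autokey:", check_autokey(MAIN_OFFICE, BRANCH_OFFICE))
    print("manual key:", check_manual_key(MAIN_OFFICE, BRANCH_OFFICE))
    print("bad branch:", check_autokey(MAIN_OFFICE, BRANCH_BAD), check_manual_key(MAIN_OFFICE, BRANCH_BAD))
```

An empty list means the two ends are consistent; the misconfigured branch shows both the proposal mismatch that would stall Phase 2 and the SPI that the manual's "up to eight hexadecimal digits" rule rejects.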
  • Page 53: Testing A Vpn

    A visitor using your internal network can connect through your DFL-500 to their organization's VPN • A subnet on your Internal network, protected by a VPN gateway, can connect through your DFL-500 to a VPN on the Internet No special VPN configuration is required for the client or VPN gateway on your internal network. The VPN tunnel configuration of the VPN gateway on the Internet must be changed to accept connections from the IP address of the external interface of the DFL-500.
  • Page 54: Ipsec Network To Network Vpn Pass Through

    Configure the destination IPSec VPN Gateway with a VPN tunnel and policy to accept VPN connections from a VPN gateway with the static IP address of the external interface of the DFL-500 firewall. For more information about configuring the VPN client and IPSec VPN Gateway, see...
  • Page 55 When a computer on the internal IPSec VPN network connects to the internal network behind the destination IPSec VPN gateway, the DFL-500 firewall accepts IPSec VPN connections from the internal network and performs network address translation on them. The VPN packets are forwarded to the destination IPSec VPN gateway with a source address of the external interface of the DFL-500 firewall.
  • Page 56: Pptp And L2Tp Vpns

    RADIUS authentication for PPTP and L2TP VPNs. PPTP VPN configuration: This section describes how to configure the DFL-500 as a PPTP VPN server. This section also describes how to configure Windows 98, Windows 2000, and Windows XP clients to connect to the PPTP VPN.
  • Page 57: Configuring The Dfl-500 As A Pptp Server

    Configuring a Windows XP Client to connect to a DFL-500 PPTP VPN. Configuring the DFL-500 as a PPTP server: Use the following procedure to configure the DFL-500 to be a PPTP server. • Go to VPN > PPTP > PPTP User .
  • Page 58: Configuring A Windows 98 Client For Pptp

    Use the following procedure to configure a client machine running Windows 98 so that it can connect to a DFL-500 PPTP VPN. To configure the Windows 98 client, you must install and configure Windows Dial-Up Networking and virtual private networking support.
  • Page 59: Configuring A Windows 2000 Client For Pptp

    For Network Connection Type, select Connect to a private network through the Internet and click Next. • For Destination Address, enter the external address of the DFL-500 to connect to and click Next. • Set Connection Availability to Only for myself and click Next.
  • Page 60: Pptp Vpn Pass Through

    • If the Public Network dialog box appears, choose the appropriate initial connection and click Next. • In the VPN Server Selection dialog, enter the external IP address or hostname of the DFL-500 to connect to and click Next. •...
  • Page 61: Pptp Client To Network Vpn Pass Through

    • A subnet on your Internal network, protected by a VPN gateway, can connect through your DFL-500 to a VPN on the Internet No special VPN configuration is required for the client or VPN gateway on your internal network. The VPN tunnel configuration of the VPN gateway on the Internet must be changed to accept connections from the IP address of the external interface of the DFL-500.
  • Page 62: L2Tp Vpn Configuration

    DFL-500 firewall. L2TP VPN configuration: This section describes how to configure the DFL-500 as an L2TP VPN server. This section also describes how to configure Windows 2000 and Windows XP clients to connect to the L2TP VPN. Configuring L2TP is similar to configuring PPTP. You must configure the DFL-500 to support L2TP by adding L2TP users and specifying an L2TP address range.
  • Page 63: Configuring A Windows 2000 Client For L2Tp

    For Network Connection Type, select Connect to a private network through the Internet and click Next. • For Destination Address, enter the external address of the DFL-500 to connect to and click Next. • Set Connection Availability to Only for myself and click Next.
  • Page 64: Configuring A Windows Xp Client To Connect To A Dfl-500 L2Tp Vpn

    This user name and password are not the same as your VPN user name and password. Configuring a Windows XP Client to connect to a DFL-500 L2TP VPN: Use the following procedure to configure a client machine running Windows XP so that it can connect to a DFL-500 L2TP VPN.
  • Page 65 • If the Public Network dialog box appears, choose the appropriate initial connection and click Next. • In the VPN Server Selection dialog, enter the external IP address or hostname of the DFL-500 to connect to and click Next. •...
  • Page 66: Radius Authentication For Pptp And L2Tp Vpns

    When a PPTP or L2TP user connects to a DFL-500, their user name and password are checked against the DFL-500 PPTP or L2TP user name and password list. If a match is not found locally, the DFL-500 contacts the RADIUS server for authentication.
  • Page 67: Turning On Radius Authentication For Pptp

    RADIUS authentication can be turned on separately for PPTP and L2TP. To turn on RADIUS authentication for L2TP users: • Go to VPN > L2TP > L2TP Range . • Click to check Enable RADIUS. • Click Apply.
  • Page 68: Intrusion Detection System (Ids)

    With attack prevention configured, the DFL-500 monitors Internet connections for up to 11 common network attacks. If the DFL-500 detects one of these attacks, it takes action to prevent the attack from affecting your Internet connection. All attacks are recorded in the attack log. You can also configure the DFL-500 to send alert emails to system administrators if an attack is detected.
  • Page 69: Configuring Alert Email

    Make sure that the DNS server settings are correct for the DFL-500 (see Setting DNS server addresses). Because the DFL-500 uses the SMTP server name to connect to the mail server, it must be able to look up this name on your DNS server. Example alert email settings. Testing email alerts: You can test your email alert settings by sending a test email.
  • Page 70: Virus Protection

    If the DFL-500 detects a virus or worm in a file, the file is deleted from the data stream and replaced with an alert message. DFL-500 content virus and worm prevention is transparent to the end user. Client and server programs require no special configuration and D-Link high performance hardware and software ensure there are no noticeable download delays.
  • Page 71: High Level Virus Protection For Your Internal Network

    You would not normally run the DFL-500 with high level protection turned on. However, it is available for extremely high risk situations, where there is no other way to prevent viruses from entering your network.
  • Page 72: Medium Level Virus Protection For Your Internal Network

    High Security Alert!!! You are not allowed to download this type of file. Medium level virus protection for your internal network: Medium level protection scans all target files for viruses. You can configure the DFL-500 to scan target files for virus signatures and macro viruses.
  • Page 73: Low Level Virus Protection For Your Internal Network

    IMAP traffic. When the DFL-500 detects a virus and removes the infected file, the user who requested the file receives a message similar to the following: Sorry, Dangerous Attachment has been removed.
  • Page 74: High Level Virus Protection For Incoming Connections

    High Security Alert!!! You are not allowed to download this type of file. Medium level virus protection for incoming connections: Medium level protection scans all target files for viruses. You can configure the DFL-500 to scan target files for virus signatures and macro viruses.
  • Page 75: Low Level Virus Protection For Incoming Connections

    IMAP traffic. When the DFL-500 detects a virus and removes the infected file, the user who requested the file receives a message similar to the following: Sorry, Dangerous Attachment has been removed.
  • Page 76: Worm Protection For Your Internal Network

    This database is continuously updated by D-Link as new viruses and worms are encountered and defined. You should keep your antivirus database up to date so that the DFL-500 can protect your network from new viruses. You can update your antivirus database manually, or you can configure the DFL-500 to update the antivirus database automatically.
  • Page 77: Manual Antivirus Database Updates

    Go to System > Status to confirm that the Antivirus Database Version information has been updated. When a new virus protection database is made available by D-Link, you should upgrade your DFL-500 as soon as possible. If a new virus is reported and you are not able to upgrade the anti-virus database immediately, you can...
  • Page 78: Displaying Virus And Worm Lists

    Scroll through the virus list to view the names of all of the viruses in the list. • To display the worm list, go to Anti-Virus > Config > Worm List . • Scroll through the worm list to view the names of all of the worms in the list.
  • Page 79: Web Content Filtering

    • Click Enable Banned Word to enable content blocking. The DFL-500 is now configured to block web pages containing words added to the banned word list. Adding words to the banned word list Use the following procedure to add words to the banned word list after content blocking has been enabled.
  • Page 80: Temporarily Disabling The Banned Word List

    Creating the banned word list using a text editor You can create a list of banned words in a text editor and then upload this text file to the DFL-500. •...
  • Page 81: Block Access To Internet Sites

    To block access to internet sites, enable URL blocking and then create a list of URLs and URL patterns to be blocked. With URL blocking enabled and a list of URLs to be blocked, the DFL-500 blocks access to all web pages with the specified URLs or URL patterns.
  • Page 82: Temporarily Disabling The Url Block List

    URLs from the URL block list. Creating the URL block list using a text editor You can create a URL block list in a text editor and then upload this text file to the DFL-500. •...
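
As an added example of the URL block list and banned word list of Pages 79-82, and not code from the manual, the following Python reads both lists from the one-entry-per-line text-file form the manual says can be uploaded, refuses blocked URLs before any content is fetched, and then scans the page body for banned words. The manual does not define the pattern syntax or how words are matched, so shell-style wildcards for URL patterns and whole-word, case-insensitive matching for banned words are assumptions of this example, as are the sample lists and URLs.

```python
import re
from fnmatch import fnmatch
from typing import List, Optional, Tuple


def load_list(text: str) -> List[str]:
    """Parse an uploaded list file: one entry per line, blank lines and surrounding spaces ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def url_block_match(url: str, patterns: List[str]) -> Optional[str]:
    """Return the block-list entry that matches the URL, or None.
    Assumption of this example: an entry containing '*' is a shell-style wildcard;
    any other entry blocks that exact host/path and everything below it.  Matching
    ignores the scheme and case."""
    target = url.split("://", 1)[-1].lower()
    for entry in patterns:
        p = entry.lower()
        if "*" in p:
            if fnmatch(target, p):
                return entry
        elif target == p or target.startswith(p.rstrip("/") + "/"):
            return entry
    return None


def banned_word_match(page_text: str, banned: List[str]) -> Optional[str]:
    """Return the first banned word present in the page, or None.
    Assumption of this example: whole-word, case-insensitive matching."""
    for word in banned:
        if re.search(r"\b" + re.escape(word) + r"\b", page_text, re.IGNORECASE):
            return word
    return None


def filter_request(url: str, page_text: str, url_block: List[str], banned: List[str],
                   url_block_enabled: bool = True, banned_enabled: bool = True) -> Tuple[str, Optional[str]]:
    """('block', reason) or ('allow', None).  The URL list is consulted first, so a
    blocked site is refused before any content is fetched; the banned-word list
    then runs over the page body.  The enable flags model 'temporarily disabling'
    a list (Pages 80 and 82) without deleting its entries."""
    if url_block_enabled:
        hit = url_block_match(url, url_block)
        if hit is not None:
            return "block", f"url: {hit}"
    if banned_enabled:
        hit = banned_word_match(page_text, banned)
        if hit is not None:
            return "block", f"banned word: {hit}"
    return "allow", None


# Constructed sample lists in the text-file form the manual says can be uploaded.
URL_BLOCK = load_list("""
www.example.com
*.badsite.example/*
example.org/downloads
""")
BANNED = load_list("casino\nwarez\n")

if __name__ == "__main__":
    print(filter_request("http://www.example.com/index.html", "", URL_BLOCK, BANNED))
    print(filter_request("http://news.example.net/", "free casino bonus", URL_BLOCK, BANNED))
```

Whole-word matching is deliberate: a substring match on "casino" would also block a page containing "casinos", and a block list built that way generates the over-blocking the manual warns about for scripts on Page 83; if broader matching is wanted, add the plural as its own entry.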
  • Page 83: Remove Scripts From Web Pages

    Remove scripts from web pages Use the following procedure to configure the DFL-500 to remove scripts from web pages. You can configure the DFL-500 to block Java Applets, Cookies, Malicious Scripts and ActiveX. Blocking of any of these items may prevent some web pages from working properly.
  • Page 84: Logging And Reporting

    Selecting what to log. Recording logs on a remote computer: Use the following procedure to configure the DFL-500 to record logs onto a remote computer. To save log messages to this remote computer, it must be configured with a syslog server.
  • Page 85: Selecting What To Log

    Go to Log&Report > Log setting . • Click Sent Alert Email to add an entry to the event log whenever the DFL-500 sends an alert email. • Click Log All Internal Traffic To Firewall to record all connections to the internal interface.
  • Page 86: Traffic Log Message Format

    Traffic log message format Traffic logs record each connection made to a DFL-500 interface. Each traffic log message records the date and time at which the connection was made, the source and destination address of the connection, and whether the connection was accepted or denied by the firewall.
  • Page 87: Attack Log Message Format

    When running in Transparent mode, the DFL-500 does not create an Attack log. Attack log messages are created when the DFL-500 detects one of the attacks listed on the IDS > Attack Prevention page. A sample attack log message contains the following information: Jan 23 11:11:28 2002 Attack port scan between Wed Jan 23 11:06:55 2002 and Wed Jan 23 11:06:28 2002 from 23.24.26.78 to 216.21.152.65 tcp port 2765 to 27702...
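
The attack log line above is the only log format the page shows in full, so the following Python is an added example, not part of the manual, that parses such a line into fields and counts attacking sources over a small batch of messages, the kind of processing the remote syslog server of Page 84 would do with these lines. The regular expression is written from that single sample line; the two further lines in the sample batch are constructed in the same format for the example and are not DFL-500 output.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

_TS = r"\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}"   # e.g. "Jan 23 11:11:28 2002"
_TS_DAY = r"\w{3} " + _TS                      # e.g. "Wed Jan 23 11:06:55 2002"
ATTACK_RE = re.compile(
    rf"^(?P<logged>{_TS}) Attack (?P<attack>.+?) "
    rf"between (?P<start>{_TS_DAY}) and (?P<end>{_TS_DAY}) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<proto>\w+) port (?P<port_lo>\d+) to (?P<port_hi>\d+)$")


def _ts(s: str, fmt: str) -> datetime:
    """strptime after collapsing runs of spaces (single-digit days are space padded)."""
    return datetime.strptime(" ".join(s.split()), fmt)


def parse_attack_log(line: str) -> Dict:
    """Split one attack log message into fields; raises ValueError on anything else."""
    m = ATTACK_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an attack log message: {line!r}")
    d = m.groupdict()
    start = _ts(d["start"], "%a %b %d %H:%M:%S %Y")
    end = _ts(d["end"], "%a %b %d %H:%M:%S %Y")
    return {
        "logged_at": _ts(d["logged"], "%b %d %H:%M:%S %Y"),
        "attack": d["attack"],
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"],
        "ports": (int(d["port_lo"]), int(d["port_hi"])),
        # the manual's own sample lists the later time first, so take the magnitude
        "window_seconds": abs((end - start).total_seconds()),
    }


def attack_sources(lines: List[str]) -> List[Tuple[str, int]]:
    """Attacking source addresses with their message counts, most active first;
    the kind of list an administrator turns into deny policies or an alert."""
    counts = Counter(parse_attack_log(l)["src"] for l in lines if l.strip())
    return counts.most_common()


# The first line is the manual's sample (Page 87); the other two are constructed
# in the same format for the example and are not DFL-500 output.
SAMPLE_LOG = [
    "Jan 23 11:11:28 2002 Attack port scan between Wed Jan 23 11:06:55 2002 and "
    "Wed Jan 23 11:06:28 2002 from 23.24.26.78 to 216.21.152.65 tcp port 2765 to 27702",
    "Jan 23 11:40:02 2002 Attack port scan between Wed Jan 23 11:39:30 2002 and "
    "Wed Jan 23 11:39:58 2002 from 23.24.26.78 to 216.21.152.65 tcp port 1 to 1024",
    "Jan 24 02:15:11 2002 Attack port scan between Thu Jan 24 02:14:50 2002 and "
    "Thu Jan 24 02:15:10 2002 from 198.51.100.7 to 216.21.152.65 udp port 1 to 1024",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_attack_log(line))
    print(attack_sources(SAMPLE_LOG))
```

Note that the message carries no year-independent timezone and no sequence number, so when these lines are collected from several firewalls on one syslog server the source firewall has to be taken from the syslog envelope, not from the message text.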
  • Page 88: Administering The Dfl-500

    Administering the DFL-500 This chapter describes how to use the DFL-500 web-based manager to administer and maintain the DFL-500. It contains the following sections: • Logging into the web-based manager • System status • Network configuration • System configuration Logging into the web-based manager To connect to the DFL-500 using the web-based manager you require: •...
  • Page 89: System Status

    System status Go to System > Status to make any of the following changes to the DFL-500 system status: • Changing the operating mode • Upgrading the DFL-500 firmware • Updating your antivirus database • Displaying the DFL-500 serial number •...
  • Page 90: Displaying The Dfl-500 Serial Number

    Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the version of the Firmware or the Antivirus database. This procedure deletes all of the changes that you have made to the DFL-500 configuration and reverts the system to its original configuration including resetting interface addresses.
  • Page 91 You can restore your system settings by uploading a previously downloaded system settings text file to the DFL-500. Default NAT mode system configuration When the DFL-500 is first powered up or when it is reset to default, the system has the following standard configuration: •...
  • Page 92: Restarting The Dfl-500

    Click Shutdown. The DFL-500 shuts down and all traffic flow through the firewall stops. The DFL-500 can only be restarted after shutdown by turning the power off and on. System status monitor: You can use the system status monitor to view system activity including the number of active connections to the DFL-500 and information about the connections.
  • Page 93: Network Configuration

    • Click DHCP and click OK. The DFL-500 changes to DHCP mode and attempts to contact the DHCP server to set the external IP address, netmask, and default gateway IP address. When the DFL-500 gets this information from the DHCP server, the new addresses and netmask are displayed in the external IP address, netmask, and default gateway IP address fields.
  • Page 94: Changing Mtu Size To Improve Network Performance

    For example, the MTU of many PPP connections is 576, so if you connect to the Internet via PPP or PPPoE, you might want to set the MTU of the DFL-500 to 576. DSL modems may also have small MTU sizes. Most ethernet networks have an MTU of 1500.
  • Page 95: Configuring Routing

    If there are multiple routers installed on your network, you can configure static routes to determine the path that data follows over your network before and after it passes through the DFL-500. You can also use static routing to allow different IP domain users to access the Internet through the DFL-500.
  • Page 96: Providing Dhcp Services To Your Internal Network

    Click External interface to enable RIP server support from the external interface.

    Providing DHCP services to your internal network

    If it is operating in NAT mode, you can configure the DFL-500 to be the DHCP server for your internal network. •...
  • Page 97: System Configuration

    To configure the DFL-500 to use NTP, click Synchronize with NTP server. By default, the DFL-500 is configured to connect to an NTP server at IP address 192.5.5.250, which is the IP address of an NTP server maintained by the Internet Software Consortium at Palo Alto, CA, USA.
  • Page 98: Changing Web-Based Manager Options

    Adding and editing administrator accounts

    When the DFL-500 is initially installed, it is configured with a single administrator account with the user name admin. From this administrator account you can add and edit administrator accounts. You can also control the access level of each of these administrative accounts and, optionally, control the IP address from which the administrator can connect to the DFL-500.
  • Page 99
    • Adding new administrator accounts
    • Editing administrator accounts

    Adding new administrator accounts

    From the admin account, use the following procedure to add new administrator accounts to the DFL-500 and control their permission levels.
    • Go to System > Config > Admin.
  • Page 100: Configuring Snmp

    Configuring SNMP

    Configure SNMP for the DFL-500 so that the SNMP agent running on the DFL-500 can report system information and send traps. Traps can alert system administrators about problems with the DFL-500.
    • Go to System > Config > SNMP.
  • Page 101: Using The Dfl-500 Cli

    This chapter explains how to connect to the DFL-500 CLI and also describes some of the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings.
  • Page 102: Connecting To The Dfl-500 Cli Using Ssh

    Type the password for this administrator and press Enter. The following prompt appears: Type ? for a list of commands. You have connected to the DFL-500 CLI, and you can proceed to enter CLI commands as if you had connected through the DFL-500 communications port.

    CLI basics

    This section describes the basics of using the DFL-500 CLI to enter commands.
  • Page 103: Recalling Commands

    Installing firmware from a TFTP server

    D-Link releases new versions of the DFL-500 firmware periodically. When D-Link releases new firmware, you can download the upgrade from our Web site (http://tsd.dlink.com.tw). You can save this file on your management computer and then use the following procedure to upgrade the firmware on your DFL-500.
  • Page 104 Make sure the Internal interface of the DFL-500 is connected to your internal network. • To confirm that you can connect to the TFTP server from the DFL-500, start the DFL-500 CLI and use the following command to ping the computer running the TFTP server. If the TFTP server's IP address is 192.168.1.168:...
  • Page 105 You must then restore your previous configuration. Begin by changing the interface addresses. You can do this from the CLI using the command: set system interface
    Once the interface addresses are changed, you can access the DFL-500 from the web-based manager and upload your configuration files.
  • Page 106: Glossary

    HTTPS: The SSL protocol for transmitting private documents over the Internet using a Web browser. Internal interface: The DFL-500 interface that is connected to your internal (private) network. Internet: A collection of networks connected together that span the entire globe using the NSFNET as their backbone.
  • Page 107 Routing table: A list of valid paths through which data can be transmitted. SCCU, Security and Content Control Units: D-Link products that provide high-performance, hardware-based protection against content-based security threats, such as viruses and worms, combined with firewall, VPN, intrusion detection, content filtering, and traffic shaping.
  • Page 108 Worm: A program or algorithm that replicates itself over a computer network, usually through email, and performs malicious actions, such as using up the computer's resources and possibly shutting the system down.
  • Page 109: Troubleshooting Faqs

    Q: When I set policies, all the computers on the network seem to be affected. The policy for a single machine is being applied to the entire network. This most often occurs when adding a single address and forgetting to change the netmask from 255.255.255.0 to 255.255.255.255.
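    The netmask mistake described in this FAQ is easy to catch before a policy goes live. The following audit script is an added example and is not part of the D-Link manual or DFL-500 software: it takes a list of policy address entries (the entries below are constructed samples), computes how many addresses each address/netmask pair actually matches, and flags entries that look like a single host but carry a mask wider than 255.255.255.255. The entry names and the `audit` and `check_entry` helper names are assumptions for this example.

```python
import ipaddress

# Constructed sample address entries (name, address, netmask); not from the manual.
# "web_server" reproduces the FAQ mistake: a host address entered with the /24 mask.
SAMPLE_ENTRIES = [
    ("web_server", "192.168.1.10", "255.255.255.0"),
    ("mail_server", "192.168.1.20", "255.255.255.255"),
    ("lan", "192.168.1.0", "255.255.255.0"),
]


def hosts_covered(address, netmask):
    """Number of IPv4 addresses a policy address/netmask pair matches."""
    net = ipaddress.IPv4Network((address, netmask), strict=False)
    return net.num_addresses


def check_entry(name, address, netmask):
    """Return a finding if the entry looks like a single host but the mask is wider than /32.

    An address whose host bits are non-zero (e.g. 192.168.1.10 under 255.255.255.0)
    was almost certainly meant to be one machine; the wide mask makes the policy
    apply to the whole subnet, which is the symptom the FAQ describes.
    """
    net = ipaddress.IPv4Network((address, netmask), strict=False)
    looks_like_host = ipaddress.IPv4Address(address) != net.network_address
    if looks_like_host and net.prefixlen < 32:
        return (
            name,
            f"{address}/{netmask} matches {net.num_addresses} addresses "
            f"({net.with_prefixlen}); use netmask 255.255.255.255 for a single host",
        )
    return None


def audit(entries):
    """Run check_entry over every entry and return only the findings."""
    return [f for f in (check_entry(*e) for e in entries) if f is not None]


if __name__ == "__main__":
    for name, message in audit(SAMPLE_ENTRIES):
        print(f"{name}: {message}")
```

    Running the block on the sample entries reports only `web_server`: the `lan` entry also uses a /24 mask, but its address is the network address itself, so it is a deliberate subnet entry rather than a mistyped host.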
  • Page 110: Schedules

    Check the default gateway setting on that particular computer. Its default gateway must match the internal address of the DFL-500. Q: I checked the default gateway and it matches but I still cannot connect to the Internet.
  • Page 111: Virus Protection

    Q: A new virus is spreading through the Internet. What should I do? Set virus protection to high. See High level virus protection for your internal network. Next contact D-Link and obtain an AntiVirus database update which includes the new virus. To install the new database, see Updating your antivirus database.
  • Page 112: Technical Support

    Le Florilege #2, Allee de la Fresnerie, 78330 Fontenay le Fleury, France
    TEL: 33-1-302-38688 FAX: 33-1-3023-8689 E-MAIL: info@dlink-france.fr URL: www.dlink-france.fr

    GERMANY
    D-LINK Central Europe/D-Link Deutschland GmbH
    Schwalbacher Strasse 74, D-65760 Eschborn, Germany
    TEL: 49-6196-77990 FAX: 49-6196-7799300
    INFO LINE: 00800-7250-0000 (toll free) HELP LINE: 00800-7250-4000 (toll free)
  • Page 113 8. What category best describes your company? Aerospace, Engineering, Education, Finance, Hospital, Legal, Insurance/Real Estate, Manufacturing, Retail/Chainstore/Wholesale, Government, Transportation/Utilities/Communication, System house/company, Other. 9. Would you recommend your D-Link product to a friend? Don't know yet. 10. Your comments on this product?