Manuals / D-Link / Computer Equipment / Network Card

D-Link DFL-500 user manual Firewall configuration, Default policy

Models: DFL-500

1 122

Download 122 pages 7.35 Kb

Page 23

Firewall configuration

By default, the users on your internal network can connect through the DFL-500 NPG to the Internet. The firewall blocks all other connections. The firewall is configured with a default policy that matches any connection request received from the internal network and instructs the firewall to forward the connection to the Internet.

Default policy

Policies are instructions used by the firewall to decide what to do with a connection request. When the firewall receives a connection request in the form of a packet, it analyzes the packet to extract its source address, destination address, and service (port number).

For the packet to be connected through the DFL-500 NPG, you must have added a policy that matches the packet's source address, destination address, and service. The policy directs the action that the firewall should perform on the packet. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN packet.

You can enable and disable policies. You can add schedules to policies so that the firewall can process connections differently depending on the time of day or the day of the week, month, or year. You can also enable web content filtering for policies that control the HTTP service.

Use Int ->Ext policies to control how users on your internal network access the Internet. You can use these policies to apply web content filtering to protect users on your internal network from downloading unwanted content from the Internet. You can also use these policies to control IPSec VPN connections through the firewall.

Use Ext ->Int policies to control connections from the Internet to your internal network. You can use these policies to apply web content filtering. You can also use these policies to allow remote users to connect to your internal network using PPTP and L2TP VPN.

This chapter describes:

•NAT/Route mode and Transparent mode

•Adding NAT/Route mode policies

•Adding Transparent mode policies

•Configuring policy lists

•Addresses

•Services

•Schedules

•Virtual IPs

•IP pools

•IP/MAC binding

DFL-500 User Manual	23

Image 23

D-Link DFL-500 user manual Firewall configuration, Default policy

Contents

Link DFL-500 Regulatory Compliance Table of Contents Firewall configuration IPSec VPNs Logging and reporting Page Introduction NAT/Route mode and Transparent modeNAT/Route mode Transparent modeDFL-500 QuickStart Guide DFL-500 CLI Reference Guide Customer service and technical supportFor more information Mounting Package contentsGetting started Powering on Connecting to the web-based manager Initial configurationBits per second Connecting to the command line interface CLIDFL-500 login Stop bits Flow control Next stepsData bits Parity NAT/Route mode settings NAT/Route mode installationPreparing to configure NAT/Route mode Reconnecting to the web-based manager Using the setup wizardUsing the command line interface Starting the setup wizardSet system route number 1 gw1 Connecting to your networksDFL-500 NPG network connections Configuring your internal networkCompleting the configuration Setting the date and timeTransparent mode settings Administrator Password Transparent mode installationPreparing to configure Transparent mode Changing to Transparent modeSet system management ip 10.10.10.2 Configuring the Transparent mode management IP addressConfigure the Transparent mode default gateway Setting the date and timeConnecting to your network DFL-500 network connections Default policy Firewall configurationGo to Firewall Policy Adding NAT/Route mode policiesChanging to NAT/Route mode VPN Tunnel Source Destination Schedule Service ActionAuthentication Dynamic IP Pool Fixed PortWeb filter Content filteringAdding a NAT/Route Int -Ext policy Adding Transparent mode policiesSource Destination Schedule Service Log Traffic Authentication Web filter Policy matching in detail Configuring policy listsAdding a Transparent mode Int -Ext policy Enabling and disabling policies AddressesChanging the order of policies in a policy list Adding a firewall address Adding addressesDeleting addresses Go to Firewall AddressAdding an internal address group ServicesOrganizing addresses into address groups Go to Firewall Address GroupGo to Firewall Service Custom Predefined servicesProviding access to custom services Grouping servicesGo to Firewall Schedule One-time Adding a service groupSchedules Creating one-time schedulesGo to Firewall Schedule Recurring Virtual IPsCreating recurring schedules Adding a schedule to a policyStatic NAT Port Forwarding Adding static NAT virtual IPsGo to Firewall Virtual IP Adding a static NAT virtual IP Using port forwarding virtual IPsSource Adding policies with virtual IPsGo to Firewall Policy Ext Int Adding a Port Forwarding virtual IPIP pools Destination Schedule Service ActionAuthentication Log Traffic Web filter Adding an IP Pool Go to Firewall IP/MAC Binding SettingIP/MAC binding Go to Firewall IP/MAC Binding Static IP/MACAdding IP/MAC addresses Configuring IP/MAC binding for packets going to the firewallGo to Firewall IP/MAC Binding Dynamic IP/MAC IP/MAC settingsViewing the dynamic IP/MAC list Enabling IP/MAC bindingAdding user names and configuring authentication Users and authenticationSetting authentication time out Adding user names and configuring authenticationAdding a user name DisableDeleting user names from the internal database Deleting Radius servers Configuring Radius supportExample Radius configuration Adding Radius serversAdding user groups Configuring user groupsAdding a user group Deleting user groupsInteroperability with IPSec VPN products IPSec VPNsSee Adding a remote gateway Configuring AutoIKE key IPSec VPNConfiguring a VPN concentrator for hub and spoke VPN Configuring manual key IPSec VPNConfiguring dialup VPN Configuring the member VPNs Configuring the VPN concentratorConfiguring IPSec redundancy Local ID Adding a remote gatewayGo to VPN Ipsec Remote Gateway Adding a remote gateway Dialup User selected About dialup VPN authenticationNat-traversal Keepalive Frequency Main mode with no user group selected Key About DH groupsAbout the P1 proposal Local ID EmptyGo to VPN Ipsec AutoIKE Key Adding an AutoIKE key VPN tunnelAbout NAT traversal Adding an AutoIKE key VPN tunnel About the P2 proposalAbout replay detection Autokey Keep Alive ConcentratorGo to VPN Ipsec Manual Key Adding a manual key VPN tunnelAbout perfect forward secrecy PFS Adding a manual key VPN tunnel Adding a VPN concentratorAdding a VPN concentrator Adding an encrypt policyVPN Tunnel Allow inbound Go to Firewall Policy Int-ExtAdding an encrypt policy Allow outbound Inbound Viewing VPN tunnel statusAutoIKE key tunnel status Testing a VPNViewing dialup VPN connection status Page Pptp and L2TP VPNs Pptp VPN configurationPptp VPN between a Windows client and the DFL-500 NPG Configuring the DFL-500 NPG as a Pptp gatewayGo to VPN Pptp Pptp Range Source Destination Service Action Example Pptp Range configurationL2TP VPN between a Windows client and the DFL-500 NPG L2TP VPN configurationConfiguring the DFL-500 NPG as an L2TP gateway Go to VPN L2TP L2TP RangeSample L2TP address range configuration Configuring content filtering Web content filteringEnabling web content Filtering Blocking web pages that contain unwanted contentBacking up and restoring the banned word list Changing the content block messageClearing the banned word list Go to Web Filter URL Block Blocking access to URLsConfiguring URL blocking Uploading a URL block list Clearing the URL block listChanging the URL block message Downloading the URL block listGo to Web Filter Script Filter Exempting URLs from content or URL blockingRemoving scripts from web pages Go to Web Filter Exempt URL Adding URLs to the Exempt URL ListClearing the Exempt URL list Downloading the Exempt URL listUploading an Exempt URL list Recording logs on a remote computer Configuring LoggingGo to Log&Report Log setting Logging and reportingSelecting what to log Configuring alert emailExample log settings Go to System Network DNS Configuring alert emailSystem status AdministrationExecute ping Upgrading the DFL-500 NPG firmwareEnter File Name image.out Enter Tftp Server AddressEnter Local Address Displaying the DFL-500 NPG serial number Backing up system settingsRestoring system settings Restoring system settings to factory defaultsChanging to Transparent mode System status monitor Restarting the DFL-500 NPGShutting down the DFL-500 NPG Protocol From IP From Port To IP To Port Expire Clear Network configurationSystem status monitor CPU usage Memory usage Up time Total Number of SessionsGo to System Network Interface Configuring the internal interfaceConfiguring the external interface Configuring the internal interfaceConfiguring the external interface with a static IP address Configuring the external interface Configuring the external interface for PPPoEHttps Ping SSH Snmp Adding routing gateways Configuring routingConfiguring the management interface Transparent mode Setting DNS server addressesGo to System Network Routing Table Adding a default routeAdding routes to the routing table Go to System Network Routing Configuring the routing tableAdding routes Transparent mode Enabling RIP server supportStarting IP Ending IP Netmask Lease Duration Domain Providing Dhcp services to your internal networkDefault Route Exclusion Range Go to System Network DhcpExample Dynamic IP list System configurationSample Dhcp settings Example date and time setting Setting system date and timeGo to System Config Time Read Write Only Adding and editing administrator accountsGo to System Config Admin Changing web-based manager optionsGo to System Config Snmp Configuring Snmp100 101 Glossary102 103 104 Index105 CLI106 Dhcp107 Snmp108 PFS109 Transparent mode manual key Adding VPN tunnel IPSec VPN110 NTP111 Pptp112 Smtp113 VPN114 IPSec VPN Remote Gateway user groups Deleting115 116 Technical Support117 Registration Card118 119 Limited Warranty120 121 122 Registration