2. Computers & electronics
  3. Software
  4. D-Link
  5. NetDefendOS

D-Link NetDefendOS User manual

  • Hello! I am an AI chatbot trained to assist you with the D-Link NetDefendOS User manual. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
Network Security Solution http://www.dlink.com
NetDefendOS
Ver. 11.04.01
Network Security Firewall
User Manual
Security
Security
User Manual
DFL-260E/860E/870/1660/2560/2560G
NetDefendOS Version 11.04.01
D-Link Corporation
No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C.
http://www.DLink.com
Published 2016-10-03
Copyright ©2016
User Manual
DFL-260E/860E/870/1660/2560/2560G
NetDefendOS Version 11.04.01
Published 2016-10-03
Copyright ©2016
Copyright Notice
This publication, including all photographs, illustrations and software, is protected under
international copyright laws, with all rights reserved. Neither this manual, nor any of the material
contained herein, may be reproduced without the written consent of D-Link.
Disclaimer
The information in this document is subject to change without notice. D-Link makes no
representations or warranties with respect to the contents hereof and specifically disclaims any
implied warranties of merchantability or fitness for a particular purpose. D-Link reserves the right
to revise this publication and to make changes from time to time in the content hereof without
any obligation to notify any person or parties of such revision or changes.
Limitations of Liability
UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY
CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RESTORATION, WORK STOPPAGE,
LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM
THE APPLICATION OR IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT,
EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK
WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES.
D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK
RECEIVED FROM THE END-USER FOR THE PRODUCT.
Table of Contents
Preface...............................................................................................................17
1.NetDefendOSOverview .....................................................................................20
1.1.Features ...............................................................................................20
1.2.NetDefendOSArchitecture ......................................................................24
1.2.1.State-basedArchitecture ..............................................................24
1.2.2.NetDefendOSBuildingBlocks ........................................................24
1.2.3.BasicPacketFlow.........................................................................25
1.3.NetDefendOS StateEngine Packet Flow .....................................................28
2.ManagementandMaintenance ..........................................................................33
2.1.ManagingNetDefendOS .........................................................................33
2.1.1.Overview ....................................................................................33
2.1.2.ConfiguringManagementAccess ...................................................34
2.1.3.AdministratorAccount .................................................................40
2.1.4.TheWebInterface ........................................................................41
2.1.5.TheCLI .......................................................................................46
2.1.6.CLIScripts...................................................................................58
2.1.7.SecureCopy................................................................................64
2.1.8.TheConsoleBootMenu ................................................................66
2.1.9.RADIUSManagementAuthentication .............................................67
2.1.10.ManagementAdvancedSettings ..................................................70
2.1.11.WorkingwithConfigurations .......................................................71
2.2.SystemDateandTime ............................................................................78
2.2.1.Overview ....................................................................................78
2.2.2.SettingDateandTimeManually.....................................................78
2.2.3.DaylightSavingTime ...................................................................79
2.2.4.UsingExternalTimeServers...........................................................82
2.2.5.SettingsSummaryforDateandTime ..............................................85
2.3.EventsandLogging ................................................................................87
2.3.1.Overview ....................................................................................87
2.3.2.LogMessages .............................................................................87
2.3.3.LogReceiverTypes ......................................................................88
2.3.4.TheMemoryLogReceiver(Memlog) ...............................................89
2.3.5.TheSyslogLogReceiver................................................................89
2.3.6.MailAlerting ...............................................................................92
2.3.7. Severity Filter and Message Exceptions ........................................... 96
2.3.8.SNMPTraps ................................................................................97
2.3.9.AdvancedLogSettings .................................................................98
2.3.10.Logsnoop .................................................................................99
2.4.Monitoring .......................................................................................... 103
2.4.1.Real-timeMonitorAlerts ............................................................. 103
2.4.2.TheLinkMonitor ....................................................................... 103
2.4.3.HardwareMonitoring ................................................................. 107
2.4.4.MemoryMonitoringSettings ....................................................... 109
2.5.SNMP ................................................................................................. 111
2.5.1.Management withSNMP ............................................................ 111
2.5.2.PersistentSNMPInterfaceIndexes ................................................ 115
2.5.3.SNMPAdvancedSettings ............................................................ 116
2.6.DiagnosticTools .................................................................................. 118
2.6.1.Overview .................................................................................. 118
2.6.2. The ping Command .................................................................... 118
2.6.3. The stats Command ................................................................... 122
2.6.4. The connections Command ......................................................... 123
2.6.5. The dconsole Command .............................................................. 125
2.6.6. The pcapdump Command ........................................................... 126
2.6.7. The traceroute Command ............................................................ 128
2.6.8. The frags Command ................................................................... 131
4
2.6.9. The selftest Command ................................................................ 133
2.7.Maintenance ....................................................................................... 135
2.7.1.VersionUpdateAlerts ................................................................. 135
2.7.2.Auto-UpdateMechanism ............................................................ 136
2.7.3.Backing UpConfigurations .......................................................... 136
2.7.4.RestoretoFactoryDefaults.......................................................... 139
2.8.Languages .......................................................................................... 141
2.9.DiagnosticsandImprovements .............................................................. 142
3.Fundamentals ................................................................................................ 145
3.1.TheAddressBook ................................................................................ 145
3.1.1.Overview .................................................................................. 145
3.1.2.IPAddresses ............................................................................. 146
3.1.3.EthernetAddresses .................................................................... 148
3.1.4.AddressGroups ......................................................................... 148
3.1.5.Auto-GeneratedAddressObjects ................................................. 149
3.1.6.AddressBookFolders ................................................................. 150
3.1.7.FQDNAddressObjects ............................................................... 150
3.2.IPv6Support ....................................................................................... 156
3.3.Services .............................................................................................. 165
3.3.1.Overview .................................................................................. 165
3.3.2.CreatingCustomServices ............................................................ 167
3.3.3.ICMPServices ............................................................................ 171
3.3.4.CustomIP ProtocolServices ........................................................ 172
3.3.5.ServiceGroups .......................................................................... 173
3.3.6.CustomServiceTimeouts ............................................................ 174
3.3.7.Path MTU Discovery ................................................................... 174
3.4.Interfaces ............................................................................................ 178
3.4.1.Overview .................................................................................. 178
3.4.2.EthernetInterfaces ..................................................................... 180
3.4.3.LinkAggregation ....................................................................... 191
3.4.4.VLAN ....................................................................................... 195
3.4.5.ServiceVLAN............................................................................. 199
3.4.6.PPPoE ...................................................................................... 202
3.4.7.GRETunnels .............................................................................. 205
3.4.8.6in4Tunnels ............................................................................. 209
3.4.9.LoopbackInterfaces ................................................................... 213
3.4.10.InterfaceGroups ...................................................................... 218
3.4.11.Layer2PassThrough ................................................................ 219
3.5.ARP .................................................................................................... 221
3.5.1.Overview .................................................................................. 221
3.5.2.TheARPCache .......................................................................... 221
3.5.3.ARPPublish .............................................................................. 223
3.5.4.UsingARPAdvanced Settings ...................................................... 226
3.6.IPRulesandIP Policies .......................................................................... 228
3.6.1.SecurityPolicies ......................................................................... 228
3.6.2.IPRuleSet Evaluation ................................................................. 232
3.6.3.IP Rule ...................................................................................... 233
3.6.4.Multiple IPRuleSets ................................................................... 235
3.6.5.IP RuleSet Folders ..................................................................... 240
3.6.6.Configuration ObjectGroups ....................................................... 241
3.6.7.IP Policy ................................................................................... 245
3.6.8.StatelessPolicy .......................................................................... 251
3.7.Application Control .............................................................................. 253
3.8.Schedules ........................................................................................... 265
3.9.Certificates .......................................................................................... 268
3.9.1.Overview .................................................................................. 268
3.9.2.Uploading andUsing Certificates ................................................. 273
3.9.3.CRL Distribution Point Lists ......................................................... 275
3.9.4.CA ServerAccess ....................................................................... 277
3.9.5. Creating Windows CA Server Requests .......................................... 279
3.10.DNS .................................................................................................. 281
User Manual
5
4.Routing ......................................................................................................... 285
4.1.Overview ............................................................................................ 285
4.2.Static Routing ...................................................................................... 286
4.2.1.The Principles ofRouting ............................................................ 286
4.2.2.Static Routing ........................................................................... 290
4.2.3.RouteFailover ........................................................................... 296
4.2.4.Host MonitoringforRoute Failover ............................................... 299
4.2.5.Advanced Settings forRoute Failover ............................................ 301
4.2.6.ProxyARP ................................................................................. 302
4.2.7.Broadcast Packet Forwarding ...................................................... 304
4.3.Policy-basedRouting ............................................................................ 308
4.4.Route LoadBalancing ........................................................................... 316
4.5.VirtualRouting .................................................................................... 323
4.5.1.Overview .................................................................................. 323
4.5.2.ASimple Scenario ...................................................................... 323
4.5.3.The DisadvantageofRoutingRules............................................... 325
4.5.4.IP RuleSetswithVirtualRouting ................................................... 328
4.5.5.Multiple IPrulesets .................................................................... 329
4.5.6.Trouble Shooting ....................................................................... 329
4.6.OSPF .................................................................................................. 331
4.6.1.Dynamic Routing ....................................................................... 331
4.6.2.OSPF Concepts .......................................................................... 334
4.6.3.OSPF Components ..................................................................... 339
4.6.4.Dynamic Routing Rules ............................................................... 345
4.6.5.Setting UpOSPF ........................................................................ 348
4.6.6.An OSPFExample ...................................................................... 352
4.6.7.OSPF Troubleshooting ................................................................ 357
4.7.Multicast Routing ................................................................................. 361
4.7.1.Overview .................................................................................. 361
4.7.2. Multicast Forwarding with SAT Multiplex Rules ............................... 362
4.7.3.IGMP Configuration ................................................................... 368
4.7.4.Advanced IGMPSettings ............................................................. 374
4.7.5.TunnelingMulticast usingGRE ..................................................... 376
4.8.Transparent Mode ................................................................................ 379
4.8.1.Overview .................................................................................. 379
4.8.2.EnablingInternet Access ............................................................. 384
4.8.3.ATransparent Mode Use Case ...................................................... 386
4.8.4.SpanningTreeBPDUSupport ...................................................... 388
4.8.5.MPLS Pass Through .................................................................... 389
4.8.6. Advanced Settings for Transparent Mode ...................................... 390
5.DHCP Services ................................................................................................ 393
5.1.Overview ............................................................................................ 393
5.2.IPv4 DHCP Client .................................................................................. 395
5.3.IPv4 DHCP Server ................................................................................. 397
5.3.1.Static IPv4 DHCPHosts ............................................................... 401
5.3.2.Custom IPv4Options .................................................................. 402
5.4.IPv4 DHCP Relay .................................................................................. 404
5.5.IP Pools .............................................................................................. 408
5.6.DHCPv6 .............................................................................................. 411
5.6.1.DHCPv6Client ........................................................................... 411
5.6.2.DHCPv6Server .......................................................................... 414
6.Security Mechanisms ...................................................................................... 421
6.1.AccessRules ........................................................................................ 421
6.1.1.Overview .................................................................................. 421
6.1.2.IP Spoofing ............................................................................... 422
6.1.3.AccessRule Settings ................................................................... 422
6.2.ALGs .................................................................................................. 425
6.2.1.Overview .................................................................................. 425
6.2.2.The HTTP ALG ........................................................................... 427
6.2.3.The LightWeight HTTP ALG ......................................................... 432
6.2.4.The FTPALG ............................................................................. 435
User Manual
6
6.2.5.The TFTPALG ............................................................................ 447
6.2.6.The SMTPALG ........................................................................... 448
6.2.7.The POP3ALG ........................................................................... 457
6.2.8.The PPTPALG............................................................................ 461
6.2.9.The SIPALG .............................................................................. 463
6.2.10.The H.323 ALG ......................................................................... 479
6.2.11.The TLSALG ............................................................................ 500
6.3.Web Content Filtering ........................................................................... 503
6.3.1.Overview .................................................................................. 503
6.3.2.Active Content Handling ............................................................. 503
6.3.3.Static Content Filtering ............................................................... 504
6.3.4.Dynamic WebContent Filtering ................................................... 507
6.4.Email FilteringandAnti-Spam ................................................................ 526
6.4.1.IP Policy BasedEmailFiltering ...................................................... 526
6.4.2.ALG Based EmailFiltering ............................................................ 534
6.4.3.DNSBLDatabases ...................................................................... 539
6.5.Anti-Virus Scanning .............................................................................. 541
6.5.1.Overview .................................................................................. 541
6.5.2.Implementation ........................................................................ 542
6.5.3.Anti-Virus Options ..................................................................... 545
6.5.4.Activating Anti-VirusScanning ..................................................... 546
6.5.5.The Anti-Virus Cache .................................................................. 550
6.6.Intrusion Detectionand Prevention ........................................................ 552
6.6.1.Overview .................................................................................. 552
6.6.2.IDP Subscriptions ....................................................................... 553
6.6.3.IDP Rules .................................................................................. 554
6.6.4.Insertion/Evasion Attack Prevention ............................................. 556
6.6.5.IDP Pattern Matching ................................................................. 557
6.6.6.IDP Signature Groups ................................................................. 558
6.6.7.Setting Up IDP ........................................................................... 559
6.6.8.SMTPLogReceiver forIDP Events ................................................. 562
6.6.9.Best PracticeDeployment ........................................................... 564
6.7.Denial-of-ServiceAttacks ....................................................................... 566
6.7.1.Overview .................................................................................. 566
6.7.2.DoS AttackMechanisms .............................................................. 566
6.7.3. Ping of Death Attacks .................................................................. 566
6.7.4.Fragmentation Overlap Attacks .................................................... 567
6.7.5. The Land and LaTierra Attacks ...................................................... 567
6.7.6. The WinNuke attack .................................................................... 567
6.7.7.Amplification Attacks ................................................................. 568
6.7.8.TCP SYNFloodAttacks ................................................................ 569
6.7.9. The Jolt2 Attack ......................................................................... 569
6.7.10.DistributedDoS Attacks ............................................................ 570
6.8.BlacklistingHostsand Networks ............................................................. 571
7.Address Translation ........................................................................................ 574
7.1.Overview ............................................................................................ 574
7.2.NAT ................................................................................................... 576
7.3.NATPools ........................................................................................... 584
7.4.SAT .................................................................................................... 588
7.4.1.Introduction ............................................................................. 588
7.4.2.One-to-One IPTranslation ........................................................... 590
7.4.3.Many-to-ManyIPTranslation ....................................................... 593
7.4.4.All-to-OneIPTranslation ............................................................. 596
7.4.5.Port Translation ......................................................................... 599
7.4.6. SAT with FwdFast Rules ............................................................... 600
7.4.7.Using anIP PolicyforSAT ............................................................ 601
7.4.8.Protocols Handled bySAT ........................................................... 602
7.4.9.SATwithNAT ............................................................................ 603
8.UserAuthentication ........................................................................................ 608
8.1.Overview ............................................................................................ 608
8.2.Authentication Setup ............................................................................ 610
User Manual
7
8.2.1.SetupSummary ......................................................................... 610
8.2.2.LocalUserDatabases .................................................................. 610
8.2.3.External RADIUS Servers ............................................................. 614
8.2.4.External LDAP Servers ................................................................ 616
8.2.5.Authentication Rules .................................................................. 624
8.2.6.Authentication Processing .......................................................... 626
8.2.7.HTTP Authentication .................................................................. 627
8.2.8.BruteForceProtection ................................................................ 630
8.3.ARP Authentication .............................................................................. 633
8.4.Customizing AuthenticationHTML ......................................................... 635
8.5.Policies Requiring Authentication ........................................................... 639
8.6.UserIdentityAwareness ........................................................................ 641
8.7.MultiFactorAuthentication ................................................................... 650
8.8.RadiusRelay ........................................................................................ 652
8.9.RADIUS Accounting .............................................................................. 659
8.9.1.Overview .................................................................................. 659
8.9.2.RADIUSAccounting Messages ..................................................... 659
8.9.3.InterimAccountingMessages ...................................................... 661
8.9.4.ConfiguringRADIUS Accounting .................................................. 661
8.9.5.RADIUSAccounting Security ....................................................... 663
8.9.6. RADIUS Accounting and High Availability ...................................... 663
8.9.7. Handling Unresponsive RADIUS Servers ........................................ 663
8.9.8.Accounting andSystemShutdowns ............................................. 664
8.9.9.Limitations with NAT .................................................................. 664
8.9.10.Advanced RADIUSSettings ........................................................ 664
9.VPN .............................................................................................................. 667
9.1.Overview ............................................................................................ 667
9.1.1.VPN Usage ................................................................................ 667
9.1.2.VPN Encryption ......................................................................... 668
9.1.3.VPN Planning ............................................................................ 669
9.1.4.Key Distribution ......................................................................... 669
9.1.5.The TLSAlternativeforVPN ......................................................... 670
9.2.VPN QuickStart .................................................................................... 671
9.2.1. IPsec LAN-to-LAN with Pre-shared Keys ......................................... 672
9.2.2.IPsecLAN-to-LAN with Certificates ............................................... 673
9.2.3. IPsec Roaming Clients with Pre-shared Keys ................................... 674
9.2.4. IPsec Roaming Clients with Certificates ......................................... 677
9.2.5. L2TP/IPsec Roaming Clients with Pre-Shared Keys ........................... 678
9.2.6. L2TP/IPsec Roaming Clients with Certificates ................................. 680
9.2.7.PPTP Roaming Clients ................................................................. 680
9.2.8.iOS Setup ................................................................................. 681
9.3.IPsecComponents ............................................................................... 683
9.3.1.Overview .................................................................................. 683
9.3.2.InternetKeyExchange (IKE) ......................................................... 683
9.3.3.IKE Authentication ..................................................................... 690
9.3.4.IPsecProtocols (ESP/AH) ............................................................. 691
9.3.5.NATTraversal ............................................................................ 693
9.3.6.AlgorithmProposal Lists ............................................................. 694
9.3.7.Pre-shared Keys ......................................................................... 696
9.3.8.Using IDLists with Certificates ..................................................... 697
9.3.9.DiffServ withIPsec ..................................................................... 699
9.4.IPsecTunnels....................................................................................... 701
9.4.1.Overview .................................................................................. 701
9.4.2. LAN-to-LAN Tunnels with Pre-shared Keys ..................................... 704
9.4.3.Roaming Clients ........................................................................ 708
9.4.4.IKEv2 Support ........................................................................... 713
9.4.5.IKEv2 ClientSetup ...................................................................... 714
9.4.6. Fetching CRLs from an alternate LDAP server ................................. 719
9.4.7.The IPsec Tunnel SelectionProcess ............................................... 720
9.4.8.IPsecTunnel Monitoring ............................................................. 721
9.4.9.IPsecAdvanced Settings ............................................................. 723
User Manual
8
9.5.PPTP/L2TP .......................................................................................... 729
9.5.1.PPTP Servers ............................................................................. 729
9.5.2.L2TP Servers ............................................................................. 730
9.5.3.L2TP/PPTP ServerAdvanced Settings ............................................ 736
9.5.4.PPTP/L2TP Clients ...................................................................... 737
9.5.5.The l2tpandpptpCommands ..................................................... 739
9.6.L2TP Version 3 ..................................................................................... 741
9.6.1.L2TPv3Server ........................................................................... 741
9.6.2.L2TPv3Client ............................................................................ 748
9.7.SSL VPN .............................................................................................. 752
9.7.1.Overview .................................................................................. 752
9.7.2.ConfiguringSSL VPNin NetDefendOS ........................................... 753
9.7.3.InstallingtheSSL VPNClient ........................................................ 755
9.7.4.SSL VPNSetup Example .............................................................. 759
9.8.VPN Troubleshooting............................................................................ 762
9.8.1.General Troubleshooting ............................................................ 762
9.8.2.TroubleshootingCertificates ....................................................... 763
9.8.3. The ike -stat Command ............................................................... 763
9.8.4. The ike -snoop Command ............................................................ 764
9.8.5. Management Interface Failure with VPN ........................................ 771
9.8.6.SpecificErrorMessages ............................................................... 771
9.8.7.SpecificSymptoms ..................................................................... 774
10.Traffic Management ...................................................................................... 776
10.1.Traffic Shaping ................................................................................... 776
10.1.1.Overview ................................................................................ 776
10.1.2.TrafficShaping inNetDefendOS ................................................. 777
10.1.3.Simple BandwidthLimiting ....................................................... 780
10.1.4. Limiting Bandwidth in Both Directions ........................................ 781
10.1.5. Creating Differentiated Limits Using Chains ................................. 783
10.1.6.Precedences ............................................................................ 784
10.1.7.PipeGroups ............................................................................ 788
10.1.8.TrafficShaping Recommendations ............................................. 791
10.1.9.ASummary ofTraffic Shaping .................................................... 793
10.1.10.More Pipe Examples ............................................................... 793
10.2.IDP TrafficShaping ............................................................................. 798
10.2.1.Overview ................................................................................ 798
10.2.2.SettingUpIDP TrafficShaping ................................................... 798
10.2.3.Processing Flow ....................................................................... 799
10.2.4. The Importance of Specifying a Network ...................................... 799
10.2.5.AP2PScenario......................................................................... 800
10.2.6.Viewing TrafficShaping Objects ................................................. 801
10.2.7. Guaranteeing Instead of Limiting Bandwidth ................................ 802
10.2.8.Logging .................................................................................. 802
10.3.ThresholdRules .................................................................................. 803
10.4.Server LoadBalancing ......................................................................... 807
10.4.1.Overview ................................................................................ 807
10.4.2.SLB Distribution Algorithms ....................................................... 809
10.4.3.SelectingStickiness .................................................................. 809
10.4.4.SLB AlgorithmsandStickiness .................................................... 811
10.4.5.Server Health Monitoring .......................................................... 812
10.4.6. Setting Up SLB_SAT Rules .......................................................... 812
10.4.7.SLB Policy ............................................................................... 816
11.High Availability ........................................................................................... 820
11.1.Overview .......................................................................................... 820
11.2.HA Mechanisms ................................................................................. 823
11.3.Setting UpHA .................................................................................... 827
11.3.1.Hardware Setup ....................................................................... 827
11.3.2.Wizard HASetup ...................................................................... 829
11.3.3.ManualHA Setup ..................................................................... 831
11.3.4. Verifying that the Cluster Functions Correctly ............................... 832
11.3.5.Unique Shared Mac Addresses ................................................... 833
User Manual
9
11.4.HA Issues .......................................................................................... 834
11.5.UpgradinganHA Cluster ..................................................................... 837
11.6.Link Monitoring andHA ...................................................................... 839
11.7.HA AdvancedSettings ......................................................................... 840
12.ZoneDefense ............................................................................................... 843
13.Advanced Settings ........................................................................................ 849
13.1.IP LevelSettings ................................................................................. 849
13.2.TCP LevelSettings .............................................................................. 853
13.3.ICMP Level Settings ............................................................................ 859
13.4.State Settings .................................................................................... 860
13.5.Connection Timeout Settings ............................................................... 862
13.6.LengthLimitSettings .......................................................................... 864
13.7.FragmentationSettings ....................................................................... 867
13.8.Local Fragment Reassembly Settings ..................................................... 871
13.9.SSL/TLS Settings ................................................................................. 872
13.10.Miscellaneous Settings ...................................................................... 875
A.Subscribing toUpdates ................................................................................... 880
B.IDPSignature Groups ...................................................................................... 884
C.Verified MIME filetypes .................................................................................... 888
D.TheOSIFramework ........................................................................................ 892
E.DFL-260E/860E PortBased VLAN ....................................................................... 893
F.Third PartySoftwareLicenses ........................................................................... 895
Alphabetical Index ............................................................................................. 901
User Manual
10
List of Figures
1.1.PacketFlowSchematicPartI ............................................................................28
1.2.PacketFlowSchematicPartII ...........................................................................29
1.3.PacketFlowSchematicPartIII ..........................................................................30
1.4. Expanded Apply Rules Logic .............................................................................31
2.1.ManagementWorkstationConnection ..............................................................42
3.1.Path MTU Discovery Processing ...................................................................... 175
3.2.Link Aggregation ......................................................................................... 192
3.3.VLAN Connections ....................................................................................... 197
3.4.AServiceVLANUse Case ............................................................................... 200
3.5.An Exampleof GREUsage .............................................................................. 207
3.6.IP6in4 Tunnel Usage ..................................................................................... 210
3.7.Actingasa6in4Tunnel Server ........................................................................ 212
3.8.AUse Case forLoopback Interfaces ................................................................. 215
3.9. Setting Up Loopback Interfaces with Routing Tables .......................................... 216
3.10.Components ofLoopback Interface Setup ...................................................... 217
3.11.An ARPPublishEthernet Frame .................................................................... 225
3.12.Simplified NetDefendOS Traffic Flow ............................................................. 231
3.13.Certificate ValidationComponents ................................................................ 278
4.1.ATypical Routing Scenario ............................................................................ 287
4.2. Using Local IP Address withanUnbound Network .............................................. 289
4.3.ARoute Failover ScenarioforISPAccess .......................................................... 296
4.4.AProxy ARPExample .................................................................................... 303
4.5.The RLBRound Robin Algorithm ..................................................................... 317
4.6.The RLB Spillover Algorithm ........................................................................... 318
4.7.ARoute Load Balancing Scenario .................................................................... 320
4.8.VirtualRouting ............................................................................................ 324
4.9.The Disadvantage ofRouting Rules ................................................................. 325
4.10.The Advantage ofVirtual Routing ................................................................. 326
4.11.ASimple OSPFScenario ............................................................................... 332
4.12.OSPF Providing Route Redundancy ............................................................... 333
4.13.VirtualLinks ConnectingAreas ..................................................................... 337
4.14.VirtualLinks withPartitioned Backbone ......................................................... 338
4.15.NetDefendOSOSPFObjects ......................................................................... 339
4.16.Dynamic Routing RuleObjects ..................................................................... 347
4.17.An OSPFExample ....................................................................................... 353
4.18. Multicast Forwarding - No Address Translation ................................................ 363
4.19.Multicast Forwarding -AddressTranslation .................................................... 367
4.20.Multicast Snoop Mode ................................................................................ 369
4.21.Multicast Proxy Mode .................................................................................. 369
4.22.TunnelingMulticastusingGRE ..................................................................... 377
4.23.Non-transparent Mode InternetAccess .......................................................... 384
4.24.TransparentModeInternetAccess ................................................................ 385
4.25.TransparentModeUse Case ......................................................................... 386
4.26.An Example BPDURelaying Scenario ............................................................. 389
5.1.DHCP ServerObjects .................................................................................... 401
5.2.DHCP Relaywith Proxy ARP ........................................................................... 405
6.1.Deploying anALG ........................................................................................ 426
6.2.HTTP ALGProcessingOrder ........................................................................... 431
6.3.FTP ALGHybridMode ................................................................................... 437
6.4.SMTPALG Usage .......................................................................................... 449
6.5.SMTPALG ProcessingOrder ........................................................................... 452
6.6.POP3 ALGUsage .......................................................................................... 458
6.7.PPTP ALGUsage ........................................................................................... 462
6.8.TLS Termination ........................................................................................... 501
6.9.Web Content Filtering Flow ........................................................................... 509
6.10.Anti-SpamFiltering ..................................................................................... 540
11
6.11.Anti-VirusMaliciousFileMessage .................................................................. 543
6.12.Anti-VirusMaliciousURLMessage ................................................................. 543
6.13.IDP Database Updating ............................................................................... 553
6.14.IDP Signature Selection ............................................................................... 555
7.1.NATIPAddress Translation ............................................................................ 576
7.2.ANATExample ............................................................................................ 578
7.3.Automatic Address Translation ....................................................................... 581
7.4.Anonymizing with NAT ................................................................................. 583
7.5.SATAddress Translation ................................................................................ 593
7.6.SATwith NAT .............................................................................................. 603
8.1.Normal LDAPAuthentication ......................................................................... 623
8.2. LDAP for PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 ......................................... 624
8.3.UserIdentityAwareness ................................................................................ 641
8.4. The General Tabin theIDAInterface ................................................................ 646
8.5. The Event Monitoring Tab inthe IDAInterface ................................................... 646
8.6. The Security Tab intheIDA Interface ................................................................ 647
8.7. The Excluded Users Tab inthe IDAInterface ...................................................... 648
9.1.The AHprotocol ........................................................................................... 692
9.2.The ESPprotocol .......................................................................................... 693
9.3.PPTP Client Usage ........................................................................................ 739
9.4.An L2TPv3 Example ...................................................................................... 742
9.5.SSL VPNBrowser ConnectionChoices ............................................................. 756
9.6.The SSLVPN Client Login ............................................................................... 757
9.7.The SSLVPN Client Statistics .......................................................................... 758
10.1.PipeRules Determine Pipe Usage .................................................................. 779
10.2. FwdFast RulesBypassTraffic Shaping ............................................................. 780
10.3.Differentiated Limits UsingChains ................................................................ 783
10.4.The EightPipePrecedences ......................................................................... 784
10.5.Minimum andMaximumPipe Precedence ...................................................... 786
10.6.Traffic Grouped ByIP Address ....................................................................... 790
10.7.ABasicTrafficShapingScenario .................................................................... 794
10.8.IDP TrafficShaping P2PScenario ................................................................... 801
10.9.AServerLoadBalancingConfiguration .......................................................... 808
10.10.Connections fromThree Clients .................................................................. 811
10.11.Stickiness andRound-Robin ....................................................................... 811
10.12.Stickiness andConnection-rate ................................................................... 812
D.1.The 7Layers ofthe OSIModel ........................................................................ 892
User Manual
12
List of Examples
1.ExampleNotation .............................................................................................17
2.1.ChangingtheManagementValidationTimeout ..................................................37
2.2.ChangingtheManagementInterfaceIPAddress .................................................38
2.3.ChangingaRemoteManagementObject ..........................................................38
2.4.ChangingtheHAManagementIPAddress .........................................................39
2.5.AddingRemoteManagementviaHTTPS ............................................................40
2.6. Remote Management via HTTPS with CA Signed Certificates ................................. 46
2.7.EnablingSSHRemoteAccess ...........................................................................52
2.8.EnablingSSHAuthenticationUsingSSHKeys .....................................................53
2.9.RunningaCLIScriptfromtheWebInterface .......................................................63
2.10.EnablingRADIUSManagementAuthentication .................................................70
2.11.ListingConfigurationObjects .........................................................................72
2.12.DisplayingaConfigurationObject...................................................................73
2.13.EditingaConfigurationObject .......................................................................73
2.14.AddingaConfigurationObject .......................................................................74
2.15.DeletingaConfigurationObject .....................................................................75
2.16.Undeleting aConfiguration Object ..................................................................75
2.17.ListingModifiedConfigurationObjects ............................................................76
2.18.ActivatingandCommittingaConfiguration .....................................................76
2.19.SettingtheCurrentDateandTime ..................................................................78
2.20.SettingtheTimeZone ...................................................................................79
2.21.EnablingDSTwiththetzDatabase ..................................................................80
2.22.Enabling DSTManually ..................................................................................81
2.23.UsingtheD-LinkTimeServer .........................................................................83
2.24.ConfiguringCustomTimeServers ...................................................................83
2.25.ManuallyTriggeringaTimeSynchronization ....................................................84
2.26.ModifyingtheMaximumAdjustmentValue ......................................................84
2.27.ForcingTimeSynchronization ........................................................................85
2.28.EnableLoggingtoaSyslogHost .....................................................................90
2.29. Enabling Syslog RFC 5424 Compliance with Hostname ....................................... 91
2.30.SettingupaMailAlertingObject ....................................................................95
2.31.SendingSNMPTrapstoanSNMPTrapReceiver.................................................98
2.32.Link Monitor Setup ..................................................................................... 106
2.33.Enabling SNMP Versions 1and2c Monitoring ................................................. 113
2.34.Enabling SNMP Version3Monitoring ............................................................ 114
2.35.Enabling SNMP IndexPersistence ................................................................. 116
2.36. Disabling NetDefendOS Release Notifications ................................................. 135
2.37.Performing aComplete System Backup ......................................................... 138
2.38. Complete Hardware Reset to Factory Defaults ................................................ 139
2.39. Disabling Diagnostics and Quality Improvements Messaging ............................ 143
3.1.Adding anIP HostAddress ............................................................................. 146
3.2.Adding anIP Network ................................................................................... 147
3.3.Adding anIP Range ...................................................................................... 147
3.4.Deleting anAddressObject ........................................................................... 147
3.5.Adding anEthernetAddress .......................................................................... 148
3.6.Adding anFQDNAddress Object .................................................................... 153
3.7. Setting the DNS Minimum TTL and Minimum Lifetime ....................................... 153
3.8.Using FQDNObjectswith anIP Policy .............................................................. 154
3.9.Enabling IPv6 Globally .................................................................................. 156
3.10.Enabling IPv6 onan Interface ....................................................................... 157
3.11.ManuallyAddingIPv6InterfaceAddresses ..................................................... 158
3.12.Enabling IPv6 Advertisements ...................................................................... 160
3.13.AddinganIPv6 Route andEnabling Proxy ND ................................................. 161
3.14.Listing theAvailableServices ........................................................................ 166
3.15.ViewingaSpecific Service ............................................................................ 167
3.16.CreatingaCustomTCP/UDPService .............................................................. 170
13
3.17.AddinganIP Protocol Service ....................................................................... 172
3.18.CreatingaService ....................................................................................... 173
3.19.Enabling PathMTUDiscovery ....................................................................... 176
3.20.Link Aggregation........................................................................................ 195
3.21.Defining aVLAN ......................................................................................... 198
3.22.Defining aService VLAN .............................................................................. 200
3.23.ConfiguringaPPPoEClient .......................................................................... 204
3.24.6in4 Tunnel Configuration ........................................................................... 211
3.25.CreatingaLoopback Interface Pair ................................................................ 217
3.26.CreatinganInterfaceGroup ......................................................................... 218
3.27.Enabling Layer 2Pass Through ..................................................................... 219
3.28.Displaying theARPCache ............................................................................ 222
3.29.Flushing theARPCache ............................................................................... 222
3.30.Defining anARP/Neighbor Discovery Object................................................... 225
3.31.CreatinganIP RuleSet ................................................................................ 235
3.32. Adding a Goto Rule ..................................................................................... 238
3.33.AddingaReturn Rule .................................................................................. 239
3.34. Adding an Allow IPRule ............................................................................... 240
3.35. Setting up a Policy to Allow Connections to a DMZ .......................................... 247
3.36. Setting up a SAT Policy to an Internal Web Server ............................................ 248
3.37.Setting upaGeolocation Filter ..................................................................... 249
3.38.CreatingaStateless Policy ........................................................................... 251
3.39.Specifying anApplicationControl Policy ........................................................ 253
3.40.Using anApplicationControl RuleSet ............................................................ 255
3.41.ApplicationContent Control ........................................................................ 259
3.42.ApplicationContent Controlwith Logging ..................................................... 260
3.43.Setting upaTime-Scheduled Security Policy ................................................... 266
3.44. Uploading a Certificate with the Web Interface ............................................... 274
3.45.AssociatingCertificates withIPsecTunnels ..................................................... 275
3.46.CRL DistributionPointList ........................................................................... 275
3.47.ConfiguringDNS Servers ............................................................................. 281
4.1. Displaying the main RoutingTable .................................................................. 292
4.2. Adding a Route to the main Table ................................................................... 294
4.3.DisplayingtheCore Routes ............................................................................ 295
4.4.Enabling Broadcast Forwarding onaRoute ...................................................... 306
4.5.Creating aRouting Table ............................................................................... 309
4.6.Adding Routes ............................................................................................. 310
4.7.Creating aRouting Rule ................................................................................. 310
4.8.Policy-basedRouting withMultiple ISPs ........................................................... 313
4.9.SettingUpRLB ............................................................................................. 321
4.10. Creating an OSPF Router Process .................................................................... 353
4.11. Add an OSPF Area ....................................................................................... 354
4.12. Add OSPF Interface Objects .......................................................................... 354
4.13. Import Routes from an OSPF AS into the Main Routing Table ............................. 355
4.14.ExportingtheRoutesintoan OSPFAS ............................................................ 356
4.15.Enabling OSPF DebugLog Events ................................................................. 358
4.16. Forwarding Multicast Traffic with a SAT Multiplex IP Rule .................................. 363
4.17. Forwarding Multicast Traffic with a Multicast Policy ......................................... 365
4.18.Multicast Forwarding -AddressTranslation .................................................... 367
4.19.IGMP -No Address Translation ...................................................................... 370
4.20. if1 Configuration ........................................................................................ 371
4.21. if2 Configuration-GroupTranslation ............................................................. 372
4.22.ATransparentModeUse Case ...................................................................... 386
5.1. Enabling an Ethernet Interface as a DHCP Client ................................................ 395
5.2.Settingupan IPv4DHCPserver ...................................................................... 399
5.3.Static IPv4DHCPHostAssignment .................................................................. 401
5.4.SettingupaDHCPRelayer ............................................................................. 405
5.5.Creating anIP Pool ....................................................................................... 410
5.6.DHCPv6 Client Setup .................................................................................... 413
5.7.DHCPv6 ServerSetup .................................................................................... 416
5.8.Static DHCPv6 HostAssignment ..................................................................... 418
User Manual
14
6.1.Settingupan Access Rule .............................................................................. 423
6.2.Using theLight WeightHTTP ALG ................................................................... 433
6.3.Protecting anFTP Serverwith anALG .............................................................. 440
6.4.Protecting FTPClients ................................................................................... 444
6.5.SMTPALG Setup .......................................................................................... 453
6.6.POP3 ALGSetup .......................................................................................... 459
6.7. SIP with Local Clients/Internet Proxy Using IP Rules ........................................... 470
6.8. SIP with Local Clients/Internet Proxy Using IP Policies ........................................ 471
6.9. Protecting Internal H.323 Phones Using IP Rules ................................................ 482
6.10. Protecting Internal H.323 Phones Using IP Policy Objects .................................. 483
6.11.H.323 with aPrivate AddressUsing IPRules .................................................... 485
6.12. 2 Phones Behind Different NetDefend Firewalls Using IP Rules .......................... 487
6.13.Using PrivateIPv4 Addresses ........................................................................ 489
6.14.H.323 with Gatekeeper ................................................................................ 491
6.15. H.323 with Gatekeeper and two NetDefend Firewalls ....................................... 493
6.16.Using H.323in anEnterpriseEnvironment ...................................................... 495
6.17.Configuringremote offices forH.323 ............................................................. 498
6.18. Allowing the H.323 Gateway to register with the Gatekeeper ............................ 499
6.19.Stripping ActiveX andJavaapplets ................................................................ 504
6.20.URL Filtering UsingIP Rules .......................................................................... 506
6.21. Enabling Web Content Filtering Using IP Rules ................................................ 511
6.22.Enabling AuditMode .................................................................................. 513
6.23.Reclassifying ablocked site .......................................................................... 514
6.24.Enabling WCFwith IPPolicies ....................................................................... 516
6.25.Editing Content Filtering HTTP Banner Files .................................................... 522
6.26.Enabling theWCFPerformance Log .............................................................. 525
6.27.Email filtering ofIMAP Traffic ........................................................................ 531
6.28.Activating Anti-Virus withan IPRule .............................................................. 547
6.29.Activating Anti-Virus withan IPPolicy ............................................................ 548
6.30.Changing theAnti-VirusCache Lifetime ......................................................... 550
6.31.Setting upIDP foraMail Server ..................................................................... 560
6.32.Configuringan SMTP LogReceiver ................................................................ 563
6.33.AddingaHost tothe Whitelist ...................................................................... 572
7.1. Specifying a NAT IPRule ................................................................................ 578
7.2. Specifying a NAT IPPolicy .............................................................................. 579
7.3.Using NATPools .......................................................................................... 586
7.4.One-to-One IPTranslation ............................................................................. 591
7.5.Many-to-ManyIP Translation ......................................................................... 594
7.6.All-to-OneIPTranslation ............................................................................... 597
7.7.SettingupaSATIPPolicy .............................................................................. 602
8.1.Creating aLocal UserDatabase ...................................................................... 610
8.2.Adding aUser withGroup Membership ........................................................... 611
8.3.ConfiguringaRADIUSServer ......................................................................... 615
8.4.UserAuthenticationSetupforWebAccess ....................................................... 629
8.5.EditingContent Filtering HTTP Banner Files ...................................................... 636
8.6.Policies Requiring Authentication ................................................................... 639
8.7.Enabling UserIdentityAwareness ................................................................... 642
8.8.RadiusRelay ................................................................................................ 655
8.9.RADIUS Accounting ServerSetup ................................................................... 662
9.1.Using anAlgorithmProposal List .................................................................... 695
9.2.Using aPre-Shared key ................................................................................. 696
9.3.Using anIDList ............................................................................................ 698
9.4.PSK BasedLAN-to-LAN IPsec Tunnel Setup ....................................................... 705
9.5. PSK Based IPsec Tunnel for Roaming Clients Setup ............................................ 708
9.6. Certificate Based IPsec Tunnels for Roaming Clients ........................................... 710
9.7. Setting Up Config Mode Using a Predefined IP Pool ........................................... 712
9.8.Using ConfigModewithIPsecTunnels ............................................................ 713
9.9.IKEv2 EAPClient Setup .................................................................................. 716
9.10.Setting upan LDAP server ........................................................................... 719
9.11.Enabling IPsec TunnelMonitoring ................................................................. 722
9.12.Setting upaPPTPserver .............................................................................. 730
User Manual
15
9.13.Setting upan L2TPserver ............................................................................ 731
9.14.Setting upan L2TPTunnelOverIPsec ............................................................ 732
9.15.L2TPv3 Server Setup ................................................................................... 743
9.16.L2TPv3 Server SetupWith IPsec .................................................................... 744
9.17.L2TPv3 Server SetupFor VLANs .................................................................... 746
9.18.L2TPv3 Client Setup .................................................................................... 749
9.19.L2TPv3 Client SetupWith IPsec ..................................................................... 750
9.20.Setting Upan SSLVPN Interface .................................................................... 759
9.21.Setting SSLVPN InterfaceClientRoutes ......................................................... 761
10.1.Applying aSimpleBandwidth Limit ............................................................... 780
10.2.Limiting BandwidthinBoth Directions ........................................................... 782
10.3.CreatingaThresholdRule ............................................................................ 805
10.4.Setting upSLB withIP Rules ......................................................................... 813
10.5.Setting upSLB withan SLB Policy .................................................................. 816
11.1.Enabling AutomaticClusterSynchronization .................................................. 821
12.1.Setting UpZoneDefense .............................................................................. 846
User Manual
16
Preface
Intended Audience
The target audience for this reference guide is Administrators who are responsible for
configuring and managing NetDefend Firewalls which are running the NetDefendOS operating
system. This guide assumes that the reader has some basic knowledge of networks and network
security.
Text Structure and Conventions
The text is broken down into chapters and sub-sections. Numbered sub-sections are shown in
the table of contents at the beginning. An index is included at the end of the document to aid
with alphabetical lookup of subjects.
Where a "See chapter/section" link (such as: see Chapter 9, VPN) is provided in the main text, this
can be clicked to take the reader directly to that reference.
Text that may appear in the user interface of the product is designated by being in bold case.
Where a term is being introduced for the first time or being stressed it may appear in italics.
Where console interaction is shown in the main text outside of an example, it will appear in a box
with a gray background.
Where a web address reference is shown in the text, clicking it will open the specified URL in a
browser in a new window (some systems may not allow this).
For example, http://www.dlink.com.
Screenshots
This guide contains a minimum of screenshots. This is deliberate and is done because the manual
deals specifically with NetDefendOS and administrators have a choice of management user
interfaces. It was decided that the manual would be less cluttered and easier to read if it
concentrated on describing how NetDefendOS functions rather than including large numbers of
screenshots showing how the various interfaces are used. Examples are given but these are
largely textual descriptions of management interface usage.
Examples
Examples in the text are denoted by the header Example and appear with a gray background as
shown below. They contain a CLI example and/or a Web Interface example as appropriate. (The
NetDefendOS CLI Reference Guide documents all CLI commands.)
Example 1. Example Notation
Information about what the example is trying to achieve is found here, sometimes with an
explanatory image.
Command-Line Interface
The Command Line Interface example would appear here. It would start with the command
prompt followed by the command:
gw-world:/> somecommand someparameter=somevalue
17
Web Interface
The Web Interface actions for the example are shown here. They are also typically a numbered
list showing what items need to be opened followed by information about the data items that
need to be entered:
1. Go to: Item X > Item Y > Item Z
2. Now enter:
•DataItem1: datavalue1
•DataItem2: datavalue2
Highlighted Content
Sections of text which the reader should pay special attention to are indicated by icons on the
left hand side of the page followed by a short paragraph in italicized text. Such sections are of
the following types with the following purposes:
Note
This indicates some piece of information that is an addition to the preceding text. It may
concern something that is being emphasized, or something that is not obvious or
explicitly stated in the preceding text.
Tip
This indicates a piece of non-critical information that is useful to know in certain
situations but is not essential reading.
Caution
This indicates where the reader should be careful with their actions as an undesirable
situation may result if care is not exercised.
Important
This is an essential point that the reader should read and understand.
Warning
This is essential reading for the user as they should be aware that a serious situation
may result if certain actions are taken or not taken.
Trademarks
Preface
18
Certain names in this publication are the trademarks of their respective owners.
Windows is either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries.
Apple,Mac and Mac OS are trademarks of Apple Inc. registered in the United States and/or other
countries.
Preface
19
Chapter 1: NetDefendOS Overview
This chapter outlines the key features of NetDefendOS.
• Features, page 20
• NetDefendOS Architecture, page 24
• NetDefendOS State Engine Packet Flow, page 28
1.1. Features
D-Link NetDefendOS is the base software engine that drives and controls the range of NetDefend
Firewall hardware products.
NetDefendOS as a Network Security Operating System
Designed as a network security operating system, NetDefendOS features high throughput
performance with high reliability plus super-granular control. In contrast to products built on top
of standard operating systems such as Unix or Microsoft Windows, NetDefendOS offers seamless
integration of all its subsystems, in-depth administrative control of all functionality, as well as a
minimal attack surface which helps to negate the risk from security attacks.
NetDefendOS Objects
From the administrator's perspective the conceptual approach of NetDefendOS is to visualize
operations through a set of logical building blocks or objects. These objects allow the
configuration of NetDefendOS in an almost limitless number of different ways. This granular
control allows the administrator to meet the requirements of the most demanding network
security scenarios.
Key Features
NetDefendOS has an extensive feature set. The list below presents the key features of the
product:
IP Routing NetDefendOS provides a variety of options for IP routing
including static routing, dynamic routing (with OSPF) as
well as multicast routing capabilities. In addition,
20
/