D-Link CP310 User Guide

D-Link CP310 - DFL - Security Appliance Manual

D-Link CP310 manual content summary:

  • D-Link CP310 | User Guide - Page 1
    D-Link NetDefend firewall Security VPN Firewall NetDefend secured by Check Point User Guide Version 1.0 Revised: 01/17/2006
  • D-Link CP310 | User Guide - Page 2
    -1, SVN, UAM, User-to-Address Mapping, UserAuthority, Visual Policy Editor, VPN-1, VPN-1 Accelerator Card, VPN-1 Gateway, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, and VPN-1 Edge are trademarks, service marks, or registered trademarks of Check Point Software Technologies Ltd. or
  • D-Link CP310 | User Guide - Page 3
    that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section
  • D-Link CP310 | User Guide - Page 4
    provided in this User's Guide before attempting to install or operate the appliance. Failure to follow these instructions may result in damage to equipment and/or personal injuries. Before cleaning the appliance, unplug the power cord. Use only a soft cloth dampened with water for cleaning. When
  • D-Link CP310 | User Guide - Page 5
    Contents About This Guide ...xi Introduction ...1 About Your D-Link NetDefend firewall 1 NetDefend Secured by Check Point Product Family 2 NetDefend Features and Compatibility 2 Connectivity ...2 Firewall ...3 VPN ...4 Management...4 Optional Security Services...5 Power Pack Features ...5 Package
  • D-Link CP310 | User Guide - Page 6
    32 Network Installation...35 Setting Up the NetDefend firewall...36 Getting Started ...39 Initial Login to the NetDefend Portal 39 Logging on to the NetDefend Portal 42 Accessing the ...69 Using a PPTP Connection...71 Using a Telstra (BPA) Connection 73 ii D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 7
    91 Setting Up a Dialup Backup Connection 92 Managing Your Network...93 Configuring Network Settings ...93 Configuring a DHCP Server ...94 Changing IP Addresses ...105 Enabling/Disabling Hide NAT...107 Configuring a DMZ Network...108 Configuring the OfficeMode Network 110 Configuring VLANs
  • D-Link CP310 | User Guide - Page 8
    Shaper Defaults Troubleshooting Wireless Connectivity 183 Viewing Reports ...187 Viewing the Event Log ...187 Using the Traffic Monitor ...191 Viewing Traffic Reports ...191 Configuring Traffic Monitor Settings 193 Exporting General Traffic Reports 194 iv D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 9
    Contents Viewing Computers ...194 Viewing Connections ...197 Viewing Wireless Statistics...198 Setting Your Security Policy ...203 Default Security Policy ...203 Setting the Firewall Security Level 204 Configuring Servers ...207 Using Rules ...209 Adding and Editing Rules ...213 Enabling/Disabling
  • D-Link CP310 | User Guide - Page 10
    Service Center 289 Web Filtering ...290 Enabling/Disabling Web Filtering 290 Selecting Categories for Blocking 291 Temporarily Disabling Web Filtering 292 Automatic and Manual Updates...294 Checking for Software VPN Gateway 324 Deleting a VPN Site ...340 vi D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 11
    Setting Up Remote VPN Access for Users 367 Using RADIUS Authentication...368 Configuring the RADIUS Vendor-Specific Attribute 372 Maintenance ...375 Viewing Firmware Status...375 Updating the Firmware ...377 Upgrading Your Software Product 379 Registering Your NetDefend firewall 383 Configuring
  • D-Link CP310 | User Guide - Page 12
    the Appliance 397 Using Diagnostic Tools...401 Using IP Tools ...402 Using Packet Sniffer ...404 Resetting the NetDefend firewall to Defaults 418 Running Diagnostics ...421 Troubleshooting ...437 Connectivity ...438 Service Center and Upgrades ...442 viii D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 13
    Contents Other Problems ...443 Specifications ...445 Technical Specifications ...445 CE Declaration of Conformity ...449 Federal Communications Commission Radio Frequency Interference Statement 451 Glossary of Terms ...453 Index...461 Contents ix
  • D-Link CP310 | User Guide - Page 14
  • D-Link CP310 | User Guide - Page 15
    About Your D-Link NetDefend firewall About This Guide To make finding information in this manual easier, some types of DFL-CP310 or DFL-CPG310, with or without the Power Pack DFL-CPG310 only, with or without the Power Pack DFL-CP310 or DFL-CPG310, with the Power Pack only Chapter 1: About This Guide
  • D-Link CP310 | User Guide - Page 16
  • D-Link CP310 | User Guide - Page 17
    purchasing static IP addresses. With the NetDefend firewall, you can subscribe to additional security services available from select service providers, including firewall security and software updates, Antivirus, Web Filtering, reporting, and VPN management. By supporting integrated VPN capabilities
  • D-Link CP310 | User Guide - Page 18
    access and dialup modem connection • Supported Internet connection methods: Static IP, DHCP Client, Cable Modem, PPTP Client, PPPoE Client, Telstra BPA login, Dialup • Concurrent firewall connections: 8,000 • DHCP server, client, and relay • MAC cloning 2 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 19
    Monitoring • Traffic Shaping • VLAN Support (requires Power Pack) • Dynamic Routing (requires Power Pack) The NetDefend DFL-CPG310 firewall includes the following additional • Network Address Translation (NAT) • Three preset security policies • Anti-spoofing • Voice over IP (H.323) support • Instant
  • D-Link CP310 | User Guide - Page 20
    NetDefend series includes the following features: • Remote Access VPN Server with OfficeMode and RADIUS support • Remote Access VPN Client • Site to Site VPN Gateway • IPSEC VPN pass Table Monitor, Wireless Monitor, Active Computers Display, Local Logs 4 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 21
    and Software Updates • Web Filtering • Email Antivirus and Antispam Protection • VStream Embedded Antivirus Updates • VPN Management • Security Reporting • Vulnerability Scanning Service Power Pack Features The table below describes the differences between the standard DFL-CP310 and DFL-CPG310
  • D-Link CP310 | User Guide - Page 22
    Compatibility Feature DFL-CP310/CPG310 DFL-CP310/CPG310 with Power Pack VLAN (Port/Tag-based) - VPN Throughput Site-to-Site VPN 20 Mbps 2 tunnels 30 Mbps 15 tunnels Site-to-Site VPN (Managed) * 10 tunnels 100 tunnels Included VPN-1 SecuRemote client Licenses 5 users 25 users * When
  • D-Link CP310 | User Guide - Page 23
    ) • 10BaseT or 100BaseT Network Interface Card installed on each computer • TCP/IP network protocol installed on each computer • Internet Explorer 5.0 or higher, or 5.5 or higher, or Mozilla Firefox 1.0 or higher. • When using the DFL-CPG310, an 802.11b, 802.11g or 802.11 Super G wireless card
  • D-Link CP310 | User Guide - Page 24
    Panel Items The following table lists the NetDefend firewall's rear panel elements. Table 1: NetDefend firewall Rear Panel Elements Label Description PWR A power jack used for supplying power to the unit. Connect the supplied power adapter to this jack. 8 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 25
    to the version that shipped with the NetDefend firewall. This results in the loss of all security services and passwords and reverting to the factory default firmware. You will have to re-configure your NetDefend firewall. Do not reset the unit without consulting your system administrator. A serial
  • D-Link CP310 | User Guide - Page 26
    On (Red) LAN 1-4/ WAN/ DMZ/WAN2 LINK/ACT Off, 100 Off LINK/ACT On, 100 Off Explanation Power off System boot-up Establishing Internet connection Normal operation Hacker attack blocked Error Link is down 10 Mbps link established for the corresponding port 10 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 27
    (Green) Flashing (Green) Explanation 100 Mbps link established for the corresponding port Data is being transmitted/received VPN port in use Serial port in use Getting to Know Your NetDefend firewall Rear Panel All physical connections (network and power) to the NetDefend firewall are made via
  • D-Link CP310 | User Guide - Page 28
    the NetDefend firewall. This results in the loss of all security services and passwords and reverting to the factory default firmware. You will have to re-configure your NetDefend firewall. Do Antenna connectors, used to connect the supplied wireless antennas 12 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 29
    4: NetDefend firewall Status LEDs LED State Explanation PWR/SEC Off Power off Flashing quickly (Green) System boot-up Flashing slowly ( (Orange) Software update in progress LAN 1-4/ WAN/ DMZ/WAN2 LINK/ACT Off, 100 Off Link is down LINK/ACT On, 100 Off 10 Mbps link established for
  • D-Link CP310 | User Guide - Page 30
    /received VPN port in use Serial port in use USB port in use WLAN in use Contacting Technical Support If there is a problem with your NetDefend firewall, see http://support.dlink.com/. You can also download the latest version of this guide from the site. 14 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 31
    for operation, you must do the following: • Check if TCP/IP Protocol is installed on your computer. • Check your computer's TCP/IP settings to make sure it obtains its IP address automatically. Refer to the relevant section in this guide in accordance with the operating system that runs on your
  • D-Link CP310 | User Guide - Page 32
    , it is recommended to disable it if you are using a NetDefend firewall, since the NetDefend firewall offers better protection. Checking the TCP/IP Installation 1. Click Start > Settings > Control Panel. The Control Panel window appears. 2. Double-click the Network and Dial-up Connections icon. 16
  • D-Link CP310 | User Guide - Page 33
    Before You Install the NetDefend firewall The Network and Dial-up Connections window appears. 3. Right-click the icon and select Properties from the pop-up menu that opens. Chapter 2: Installing and Setting up the NetDefend firewall 17
  • D-Link CP310 | User Guide - Page 34
    In the above window, check if TCP/IP appears in the components list and if it is properly configured with the Ethernet card, installed on your computer. If TCP/IP does not appear in the Components list, you must install it as described in the next section. 18 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 35
    Before You Install the NetDefend firewall Installing TCP/IP Protocol 1. In the Local Area Connection Properties window The Select Network Protocol window appears. 3. Choose Internet Protocol (TCP/IP) and click OK. TCP/IP protocol is installed on your computer. Chapter 2: Installing and Setting up
  • D-Link CP310 | User Guide - Page 36
    192.168.10 is the default value, and it may vary if you changed it in the My Network page.) 3. Click the Obtain DNS server address automatically radio button. 4. Click OK to save the new settings. Your computer is now ready to access your NetDefend firewall. 20 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 37
    Windows 98/Millennium Checking the TCP/IP Installation 1. Click Start > Settings > Control Panel. The Control Panel window appears. Before You Install the NetDefend firewall 2. Double-click the icon. Chapter 2: Installing and Setting up the NetDefend firewall 21
  • D-Link CP310 | User Guide - Page 38
    configured with the Ethernet card, installed on your computer. Installing TCP/IP Protocol Note: If TCP/IP is already installed and configured on your computer skip this section and move directly to TCP/IP Settings. 1. In the Network window, click Add. 22 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 39
    and click Add. The Select Network Protocol window appears. 3. In the Manufacturers list choose Microsoft, and in the Network Protocols list choose TCP/IP. 4. Click OK. If Windows asks for original Windows installation files, provide the installation CD and relevant path when required (e.g. D:\win98
  • D-Link CP310 | User Guide - Page 40
    correct configurations. 1. In the Network window, double-click the TCP/IP service for the Ethernet card, which has been installed on your computer (e.g. ). The TCP/IP Properties window opens. 2. Click the Gateway tab, and remove any installed gateways. 24 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 41
    Before You Install the NetDefend firewall 3. Click the DNS Configuration tab, and click the Disable DNS radio button. Chapter 2: Installing and Setting up the NetDefend firewall 25
  • D-Link CP310 | User Guide - Page 42
    IP address, select Specify an IP address, type in an IP address in the range of 192.168.10.129-254, enter 255.255.255.0 in the Subnet Mask field, and click OK to save the new settings. (Note that 192.168.10 is the default for setting up the TCP/IP Protocol. 26 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 43
    the NetDefend firewall 1. Choose Apple Menus -> Control Panels -> TCP/IP. The TCP/IP window appears. 2. Click the Connect via drop-down list, and select Ethernet. 3. Click the Configure drop-down list, and select Using DHCP Server. 4. Close the window and save the setup. Chapter 2: Installing
  • D-Link CP310 | User Guide - Page 44
    Before You Install the NetDefend firewall Mac OS-X Use the following procedure for setting up the TCP/IP Protocol. 1. Choose Apple -> System Preferences. The System Preferences window appears. 2. Click Network. The Network window appears. 28 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 45
    Before You Install the NetDefend firewall 3. Click Configure. Chapter 2: Installing and Setting up the NetDefend firewall 29
  • D-Link CP310 | User Guide - Page 46
    Wall Mounting the Appliance TCP/IP configuration fields appear. 4. Click the Configure IPv4 drop-down list, and select Using DHCP. 5. Click Apply Now. Wall Mounting the Appliance If desired, you can the appliance on the wall facing up, down, left, or right. 30 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 47
    Wall Mounting the Appliance Note: Mounting the appliance facing downwards is not recommended, as dust might accumulate in unused ports. 3. Mark two drill holes on the wall, in accordance with the following sketch: 4. Drill two 3.5 mm diameter holes, approximately 25 mm deep. 5. Insert two plastic
  • D-Link CP310 | User Guide - Page 48
    to install a looped security cable on your appliance. A looped security cable typically includes the parts shown in the diagram below. Figure 6: Looped Security Cable 32 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 49
    Securing the Appliance against Theft While these parts may differ between devices, all looped security cables include a bolt with knobs, as shown in the diagram below: Figure 7: Looped Security Cable Bolt The bolt has two states, Open and Closed, and is used to connect the looped security cable to
  • D-Link CP310 | User Guide - Page 50
    's holes, and insert the pin into the main body of the anti-theft device, as described in the documentation that came with your device. 34 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 51
    to a Cable Modem, xDSL modem or office network. 4. Connect the power adapter to the power socket, labeled PWR, at the back of the NetDefend firewall. 5. Plug the power adapter into the wall electrical outlet. Warning: The NetDefend firewall power adapter is compatible with either 100, 120 or 230 VAC
  • D-Link CP310 | User Guide - Page 52
    hub. Warning: Verify that the USB devices' power requirement does not exceed the appliance's USB power supply capabilities. Failure to observe this warning may After you have logged on and set up your password, the Setup Wizard automatically opens and displays the D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 53
    on to the NetDefend Portal and setting up your password Initial Login to the NetDefend Portal on page 39 Configuring an Your Software Product on page 379 Registering your NetDefend firewall Registering Your NetDefend firewall on page 383 Setting up subscription services Connecting to a Service Center
  • D-Link CP310 | User Guide - Page 54
    Setting Up the NetDefend firewall To access the Setup Wizard 1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears. 2. Click NetDefend Setup Wizard. The NetDefend Setup Wizard opens with the Welcome page displayed. 38 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 55
    your NetDefend firewall. This chapter includes the following topics: Initial Login to the NetDefend Portal 39 Logging on to the NetDefend Portal 46 Logging off 51 Initial Login to the NetDefend Portal The first time you log on to the NetDefend Portal, you must set up your password. To log on to
  • D-Link CP310 | User Guide - Page 56
    2. Type a password both in the Password and the Confirm Password fields. Note: The password must be five to 25 characters (letters or numbers). Note: You can change your password at any time. For further information, see Changing Your Password. 3. Click OK. 40 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 57
    Initial Login to the NetDefend Portal The NetDefend Setup Wizard opens, with the Welcome page Wizard on page 54. After you have completed the Internet Wizard, the Setup Wizard continues to guide you through appliance setup. For more information, see Setting Up the NetDefend firewall. • Internet
  • D-Link CP310 | User Guide - Page 58
    the NetDefend Portal Note: By default, HTTP and HTTPS access to the NetDefend Portal is not allowed from the WLAN, unless you do one of the following: • Configure a specific firewall rule to allow access Accessing the NetDefend Portal Remotely on page 44. 42 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 59
    The login page appears. Logging on to the NetDefend Portal 2. Type your username and password. 3. Click OK. Chapter 3: Getting Started 43
  • D-Link CP310 | User Guide - Page 60
    to access the NetDefend Portal remotely using HTTPS, you must first do both of the following: • Configure your password, using HTTP. See Initial Login to the NetDefend Portal on page 39. • Configure HTTPS Remote Access. See Configuring HTTPS on page 390. 44 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 61
    Accessing the NetDefend Portal Remotely Using HTTPS Note: Your browser must support 128-bit cipher strength. To check your browser's cipher strength, open Internet Explorer and click Help > About Internet Explorer. To access the NetDefend Portal from
  • D-Link CP310 | User Guide - Page 62
    frame may also contain tabs that allow you to view different pages related to the selected topic. Status bar Shows your Internet connection and managed services status. 46 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 63
    established connections. Security Provides controls and options for setting the security of any computer in the network. Antivirus Allows you to configure VStream Antivirus settings. Services Allows you to control your subscription to subscription
  • D-Link CP310 | User Guide - Page 64
    to upgrade your license and firmware and to configure HTTPS access to your NetDefend firewall. Allows you to manage NetDefend users. Allows you to manage on what model you are using. The differences are described throughout this guide. Status Bar The status bar is located at the bottom of each page
  • D-Link CP310 | User Guide - Page 65
    Connected - Probing Failed. Connection probing is enabled and has detected problems with the Internet connectivity. • Not Connected. The Internet connection is trying to contact the Internet default gateway. • Disabled. The Internet connection has been manually disabled. Note: You can configure
  • D-Link CP310 | User Guide - Page 66
    services. • Connection Failed. The NetDefend firewall failed to connect to the Service Center. • Connecting. The NetDefend firewall is connecting to the Service Center. • Connected. You are connected to the Service Center, and security services are active. 50 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 67
    off Logging off terminates your administration session. Any subsequent attempt to connect to the NetDefend Portal will require re-entering of the administration password. To log off of the NetDefend Portal • Do one of the following: • If you are connected through HTTP, click Logout in the main
  • D-Link CP310 | User Guide - Page 68
  • D-Link CP310 | User Guide - Page 69
    can access the Internet through the NetDefend firewall. You can configure your Internet connection using any of the following setup tools: • Setup Wizard. Guides you through the NetDefend firewall setup step by step. The first part of the Setup Wizard is the Internet Wizard. For further information
  • D-Link CP310 | User Guide - Page 70
    you to configure your NetDefend firewall for Internet connection quickly and easily through its user-friendly interface. It lets you choose between the following three types of broadband Internet tab. The Internet page appears. 2. Click Internet Wizard. 54 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 71
    Using the Internet Wizard The Internet Wizard opens with the Welcome page displayed. 3. Click Next. The Internet Connection Method dialog box appears. 4. Select the Internet connection method you want to use for connecting to the Internet. Chapter 4: Configuring the Internet Connection 55
  • D-Link CP310 | User Guide - Page 72
    Wizard Note: If you selected PPTP or PPPoE dialer, do not use your dial-up software to connect to the Internet. 5. Click Next. Using a Direct LAN Connection No further settings to the Internet via the selected connection. The Connecting... screen appears. 56 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 73
    Using the Internet Wizard At the end of the connection process the Connected screen appears. 2. Click Finish. Chapter 4: Configuring the Internet Connection 57
  • D-Link CP310 | User Guide - Page 74
    the following: • Click This Computer to automatically "clone" the MAC address of your computer to the NetDefend firewall. Or • If the ISP requires authentication using the MAC address of a different computer, enter the MAC address in the MAC cloning field. 58 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 75
    Using the Internet Wizard 3. Click Next. The Confirmation screen appears. 4. Click Next. The system attempts to connect to the Internet. The Connecting... screen appears. At the end of the connection process the Connected screen appears. 5. Click Finish. Using a PPTP or PPPoE Dialer Connection If
  • D-Link CP310 | User Guide - Page 76
    to the Internet via the DSL connection. The Connecting... screen appears. At the end of the connection process the Connected screen appears. 4. Click Finish. 60 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 77
    Internet Wizard Table 8: PPPoE Connection Fields In this field... Do this... Username Type your user name. Password Type your password. Confirm password Type your password again. Service Type your service name. This field can be left blank. Using PPTP If you selected the PPTP connection
  • D-Link CP310 | User Guide - Page 78
    password Type your password again. Service Type your service name. Server IP Type the IP address of the PPTP modem. Internal IP Type the local IP address required for accessing the PPTP modem. Subnet Mask Type the subnet mask of the PPTP modem. 62 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 79
    Using Internet Setup Using Internet Setup Internet Setup allows you to manually configure your Internet connection. To configure the Internet connection using Internet Setup 1. Click Network in the main menu, and click the Internet tab. 2. Next to
  • D-Link CP310 | User Guide - Page 80
    display changes according to the connection type you selected. The following steps should be performed in accordance with the connection type you have chosen. 64 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 81
    Using a LAN Connection Using Internet Setup 1. Complete the fields using the relevant information in Internet Setup Fields on page 77. Chapter 4: Configuring the Internet Connection 65
  • D-Link CP310 | User Guide - Page 82
    Bar displays the Internet status "Connecting". This may take several seconds. Once the connection is made, the Status Bar displays the Internet status "Connected". 66 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 83
    Using a Cable Modem Connection Using Internet Setup 1. Complete the fields using the relevant information in Internet Setup Fields on page 77. Chapter 4: Configuring the Internet Connection 67
  • D-Link CP310 | User Guide - Page 84
    Bar displays the Internet status "Connecting". This may take several seconds. Once the connection is made, the Status Bar displays the Internet status "Connected". 68 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 85
    Using a PPPoE Connection Using Internet Setup 1. Complete the fields using the relevant information in Internet Setup Fields on page 77. Chapter 4: Configuring the Internet Connection 69
  • D-Link CP310 | User Guide - Page 86
    Bar displays the Internet status "Connecting". This may take several seconds. Once the connection is made, the Status Bar displays the Internet status "Connected". 70 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 87
    Using a PPTP Connection Using Internet Setup 1. Complete the fields using the relevant information in Internet Setup Fields on page 77. Chapter 4: Configuring the Internet Connection 71
  • D-Link CP310 | User Guide - Page 88
    Using Internet Setup New fields appear, depending on the check boxes you selected. 2. Click Apply. The NetDefend firewall attempts to connect to the Internet, and the Status Bar displays the Internet status "Connecting". This may take several seconds. 72 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 89
    Using Internet Setup Once the connection is made, the Status Bar displays the Internet status "Connected". Using a Telstra (BPA) Connection Use this Internet connection type only if you are subscribed to Telstra® BigPond™ Internet. Telstra BigPond is a trademark of Telstra Corporation Limited. 1.
  • D-Link CP310 | User Guide - Page 90
    Bar displays the Internet status "Connecting". This may take several seconds. Once the connection is made, the Status Bar displays the Internet status "Connected". 74 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 91
    Using Internet Setup Using a Dialup Connection To use this connection type, you must first set up the dialup modem. For information, see Setting Up a Dialup Modem on page 84. 1. Complete the fields using the relevant information in Internet Setup Fields on page 77. Chapter 4: Configuring the
  • D-Link CP310 | User Guide - Page 92
    Bar displays the Internet status "Connecting". This may take several seconds. Once the connection is made, the Status Bar displays the Internet status "Connected". 76 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 93
    Do this... Username Type your user name. Password Type your password. Confirm password Type your password. Service Type your service name. If your ISP has not provided you with a service name, leave this field empty. Server IP If you selected PPTP, type the IP address of the PPTP server as
  • D-Link CP310 | User Guide - Page 94
    do not want the NetDefend firewall to obtain an IP address automatically using DHCP. IP Address Type the static IP address of your NetDefend firewall. Subnet Mask Select the subnet mask that applies to the static IP address of your NetDefend firewall. 78 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 95
    DNS Server Secondary DNS Server WINS Server QoS Shape Upstream: Link Rate Do this... Type the IP address of your ISP's default gateway. Clear this option if you want the NetDefend firewall to obtain an IP address automatically using DHCP, but not to automatically configure DNS servers. Clear this
  • D-Link CP310 | User Guide - Page 96
    you to control the maximum transmission unit size. As a general recommendation you should leave this field empty. If however you wish to modify the default MTU, it is recommended that you consult with your ISP first and use MTU values between 1300 and 1500. 80 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 97
    authentication using the MAC address of a different computer, type the MAC address in this field. Note: In the secondary Internet connection, this field is enabled only if the DMZ/WAN2 port is set to WAN2. The High Availability area only appears in NetDefend with Power Pack. If you are using
  • D-Link CP310 | User Guide - Page 98
    this is done by sending PPP echo reply (LCP) messages to the PPP peer. By default, if the default gateway does not respond, the Internet connection is considered to be down. If it is continuous Internet connectivity. This option is selected by default. 82 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 99
    router, which is usually at your ISP, connectivity to the next hop router does not always indicate that the Internet is accessible. For example, if there is a problem with a different router is the default value. • Ping Addresses. Ping anywhere from one to three servers specified by IP address or DNS
  • D-Link CP310 | User Guide - Page 100
    the desired servers. If you chose the Probe VPN Gateway (RDP) connection probing method, type the IP addresses or DNS names of the desired VPN gateways. You can clear a field by clicking Clear. Setting Click Network in the main menu, and click the Ports tab. 84 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 101
    The Ports page appears. Setting Up a Dialup Modem 3. In the RS232 drop-down list, select Dialup. 4. Click Apply. 5. Next to the RS232 drop-down list, click Setup. Chapter 4: Configuring the Internet Connection 85
  • D-Link CP310 | User Guide - Page 102
    modem type. Initialization String Type the installation string for the custom modem type. If you selected a standard modem type, this field is read-only. 86 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 103
    Viewing Internet Connection Information In this field... Dial Mode Port Speed Do this... Select the dial mode the modem uses. Select the modem's port speed (in bits per second). Viewing Internet Connection Information You can view information on your Internet connection(s) in terms of status,
  • D-Link CP310 | User Guide - Page 104
    in the format hh:mm:ss, where: hh=hours mm=minutes ss=seconds IP Address Your IP address. Enabled Indicates whether or not the connection is enabled. For further information, see connection's Enabled/Disabled status is persistent through reboots. 88 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 105
    Enabling/Disabling the Internet Connection To enable/disable an Internet connection 1. Click Network in the main menu, and click the Internet tab. The Internet page appears. 2. Next to the Internet connection, do one of the following: • To enable the connection, click . The button changes to and the
  • D-Link CP310 | User Guide - Page 106
    NetDefend firewall acts as a DNS relay and routes requests from computers within the network to the appropriate DNS server for the active Internet connection. 90 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 107
    . 2. Connect your two modems or routers to the hub/switch. 3. Configure two Internet connections. For instructions, see Using Internet Setup on page 63 . Important: The two connections can be of different types. However, they cannot both be LAN DHCP
  • D-Link CP310 | User Guide - Page 108
    Up a Dialup Modem on page 84. 2. Configure a LAN or broadband primary Internet connection. For instructions, see Using Internet Setup on page 63. 3. Configure a Dialup secondary Internet connection. For instructions, see Using Internet Setup on page 63. 92 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 109
    . Note: If you change the network settings to incorrect values and are unable to correct the error, you can reset the NetDefend firewall to its default settings. See Resetting the NetDefend firewall to Defaults on page 418. Chapter 5: Managing Your Network 93
  • D-Link CP310 | User Guide - Page 110
    DHCP relay. When in DHCP relay mode, the NetDefend firewall relays information from the desired DHCP server to the devices on your network. Note: You can perform DHCP reservation using network objects. For information, see Using Network Objects on page 129. 94 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 111
    Network Settings Enabling/Disabling the NetDefend DHCP Server You can enable and disable the NetDefend DHCP Server for internal networks. Note: Enabling and disabling the DHCP Server is not available for the OfficeMode network. To enable/disable the NetDefend DHCP server 1. Click Network in the main
  • D-Link CP310 | User Guide - Page 112
    is configured to obtain its IP address automatically (using DHCP), and either the NetDefend DHCP server or another DHCP server is enabled, restart your computer. If you enabled the DHCP server, your computer obtains an IP address in the DHCP address range. 96 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 113
    Network Settings Configuring the DHCP Address Range By default, the NetDefend DHCP server automatically sets the DHCP address range. The DHCP address range is the range of IP addresses that the DHCP server can assign to network devices. IP addresses outside of the DHCP address range are reserved for
  • D-Link CP310 | User Guide - Page 114
    appears 7. If your computer is configured to obtain its IP address automatically (using DHCP), and either the NetDefend DHCP server or another DHCP server is enabled, restart your computer. Your computer obtains an IP address in the new DHCP address range. 98 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 115
    will not work if the appliance is located behind a NAT device. Note: Configuring DHCP options is not available for the OfficeMode network. To configure DHCP relay 1. Click Network in the main menu, and click the My Network tab. The My Network page appears. 2. In the desired network's row, click
  • D-Link CP310 | User Guide - Page 116
    appears 7. If your computer is configured to obtain its IP address automatically (using DHCP), and either the NetDefend DHCP server or another DHCP server is enabled, restart your computer. Your computer obtains an IP address in the DHCP address range. 100 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 117
    Domain suffix • DNS servers • WINS servers • NTP servers • VoIP call managers • TFTP server and boot filename Note: Configuring DHCP options is not available for the DMZ or VLANs. To configure DHCP options 1. Click Network in the main menu, and click the My Network tab. The My Network page appears
  • D-Link CP310 | User Guide - Page 118
    Configuring Network Settings The DHCP Server Options page appears. 4. Complete the fields using the relevant information in the table below. 102 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 119
    your computer is configured to obtain its IP address automatically (using DHCP), restart your computer. Your computer obtains an IP address in the DHCP address range. Table 13: DHCP Server Options Fields In this field... Do this... Domain Name Type a default domain suffix that should be passed
  • D-Link CP310 | User Guide - Page 120
    to synchronize the time on the DHCP clients, type the IP address of the Primary and Secondary NTP servers. To assign Voice over Internet Protocol (VoIP) call managers to the DHCP clients, type the IP address of the Primary and Secondary VoIP servers. 104 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 121
    of the TFTP server. Type the boot file to use for booting DHCP clients via TFTP. Changing IP Addresses If desired, you can change your NetDefend firewall's internal IP address, or the entire range of IP addresses in your internal network. You may want to perform these tasks if, for example, you
  • D-Link CP310 | User Guide - Page 122
    your computer. Your computer obtains an IP address in the new range. • Otherwise, manually reconfigure your computer to use the new address range using the TCP/IP settings. For information on configuring TCP/IP, see TCP/IP Settings on page 24, on page 20. 106 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 123
    several computers, by "hiding" the private IP addresses of the internal computers behind the NetDefend firewall's single Internet IP address. Note: If Hide NAT is disabled, you must obtain a range of Internet IP addresses from your ISP. Hide NAT is enabled by default. Note: Static NAT and Hide NAT
  • D-Link CP310 | User Guide - Page 124
    called a DMZ (demilitarized zone) network. For information on default security policy rules controlling traffic to and from the DMZ, see Default Security Policy on page 203. To configure a DMZ network and click the Ports tab. The Ports page appears. 108 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 125
    Hide NAT. See Enabling/Disabling Hide NAT on page 107. 9. If desired, configure a DHCP server. See Configuring a DHCP Server on page 94. 10. In the IP Address field, type the IP address of the DMZ network's default gateway. Note: The DMZ network must not overlap other networks. 11. In the Subnet
  • D-Link CP310 | User Guide - Page 126
    link. • Some networking protocols or resources may require the client's IP address to be an internal one. OfficeMode solves these problems by enabling the NetDefend DHCP Server to automatically assign a unique local IP address . The fields are enabled. 110 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 127
    Network Settings 4. In the IP Address field, type the IP address to use as the OfficeMode network's default gateway. Note: The OfficeMode Enabling/Disabling Hide NAT on page 107. 7. If desired, configure DHCP options. See Configuring DHCP Server Options on page 101. 8. Click Apply. A warning
  • D-Link CP310 | User Guide - Page 128
    another division without rewiring your network, by simply reassigning them to the desired VLAN. The NetDefend firewall supports the following VLAN types: • Tag-based In tag-based VLAN you use one of the gateway to the correct VLAN. Figure 10: Tag-based VLAN 112 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 129
    appliance's internal switch has only four ports. You can define up to ten VLAN networks (port-based and tag-based combined). For information on the default security policy for VLANs, see Default Security Policy on page 203. Chapter 5: Managing Your Network 113
  • D-Link CP310 | User Guide - Page 130
    the Network Name field, type a name for the VLAN. 4. In the Type drop-down list, select Port Based VLAN. The VLAN Tag field disappears. 114 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 131
    the IP address of the VLAN network's default gateway. Note: The VLAN network must not overlap other networks. 6. In the Subnet Mask field, type the VLAN's internal network range. 7. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 107. 8. If desired, configure a DHCP
  • D-Link CP310 | User Guide - Page 132
    the IP address of the VLAN network's default gateway. Note: The VLAN network must not overlap other networks. 7. In the Subnet Mask field, type the VLAN's internal network range. 8. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 107. 9. If desired, configure a DHCP
  • D-Link CP310 | User Guide - Page 133
    In this mode, it will not accept untagged packets. 15. Configure a VLAN trunk (802.1Q) port on the VLAN-aware switch, according to the vendor instructions. Define the same VLAN IDs on the switch. 16. Connect the NetDefend firewall's DMZ/WAN2 port to the VLAN-aware switch's VLAN trunk port. Chapter
  • D-Link CP310 | User Guide - Page 134
    tab. The My Network page appears. 3. In the desired VLAN's row, click the Erase icon. A confirmation message appears. 4. Click OK. The VLAN is deleted. 118 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 135
    . The gateways in a HA cluster each have a separate IP address within the local network. In addition, the gateways share a single virtual IP address, which is the default gateway address for the local network. Control of the virtual IP address is passed as follows: 1. Each gateway is assigned
  • D-Link CP310 | User Guide - Page 136
    IP address without creating an IP address conflict. WAN HA avoids an IP address change, and thereby ensures virtually uninterrupted access from the Internet to internal servers at your network. Before configuring HA, the following requirements must be met: 120 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 137
    firmware versions and firewall rules. • The appliances' internal networks must be the same. • The appliances must have different real internal IP addresses, but share the same virtual IP address the DHCP server in all NetDefend firewalls. A Passive Gateway's DHCP server will start answering DHCP
  • D-Link CP310 | User Guide - Page 138
    . Each appliance must have a different internal IP address. See Changing IP Addresses on page 105. 2. Click Setup in the main menu, and click the High Availability tab. The High Availability page appears. 3. Select the Gateway High Availability check box. 122 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 139
    4. Next to each network for which you want to enable HA, select the HA check box. 5. In the Virtual IP field, type the default gateway IP address. This can be any unused IP address in the network, and must be the same for all gateways. 6. Click the Synchronization radio button next to the network
  • D-Link CP310 | User Guide - Page 140
    connected and enabled on all gateways. Otherwise, multiple appliances may become active, causing unpredictable problems. 7. Complete the fields using the information in the table below. 8. Click Apply. A success . This must be an integer between 0 and 255. 124 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 141
    Type the amount to reduce the gateway's priority if the LAN port's Ethernet link is lost. DMZ Advanced Group ID Type the amount to reduce the gateway's should belong. This must be an integer between 1 and 255. The default value is 55. If only one HA cluster exists, there is no need to change
  • D-Link CP310 | User Guide - Page 142
    interface is the DMZ network, the LAN virtual IP address is 192.168.100.3, and the DMZ virtual IP address is 192.168.101.3. Gateway A is the Active Gateway. To configure HA for Gateway A and Gateway B 1. Connect the LAN port of Gateways A and B to hub 1. 126 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 143
    the HA check box. e. In the LAN network's Virtual IP field, type the default gateway IP address 192.168.100.3. f. Next to DMZ, select the HA check box. g. In the DMZ network's Virtual IP field, type the default gateway IP address 192.168.101.3. h. Click the Synchronization radio button next to
  • D-Link CP310 | User Guide - Page 144
    Virtual IP field, type the default gateway IP address 192.168.100.3. f. Next to DMZ, select the HA check box. g. In the DMZ network's Virtual IP field, type the default gateway IP address 192. connection goes down. k. Click Apply. A success message appears. 128 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 145
    the host's internal IP address, and not the Internet IP address to which the internal IP address is mapped. For further information, see Using Rules on page 209. Note: Static NAT and Hide NAT can be used together. Note: The NetDefend firewall supports Proxy ARP (Address Resolution Protocol). When
  • D-Link CP310 | User Guide - Page 146
    IP address for use by the computer's MAC address only. This is called DHCP reservation, and it is useful if you are hosting a public Internet server on your network. • Secure HotSpot enforcement In NetDefend with Power Pack and click the Network Objects tab. 130 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 147
    Configuring High Availability The Network Objects page appears with a list of network objects. 2. Do one of the following: • To add a network object, click New. • To edit an existing network object, click Edit next to the desired computer in the list. Chapter 5: Managing Your Network 131
  • D-Link CP310 | User Guide - Page 148
    network object should represent a single computer or device, click Single Computer. • To specify that the network object should represent a network, click Network. 4. Click Next. 132 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 149
    Configuring High Availability The Step 2: Computer Details dialog box appears. If you chose Single Computer, the dialog box includes the Perform Static NAT option. If you chose Network, the dialog box does not include this option. 5. Complete the fields using the information in the tables below.
  • D-Link CP310 | User Guide - Page 150
    Finish. To add or edit a network object via the Active Computers page 1. Click Reports in the main menu, and click the Active Computers tab. 134 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 151
    The Active Computers page appears. Configuring High Availability If a computer has not yet been added as a network object, the Add button appears next to it. If a computer has already been added as a network object, the Edit button appears next to it. 2. Do one of the following: • To add a network
  • D-Link CP310 | User Guide - Page 152
    . 4. Click Next. The Step 2: Computer Details dialog box appears. The computer's IP address and MAC address are automatically filled in. 5. Complete the fields using the information in the tables below . The new object appears in the Network Objects page. 136 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 153
    ) Select this option to map the local computer's IP address to an Internet IP address. You must then fill in the External IP field. External IP Type the Internet IP address to which you want to map the local computer's IP address. Exclude this computer from HotSpot enforcement Select this
  • D-Link CP310 | User Guide - Page 154
    IP address range to a range of Internet IP addresses of the same size. You must then fill in the External IP Range field. External IP Range Type the Internet IP address range to which you want to map the network's IP address object is deleted. icon. 138 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 155
    match any defined static route will be routed to the default gateway. To modify the default gateway, see Using a LAN Connection on page 65. A static route can be based on the packet's destination IP address, or based on the source IP address, in which case it is a source route. Source routing can
  • D-Link CP310 | User Guide - Page 156
    Using Static Routes The Static Routes page appears, with a list of existing static routes. 2. Do one of the following: • To add a static route, click New Route. • To edit an existing static route, click Edit next to the desired route in the list. 140 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 157
    Step 1: Source and Destination dialog box. 3. To select a specific source network (source routing), do the following: a) In the Source drop-down list, select Specified Network. New fields appear. b) In the Network field, type the IP address of the source network. Chapter 5: Managing Your Network
  • D-Link CP310 | User Guide - Page 158
    network, do the following: a) In the Destination drop-down list, select Specified Network. New fields appear. b) In the Network field, type the IP address of the destination network. c) In the Netmask drop-down list, select the subnet mask. 5. Click Next. 142 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 159
    , type the IP address of the gateway (next hop router) to which to route the packets destined for this network. 7. In the Metric field, type the static route's metric. The gateway sends a packet to the route that matches the packet's destination and has the lowest metric. The default value is 10
  • D-Link CP310 | User Guide - Page 160
    Routes The new static route is saved. Viewing and Deleting Static Routes Note: The "default" route cannot be deleted. To delete a static route 1. Click Network in the main the Erase icon. A confirmation message appears. 3. Click OK. The route is deleted. 144 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 161
    you to quickly and easily assign its ports to different uses, as shown in the table below. Furthermore, you can restrict each port to a specific link speed and duplex setting. Table 18: Ports and Assignments You can assign this port... To these uses... LAN LAN network VLAN network DMZ/WAN2
  • D-Link CP310 | User Guide - Page 162
    1. Click Network in the main menu, and click the Ports tab. The Ports page appears. The following information is displayed for each enabled port: 146 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 163
    port's current assignment. For example, if the DMZ/WAN2 port is currently used for the DMZ, the drop-down list displays "DMZ". • Link Configuration. The configured link speed (10 Mbps or 100 Mbps) and duplex (Full Duplex or Half Duplex) configured for the port. Automatic Detection indicates that the
  • D-Link CP310 | User Guide - Page 164
    list to the right of the port, select the desired port assignment. 2. Click Apply. The port is reassigned to the specified network or purpose. 148 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 165
    Configurations Managing Ports By default, the NetDefend automatically detects the link speed and duplex. If desired, you can manually restrict the NetDefend firewall's ports to a specific link speed. To modify a port's link configuration 1. Click Network in the main menu, and click the Ports tab
  • D-Link CP310 | User Guide - Page 166
    currently established connections that are not supported by the default settings may be broken. For example, if you were using the DMZ/WAN2 port as WAN2, the port reverts to its DMZ assignment, and the secondary Internet connection moves to the WAN port. 150 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 167
    155 Deleting Classes 159 Restoring Traffic Shaper Defaults 160 Overview Traffic Shaper is a services are assigned weights of 30 and 10 respectively. If the lines are congested, Traffic Shaper will maintain the ratio of bandwidth allocated to Web traffic and FTP traffic at 3:1. If a specific
  • D-Link CP310 | User Guide - Page 168
    may be limited to a specific rate, such as 512 kilobit Power Pack. Note: You can prioritize wireless traffic from WMM-compliant multimedia applications, by enabling Wireless Multimedia (WMM) for the WLAN network. See Manually Configuring a WLAN on page 165. 152 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 169
    Adding and Editing Classes on page 155. Note: If you are using DFL-CP310, you have Simplified Traffic Shaper, and you cannot add or modify the classes. To add or modify classes, upgrade to DFL-CP310 with Power Pack, which supports Advanced Traffic Shaper. 3. Use Allow or Allow and Forward rules to
  • D-Link CP310 | User Guide - Page 170
    traffic is assigned to this class by default. Urgent 15 High Traffic that is highly sensitive to delay. For (Interactive Traffic) example, IP telephony, videoconferencing, and interactive protocols that require quick user response, such as telnet. 154 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 171
    . Adding and Editing Classes To add or edit a QoS class 1. Click Network in the main menu, and click the Traffic Shaper tab. The Quality of Service Classes page appears. 2. Click Add. Chapter 6: Using Traffic Shaper 155
  • D-Link CP310 | User Guide - Page 172
    The NetDefend QoS Class Editor wizard opens, with the Step 1 of 3: Quality of Service Parameters dialog box displayed. 3. Complete the fields using the relevant information in the table below the fields using the relevant information in the table below. 156 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 173
    creating a class for high priority Web connections, you can name the class "High Priority Web". 8. Click Finish. The new class appears in the Quality of Service Classes page. Chapter 6: Using Traffic Shaper 157
  • D-Link CP310 | User Guide - Page 174
    Traffic that is highly sensitive to delay. For example, IP telephony, videoconferencing, and interactive protocols that require quick user response, such as telnet. Traffic Shaper serves delay-sensitive bandwidth (in kilobits/second) in the field provided. 158 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 175
    their DSCP. To use this option, your ISP or private WAN must support DiffServ. You can obtain the correct DSCP value from your ISP or Network in the main menu, and click the Traffic Shaper tab. The Quality of Service Classes page appears. 2. Click the Erase icon of the class you wish to delete
  • D-Link CP310 | User Guide - Page 176
    or not, by viewing the Rules page. To restore Traffic Shaper defaults 1. Click Network in the main menu, and click the Traffic Shaper tab. The Quality of Service Classes page appears. 2. Click Restore Defaults. A confirmation message appears. 3. Click OK. 160 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 177
    Preparing the Wireless Stations 182 Troubleshooting Wireless Connectivity 183 Overview In addition to the LAN and DMZ networks, you can define a wireless internal network called a WLAN (wireless LAN) network, when using the DFL-CPG310. For information on default security policy rules controlling
  • D-Link CP310 | User Guide - Page 178
    VPN. The DFL-CPG310 supports the latest 802 are interoperable. The DFL-CPG310 also supports a special Super DFL-CPG310 transmits in 2.4GHz range, using dual diversity antennas to increase the range. In addition, the NetDefend firewall supports more than the 802.11 specification. This allows ranges of
  • D-Link CP310 | User Guide - Page 179
    Protocols The NetDefend wireless security appliance supports the following security protocols: Table 23: Wireless Security Protocols Security Protocol None Description No security method is used. This option is not recommended, because it allows unauthorized users to access your WLAN network
  • D-Link CP310 | User Guide - Page 180
    , encryption WPA-PSK: password authentication, encryption WPA2 (802 security method, you must first configure a RADIUS server which supports 802.1x. See Using RADIUS Authentication on page 368 to the WLAN network to wireless stations that support the WPA2 security method. If this setting is not
  • D-Link CP310 | User Guide - Page 181
    Manually Configuring a WLAN Note: For increased security, it is recommended to enable the NetDefend internal VPN Server for users connecting from your internal networks, and to install SecuRemote on each computer in the WLAN. This ensures that all connections from the WLAN to the
  • D-Link CP310 | User Guide - Page 182
    list, select Enabled. The fields are enabled. 6. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 107. 7. If desired, configure a DHCP server. See Configuring a DHCP Server on page 94. 166 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 183
    Manually Configuring a WLAN 8. Complete the fields using the information in Basic WLAN Settings Fields on page 168. 9. To configure advanced settings, click Show Advanced Settings and
  • D-Link CP310 | User Guide - Page 184
    Manually Configuring a WLAN 11. Click OK. A success message appears. 12. Prepare the wireless stations. See Preparing the Wireless Stations on page 182. Table 24: WLAN Settings Fields In this field... Do this... IP Address Type the IP address of the WLAN network's default gateway. Note: The
  • D-Link CP310 | User Guide - Page 185
    Manually Configuring a WLAN In this field... Operation Mode Do this... Select an operation mode: • 802.11b and degrades with distance. Important: The station wireless cards must support the selected operation mode. For a list of cards supporting 802.11g Super, refer to http://www.super-ag.com.
  • D-Link CP310 | User Guide - Page 186
    default. • A specific channel. The list of channels is dependent on the selected country and operation mode. Note: If there is another wireless network in the vicinity, the two networks may interfere with one another. To avoid this problem as well. 170 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 187
    Manually Configuring a WLAN In this field... Do this... Require WPA2 (802.11i) network. • Disable. Wireless stations using either WPA or WPA2 can access the WLAN network. This is the default. If you selected WEP encryption, you must configure at least one WEP key. The wireless stations must be
  • D-Link CP310 | User Guide - Page 188
    Manually Configuring a WLAN In this field... Do this... Key 1, 2, 3, 4 text box Type the products, such as Microsoft Windows XP, and attempt to connect to your network. This is the default. Note: Hiding the SSID does not provide strong security, because by a determined attacker can still
  • D-Link CP310 | User Guide - Page 189
    . The NetDefend firewall automatically selects a rate. This is the default. • A specific rate Transmitter Power Select the transmitter power. Setting a higher transmitter power increases the access point's range. A lower power reduces interference with other access points in the vicinity. The
  • D-Link CP310 | User Guide - Page 190
    avoid the problems of multipath manual diversity control (ANT 1 or ANT 2), if there is only one antenna connected to the appliance. Fragmentation Threshold Type the smallest IP packet size (in bytes) that requires that the IP default value is 2346. 174 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 191
    Manually Configuring a WLAN In this field... Do this... RTS Threshold Type the smallest IP packet size for which a station must send an RTS (Request To Send) before sending the IP is congested, and the users are distant from one another as needed. This is the default. For more information on XR
  • D-Link CP310 | User Guide - Page 192
    Wizard. The Wireless Configuration Wizard opens, with the Wireless Configuration dialog box displayed. 5. Select the Enable wireless networking check box to enable the WLAN. 176 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 193
    security mode. Using WEP, wireless stations must use a pre-shared key to connect to your network. WEP is widely known to be insecure, and is supported mainly for compatibility with existing networks and stations that do not
  • D-Link CP310 | User Guide - Page 194
    You cannot configure WPA and 802.1x using this wizard. For information on configuring these modes, see Manually Configuring a WLAN on page 165. 10. Click Next. WPA-PSK If you chose WPA-PSK, the and special characters, and is case-sensitive. 2. Click Next. 178 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 195
    Using the Wireless Configuration Wizard The Wireless Security Confirmation dialog box appears. 3. Click Next. 4. The Wireless Security Complete dialog box appears. 5. Click Finish. The wizard closes. 6. Prepare the wireless stations. Chapter 7: Configuring a Wireless Network 179
  • D-Link CP310 | User Guide - Page 196
    selected length. The key is composed of characters 0-9 and A-F, and is not case-sensitive. The wireless stations must be configured with this same key. 180 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 197
    Using the Wireless Configuration Wizard 3. Click Next. The Wireless Security Confirmation dialog box appears. 4. Click Next. The Wireless Security Complete dialog box appears. 5. Click Finish. The wizard closes. 6. Prepare the wireless stations. See Preparing the Wireless Stations on page 182. No
  • D-Link CP310 | User Guide - Page 198
    firewall's region must both match the region of the world where you are located. If you purchased your NetDefend firewall in a different region, contact technical support. 182 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 199
    Troubleshooting MAC filtering is enabled, verify that the MAC address of all stations is listed in the Network for specific wireless stations, such as the number of transmission errors, and the current reception power of settings is set to Automatic (see Manually Configuring a WLAN on page 165).
  • D-Link CP310 | User Guide - Page 200
    the IP packet. Try setting the RTS Threshold parameter in the WLAN's advanced settings (see Manually Configuring a WLAN on page 165) to a lower value. This will cause stations to use RTS for smaller IP packets, thus decreasing the likeliness of collisions. 184 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 201
    Troubleshooting Wireless Connectivity In addition, try setting the Fragmentation Threshold parameter in the WLAN's advanced settings (see Manually Configuring a WLAN on page 165) to a lower value. This will cause stations to fragment IP packets of a certain size into smaller packets, thereby
  • D-Link CP310 | User Guide - Page 202
  • D-Link CP310 | User Guide - Page 203
    ... this color... Blue Changes in your setup that you have made yourself or as a result of a security update implemented by your Service Center. Red Connection attempts that were blocked by your firewall. Orange Connection attempts that were blocked by your custom security rules. Chapter
  • D-Link CP310 | User Guide - Page 204
    to an *.xls (Microsoft Excel) file, and then store it for analysis purposes or send it to technical support. Note: You can configure the NetDefend firewall to send event logs to a Syslog server. For information, see Configuring Syslog Logging on page 384. 188 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 205
    . 2. If an event is highlighted in red, indicating a blocked attack on your network, you can display the attacker's details, by clicking on the IP address of the attacking machine. The NetDefend firewall queries the Internet WHOIS server, and a window displays the name of the entity to whom the
  • D-Link CP310 | User Guide - Page 206
    is created and saved to the specified directory. 5. To clear all displayed events: a. Click Clear. A confirmation message appears. b. Click OK. All events are cleared. 190 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 207
    Using the Traffic Monitor You can view incoming and outgoing traffic for selected network interfaces and QoS classes using the Traffic Monitor. This enables you to identify network traffic trends and anomalies, and to fine-tune Traffic Shaper QoS class assignments. The
  • D-Link CP310 | User Guide - Page 208
    to a certain amount of traffic of the type "Traffic blocked by firewall" that appears under normal circumstances and usually does not indicate an attack. 192 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 209
    Settings page appears. 3. In the Sample monitoring data every field, type the interval (in seconds) at which the NetDefend firewall should collect traffic data. The default value is one sample every 1800 seconds (30 minutes). 4. Click Apply. Chapter 8: Viewing Reports 193
  • D-Link CP310 | User Guide - Page 210
    The active computers are graphically displayed, each with its name, IP address, and settings (DHCP, Static, etc.). You can also view node limit information. To view the active computers 1. Click Reports in the main menu, and click the Active Computers tab. 194 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 211
    Availability, both the master and backup appliances are shown. If you configured OfficeMode, the OfficeMode network is shown. If you are using the DFL-CPG310, the wireless stations are shown. For information on viewing statistics for these computers, see Viewing Wireless Statistics on page 198. If
  • D-Link CP310 | User Guide - Page 212
    to My HotSpot. • Excluded from HotSpot. The computer is in an IP address range excluded from HotSpot enforcement. To enforce HotSpot, you must edit the appears with installed software product and the number of nodes used. b. Click Close to close the window. 196 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 213
    appears. The page displays the information in the table below. 2. To refresh the display, click Refresh. 3. To view information on the destination machine, click its IP address. The NetDefend firewall queries the Internet WHOIS server, and a window displays the name of the entity to which the
  • D-Link CP310 | User Guide - Page 214
    (TCP, UDP, etc.) Source - IP Address The source IP address Source - Port The source port Destination - IP Address The destination IP address Destination - Port The destination port QoS Class Click Reports in the main menu, and click the Wireless tab.
  • D-Link CP310 | User Guide - Page 215
    This field... Displays... Wireless Mode The operation mode used by the WLAN, followed by the transmission rate in Mbps MAC Address The MAC address of the NetDefend firewall's WLAN interface Domain The NetDefend access point's region Country The country configured for the WLAN Channel The
  • D-Link CP310 | User Guide - Page 216
    strength 2. Mouse-over the information icon next to the wireless station. A tooltip displays statistics for the wireless station, as described in the table below. 200 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 217
    client's maximum speed. Possible values are B, G, and 108G. For more information, see Basic WLAN Settings Fields on page 168. XR Indicates whether the wireless client supports Extended Range (XR) mode. Possible values are: • yes. The wireless client
  • D-Link CP310 | User Guide - Page 218
    Viewing Wireless Statistics This field... Displays... Cipher The security protocol used for the connection with the wireless client. For more information, see Wireless Security Protocols on page 163. 202 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 219
    such as Web Filtering and Email Filtering. For information on subscribing to services, see Using Subscription Services on page 281. This chapter includes the following topics: Default Security Policy 203 Setting the Firewall Security Level 204 Configuring Servers 207 Using Rules 209 Using
  • D-Link CP310 | User Guide - Page 220
    user-defined firewall rules. For further information, see Using Rules on page 209. Setting the Firewall Security Level The firewall security level can be controlled using a simple lever available on the Firewall page. You can set the lever to three states. 204 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 221
    is blocked to the external incoming connections, NetDefend firewall IP address, except for ICMP while permitting all echoes ("pings"). outgoing connections. This is the default level and is recommended for most cases. Leave it unchanged unless you have a specific need for a higher or lower
  • D-Link CP310 | User Guide - Page 222
    provided in this table represent the NetDefend firewall's default security policy. Security updates downloaded from a Service Center may alter this policy and change these definitions desired level. The NetDefend firewall security level changes accordingly. 206 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 223
    rules, see Using Rules on page 209. To allow a service to be run on a specific host 1. Click Security in the main menu, and click the Servers tab. The Servers page appears, displaying a list of services and a host IP address for each allowed service. Chapter 9: Setting Your Security Policy 207
  • D-Link CP310 | User Guide - Page 224
    of services and a host IP address for each allowed service. 2. In the desired service or application's row, click Clear. The Host IP field of the desired service is cleared. 3. Click Apply. The service or application is not allowed on the specific host. 208 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 225
    the destination IP address, when deciding whether to allow or block traffic. User-defined rules have priority over the default security policy department computers. You can override the default security policy rules, by creating firewall rules that allow specific DMZ computers (such a manager's
  • D-Link CP310 | User Guide - Page 226
    2, and the exception is rule number 1. The NetDefend firewall will process rule 1 first, allowing outgoing FTP traffic from the specified IP address, and only then it will process rule 2, blocking all outgoing FTP traffic. The following rule types exist: 210 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 227
    : • Permit incoming access from the Internet to a specific service in your internal network. • Forward all such connections to a specific computer in your network. • Redirect the specified connections to a specific port. This option is called Port Address Translation (PAT). • Assign traffic to a QoS
  • D-Link CP310 | User Guide - Page 228
    for static NAT IP addresses. This rule type enables you to do the following: • Block outgoing access from your internal network to a specific service on the Internet. • Block incoming access from the Internet to a specific service in your internal network. 212 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 229
    Adding and Editing Rules To add or edit a rule 1. Click Security in the main menu, and click the Rules tab. The Rules page appears. 2. Do one of the following: • To add a new rule, click Add Rule. • To edit an existing rule, click the Edit icon next to the desired rule.
  • D-Link CP310 | User Guide - Page 230
    Firewall Rule wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Service dialog box appears. The example below shows an Allow rule. 5. Complete the fields using the relevant information in the table below. 214
  • D-Link CP310 | User Guide - Page 231
    6. Click Next. The Step 3: Destination & Source dialog box appears. 7. Complete the fields using the relevant information in the table below. The Step 4: Done dialog box appears. 8. Click Finish. The new rule appears in the Firewall Rules page.
  • D-Link CP310 | User Guide - Page 232
    connections you want to allow/block. To specify an IP address, select Specified IP and type the desired IP address in the field provided. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
  • D-Link CP310 | User Guide - Page 233
    IP address, select This Gateway. This option is not available in Allow and Forward rules. To specify any destination except the NetDefend Portal and network printers, select ANY. Quality of Service the specified blocked or allowed connections. By default, accepted connections are not logged, and
  • D-Link CP310 | User Guide - Page 234
    this option to redirect the connections to a specific port. You must then type the desired port in the field provided. This option is called Port Address Translation (PAT), and is only available when , click . The button changes to and the rule is disabled. 218 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 235
    Changing Rules' Priority To change a rule's priority 1. Click Security in the main menu, and click the Rules tab. The Rules page appears. 2. Do one of the following: • Click next to the desired rule, to move the rule up in the table. • Click next to the desired rule, to move the rule
  • D-Link CP310 | User Guide - Page 236
    Using SmartDefense The NetDefend firewall includes Check Point SmartDefense Services, based on Check Point Application Intelligence. SmartDefense provides a combination operations, and File Transfer Protocol (FTP) uploading, among others.
  • D-Link CP310 | User Guide - Page 237
    and the nodes it contains, see SmartDefense Categories on page 224. Each node represents an attack type, a sanity check, or a protocol or service that is vulnerable to attacks. To control how SmartDefense handles an attack, you must configure the relevant node's settings. Chapter 9: Setting Your
  • D-Link CP310 | User Guide - Page 238
    the icon next to it. • To collapse a category, click the icon next to it. 2. Expand the relevant category, and click on the desired node. 222 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 239
    information in SmartDefense Categories on page 224. b) Click Apply. 4. To reset the node to its default values: a) Click Default. A confirmation message appears. b) Click OK. The fields are reset to their default values, and your changes are saved. Chapter 9: Setting Your Security Policy 223
  • D-Link CP310 | User Guide - Page 240
    Service on page 224 • IP and ICMP on page 229 • TCP on page 239 • Port Scan on page 242 • FTP on page 245 • Microsoft Networks on page 249 • IGMP on page 251 • Peer to Peer on page 252 • Instant Messengers on page 254 Denial of Service Denial of Service service IP fragments, the latter entirely contained
  • D-Link CP310 | User Guide - Page 241
    selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack. Ping of Death In a Ping of Death attack, the attacker sends a fragmented PING request that exceeds the maximum IP packet size (64KB). Some operating systems are unable to handle such requests
  • D-Link CP310 | User Guide - Page 242
    : • Block. Block the attack. This is the default. • None. No action. Track Specify whether to address and port are the same as the destination (the victim computer). The victim computer then tries to reply to itself and either reboots or crashes. 226 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 243
    LAND attack occurs, by selecting one of the following: • Block. Block the attack. This is the default. • None. No action. Track Specify whether to log LAND attacks, by selecting one of the following: and results in a Denial of Service (DoS). Chapter 9: Setting Your Security Policy 227
  • D-Link CP310 | User Guide - Page 244
    Non-TCP Traffic threshold, by selecting one of the following: • Log. Log the connections. • None. Do not log the connections. This is the default. Type the maximum percentage of state table capacity allowed for non-TCP connections. The default value is 0%. 228 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 245
    Sanity Packet Sanity performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. You can configure whether logs should be issued for offending packets. Chapter 9: Setting Your Security Policy
  • D-Link CP310 | User Guide - Page 246
    packet sanity tests, by selecting one of the following: • Log. Issue logs. This is the default. • None. Do not issue logs. The UDP length verification sanity check measures the UDP header length fail the UDP length verification check. This is the default. 230 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 247
    take when an ICMP echo response exceeds the Max Ping Size threshold, by selecting one of the following: • Block. Block the request. This is the default. • None. No action. Specify whether to log ICMP echo responses that exceed the Max Ping Size threshold, by selecting one of the following: • Log
  • D-Link CP310 | User Guide - Page 248
    The default value is 1500. IP Fragments When an IP packet is too big to be transported by a network link, it is split into several smaller IP packets , the NetDefend firewall always reassembles all the fragments of a given IP packet, before inspecting it to make sure there are no attacks or
  • D-Link CP310 | User Guide - Page 249
    Fragments Fields In this field... Do this... Forbid IP Fragments Specify whether all fragmented packets should be dropped, by selecting one of the following: • True. Drop all fragmented packets. • False. No action. This is the default. Under normal circumstances, it is recommended to leave this
  • D-Link CP310 | User Guide - Page 250
    . No action. Specify whether to log connections from a specific source that exceed the Max. Connections/Second per Source IP threshold, by selecting one of the following: • Log. Log the connections. This is the default. • None. Do not log the connections. 234 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 251
    from Same Source IP Type the maximum number of network connections allowed per second from the same source IP address. The default value is 100 searching for other live computers to infect. It does so by sending a specific ping packet to a target and waiting for the reply that signals that the
  • D-Link CP310 | User Guide - Page 252
    default. When a Cisco IOS device is sent a specially crafted sequence of IPv4 packets (with protocol type 53 - SWIPE, 55 - IP Mobility, 77 Sun ND, or 103 - Protocol Independent Multicast - PIM), the router will stop processing inbound traffic on that interface. 236 D-Link NetDefend firewall User
  • D-Link CP310 | User Guide - Page 253
    by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack. Number of Hops to Protect Type the number of hops from the enforcement module that Cisco routers should be protected. The default value is 10. Chapter 9: Setting Your Security Policy 237
  • D-Link CP310 | User Guide - Page 254
    Specify what action to take when null payload ping packets are detected, by selecting one of the following: • Block. Block the packets. This is the default. • None. No action. 238 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 255
    Do this... Track Specify whether to log null payload ping packets, by selecting one of the following: • Log. Log the packets. This is the default. • None. Do not log the packets. TCP This category allows you to configure various protections related to the TCP protocol. It includes the following
  • D-Link CP310 | User Guide - Page 256
    take when an out-of-state TCP packet arrives, by selecting one of the following: • Block. Block the packets. • None. No action. This is the default. Specify whether to log null payload ping packets, by selecting one of the following: • Log. Log the packets. This is the
  • D-Link CP310 | User Guide - Page 257
    is smaller than the Minimal MTU Size threshold, by selecting one of the following: • Block. Block the packet. • None. No action. This is the default. Specify whether to issue logs for packets that are smaller than the Minimal MTU Size threshold, by selecting one of the following: • Log. Issue logs. This
  • D-Link CP310 | User Guide - Page 258
    IP default specific host's ports to determine which of the ports are open. • Sweep Scan. The attacker scans various hosts to determine where a specific port is open. You can configure how the NetDefend firewall should react when a port scan is detected. 242 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 259
    is 30, and 40 ports are accessed within a specified period of time, SmartDefense will detect the activity as a port scan. For Host Port Scan, the default value is 30. For Sweep Scan, the default value is 50. Chapter 9: Setting Your Security Policy 243
  • D-Link CP310 | User Guide - Page 260
    exceeded for 30 seconds, SmartDefense will not detect the activity as a port scan. The default value is 20 seconds. Track Specify whether to issue logs for scans, by selecting one Internet. This is the default. • True. Detect only scans from the Internet. 244 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 261
    Overflow on page 247 • Blocked FTP Commands on page 248 FTP Bounce When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the
  • D-Link CP310 | User Guide - Page 262
    following: • Block. Block the attack. This is the default. • None. No action. Track Specify whether to log following: • Log. Log the attack. This is the default. • None. Do not log the attack. Block Known Known ports are published ports associated with services (for example, SMTP is port 25).
  • D-Link CP310 | User Guide - Page 263
    attempts to connect to a well-known port, by selecting one of the following: • Block. Block the connection. • None. No action. This is the default. Block Port Overflow FTP clients send PORT commands when connecting to the FTP server. A PORT command consists of a series of numbers between 0 and 255
  • D-Link CP310 | User Guide - Page 264
    255, by selecting one of the following: • Block. Block the PORT command. This is the default. • None. No action. Blocked FTP Commands Some seldom-used FTP commands may compromise FTP server will be blocked. FTP command blocking is enabled by default. 248 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 265
    command blocking • In the Action drop-down list, select None. All FTP commands are allowed, including those in the Blocked commands box. To block a specific FTP command 1. In the Allowed commands box, select the desired FTP command. 2. Click Block. The FTP command appears in the Blocked commands box
  • D-Link CP310 | User Guide - Page 266
    following: • Block. Block the attack. • None. No action. This is the default. Track Specify whether to log CIFS worm attacks, by selecting one of the following attack. • None. Do not log the attack. This is the default. Select the worm patterns to detect. Patterns are matched against file names
  • D-Link CP310 | User Guide - Page 267
    routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target a vulnerability in the multicast routing software of the following: • Block. Block the attack. This is the default. • None. No action. Specify whether to log IGMP attacks, by selecting one
  • D-Link CP310 | User Guide - Page 268
    addresses According to the IGMP specification, IGMP packets must be sent to multicast addresses. Sending IGMP packets to a unicast or broadcast address IGMP packets that are sent to non-multicast addresses. This is the default. • None. No action. Peer to Peer D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 269
    action to take when a connection is attempted, by selecting one of the following: • Block. Block the connection. • None. No action. This is the default. Track Specify whether to log peer-to-peer connections, by selecting one of the following: • Log. Log the connection. • None. Do not log the
  • D-Link CP310 | User Guide - Page 270
    initiate the session. In each node, you can configure how instant messaging connections of the selected type should be handled, using the table below. 254 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 271
    action to take when a connection is attempted, by selecting one of the following: Track • Block. Block the connection. • None. No action. This is the default. Specify whether to log instant messenger connections, by selecting one of the following: • Log. Log the connection. • None. Do not log the
  • D-Link CP310 | User Guide - Page 272
    you to add guest users quickly and easily. By default, guest users are given a username and password that expire in 24 hours and granted HotSpot Access permissions only. For information on adding quick guest users, see Adding Quick Guest Users on page 365. 256 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 273
    Using Secure HotSpot You can choose to exclude specific network objects from HotSpot enforcement. For information, see Using Network Objects on page 129. Important: SecuRemote VPN software users who are authenticated by the Internal VPN Server are automatically exempt from HotSpot enforcement. This
  • D-Link CP310 | User Guide - Page 274
    In the HotSpot Networks area, do one of the following: • To enable Secure HotSpot for a specific network, select the check box next to the network. • To disable Secure HotSpot for a specific network, clear the check box next to the network. 3. Click Apply. 258 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 275
    Customizing Secure HotSpot Using Secure HotSpot To customize Secure HotSpot 1. Click Security in the main menu, and click the My HotSpot tab. The My HotSpot page appears. 2. Complete the fields using the information in the table below. Additional fields may appear. 3. To preview the My HotSpot
  • D-Link CP310 | User Guide - Page 276
    a user to login from more than one computer at the same time check box appears. Allow a user to login from more than one computer at the same time Select this option to allow a single user to log on to My HotSpot from multiple computers at the same time. 260 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 277
    . The exposed host receives all traffic that was not forwarded to another computer by use of Allow and Forward rules. Warning: Entering an IP address may make the designated computer vulnerable to hacker attacks. Defining an exposed host is not recommended unless you are fully aware of the security
  • D-Link CP310 | User Guide - Page 278
    Defining an Exposed Host 2. In the Exposed Host field, type the IP address of the computer you wish to define as an exposed host. Alternatively, you can click This . The Exposed Host page appears. 2. Click Clear. 3. Click Apply. No exposed host is defined. 262 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 279
    order to scan archive files on the fly, VStream Antivirus performs real-time decompression and scanning of ZIP, TAR, and GZ archive files, with support for nested archive files. When VStream Antivirus detects malicious content, the action it takes depends on the protocol in which the virus was found
  • D-Link CP310 | User Guide - Page 280
    • Terminates the connection • Replaces the virus-infected email with a message notifying the user that a virus was found • Rejects the virus-infected email with error code 554 is not guaranteed and depends on the specific encoding used by the protocol.
  • D-Link CP310 | User Guide - Page 281
    , redirecting traffic through the Service Center for scanning, while VStream Antivirus scans for viruses in the gateway itself. • Email Antivirus is specific to email, scanning incoming POP3 and outgoing SMTP connections only, while VStream Antivirus supports additional protocols, including incoming
  • D-Link CP310 | User Guide - Page 282
    quicker updates and saves on network bandwidth. You can view information about the VStream signature databases currently in use, in the VStream Antivirus page. 266 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 283
    the VStream Antivirus Policy VStream Antivirus includes a flexible mechanism that allows the user to define exactly which traffic should be scanned, by specifying the protocol, ports, and source and destination IP addresses. VStream Antivirus processes policy rules in the order they appear in the
  • D-Link CP310 | User Guide - Page 284
    For example, if you want to scan all outgoing SMTP traffic, except traffic from a specific IP address, you can create a rule scanning all outgoing SMTP traffic and move the rule down in that VStream Antivirus should not scan traffic matching the rule. 268 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 285
    Configuring VStream Antivirus Rule Scan Description This rule type enables you to specify that VStream Antivirus should scan traffic matching the rule. If a virus is found, it is blocked and logged. Adding and Editing Rules To add or edit a rule 1. Click Antivirus in the main menu, and click the
  • D-Link CP310 | User Guide - Page 286
    Policy Rule Wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Service dialog box appears. The example below shows a Scan rule. 5. Complete the fields using the relevant information in the table below. 270
  • D-Link CP310 | User Guide - Page 287
    Configuring VStream Antivirus 6. Click Next. The Step 3: Destination & Source dialog box appears. 7. Complete the fields using the relevant information in the table below. The Step 4: Done dialog box appears. 8. Click Finish. The new rule appears in the Firewall Rules page. Chapter 10: Using
  • D-Link CP310 | User Guide - Page 288
    connections you want to allow/block. To specify an IP address, select Specified IP and type the desired IP address in the field provided. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
  • D-Link CP310 | User Guide - Page 289
    IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address The rule applies to downloaded and uploaded data. This is the default. • Download data. The rule applies to downloaded data, that
  • D-Link CP310 | User Guide - Page 290
    , and click the Policy tab. The Antivirus Policy page appears. 2. Click the Erase icon of the rule you wish to delete. A confirmation message appears. 274 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 291
    Advanced tab. The Advanced Antivirus Settings page appears. 2. Complete the fields using the table below. 3. Click Apply. 4. To restore the default VStream Antivirus settings, do the following: a) Click Default. A confirmation message appears. b) Click OK. Chapter 10: Using VStream Antivirus 275
  • D-Link CP310 | User Guide - Page 292
    Configuring VStream Antivirus The VStream Antivirus settings are reset to their defaults. For information on the default values, refer to the table below. Table 61: Advanced Antivirus , pcd, pif, reg, scr, sct, shs, shb, url, vb, vbe, vbs, wsc, wsf, wsh.
  • D-Link CP310 | User Guide - Page 293
    the file is skipped Selecting this option reduces the load on the gateway by skipping safe file types. This option is selected by default. Type the maximum number of nested content levels that VStream Antivirus should scan. Setting a higher number increases security. Setting a lower number prevents
  • D-Link CP310 | User Guide - Page 294
    scan password-protected files inside archive. Specify how VStream Antivirus should handle such files, by selecting one of the following: • Pass file without scanning. Accept the file without scanning it. This is the default. • Block file. Block the file. 278 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 295
    When you are subscribed to the VStream Antivirus updates service, VStream Antivirus virus signatures are automatically updated, keeping security up-to-date with no need for user intervention. However, you can still check for updates manually, if needed. To update the VStream Antivirus virus
  • D-Link CP310 | User Guide - Page 296
  • D-Link CP310 | User Guide - Page 297
    Center Connection 288 Configuring Your Account 288 Disconnecting from Your Service Center 289 Web Filtering 290 Automatic and Manual Updates 294 Connecting to a Service Center To connect to a Service Center 1. Click Services in the main menu, and click the Account tab. Chapter 11: Using
  • D-Link CP310 | User Guide - Page 298
    Connecting to a Service Center The Account page appears. 2. In the Service Account area, click Connect. 282 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 299
    . 4. Do one of the following: • To connect to the SofaWare Service Center, choose usercenter.sofaware.com. • To specify a Service Center, choose Specified IP and then in the Specified IP field, enter the desired Service Center's IP address, as given to you by your system administrator. 5. Click Next
  • D-Link CP310 | User Guide - Page 300
    . Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider, then click Next. • The Connecting... screen appears. • The Confirmation dialog box appears with a list of services to which you are subscribed. 284 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 301
    6. Click Next. The Done screen appears with a success message. Connecting to a Service Center 7. Click Finish. The following things happen: • If a new firmware is available, the NetDefend firewall may start downloading it. This may take several minutes. Once the download is complete, the NetDefend
  • D-Link CP310 | User Guide - Page 302
    to which you are subscribed are now available on your NetDefend firewall and listed as such on the Account page. See Viewing Services Information on page 287 for further information. • The Services submenu includes the services to which you are subscribed. 286 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 303
    The Account page displays the following information about your subscription. Table 62: Account Page Fields This field... Displays... Service Center Name The name of the Service Center to which you are connected (if known). Gateway ID Your gateway ID. Subscription will end on The date
  • D-Link CP310 | User Guide - Page 304
    . Your service settings are refreshed. Configuring Your Account This option allows you to access your Service Center's Web site, which may offer additional configuration options for your account. Contact your Service Center for a user ID and password.
  • D-Link CP310 | User Guide - Page 305
    Center, this button will not appear. Your Service Center's Web site opens. 3. Follow the on-screen instructions. Disconnecting from Your Service Center If desired, you can disconnect from your Service Center. To disconnect from your Service Center 1. Click Services in the main menu, and click the
  • D-Link CP310 | User Guide - Page 306
    and subscribed to this service. Enabling/Disabling Web Filtering Note: If you are remotely managed, contact your Service Center to change these settings. To enable/disable Web Filtering 1. Click Services in the main menu, and click the Web Filtering tab.
  • D-Link CP310 | User Guide - Page 307
    , by selecting the categories. Categories marked with will remain visible, while categories marked with will be blocked and will require the administrator password for viewing. Note: If you are remotely managed, contact your Service Center to change these settings.
  • D-Link CP310 | User Guide - Page 308
    the Web Filtering service. To temporarily disable Web Filtering 1. Click Services in the main menu, and click the Web Filtering tab. The Web Filtering page appears. 2. Click Snooze. • Web Filtering is temporarily disabled for all internal network computers.
  • D-Link CP310 | User Guide - Page 309
    changes to Resume. • The Web Filtering Off popup window opens. 3. To re-enable the service, click Resume, either in the popup window, or on the Web Filtering page. • The service is re-enabled for all internal network computers. • If you clicked Resume in the Web Filtering page
  • D-Link CP310 | User Guide - Page 310
    for software updates and installs them without user intervention. However, you can still check for updates manually, if needed. To manually check for security and software updates 1. Click Services in the main menu, and click the Software Updates tab.
  • D-Link CP310 | User Guide - Page 311
    managed, you can set it to automatically check for software updates, or you can set it so that software updates must be checked for manually. To configure software updates when locally managed 1. Click Services in the main menu, and click the Software Updates tab.
  • D-Link CP310 | User Guide - Page 312
    be checked for manually, drag the Automatic/Manual lever downwards. The NetDefend firewall does not check for software updates automatically. 4. To manually check for software updates, click Update Now. The system checks for new updates and installs them.
  • D-Link CP310 | User Guide - Page 313
    can securely read email, use the company's intranet, or access the company's database from home. There are four types of VPN sites: • Remote Access VPN Server. Makes a network remotely available to authorized users, who connect to the Remote Access VPN Server using the
  • D-Link CP310 | User Guide - Page 314
    the Service Center can automatically deploy VPN configuration for your appliance. Site-to-Site VPNs A Site-to-Site VPN consists of two or more Site-to-Site VPN Gateways that can communicate with each other in a bi-directional relationship. The connected
  • D-Link CP310 | User Guide - Page 315
    networks function as a single network. You can use this type of VPN to mesh office branches into one corporate network. Figure 12: Site-to-Site VPN
  • D-Link CP310 | User Guide - Page 316
    308. b. Then enable the Remote Access VPN Server using the procedure Setting Up Your NetDefend firewall as a Remote Access VPN Server on page 303.
  • D-Link CP310 | User Guide - Page 317
    or more Remote Access VPN Clients. You can use this type of VPN to make an office network remotely available to authorized users, such as employees working from home, who connect to the office Remote Access VPN Server with their Remote Access VPN Clients. Figure 13: Remote Access VPN
  • D-Link CP310 | User Guide - Page 318
    with SecuRemote VPN Client software installed can establish a Remote Access VPN session to the gateway. This means that connections from internal network users to the gateway , such as classrooms-are vulnerable to users trying to hack the internal network.
  • D-Link CP310 | User Guide - Page 319
    layer of security to such connections. For example, while you could create a firewall rule allowing a specific user on the DMZ or WLAN to access the LAN, enabling VPN access for the user means that such connections can be encrypted and authenticated. For more information, see Internal VPN Server on
  • D-Link CP310 | User Guide - Page 320
    internal network computers. See Installing SecuRemote on page 307. 3. Set up remote VPN access for users. See Setting Up Remote VPN Access for Users on page 367. Note: Disabling the VPN Server for a specific type of connection (from the Internet or from internal networks) will cause all existing VPN
  • D-Link CP310 | User Guide - Page 321
    Access VPN Server 1. Click VPN in the main menu, and click the VPN Server tab. The SecuRemote VPN Server page appears. 2. Select the Allow SecuRemote users to connect from the Internet check box.
  • D-Link CP310 | User Guide - Page 322
    to your internal network, select the Bypass NAT check box. 4. To allow authenticated users connecting from the Internet to bypass the firewall and access your internal network without restriction, the VPN Server tab. The SecuRemote VPN Server page appears.
  • D-Link CP310 | User Guide - Page 323
    2. Select the Allow SecuRemote users to connect from my internal networks check box. New check boxes appear. 3. To allow authenticated users connecting from internal networks to bypass the firewall and access your internal network without
  • D-Link CP310 | User Guide - Page 324
    the Download SecuRemote VPN client link. The VPN-1 SecuRemote for NetDefend page opens in a new window. 3. Follow the online instructions to complete installation. SecuRemote is installed. For information on using SecuRemote, see the User Help. To access SecuRemote User Help, right-click on the
  • D-Link CP310 | User Guide - Page 325
    The VPN Sites page appears with a list of VPN sites. 2. Do one of the following: • To add a VPN site, click New Site. • To edit a VPN site, click Edit in the desired VPN site's row.
  • D-Link CP310 | User Guide - Page 326
    a Remote Access VPN Server. • Select Site-to-Site VPN to create a permanent bi-directional connection to another Site-to-Site VPN Gateway. 4. Click Next.
  • D-Link CP310 | User Guide - Page 327
    Configuring a Remote Access VPN Site If you selected Remote Access VPN, the VPN Gateway Address dialog box appears. 1. Enter the IP address of the Remote Access VPN Server to which you want to connect, as given to you by the network administrator. 2. To allow the VPN
  • D-Link CP310 | User Guide - Page 328
    page 320. 5. Click Next. The following things happen in the order below: • If you chose Specify Configuration, a second VPN Network Configuration dialog box appears.
  • D-Link CP310 | User Guide - Page 329
    Complete the fields using the information in VPN Network Configuration Fields on page 320 and click Next. • The Authentication Method dialog box appears. 6. Complete the fields using the information in Authentication Methods Fields on page 322. 7. Click Next.
  • D-Link CP310 | User Guide - Page 330
    Authentication Method If you selected Username and Password, the VPN Login dialog box appears. 1. Complete the fields using the information in VPN Login Fields on page 322. 2. Click Next. • If you selected Automatic Login, the Connect dialog box appears.
  • D-Link CP310 | User Guide - Page 331
    Do the following: 1) To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels
  • D-Link CP310 | User Guide - Page 332
    edited a VPN site, the modifications are reflected in the VPN Sites list. Certificate Authentication Method If you selected Certificate, the Connect dialog box appears.
  • D-Link CP310 | User Guide - Page 333
    1. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
  • D-Link CP310 | User Guide - Page 334
    , the modifications are reflected in the VPN Sites list. RSA SecurID Authentication Method If you selected RSA SecurID, the Site Name dialog box appears.
  • D-Link CP310 | User Guide - Page 335
    1. Enter a name for the VPN site. You may choose any name. 2. Click Next. The VPN Site Created screen appears. 3. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the
  • D-Link CP310 | User Guide - Page 336
    NetDefend Site-to-Site VPN Gateway. Specify Configuration Click this option to provide the network configuration manually. Route All Traffic Click this option to route all network traffic through the VPN site. configure one VPN site to route all traffic.
  • D-Link CP310 | User Guide - Page 337
    information on the relevant commands for OSPF, refer to the NetDefend CLI Reference Guide. This option is only available when configuring a Site-to-Site VPN gateway. Destination network Type up to three destination network addresses at the VPN site to which you want to connect. Subnet mask
  • D-Link CP310 | User Guide - Page 338
    Methods Fields In this field... Do this... Username and Password Select this option to use a user name and password for VPN authentication. In the next step, you can passcode every minute. SecurID is only supported in Remote Access manual login mode.
  • D-Link CP310 | User Guide - Page 339
    this option to configure the site for Manual Login. Manual Login connects only the computer you are currently logged onto to the VPN site, and only when the appropriate user name and password have been entered. For further information on Automatic and Manual Login, see Logging on to a VPN Site on
  • D-Link CP310 | User Guide - Page 340
    a Site-to-Site VPN Gateway If you selected Site-to-Site VPN, the VPN Gateway Address dialog box appears. 1. Complete the fields using the information in VPN Gateway Address Fields on page 335. 2. Click Next. The VPN Network Configuration dialog box appears.
  • D-Link CP310 | User Guide - Page 341
    3. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 320. 4. Click Next. • If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Complete the fields using the information
  • D-Link CP310 | User Guide - Page 342
    then click Next. • The Authentication Method dialog box appears. 5. Complete the fields using the information in Authentication Methods Fields on page 337. 6. Click Next.
  • D-Link CP310 | User Guide - Page 343
    Shared Secret Authentication Method If you selected Shared Secret, the Authentication dialog box appears. If you chose Download Configuration, the dialog box contains additional fields. 1. Complete the fields using the information in VPN Authentication Fields on page
  • D-Link CP310 | User Guide - Page 344
    settings, click Show Advanced Settings. New fields appear. 3. Complete the fields using the information in Security Methods Fields on page 337 and click Next.
  • D-Link CP310 | User Guide - Page 345
    The Connect dialog box appears. 4. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all
  • D-Link CP310 | User Guide - Page 346
    site alive even if there is no network traffic between the NetDefend firewall and the VPN site, select Keep this site alive. 8. Click Next.
  • D-Link CP310 | User Guide - Page 347
    this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following: 1) Type up to three IP addresses which the NetDefend firewall should ping in order to keep the tunnel to the VPN site alive. 2) Click Next. • The VPN Site Created
  • D-Link CP310 | User Guide - Page 348
    VPN Authentication Fields on page 337 and click Next. • The Security Methods dialog box appears. 1. To configure advanced security settings, click Show Advanced Settings.
  • D-Link CP310 | User Guide - Page 349
    New fields appear. 2. Complete the fields using the information in Security Methods Fields on page 337 and click Next. The Connect dialog box appears. 3. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This
  • D-Link CP310 | User Guide - Page 350
    site alive even if there is no network traffic between the NetDefend firewall and the VPN site, select Keep this site alive. 7. Click Next.
  • D-Link CP310 | User Guide - Page 351
    this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following: 1) Type up to three IP addresses which the NetDefend firewall should ping in order to keep the tunnel to the VPN site alive. 2) Click Next. • The VPN Site Created
  • D-Link CP310 | User Guide - Page 352
    IP Type a local IP address for this end of the VPN tunnel. Tunnel Remote IP Type the IP address of the remote end of the VPN tunnel. OSPF Cost Type the cost of this link for dynamic routing purposes. The default to the NetDefend CLI Reference Guide.
  • D-Link CP310 | User Guide - Page 353
    more information about certificates and instructions on how to install a certificate.) Table 69: VPN Authentication Fields In this field... Do this... Topology User Type the topology user's user name. Topology Password Use Shared Secret Type the topology user's password. Type the shared secret
  • D-Link CP310 | User Guide - Page 354
    day). Phase 2 Security Methods Select the encryption and integrity algorithm to use for VPN traffic: • Automatic. The NetDefend firewall automatically selects the best security methods supported by the site. This is the default. • A specific algorithm
  • D-Link CP310 | User Guide - Page 355
    Diffie-Hellman group Select the Diffie-Hellman group to use: • Automatic. The NetDefend firewall automatically selects a group. This is the default. • A specific group A group with more bits ensures a stronger key but lowers performance. Renegotiate every Type the interval in seconds between IPSec
  • D-Link CP310 | User Guide - Page 356
    : a. Click the icon in the desired VPN site's row. A confirmation message appears. b. Click OK. The icon changes to , and the VPN site is enabled.
  • D-Link CP310 | User Guide - Page 357
    on can use the tunnel. To share the tunnel with other computers in your home network, you must log on to the VPN site from those computers, using the same user name and password. Note: You must use a single user name and password for each VPN destination gateway.
  • D-Link CP310 | User Guide - Page 358
    Login tab. The VPN Login page appears. 2. From the Site Name list, select the site to which you want to log on. Note: Disabled VPN sites will not appear in the Site Name list. 3. Type your user name and password in the appropriate fields. 4. Click Login.
  • D-Link CP310 | User Guide - Page 359
    Status field displays "Connected". • The VPN Login Status box remains open until you manually log off the VPN site. Logging on through the my.vpn page Note: You don't need to know the my.firewall page administrator's password in order to use the my.vpn page. To manually log on to a VPN site through
  • D-Link CP310 | User Guide - Page 360
    Login Status box appears. The Status field tracks the connection's progress. • Once the NetDefend firewall has finished connecting, the Status field changes to "Connected". • The VPN Login Status box remains open until you manually log off of the VPN site.
  • D-Link CP310 | User Guide - Page 361
    Site You need to manually log off a VPN site, if it is a Remote Access VPN site configured for Manual Login. To log off a VPN site • In the VPN Login Status box, click the Certificate Authority (CA) to entities such as gateways, users, or computers. The entity then uses the certificate to identify
  • D-Link CP310 | User Guide - Page 362
    Installing a Certificate The NetDefend firewall supports certificates encoded in the PKCS#12 (Personal Information Exchange Syntax Standard) format, and enables you a self-signed certificate 1. Click VPN in the main menu, and click the Certificate tab.
  • D-Link CP310 | User Guide - Page 363
    The Certificate page appears. 2. Click Install Certificate. The NetDefend Certificate Wizard opens, with the Certificate Wizard dialog box displayed. 3. Click Generate a self-signed security certificate for this gateway.
  • D-Link CP310 | User Guide - Page 364
    . 5. Click Next. The NetDefend firewall generates the certificate. This may take a few seconds. The Done dialog box appears, displaying the certificate's details. 6. Click Finish.
  • D-Link CP310 | User Guide - Page 365
    The NetDefend firewall installs the certificate. If a certificate is already installed, it is overwritten. The Certificate Wizard closes. The Certificates page displays the following information: • The gateway's certificate • The gateway's name • The gateway certificate's
  • D-Link CP310 | User Guide - Page 366
    on the certificate, and will be visible to remote users inspecting the certificate. This field is filled in automatically with the gateway's MAC address. If desired, you can change this to a more . 3. Click Import a security certificate in PKCS#12 format.
  • D-Link CP310 | User Guide - Page 367
    The Import Certificate dialog box appears. 4. Click Browse to open a file browser from which to locate and select the file. The filename that you selected is displayed. 5. Click Next. The Import-Certificate Passphrase dialog box appears. This may take a few moments. 6.
  • D-Link CP310 | User Guide - Page 368
    a currently installed certificate, there is no need to uninstall the certificate first. When you install the new certificate, the old certificate will be overwritten.
  • D-Link CP310 | User Guide - Page 369
    closed as follows: • Remote Access VPN sites configured for Automatic Login and Site-to-Site VPN Gateways A tunnel is created whenever your tunnel will be reestablished. • Remote Access VPN sites configured for Manual Login A tunnel is created whenever your computer attempts any kind of communication
  • D-Link CP310 | User Guide - Page 370
    Fields This field... Displays... Type The currently active security protocol (IPSEC). Source The IP address or address range of the entity from which the tunnel originates. The entity's type is indicated by an icon. See VPN Tunnel Icons on page 355.
  • D-Link CP310 | User Guide - Page 371
    Tunnels This field... Destination Security Established Displays... The IP address or address range of the entity to which the tunnel are the strongest of those used at the two sites. Your NetDefend firewall supports AES, 3DES, and DES encryption schemes, and MD5 and SHA authentication schemes.
  • D-Link CP310 | User Guide - Page 372
    Server A Site-to-Site VPN Gateway A remote access VPN user Viewing IKE Traces for VPN Connections If you are experiencing VPN connection problems, you can save a trace of IKE (Internet Key Exchange) currently stored on the NetDefend firewall is cleared.
  • D-Link CP310 | User Guide - Page 373
    for a connection 1. Establish a VPN tunnel to the VPN site with which you are experiencing connection problems. For information on when and how VPN tunnels are established, see Viewing VPN Tunnels on page 353. the *.elg file, or send the file to technical support.
  • D-Link CP310 | User Guide - Page 374
  • D-Link CP310 | User Guide - Page 375
    Guest HotSpot Users 365 Viewing and Deleting Users 367 Setting Up Remote VPN Access for Users 367 Using RADIUS Authentication 368 Configuring the RADIUS Vendor-Specific Attribute 372 Changing Your Password You can change your password at any time. To change your password 1. Click Users in the
  • D-Link CP310 | User Guide - Page 376
    The Internal Users page appears. 2. In the row of your username, click Edit. The Account Wizard opens displaying the Set User Details dialog box. 3. Edit the Password and Confirm password fields.
  • D-Link CP310 | User Guide - Page 377
    or numbers) for the new password. 4. Click Next. The Set User Permissions dialog box appears. 5. Click Finish. Your changes are saved. Adding and Editing Users This procedure explains how to add and edit users. For information on quickly adding guest HotSpot users via a shortcut that the NetDefend
  • D-Link CP310 | User Guide - Page 378
    user, click New User. • To edit an existing user, click Edit next to the desired user. The Account Wizard opens displaying the Set User Details dialog box. 3. Complete the fields using the information in Set User Details Fields on page 363. 4. Click Next.
  • D-Link CP310 | User Guide - Page 379
    the software and services you are using. 5. Complete the fields using the information in Set User Permissions Fields on page 364. 6. Click Finish. The user is saved. Table 74: Set User Details Fields In this field... Do this... Username Enter a username for the user. Password Enter a password
  • D-Link CP310 | User Guide - Page 380
    via the Setup>Tools page. For example, you could assign this administrator level to technical support personnel who need to view the Event Log. The default level is No Access. The "admin" user's Administrator Level (Read/Write) cannot be changed. VPN Remote Access Select this option to allow
  • D-Link CP310 | User Guide - Page 381
    Web Filtering service is defined. This option cannot be changed for the "admin" user. Select this option to allow the user to log on to the My HotSpot page. For information on Secure HotSpot, see Configuring Secure HotSpot on page 256. This option only appears in DFL-CP310 with Power Pack. Adding
  • D-Link CP310 | User Guide - Page 382
    click on the arrows to specify the expiration date and time. 4. To print the user details, click Print. 5. Click Finish. The guest user is saved. You can edit the guest user's details and permissions using the procedure Adding and Editing Users on page 361.
  • D-Link CP310 | User Guide - Page 383
    cannot be deleted. To view or delete users 1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears with a list of all users and their permissions. The expiration time of expired users appears in red. 2. To delete a user, do the following: a) In the desired
  • D-Link CP310 | User Guide - Page 384
    a matching user name and password pair. If so, then the user is logged on. By default, all RADIUS-authenticated users are assigned the set of permissions specified in the NetDefend Portal's RADIUS page. However, you can configure the RADIUS server to pass the NetDefend firewall a specific set of
  • D-Link CP310 | User Guide - Page 385
    server for a specific user, the gateway will use the default permission set for this user. To use RADIUS authentication 1. Click Users in the main menu, and click the RADIUS tab. The RADIUS page appears. 2. Complete the fields using the table below. 3. Click Apply. 4. To
  • D-Link CP310 | User Guide - Page 386
    to host the service. To clear the text box, click Clear. Port Type the port number on the RADIUS server's host computer. The default port number is 1812. Shared Secret Type the shared secret to use for secure communication with the RADIUS server.
  • D-Link CP310 | User Guide - Page 387
    time in seconds between attempts to communicate with the RADIUS server. The default value is 3 seconds. If the RADIUS VSA (Vendor-Specific Attribute) is configured for a user, the fields in this area will have no effect, and the user will be granted the permissions specified in the VSA. If the VSA
  • D-Link CP310 | User Guide - Page 388
    option only appears if the Web Filtering service is defined. Select this option to allow the user to access the My HotSpot page. This option only appears in DFL-CP310 with Power Pack. Configuring the RADIUS Vendor-Specific Attribute For detailed instructions and examples, refer to the "Configuring
  • D-Link CP310 | User Guide - Page 389
    Table 77: VSA Syntax Permission Description Attribute Number Attribute Format Attribute Values Notes Admin Indicates the 1 administrator's level of access to the NetDefend Portal String none. The user cannot access the NetDefend Portal.
  • D-Link CP310 | User Guide - Page 390
    feature is enabled. UFP Indicates whether 4 the user can override Web Filtering. String true. The user can override Web Filtering. false. The user cannot override Web Filtering. This permission is only relevant if the Web Filtering service is enabled.
  • D-Link CP310 | User Guide - Page 391
    401 Backing Up the NetDefend firewall Configuration 415 Resetting the NetDefend firewall to Defaults 418 Running Diagnostics 421 Rebooting the NetDefend firewall 422 Viewing Firmware Status The firmware is the software program embedded in the NetDefend firewall. You can view your current
  • D-Link CP310 | User Guide - Page 392
    example... WAN MAC Address The MAC address used for the Internet connection 00:80:11:22:33:44 Firmware Version The current version of the 6.0 firmware Installed Product The licensed software and the number of allowed nodes NetDefend unlimited nodes
  • D-Link CP310 | User Guide - Page 393
    on page 281. If you are not subscribed to the Software Updates service, you must update your firmware manually. To update your NetDefend firmware manually 1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears. 2. Click Firmware Update.
  • D-Link CP310 | User Guide - Page 394
    . Your NetDefend firewall firmware is updated. Updating may take a few minutes, during which time the PWR/SEC LED may start flashing red or orange. Do not power off the appliance. At the end of the process the NetDefend firewall restarts automatically.
  • D-Link CP310 | User Guide - Page 395
    Upgrading Your Software Product You can upgrade your NetDefend firewall by adding the DFL-CP310 Power Pack. After purchasing the Power Pack, you will receive a new Product Key that enables you to use the Power Pack on the same NetDefend firewall you have today. There
  • D-Link CP310 | User Guide - Page 396
    Product Key. 4. In the Product Key field, enter the new Product Key. 5. Click Next. The Installed New Product Key dialog box appears. 6. Click Next.
  • D-Link CP310 | User Guide - Page 397
    The first Registration dialog box appears. 7. Do one of the following: • To register your NetDefend firewall later on, clear the I want to register my product check box and then click
  • D-Link CP310 | User Guide - Page 398
    2) Enter your contact information in the appropriate fields. 3) To receive email notifications regarding new firmware versions and services, select the check box. 4) Click Next. The Registration... screen appears. The third Registration dialog box appears.
  • D-Link CP310 | User Guide - Page 399
    Your NetDefend firewall If you want to activate your warranty and optionally receive notifications of new firmware versions and services, you must register your NetDefend firewall. Privacy Statement: D-Link is committed to protecting your privacy. We use the information we collect about you to
  • D-Link CP310 | User Guide - Page 400
    by the firewall, the event details include the source and destination IP address, the destination port, and the protocol used for the communication attempt can be downloaded from http://www.kiwisyslog.com. For technical support, contact Kiwi Enterprises. To configure Syslog logging 1. Click Setup in
  • D-Link CP310 | User Guide - Page 401
    this... Type the IP address of the computer that will run the Syslog service (one of your network computers), or click This Computer to allow your computer to host the service. Clear Click to clear the Syslog Server field. Syslog Port Type the port number of the Syslog server. Default Click to
  • D-Link CP310 | User Guide - Page 402
    NetDefend Portal's command line interface. To control the appliance via the NetDefend Portal 1. Click Setup in the main menu, and click the Tools tab.
  • D-Link CP310 | User Guide - Page 403
    The Tools page appears. 2. Click Command. The Command Line page appears. 3. In the upper field, type a command.
  • D-Link CP310 | User Guide - Page 404
    the Command Line You can view a list of supported commands using the command help. For information on all commands, refer to the NetDefend CLI Reference Guide. 4. Click Go. The command is implemented. Click Network in the main menu, and click the Ports tab.
  • D-Link CP310 | User Guide - Page 405
    3. In the RS232 drop-down list, select Console. 4. Click Apply. You can now control the NetDefend firewall from the serial console. For information on all supported commands, refer to the NetDefend CLI Reference Guide.
  • D-Link CP310 | User Guide - Page 406
    Configuring HTTPS You can enable NetDefend firewall users to access the NetDefend Portal from the Internet. To do so, you remotely, so it is especially important to make sure all NetDefend firewall users' passwords are difficult to guess.
  • D-Link CP310 | User Guide - Page 407
    the NetDefend Portal from your internal network, by surfing to https://my.firewall. If you selected IP Address Range, additional fields appear. 3. If you selected IP Address Range, enter the desired IP address range in the fields provided. 4. Click Apply. The HTTPS configuration is saved. If you
  • D-Link CP310 | User Guide - Page 408
    SSHv2 clients only. The SSHv1 protocol contains security vulnerabilities and is not supported. To configure SSH 1. Click Setup in the main menu, and click the Management tab. The Management page appears. 2. Specify from where SSH access should be granted.
  • D-Link CP310 | User Guide - Page 409
    it is especially important to make sure all NetDefend firewall users' passwords are difficult to guess. If you selected IP Address Range, additional fields appear. 3. If you selected IP Address Range, enter the desired IP address range in the fields provided. 4. Click Apply. The SSH configuration
  • D-Link CP310 | User Guide - Page 410
    Management tab. The Management page appears. 2. Specify from where SNMP access should be granted. See Access Options on page 391 for information. If you selected IP Address Range, additional fields appear.
  • D-Link CP310 | User Guide - Page 411
    3. If you selected IP Address Range, enter the desired IP address range in the fields provided. 4. In the Community field, type the name of the SNMP community string. SNMP clients use the SNMP community string as a password when connecting to the NetDefend firewall. The default value is "public
  • D-Link CP310 | User Guide - Page 412
    purposes. System Contact Type the name of the contact person. This information will be visible to SNMP clients, and is useful for administrative purposes.
  • D-Link CP310 | User Guide - Page 413
    SNMP Port: Type the port to use for SNMP. The default port is 161. Setting the Time on the Appliance You set the time displayed in the NetDefend Portal during initial appliance setup. If desired, you
  • D-Link CP310 | User Guide - Page 414
    and time, the Specify Date and Time dialog box appears. Set the date, time, and time zone in the fields provided, then click Next.
  • D-Link CP310 | User Guide - Page 415
    • If you selected Use a Time Server, the Time Servers dialog box appears. Complete the fields using the information in Time Servers Fields on page 400, then click Next. • The Date and Time Updated screen appears. 5. Click Finish.
  • D-Link CP310 | User Guide - Page 416
    ... Primary Server Type the IP address of the Primary NTP server. Secondary Server Type the IP address of the Secondary NTP server. This field is optional. Clear Clear the field. Select your time zone Select the time zone in which you are located.
  • D-Link CP310 | User Guide - Page 417
    of the entity to which a specific IP address or DNS name is registered. This information is useful in tracking down hackers. See Using IP Tools on page 402. Packet Sniffer: Capture network traffic. This information is useful for troubleshooting network problems. See Using Packet Sniffer on page 404.
  • D-Link CP310 | User Guide - Page 418
    the following things happen: The NetDefend firewall sends packets to the specified IP address or DNS name. The IP Tools window opens and displays the percentage of packet loss and the amount firewall connects to the specified IP address or DNS name.
  • D-Link CP310 | User Guide - Page 419
    Tools window opens and displays a list of routers used to make the connection. • If you selected WHOIS, the following things happen: The NetDefend firewall queries the Internet WHOIS server. A window displays the name of the entity to which the IP address or DNS name is registered and their contact
  • D-Link CP310 | User Guide - Page 420
    capture packets from any internal network or NetDefend port. This is useful for troubleshooting network problems and for collecting data about network behavior. The NetDefend firewall saves the using the information in the table below. 4. Click Start.
  • D-Link CP310 | User Guide - Page 421
    Using Diagnostic Tools The Packet Sniffer window displays the name of the interface, the number of packets collected, and the percentage of storage space remaining on the appliance for storing the packets. 5. Click Stop to stop collecting packets. A standard File Download dialog box appears. 6.
  • D-Link CP310 | User Guide - Page 422
    this to/from this gateway gateway only. If this option is not selected, Packet Sniffer will collect packets for all traffic on the interface.
  • D-Link CP310 | User Guide - Page 423
    Using Diagnostic Tools Filter String Syntax The following represents a list of basic filter string elements: • and on page 407 • dst on page 408 • dst port on page 408 • ether proto on page 409 • host on page 410 • not on page 410 • or on page 411 • port on page 411 • src on page 412 • src port on
  • D-Link CP310 | User Guide - Page 424
    • An IP address • A host name The following filter string saves packets that are destined for the IP address 192.168.10.1: dst 192.168.10.1 dst port PURPOSE The dst port element captures all packets destined for a specific port. SYNTAX dst port port
  • D-Link CP310 | User Guide - Page 425
    The ether proto element is used to capture packets of a specific ether protocol type. SYNTAX ether proto \protocol PARAMETERS protocol String. The protocol type of the packet. This can be the following: ip, ip6, arp, rarp, atalk, aarp, dec net, sca, lat, mopdl,
  • D-Link CP310 | User Guide - Page 426
    originated from IP address 192.168.10.1, or are destined for that same IP address: host 192.168.10.1 not PURPOSE The not element is used to negate filter string elements. SYNTAX not element ! element PARAMETERS element String. A filter string element.
  • D-Link CP310 | User Guide - Page 427
    following filter string saves packets that either originate from IP address 192.168.10.1 or IP address 192.168.10.10: src 192.168.10.1 or src 192.168.10.10 port PURPOSE The port element captures all packets originating from or destined for a specific port. SYNTAX port port Note: This element can
  • D-Link CP310 | User Guide - Page 428
    • An IP address • A host name The following filter string saves packets that originated from IP address 192.168.10.1: src 192.168.10.1 src port PURPOSE The src port element captures all packets originating from a specific port. SYNTAX src port port
  • D-Link CP310 | User Guide - Page 429
    Note: When not prepended to other elements, the tcp element is the equivalent of ip proto tcp. SYNTAX tcp tcp element PARAMETERS element String. A port-related filter dst port - Capture all TCP packets destined for a specific port. • port - Captures all TCP packets originating from or destined for
  • D-Link CP310 | User Guide - Page 430
    the equivalent of ip proto udp. specific port. • port - Captures all UDP packets originating from or destined for a specific port. • src port - Capture all UDP packets originating from a specific port. The following filter string captures all UDP packets:
  • D-Link CP310 | User Guide - Page 431
    . If desired, you can edit the file. For a full explanation of the CLI script format and the supported CLI commands, see the NetDefend CLI Reference Guide. Exporting the NetDefend firewall Configuration Exporting the NetDefend firewall configuration creates a configuration file. To export the
  • D-Link CP310 | User Guide - Page 432
    Import. The Import Settings page appears. 3. Do one of the following: • In the Import Settings field, type the full path to the configuration file.
  • D-Link CP310 | User Guide - Page 433
    . The Import Settings page displays the configuration file's content and the result of implementing each configuration command. Note: If the appliance's IP address changed as a result of the configuration import, your computer may be disconnected from the network; therefore you may not be able to
  • D-Link CP310 | User Guide - Page 434
    have to set a new password and reconfigure your NetDefend firewall for Internet connection. For information on performing these tasks, see Setting Up the NetDefend firewall. You can reset the NetDefend firewall to defaults via the Web management interface (software) or by manually pressing the Reset
  • D-Link CP310 | User Guide - Page 435
    the firmware version that shipped with the appliance, select the check box. 4. Click OK. • The Please Wait screen appears. • The NetDefend firewall returns to its factory defaults. • The NetDefend firewall is restarted (the PWR/SEC LED flashes quickly). This may take a few minutes. • The Login page
  • D-Link CP310 | User Guide - Page 436
    reset the NetDefend firewall to factory defaults using the Reset button 1. Make sure the NetDefend firewall is powered on. 2. Using a pointed object Warning: If you choose to reset the NetDefend firewall by disconnecting the power cable and then reconnecting it, be sure to leave the NetDefend
  • D-Link CP310 | User Guide - Page 437
    can view technical information about your NetDefend firewall's hardware, firmware, license, network status, and Service Center. This information is useful for troubleshooting. You can export it to an *.html file and send it to technical support. To view diagnostic information 1. Click Setup in the
  • D-Link CP310 | User Guide - Page 438
    tab. The Firmware page appears. 2. Click Restart. A confirmation message appears. 3. Click OK. • The Please Wait screen appears. • The NetDefend firewall is restarted (the PWR/SEC LED flashes quickly). This may take a few minutes. • The Login page appears.
  • D-Link CP310 | User Guide - Page 439
    connecting up to four USB-based printers to the appliance. When using computers with a MAC OS-X operating system, the NetDefend firewall supports connecting one printer. The appliance automatically detects printers as they are plugged in, and they immediately become available for printing. Usually
  • D-Link CP310 | User Guide - Page 440
    listed, check that you connected the printer correctly, then click Refresh to refresh the page. 5. Write down the port number allocated to the printer.
  • D-Link CP310 | User Guide - Page 441
    Configuring Computers to Use Network Printers The port number appears in the Printer Server TCP Port field. You will need this number later, when configuring computers to use the network printer. 6. To change the port number, do the following: a. Type the desired port number in the Printer Server
  • D-Link CP310 | User Guide - Page 442
    opens with the Welcome dialog box displayed. 5. Click Next. The Local or Network Printer dialog box appears. 6. Click Local printer attached to this computer.
  • D-Link CP310 | User Guide - Page 443
    . The Select a Printer Port dialog box appears. 8. Click Create a new port. 9. In the Type of port drop-down list, select Standard TCP/IP Port. 10. Click Next. The Add Standard TCP/IP Port Wizard opens with the Welcome dialog box displayed. 11. Click Next.
  • D-Link CP310 | User Guide - Page 444
    or IP Address field, type the NetDefend firewall's LAN IP address, or "my.firewall". You can find the LAN IP address in IP Printer Port Wizard opens, with the Additional Port Information Required dialog box displayed. 14. Click Custom. 15. Click Settings.
  • D-Link CP310 | User Guide - Page 445
    the Printers page. 17. In the Protocol area, make sure that Raw is selected. 18. Click OK. The Add Standard TCP/IP Printer Port Wizard reappears. 19. Click Next. The Completing the Add Standard TCP/IP Printer Port Wizard dialog box appears. 20. Click Finish.
  • D-Link CP310 | User Guide - Page 446
    The Add Printer Wizard reappears, with the Install Printer Software dialog box displayed. 21. Do one of the following: • Use the lists to select . In the Ports tab, in the list box, select the port you added.
  • D-Link CP310 | User Guide - Page 447
    The port's name is IP_. 26. Click OK. MAC OS-X This procedure is relevant for computers with the latest version of the MAC OS-X operating system. Note: This procedure may
  • D-Link CP310 | User Guide - Page 448
    The System Preferences window appears. 3. Click Show All to display all categories. 4. In the Hardware area, click Print & Fax. The Print & Fax window appears. 5. In the Printing tab, click Set Up Printers.
  • D-Link CP310 | User Guide - Page 449
    . 8. In the Printer Type drop-down list, select Socket/HP Jet Direct. 9. In the Printer Address field, type the NetDefend firewall's LAN IP address, or "my.firewall". You can find the LAN IP address in the NetDefend Portal, under Network > My Network. 10. In the Queue Name field, type the name
  • D-Link CP310 | User Guide - Page 450
    . Click Add. The new printer appears in the Printer List window. 14. In the Printer List window, select the newly added printer, and click Make Default.
  • D-Link CP310 | User Guide - Page 451
    Viewing Network Printers Viewing Network Printers To view network printers 1. Click Setup in the main menu, and click the Printers tab. The Printers page appears, displaying a list of connected printers. For each printer, the model, serial number, port, and status is displayed. A printer can have
  • D-Link CP310 | User Guide - Page 452
    , and click the Printers tab. The Printers page appears. 2. Next to the desired printer, click Reset. The network printer's current print job is restarted.
  • D-Link CP310 | User Guide - Page 453
    the NetDefend firewall. Note: For information on troubleshooting wireless connectivity, see Troubleshooting Wireless Connectivity on page 183. This chapter includes the following topics: Connectivity (page 438), Service Center and Upgrades (page 442), Other Problems (page 443)
  • D-Link CP310 | User Guide - Page 454
    the power connection to the NetDefend firewall. • Check if the WAN LINK/ACT LED • Check your TCP/IP configuration according to Installing your ISP for possible service outage. • Check whether routers. Some DSL equipment can be configured to work both ways.
  • D-Link CP310 | User Guide - Page 455
    Ethernet adapter MAC address onto the NetDefend firewall. For instructions, see Configuring LINK/ACT LED for the port used by your computer is on. If not, check if the network cable linking default value, and it may vary if you changed it in the My Network page.
  • D-Link CP310 | User Guide - Page 456
    device that performs NAT, such as a DSL router or Wireless router, but the device will block all incoming connections from reaching your NetDefend firewall. To fix this problem, do ONE of the following. (The solutions are listed in order of preference.)
  • D-Link CP310 | User Guide - Page 457
    as Wireless access. • If possible, disable NAT in the router. Refer to the router's documentation for instructions on how to do this. • If the router has a "DMZ Computer" or "Exposed Host" option, set it to the NetDefend firewall's external IP address. • Open the following ports in the NAT device
  • D-Link CP310 | User Guide - Page 458
    Center, check that the Service Center IP address is typed correctly. • The NetDefend firewall connects to the Service Center using UDP ports 9281/9282. If the NetDefend firewall is installed behind another firewall, make sure that these ports are open.
  • D-Link CP310 | User Guide - Page 459
    Problems Other Problems I have forgotten my password. What should I do? Reset your NetDefend firewall to factory defaults using the Reset button as detailed in Resetting the NetDefend firewall to Defaults application to be the exposed host. For instructions, see Defining an Exposed Host on page
  • D-Link CP310 | User Guide - Page 460
  • D-Link CP310 | User Guide - Page 461
    Interference Statement 451 Technical Specifications Table 86: NetDefend Appliance Attributes Attribute DFL-CP310 DFL-CPG310 General Dimensions 20 x 3.1 x 15.5 cm (width x height x depth) (7.9 x 1.2 x 6.1 inches) Weight 0.69 kg (1.55 lbs) Power supply nominal All Models: 100~240VAC
  • D-Link CP310 | User Guide - Page 462
    Technical Specifications Attribute DFL-CP310 DFL-CPG310 Max. Power Consumption 8W (1.6A) Retail box dimensions 29 x 25 x 7.6 cm (width x height x depth) to +70°C - 5°C ~ 50°C 5%~90% at 25°C/ None condensed CNS1219 C6343 EN60950/ IEC60950/ cTUVus 60950 446 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 463
    Attribute DFL-CP310 Technical Specifications DFL-CPG310 Quality Mean Time Between Failures (MTBF) ISO9001:2000 TL9000-HW R3.0 ISO14001 Ohsas18001: 1999 68,000 Hours at 30 ºC ISO9001:2000 TL9000-HW R3.0 ISO14001 Ohsas18001: 1999 68,000 Hours at 30 ºC Chapter 17: Specifications 447
  • D-Link CP310 | User Guide - Page 464
    Attributes Attribute DFL-CPG310 series Operation Frequency 2.412-2.484 MHz Transmission Power 79.4 mW Modulation OFDM, DSSS, 64QAM, 16QAM, QPSK, BPSK, CCK, DQPSK, DBPSK WPA Authentication Modes EAP-TLS, EAP-TTLS, PEAP (EAP-GTC), PEAP (EAP-MSCHAP V2) 448 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 465
    Directive) In accordance with the following standards: Table 88: NetDefend Appliance Standards Attribute DFL-CP310 DFL-CPG310 EMC EN 55022:1998 EN 61000-3-2: 1995 EN 61000-3-3: 1995 EN 61000-4-2:1995 55022:1998 EN 55024:1998 EN 61000-3-2: 1995 EN 61000-3-3: 1995 Chapter 17: Specifications 449
  • D-Link CP310 | User Guide - Page 466
    CE Declaration of Conformity Attribute DFL-CP310 DFL-CPG310 EN 61000-4-8:1993 EN 61000-4-2:1995 EN 61000-4-11:1994 EN 61000-4-3:1996 of the Original Signed Declaration (in full conformance with EN45014), please contact SofaWare at the above address. 450 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 467
    can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Shielded cables must be used with this must not be operated in conjunction with any other antenna. Chapter 17: Specifications 451
  • D-Link CP310 | User Guide - Page 468
  • D-Link CP310 | User Guide - Page 469
    ) issues certificates to entities such as gateways, users, or computers. The entity later uses the (information about itself), and possibly the IP address. After two entities exchange and validate each into someone else's computer system, bypasses passwords or licenses in computer programs; or in
  • D-Link CP310 | User Guide - Page 470
    network. F Firmware Software embedded in a device. G Gateway A network point that acts as an entrance to another network. H Hacking An activity in which someone breaks into someone else's computer system, bypasses passwords or licenses in computer programs; or in D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 471
    transmit to another computer, specific types of data. HTTPS default Web port number, and uses a public key to encrypt data HTTPS is used to transfer confidential user information. Hub A device with multiple ports, connecting several PCs or network devices on a network. I IP Address An IP address
  • D-Link CP310 | User Guide - Page 472
    IP address assigned by the ISP among several PCs. Check Point FireWall-1's Stateful Inspection Network Address Translation (NAT) implementation supports hundreds of pre-defined applications, services, and protocols, more than any other firewall vendor.
  • D-Link CP310 | User Guide - Page 473
    includes the Internet address of the destination. computer users on an router is connected to at least two networks. S Server A server is a program (or host) that awaits and requests from client programs across the network. For example, a Web server is the computer program, running on a specific
  • D-Link CP310 | User Guide - Page 474
    mask indicates which part of the IP address is the host ID and which IP, is sometimes referred to as UDP/IP. Like the Transmission Control Protocol, UDP uses the Internet Protocol to actually get a data unit (called a datagram) from one computer to another. Unlike D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 475
    TCP, however, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end. UDP is often used for applications such as streaming data. URL A URL (Uniform Resource Locator) is the address of a file (resource) accessible on the Internet. The type
  • D-Link CP310 | User Guide - Page 476
  • D-Link CP310 | User Guide - Page 477
    Allow and Forward rules, explained • 213 Allow rules, explained • 213 Automatic login • 341 B backup connection configuring • 90 dialup • 92 LAN or interface controlling the appliance via • 386 D DHCP configuring • 94 explained • 454 options • 101 DHCP Server enabling/disabling • 94 explained • 94
  • D-Link CP310 | User Guide - Page 478
    • 211 setting security level • 204 firmware explained • 375, 454 updating manually • 377 viewing status • 375 462 FTP Bounce • 245 G gateways backup • 119 default • 108, 119, 139 explained • , 438, 455 I IGMP • 251 IKE traces, viewing • 356 initial login • 39 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 479
    troubleshooting • 438 viewing information • 87 Internet Setup • 63 Internet Wizard • 54 IP address changing • 105 explained • 455 hiding • 107 IP , 421, 438 upgrading • 379 link configurations, modifying • 149 logs exporting • 187 viewing • 187 M MAC address • 456 Manual Login • 341 Max Ping Size •
  • D-Link CP310 | User Guide - Page 480
    network • 110 enabling DHCP Server on • 94 string syntax • 407 using • 404 Pass rules, explained • 268 464 password changing • 359 setting up • 39 Peer to Peer • 252 Ping • 145 modifying assignments • 147 modifying link configurations • 149 resetting to defaults • 150 viewing statuses • 146
  • D-Link CP310 | User Guide - Page 481
    155 assigning services to • 209 built-in • 154, 160 deleting • 159 explained • 151 restoring defaults • 160 traffic • 191 viewing • 187 wireless statistics • 198 routers • 90, 119, 401, 438, 457 rules security • 259 enabling/disabling • 258 quick guest users • 365 setting up • 257 using •
  • D-Link CP310 | User Guide - Page 482
    software updates checking for manually • 294 explained • 294 source routing, about • 139 SSH configuring • 392 explained • 392 Stateful Inspection • 456, 457 Static NAT explained • 129 using • 130 static routes adding and editing • 139 explained • 139 using • 139 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 483
    restoring defaults • 160 setting up • 153 simplified • 151 using • 151 troubleshooting • 437 U UDP, explained • 458 URL, explained • 459 users adding and editing • 361 adding quick guest HotSpot • 365 managing • 359 setting up remote VPN access for • 367 viewing and deleting • 367 V Vendor-Specific
  • D-Link CP310 | User Guide - Page 484
    enabling/disabling • 290 selecting categories for • 291 snoozing • 292 temporarily disabling • 292 Welchia • 235 WEP • 161, 163 WHOIS • 401 wireless hardware • 162 wireless protocols • 163 D-Link NetDefend firewall User Guide
  • D-Link CP310 | User Guide - Page 485
    Index wireless stations preparing • 182 viewing • 198 WLAN configuring • 161 defined • 459 preparing stations for • 182 troubleshooting connectivity • 183 viewing statistics for • 198 WPA • 161, 163 WPA2 • 163 WPA-PSK • 161, 163 Index 469

D-Link NetDefend firewall
Security VPN Firewall
NetDefend secured by Check Point
User Guide
Version 1.0
Revised: 01/17/2006