2006 DFL-210/800/1600/2500 Technical Training

2006 DFL-210/800/1600/2500 Technical Training
©Copyright By D-Link HQ ©Copyright All rights reserved

Agenda Appliance Overview Firewall Concept Basic Configuration
Scenario & Hands-on Troubleshooting

Appliance Overview model of firewall
DFL-800 Console WAN1 LAN WAN2 DMZ back

DFL-1600 Console LAN3 LAN2 WAN1 LAN1 WAN2 DMZ back

DFL-2500 Console LAN3 LAN2 LAN1 WAN1 WAN2 WAN3 WAN4 DMZ back

Appliance Overview Characters of firewall and for DFL-1600/2500
Brand new user-friendly , no GUI confusion issue. Neater and more professional look for firewall product line. mechanism with D-Link switches prevents threat spreading. Advanced firewall features including to ease the implementation. High Port Density Giga Interface GUI ID ZoneDefense Transparent Mode

Appliance Overview LED panel
Console Power System Serial Console Port Concealed Look LCD Display System Information Traffic Monitor Alert Monitor Configuration Display Ethernet Auto-Sensing Copper Port LAN Port WAN Port and DMZ port Keypad Keypad for “Right ” , “Left” , “Upper “ and “Confirm “

Setup Mode Press Keypad to enter setup mode “in 5 seconds” after the firewall is switched on Enter the Setup Mode Use Left or Right button to select 1.Start Firewall: Start off the firewall system 2.Reset Firewall: Reset the firewall to factory default. After reset firewall, choose “start firewall” After switch on the firewall 5 seconds, the firewall will enter Status Mode automatically

Status Mode Model name: Display the device model name. System Status: Display system working status. CPU Load and Connections: Show the CPU utilization and concurrent session Total BPS and PPS: Concurrent traffic statistics and packets statistics per second. Date and Time: Display device current date and time Uptime: Device boot up time. Mem: System memory utilization. IDS Sigs: Display IDS signature information. WAN DMZ LAN: Display each interface IP address Core Version: Display firewall firmware version.

Firewall Concept Questions
What is firewall? Which firewall is the safest? Firewall does not protect against application errors.

Connection established
Firewall Concept IP Start Communication Web Server Client (1.) > 80 SYN (2.) SYN.ACK <- 80 (3.) > 80 ACK Connection established SYN FLOOD 1. Sending a packet to the web server with the ”SYN” flag. The client uses a fake IP address 2. The server responds with a SYN.ACK. Then the server waits until the client responds with an ACK packet 3. The client repeats step one until it is satisfied that the damage is done

Firewall Concept IP Start Communication
More bits SYN – Synchronize = New connection ACK – Acknowledge = Acknowledge that data has been received PSH - Push = “Push received data to application layer now" URG - Urgent = Urgent data, Process first (Beg. 70) FIN - Finish = End communication with an handshake RST - Reset = “Do not communicate with me!”

Firewall Concept Firewall deployments in a network
Static Route Static routes are needed for the Firewall to communicate with Networks that are not locally attached on the same subnet NAT Internal address are private addresses from RFC1918 All private addresses are translated to a valid IP address before accessing the Internet Transparent No changes required on any end station, router or server Routing protocols can be configured to pass through the firewall in Transparent mode The firewall offers full firewall and VPN capabilities

Firewall Concept Firewall deployments in a network Static Route
LAN WAN Intranet Web Corp Mail Intranet DNS AdminPC 1 AdminPC 2 AdminPC 3 Internet Router DMZ Corporate Web Mail Relay DMZ DNS Sales Support Marketing

Firewall Concept Firewall deployments in a network NAT

Firewall Concept Firewall deployments in a network Transparent

Firewall Concept Firewall Generations
First generation Packet filtering Second generation Proxy Third generation Stateful Inspection Fourth generation IDS/IDP

Firewall Concept 1.Packet Filtering
Works with the IP & TCP level Disadvantages: Does not re-create fragmented packets Does not understand the relationship between packets Advantages High speed of packets process OSI Model 7. Applikation 6. Presentation 5. Session 4. Transport 3. Network 2. DataLink 1. Physical

Firewall Concept 2.Proxy
Receives packets, reads and re-creates the packets No physical connection between the client and the server. Disadvantages Slow The proxy must understand the application protocol Mostly based on complex operating system Advantages Attacks on the TCP/IP level will never penetrate through the protected network Able to analyze application data Able to strip things like ActiveX and Java. OSI Model 7. Applikation 6. Presentation 5. Session 4. Transport 3. Network 2. DataLink 1. Physical

Firewall Concept 3.Stateful Inspection
Re-create fragmented packets Understand the relationship between packets Advantages Does not need to understand the application data to work Great flexibility Better performance than proxy Disadvantages Harder to analyze the application data (but still possible) OSI Model 7. Applikation 6. Presentation 5. Session 4. Transport 3. Network 2. DataLink 1. Physical

Firewall Concept 4.IDS/IDP
Receives packets, reads and re-creates the packets No physical connection between the client and the server. Disadvantages Slow The proxy must understand the application protocol Mostly based on complex operating system Advantages Attacks on the TCP/IP level will never penetrate through the protected network Able to analyze application data Able to strip things like ActiveX and Java. OSI Model 7. Applikation 6. Presentation 5. Session 4. Transport 3. Network 2. DataLink 1. Physical

Firewall Concept Packet flow
WAN IP: INTERNET Packet inspection Priority processes Allow? Drop? NAT? Reject? IP:

Firewall Concept Packet flow
When all traffic get in the firewall,they will be inspected by VLAN first (If VLAN is used ). The IDS rule is the primary filter which is configured to allow or disallow certain types of network traffic through the firewall. Then these traffic will be inspected by IP rule and routing rule After that the traffic will be inspected by Zone Defense and Traffic Shaping

Including verification of
Firewall Concept Packet flow VLAN packet? Inbound packet Basic sanity checks, Including verification of IP header Check IDS signatures Yes Yes Drop De-capsulate Fragment? failed Yes Process fragment Drop No Open Connction Traffic Shaping ZD Allow/NAT/SAT false Yes DestIP = FW? Route IP Verify TCP/UDP header Found matching Connection? Apply Rules SAT_ ApplyRulePack Traffic Shaping FwdFast/SAT No true Traffic Shaping Forward packet Drop Drop ZD

Basic Configuration Default Interface Attribute Definition(DFL-800)
LAN can be managed and pinged The firewall disable DHCP

LAN1 can be managed and pinged The firewall disable DHCP

Basic Configuration design concept of UI
Any undesired rules or objects are being created without hitting the “ok” button, users must hit “cancel” button or that rule or object would still be in the list and named “untitle”. Traffic is being examined by the pattern where the rules were created from top down When right-click any rules or objects and select delete, a strike line will show on that rule or object. The “save and activate” button will not be available if the “untitle” rule or object is not deleted After click “save and activate” , must reconnect to it within 30 seconds (default setting) for the configuration changes to be finalized. If this fails, the unit will revert to its previous configuration. The reconnecting time can be adjustable.

Basic Configuration Configure Static IP address on your laptop or PC
User will be authenticated before logging to the firewall Default login: admin, Password: admin User will be presented with; Menu Bar Tree View List Main Window back

Basic Configuration Tree View List Menu Bar Main windows

Basic Configuration UI of System

Basic Configuration UI of Object

Basic Configuration UI of Rules

Basic Configuration UI of Interfaces

Basic Configuration UI of Routing

Basic Configuration UI of IDS/IDP

UI of User Authentication
Basic Configuration UI of User Authentication

Basic Configuration UI of Traffic Shaping

Basic Configuration UI of ZoneDefense

Basic Configuration Three Steps to Configure
1.Create and verify the object 2.Create the rule (IP rule ,IDS rule ,user authentication rule and Pipes rule ) 3.Create and verify routing rule

First Step to Configure
Basic Configuration First Step to Configure 1.Create and verify the object The most important in firewall configuration is OBJECT. Objects are basic network elements defined in the firewall. It is a list of symbolic names associated with various types of addresses, including IP addresses of host and network Object items are heavily used through a firewall configuration; in routing tables, rule-set, interface definitions, VPN Tunnels among others

Basic Configuration Objects – Address Book
Hosts & Networks configuration items are symbolic names for IP networks

Basic Configuration Objects – ALG
ALGs are designed to manage specific protocols Examine the payload data and carry out appropriate actions based on defined rules Appropriate Application Layer Gateway definition is selected in a Service configuration item. Network traffic which matches the service definition will thus be managed by the selected Application Layer Gateway.

Basic Configuration Objects – Services
A definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as to use the TCP protocol with destination port 80.

Basic Configuration Objects – Schedules
The Schedule will only allow those firewall rules to be used at those designated times only. Any activities outside the scheduled time slot will not follow the rules and will therefore unlikely be permitted to pass through the firewall

Basic Configuration Objects – Certificate
A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy manner. Certificates can be used on authenticate individual users or other entities. These types of certificates are commonly called end-entity certificates.

Basic Configuration Second Step to Configure 2.Create the rule
The Rules configuration section represents the rule-set, the "heart" of the firewall. The rule-set is the primary filter which is configured to allow or disallow certain types of network traffic through the firewall. The rule-set also regulates how address translation and bandwidth management, traffic shaping, is applied to traffic flowing through the firewall.

Basic Configuration IP Rules – Drop
Packets matching Drop rules will be immediately dropped. Such packets will be logged if logging has been enabled in the Log Settings page

Basic Configuration IP Rules – Drop DROP RULE DROPPING LOG

Basic Configuration IP Rules – Reject
Reject works basically the same way as Drop. In addition, the firewall sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet is a TCP packet, a TCP RST message.

Basic Configuration IP Rules – Reject REJECT RULE ICMP Unreachable
TCP RST REJECTING LOG

Basic Configuration IP Rules – FwdFast
Packets matched FwdFast rules are allowed through immediately. Firewall does not memorize the open connections and does not statefully inspect traffic which has passed through it. For one single packet, it is indeed faster than first having to open a state-tracked connection and then passing the packet to it. But when several packets pass the same connection, state tracking (Allow) is faster

Remember that that there need to be a FwdFast rule in each direction.
Basic Configuration IP Rules – FwdFast No Statefully traffic Inspection (does not remember open connections) INTERNET Packets matching FwdFast Rules Note: Allow is usually faster then FwdFast Remember that that there need to be a FwdFast rule in each direction.

Basic Configuration IP Rules – Allow
Packets matched Allow rules are passed to the stateful inspection engine, which will memorize that a connection has been opened Rules for return traffic will not be required as traffic belonging to open connections which is automatically dealt with before it reaches the rule set

Basic Configuration IP Rules – Allow Logging & Stateful Inspection
INTERNET Packets matching Allow Rules

Basic Configuration IP Rules – SAT
Nothing happens when a packet matches a SAT rule at the beginning The firewall will memorize where to send the traffic and continue to look for a matching rule that will allow the packet to pass and a static address translation will be performed at that stage

I want the file from FTP server
Basic Configuration IP Rules – SAT I want the file from FTP server FTP SERVER DMZ WAN IP: The public_ip should be bound to the WAN of firewall first redirect_address is used to redirect incoming connection from public_ip to private_ip

Basic Configuration IP Rules – NAT
The rules perform dynamic address translation and NAT hide the sender address. Mostly hiding all machines on a protected network to appear at the outside world as if they use a single IP address

Network Address Translation
Basic Configuration IP Rules – NAT INTERNET WAN IP: Network Address Translation IP:

Third Step to Configure
Basic Configuration Third Step to Configure 3.Create and verify routing rule Main Route: The Routes configuration section describes the firewall’s routing table.Firewall uses a slightly different way of describing routes compared to most other systems. Policy- Base Route: The rules in the PBR rule-set are able to specify which routing table to be used in the forward as well as return direction (Select routing priority)

Basic Configuration Main Routing Table
Routing tells the firewall in which direction it should send packets destined for a given IP address

Basic Configuration Policy Based Routing
Connect to two or more ISPs , and accept inbound connections from all of them. Return traffic is routed back through the ISP that delivered the incoming requests. Route certain protocols through transparent proxies such as web caches and anti-virus scanners, without adding another point of failure for the network as a whole. Create provider-independent metropolitan area networks, i.e. one where all users share a common active backbone, but able to use different ISPs, subscribe to different streaming media providers, etc.

Basic Configuration Policy Based Routing Internet WAN1 Extranet
/24 Intranet /24 DMZ WAN2

Scenario & Hands-on Basic Configuration(WAN/LAN/DMZ Transparent mode)
Configure Load Sharing and Route Failover (use 2 WANs) Configure ZoneDefend Port mapping for server(SAT and server load balance) Runtime Authentication configuration Traffic shaping Configure VPN tunnel(PPTP L2TP and IPsec)

Scenario & Hands-on Accomplished all scenarios topology Hands on:
DFL-800 IPSec VPN Tunnel WAN1 IP: /24 Remote LAN Internal LAN IP: /24 WAN1 (DHCP) FTP Server WAN2 (Static IP) Hands on: Basic Configuration Load Sharing and Route Failover ZoneDefense Port mapping for server User Authentication Traffic Shaping VPN tunnel DMZ DFL-1600 Internal LAN3 IP: /24 Internal LAN1 IP: /24 Internal LAN2 IP: /24

Scenario & Hands-on Network topology for hands-on
Internet All WAN1 port connect to switch main switch G4 G1 G2 G3 back

Scenario & Hands-on Network topology for every group main switch
Four persons in one group LAN1 port connects to group switch group switch

and enable transparent mode)
Scenario & Hands-on 1 Basic Configuration (Configure WAN type ,modify IP address of LAN and enable transparent mode) WAN1 PPPoE , DHCP Static IP: /24 Internal DMZ IP: /24 Objective: How to modify IP address for LAN and DMZ in Object How to use DHCP, Static IP and PPPoE to access Internet How to enable transparent mode Internal LAN3 IP: /24 Internal LAN1 IP: /24 Internal LAN2 IP: /24

Scenario & Hands-on 1-1 Basic Configuration-Modify IP address for LAN and DMZ Network topology Internal LAN1 IP: /24 Notes: DFL-800 only has LAN and DMZ DFL-1600/2500 has LAN1 , LAN2 ,LAN3 , and DMZ Pay attention to default manageable status Confirm connecting port DFL-800 DFL-1600 DFL-2500 Bind a secondary IP address to match the new network IP segment. After configuration, use new LAN IP address for default gateway on laptop Internal LAN2 IP: /24 Internal LAN3 IP: /24 Internal DMZ IP: /24

The Logics of Configuration
Scenario & Hands-on 1-1 Basic Configuration-Modify IP address for LAN and DMZ Objectives Access to LAN1 IP address successfully (Ping) or mange Web UI by new IP address The Logics of Configuration Bind a secondary IP address to match the new network IP segment. After configuration, use new LAN IP address for default gateway in your laptop Modify objects of IP address and network in address book of Object

Scenario & Hands-on Bind two IP address on one NIC 1 2 3

Scenario & Hands-on Bind two IP address on one NIC 5 6 4

Scenario & Hands-on 1-1 Basic Configuration-Modify IP address for LAN and DMZ Use web browser such as Internet Explorer 6 or Firefox 1.0 to connect to Web UI

Scenario & Hands-on 1-1 Basic Configuration-Modify IP address for LAN and DMZ 1 2 3 1 2 Change the IP address in address book of Object Click “Interface Addresses” in Object Key in the correct IP address and network

Scenario & Hands-on 1-1 Basic Configuration-Modify IP address for LAN and DMZ 1 2 3 1 2 Change the IP address in address book of Object or Ethernet of Interface Key in correct IP address and network

Scenario & Hands-on 1-1 Basic Configuration-Modify IP address for LAN and DMZ 1 2 3 After all configurations are done , Click “configuration” in main bar Click “Save and Activate”

Scenario & Hands-on 1-1 Testing Result
Basic Configuration-Modify IP address for LAN and DMZ Ping LAN IP address Testing Result

Scenario & Hands-on 1-1 How to modify reconnection Web UI time
After you click” save and active” you can adjust the reconnection time Click “Click here to edit the configuration verification timeout.”

Scenario & Hands-on 1-1 Basic Configuration-Modify IP address for LAN and DMZ Use new LAN IP address for default gateway on laptop 1 2 3

Scenario & Hands-on 1-1 Basic Configuration-Modify IP address for LAN and DMZ Use new LAN IP address for default gateway on laptop 5 4 6

Scenario & Hands-on 1-1 Basic Configuration-Modify IP address for LAN and DMZ Use new LAN IP address for default gateway on laptop 7 8

Scenario & Hands-on 1-1 Exercise 1-1- Modify IP address for LAN and DMZ Objective: Change IP address of LAN1 Ping the new IP address of LAN1 and access to Web UI by new IP successfully Internal DMZ Internal LAN3 Internal LAN1 Internal LAN2 LAN1 IP: Group A(1): /24 Group B(2): /24 . Group I(9): /24 Group J(10): /24

Scenario & Hands-on 1-2 Basic Configuration-Transparent mode
Network topology WAN1 IP: /24 /24 Note: Configure default gateway Configure DHCP relay, if firewall is in DHCP environment Internal LAN1 IP: /24 /24

Scenario & Hands-on 1-2 Basic Configuration-Transparent mode Objectives Implement firewall in transparent mode without changing exist network setting Allow or deny specific service and traffic (allow WAN1 to LAN1for ICMP service, allow LAN1to WAN1 for all service) The Logics of Configuration Enable transparent mode Configure IP Rules and objects in firewall Bind a secondary IP address to match the new network IP segment.

3 4 5 6 Configure the IP object in address book of Object to same Click “address book” in Object Configure IP address of WAN1 and LAN1

3 4 5 6 1 2 3 Enable transparent mode for WAN1 and LAN1 Click “Ethernet” under “Interface” Enable transparent in WAN1 interface and add the object of gateway to “Default Gateway” Disable “add route for interface network”

3 4 5 6 1 3 2 Enable transparent mode for WAN1 and LAN1 Click “Ethernet” in Interface Enable transparent on LAN1 interface Disable “add route for interface network”

3 4 5 6 3 1 2 4 Add the “Service” rule under IP rules(WAN1 to LAN1 and LAN1 to WAN1) Click “IP rules” in Rules Choose the correct Action,Service,Interface and Network for the rule

3 4 5 6 Create the DHCP relay for LAN1 to WAN1 Click “DHCP relays” under “System”  “DHCP Settings” Choose the correct Action,Service,Interface and Network for the rule

3 4 5 6 After all configuration , Click “configuration” in main bar Click “Save and Activate”

Basic Configuration-Transparent mode Get IP address from DHCP server and ping to gateway Testing Result

Exercise 1-2- Transparent mode
Scenario & Hands-on 1-2 Exercise 1-2- Transparent mode WAN1 Objectives: Enable transparent mode Allow ping from WAN to LAN Allow all service from LAN to WAN WAN1 IP LAN1 IP Group1: / /24 Group2: / /24 . Group9: / /24 Group10: / /24 DHCP server IP address : Internal LAN1

Scenario & Hands-on 1-3 Basic Configuration- WAN type-Static IP
Network topology WAN1(Static) IP: /24 WAN1-gatway IP: /24 Note: Configure default gateway Internal LAN1 IP: /24

Scenario & Hands-on 1-3 Basic Configuration- WAN type-Static IP Objectives Configure WAN type with Static IP address The Logics of Configuration Before configuring WAN type with static IP, please reset the device to default Create an object for WAN1 gateway to apply to the interface of WAN1 Choose the correct Action, Service, Interface and Network for the rule

2 3 4 Create the correct gateway object under “Address Book” Click “address book” under “Object” Add an object for IP4 Host/Network Verify the IP addresses of wan1_ip and wan1net

2 3 4 1 2 Apply the gateway object to WAN Interface Click “Ethernet” under “Interfaces” Add the gateway object for “Default Gateway”

2 3 4 1 2 Create the service rule in IP rules Click “IP rules” under “Rules” Choose the correct Action,Service,Interface and Network for the rule

2 3 4 After all configuration , Click “configuration” in main bar Click “Save and Activate”

Basic Configuration- WAN type-Static IP Ping to Internet (tw.yahoo.com) Testing Result

Scenario & Hands-on 1-3 Exercise 1-3- WAN type-Static IP Objective
WAN1:Group IP Objective Change WAN type with static IP address of following IP addresses Use “NAT” mode to access the Internet WAN1 Group1: /24 Group2: /24 . Group9: /24 Group10: /24 WAN1-Gateway: LAN1 Group1: /24 Group2: /24 . Group9: /24 Group10: /24 Internal LAN1 Group private IP

Scenario & Hands-on 1-4 Basic Configuration – WAN type-PPPoE
Network topology WAN1 PPPoE Note: Configure PPPoE tunnel Apply the PPPoE tunnel to IP rule Internal LAN1 IP: /24

Scenario & Hands-on 1-4 Basic Configuration- WAN type-PPPoE Objectives Configure WAN type on PPPoE tunnel to access Internet by NAT mode The Logics of Configuration Create a PPPoE tunnel and apply it to the IP rule Choose the correct Action, Service, Interface and Network for the rule

2 3 Create an object for PPPoE rule in “PPPoE Tunnels” under “Interfaces” Click “PPPoE Tunnels” under “Interfaces” Apply correct Physical Interface, Remote Network,Username and Password in the object

2 3 1 2 Create the IP rule Click “IP rules” under “Rules” Choose the correct Action, Service, Interface and Network for the rule

2 3 After all configuration , Click “configuration” in the main bar Click “Save and Activate”

Basic Configuration – WAN type-PPPoE Ping to Internet (tw.yahoo.com) Testing Result

Exercise 1-4- WAN type-PPPoE
Scenario & Hands-on 1-4 Exercise 1-4- WAN type-PPPoE WAN1 PPPoE Objective: Configure WAN type on PPPoE tunnel and local user could access Internet Internal LAN1 IP: /24

Basic Configuration- WAN type-DHCP
Scenario & Hands-on 1-5 Basic Configuration- WAN type-DHCP Network topology WAN1 DHCP Note: Enable DHCP client in WAN interface Internal LAN1 IP: /24

Scenario & Hands-on 1-5 Basic Configuration- WAN type-DHCP Objectives Dynamically assign IP to WAN interface and local users could access internet by NAT The Logics of Configuration Enable “DHCP client” in Interface Create the IP rule and choose correct Action, Service, Interface and Network for the rule

Scenario & Hands-on 1-5 Basic Configuration- WAN type-DHCP 1 2 3 1 2 Enable the DHCP client in “Ethernet” under “Interfaces” Click “Ethernet” under “Interfaces” Enable “DHCP Client”

Scenario & Hands-on 1-5 Basic Configuration- WAN type-DHCP 1 2 3 1 2 Create the service rule in “IP rules” Click “IP rules” in Rules Choose the correct Action,Service,Interface and Network for the rule

Scenario & Hands-on 1-5 Basic Configuration- WAN type-DHCP 1 2 3 After all configuration , Click “configuration” in main bar Click “Save and Active”

Basic Configuration – WAN type-DHCP Verify the WAN IP from “Status” in tool bar Testing Result

Exercise 1-5- WAN type-DHCP
Scenario & Hands-on 1-5 Exercise 1-5- WAN type-DHCP WAN1 DHCP server Objective Dynamically assign IP to WAN interface and local users could access internet Internal LAN1 IP: /24

Scenario & Hands-on 2-1 WAN Failover Network topology WAN2(static IP)
WAN2-gateway IP: WAN1 DHCP Note: Manually add default route in main routing table Enable “Monitor “feature on routes WAN2 is back up link Internal LAN3 IP: /24 Internal LAN1 IP: /16 Internal LAN2 IP: /24

Scenario & Hands-on 2-1 WAN Failover Objectives WAN1 is the main link,WAN2 is the backup link When WAN1 is disconnected ,all traffic will go through WAN2 to Internet When WAN1 back to normal, all traffic would go through WAN1 to Internet The Logics of Configuration Create routing policy in main routing table Applying routing policy between DHCP and static IP in WAN connection Create the IP rule and choose correct Action, Service, Interface and Network for the rule

Scenario & Hands-on 2-1 WAN Failover
3 4 5 6 7 8 1 3 2 Enable the DHCP client in “Ethernet” under “Interfaces” Click “Ethernet” in Interface Uncheck “Add default route if default gateway is specified”

3 4 5 6 7 8 Create the correct gateway object in “Address Book” under “Object” (WAN2) Click “address book” in Object Add the object for IP4 Host/Network Modify wan2_ip and wan2net

3 4 5 6 7 8 1 3 2 Apply the gateway object to WAN Interface and disable “add default route” Click “Ethernet” in Interface Disable default route in Interface

3 4 5 6 7 8 Combine WAN1 and WAN2 to the object of WAN Click “interface Groups” in Interface Create the object and choose WAN1 and WAN2

Scenario & Hands-on 2-1 WAN Failover Create the IP rule for WAN group
3 4 5 6 7 8 Create the IP rule for WAN group Click “Rules” in IP Rule Choose correct Action, Service, Interface and Network in the rule

3 4 5 6 7 8 3 1 4 2 Create the WAN1 routing rule and enable “monitor this route” Click “Main Routing Table” under “Routing “ Create the routing rule for WAN1 Choose lower Metric value and enable “monitor this route”

3 4 5 6 7 8 3 1 4 2 Create the WAN2 routing rule and enable “monitor this route” Click “Main Routing Table” under “Routing “ Create the routing rule for WAN2 Choose higher Metric valueand enable “monitor this route”

3 4 5 6 7 8 After all configuration , Click “configuration” in main bar Click “Save and Activate”

Exercise 2-1- WAN Failover
Scenario & Hands-on 2-1 Exercise 2-1- WAN Failover WAN2 Group IP (Static IP) WAN1 DHCP Objectives: WAN1 is the main link,WAN2 is the backup link When WAN1 is disconnected, all traffic would failover to WAN2 WAN LAN1 Group1: / /24 Group2: / /24 Group9: / /24 Group10: / /24 WAN2-Gateway: Internal LAN1 Group IP

Scenario & Hands-on 2-2 Load Sharing and WAN failover Network topology
WAN2(static IP) IP: /24 WAN2-gateway IP: WAN1 DHCP Notes: Create PBR table and apply it to route policy Internal LAN3 IP: /24 Internal LAN1 IP: /16 Internal LAN2 IP: /24

Scenario & Hands-on 2-2 Load Sharing and WAN failover Objectives All services go through WAN1 but the FTP service and specific IP range go through WAN2 When WAN1 is disconnected ,all traffic will go through WAN2 to Internet When WAN1 back to normal, all traffic would go through WAN1 to Internet When WAN2 is disconnected, the specified traffic and service can access to Internet by WAN1 The Logics of Configuration Modify PBR routing table and routing rule

Scenario & Hands-on 2-2 Load Sharing and WAN failover
1 2 3 4 Create the IP address object specifically for LAN1 Click “Address Book” under “Objects” Click “Ethernet” under “Interfaces”

1 2 3 4 3 1 2 Add the route of WAN2(Static) in PBR Click “PBR table ” under “Routing” Choose higher metric in PBR table and enable function of monitor

1 2 3 4 1 2 Add the route rule of WAN1 in PBR Click “PBR policy” under “Routing” Choose correct Forward, Return table, interface and network

Exercise 2-2- Load Sharing
Scenario & Hands-on 2-2 Exercise 2-2- Load Sharing WAN2 Static IP WAN1 DHCP Objectives: For Load Sharing: Except for ping-outbound and specific IP range X traffic by WAN2 then other service will pass through to Internet by WAN1. For Fail Over: When unplug any WAN cable, users still can access the Internet via a different WAN port. Internal LAN1 IP: x.0/24

How to enable the function of “tracer”
1 2 2 1 Modify the value of TTL min to 1 Click “IP Setting of Advanced Setting” in “System” Key in the smallest value (1)

How to enable the function of “tracer”
1 2 3 2 1 Enable “Pass returned from ICMP error messages from destination” Click “Services” in “Objects” and choose the object of “all_icmp”

Scenario & Hands-on 3 ZoneDefense
When there’s any infected host spreading worm into the network Firewall can stop the malicious traffic flooding to other subnets but have no way to stop it infecting its network [subnet A] The most effective solution will be: Firewall triggers the ACL in LAN switches to perform real time filtering on any malicious traffic found D-Link Firewalls implement ZoneDefense feature to perform proactive network security with D-Link switches Set ACL to block specific MAC or IP address DMZ WAN Firewall DES-3x26S DES-3350SR DES-3250TG DES-3500 series DES-3800 series xStack series Subnet B Subnet A Subnet C Infected Host

Uniquely from D-LINK – It operates with D-LINK switches to isolate infected host that is generating unusual traffic to the LAN Uses Threshold rules to examine connections through the firewall and take actions upon them. The threshold rules monitor the number of connections per second When a pre-defined limit is reached, the firewall sends block requests to the switches configured for ZoneDefense

Scenario & Hands-on 3 ZoneDefense Internet

Scenario & Hands-on 3 ZoneDefense INTERNET Note: WAN1
Verify the model of supporting switch Verify the IP address of switch Verify the community between switch and firewall WAN1 IP: /24 LAN1 IP: /24 Switch IP: /24 DGS-3324SR Block HTTP Request exceeding 4 sessions For every host PC PC

Scenario & Hands-on 3 ZoneDefense Objectives When traffic of every host exceed 4 sessions, switch create the ACLs rule to block illegal traffic by firewall The Logics of Configuration Configure the switch Choose the correct model of switch Exclude switch and administrator Create and configure the threshold rule

1 2 3 4 5 6 7 Reset to default and configure the IP address of switch Use CLI of switch to inspect Key in “reset config” Key in “config ipif System ipaddress /24”

1 2 3 4 5 6 7 Verify the communication between firewall and switch and inspect the community in switch Use CLI of switch to inspect Key in “show snmp community”

1 2 3 4 5 6 7 Create the object of IP address for switch and administrator Click “Address Book” under “Objects” Add the object for IP4 Host/Network

1 2 3 4 5 6 7 1 2 Create the switch object in ZoneDefense Click “switches” under “ZoneDefense” Choose the correct switch model and Key in the SNMP Community Verity the firewall can communicate with the switch

1 2 3 4 5 6 7 Exclude the switch and the administrator Click “Exclude” under “ZoneDefense” Choose the correct object

1 2 3 4 5 6 7 1 3 2 Create the threshold rule in ZoneDefense Click “Threshold” under “ZoneDefense “ Choose the correct interface and network Key in the threshold condition (the value of host-base must be smaller then network)

1 2 3 4 5 6 7 After all configuration , Click “configuration” in main bar Click “Save and Active”

Scenario & Hands-on 3 ZoneDefense Testing Result
Block status form firewall Block status form Switch

Exercise-3 ZoneDefense
Scenario & Hands-on 3 Exercise-3 ZoneDefense INTERNET Objective: When web traffic of every host exceed 2 sessions, switch create the ACLs rule to block illegal traffic by firewall WAN1 DHCP LAN1 IP: Group IP address DGS-3324SR Switch IP: an IP that’s the same segment as the LAN1 IP PC PC

Scenario & Hands-on 4-1 Port mapping for server Network topology WAN1
IP: /24 FTP Server IP: /24 WAN1 IP: /24 FTP Server IP: /24 FTP Server Note: Add another public IP address in “ARP table” Verify the sequence of IP rule DMZ Internal LAN3 IP: /24 Internal LAN1 IP: /24 Internal LAN2 IP: /24 Back

The Logic of Configuration
Scenario & Hands-on 4-1 Port mapping for server Objectives Access the FTP server by public IP address( ) The Logic of Configuration Create objects of public and private IP addresses for FTP server Create ARP object in ARP Table Create the IP rule (SAT and allow) for FTP server

Scenario & Hands-on 4-1 Port mapping for server
2 3 4 5 1 2 Add the objects of both public and virtual IP addresses for FTP server *Click “Address Book” under Objects Key in the correct IP addresses

2 3 4 5 Create the object in ARP Table Click “ARP Table” under “Interfaces” Apply objects with the FTP IP address

2 3 4 5 1 3 2 Create the IP rule to map FTP server (SAT) Click “IP Rule” under “Rules” Choose the correct Action,Service,Interface,SAT setting and Network for the rule

2 3 4 5 1 2 Create the IP rule to allow FTP server (allow FTP) Click “IP Rule” under “Rules” Choose the correct Action,Service,Interface and Network for the rule

Succeed to get in FTP server
Scenario & Hands-on 4-1 Port mapping for server Succeed to get in FTP server topology

Scenario & Hands-on 4-1 Exercise 4-1 - Port mapping for server
WAN1:DHCP FTP Server: Group public IP address FTP Server Group private IP Objective: Access to FTP server by group’s public IP address successfully DMZ IP : DFL-800 : Port DMZ DFL-1600: Port #3 DFL-2500: Port #5 DMZ FTP Server public IP Group1: /24 Group2: /24 . Group9: /24 Group10: /24 FTP Server private IP /24

Scenario & Hands-on 4-2 SAT in PPPoE connection Network topology WAN1
FTP Server Note: Add PPPoE in Interfaces Verify the sequence of IP rule DMZ Internal LAN3 IP: /24 Internal LAN1 IP: /24 Internal LAN2 IP: /24 Back

Scenario & Hands-on 4-2 SAT in PPPoE connection Objectives When using PPPoE connection, internal FTP server could be accessed by public The Logic of Configuration Create objects of PPPoE connection Create private IP addresses for FTP server Create the IP rule (SAT and allow) for FTP server

Scenario & Hands-on 4-2 SAT in PPPoE connection
1 2 3 4 5 Create an object for PPPoE rule in “PPPoE Tunnels” under “Interfaces” Click “PPPoE Tunnels” under “Interfaces” Apply correct Physical Interface, Remote Network,Username and Password in the object

1 2 3 4 5 Add the object of virtual IP addresses for FTP server *Click “Address Book” under Objects Key in the correct IP addresses

1 2 3 4 5 1 3 2 If use PPPoE connection, create the IP rule to map FTP server (SAT) Click “IP Rule” under “Rules” Choose the correct Action,Service,Interface,SAT setting and Network for the rule

1 2 3 4 5 1 2 Create the IP rule to allow FTP server (allow FTP) Click “IP Rule” under “Rules” Choose the correct Action,Service,Interface and Network for the rule

1 2 3 4 5 After all configuration , Click “configuration” in main bar Click “Save and Activate”

Succeed to get in FTP server
Scenario & Hands-on 4-2 SAT in PPPoE connection Succeed to get in FTP server topology

Scenario & Hands-on 4-2 Exercise 4-2 - SAT in PPPoE connection
WAN1:PPPoE FTP Server: Group public IP address FTP Server Group private IP Objective: Access to FTP server by group’s public IP address successfully DMZ IP : DFL-800 : Port DMZ DFL-1600: Port #3 DFL-2500: Port #5 DMZ FTP Server public IP Group1: /24 Group2: /24 . Group9: /24 Group10: /24 FTP Server private IP /24

Scenario & Hands-on 4-3 SAT and server load balance Network topology
WAN1 IP: /24 FTP Server IP: /24 FTP Server-1 FTP Server-1 Note: Add another public IP address in “ARP table” Verify the sequence of IP rule DMZ Internal LAN3 IP: /24 Internal LAN1 IP: /24 Internal LAN2 IP: /24

Scenario & Hands-on 4-3 SAT and server load balance Objectives Access two FTP servers by one public IP address ( ) The Logic of Configuration Create objects of public and private IP addresses for two FTP servers Create ARP object in ARP Table Cerate the IP rule (SAT_SLB and allow) for FTP server

Scenario & Hands-on 4-3 SAT and server load balance
1 2 3 4 5 6 Add the public IP address object for two FTP servers Click “Address Book” under “Objects” Key in the correct IP address

1 2 3 4 5 6 1 2 Add two virtual IP address objects for two FTP servers Click “Address Book” under “Objects” Key in the correct IP address

1 2 3 4 5 6 Apply the object of IP address to ARP Table Click “ARP Table” under “Interfaces” Apply objects for the FTP IP address

1 2 3 4 5 6 3 1 2 Create the IP rule of FTP server Click “IP Rule” in Rules Choose correct Action,Service,Interface,SLB_SAT and Network in the rule

1 2 3 4 5 6 1 2 Create the IP rule to allow FTP server (allow FTP) Click “IP Rule” in Rules Choose correct Action,Service,Interface and Network in the rule

1 2 3 4 5 6 After all configuration , Click “configuration” on main menu bar Click “Save and Activate”

Scenario & Hands-on 4-3 Exercise 4-3- SAT and server load balance
WAN1:DHCP FTP Server-1:Group public IP FTP Server-1 Group private IP-1 FTP Server-1 Group private IP-2 Objective: Access to two FTP servers by group’s public IP address successfully DMZ FTP Server public IP Group1: /24 Group2: /24 . Group9: /24 Group10: /24 FTP Server private IP-1 /24 DMZ: FTP Server private IP-2 Group1: /24

Scenario & Hands-on 5 Process of authentication
Runtime Authentication configuration Process of authentication Internet http request

Scenario & Hands-on 5 Runtime Authentication configuration
For authorize users to accessing the Internet, LAN and Intranet services either through the Local DB or RADIUS Server. The user authentication rules must be save & activated in order to apply the settings.

Scenario & Hands-on 5 192.168.10.1 10.0.100.97 Core
Runtime Authentication configuration The Core owns the IP addresses Core WAN LAN

Network topology WAN1 IP: /24 Note: Modify the Web UI http port Verify the sequence of IP rule LAN1 IP: /24 Switch IP: /24 DES-3226S Authenticated user accessing the Internet PC PC

Scenario & Hands-on 5 Runtime Authentication configuration Objectives When user open a web browser, it will be a screen pop out automatically, and request for login. Services will be allowed after authentication. When user logout, they can choose either logout manually, or it will logout automatically when the preset idle time reaches. The Logic of Configuration Change Web UI http port Create an object for specific traffic network Create a local user database Create IP rules for Authentication

1 2 3 4 5 6 7 8 9 10 11 2 1 Change the remote management http port to avoid port conflict Click “Remote Management” then click “modify advanced setting” Change WebUI http port

1 2 3 4 5 6 7 8 9 10 11 3 1 2 4 Create the user database for Authentication Click “Local User Database” in User Authentication Key in the authenticated user(user name/password)

1 2 3 4 5 6 7 8 9 10 11 1 2 Create the User Authentication Rules Click “User Authentication Rules” in User Authentication Choose the correspond settings

1 2 3 4 5 6 7 8 9 10 11 2 1 Create the User Authentication Rules Click “User Authentication Rules” in User Authentication Choose the correspond settings

1 2 3 4 5 6 7 8 9 10 11 1 2 Create the IP address for Authenticating users Click “Address Book ” in Objects Add an object for authenticating users Key in the correct IP address and group name

1 2 3 4 5 6 7 8 9 10 11 1 2 Create the “allow” rule (rule-1) Click “IP Rule” in Rules Choose correct Action,Service,Interface and Network in the rule

1 2 3 4 5 6 7 8 9 10 11 1 2 Create the “NAT-DNS” rule (rule-2) Click “IP Rule” in Rules Choose correct Action,Service,Interface and Network in the rule

1 2 3 4 5 6 7 8 9 10 11 1 2 Create the “NAT-all_service” rule (rule-3) Click “IP Rule” in Rules Choose correct Action,Service,Interface and Network in the rule

1 2 3 4 5 6 7 8 9 10 11 1 3 2 Create the “SAT” rule (rule-4) Click “IP Rule” in Rules Choose correct Action,Service,Interface and Network in the rule

1 2 3 4 5 6 7 8 9 10 11 1 2 Create the “Allow” rule (rule-5) Click “IP Rule” in Rules Choose correct Action,Service,Interface and Network in the rule

1 2 3 4 5 6 7 8 9 10 11 After all configuration , Click “configuration” on main menu bar Click “Save and Activate”

Action1 Action3 Action2 Allow manual log-out web page Allow user to look up the DNS Allow authorized users to use networking service All HTTP traffic will be mapped to firewall LAN1 IP address Allow all HTTP traffic to map to LAN1 IP address Action1 Action3 Action2 Action2

Testing Result

Exercise 5- Runtime Authentication configuration
Scenario & Hands-on 5 Exercise 5- Runtime Authentication configuration WAN1 DHCP LAN1 IP: /24 Switch IP: /24 Objective: The specific user or network must be authorized before access to the Internet When user logout, they can choose either logout manually, or it will logout automatically when the preset idle time reaches. DES-3226S Authenticated user accessing the Internet PC PC

Scenario & Hands-on 6 Traffic Shaping Pipes concept

This diagram shows not using the Dynamic balancing
Scenario & Hands-on 6 Traffic Shaping The Concept of Dynamic balancing This diagram shows not using the Dynamic balancing

The Concept of Dynamic balancing
Scenario & Hands-on 6 Traffic Shaping The Concept of Dynamic balancing When using the function of Dynamic balancing

The Concept of Precedence
Scenario & Hands-on 6 Traffic Shaping The Concept of Precedence Highest High Pipe Medium Low

Bandwidth of Leased Line with 1Mbps in both directions(two pipes)
Scenario & Hands-on 6 Traffic Shaping Concept of Design (Pipe 1Mbps) Bandwidth of Leased Line with 1Mbps in both directions(two pipes) The pipe throughput should be less than the physical pipe!

Concept of Design (Pipe 1Mbps) - download
Scenario & Hands-on 6 Traffic Shaping Concept of Design (Pipe 1Mbps) - download HTTP 250Kbps Highest FTP 250Kbps High 1Mbps SMTP 500Kbps Low HTTP 250Kbps Highest FTP 250Kbps High 1Mbps SMTP 500Kbps Low

Scenario & Hands-on 6 Traffic Shaping Pipes
All measuring, limiting, guaranteeing and balancing is carried out in pipes A pipe by itself is meaningless unless it is put into use in the Rules section. Each rule can pass traffic through one or more pipes, in a precedence (priority) of your choice.

Determine the bandwidth of precedence
Scenario & Hands-on 6 Traffic Shaping Precedence Determine the bandwidth of precedence

Scenario & Hands-on 6 Traffic Shaping Pipes rules
Plan your traffic shaping requirements. If you do not know how traffic should be limited, prioritized, guaranteed, or distributed, you will likely find the configuration work more confusing than helpful.

Scenario & Hands-on 6 Traffic Shaping Precedence Assign precedence

Scenario & Hands-on 6 Traffic Shaping
Network topology External WAN1 1.For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500Kb. 2.For inbound and outbound POP3, the guarantee bandwidth is 300Kb. (maximum bandwidth is 1000Kb) 3.For other inbound and outbound service, the remaining bandwidth will be used. 4.Above all services are dedicating bandwidth value. Bandwidth of leased line Download: 1Mbps Upload: 1Mbps Internal LAN1 Note: Before use the traffic shaping for specified application. Please make sure that the IP rule has been created for the specified application.

The logic of Configuration
Scenario & Hands-on 6 Traffic Shaping Objective For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500Kb. For inbound and outbound POP3, the guarantee bandwidth is 300Kb. (maximum bandwidth is 1000Kb) For other inbound and outbound service, the remaining bandwidth will be used. Above all services are dedicating bandwidth value. The logic of Configuration Make sure to create IP rule Create objects of Pipe Create rules of Pipe Choose correct Action, Service, Interface and Network in the rule Key in correct value at Precedence and Total bandwidth value

1 2 2 3 4 5 6 7 8 9 10 Create object of the input pipe (Create the pipe of standard-in) Click “Pipes” in Traffic Shaping Key in correspond value for Precedence and total bandwidth value

1 1 2 3 4 5 6 7 8 9 10 Create object of the output pipe (Create the pipe of outbound) Click “Pipes” in Traffic Shaping Key in correspond value for Precedence and total bandwidth value

1 1 2 2 3 4 5 6 7 8 9 10 Create object of the HTTP input (Create the pipe HTTP-in) Click “Pipes” in Traffic Shaping Key in correspond value for Precedence and total bandwidth value

1 1 2 2 3 3 4 5 6 7 8 9 10 Create object of the HTTP output (Create the pipe of HTTP-in) Click “Pipes” in Traffic Shaping Key in correct value at Precedence and Total bandwidth value

1 2 3 4 5 6 7 8 9 10 1 3 2 4 Create Rules of the HTTP (Create the rule of HTTP ) Click “Pipes Rules” in Traffic Shaping Key in correspond value for Precedence and total bandwidth value

1 2 3 4 5 6 7 8 9 10 Create object of the POP3 input (Create a pipe of POP3-in ) Click “Pipes” in Traffic Shaping Key in correspond value for Precedence and total bandwidth value

1 2 3 4 5 6 7 8 9 10 Create object of the POP3 output (Create a pipe of POP3-out ) Click “Pipes” in Traffic Shaping Key in correspond value for Precedence and total bandwidth value

1 2 3 4 5 6 7 8 9 10 1 3 2 4 Create the rules of POP3 (Create the rule of POP3 ) Click “Pipes Rules” in Traffic Shaping Choose correct Action,Service,Interface and Network in the rule

1 2 3 4 5 6 7 8 9 10 1 3 2 4 Create Rules of other service (Create the rule of other service ) Click “Pipes Rules” in Traffic Shaping Choose correct Action,Service,Interface and Network in the rule

1 2 3 4 5 6 7 8 9 10 After all configuration , Click “configuration” on main menu bar Click “Save and Activate”

Before use the traffic shaping for specified application. Please make sure that the IP rule has been created for the specified application.

First step: Create two bidirectional pipes for the physical WAN link Second step: Create two bidirectional pipes for the specified application

Third step: Create pipe rules for the specified application

Exercise 6- Traffic Shaping
Scenario & Hands-on 6 Exercise 6- Traffic Shaping External WAN1 Objectives For inbound and outbound SMTP, the maximum bandwidth is 400Kb. For inbound and outbound FTP, the guarantee bandwidth is 250Kb.(maximum bandwidth is 500Kb) For other inbound and outbound service, the maximum bandwidth is 350Kb. Above all services are dedicating bandwidth value. Bandwidth of leased line Download: 1Mbps Upload: 1Mbps Internal LAN1

Scenario & Hands-on 7-1 VPN Configuration-PPTP Network topology Note:
IP: /24 PPTP Client VPN Tunnel WAN1 DHCP IP: /24 Note: Choose correct inner IP address and Outer Interface filter for PPTP tunnel DFL-1600 Internal LAN3 IP: /24 Internal LAN1 IP: /24 Internal LAN2 IP: /24

The logic of configuration
Scenario & Hands-on 7-1 VPN Configuration-PPTP Objectives The user dial-up to firewall by Windows PPTP client software . Dial-up user communicate with LAN1 of firewall The logic of configuration Create object for PPTP server IP address and IP address range Create Authenticating database Configure PPTP server Create the IP rule for PPTP tunnel

Scenario & Hands-on 7-1 VPN Configuration-PPTP
2 3 4 5 6 Create object for PPTP server IP address and IP address range Click “Address” in Objects Key in the correspond IP address

2 3 4 5 6 Create Local Database for PPTP authentication Click “Local User Databases ” in User Authentication Key in the correct Username and Password

Scenario & Hands-on 7-1 VPN Configuration-PPTP Create PPTP tunnel
2 3 4 5 6 Create PPTP tunnel Click “PPTP/L2TP Servers ” in Interface Choose the correspond configuration

2 3 4 5 6 Create User Authentication Rules for PPTP tunnel Click “User Authentication Rules ” in User Authentication Choose the correspond configuration Enable Log setting and choose local user database

2 3 4 5 6 Create IP Rules for PPTP tunnel Click “IP Rules ” in Rules Choose the correspond configuration Enable Log setting

2 3 4 5 6 After all configuration, Click “configuration” on main menu bar Click “Save and Activate”

Scenario & Hands-on 7-1 VPN Configuration-PPTP Testing Result

Scenario & Hands-on 7-1 Exercise 7-1- VPN Configuration-PPTP
PPTP Client VPN Tunnel WAN1 DHCP IP Objectives: Use Windows client to Dial-up PPTP Ping the IP address of LAN in firewall DFL-1600 Internal LAN3 IP: /24 Internal LAN1 IP: /24 Internal LAN2 IP: /24

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec Network topology
L2TP/IPsec Client VPN Tunnel WAN1 DHCP Note: L2TP/IPsec must use transport mode Choose correct local net and remote net for IPsec tunnel Choose correct inner IP address and Outer Interface filter for L2TP tunnel DFL-1600 Internal LAN3 IP: /24 Internal LAN1 IP: /24 Internal LAN2 IP: /24

Scenario & Hands-on 7-2 VPN Configuration-IPsec Objectives The user dial-up to firewall by Windows L2TP/IPsec client software Dial-up user communicate with LAN1 of firewall The logic of configuration Create objects for L2TP server IP address and IP address range Create Authenticating database Configure IPsec tunnel Configure L2TP server Create the IP rule for L2TP tunnel

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
1 2 3 4 5 6 7 8 9 10 11 Create objects for L2TP server IP address and IP address range Click “Address” in Objects Key in the correspond IP address

1 2 3 4 5 6 7 8 9 10 11 Create Local Database for L2TP authentication Click “Local User Databases ” in User Authentication Key in correct Username and Password

1 2 3 4 5 6 7 8 9 10 11 Create the pre-shared key for L2TP Click “Pre-Share Keys ” in VPN Objects Key in the correspond value

1 2 3 4 5 6 7 8 9 10 11 Create the IPsec tunnel Click “IPsec Tunnels” in Interface Choose correspond configuration

1 2 3 4 5 6 7 8 9 10 11 Verify the IPsec tunnel Click “Authentication” in this IPsec tunnel Apply pre-shared key to this IPsec tunnel

1 2 3 4 5 6 7 8 9 10 11 Verify the IPsec tunnel Click “Routing” in this IPsec tunnel Enable “Dynamically add routes to remote network when a tunnel is established “in this IPsec tunnel

1 2 3 4 5 6 7 8 9 10 11 Verify the IPsec tunnel Click “Advanced” in this IPsec tunnel Disable “Add route for remote network “in this IPsec tunnel

1 2 3 4 5 6 7 8 9 10 11 Create the L2TP tunnel Click “PPTP/L2TP Servers ” in Interface Choose correspond configuration

1 2 3 4 5 6 7 8 9 10 11 Create User Authentication Rules for L2TP tunnel Click “User Authentication Rules ” in User Authentication Choose correspond configuration Enable Log setting and choose local user database

1 2 3 4 5 6 7 8 9 10 11 Create IP Rules for L2TP tunnel Click “IP Rules” in Rules Choose correspond configuration Enable Log setting

1 2 3 4 5 6 7 8 9 10 11 After all configuration , Click “configuration” on main menu bar Click “Save and Activate”

Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec Testing Result

Scenario & Hands-on 7-2 Exercise 7-2- VPN Configuration-L2TP/IPsec
L2TP/IPsec Client VPN Tunnel WAN1 DHCP IP Objectives: The user dial-up to firewall by Windows L2TP/IPsec client software Ping the IP address of LAN in firewall DFL-1600 Internal LAN3 IP: /24 Internal LAN1 IP: /24 Internal LAN2 IP: /24

VPN Objects – Pre Shared Keys
Scenario & Hands-on 7-3 VPN Configuration- IPsec VPN Objects – Pre Shared Keys For users to authenticate VPN tunnels 2 types of method to enter PSK – ASCII and HEX ASCII – type in passphrase HEX – type in passphrase and use “generate” to cipher passphrase

Scenario & Hands-on 7-3 VPN Configuration- IPsec VPN Objects – LDAP
For secured authentication to established over VPN, CA need to be downloaded to LDAP Server

Scenario & Hands-on 7-3 VPN Configuration- IPsec ID Lists
The Concept of ID Lists is to manage and control accessibility of the VPN clients and gateways Mobile clients can be restricted from accessing Internal networks by ID Lists

Scenario & Hands-on 7-3 VPN Configuration- IPsec IKE/IPsec Algorithms
Predefined IKE & IPSec Algorithms by default High – Very Secured Medium – Secured You can defined your own algorithms

Scenario & Hands-on 7-3 VPN Configuration- IPsec Network topology
DFL-1600 WAN1 IP: /24 Remote LAN Internal LAN IP: /24 VPN Tunnel WAN1 Static IP: /24 Note: Use same pre-share key and algorithm between two IPsec settings Choose correct local net and remote net for IPsec tunnel DFL-1600 Internal LAN3 IP: /24 Internal LAN1 IP: /24 Internal LAN2 IP: /24

Scenario & Hands-on 7-3 VPN Configuration-IPsec Objectives Two firewalls communicate to each other by IPsec tunnel . The client of local-net ping to the client of remote-net The logic of configuration Create VPN Object( pre-shared key) Configure IPsec tunnel Create the IP rule for IPsec tunnel

Scenario & Hands-on 7-3 VPN Configuration- IPsec
1 2 3 4 5 6 Create objects for IP address of remote IP address and network Click “Address” in Objects Key in the correspond IP address

1 2 3 4 5 6 Create the pre-shared key for IPsec tunnel Click “Pre-Share Keys ” in VPN Objects Key in the correct value

Scenario & Hands-on 7-3 VPN Configuration- IPsec 1 2 3 4 5 6
Create the IPsec tunnel Click “IPsec Tunnels” in Interface Choose the correspond configuration ! Note: If remote firewall wan IP is not static IP, in other words Remote Endpoint is using dynamic IP address from dynamic DNS server, administrator can enter DDNS domain name in here directly.

1 2 3 4 5 6 Combine two interfaces to one interface group Click “Interface Groups” in this Interface Choose the correspond interfaces

1 2 3 4 5 6 Create IP Rules for L2TP tunnel Click “IP Rules” in Rules Choose correspond configuration Enable Log setting

1 2 3 4 5 6 After all configuration , Click “configuration” on main menu bar Click “Save and Activate”

Scenario & Hands-on 7-3 Exercise 7-3- VPN Configuration-IPsec
Odd group DFL-1600 Remote LAN Internal LAN VPN Tunnel Even group DFL-1600 Objectives: Two firewalls communicate to each other by IPsec tunnel The client of local-net ping to the client of remote-net Internal LAN1

Scenario & Hands-on 7-4 VPN Configuration- IPsec with NetScreen 204
Network topology NetScreen 204 WAN1 IP: /24 Remote LAN Internal LAN IP: /24 VPN Tunnel WAN1 Static IP: /24 Note: Use same pre-share key and algorithm between two DFL-1600 and NS-204 Choose correct local net and remote net for IPsec tunnel DFL-1600 Internal LAN3 IP: /24 Internal LAN1 IP: /24 Internal LAN2 IP: /24

Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204 Objectives Two firewalls communicate to each other by IPsec tunnel . The client of local-net ping to the client of remote-net The logic of configuration Create VPN Object( pre-shared key, remote net/gateway and algorithm ) Configure IPsec tunnel Create the IP rule for IPsec tunnel

Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
1 2 3 4 5 6 7 8 2 1 Create network objects for DFL-1600 (remote network ) Click “List” under “Addresses” in Objects Key in the corresponding network

1 2 3 4 5 6 7 8 2 1 Create IP address objects for DFL-1600 (remote gateway ) Click “List” under “Addresses” in Objects Key in the corresponding IP address

1 2 3 4 5 6 6 6 2 1 Create P1(Phase 1) Proposal of DFL-1600 for VPN configuration Click “P1 Proposal” under “AutoKey Advanced” in VPNs Choose in the corresponding Algorithm and DH Group

1 2 3 4 5 6 7 8 2 1 Create P2(Phase 2) Proposal of DFL-1600 for VPN configuration Click “P2 Proposal” under “AutoKey Advanced” in VPNs Choose in the corresponding Algorithm and DH Group

1 2 3 4 5 6 7 8 2 3 4 5 6 1 Create Gateway objects of DFL-1600 for VPN configuration Click “Gateway” under “AutoKey Advanced” in VPNs Key in the corresponding IP address and Preshared Key Click “Advanced”

1 2 3 4 5 6 7 8 2 3 4 1 “Advanced“ of Gateway objects Choose “Custom” in User Defined and Phase 1 Proposal Choose “Main” mode

1 2 3 4 5 6 7 8 2 3 4 1 5 Create IPsec VPN tunnel for DFL-1600 Choose “Security Level” and “Predefined” for Remote Gateway Choose “Outgoing Interface” and Click “Advanced”

1 2 3 4 5 6 7 8 2 3 4 5 1 6 Create IPsec VPN policy for DFL-1600 Choose correct Action ,Service, Network in the rule Enable ”Modify matching bidirectional VPN policy”

Testing Result

DFL-1600 IPsec VPN status NetScreen VPN status

Troubleshooting Confirm configuration of firewall
Four Ways to troubleshooting Confirm configuration of firewall Inspect the firewall status Use “Console command” to get more information Capture packets to analyze (ethereal and sniffer )

Confirm configuration The problem have solved
Troubleshooting Flow Chart Inspect the firewall status No Found main cause Found main cause Confirm configuration No The problem Use console command to inspect Yes Yes Capture packets to analyze Environment cause Configuration cause or Environment cause Verify network environments Found main cause Yes Configuration cause No Verify configuration The problem have solved Dtrack System

Troubleshooting Confirm configuration of firewall
IP address or network in “Object” Configuration in “Interface” Configuration in “IP rules” Action and service Interface and network Configuration in “Main routing” Routing table Metric Configuration in “PBR” Routing table and rules Advanced configuration Zone defense Traffic shaping User Authentication

Troubleshooting Inspect the firewall status
Click “Status” on main menu bar System Logging Connection Interfaces IPsec User Auth Routes DHCP server IDS SLB Zone Defense

How to use “Console command” with HyperTerminal in MS Windows
Troubleshooting Console commands How to use “Console command” with HyperTerminal in MS Windows 1.Start HyperTerminal (Hypertrm.exe) Enter a name for the connection (for example, DFL-800) in the Name box Click an icon for the connection in the Icon box, and then click OK In the Connect Using box, click Direct To Com (choose “Restore Default”) and then click OK. 5.Verify the settings on the part settings tab and then click OK.

Troubleshooting Console commands
The first command you should learn is the HELP or H command. The help command prints a list of available commands at the console About (Displays information about the firewall core) Crashdump (dump all crash and error information) Access (Prints the active anti-spoof section) Arp [interface] (Displays the cached ARP information for all interfaces. If you add a specific interface name to the command, you will get only the specified interface.) Arpsnoop [interface] (Displays ARP queries and responses. You enable this by typing ARPSNOOP [interface]. The same command again disables it. You can also use the all string for ALL interfaces. To disable all the arpsnoop printout you can use the string NONE.) Buffers [buf num] (Displays the 20 most recently freed buffers. You can examine a specific buffer by adding the number.) Cfglog (Displays the boot log of the firewall configuration.)

Connections (Displays the connections in the firewall.) CPUid (Displays processor information.) DHCP [switches] <interface> (With this command you can renew (-renew) or release (-release) the DHCP IP address on a specific interface.) Frags (Display the 20 most recent fragment reassembly attempts. This includes both ongoing and completed attempts.) Ifstat [interface] (Displays interfaces. If you add an interface you will get statistics for this interface.) Loghosts (Displays configured loghosts.) Logout (Secures the console with the configured password.) Netcon (Displays the active console connection or management connections to the firewall.) Netobjects (Displays the active host & network configurations.) Ping (Is the normal ping command to verify an IP connection. You can use Ping [IP address] [num] where “num” is the amount of ping requests.) Reconfigure (Reloads the configuration from the boot media.)

Ikesnoop [on/off/verbose] (Ikesnoop is used to diagnose problems with IPsec tunnels.) DHCPRelay (Displays if the DHCP boot relay is enabled or disabled.) Remote (Displays the active configuration of the remote section.) Routes (Displays the active configuration of the route section.) Rules (Displays the active configuration of the rule section. There are several string commands that you can add. The –v string enables all available information {like usages}.) Scrsave (Runs the screen saver) Services (Displays the active services within the configuration.) Shutdown (Shuts down the firewall.) Stats (Displays statistics information for the firewall.) Time (Displays the firewalls current time.)

Troubleshooting Capture packets to analyze
Set up a laptop with software such as Ethereal or Sniffer to capture packets from the problem node The laptop needs to connect to the problem node through a hub If it connects through a switch, the port mirror function will have to be enabled in the switch mirror function intranet Problem node Ethereal or Sniffer

Troubleshooting Capture packets to analyze
Inspect IP address of Source, Destination and Protocol to analyze problematic network status

Questions & Answers THANK YOU

2006 DFL-210/800/1600/2500 Technical Training

Similar presentations

Presentation on theme: "2006 DFL-210/800/1600/2500 Technical Training"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

2006 DFL-210/800/1600/2500 Technical Training

Similar presentations

Presentation on theme: "2006 DFL-210/800/1600/2500 Technical Training"— Presentation transcript:

Similar presentations

About project

Feedback