2006 DFL-210/800/1600/2500 Technical Training
© Copyright by D-Link HQ. All rights reserved.
Agenda
- Appliance Overview
- Firewall Concept
- Basic Configuration
- Scenario & Hands-on
- Troubleshooting
Appliance Overview: firewall models and port layout
- DFL-800: Console, WAN1, LAN, WAN2, DMZ
- DFL-1600: Console, LAN3, LAN2, WAN1, LAN1, WAN2, DMZ
- DFL-2500: Console, LAN3, LAN2, LAN1, WAN1, WAN2, WAN3, WAN4, DMZ
Appliance Overview: characteristics of the firewall, and of the DFL-1600/2500
- Brand new, user-friendly GUI with no GUI confusion issues.
- New ID: a neater and more professional look for the firewall product line.
- ZoneDefense mechanism with D-Link switches prevents threats from spreading.
- Advanced firewall features, including Transparent Mode, to ease implementation.
- DFL-1600/2500: high port density and gigabit interfaces.
Appliance Overview: LED panel
- Power and System LEDs
- Serial console port with a concealed look
- LCD display: system information, traffic monitor, alert monitor, configuration display
- Ethernet auto-sensing copper ports: LAN, WAN and DMZ
- Keypad with "Right", "Left", "Upper" and "Confirm" buttons
Appliance Overview: LED panel, Setup Mode
- Press the keypad within 5 seconds after the firewall is switched on to enter Setup Mode.
- In Setup Mode, use the Left or Right button to select:
  1. Start Firewall: start the firewall system.
  2. Reset Firewall: reset the firewall to factory defaults. After the reset, choose "Start Firewall".
- If no key is pressed within 5 seconds of switching on, the firewall enters Status Mode automatically.
Appliance Overview: LED panel, Status Mode
- Model name: the device model name.
- System Status: the system working status.
- CPU Load and Connections: CPU utilization and number of concurrent sessions.
- Total BPS and PPS: current traffic statistics in bits and packets per second.
- Date and Time: the device's current date and time.
- Uptime: time since the device booted.
- Mem: system memory utilization.
- IDS Sigs: IDS signature information.
- WAN, DMZ, LAN: the IP address of each interface.
- Core Version: the firewall firmware version.
Firewall Concept: questions
- What is a firewall?
- Which firewall is the safest?
- A firewall does not protect against application errors.
Firewall Concept: how an IP connection starts
Three-way handshake between a client and a web server:
1. Client -> web server, port 80: SYN
2. Web server, port 80 -> client: SYN.ACK
3. Client -> web server, port 80: ACK
Connection established.
SYN flood:
1. The client sends a packet to the web server with the "SYN" flag set; the client uses a fake IP address.
2. The server responds with a SYN.ACK, then waits for the client to answer with an ACK packet.
3. The client repeats step one until it is satisfied that the damage is done.
Firewall Concept: TCP flag bits
- SYN - Synchronize: new connection
- ACK - Acknowledge: acknowledges that data has been received
- PSH - Push: "push received data to the application layer now"
- URG - Urgent: urgent data, process first
- FIN - Finish: end the communication with a handshake
- RST - Reset: "do not communicate with me!"
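The handshake and the SYN-flood pattern on the previous slide, together with the flag bits listed here, as an added Python example that is not part of the D-Link training deck: it decodes the TCP flags byte and replays a constructed packet list to count half-open connections (SYN received, never ACKed) per server port, which is the defender's view of a SYN flood. The packet records, the addresses and the threshold are constructed assumptions.

```python
# Added example, not from the training deck: decode TCP flag bits and count
# half-open (SYN received, never ACKed) connections per server port.
from collections import Counter

# Standard TCP header flag bits (the six the slide lists).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def decode_flags(flag_byte):
    """Return the set of flag names set in a TCP flags byte, e.g. 0x12 -> {'SYN', 'ACK'}."""
    return {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}


def track_handshakes(packets):
    """Replay (src, sport, dst, dport, flags) records and return the state of each
    client-side connection key: SYN_RECEIVED (half-open) or ESTABLISHED."""
    state = {}
    for src, sport, dst, dport, flag_byte in packets:
        flags = decode_flags(flag_byte)
        key = (src, sport, dst, dport)
        if "RST" in flags:                           # "do not communicate with me": forget both directions
            state.pop(key, None)
            state.pop((dst, dport, src, sport), None)
        elif "SYN" in flags and "ACK" not in flags:  # step 1: client SYN opens a half-open entry
            state[key] = "SYN_RECEIVED"
        elif flags == {"SYN", "ACK"}:                # step 2: server reply; still half-open until the ACK
            continue
        elif "ACK" in flags and key in state:        # step 3: client ACK completes the handshake
            state[key] = "ESTABLISHED"
    return state


def syn_flood_suspects(packets, threshold):
    """Server ports with at least `threshold` half-open connections."""
    half_open = Counter()
    for (client, cport, server, sport), s in track_handshakes(packets).items():
        if s == "SYN_RECEIVED":
            half_open[(server, sport)] += 1
    return {svc: n for svc, n in half_open.items() if n >= threshold}


# Constructed sample: one legitimate client completes the handshake with the
# web server 192.0.2.10:80; fifty spoofed sources send SYN only, so the server's
# SYN.ACK replies are never answered and its half-open table fills up.
SAMPLE_PACKETS = [
    ("10.0.0.5", 40000, "192.0.2.10", 80, 0x02),   # SYN
    ("192.0.2.10", 80, "10.0.0.5", 40000, 0x12),   # SYN.ACK
    ("10.0.0.5", 40000, "192.0.2.10", 80, 0x10),   # ACK, connection established
]
for i in range(1, 51):
    SAMPLE_PACKETS.append(("198.51.100.%d" % i, 1024 + i, "192.0.2.10", 80, 0x02))
    SAMPLE_PACKETS.append(("192.0.2.10", 80, "198.51.100.%d" % i, 1024 + i, 0x12))

if __name__ == "__main__":
    print(decode_flags(0x12))
    print(syn_flood_suspects(SAMPLE_PACKETS, threshold=20))
```

The state table is keyed by the client-side 4-tuple, so the server's SYN.ACK does not create an entry of its own; only the client's final ACK moves a key to ESTABLISHED, which is why the fifty spoofed sources stay counted as half-open while the legitimate client does not.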
Firewall Concept: firewall deployments in a network
- Static Route: static routes are needed for the firewall to communicate with networks that are not locally attached on the same subnet.
- NAT: internal addresses are private addresses from RFC 1918; all private addresses are translated to a valid IP address before accessing the Internet.
- Transparent: no changes are required on any end station, router or server; routing protocols can be configured to pass through the firewall in transparent mode; the firewall still offers full firewall and VPN capabilities.
Firewall Concept: deployment diagrams (Static Route, NAT and Transparent)
Figure: the same network drawn three times, once per deployment mode. LAN side: Intranet Web, Corp Mail, Intranet DNS, AdminPC 1-3, Sales, Support, Marketing. WAN side: router to the Internet. DMZ: Corporate Web, Mail Relay, DMZ DNS.
Firewall Concept: firewall generations
- First generation: packet filtering
- Second generation: proxy
- Third generation: stateful inspection
- Fourth generation: IDS/IDP
Firewall Concept: 1. Packet Filtering
Works at the IP and TCP level (OSI model: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical).
- Disadvantages: does not re-create fragmented packets; does not understand the relationship between packets.
- Advantages: high packet-processing speed.
Firewall Concept: 2. Proxy
Receives packets, reads them and re-creates them; there is no physical connection between the client and the server.
- Disadvantages: slow; the proxy must understand the application protocol; mostly based on a complex operating system.
- Advantages: attacks at the TCP/IP level never penetrate into the protected network; able to analyze application data; able to strip things like ActiveX and Java.
Firewall Concept: 3. Stateful Inspection
Re-creates fragmented packets and understands the relationship between packets.
- Advantages: does not need to understand the application data to work; great flexibility; better performance than a proxy.
- Disadvantages: harder to analyze the application data (but still possible).
Firewall Concept: 4. IDS/IDP
Firewall Concept: packet flow
Figure: a packet arriving from the Internet on the WAN IP passes packet inspection, where priority processes decide: Allow? Drop? NAT? Reject?
Firewall Concept: packet flow
When traffic enters the firewall it is first inspected by the VLAN handling (if VLAN is used). The IDS rule is the primary filter, configured to allow or disallow certain types of network traffic through the firewall. The traffic is then inspected by the IP rules and the routing rules, and after that by ZoneDefense and Traffic Shaping.
Firewall Concept: packet flow (flowchart)
1. Inbound packet.
2. VLAN packet? Yes: de-capsulate.
3. Basic sanity checks, including verification of the IP header. Failed: drop.
4. Fragment? Yes: process the fragment (drop on failure).
5. Check IDS signatures. Match: drop.
6. Found matching connection? Yes: Traffic Shaping, then forward the packet.
7. No matching connection: check whether the destination IP is the firewall itself, route the IP packet, verify the TCP/UDP header and apply the rules (SAT_ApplyRulePack).
8. Allow/NAT/SAT: open a connection, ZoneDefense, Traffic Shaping, forward the packet. FwdFast/SAT: Traffic Shaping, forward the packet. No matching rule: drop.
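The "basic sanity checks, including verification of IP header" and "Fragment?" stages of the flowchart, as an added Python example that is not the DFL's own code: it builds IPv4 packets with a valid header checksum from constructed addresses, then checks version, header length, total length, checksum and TTL the way the first stage of the flow would, and separates fragments so they go to fragment processing before the IDS and rule stages. The addresses are documentation ranges; the exact list of checks and the drop reasons are assumptions.

```python
# Added example, not from the training deck: IPv4 header sanity checks and
# fragment detection, the first decisions in the packet-flow chart.
import socket
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/offset, TTL, proto, checksum, src, dst


def ip_checksum(header):
    """RFC 1071 one's-complement sum; over a header whose checksum field is valid it returns 0."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    if len(header) % 2:
        total += header[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, more_fragments=False, frag_offset=0, ttl=64, proto=6):
    """Construct a minimal (20-byte header) IPv4 packet with a correct checksum."""
    frag_field = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(payload), 0x1234, frag_field,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def sanity_check(packet):
    """Return (ok, reason). A failed check means the packet is dropped before any rule is consulted."""
    if len(packet) < 20:
        return False, "truncated header"
    ver_ihl, _tos, total_len, _id, _frag, ttl, _proto, _cs, _src, _dst = struct.unpack(IPV4_HEADER, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        return False, "not IPv4"
    if ihl < 20 or ihl > len(packet):
        return False, "bad header length"
    if total_len < ihl or total_len > len(packet):
        return False, "bad total length"
    if ip_checksum(packet[:ihl]) != 0:
        return False, "checksum mismatch"
    if ttl == 0:
        return False, "TTL expired"
    return True, "ok"


def is_fragment(packet):
    """True when the More Fragments flag is set or the fragment offset is non-zero."""
    frag = struct.unpack("!H", packet[6:8])[0]
    return bool(frag & 0x2000) or (frag & 0x1FFF) != 0


def first_stage(packet):
    """Sanity check, then route fragments to reassembly; everything else continues to IDS/rules."""
    ok, reason = sanity_check(packet)
    if not ok:
        return "drop: " + reason
    return "process fragment" if is_fragment(packet) else "continue"


# Constructed samples (documentation address ranges).
GOOD = build_ipv4("10.0.0.5", "192.0.2.10", b"GET / HTTP/1.0\r\n")
FRAG = build_ipv4("10.0.0.5", "192.0.2.10", b"A" * 8, more_fragments=True)
_damaged = bytearray(GOOD)
_damaged[8] ^= 0xFF            # TTL byte flipped in transit: the header checksum no longer verifies
CORRUPT = bytes(_damaged)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("fragment", FRAG), ("corrupt", CORRUPT), ("short", GOOD[:12])):
        print(name, first_stage(pkt))
```

The checksum routine is run over the header including its checksum field, so a valid header sums to zero and any single corrupted byte is caught without recomputing the expected value separately.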
Basic Configuration: default interface attribute definition
- DFL-800: LAN can be managed and pinged.
- DFL-1600: LAN1 can be managed and pinged.
- DFL-2500: LAN1 can be managed and pinged.
- On all models DHCP is disabled on the firewall by default.
Basic Configuration: design concept of the UI
- If a rule or object is created without hitting the "OK" button, the user must hit "Cancel"; otherwise the rule or object stays in the list named "untitled".
- Traffic is examined against the rules in the order they were created, from top down.
- Right-clicking a rule or object and selecting Delete shows a strike-through line on that rule or object.
- The "Save and Activate" button is not available while an "untitled" rule or object remains undeleted.
- After clicking "Save and Activate", you must reconnect to the unit within 30 seconds (default setting) for the configuration change to be finalized. If this fails, the unit reverts to its previous configuration. The reconnection time is adjustable.
Basic Configuration: configure a static IP address on your laptop or PC
- The user is authenticated before logging in to the firewall. Default login: admin, password: admin.
- The user is then presented with the Menu Bar, the Tree View List and the Main Window.
Basic Configuration: Web UI sections
Screenshots of the Web UI for each tree-view section: System, Object, Rules, Interfaces, Routing, IDS/IDP, User Authentication, Traffic Shaping and ZoneDefense.
Basic Configuration Three Steps to Configure
1.Create and verify the object 2.Create the rule (IP rule ,IDS rule ,user authentication rule and Pipes rule ) 3.Create and verify routing rule
44
First Step to Configure
Basic Configuration First Step to Configure 1.Create and verify the object The most important in firewall configuration is OBJECT. Objects are basic network elements defined in the firewall. It is a list of symbolic names associated with various types of addresses, including IP addresses of host and network Object items are heavily used through a firewall configuration; in routing tables, rule-set, interface definitions, VPN Tunnels among others
Basic Configuration: Objects, Address Book
Hosts & Networks configuration items are symbolic names for IP hosts and networks.
Basic Configuration: Objects, ALG
ALGs (Application Layer Gateways) are designed to manage specific protocols. They examine the payload data and carry out appropriate actions based on defined rules. The appropriate ALG definition is selected in a Service configuration item; network traffic which matches that service definition is then managed by the selected ALG.
Basic Configuration: Objects, Services
A service is a definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as the TCP protocol with destination port 80.
Basic Configuration: Objects, Schedules
A schedule allows the firewall rules it is attached to to be used only at the designated times. Activity outside the scheduled time slot does not match those rules and is therefore unlikely to be permitted through the firewall.
Basic Configuration: Objects, Certificates
A certificate is a digital proof of identity: it links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities; these are commonly called end-entity certificates.
Basic Configuration: second step, create the rules
The Rules configuration section represents the rule-set, the "heart" of the firewall. The rule-set is the primary filter, configured to allow or disallow certain types of network traffic through the firewall. It also regulates how address translation and bandwidth management (traffic shaping) are applied to traffic flowing through the firewall.
Basic Configuration: IP Rules, Drop
Packets matching Drop rules are dropped immediately. Such packets are logged if logging has been enabled on the Log Settings page.
Figure: a packet matching a Drop rule is dropped and a log entry is written.
Basic Configuration: IP Rules, Reject
Reject works basically the same way as Drop. In addition, the firewall sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet is a TCP packet, a TCP RST.
Figure: a packet matching a Reject rule is dropped, the sender receives ICMP Unreachable or TCP RST, and a log entry is written.
Basic Configuration: IP Rules, FwdFast
Packets matching FwdFast rules are allowed through immediately. The firewall does not memorize the open connection and does not statefully inspect traffic which has passed through it. For one single packet this is indeed faster than first opening a state-tracked connection and then passing the packet to it, but when several packets pass over the same connection, state tracking (Allow) is faster.
Figure: packets matching FwdFast rules pass to the Internet with no stateful traffic inspection (open connections are not remembered). Note: Allow is usually faster than FwdFast. Remember that there needs to be a FwdFast rule in each direction.
Basic Configuration: IP Rules, Allow
Packets matching Allow rules are passed to the stateful inspection engine, which memorizes that a connection has been opened. Rules for the return traffic are not required, because traffic belonging to open connections is handled automatically before it reaches the rule set.
Figure: packets matching Allow rules pass to the Internet through logging and stateful inspection.
Basic Configuration: IP Rules, SAT
Nothing happens at the moment a packet matches a SAT rule. The firewall memorizes where to send the traffic and continues to look for a matching rule that will allow the packet to pass; the static address translation is performed at that stage.
Figure: a client on the Internet wants a file from an FTP server in the DMZ. The public_ip must first be bound to the WAN interface of the firewall; redirect_address is used to redirect incoming connections from public_ip to private_ip.
Basic Configuration: IP Rules, NAT
NAT rules perform dynamic address translation and hide the sender address, mostly so that all machines on a protected network appear to the outside world as if they use a single IP address.
Figure: Network Address Translation between the internal IP and the WAN IP towards the Internet.
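The IP rule actions on the preceding slides (Drop, Reject, FwdFast, Allow, SAT and NAT) and the top-down search of the rule-set, as one added Python example that is not the DFL's own code: a toy engine that looks up open connections before the rule set, remembers a SAT match until a later Allow applies the translation, rewrites the source for NAT, answers Reject with TCP RST or ICMP unreachable depending on the protocol, and forwards FwdFast traffic without keeping state, so the reverse direction needs its own rule. Interface names, address objects, rule names and the service table are constructed.

```python
# Added example, not the firewall's own code: a toy rule engine with the
# IP-rule actions the slides describe and a stateful connection table.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "iface proto src sport dst dport")
Rule = namedtuple("Rule", "name action src_if src_net dst_net service sat_to")

# Service objects: name -> (protocol, destination port); None means "any".
SERVICES = {"http": ("tcp", 80), "telnet": ("tcp", 23), "ping": ("icmp", None), "all": (None, None)}


def in_net(ip, net):
    return net == "all-nets" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def matches(rule, pkt):
    proto, port = SERVICES[rule.service]
    return (rule.src_if in ("any", pkt.iface) and in_net(pkt.src, rule.src_net)
            and in_net(pkt.dst, rule.dst_net)
            and proto in (None, pkt.proto) and port in (None, pkt.dport))


class Firewall:
    def __init__(self, rules, wan_ip):
        self.rules, self.wan_ip = rules, wan_ip
        self.conns = {}   # stateful table: 5-tuple -> (rule name, packet as it leaves the firewall)

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def open_connection(self, pkt, rule, new_src, new_dst):
        """Record both directions of a state-tracked connection together with its translation."""
        fwd = pkt._replace(src=new_src, dst=new_dst)
        self.conns[self.key(pkt)] = (rule.name, fwd)
        # Return traffic arrives addressed to the translated endpoints; it is mapped back
        # and allowed without ever consulting the rule set.
        back = Packet(None, pkt.proto, new_dst, pkt.dport, new_src, pkt.sport)
        self.conns[self.key(back)] = (rule.name, Packet(None, pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return fwd

    def process(self, pkt):
        """Return (verdict, detail): the packet as forwarded, or the reason/response for a refusal."""
        hit = self.conns.get(self.key(pkt))
        if hit:                                   # belongs to an open connection
            return "ALLOW", hit[1]._replace(iface=pkt.iface)
        pending_sat = None
        for rule in self.rules:                   # top-down, first terminal match wins
            if not matches(rule, pkt):
                continue
            if rule.action == "SAT":              # nothing happens yet: remember and keep searching
                pending_sat = rule.sat_to
                continue
            if rule.action == "Drop":
                return "DROP", rule.name
            if rule.action == "Reject":
                return "REJECT", "TCP RST" if pkt.proto == "tcp" else "ICMP unreachable"
            if rule.action == "FwdFast":          # no state: the reverse direction needs its own rule
                return "FORWARD", pkt
            # Allow or NAT: open a connection; apply the remembered SAT and, for NAT, hide the sender.
            new_src = self.wan_ip if rule.action == "NAT" else pkt.src
            return "ALLOW", self.open_connection(pkt, rule, new_src, pending_sat or pkt.dst)
        return "DROP", "no matching rule"


# Constructed rule set: lannet 10.0.0.0/24, dmznet 10.0.1.0/24, wan_ip 203.0.113.1.
RULES = [
    Rule("sat_http",   "SAT",     "wan", "all-nets",    "203.0.113.1/32", "http",   "10.0.1.10"),
    Rule("allow_http", "Allow",   "wan", "all-nets",    "203.0.113.1/32", "http",   None),
    Rule("ping_dmz",   "FwdFast", "lan", "10.0.0.0/24", "10.0.1.0/24",    "ping",   None),
    Rule("nat_out",    "NAT",     "lan", "10.0.0.0/24", "all-nets",       "all",    None),
    Rule("no_telnet",  "Reject",  "wan", "all-nets",    "203.0.113.1/32", "telnet", None),
    Rule("drop_all",   "Drop",    "any", "all-nets",    "all-nets",       "all",    None),
]

if __name__ == "__main__":
    fw = Firewall(RULES, "203.0.113.1")
    print(fw.process(Packet("wan", "tcp", "198.51.100.7", 5555, "203.0.113.1", 80)))
    print(fw.process(Packet("dmz", "tcp", "10.0.1.10", 80, "198.51.100.7", 5555)))
```

Note the ordering: ping_dmz sits above nat_out because nat_out's "all" service would otherwise catch the ICMP traffic first, which is the top-down behaviour the UI slide describes. The SAT rule is paired with an Allow rule using the same match criteria; the SAT rule alone forwards nothing.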
Basic Configuration: third step, create and verify the routing rules
- Main route: the Routes configuration section describes the firewall's routing table. The firewall uses a slightly different way of describing routes compared to most other systems.
- Policy-based route: the rules in the PBR rule-set specify which routing table is used in the forward as well as the return direction (selecting the routing priority).

Basic Configuration: main routing table
Routing tells the firewall in which direction it should send packets destined for a given IP address.
Basic Configuration: policy-based routing
- Connect to two or more ISPs and accept inbound connections from all of them; return traffic is routed back through the ISP that delivered the incoming request.
- Route certain protocols through transparent proxies such as web caches and anti-virus scanners, without adding another point of failure for the network as a whole.
- Create provider-independent metropolitan area networks, i.e. ones where all users share a common active backbone but are able to use different ISPs, subscribe to different streaming media providers, etc.
Figure: the firewall with WAN1 and WAN2 towards the Internet, an Intranet /24, an Extranet /24 and a DMZ.
Scenario & Hands-on
- Basic configuration (WAN/LAN/DMZ, transparent mode)
- Configure load sharing and route failover (using 2 WANs)
- Configure ZoneDefense
- Port mapping for a server (SAT and server load balancing)
- Runtime authentication configuration
- Traffic shaping
- Configure VPN tunnels (PPTP, L2TP and IPsec)
Scenario & Hands-on: topology covering all scenarios
Figure: a DFL-800 (WAN1 IP /24, Remote LAN, Internal LAN IP /24) connected over an IPsec VPN tunnel to a DFL-1600 with WAN1 (DHCP), WAN2 (static IP), an FTP server in the DMZ, and Internal LAN1, LAN2 and LAN3 (each /24).
Hands on: basic configuration, load sharing and route failover, ZoneDefense, port mapping for a server, user authentication, traffic shaping, VPN tunnel.
Scenario & Hands-on: network topology for the hands-on
Figure: all WAN1 ports connect to the main switch (ports G1-G4), which connects to the Internet.
Scenario & Hands-on: network topology for every group
Figure: four persons form one group; each group's LAN1 port connects to the group switch, which connects to the main switch.
Scenario & Hands-on 1: basic configuration (configure the WAN type, modify the IP addresses of the LANs and enable transparent mode)
Figure: WAN1 via PPPoE, DHCP or static IP (/24); Internal DMZ IP /24; Internal LAN1, LAN2 and LAN3 IP /24.
Objectives:
- How to modify the IP addresses for LAN and DMZ in Object
- How to use DHCP, static IP and PPPoE to access the Internet
- How to enable transparent mode
Scenario & Hands-on 1-1: basic configuration, modify the IP addresses for LAN and DMZ
Network topology: Internal LAN1, LAN2, LAN3 and DMZ, each with an IP /24.
Notes:
- The DFL-800 has only LAN and DMZ; the DFL-1600/2500 have LAN1, LAN2, LAN3 and DMZ.
- Pay attention to the default manageable status.
- Confirm the connecting port on the DFL-800, DFL-1600 and DFL-2500.
- Bind a secondary IP address to match the new network IP segment. After configuration, use the new LAN IP address as the default gateway on the laptop.
Objectives: reach the LAN1 IP address successfully (ping) or manage the Web UI by the new IP address.
The logic of configuration:
1. Bind a secondary IP address to match the new network IP segment; after configuration, use the new LAN IP address as the default gateway on your laptop.
2. Modify the IP address and network objects in the Address Book of Object.
Scenario & Hands-on: bind two IP addresses on one NIC
Screenshots: steps 1-6 of adding a second IP address to the laptop's network adapter.
Scenario & Hands-on 1-1: use a web browser such as Internet Explorer 6 or Firefox 1.0 to connect to the Web UI.
Scenario & Hands-on 1-1: modify the IP addresses for LAN and DMZ
Step 1: change the IP address in the Address Book of Object. Click "Interface Addresses" in Object and key in the correct IP address and network.
Step 2: alternatively, change the IP address under Ethernet in Interfaces, keying in the correct IP address and network.
Step 3: after all configuration is done, click "Configuration" in the main bar and then "Save and Activate".
Scenario & Hands-on 1-1: testing result
Ping the LAN IP address.
Scenario & Hands-on 1-1: how to modify the Web UI reconnection time
After you click "Save and Activate" you can adjust the reconnection time: click "Click here to edit the configuration verification timeout."
Scenario & Hands-on 1-1: use the new LAN IP address as the default gateway on the laptop
Screenshots: steps 1-8 of changing the laptop's default gateway.
Exercise 1-1: modify the IP addresses for LAN and DMZ
Objective: change the IP address of LAN1, then ping the new LAN1 IP address and access the Web UI by the new IP successfully.
LAN1 IP per group: Group A (1) /24, Group B (2) /24, ..., Group I (9) /24, Group J (10) /24.
Scenario & Hands-on 1-2: basic configuration, transparent mode
Network topology: WAN1 IP /24 and Internal LAN1 IP /24 on the same segment.
Notes: configure the default gateway; configure DHCP relay if the firewall is in a DHCP environment.
Objectives:
- Implement the firewall in transparent mode without changing the existing network settings.
- Allow or deny specific services and traffic (allow WAN1 to LAN1 for the ICMP service, allow LAN1 to WAN1 for all services).
The logic of configuration:
1. Enable transparent mode.
2. Configure IP rules and objects in the firewall.
3. Bind a secondary IP address to match the new network IP segment.
Scenario & Hands-on 1-2: transparent mode, configuration steps
Step 1: configure the IP objects in the Address Book of Object to the same segment. Click "Address Book" in Object and configure the IP addresses of WAN1 and LAN1.
Step 2: enable transparent mode for WAN1. Click "Ethernet" under "Interfaces", enable Transparent on the WAN1 interface, add the gateway object as "Default Gateway" and disable "Add route for interface network".
Step 3: enable transparent mode for LAN1. Click "Ethernet" under "Interfaces", enable Transparent on the LAN1 interface and disable "Add route for interface network".
Step 4: add the service rules under IP Rules (WAN1 to LAN1 and LAN1 to WAN1). Click "IP Rules" in Rules and choose the correct Action, Service, Interface and Network for each rule.
Step 5: create the DHCP relay from LAN1 to WAN1. Click "DHCP Relays" under "System" > "DHCP Settings" and choose the correct Interface and Network for the relay.
Step 6: after all configuration, click "Configuration" in the main bar and then "Save and Activate".
Scenario & Hands-on 1-2: testing result
Get an IP address from the DHCP server and ping the gateway.
Exercise 1-2: transparent mode
Objectives: enable transparent mode; allow ping from WAN to LAN; allow all services from LAN to WAN.
WAN1 IP / LAN1 IP per group: Group 1 /24, Group 2 /24, ..., Group 9 /24, Group 10 /24. DHCP server IP address: (given by the instructor). Internal LAN1.
Scenario & Hands-on 1-3: basic configuration, WAN type static IP
Network topology: WAN1 (static) IP /24, WAN1 gateway IP /24, Internal LAN1 IP /24. Note: configure the default gateway.
Objective: configure the WAN type with a static IP address.
The logic of configuration:
1. Before configuring the WAN type with a static IP, reset the device to defaults.
2. Create an object for the WAN1 gateway and apply it to the WAN1 interface.
3. Choose the correct Action, Service, Interface and Network for the rule.
Scenario & Hands-on 1-3: WAN type static IP, configuration steps
Step 1: create the correct gateway object under "Address Book". Click "Address Book" under "Objects", add an IP4 Host/Network object, and verify the IP addresses of wan1_ip and wan1net.
Step 2: apply the gateway object to the WAN interface. Click "Ethernet" under "Interfaces" and add the gateway object as "Default Gateway".
Step 3: create the service rule in IP Rules. Click "IP Rules" under "Rules" and choose the correct Action, Service, Interface and Network for the rule.
Step 4: after all configuration, click "Configuration" in the main bar and then "Save and Activate".
Scenario & Hands-on 1-3: testing result
Ping a host on the Internet (tw.yahoo.com).
Exercise 1-3: WAN type static IP
Objective: change the WAN type to a static IP address from the following list and use "NAT" mode to access the Internet.
WAN1 per group: Group 1 /24, Group 2 /24, ..., Group 9 /24, Group 10 /24. WAN1 gateway: (per group).
LAN1 per group: Group 1 /24, Group 2 /24, ..., Group 9 /24, Group 10 /24. Internal LAN1: group private IP.
Scenario & Hands-on 1-4: basic configuration, WAN type PPPoE
Network topology: WAN1 via PPPoE, Internal LAN1 IP /24. Notes: configure the PPPoE tunnel and apply it to the IP rule.
Objective: configure the WAN type as a PPPoE tunnel and access the Internet in NAT mode.
The logic of configuration:
1. Create a PPPoE tunnel and apply it to the IP rule.
2. Choose the correct Action, Service, Interface and Network for the rule.
Scenario & Hands-on 1-4: WAN type PPPoE, configuration steps
Step 1: create the PPPoE tunnel object. Click "PPPoE Tunnels" under "Interfaces" and set the correct Physical Interface, Remote Network, Username and Password in the object.
Step 2: create the IP rule. Click "IP Rules" under "Rules" and choose the correct Action, Service, Interface and Network for the rule.
Step 3: after all configuration, click "Configuration" in the main bar and then "Save and Activate".
Scenario & Hands-on 1-4: testing result
Ping a host on the Internet (tw.yahoo.com).
Exercise 1-4: WAN type PPPoE
Objective: configure the WAN type as a PPPoE tunnel so that local users can access the Internet. Topology: WAN1 via PPPoE, Internal LAN1 IP /24.
Scenario & Hands-on 1-5: basic configuration, WAN type DHCP
Network topology: WAN1 via DHCP, Internal LAN1 IP /24. Note: enable the DHCP client on the WAN interface.
Objective: dynamically assign an IP to the WAN interface so that local users can access the Internet by NAT.
The logic of configuration:
1. Enable "DHCP Client" on the interface.
2. Create the IP rule and choose the correct Action, Service, Interface and Network for the rule.
Scenario & Hands-on 1-5: WAN type DHCP, configuration steps
Step 1: enable the DHCP client. Click "Ethernet" under "Interfaces" and enable "DHCP Client" on WAN1.
Step 2: create the service rule. Click "IP Rules" in Rules and choose the correct Action, Service, Interface and Network for the rule.
Step 3: after all configuration, click "Configuration" in the main bar and then "Save and Activate".
Scenario & Hands-on 1-5: testing result
Verify the WAN IP from "Status" in the tool bar.
Exercise 1-5: WAN type DHCP
Objective: dynamically assign an IP to the WAN interface from the DHCP server so that local users can access the Internet. Topology: WAN1 to the DHCP server, Internal LAN1 IP /24.
Scenario & Hands-on 2-1: WAN failover
Network topology: WAN2 (static IP) with a WAN2 gateway IP, WAN1 via DHCP, Internal LAN1 IP /16, Internal LAN2 and LAN3 IP /24.
Notes: manually add the default routes in the main routing table; enable the "Monitor" feature on the routes; WAN2 is the backup link.
Objectives:
- WAN1 is the main link, WAN2 the backup link.
- When WAN1 is disconnected, all traffic goes through WAN2 to the Internet.
- When WAN1 is back to normal, all traffic goes through WAN1 again.
The logic of configuration:
1. Create the routing policy in the main routing table.
2. Apply the routing policy between the DHCP and static-IP WAN connections.
3. Create the IP rule and choose the correct Action, Service, Interface and Network for the rule.
Scenario & Hands-on 2-1: WAN failover, configuration steps
Step 1: on WAN1 (DHCP client), click "Ethernet" under "Interfaces" and uncheck "Add default route if default gateway is specified".
Step 2: create the correct gateway object for WAN2 in "Address Book" under "Objects": add an IP4 Host/Network object and modify wan2_ip and wan2net.
Step 3: apply the gateway object to the WAN2 interface and disable "Add default route". Click "Ethernet" under "Interfaces" and disable the default route on the interface.
Step 4: combine WAN1 and WAN2 into a WAN interface group. Click "Interface Groups" under "Interfaces", create the object and choose WAN1 and WAN2.
Step 5: create the IP rule for the WAN group. Click "IP Rules" under "Rules" and choose the correct Action, Service, Interface and Network for the rule.
Step 6: create the WAN1 route and enable "Monitor this route". Click "Main Routing Table" under "Routing", create the route for WAN1, choose the lower metric value and enable "Monitor this route".
Step 7: create the WAN2 route and enable "Monitor this route". Click "Main Routing Table" under "Routing", create the route for WAN2, choose the higher metric value and enable "Monitor this route".
Step 8: after all configuration, click "Configuration" in the main bar and then "Save and Activate".
Exercise 2-1: WAN failover
WAN2: group IP (static IP); WAN1: DHCP.
Objectives: WAN1 is the main link and WAN2 the backup link; when WAN1 is disconnected, all traffic fails over to WAN2.
WAN / LAN1 per group: Group 1 /24, Group 2 /24, ..., Group 9 /24, Group 10 /24. WAN2 gateway: (per group). Internal LAN1: group IP.
Scenario & Hands-on 2-2: load sharing and WAN failover
Network topology: WAN2 (static IP) /24 with a WAN2 gateway IP, WAN1 via DHCP, Internal LAN1 IP /16, Internal LAN2 and LAN3 IP /24. Notes: create a PBR table and apply it in a route policy.
Objectives:
- All services go through WAN1, but the FTP service and a specific IP range go through WAN2.
- When WAN1 is disconnected, all traffic goes through WAN2 to the Internet; when WAN1 is back to normal, all traffic goes through WAN1 again.
- When WAN2 is disconnected, the specified traffic and service can still reach the Internet via WAN1.
The logic of configuration: modify the PBR routing table and the routing rule.
Scenario & Hands-on 2-2: load sharing and WAN failover, configuration steps
Step 1: create the IP address object for the specific LAN1 range. Click "Address Book" under "Objects", and "Ethernet" under "Interfaces" to check the interface.
Step 2: add the WAN2 (static) route in the PBR table. Click "PBR Table" under "Routing", choose the higher metric in the PBR table and enable the monitor function.
Step 3: add the WAN1 route rule in the PBR policy. Click "PBR Policy" under "Routing" and choose the correct Forward table, Return table, Interface and Network.
Step 4: after all configuration, click "Configuration" in the main bar and then "Save and Activate".
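The main routing table with metrics and monitored routes (scenario 2-1), the PBR table and PBR policy that send FTP and a specific address range out via WAN2 (scenario 2-2), and the routing concept slides in the Basic Configuration section, as one added Python example that is not the DFL's own code: longest-prefix lookup with the metric as tie-break, route monitoring that skips a route whose link has failed so the higher-metric backup takes over, and a policy rule that selects the forward and return table per flow. Table names, interface names, gateway names and address ranges are constructed.

```python
# Added example, not the firewall's own code: main and PBR routing tables with
# metrics, route monitoring (failover) and a policy that picks the table per flow.
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "iface network gateway metric monitor")
Policy = namedtuple("Policy", "src_if src_net service forward_table return_table")


class RoutingTable:
    def __init__(self, name, routes):
        self.name = name
        self.routes = [r._replace(network=ipaddress.ip_network(r.network)) for r in routes]
        self.link_up = {}   # iface -> bool, maintained by route monitoring

    def lookup(self, dst):
        """Longest prefix wins; among equal prefixes the lowest metric; monitored routes whose
        link is down are skipped, which is what makes the higher-metric backup route take over."""
        ip = ipaddress.ip_address(dst)
        live = [r for r in self.routes
                if ip in r.network and (not r.monitor or self.link_up.get(r.iface, True))]
        if not live:
            return None
        return min(live, key=lambda r: (-r.network.prefixlen, r.metric))


class Router:
    def __init__(self, tables, policies):
        self.tables = {t.name: t for t in tables}
        self.policies = policies

    def set_link(self, iface, up):
        """Result of route monitoring: a failed interface disables its monitored routes in every table."""
        for table in self.tables.values():
            table.link_up[iface] = up

    def select_tables(self, src_if, src, service):
        """First matching PBR policy decides the forward and return tables; otherwise main is used."""
        for p in self.policies:
            if (p.src_if == src_if and ipaddress.ip_address(src) in ipaddress.ip_network(p.src_net)
                    and p.service in ("all", service)):
                return p.forward_table, p.return_table
        return "main", "main"

    def forward(self, src_if, src, dst, service):
        """Return (table used, egress interface or None, return table) for a new flow."""
        fwd_name, ret_name = self.select_tables(src_if, src, service)
        route = self.tables[fwd_name].lookup(dst)
        return fwd_name, (route.iface if route else None), ret_name


# Constructed tables for the 2-WAN scenario: WAN1 preferred in main, WAN2 preferred in the PBR table.
MAIN_ROUTES = [
    Route("lan1", "10.0.0.0/24", None, 100, False),
    Route("wan1", "0.0.0.0/0", "wan1_gw", 10, True),    # main link, lower metric, monitored
    Route("wan2", "0.0.0.0/0", "wan2_gw", 20, True),    # backup link, higher metric, monitored
]
WAN2_FIRST_ROUTES = [
    Route("wan2", "0.0.0.0/0", "wan2_gw", 10, True),
    Route("wan1", "0.0.0.0/0", "wan1_gw", 20, True),    # falls back to WAN1 if WAN2 is down
]
POLICIES = [
    Policy("lan1", "10.0.0.0/24", "ftp", "wan2_first", "wan2_first"),      # FTP service via WAN2
    Policy("lan1", "10.0.0.128/25", "all", "wan2_first", "wan2_first"),    # specific IP range via WAN2
]


def build_router():
    """Fresh router for the constructed scenario (all links up)."""
    return Router([RoutingTable("main", MAIN_ROUTES), RoutingTable("wan2_first", WAN2_FIRST_ROUTES)], POLICIES)


if __name__ == "__main__":
    router = build_router()
    print(router.forward("lan1", "10.0.0.5", "192.0.2.50", "http"))   # via wan1 from main
    print(router.forward("lan1", "10.0.0.5", "192.0.2.50", "ftp"))    # via wan2 from wan2_first
    router.set_link("wan1", False)
    print(router.forward("lan1", "10.0.0.5", "192.0.2.50", "http"))   # failover to wan2
```

Both tables carry both default routes, which is why each side of the load-sharing split still has a path when its preferred WAN is down; the metrics only decide the order of preference within a table.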
Exercise 2-2: load sharing
WAN2: static IP; WAN1: DHCP. Internal LAN1 IP: x.0/24.
Objectives:
- Load sharing: ping-outbound and traffic from the specific IP range X go out via WAN2; all other services reach the Internet via WAN1.
- Failover: when any WAN cable is unplugged, users can still access the Internet via the other WAN port.
137
How to enable the function of “tracer”
Modify the minimum TTL value to 1: click “IP Settings” under “Advanced Settings” in “System”; key in the smallest value (1).
138
How to enable the function of “tracer”
Enable “Pass returned from ICMP error messages from destination”: click “Services” in “Objects” and choose the “all_icmp” object.
139
Scenario & Hands-on 3 ZoneDefense
When an infected host spreads a worm into the network, the firewall can stop the malicious traffic from flooding other subnets, but it has no way to stop the host from infecting its own network (subnet A). The most effective solution is for the firewall to trigger ACLs in the LAN switches to filter any malicious traffic found in real time. D-Link firewalls implement the ZoneDefense feature to perform proactive network security together with D-Link switches, setting ACLs to block a specific MAC or IP address. Diagram labels: DMZ, WAN, Firewall, DES-3x26S, DES-3350SR, DES-3250TG, DES-3500 series, DES-3800 series, xStack series, Subnet A, Subnet B, Subnet C, Infected Host.
140
Scenario & Hands-on 3 ZoneDefense
Unique to D-Link: it operates with D-Link switches to isolate an infected host that is generating unusual traffic on the LAN. It uses threshold rules to examine connections through the firewall and take action on them. The threshold rules monitor the number of connections per second; when a pre-defined limit is reached, the firewall sends block requests to the switches configured for ZoneDefense.
141
Scenario & Hands-on 3 ZoneDefense Internet
142
Scenario & Hands-on 3 ZoneDefense INTERNET Note: WAN1
Verify the model of the supporting switch; verify the IP address of the switch; verify the SNMP community between switch and firewall. Diagram labels: WAN1 IP: /24; LAN1 IP: /24; Switch IP: /24; DGS-3324SR; PC; PC. Block HTTP requests exceeding 4 sessions for every host.
143
Scenario & Hands-on 3 ZoneDefense. Objectives: When the traffic of any host exceeds 4 sessions, the firewall has the switch create an ACL rule to block the illegal traffic. The logic of configuration: configure the switch; choose the correct switch model; exclude the switch and the administrator; create and configure the threshold rule.
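The threshold rule described here, as an added example that is not part of the training deck: detection logic run over a constructed connection log that counts new connections per host per second, applies both a host-based and a network-based limit (the host limit must stay below the network limit, as the deck notes), skips the excluded switch and administrator addresses, and returns the block requests the firewall would hand to the switch. The switch side is only modelled as a returned list, not real SNMP; all addresses are constructed.

```python
"""Added example, not code from the D-Link training deck: a simplified model
of the ZoneDefense threshold rule. It counts new connections per source host
per second in a constructed connection log, applies a host-based and a
network-based limit, leaves excluded addresses (switch and administrator)
alone, and returns the block requests the firewall would hand to the switch.
The switch side is only modelled, not real SNMP."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample connection log: (second, src_ip, dst_ip, service)
SAMPLE_LOG = [
    (100, "192.168.1.10", "203.0.113.5", "http"),
    (100, "192.168.1.10", "203.0.113.6", "http"),
    (100, "192.168.1.10", "203.0.113.7", "http"),
    (100, "192.168.1.10", "203.0.113.8", "http"),
    (100, "192.168.1.10", "203.0.113.9", "http"),  # 5th in one second: over host limit 4
    (100, "192.168.1.20", "203.0.113.5", "http"),
    (100, "192.168.1.20", "203.0.113.6", "http"),
    (101, "192.168.1.20", "203.0.113.7", "http"),  # new second, counters start again
    (101, "192.168.1.20", "203.0.113.8", "http"),
    (101, "192.168.1.20", "203.0.113.9", "http"),
    (101, "192.168.1.1", "203.0.113.5", "http"),   # administrator: excluded
    (101, "192.168.1.1", "203.0.113.6", "http"),
    (101, "192.168.1.1", "203.0.113.7", "http"),
    (101, "192.168.1.1", "203.0.113.8", "http"),
    (101, "192.168.1.1", "203.0.113.9", "http"),
    (101, "192.168.1.30", "203.0.113.5", "ftp"),   # other service: not this rule
]

EXCLUDED = frozenset({"192.168.1.1", "192.168.1.2"})  # constructed admin and switch IPs


def threshold_violations(log, service="http", host_limit=4, network_limit=6,
                         exclude=EXCLUDED):
    """Return (host_hits, network_hits): host_hits maps (src_ip, second) to the
    count that exceeded host_limit; network_hits maps a second to the total
    count that exceeded network_limit. The host limit must be lower than the
    network limit, otherwise the per-host rule could never fire first."""
    if host_limit >= network_limit:
        raise ValueError("host-based threshold must be smaller than the network threshold")
    per_host: Dict[Tuple[str, int], int] = defaultdict(int)
    per_second: Dict[int, int] = defaultdict(int)
    for second, src, _dst, svc in log:
        if svc != service or src in exclude:
            continue
        per_host[(src, second)] += 1
        per_second[second] += 1
    host_hits = {k: v for k, v in per_host.items() if v > host_limit}
    network_hits = {s: v for s, v in per_second.items() if v > network_limit}
    return host_hits, network_hits


def block_requests(host_hits) -> List[Tuple[str, str]]:
    """One block request per offending host (what the firewall sends to the
    switch, which turns it into an ACL entry). Sorted and de-duplicated."""
    hosts = sorted({src for (src, _second) in host_hits})
    return [("acl-block", h) for h in hosts]


if __name__ == "__main__":
    hosts, net = threshold_violations(SAMPLE_LOG)
    print("host violations:", hosts)
    print("network violations:", net)
    print("block requests:", block_requests(hosts))
```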
144
Scenario & Hands-on 3 ZoneDefense
Reset the switch to default and configure its IP address: use the switch CLI; key in “reset config”; key in “config ipif System ipaddress /24”.
145
Scenario & Hands-on 3 ZoneDefense
Verify communication between firewall and switch and inspect the community on the switch: use the switch CLI; key in “show snmp community”.
146
Scenario & Hands-on 3 ZoneDefense
Create the IP address objects for the switch and the administrator: click “Address Book” under “Objects”; add an IP4 Host/Network object.
147
Scenario & Hands-on 3 ZoneDefense
Create the switch object in ZoneDefense: click “Switches” under “ZoneDefense”; choose the correct switch model and key in the SNMP community; verify that the firewall can communicate with the switch.
148
Scenario & Hands-on 3 ZoneDefense
Exclude the switch and the administrator: click “Exclude” under “ZoneDefense”; choose the correct objects.
149
Scenario & Hands-on 3 ZoneDefense
Create the threshold rule in ZoneDefense: click “Threshold” under “ZoneDefense”; choose the correct interface and network; key in the threshold condition (the host-based value must be smaller than the network value).
150
Scenario & Hands-on 3 ZoneDefense
After all configuration, click “Configuration” in the main bar, then click “Save and Activate”.
151
Scenario & Hands-on 3 ZoneDefense Testing Result
Block status from the firewall; block status from the switch.
152
Scenario & Hands-on 3 Exercise-3 ZoneDefense. Diagram labels: WAN1 DHCP; LAN1 IP: group IP address; DGS-3324SR, switch IP: an IP in the same segment as the LAN1 IP; PC; PC. Objective: When the web traffic of any host exceeds 2 sessions, the firewall has the switch create an ACL rule to block the illegal traffic.
153
Scenario & Hands-on 4-1 Port mapping for server Network topology WAN1
Diagram labels: WAN1 IP: /24; FTP server public IP: /24; FTP server private IP: /24; FTP Server; DMZ; Internal LAN3 IP: /24; Internal LAN1 IP: /24; Internal LAN2 IP: /24. Note: add the additional public IP address in the “ARP table”; verify the sequence of the IP rules.
154
Scenario & Hands-on 4-1 Port mapping for server. Objectives: Access the FTP server by its public IP address ( ). The logic of configuration: create objects for the public and private IP addresses of the FTP server; create an ARP object in the ARP table; create the IP rules (SAT and Allow) for the FTP server.
155
Scenario & Hands-on 4-1 Port mapping for server
Add objects for both the public and the virtual (private) IP address of the FTP server: click “Address Book” under “Objects”; key in the correct IP addresses.
156
Scenario & Hands-on 4-1 Port mapping for server
Create the object in the ARP table: click “ARP Table” under “Interfaces”; apply the object with the FTP IP address.
157
Scenario & Hands-on 4-1 Port mapping for server
Create the IP rule that maps the FTP server (SAT): click “IP Rule” under “Rules”; choose the correct action, service, interface, SAT setting and network for the rule.
158
Scenario & Hands-on 4-1 Port mapping for server
Create the IP rule that allows the FTP server (Allow FTP): click “IP Rule” under “Rules”; choose the correct action, service, interface and network for the rule.
159
Scenario & Hands-on 4-1 Port mapping for server
After all configuration, click “Configuration” in the main bar, then click “Save and Activate”.
160
Scenario & Hands-on 4-1 Port mapping for server: the FTP server is reached successfully (topology).
161
Scenario & Hands-on 4-1 Exercise 4-1 - Port mapping for server
Diagram labels: WAN1: DHCP; FTP server: group public IP address / group private IP; DMZ port: DFL-800: port DMZ, DFL-1600: port #3, DFL-2500: port #5. Objective: Access the FTP server by the group's public IP address successfully. FTP server public IP: Group1: /24, Group2: /24, …, Group9: /24, Group10: /24. FTP server private IP: /24.
162
Scenario & Hands-on 4-2 SAT in PPPoE connection Network topology WAN1
Diagram labels: FTP Server; DMZ; Internal LAN3 IP: /24; Internal LAN1 IP: /24; Internal LAN2 IP: /24. Note: add the PPPoE tunnel in Interfaces; verify the sequence of the IP rules.
163
Scenario & Hands-on 4-2 SAT in PPPoE connection. Objectives: When a PPPoE connection is used, the internal FTP server can be accessed from the public network. The logic of configuration: create the PPPoE connection object; create the private IP address object for the FTP server; create the IP rules (SAT and Allow) for the FTP server.
164
Scenario & Hands-on 4-2 SAT in PPPoE connection
Create the PPPoE tunnel object: click “PPPoE Tunnels” under “Interfaces”; set the correct physical interface, remote network, username and password in the object.
165
Scenario & Hands-on 4-2 SAT in PPPoE connection
Add the object for the virtual (private) IP address of the FTP server: click “Address Book” under “Objects”; key in the correct IP address.
166
Scenario & Hands-on 4-2 SAT in PPPoE connection
When a PPPoE connection is used, create the IP rule that maps the FTP server (SAT): click “IP Rule” under “Rules”; choose the correct action, service, interface, SAT setting and network for the rule.
167
Scenario & Hands-on 4-2 SAT in PPPoE connection
Create the IP rule that allows the FTP server (Allow FTP): click “IP Rule” under “Rules”; choose the correct action, service, interface and network for the rule.
168
Scenario & Hands-on 4-2 SAT in PPPoE connection
After all configuration, click “Configuration” in the main bar, then click “Save and Activate”.
169
Scenario & Hands-on 4-2 SAT in PPPoE connection: the FTP server is reached successfully (topology).
170
Scenario & Hands-on 4-2 Exercise 4-2 - SAT in PPPoE connection
Diagram labels: WAN1: PPPoE; FTP server: group public IP address / group private IP; DMZ port: DFL-800: port DMZ, DFL-1600: port #3, DFL-2500: port #5. Objective: Access the FTP server by the group's public IP address successfully. FTP server public IP: Group1: /24, Group2: /24, …, Group9: /24, Group10: /24. FTP server private IP: /24.
171
Scenario & Hands-on 4-3 SAT and server load balance Network topology
Diagram labels: WAN1 IP: /24; FTP server public IP: /24; FTP Server-1; FTP Server-1; DMZ; Internal LAN3 IP: /24; Internal LAN1 IP: /24; Internal LAN2 IP: /24. Note: add the additional public IP address in the “ARP table”; verify the sequence of the IP rules.
172
Scenario & Hands-on 4-3 SAT and server load balance. Objectives: Access two FTP servers by one public IP address ( ). The logic of configuration: create objects for the public and private IP addresses of the two FTP servers; create an ARP object in the ARP table; create the IP rules (SAT_SLB and Allow) for the FTP servers.
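The rule sequencing that scenarios 4-1 and 4-3 both depend on (a SAT or SAT_SLB rule followed by an Allow rule), as an added example that is not part of the training deck: a first-match rule evaluator in which a SAT rule only records the destination rewrite and evaluation continues, so a translated connection is still dropped unless an Allow rule follows. Rule names, addresses and the round-robin server choice are constructed; real firewall behaviour may differ in details.

```python
"""Added example, not code from the D-Link training deck: a model of the
first-match IP rule evaluation behind scenarios 4-1 and 4-3. In this model
a SAT (or SAT_SLB) rule only records the destination rewrite and evaluation
continues to the rules that follow, so a matching Allow rule must come after
the SAT rule. Rule names, addresses and services are constructed."""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterator, List, Optional


@dataclass
class Rule:
    name: str
    action: str                          # "SAT", "SAT_SLB", "Allow", "NAT" or "Drop"
    src_if: str                          # interface the packet arrives on
    dst_ip: str                          # destination address the rule matches
    service: str                         # "ftp", "http", ... or "all"
    new_dst: Optional[List[str]] = None  # SAT target; several targets for SAT_SLB


@dataclass
class Decision:
    verdict: str           # "Allow", "NAT" or "Drop"
    matched: List[str]     # names of the rules that matched, in order
    dst: str               # destination after translation (unchanged if no SAT applied)


class RuleSet:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # Round-robin iterator per SAT rule: SAT with one target always yields
        # that target; SAT_SLB alternates between its servers.
        self._targets: Dict[str, Iterator[str]] = {
            r.name: cycle(r.new_dst) for r in rules if r.new_dst}

    def evaluate(self, src_if: str, dst_ip: str, service: str) -> Decision:
        matched: List[str] = []
        dst, translated = dst_ip, False
        for r in self.rules:
            # Later rules are still matched on the original destination address.
            if r.src_if != src_if or r.dst_ip != dst_ip or r.service not in (service, "all"):
                continue
            matched.append(r.name)
            if r.action in ("SAT", "SAT_SLB"):
                if not translated:          # only the first SAT rule rewrites
                    dst = next(self._targets[r.name])
                    translated = True
                continue                    # SAT does not end the lookup
            return Decision(r.action, matched, dst)
        return Decision("Drop", matched, dst)  # nothing allowed it: default drop


# Scenario 4-3 style rule set: one public address, two FTP servers behind SAT_SLB,
# followed by the Allow rule that actually admits the translated connection.
SLB_RULES = [
    Rule("sat_slb_ftp", "SAT_SLB", "wan1", "203.0.113.10", "ftp", ["10.0.0.5", "10.0.0.6"]),
    Rule("allow_ftp", "Allow", "wan1", "203.0.113.10", "ftp"),
]

# The same two rules in the wrong order: Allow fires first and the SAT never runs.
WRONG_ORDER = [SLB_RULES[1], SLB_RULES[0]]
```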
173
Scenario & Hands-on 4-3 SAT and server load balance
Add the public IP address object for the two FTP servers: click “Address Book” under “Objects”; key in the correct IP address.
174
Scenario & Hands-on 4-3 SAT and server load balance
Add two virtual (private) IP address objects for the two FTP servers: click “Address Book” under “Objects”; key in the correct IP addresses.
175
Scenario & Hands-on 4-3 SAT and server load balance
Apply the IP address object to the ARP table: click “ARP Table” under “Interfaces”; apply the object for the FTP IP address.
176
Scenario & Hands-on 4-3 SAT and server load balance
Create the IP rule for the FTP servers: click “IP Rule” in Rules; choose the correct action, service, interface, SLB_SAT setting and network in the rule.
177
Scenario & Hands-on 4-3 SAT and server load balance
Create the IP rule that allows the FTP servers (Allow FTP): click “IP Rule” in Rules; choose the correct action, service, interface and network in the rule.
178
Scenario & Hands-on 4-3 SAT and server load balance
After all configuration, click “Configuration” on the main menu bar, then click “Save and Activate”.
179
Scenario & Hands-on 4-3 Exercise 4-3- SAT and server load balance
Diagram labels: WAN1: DHCP; FTP Server-1: group public IP; FTP Server-1: group private IP-1; FTP Server-1: group private IP-2; DMZ. Objective: Access the two FTP servers by the group's public IP address successfully. FTP server public IP: Group1: /24, Group2: /24, …, Group9: /24, Group10: /24. FTP server private IP-1: /24. DMZ: FTP server private IP-2: Group1: /24.
180
Scenario & Hands-on 5 Process of authentication
Runtime Authentication configuration: diagram of the process of authentication (HTTP request from the client towards the Internet).
181
Scenario & Hands-on 5 Runtime Authentication configuration
Authorizes users to access the Internet, LAN and intranet services through either the local database or a RADIUS server. The user authentication rules must be saved and activated for the settings to apply.
182
Scenario & Hands-on 5 Runtime Authentication configuration
Diagram: the Core owns the interface IP addresses (192.168.10.1 and 10.0.100.97 in the figure); labels: Core, WAN, LAN.
183
Scenario & Hands-on 5 Runtime Authentication configuration
Network topology. Diagram labels: WAN1 IP: /24; LAN1 IP: /24; Switch IP: /24; DES-3226S; PC; PC; authenticated user accessing the Internet. Note: modify the Web UI HTTP port; verify the sequence of the IP rules.
184
Scenario & Hands-on 5 Runtime Authentication configuration. Objectives: When a user opens a web browser, a login screen pops up automatically and requests a login. Services are allowed after authentication. Users can either log out manually or are logged out automatically when the preset idle time is reached. The logic of configuration: change the Web UI HTTP port; create an object for the specific traffic network; create a local user database; create IP rules for authentication.
185
Scenario & Hands-on 5 Runtime Authentication configuration
Change the remote management HTTP port to avoid a port conflict: click “Remote Management”, then click “Modify advanced settings”; change the WebUI HTTP port.
186
Scenario & Hands-on 5 Runtime Authentication configuration
Create the user database for authentication: click “Local User Database” in User Authentication; key in the authenticated user (user name/password).
187
Scenario & Hands-on 5 Runtime Authentication configuration
Create the user authentication rules: click “User Authentication Rules” in User Authentication; choose the corresponding settings.
188
Scenario & Hands-on 5 Runtime Authentication configuration
Create the user authentication rules: click “User Authentication Rules” in User Authentication; choose the corresponding settings.
189
Scenario & Hands-on 5 Runtime Authentication configuration
Create the IP address object for authenticating users: click “Address Book” in Objects; add an object for the authenticating users; key in the correct IP address and group name.
190
Scenario & Hands-on 5 Runtime Authentication configuration
Create the “Allow” rule (rule-1): click “IP Rule” in Rules; choose the correct action, service, interface and network in the rule.
191
Scenario & Hands-on 5 Runtime Authentication configuration
Create the “NAT-DNS” rule (rule-2): click “IP Rule” in Rules; choose the correct action, service, interface and network in the rule.
192
Scenario & Hands-on 5 Runtime Authentication configuration
Create the “NAT-all_service” rule (rule-3): click “IP Rule” in Rules; choose the correct action, service, interface and network in the rule.
193
Scenario & Hands-on 5 Runtime Authentication configuration
Create the “SAT” rule (rule-4): click “IP Rule” in Rules; choose the correct action, service, interface and network in the rule.
194
Scenario & Hands-on 5 Runtime Authentication configuration
Create the “Allow” rule (rule-5): click “IP Rule” in Rules; choose the correct action, service, interface and network in the rule.
195
Scenario & Hands-on 5 Runtime Authentication configuration
After all configuration, click “Configuration” on the main menu bar, then click “Save and Activate”.
196
Scenario & Hands-on 5 Runtime Authentication configuration
Purpose of the five rules: rule-1 (Allow): allow the manual log-out web page; rule-2 (NAT-DNS): allow users to look up DNS; rule-3 (NAT-all_service): allow authorized users to use network services; rule-4 (SAT): all HTTP traffic is mapped to the firewall's LAN1 IP address; rule-5 (Allow): allow all HTTP traffic to map to the LAN1 IP address.
197
Scenario & Hands-on 5 Runtime Authentication configuration
Testing Result
198
Scenario & Hands-on 5 Exercise 5: Runtime Authentication configuration. Diagram labels: WAN1 DHCP; LAN1 IP: /24; Switch IP: /24; DES-3226S; PC; PC; authenticated user accessing the Internet. Objective: The specific user or network must be authorized before accessing the Internet. Users can either log out manually or are logged out automatically when the preset idle time is reached.
199
Scenario & Hands-on 6 Traffic Shaping Pipes concept
200
Scenario & Hands-on 6 Traffic Shaping: The concept of dynamic balancing. This diagram shows the case without dynamic balancing.
201
Scenario & Hands-on 6 Traffic Shaping: The concept of dynamic balancing. This diagram shows the case when the dynamic balancing function is used.
202
Scenario & Hands-on 6 Traffic Shaping: The concept of precedence. Precedence levels within a pipe: Highest, High, Medium, Low.
203
Scenario & Hands-on 6 Traffic Shaping: Concept of design (pipe 1Mbps). Bandwidth of a leased line with 1Mbps in both directions (two pipes). The pipe throughput should be less than the physical link!
204
Scenario & Hands-on 6 Traffic Shaping: Concept of design (pipe 1Mbps), download. Within the 1Mbps pipe: HTTP 250Kbps (Highest), FTP 250Kbps (High), SMTP 500Kbps (Low).
205
Scenario & Hands-on 6 Traffic Shaping Pipes
All measuring, limiting, guaranteeing and balancing is carried out in pipes. A pipe by itself is meaningless unless it is put into use in the Rules section. Each rule can pass traffic through one or more pipes, at a precedence (priority) of your choice.
206
Scenario & Hands-on 6 Traffic Shaping: Precedence. Determine the bandwidth of each precedence.
207
Scenario & Hands-on 6 Traffic Shaping Pipes rules
Plan your traffic shaping requirements. If you do not know how traffic should be limited, prioritized, guaranteed, or distributed, you will likely find the configuration work more confusing than helpful.
208
Scenario & Hands-on 6 Traffic Shaping Precedence Assign precedence
209
Scenario & Hands-on 6 Traffic Shaping
Network topology. Diagram labels: External, WAN1, Internal LAN1. Bandwidth of the leased line: download 1Mbps, upload 1Mbps. Requirements: 1. For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500Kb. 2. For inbound and outbound POP3, the guaranteed bandwidth is 300Kb (maximum bandwidth 1000Kb). 3. For all other inbound and outbound services, the remaining bandwidth is used. 4. All of the above services have dedicated bandwidth values. Note: before using traffic shaping for a specified application, make sure that the IP rule for that application has been created.
210
Scenario & Hands-on 6 Traffic Shaping. Objectives: For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500Kb. For inbound and outbound POP3, the guaranteed bandwidth is 300Kb (maximum bandwidth 1000Kb). For all other inbound and outbound services, the remaining bandwidth is used. All of the above services have dedicated bandwidth values. The logic of configuration: make sure the IP rules exist; create the pipe objects; create the pipe rules; choose the correct action, service, interface and network in each rule; key in the correct precedence and total bandwidth values.
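How the objectives above share the 1Mbps link, as an added example that is not part of the training deck: a simplified two-pass allocator in which guarantees are honoured first in precedence order and the rest is handed out best-effort, never exceeding a class's ceiling or the pipe total. The per-class numbers are the ones stated in the objectives; the demand figures, class names and the strict precedence ordering within best-effort are constructed simplifications.

```python
"""Added example, not code from the D-Link training deck: a model of how the
pipe design in scenario 6 shares a 1Mbps link. Each class gets a guaranteed
share (served first, in precedence order) and a ceiling; whatever is left is
handed out best-effort in precedence order. The per-class numbers are the
ones stated in the objectives; the demand figures are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PipeClass:
    precedence: int              # higher precedence is served first
    guarantee: int = 0           # kbps guaranteed before lower precedences get anything
    limit: Optional[int] = None  # kbps ceiling for the class; None = only the pipe total


# Scenario 6 objectives, one direction (the other direction is an identical pipe).
SCENARIO_6 = {
    "http_https": PipeClass(precedence=2, limit=500),             # max 500Kb
    "pop3": PipeClass(precedence=6, guarantee=300, limit=1000),   # guaranteed 300, max 1000
    "other": PipeClass(precedence=0),                             # remaining bandwidth
}


def allocate(demand: Dict[str, int], classes: Dict[str, PipeClass] = SCENARIO_6,
             total: int = 1000) -> Dict[str, int]:
    """Return kbps granted per class for one shaping interval.
    Pass 1 honours guarantees, highest precedence first.
    Pass 2 hands the remaining bandwidth out best-effort, again by precedence,
    never exceeding a class's demand or its limit, and never the pipe total."""
    order = sorted(classes, key=lambda n: classes[n].precedence, reverse=True)
    granted = {n: 0 for n in classes}
    remaining = total
    for name in order:                                   # pass 1: guarantees
        want = min(demand.get(name, 0), classes[name].guarantee, remaining)
        granted[name] += want
        remaining -= want
    for name in order:                                   # pass 2: best effort
        cls = classes[name]
        ceiling = cls.limit if cls.limit is not None else total
        want = min(demand.get(name, 0), ceiling, total) - granted[name]
        want = max(0, min(want, remaining))
        granted[name] += want
        remaining -= want
    return granted


if __name__ == "__main__":
    # Constructed demand: everyone wants more than the link can carry.
    print(allocate({"http_https": 800, "pop3": 600, "other": 400}))
```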
211
Scenario & Hands-on 6 Traffic Shaping
Create the input pipe object (the standard-in pipe): click “Pipes” in Traffic Shaping; key in the corresponding precedence and total bandwidth values.
212
Scenario & Hands-on 6 Traffic Shaping
Create the output pipe object (the outbound pipe): click “Pipes” in Traffic Shaping; key in the corresponding precedence and total bandwidth values.
213
Scenario & Hands-on 6 Traffic Shaping
Create the HTTP input pipe object (the HTTP-in pipe): click “Pipes” in Traffic Shaping; key in the corresponding precedence and total bandwidth values.
214
Scenario & Hands-on 6 Traffic Shaping
Create the HTTP output pipe object (the HTTP-out pipe): click “Pipes” in Traffic Shaping; key in the correct precedence and total bandwidth values.
215
Scenario & Hands-on 6 Traffic Shaping
Create the HTTP pipe rule: click “Pipe Rules” in Traffic Shaping; key in the corresponding precedence and total bandwidth values.
216
Scenario & Hands-on 6 Traffic Shaping
Create the POP3 input pipe object (the POP3-in pipe): click “Pipes” in Traffic Shaping; key in the corresponding precedence and total bandwidth values.
217
Scenario & Hands-on 6 Traffic Shaping
Create the POP3 output pipe object (the POP3-out pipe): click “Pipes” in Traffic Shaping; key in the corresponding precedence and total bandwidth values.
218
Scenario & Hands-on 6 Traffic Shaping
Create the POP3 pipe rule: click “Pipe Rules” in Traffic Shaping; choose the correct action, service, interface and network in the rule.
219
Scenario & Hands-on 6 Traffic Shaping
Create the pipe rule for other services: click “Pipe Rules” in Traffic Shaping; choose the correct action, service, interface and network in the rule.
220
Scenario & Hands-on 6 Traffic Shaping
After all configuration, click “Configuration” on the main menu bar, then click “Save and Activate”.
221
Scenario & Hands-on 6 Traffic Shaping
Before using traffic shaping for a specified application, make sure that the IP rule for that application has been created.
222
Scenario & Hands-on 6 Traffic Shaping
First step: create two bidirectional pipes for the physical WAN link. Second step: create two bidirectional pipes for the specified application.
223
Scenario & Hands-on 6 Traffic Shaping
Third step: Create pipe rules for the specified application
224
Scenario & Hands-on 6 Exercise 6: Traffic Shaping. Diagram labels: External, WAN1, Internal LAN1; bandwidth of the leased line: download 1Mbps, upload 1Mbps. Objectives: For inbound and outbound SMTP, the maximum bandwidth is 400Kb. For inbound and outbound FTP, the guaranteed bandwidth is 250Kb (maximum bandwidth 500Kb). For all other inbound and outbound services, the maximum bandwidth is 350Kb. All of the above services have dedicated bandwidth values.
225
Scenario & Hands-on 7-1 VPN Configuration-PPTP Network topology
Diagram labels: PPTP client IP: /24; VPN tunnel; WAN1 DHCP IP: /24; DFL-1600; Internal LAN3 IP: /24; Internal LAN1 IP: /24; Internal LAN2 IP: /24. Note: choose the correct inner IP address and outer interface filter for the PPTP tunnel.
226
Scenario & Hands-on 7-1 VPN Configuration-PPTP. Objectives: The user dials up to the firewall with the Windows PPTP client software; the dial-up user communicates with LAN1 of the firewall. The logic of configuration: create objects for the PPTP server IP address and the IP address range; create the authentication database; configure the PPTP server; create the IP rule for the PPTP tunnel.
227
Scenario & Hands-on 7-1 VPN Configuration-PPTP
Create objects for the PPTP server IP address and the IP address range: click “Address” in Objects; key in the corresponding IP addresses.
228
Scenario & Hands-on 7-1 VPN Configuration-PPTP
Create the local database for PPTP authentication: click “Local User Databases” in User Authentication; key in the correct username and password.
229
Scenario & Hands-on 7-1 VPN Configuration-PPTP
Create the PPTP tunnel: click “PPTP/L2TP Servers” in Interface; choose the corresponding configuration.
230
Scenario & Hands-on 7-1 VPN Configuration-PPTP
Create the user authentication rules for the PPTP tunnel: click “User Authentication Rules” in User Authentication; choose the corresponding configuration; enable the log setting and choose the local user database.
231
Scenario & Hands-on 7-1 VPN Configuration-PPTP
Create the IP rules for the PPTP tunnel: click “IP Rules” in Rules; choose the corresponding configuration; enable the log setting.
232
Scenario & Hands-on 7-1 VPN Configuration-PPTP
After all configuration, click “Configuration” on the main menu bar, then click “Save and Activate”.
233
Scenario & Hands-on 7-1 VPN Configuration-PPTP Testing Result
234
Scenario & Hands-on 7-1 Exercise 7-1- VPN Configuration-PPTP
Diagram labels: PPTP client; VPN tunnel; WAN1 DHCP IP; DFL-1600; Internal LAN3 IP: /24; Internal LAN1 IP: /24; Internal LAN2 IP: /24. Objectives: Use the Windows client to dial up PPTP; ping the IP address of the firewall's LAN.
235
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec Network topology
Diagram labels: L2TP/IPsec client; VPN tunnel; WAN1 DHCP; DFL-1600; Internal LAN3 IP: /24; Internal LAN1 IP: /24; Internal LAN2 IP: /24. Note: L2TP/IPsec must use transport mode; choose the correct local net and remote net for the IPsec tunnel; choose the correct inner IP address and outer interface filter for the L2TP tunnel.
236
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec. Objectives: The user dials up to the firewall with the Windows L2TP/IPsec client software; the dial-up user communicates with LAN1 of the firewall. The logic of configuration: create objects for the L2TP server IP address and the IP address range; create the authentication database; configure the IPsec tunnel; configure the L2TP server; create the IP rule for the L2TP tunnel.
237
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create objects for the L2TP server IP address and the IP address range: click “Address” in Objects; key in the corresponding IP addresses.
238
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create the local database for L2TP authentication: click “Local User Databases” in User Authentication; key in the correct username and password.
239
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create the pre-shared key for L2TP: click “Pre-Shared Keys” in VPN Objects; key in the corresponding value.
240
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create the IPsec tunnel: click “IPsec Tunnels” in Interface; choose the corresponding configuration.
241
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Verify the IPsec tunnel: click “Authentication” in this IPsec tunnel; apply the pre-shared key to this IPsec tunnel.
242
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Verify the IPsec tunnel: click “Routing” in this IPsec tunnel; enable “Dynamically add routes to remote network when a tunnel is established” in this IPsec tunnel.
243
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Verify the IPsec tunnel: click “Advanced” in this IPsec tunnel; disable “Add route for remote network” in this IPsec tunnel.
244
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create the L2TP tunnel: click “PPTP/L2TP Servers” in Interface; choose the corresponding configuration.
245
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create the user authentication rules for the L2TP tunnel: click “User Authentication Rules” in User Authentication; choose the corresponding configuration; enable the log setting and choose the local user database.
246
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Create the IP rules for the L2TP tunnel: click “IP Rules” in Rules; choose the corresponding configuration; enable the log setting.
247
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
After all configuration, click “Configuration” on the main menu bar, then click “Save and Activate”.
248
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec Testing Result
249
Scenario & Hands-on 7-2 Exercise 7-2- VPN Configuration-L2TP/IPsec
Diagram labels: L2TP/IPsec client; VPN tunnel; WAN1 DHCP IP; DFL-1600; Internal LAN3 IP: /24; Internal LAN1 IP: /24; Internal LAN2 IP: /24. Objectives: The user dials up to the firewall with the Windows L2TP/IPsec client software; ping the IP address of the firewall's LAN.
250
Scenario & Hands-on 7-3 VPN Configuration-IPsec: VPN Objects – Pre-Shared Keys. Used to authenticate VPN tunnels. There are two ways to enter the PSK: ASCII and HEX. ASCII: type in a passphrase. HEX: type in a passphrase and use “Generate” to turn the passphrase into the key.
251
Scenario & Hands-on 7-3 VPN Configuration- IPsec VPN Objects – LDAP
For secured authentication to be established over VPN, the CA certificate needs to be downloaded to the LDAP server.
252
Scenario & Hands-on 7-3 VPN Configuration- IPsec ID Lists
The concept of ID lists is to manage and control the accessibility of VPN clients and gateways. Mobile clients can be restricted from accessing internal networks by ID lists.
253
Scenario & Hands-on 7-3 VPN Configuration- IPsec IKE/IPsec Algorithms
Predefined IKE and IPsec algorithm sets are available by default: High – very secure; Medium – secure. You can also define your own algorithm sets.
254
Scenario & Hands-on 7-3 VPN Configuration- IPsec Network topology
Diagram labels: remote DFL-1600, WAN1 IP: /24, Remote LAN, Internal LAN IP: /24; VPN tunnel; local DFL-1600, WAN1 static IP: /24, Internal LAN3 IP: /24, Internal LAN1 IP: /24, Internal LAN2 IP: /24. Note: use the same pre-shared key and algorithm in both IPsec settings; choose the correct local net and remote net for the IPsec tunnel.
255
Scenario & Hands-on 7-3 VPN Configuration-IPsec. Objectives: Two firewalls communicate with each other through an IPsec tunnel; a client on the local net pings a client on the remote net. The logic of configuration: create the VPN object (pre-shared key); configure the IPsec tunnel; create the IP rule for the IPsec tunnel.
256
Scenario & Hands-on 7-3 VPN Configuration- IPsec
Create objects for the remote IP address and the remote network: click “Address” in Objects; key in the corresponding IP addresses.
257
Scenario & Hands-on 7-3 VPN Configuration- IPsec
Create the pre-shared key for the IPsec tunnel: click “Pre-Shared Keys” in VPN Objects; key in the correct value.
258
Scenario & Hands-on 7-3 VPN Configuration- IPsec
Create the IPsec tunnel: click “IPsec Tunnels” in Interface; choose the corresponding configuration. Note: if the remote firewall's WAN IP is not static, in other words the remote endpoint uses a dynamic IP address registered with a dynamic DNS server, the administrator can enter the DDNS domain name here directly.
259
Scenario & Hands-on 7-3 VPN Configuration- IPsec
Combine the two interfaces into one interface group: click “Interface Groups” in Interface; choose the corresponding interfaces.
260
Scenario & Hands-on 7-3 VPN Configuration- IPsec
Create the IP rules for the IPsec tunnel: click “IP Rules” in Rules; choose the corresponding configuration; enable the log setting.
261
Scenario & Hands-on 7-3 VPN Configuration- IPsec
After all configuration, click “Configuration” on the main menu bar, then click “Save and Activate”.
262
Scenario & Hands-on 7-3 Exercise 7-3- VPN Configuration-IPsec
Diagram labels: odd group DFL-1600 (Remote LAN, Internal LAN); VPN tunnel; even group DFL-1600 (Internal LAN1). Objectives: Two firewalls communicate with each other through an IPsec tunnel; a client on the local net pings a client on the remote net.
263
Scenario & Hands-on 7-4 VPN Configuration- IPsec with NetScreen 204
Network topology. Diagram labels: NetScreen 204, WAN1 IP: /24, Remote LAN, Internal LAN IP: /24; VPN tunnel; DFL-1600, WAN1 static IP: /24, Internal LAN3 IP: /24, Internal LAN1 IP: /24, Internal LAN2 IP: /24. Note: use the same pre-shared key and algorithm on both the DFL-1600 and the NS-204; choose the correct local net and remote net for the IPsec tunnel.
264
Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204. Objectives: Two firewalls communicate with each other through an IPsec tunnel; a client on the local net pings a client on the remote net. The logic of configuration: create the VPN objects (pre-shared key, remote net/gateway and algorithm); configure the IPsec tunnel; create the IP rule for the IPsec tunnel.
265
Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
Create the network object for the DFL-1600 (remote network): click “List” under “Addresses” in Objects; key in the corresponding network.
266
Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
Create the IP address object for the DFL-1600 (remote gateway): click “List” under “Addresses” in Objects; key in the corresponding IP address.
267
Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
Create the P1 (Phase 1) proposal for the DFL-1600 VPN configuration: click “P1 Proposal” under “AutoKey Advanced” in VPNs; choose the corresponding algorithm and DH group.
268
Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
Create the P2 (Phase 2) proposal for the DFL-1600 VPN configuration: click “P2 Proposal” under “AutoKey Advanced” in VPNs; choose the corresponding algorithm and DH group.
269
Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
Create the gateway object for the DFL-1600 VPN configuration: click “Gateway” under “AutoKey Advanced” in VPNs; key in the corresponding IP address and pre-shared key; click “Advanced”.
270
Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
“Advanced” settings of the gateway object: choose “Custom” under User Defined for the Phase 1 proposal; choose “Main” mode.
271
Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
Create the IPsec VPN tunnel for the DFL-1600: choose “Security Level” and “Predefined” for the remote gateway; choose the “Outgoing Interface” and click “Advanced”.
272
Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
Create the IPsec VPN policy for the DFL-1600: choose the correct action, service and network in the rule; enable “Modify matching bidirectional VPN policy”.
273
Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
Testing Result
274
Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
DFL-1600 IPsec VPN status NetScreen VPN status
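The Phase 1 / Phase 2 proposals, pre-shared key, gateway addresses and networks entered on the two firewalls must mirror each other, and a single mismatched field (a DH group, for example) is enough to leave the tunnel down. The following is an added example, not code from the training deck or from D-Link or Juniper: a small checker that compares two peers' settings and reports every field that does not match; all addresses, key and proposal values are constructed sample data, and the field names are this example's own.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List

@dataclass
class Peer:
    """One side of the tunnel. Field names are this example's own, not the GUI's."""
    name: str
    gateway: str        # this peer's WAN address
    local_net: str      # network behind this peer
    remote_net: str     # network expected behind the other peer
    remote_gateway: str
    psk: str
    p1: Dict[str, object] = field(default_factory=dict)  # Phase 1: enc, auth, dh_group, mode
    p2: Dict[str, object] = field(default_factory=dict)  # Phase 2: enc, auth, pfs_group

def check_pair(a: Peer, b: Peer) -> List[str]:
    """Return a list of mismatches; an empty list means the configs mirror each other."""
    problems = []
    # Addressing must be mirrored: A's remote is B's local, and vice versa.
    for x, y in ((a, b), (b, a)):
        if x.remote_net != y.local_net:
            problems.append(f"{x.name} remote-net {x.remote_net} != {y.name} local-net {y.local_net}")
        if x.remote_gateway != y.gateway:
            problems.append(f"{x.name} remote-gateway {x.remote_gateway} != {y.name} gateway {y.gateway}")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")  # never print the key values themselves
    # Proposals must agree field by field; a field missing on one side is also a mismatch.
    for phase, pa, pb in (("P1", a.p1, b.p1), ("P2", a.p2, b.p2)):
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                problems.append(f"{phase} {key}: {a.name}={pa.get(key)} {b.name}={pb.get(key)}")
    return problems

# Constructed sample data (RFC 5737 documentation addresses), not the deck's lab values.
DFL = Peer("DFL-1600", "203.0.113.10", "192.168.1.0/24", "192.168.2.0/24",
           "203.0.113.20", "example-psk",
           {"enc": "3des", "auth": "sha1", "dh_group": 2, "mode": "main"},
           {"enc": "3des", "auth": "sha1", "pfs_group": 2})
NETSCREEN = Peer("NetScreen-204", "203.0.113.20", "192.168.2.0/24", "192.168.1.0/24",
                 "203.0.113.10", "example-psk",
                 {"enc": "3des", "auth": "sha1", "dh_group": 5, "mode": "main"},  # wrong DH group
                 {"enc": "3des", "auth": "sha1", "pfs_group": 2})

def sample_mismatches() -> List[str]:
    return check_pair(DFL, NETSCREEN)

def sample_after_fix() -> List[str]:
    fixed = replace(NETSCREEN, p1={**NETSCREEN.p1, "dh_group": 2})
    return check_pair(DFL, fixed)

if __name__ == "__main__":
    print("\n".join(sample_mismatches()) or "configs mirror each other")
```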
275
Agenda Appliance Overview Firewall Concept Basic Configuration
Scenario & Hands-on Troubleshooting
276
Troubleshooting Confirm configuration of firewall
Four ways to troubleshoot:
1. Confirm the configuration of the firewall
2. Inspect the firewall status
3. Use “Console commands” to get more information
4. Capture packets to analyze (Ethereal or Sniffer)
277
Troubleshooting Flow Chart: Confirm the configuration. If the main cause is found, verify the configuration and the problem is solved. If not, inspect the firewall status; if the main cause is still not found, use console commands to inspect; if still not found, capture packets to analyze. The analysis points to either a configuration cause (verify the configuration) or an environment cause (verify the network environment), after which the problem is solved; otherwise escalate to the Dtrack system.
278
Troubleshooting Confirm configuration of firewall
Objects: IP address or network
Interface configuration
IP rules: action and service, interface and network
Main routing: routing table, metric
PBR: routing table and rules
Advanced configuration: ZoneDefense, traffic shaping, user authentication
279
Troubleshooting Inspect the firewall status
Click “Status” on the main menu bar: System, Logging, Connection, Interfaces, IPsec, User Auth, Routes, DHCP server, IDS, SLB, Zone Defense
280
Troubleshooting Console commands
How to use “Console commands” with HyperTerminal in MS Windows:
1. Start HyperTerminal (Hypertrm.exe)
2. Enter a name for the connection (for example, DFL-800) in the Name box
3. Click an icon for the connection in the Icon box, and then click OK
4. In the Connect Using box, click Direct To Com (choose “Restore Default”) and then click OK
5. Verify the settings on the port settings tab and then click OK
281
Troubleshooting Console commands
The first command you should learn is the HELP or H command. The help command prints a list of the available commands at the console.
About: Displays information about the firewall core.
Crashdump: Dumps all crash and error information.
Access: Prints the active anti-spoof section.
Arp [interface]: Displays the cached ARP information for all interfaces. If you add a specific interface name to the command, you get only the specified interface.
Arpsnoop [interface]: Displays ARP queries and responses. You enable this by typing ARPSNOOP [interface]; the same command again disables it. You can also use the string ALL for all interfaces. To disable all arpsnoop printout, use the string NONE.
Buffers [buf num]: Displays the 20 most recently freed buffers. You can examine a specific buffer by adding its number.
Cfglog: Displays the boot log of the firewall configuration.
282
Troubleshooting Console commands
Connections: Displays the connections in the firewall.
CPUid: Displays processor information.
DHCP [switches] <interface>: Renews (-renew) or releases (-release) the DHCP IP address on a specific interface.
Frags: Displays the 20 most recent fragment reassembly attempts, including both ongoing and completed attempts.
Ifstat [interface]: Displays interfaces. If you add an interface, you get statistics for that interface.
Loghosts: Displays the configured loghosts.
Logout: Secures the console with the configured password.
Netcon: Displays the active console connection or management connections to the firewall.
Netobjects: Displays the active host and network configurations.
Ping: The normal ping command to verify an IP connection. You can use Ping [IP address] [num], where “num” is the number of ping requests.
Reconfigure: Reloads the configuration from the boot media.
283
Troubleshooting Console commands
Ikesnoop [on/off/verbose]: Used to diagnose problems with IPsec tunnels.
DHCPRelay: Displays whether the DHCP boot relay is enabled or disabled.
Remote: Displays the active configuration of the remote section.
Routes: Displays the active configuration of the route section.
Rules: Displays the active configuration of the rule section. Several string options can be added; the -v option enables all available information (such as usage).
Scrsave: Runs the screen saver.
Services: Displays the active services within the configuration.
Shutdown: Shuts down the firewall.
Stats: Displays statistics information for the firewall.
Time: Displays the firewall's current time.
284
Troubleshooting Capture packets to analyze
Set up a laptop with software such as Ethereal or Sniffer to capture packets from the problem node. The laptop needs to connect to the problem node through a hub. If it connects through a switch, the port mirror function has to be enabled on the switch.
(Diagram: intranet, problem node, and a laptop running Ethereal or Sniffer on the mirrored port.)
285
Troubleshooting Capture packets to analyze
Inspect the source IP address, destination IP address and protocol of the captured packets to analyze the problematic network status.
286
Questions & Answers THANK YOU