2006 DFL-210/800/1600/2500 Technical Training


1 2006 DFL-210/800/1600/2500 Technical Training
© Copyright D-Link HQ. All rights reserved.

2 Agenda
- Appliance Overview
- Firewall Concept
- Basic Configuration
- Scenario & Hands-on
- Troubleshooting

3 Agenda
- Appliance Overview
- Firewall Concept
- Basic Configuration
- Scenario & Hands-on
- Troubleshooting

4 Appliance Overview Model of firewall
DFL-800 rear panel: Console, WAN1, LAN, WAN2, DMZ

5 Appliance Overview Model of firewall
DFL-1600 rear panel: Console, LAN3, LAN2, WAN1, LAN1, WAN2, DMZ

6 Appliance Overview Model of firewall
DFL-2500 rear panel: Console, LAN3, LAN2, LAN1, WAN1, WAN2, WAN3, WAN4, DMZ

7 Appliance Overview Characteristics of the firewall (DFL-1600/2500)
- High Port Density
- Giga Interface
- GUI: brand new and user-friendly, no GUI confusion issue
- ID: neater and more professional look for the firewall product line
- ZoneDefense: mechanism working with D-Link switches that prevents threats from spreading
- Transparent Mode: advanced firewall feature that eases the implementation

8 Appliance Overview LED panel
- Power and System LEDs
- Console: serial console port, concealed look
- LCD Display: system information, traffic monitor, alert monitor, configuration display
- Ethernet: auto-sensing copper ports (LAN port, WAN port and DMZ port)
- Keypad: keys for "Right", "Left", "Upper" and "Confirm"

9 Appliance Overview LED panel
Setup Mode
- Press the keypad within 5 seconds after the firewall is switched on to enter Setup Mode.
- Use the Left or Right button to select:
  1. Start Firewall: start the firewall system
  2. Reset Firewall: reset the firewall to factory default. After the reset, choose "Start Firewall".
- If no key is pressed within 5 seconds of switching the firewall on, it enters Status Mode automatically.

10 Appliance Overview LED panel
Status Mode
- Model name: the device model name
- System Status: system working status
- CPU Load and Connections: CPU utilization and concurrent sessions
- Total BPS and PPS: current traffic statistics in bits per second and packets per second
- Date and Time: the device's current date and time
- Uptime: time since the device booted
- Mem: system memory utilization
- IDS Sigs: IDS signature information
- WAN / DMZ / LAN: IP address of each interface
- Core Version: firewall firmware version

11 Agenda
- Appliance Overview
- Firewall Concept
- Basic Configuration
- Scenario & Hands-on
- Troubleshooting

12 Firewall Concept Questions
- What is a firewall?
- Which firewall is the safest?
- A firewall does not protect against application errors.

13 Firewall Concept IP Start Communication
Diagram: three-way handshake between a client and a web server: (1) client -> port 80, SYN; (2) SYN.ACK <- port 80; (3) client -> port 80, ACK; connection established.
SYN FLOOD
1. A packet with the "SYN" flag is sent to the web server. The client uses a fake (spoofed) source IP address.
2. The server responds with a SYN.ACK and then waits for the client to respond with an ACK packet.
3. The client repeats step one until it is satisfied that the damage is done.

14 Firewall Concept IP Start Communication
More bits (TCP flags):
- SYN – Synchronize: new connection
- ACK – Acknowledge: acknowledges that data has been received
- PSH – Push: "push received data to the application layer now"
- URG – Urgent: urgent data, process first (Beg. 70)
- FIN – Finish: end the communication with a handshake
- RST – Reset: "do not communicate with me!"

15 Firewall Concept Firewall deployments in a network
Static Route
- Static routes are needed for the firewall to communicate with networks that are not locally attached on the same subnet.
NAT
- Internal addresses are private addresses from RFC 1918.
- All private addresses are translated to a valid IP address before accessing the Internet.
Transparent
- No changes are required on any end station, router or server.
- Routing protocols can be configured to pass through the firewall in transparent mode.
- The firewall offers full firewall and VPN capabilities.

16 Firewall Concept Firewall deployments in a network – Static Route
Diagram: LAN (Intranet Web, Corp Mail, Intranet DNS, AdminPC 1-3, Sales, Support, Marketing), WAN (Internet router) and DMZ (Corporate Web, Mail Relay, DMZ DNS) connected through the firewall.

17 Firewall Concept Firewall deployments in a network – NAT
Diagram: the same LAN, WAN and DMZ layout as the static-route deployment, with the firewall translating internal addresses.

18 Firewall Concept Firewall deployments in a network – Transparent
Diagram: the same LAN, WAN and DMZ layout as the static-route deployment, with the firewall inserted transparently.

19 Firewall Concept Firewall Generations
- First generation: Packet filtering
- Second generation: Proxy
- Third generation: Stateful Inspection
- Fourth generation: IDS/IDP

20 Firewall Concept 1. Packet Filtering
Works at the IP and TCP level.
Disadvantages
- Does not re-create fragmented packets
- Does not understand the relationship between packets
Advantages
- High speed of packet processing
OSI Model: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical

21 Firewall Concept 2. Proxy
Receives packets, reads them and re-creates the packets. There is no physical connection between the client and the server.
Disadvantages
- Slow
- The proxy must understand the application protocol
- Mostly based on a complex operating system
Advantages
- Attacks on the TCP/IP level will never penetrate through to the protected network
- Able to analyze application data
- Able to strip things like ActiveX and Java
OSI Model: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical

22 Firewall Concept 3. Stateful Inspection
Re-creates fragmented packets and understands the relationship between packets.
Advantages
- Does not need to understand the application data to work
- Great flexibility
- Better performance than a proxy
Disadvantages
- Harder to analyze the application data (but still possible)
OSI Model: 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical

23 Firewall Concept 4.IDS/IDP

24 Firewall Concept Packet flow
Diagram: a packet from the Internet arrives at the WAN IP, passes packet inspection and the priority processes, and is then handled as Allow, Drop, NAT or Reject before reaching the internal IP.

25 Firewall Concept Packet flow
When traffic enters the firewall it is first inspected by VLAN processing (if VLAN is used). The IDS rule is the primary filter, configured to allow or disallow certain types of network traffic through the firewall. The traffic is then inspected by the IP rules and the routing rules, and after that by ZoneDefense and Traffic Shaping.

26 Firewall Concept Packet flow
Flow diagram (boxes as shown on the slide):
- Inbound packet -> basic sanity checks, including verification of the IP header; failed -> Drop
- VLAN packet? Yes -> de-capsulate
- Fragment? Yes -> process fragment
- Check IDS signatures -> Drop on match
- DestIP = FW? / Route IP / Verify TCP/UDP header
- Found matching connection? Yes -> Traffic Shaping -> forward packet
- No -> Apply Rules (SAT_ApplyRulePack): Allow/NAT/SAT -> open connection -> ZD and Traffic Shaping -> forward packet; FwdFast/SAT -> Traffic Shaping -> forward packet; no rule matched (false) -> Drop

27 Agenda
- Appliance Overview
- Firewall Concept
- Basic Configuration
- Scenario & Hands-on
- Troubleshooting

28 Basic Configuration Default Interface Attribute Definition (DFL-800)
- LAN can be managed and pinged
- DHCP is disabled on the firewall

29 Basic Configuration Default Interface Attribute Definition (DFL-1600)
- LAN1 can be managed and pinged
- DHCP is disabled on the firewall

30 Basic Configuration Default Interface Attribute Definition (DFL-2500)
- LAN1 can be managed and pinged
- DHCP is disabled on the firewall

31 Basic Configuration Design concept of the UI
- If an undesired rule or object is created without hitting the "OK" button, the user must hit the "Cancel" button; otherwise that rule or object stays in the list, named "untitle".
- Traffic is examined against the rules in the order in which they were created, from top down.
- Right-click any rule or object and select Delete: a strike-through line is shown on that rule or object.
- The "Save and Activate" button is not available while an "untitle" rule or object remains undeleted.
- After clicking "Save and Activate", you must reconnect to the firewall within 30 seconds (default setting) for the configuration changes to be finalized. If this fails, the unit reverts to its previous configuration. The reconnection time is adjustable.

32 Basic Configuration Configure a static IP address on your laptop or PC
- The user is authenticated before logging in to the firewall. Default login: admin, password: admin.
- The user is then presented with the Menu Bar, the Tree View List and the Main Window.

33 Basic Configuration Web UI layout: Tree View List, Menu Bar, Main Window

34 Basic Configuration UI of System

35 Basic Configuration UI of Object

36 Basic Configuration UI of Rules

37 Basic Configuration UI of Interfaces

38 Basic Configuration UI of Routing

39 Basic Configuration UI of IDS/IDP

40 Basic Configuration UI of User Authentication

41 Basic Configuration UI of Traffic Shaping

42 Basic Configuration UI of ZoneDefense

43 Basic Configuration Three Steps to Configure
1. Create and verify the objects
2. Create the rules (IP rules, IDS rules, user authentication rules and pipe rules)
3. Create and verify the routing rules

44 Basic Configuration First Step to Configure – 1. Create and verify the object
The most important element of the firewall configuration is the OBJECT. Objects are the basic network elements defined in the firewall: a list of symbolic names associated with various types of addresses, including the IP addresses of hosts and networks. Object items are used heavily throughout the firewall configuration: in routing tables, the rule-set, interface definitions and VPN tunnels, among others.

45 Basic Configuration Objects – Address Book
Hosts & Networks configuration items are symbolic names for IP networks

46 Basic Configuration Objects – ALG
ALGs (Application Layer Gateways) are designed to manage specific protocols: they examine the payload data and carry out appropriate actions based on the defined rules. The appropriate ALG definition is selected in a Service configuration item; network traffic that matches the service definition is then managed by the selected ALG.

47 Basic Configuration Objects – Services
A service is the definition of a specific IP protocol with its corresponding parameters. The service http, for instance, is defined as using the TCP protocol with destination port 80.

48 Basic Configuration Objects – Schedules
A schedule restricts the firewall rules it is attached to so that they are used only at the designated times. Any activity outside the scheduled time slot does not match those rules and is therefore unlikely to be permitted through the firewall.

49 Basic Configuration Objects – Certificate
A certificate is a digital proof of identity: it links an identity to a public key in a trustworthy manner. Certificates can be used to authenticate individual users or other entities; these types of certificates are commonly called end-entity certificates.

50 Basic Configuration Second Step to Configure – 2. Create the rule
The Rules configuration section represents the rule-set, the "heart" of the firewall. The rule-set is the primary filter, configured to allow or disallow certain types of network traffic through the firewall. The rule-set also regulates how address translation and bandwidth management (traffic shaping) are applied to traffic flowing through the firewall.

51 Basic Configuration IP Rules – Drop
Packets matching Drop rules will be immediately dropped. Such packets will be logged if logging has been enabled in the Log Settings page

52 Basic Configuration IP Rules – Drop (diagram: a packet matching a DROP rule is dropped and a dropping entry is written to the log)

53 Basic Configuration IP Rules – Reject
Reject works basically the same way as Drop. In addition, the firewall sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet is a TCP packet, a TCP RST message.

54 Basic Configuration IP Rules – Reject (diagram: a packet matching a REJECT rule is answered with ICMP Unreachable or TCP RST and a rejecting entry is written to the log)

55 Basic Configuration IP Rules – FwdFast
Packets matching FwdFast rules are allowed through immediately. The firewall does not memorize the open connection and does not statefully inspect traffic that has passed through it. For one single packet this is indeed faster than first opening a state-tracked connection and then passing the packet to it, but when several packets pass over the same connection, state tracking (Allow) is faster.

56 Basic Configuration IP Rules – FwdFast
Diagram: packets matching FwdFast rules pass to the Internet with no stateful traffic inspection (the firewall does not remember open connections).
Note: Allow is usually faster than FwdFast. Remember that there needs to be a FwdFast rule in each direction.

57 Basic Configuration IP Rules – Allow
Packets matching Allow rules are passed to the stateful inspection engine, which memorizes that a connection has been opened. Rules for return traffic are not required, because traffic belonging to open connections is automatically dealt with before it reaches the rule set.

58 Basic Configuration IP Rules – Allow (diagram: packets matching Allow rules are logged and pass through stateful inspection to the Internet)

59 Basic Configuration IP Rules – SAT
Nothing happens at the moment a packet matches a SAT rule. The firewall memorizes where to send the traffic and continues to look for a matching rule that allows the packet to pass; the static address translation is performed at that stage.

60 Basic Configuration IP Rules – SAT
Diagram: a client on the WAN ("I want the file from the FTP server") reaches an FTP server in the DMZ through the firewall's WAN IP.
The public_ip must be bound to the WAN interface of the firewall first. redirect_address is used to redirect an incoming connection from public_ip to private_ip.

61 Basic Configuration IP Rules – NAT
NAT rules perform dynamic address translation: NAT hides the sender address, mostly so that all machines on a protected network appear to the outside world as if they use a single IP address.

62 Basic Configuration IP Rules – NAT
Diagram: Network Address Translation between an internal IP and the WAN IP towards the Internet.
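As an added worked example (Python, not D-Link code), the following simulates the IP rule actions described on slides 51-62: rules are matched from top down, a SAT match only remembers the redirect address and keeps searching for a rule that lets the packet pass, Allow and NAT open a state-table entry so return traffic never consults the rule set, FwdFast keeps no state, and Reject answers with TCP RST or ICMP unreachable. The interface names, addresses and rule set are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_if: str                 # interface the packet arrived on: "lan", "wan" or "dmz"
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass
class Rule:
    action: str                      # Drop, Reject, FwdFast, Allow, SAT or NAT
    src_if: str                      # "any" matches every interface
    src_net: str                     # CIDR, e.g. "192.168.1.0/24"
    dst_net: str
    service: Tuple[str, int]         # (proto, port); port 0 = any port
    new_dst: Optional[str] = None    # SAT only: redirect_address (the private_ip)
    nat_src: Optional[str] = None    # NAT only: address the senders are hidden behind


@dataclass
class Verdict:
    action: str                      # Drop, Reject, FwdFast, Allow, NAT or Established
    src: str = ""                    # source address after translation
    dst: str = ""                    # destination address after translation
    reply: Optional[str] = None      # Reject only: "TCP_RST" or "ICMP_UNREACHABLE"


def _in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # state table entries: (src, translated src, dst, translated dst, proto, dport)
        self.connections = []
        self.log = []

    def _established(self, p: Packet) -> bool:
        for src, xsrc, dst, xdst, proto, dport in self.connections:
            if (p.src, p.dst, p.proto, p.dport) == (src, dst, proto, dport):
                return True          # more packets in the opening direction
            if p.dst in (src, xsrc) and p.src in (dst, xdst) and p.proto == proto:
                return True          # return traffic: handled before the rule set
        return False

    def _matches(self, r: Rule, p: Packet) -> bool:
        proto, port = r.service
        return (r.src_if in ("any", p.src_if)
                and _in_net(p.src, r.src_net) and _in_net(p.dst, r.dst_net)
                and proto == p.proto and port in (0, p.dport))

    def process(self, p: Packet) -> Verdict:
        if self._established(p):
            return Verdict("Established", p.src, p.dst)
        sat_dst = None
        for r in self.rules:                  # rules are examined from top down
            if not self._matches(r, p):
                continue
            if r.action == "SAT":
                sat_dst = r.new_dst           # remember, keep looking for a passing rule
                continue
            dst = sat_dst or p.dst            # translation is applied at the passing rule
            if r.action == "Drop":
                self.log.append(f"DROP {p.src}->{p.dst} {p.proto}/{p.dport}")
                return Verdict("Drop")
            if r.action == "Reject":
                self.log.append(f"REJECT {p.src}->{p.dst} {p.proto}/{p.dport}")
                reply = "TCP_RST" if p.proto == "tcp" else "ICMP_UNREACHABLE"
                return Verdict("Reject", reply=reply)
            if r.action == "FwdFast":         # forwarded at once, nothing remembered
                return Verdict("FwdFast", p.src, dst)
            src = r.nat_src if r.action == "NAT" else p.src
            self.connections.append((p.src, src, p.dst, dst, p.proto, p.dport))
            return Verdict(r.action, src, dst)
        self.log.append(f"DROP(no rule) {p.src}->{p.dst} {p.proto}/{p.dport}")
        return Verdict("Drop")


WAN_IP, FTP_PRIVATE = "203.0.113.10", "10.0.0.5"     # constructed addresses


def build_demo() -> Firewall:
    """Constructed rule set: publish the DMZ FTP server with SAT + Allow, reject
    Telnet from the LAN, NAT all other LAN TCP traffic, FwdFast LAN ICMP."""
    return Firewall([
        Rule("SAT", "wan", "0.0.0.0/0", f"{WAN_IP}/32", ("tcp", 21), new_dst=FTP_PRIVATE),
        Rule("Allow", "wan", "0.0.0.0/0", f"{WAN_IP}/32", ("tcp", 21)),
        Rule("Reject", "lan", "192.168.1.0/24", "0.0.0.0/0", ("tcp", 23)),
        Rule("NAT", "lan", "192.168.1.0/24", "0.0.0.0/0", ("tcp", 0), nat_src=WAN_IP),
        Rule("FwdFast", "lan", "192.168.1.0/24", "0.0.0.0/0", ("icmp", 0)),
    ])
```

Feed `build_demo().process(...)` a client packet to the WAN IP on port 21 and then the FTP server's reply from the DMZ: the first is translated to the private address by the Allow rule, the second is passed as established without touching the rules.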

63 Basic Configuration Third Step to Configure – 3. Create and verify the routing rule
Main Route: the Routes configuration section describes the firewall's routing table. The firewall uses a slightly different way of describing routes compared to most other systems.
Policy-Based Route: the rules in the PBR rule-set specify which routing table is to be used in the forward as well as the return direction (selecting the routing priority).

64 Basic Configuration Main Routing Table
Routing tells the firewall in which direction it should send packets destined for a given IP address

65 Basic Configuration Policy Based Routing
- Connect to two or more ISPs and accept inbound connections from all of them. Return traffic is routed back through the ISP that delivered the incoming request.
- Route certain protocols through transparent proxies such as web caches and anti-virus scanners, without adding another point of failure for the network as a whole.
- Create provider-independent metropolitan area networks, i.e. ones where all users share a common active backbone but are able to use different ISPs, subscribe to different streaming media providers, etc.

66 Basic Configuration Policy Based Routing
Diagram: the Internet is reached via WAN1 and WAN2; the Extranet (/24), Intranet (/24) and DMZ sit behind the firewall.

67 Agenda
- Appliance Overview
- Firewall Concept
- Basic Configuration
- Scenario & Hands-on
- Troubleshooting

68 Scenario & Hands-on
- Basic Configuration (WAN/LAN/DMZ, transparent mode)
- Configure Load Sharing and Route Failover (using 2 WANs)
- Configure ZoneDefense
- Port mapping for a server (SAT and server load balance)
- Runtime authentication configuration
- Traffic shaping
- Configure VPN tunnels (PPTP, L2TP and IPsec)

69 Scenario & Hands-on Topology covering all scenarios
Diagram: a DFL-800 (WAN1 IP: /24, Remote LAN, Internal LAN IP: /24) and a DFL-1600 (WAN1 via DHCP, WAN2 with static IP, FTP Server in the DMZ, Internal LAN1 IP: /24, Internal LAN2 IP: /24, Internal LAN3 IP: /24) connected by an IPSec VPN tunnel.
Hands on: Basic Configuration; Load Sharing and Route Failover; ZoneDefense; Port mapping for server; User Authentication; Traffic Shaping; VPN tunnel

70 Scenario & Hands-on Network topology for hands-on
All WAN1 ports connect to the main switch (ports G1-G4), which connects to the Internet.

71 Scenario & Hands-on Network topology for every group
Four persons form one group. The LAN1 port connects to the group switch, which connects to the main switch.

72 Scenario & Hands-on 1 Basic Configuration (configure the WAN type, modify the IP address of LAN and enable transparent mode)
Topology: WAN1 (PPPoE, DHCP or static IP: /24); Internal DMZ IP: /24; Internal LAN1 IP: /24; Internal LAN2 IP: /24; Internal LAN3 IP: /24
Objective:
- How to modify the IP address for LAN and DMZ in Object
- How to use DHCP, static IP and PPPoE to access the Internet
- How to enable transparent mode

73 Scenario & Hands-on 1-1 Basic Configuration – Modify IP address for LAN and DMZ
Network topology: Internal LAN1 IP: /24; Internal LAN2 IP: /24; Internal LAN3 IP: /24; Internal DMZ IP: /24
Notes:
- The DFL-800 only has LAN and DMZ; the DFL-1600/2500 have LAN1, LAN2, LAN3 and DMZ
- Pay attention to the default manageable status
- Confirm the connecting port (DFL-800 / DFL-1600 / DFL-2500)
- Bind a secondary IP address to match the new network IP segment. After configuration, use the new LAN IP address as the default gateway on the laptop

74 Scenario & Hands-on 1-1 Basic Configuration – Modify IP address for LAN and DMZ
Objectives: access the LAN1 IP address successfully (ping) or manage the Web UI by the new IP address
The Logics of Configuration:
- Bind a secondary IP address to match the new network IP segment. After configuration, use the new LAN IP address as the default gateway on your laptop
- Modify the IP address and network objects in the address book of Object

75 Scenario & Hands-on Bind two IP addresses on one NIC (screenshot, steps 1-3)

76 Scenario & Hands-on Bind two IP addresses on one NIC (screenshot, steps 4-6)

77 Scenario & Hands-on 1-1 Basic Configuration – Modify IP address for LAN and DMZ: use a web browser such as Internet Explorer 6 or Firefox 1.0 to connect to the Web UI

78 Scenario & Hands-on 1-1 Basic Configuration – Modify IP address for LAN and DMZ
Change the IP address in the address book of Object:
1. Click "Interface Addresses" in Object
2. Key in the correct IP address and network

79 Scenario & Hands-on 1-1 Basic Configuration – Modify IP address for LAN and DMZ
Change the IP address in the address book of Object or in Ethernet under Interfaces:
1. Open the interface entry
2. Key in the correct IP address and network

80 Scenario & Hands-on 1-1 Basic Configuration – Modify IP address for LAN and DMZ
After all configuration is done, click "Configuration" in the main bar, then click "Save and Activate".

81 Scenario & Hands-on 1-1 Testing Result
Basic Configuration – Modify IP address for LAN and DMZ: ping the LAN IP address.

82 Scenario & Hands-on 1-1 How to modify the Web UI reconnection time
After you click "Save and Activate" you can adjust the reconnection time: click "Click here to edit the configuration verification timeout."

83 Scenario & Hands-on 1-1 Basic Configuration – Modify IP address for LAN and DMZ: use the new LAN IP address as the default gateway on the laptop (screenshot, steps 1-3)

84 Scenario & Hands-on 1-1 Basic Configuration – Modify IP address for LAN and DMZ: use the new LAN IP address as the default gateway on the laptop (screenshot, steps 4-6)

85 Scenario & Hands-on 1-1 Basic Configuration – Modify IP address for LAN and DMZ: use the new LAN IP address as the default gateway on the laptop (screenshot, steps 7-8)

86 Scenario & Hands-on 1-1 Exercise 1-1 – Modify IP address for LAN and DMZ
Objective: change the IP address of LAN1; ping the new IP address of LAN1 and access the Web UI by the new IP successfully.
Topology: Internal DMZ, Internal LAN1, Internal LAN2, Internal LAN3. LAN1 IP per group: Group A(1): /24; Group B(2): /24; ...; Group I(9): /24; Group J(10): /24

87 Scenario & Hands-on 1-2 Basic Configuration – Transparent mode
Network topology: WAN1 IP: /24 (/24); Internal LAN1 IP: /24 (/24)
Note: configure the default gateway; configure DHCP relay if the firewall is in a DHCP environment

88 Scenario & Hands-on 1-2 Basic Configuration – Transparent mode
Objectives:
- Implement the firewall in transparent mode without changing the existing network settings
- Allow or deny specific services and traffic (allow WAN1 to LAN1 for the ICMP service, allow LAN1 to WAN1 for all services)
The Logics of Configuration:
- Enable transparent mode
- Configure IP rules and objects in the firewall
- Bind a secondary IP address to match the new network IP segment

89 Scenario & Hands-on 1-2 Basic Configuration – Transparent mode
Configure the IP objects in the address book of Object to the same network segment:
1. Click "Address Book" in Object
2. Configure the IP addresses of WAN1 and LAN1

90 Scenario & Hands-on 1-2 Basic Configuration – Transparent mode
Enable transparent mode for WAN1 and LAN1:
1. Click "Ethernet" under "Interfaces"
2. Enable transparent mode on the WAN1 interface and add the gateway object as "Default Gateway"
3. Disable "Add route for interface network"

91 Scenario & Hands-on 1-2 Basic Configuration – Transparent mode
Enable transparent mode for WAN1 and LAN1:
1. Click "Ethernet" under "Interfaces"
2. Enable transparent mode on the LAN1 interface
3. Disable "Add route for interface network"

92 Scenario & Hands-on 1-2 Basic Configuration – Transparent mode
Add the service rules under IP Rules (WAN1 to LAN1 and LAN1 to WAN1):
1. Click "IP Rules" in Rules
2. Choose the correct Action, Service, Interface and Network for the rule

93 Scenario & Hands-on 1-2 Basic Configuration – Transparent mode
Create the DHCP relay for LAN1 to WAN1:
1. Click "DHCP Relays" under "System" > "DHCP Settings"
2. Choose the correct Action, Service, Interface and Network for the rule

94 Scenario & Hands-on 1-2 Basic Configuration – Transparent mode
After all configuration is done, click "Configuration" in the main bar, then click "Save and Activate".

95 Scenario & Hands-on 1-2 Testing Result
Basic Configuration – Transparent mode: get an IP address from the DHCP server and ping the gateway.

96 Scenario & Hands-on 1-2 Exercise 1-2 – Transparent mode
Objectives: enable transparent mode; allow ping from WAN to LAN; allow all services from LAN to WAN.
Topology: WAN1 IP / LAN1 IP per group: Group1: / /24; Group2: / /24; ...; Group9: / /24; Group10: / /24. DHCP server IP address:

97 Scenario & Hands-on 1-3 Basic Configuration – WAN type – Static IP
Network topology: WAN1 (static) IP: /24; WAN1 gateway IP: /24; Internal LAN1 IP: /24
Note: configure the default gateway

98 Scenario & Hands-on 1-3 Basic Configuration – WAN type – Static IP
Objectives: configure the WAN type with a static IP address
The Logics of Configuration:
- Before configuring the WAN type with a static IP, reset the device to default
- Create an object for the WAN1 gateway and apply it to the WAN1 interface
- Choose the correct Action, Service, Interface and Network for the rule

99 Scenario & Hands-on 1-3 Basic Configuration – WAN type – Static IP
Create the correct gateway object under "Address Book":
1. Click "Address Book" under "Objects"
2. Add an object for IP4 Host/Network
3. Verify the IP addresses of wan1_ip and wan1net

100 Scenario & Hands-on 1-3 Basic Configuration – WAN type – Static IP
Apply the gateway object to the WAN interface:
1. Click "Ethernet" under "Interfaces"
2. Add the gateway object as "Default Gateway"

101 Scenario & Hands-on 1-3 Basic Configuration – WAN type – Static IP
Create the service rule in IP Rules:
1. Click "IP Rules" under "Rules"
2. Choose the correct Action, Service, Interface and Network for the rule

102 Scenario & Hands-on 1-3 Basic Configuration – WAN type – Static IP
After all configuration is done, click "Configuration" in the main bar, then click "Save and Activate".

103 Scenario & Hands-on 1-3 Testing Result
Basic Configuration – WAN type – Static IP: ping to the Internet (tw.yahoo.com).

104 Scenario & Hands-on 1-3 Exercise 1-3 – WAN type – Static IP
Objective: change the WAN type to a static IP address using the following addresses; use "NAT" mode to access the Internet.
WAN1 (group IP): Group1: /24; Group2: /24; ...; Group9: /24; Group10: /24. WAN1 gateway:
LAN1 (group private IP): Group1: /24; Group2: /24; ...; Group9: /24; Group10: /24

105 Scenario & Hands-on 1-4 Basic Configuration – WAN type – PPPoE
Network topology: WAN1 via PPPoE; Internal LAN1 IP: /24
Note: configure the PPPoE tunnel and apply the PPPoE tunnel to the IP rule

106 Scenario & Hands-on 1-4 Basic Configuration – WAN type – PPPoE
Objectives: configure the WAN type on a PPPoE tunnel to access the Internet in NAT mode
The Logics of Configuration:
- Create a PPPoE tunnel and apply it to the IP rule
- Choose the correct Action, Service, Interface and Network for the rule

107 Scenario & Hands-on 1-4 Basic Configuration – WAN type – PPPoE
Create a PPPoE tunnel object in "PPPoE Tunnels" under "Interfaces":
1. Click "PPPoE Tunnels" under "Interfaces"
2. Enter the correct Physical Interface, Remote Network, Username and Password in the object

108 Scenario & Hands-on 1-4 Basic Configuration – WAN type – PPPoE
Create the IP rule:
1. Click "IP Rules" under "Rules"
2. Choose the correct Action, Service, Interface and Network for the rule

109 Scenario & Hands-on 1-4 Basic Configuration – WAN type – PPPoE
After all configuration is done, click "Configuration" in the main bar, then click "Save and Activate".

110 Scenario & Hands-on 1-4 Testing Result
Basic Configuration – WAN type – PPPoE: ping to the Internet (tw.yahoo.com).

111 Scenario & Hands-on 1-4 Exercise 1-4 – WAN type – PPPoE
Objective: configure the WAN type on a PPPoE tunnel so that local users can access the Internet.
Topology: WAN1 via PPPoE; Internal LAN1 IP: /24

112 Scenario & Hands-on 1-5 Basic Configuration – WAN type – DHCP
Network topology: WAN1 via DHCP; Internal LAN1 IP: /24
Note: enable the DHCP client on the WAN interface

113 Scenario & Hands-on 1-5 Basic Configuration – WAN type – DHCP
Objectives: dynamically assign an IP to the WAN interface so that local users can access the Internet by NAT
The Logics of Configuration:
- Enable "DHCP Client" on the interface
- Create the IP rule and choose the correct Action, Service, Interface and Network for the rule

114 Scenario & Hands-on 1-5 Basic Configuration – WAN type – DHCP
Enable the DHCP client in "Ethernet" under "Interfaces":
1. Click "Ethernet" under "Interfaces"
2. Enable "DHCP Client"

115 Scenario & Hands-on 1-5 Basic Configuration – WAN type – DHCP
Create the service rule in "IP Rules":
1. Click "IP Rules" in Rules
2. Choose the correct Action, Service, Interface and Network for the rule

116 Scenario & Hands-on 1-5 Basic Configuration – WAN type – DHCP
After all configuration is done, click "Configuration" in the main bar, then click "Save and Activate".

117 Scenario & Hands-on 1-5 Testing Result
Basic Configuration – WAN type – DHCP: verify the WAN IP from "Status" in the tool bar.

118 Scenario & Hands-on 1-5 Exercise 1-5 – WAN type – DHCP
Objective: dynamically assign an IP to the WAN interface so that local users can access the Internet.
Topology: WAN1 connected to a DHCP server; Internal LAN1 IP: /24

119 Scenario & Hands-on 2-1 WAN Failover
Network topology: WAN1 via DHCP; WAN2 (static IP), WAN2 gateway IP: ; Internal LAN1 IP: /16; Internal LAN2 IP: /24; Internal LAN3 IP: /24
Note: manually add the default routes in the main routing table; enable the "Monitor" feature on the routes; WAN2 is the backup link

120 Scenario & Hands-on 2-1 WAN Failover
Objectives:
- WAN1 is the main link, WAN2 is the backup link
- When WAN1 is disconnected, all traffic goes through WAN2 to the Internet
- When WAN1 is back to normal, all traffic goes through WAN1 to the Internet
The Logics of Configuration:
- Create the routing policy in the main routing table
- Apply the routing policy between the DHCP and static IP WAN connections
- Create the IP rule and choose the correct Action, Service, Interface and Network for the rule

121 Scenario & Hands-on 2-1 WAN Failover
Enable the DHCP client in "Ethernet" under "Interfaces" (WAN1):
1. Click "Ethernet" in Interfaces
2. Uncheck "Add default route if default gateway is specified"

122 Scenario & Hands-on 2-1 WAN Failover
Create the correct gateway object for WAN2 in "Address Book" under "Objects":
1. Click "Address Book" in Objects
2. Add the object for IP4 Host/Network
3. Modify wan2_ip and wan2net

123 Scenario & Hands-on 2-1 WAN Failover
Apply the gateway object to the WAN2 interface and disable "Add default route":
1. Click "Ethernet" in Interfaces
2. Disable the default route on the interface

124 Scenario & Hands-on 2-1 WAN Failover
Combine WAN1 and WAN2 into a WAN interface group:
1. Click "Interface Groups" in Interfaces
2. Create the object and choose WAN1 and WAN2

125 Scenario & Hands-on 2-1 WAN Failover
Create the IP rule for the WAN group:
1. Click "IP Rules" in Rules
2. Choose the correct Action, Service, Interface and Network in the rule

126 Scenario & Hands-on 2-1 WAN Failover
Create the WAN1 routing rule and enable "Monitor this route":
1. Click "Main Routing Table" under "Routing"
2. Create the routing rule for WAN1
3. Choose the lower metric value and enable "Monitor this route"

127 Scenario & Hands-on 2-1 WAN Failover
Create the WAN2 routing rule and enable "Monitor this route":
1. Click "Main Routing Table" under "Routing"
2. Create the routing rule for WAN2
3. Choose the higher metric value and enable "Monitor this route"

128 Scenario & Hands-on 2-1 WAN Failover
After all configuration is done, click "Configuration" in the main bar, then click "Save and Activate".

129 Scenario & Hands-on 2-1 Exercise 2-1 – WAN Failover
Objectives: WAN1 is the main link, WAN2 is the backup link; when WAN1 is disconnected, all traffic fails over to WAN2.
Topology: WAN1 via DHCP; WAN2 with the group IP (static IP), WAN2 gateway: ; Internal LAN1 with the group IP. WAN2 / LAN1 per group: Group1: / /24; Group2: / /24; ...; Group9: / /24; Group10: / /24

130 Scenario & Hands-on 2-2 Load Sharing and WAN failover
Network topology: WAN1 via DHCP; WAN2 (static IP) IP: /24, WAN2 gateway IP: ; Internal LAN1 IP: /16; Internal LAN2 IP: /24; Internal LAN3 IP: /24
Notes: create a PBR table and apply it to the routing policy

131 Scenario & Hands-on 2-2 Load Sharing and WAN failover
Objectives:
- All services go through WAN1, but the FTP service and a specific IP range go through WAN2
- When WAN1 is disconnected, all traffic goes through WAN2 to the Internet
- When WAN1 is back to normal, all traffic goes through WAN1 to the Internet
- When WAN2 is disconnected, the specified traffic and service can still reach the Internet via WAN1
The Logics of Configuration: modify the PBR routing table and the routing rule

132 Scenario & Hands-on 2-2 Load Sharing and WAN failover
Create the IP address object specifically for LAN1:
1. Click "Address Book" under "Objects"
2. Click "Ethernet" under "Interfaces"

133 Scenario & Hands-on 2-2 Load Sharing and WAN failover
Add the route for WAN2 (static) in the PBR table:
1. Click "PBR Table" under "Routing"
2. Choose a higher metric in the PBR table and enable the monitor function

134 Scenario & Hands-on 2-2 Load Sharing and WAN failover
Add the routing rule for WAN1 in PBR:
1. Click "PBR Policy" under "Routing"
2. Choose the correct Forward table, Return table, interface and network

135 Scenario & Hands-on 2-2 Load Sharing and WAN failover
After all configuration is done, click "Configuration" in the main bar, then click "Save and Activate".

136 Scenario & Hands-on 2-2 Exercise 2-2 – Load Sharing
Topology: WAN1 via DHCP; WAN2 with static IP; Internal LAN1 IP: x.0/24
Objectives:
- Load sharing: outbound ping and traffic from the specific IP range X go out via WAN2; all other services reach the Internet via WAN1.
- Failover: when any WAN cable is unplugged, users can still access the Internet via the other WAN port.
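An added example (Python, not the firewall's own code) of the route selection behind scenarios 2-1 and 2-2: monitored default routes with a lower metric for WAN1 and a higher one for WAN2 in the main table, plus a PBR table and policy rule that steer FTP from LAN1 out through WAN2. The interface names, addresses and the fallback from the PBR table to the main table when its route is down are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    interface: str              # "wan1", "wan2" or "lan1"
    network: str                # destination CIDR; "0.0.0.0/0" is the default route
    metric: int = 100           # lower metric wins between routes of equal prefix length
    monitor: bool = False       # "Monitor this route"
    up: bool = True             # maintained by monitoring; a failed route is skipped


@dataclass
class PolicyRule:
    src_net: str                # source network the policy applies to
    service: str                # "ftp", "http", ... or "all"
    forward_table: str
    return_table: str


def _in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


class Router:
    def __init__(self) -> None:
        self.tables: Dict[str, List[Route]] = {"main": []}
        self.policies: List[PolicyRule] = []

    def add_route(self, table: str, route: Route) -> None:
        self.tables.setdefault(table, []).append(route)

    def set_link(self, interface: str, up: bool) -> None:
        """Simulate route monitoring: monitored routes over the interface follow the link."""
        for routes in self.tables.values():
            for r in routes:
                if r.monitor and r.interface == interface:
                    r.up = up

    def lookup(self, table: str, dst: str) -> Optional[Route]:
        ip = ipaddress.ip_address(dst)
        best = None
        for r in self.tables.get(table, []):
            net = ipaddress.ip_network(r.network, strict=False)
            if not r.up or ip not in net:
                continue
            key = (net.prefixlen, -r.metric)    # longest prefix first, then lowest metric
            if best is None or key > best[0]:
                best = (key, r)
        return best[1] if best else None

    def select_tables(self, src: str, service: str) -> Tuple[str, str]:
        for p in self.policies:                 # PBR policy rules are matched top down
            if p.service in ("all", service) and _in_net(src, p.src_net):
                return p.forward_table, p.return_table
        return "main", "main"

    def egress(self, src: str, dst: str, service: str) -> Optional[str]:
        """Interface a new outbound connection leaves on, or None if nothing routes it."""
        fwd_table, _ = self.select_tables(src, service)
        # Assumed table ordering: consult the PBR table first, then fall back to main.
        route = self.lookup(fwd_table, dst) or self.lookup("main", dst)
        return route.interface if route else None


def build_demo() -> Router:
    """Constructed configuration for scenario 2-2: WAN1 (DHCP) is the main link,
    WAN2 (static IP) the backup, and FTP from LAN1 is steered to WAN2 via PBR."""
    rt = Router()
    rt.add_route("main", Route("lan1", "192.168.1.0/24"))
    rt.add_route("main", Route("wan1", "0.0.0.0/0", metric=80, monitor=True))
    rt.add_route("main", Route("wan2", "0.0.0.0/0", metric=90, monitor=True))
    # The PBR table also needs the local network, otherwise FTP between two LAN1
    # hosts would match its default route and be sent out of WAN2.
    rt.add_route("pbr_wan2", Route("lan1", "192.168.1.0/24"))
    rt.add_route("pbr_wan2", Route("wan2", "0.0.0.0/0", metric=90, monitor=True))
    rt.policies.append(PolicyRule("192.168.1.0/24", "ftp", "pbr_wan2", "pbr_wan2"))
    return rt
```

Call `set_link("wan1", False)` on the demo router and `egress()` switches HTTP to WAN2; with WAN2 down, FTP falls back to WAN1 through the main table.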

137 How to enable the function of “tracer”
Step 1: Modify the value of TTL min to 1
- Click “IP Setting” of “Advanced Setting” in “System”
- Key in the smallest value (1)

138 How to enable the function of “tracer”
Step 2: Enable “Pass returned ICMP error messages from destination”
- Click “Services” in “Objects” and choose the “all_icmp” object

139 Scenario & Hands-on 3 ZoneDefense
When an infected host spreads a worm into the network, the firewall can stop the malicious traffic from flooding other subnets, but it has no way to stop the host from infecting its own subnet [subnet A].
The most effective solution: the firewall triggers the ACL in the LAN switches to filter any malicious traffic found in real time.
D-Link firewalls implement the ZoneDefense feature to perform proactive network security together with D-Link switches: the switch is told to set an ACL that blocks a specific MAC or IP address.
Diagram: firewall with DMZ and WAN; switches DES-3x26S, DES-3350SR, DES-3250TG, DES-3500 series, DES-3800 series, xStack series; subnets A, B and C; infected host in subnet A.

140 Scenario & Hands-on 3 ZoneDefense
- Unique to D-Link: it operates with D-Link switches to isolate an infected host that is generating unusual traffic on the LAN
- Uses threshold rules to examine connections through the firewall and take action on them
- The threshold rules monitor the number of connections per second
- When a pre-defined limit is reached, the firewall sends block requests to the switches configured for ZoneDefense

141 Scenario & Hands-on 3 ZoneDefense (diagram: topology with Internet connection)

142 Scenario & Hands-on 3 ZoneDefense
Topology: Internet - WAN1 IP: /24; LAN1 IP: /24; switch DGS-3324SR, switch IP: /24; two PCs
Note: Verify the model of the supporting switch; verify the IP address of the switch; verify the SNMP community between switch and firewall
Rule: Block HTTP requests exceeding 4 sessions for every host

143 The Logics of Configuration
Scenario & Hands-on 3 ZoneDefense
Objective: When the traffic of any host exceeds 4 sessions, the switch creates the ACL rule requested by the firewall to block the illegal traffic
The logic of configuration:
- Configure the switch
- Choose the correct switch model
- Exclude the switch and the administrator
- Create and configure the threshold rule

144 Scenario & Hands-on 3 ZoneDefense
Step 1: Reset the switch to default and configure its IP address (use the switch CLI)
- Key in “reset config”
- Key in “config ipif System ipaddress /24”

145 Scenario & Hands-on 3 ZoneDefense
Step 2: Verify the communication between firewall and switch and inspect the SNMP community on the switch (use the switch CLI)
- Key in “show snmp community”

146 Scenario & Hands-on 3 ZoneDefense
Step 3: Create the IP address objects for the switch and the administrator
- Click “Address Book” under “Objects”
- Add the objects as IP4 Host/Network

147 Scenario & Hands-on 3 ZoneDefense
Step 4: Create the switch object in ZoneDefense
- Click “Switches” under “ZoneDefense”
- Choose the correct switch model and key in the SNMP community
- Verify that the firewall can communicate with the switch

148 Scenario & Hands-on 3 ZoneDefense
Step 5: Exclude the switch and the administrator
- Click “Exclude” under “ZoneDefense”
- Choose the correct objects

149 Scenario & Hands-on 3 ZoneDefense
Step 6: Create the threshold rule in ZoneDefense
- Click “Threshold” under “ZoneDefense”
- Choose the correct interface and network
- Key in the threshold condition (the host-based value must be smaller than the network-based value)

150 Scenario & Hands-on 3 ZoneDefense
Step 7: After all configuration, click “Configuration” in the main bar, then click “Save and Activate”

151 Scenario & Hands-on 3 ZoneDefense Testing Result
Block status from the firewall; block status from the switch

152 Exercise-3 ZoneDefense
Scenario & Hands-on 3 Exercise-3 ZoneDefense
Topology: Internet - WAN1 (DHCP); LAN1 IP: group IP address; switch DGS-3324SR, switch IP: an IP in the same segment as the LAN1 IP; two PCs
Objective: When the web traffic of any host exceeds 2 sessions, the switch creates the ACL rule requested by the firewall to block the illegal traffic
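The threshold-rule logic of slides 140 and 149 as an added example (not D-Link code, and simplified): connections per source host and per network are counted in a one-second sliding window, a host over the host limit produces a block action (the address the firewall would hand to the switch as an ACL entry), excluded addresses such as the switch and the administrator are never blocked, and the host value must be below the network value. The 192.168.1.0/24 addresses, the connection log and the network limit of 50 are constructed.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Tuple


class ThresholdRule:
    """ZoneDefense-style threshold rule (added, simplified model).

    Counts new connections to one service per source host, and for the whole
    network, inside a sliding window of `window_s` seconds. A host above the
    host limit gets a block action; excluded addresses are never blocked.
    """

    def __init__(self, network: str, service_port: int, host_limit: int,
                 network_limit: int, exclude: List[str], window_s: float = 1.0):
        if host_limit >= network_limit:
            # slide 149: the host-based value must be smaller than the network value
            raise ValueError("host-based threshold must be smaller than network-based threshold")
        self.network = ip_network(network)
        self.port = service_port
        self.host_limit = host_limit
        self.network_limit = network_limit
        self.exclude = {ip_address(a) for a in exclude}
        self.window = window_s
        self.per_host: Dict[str, Deque[float]] = defaultdict(deque)
        self.per_network: Deque[float] = deque()
        self.blocked: set = set()
        self.network_alerted = False

    def _prune(self, stamps: Deque[float], now: float) -> None:
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()

    def observe(self, ts: float, src_ip: str, dst_port: int) -> List[Tuple[str, str]]:
        """Feed one new connection; return the ZoneDefense actions it triggers."""
        actions: List[Tuple[str, str]] = []
        src = ip_address(src_ip)
        if dst_port != self.port or src not in self.network:
            return actions                      # rule does not apply to this connection
        host_stamps = self.per_host[src_ip]
        host_stamps.append(ts)
        self._prune(host_stamps, ts)
        self.per_network.append(ts)
        self._prune(self.per_network, ts)
        if (len(host_stamps) > self.host_limit and src not in self.exclude
                and src_ip not in self.blocked):
            self.blocked.add(src_ip)
            actions.append(("block_host", src_ip))   # ACL request pushed to the switch
        if len(self.per_network) > self.network_limit and not self.network_alerted:
            self.network_alerted = True
            actions.append(("network_threshold", str(self.network)))
        return actions


def run_lab() -> dict:
    """Scenario 3 rule: block HTTP above 4 sessions per host (constructed addresses)."""
    rule = ThresholdRule("192.168.1.0/24", 80, host_limit=4, network_limit=50,
                         exclude=["192.168.1.2", "192.168.1.10"])  # switch, admin PC
    # constructed connection log: (timestamp in seconds, source IP, destination port)
    events = [(0.1 * i, "192.168.1.20", 80) for i in range(5)]          # 5 sessions in 0.5 s
    events += [(1.0 + 0.1 * i, "192.168.1.21", 80) for i in range(4)]   # exactly 4: allowed
    events += [(2.0 + 0.1 * i, "192.168.1.2", 80) for i in range(6)]    # switch: excluded
    events += [(3.0 + 0.5 * i, "192.168.1.22", 80) for i in range(8)]   # 8, but spread out
    events += [(7.0, "192.168.1.23", 21)]                                # FTP: other service
    actions: List[Tuple[str, str]] = []
    for ts, src, port in events:
        actions += rule.observe(ts, src, port)
    return {"actions": actions, "blocked": sorted(rule.blocked)}


if __name__ == "__main__":
    print(run_lab())   # {'actions': [('block_host', '192.168.1.20')], 'blocked': ['192.168.1.20']}
```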

153 Scenario & Hands-on 4-1 Port mapping for server
Network topology: WAN1 IP: /24; FTP server public IP: /24; FTP server private IP: /24 (DMZ); internal LAN1 IP: /24, internal LAN2 IP: /24, internal LAN3 IP: /24
Note: Add the additional public IP address in the “ARP table”; verify the sequence of the IP rules

154 The Logic of Configuration
Scenario & Hands-on 4-1 Port mapping for server
Objective: Access the FTP server by its public IP address ( )
The logic of configuration:
- Create objects for the public and private IP addresses of the FTP server
- Create an ARP object in the ARP Table
- Create the IP rules (SAT and Allow) for the FTP server

155 Scenario & Hands-on 4-1 Port mapping for server
Step 1: Add the objects for both the public and the virtual (private) IP address of the FTP server
- Click “Address Book” under “Objects”
- Key in the correct IP addresses

156 Scenario & Hands-on 4-1 Port mapping for server
Step 2: Create the object in the ARP Table
- Click “ARP Table” under “Interfaces”
- Apply the object with the FTP public IP address

157 Scenario & Hands-on 4-1 Port mapping for server
Step 3: Create the IP rule that maps the FTP server (SAT)
- Click “IP Rule” under “Rules”
- Choose the correct Action, Service, Interface, SAT setting and Network for the rule

158 Scenario & Hands-on 4-1 Port mapping for server
Step 4: Create the IP rule that allows traffic to the FTP server (Allow FTP)
- Click “IP Rule” under “Rules”
- Choose the correct Action, Service, Interface and Network for the rule

159 Scenario & Hands-on 4-1 Port mapping for server
Step 5: After all configuration, click “Configuration” in the main bar, then click “Save and Activate”

160 Successfully logging in to the FTP server
Scenario & Hands-on 4-1 Port mapping for server: successfully logging in to the FTP server (topology)

161 Scenario & Hands-on 4-1 Exercise 4-1 - Port mapping for server
Topology: WAN1: DHCP; FTP server public IP: group public IP address; FTP server private IP: group private IP (DMZ); DMZ IP: ; DMZ port: DFL-800: port DMZ, DFL-1600: port #3, DFL-2500: port #5
FTP server public IP: Group1: /24, Group2: /24 ... Group9: /24, Group10: /24; FTP server private IP: /24
Objective: Access the FTP server by the group’s public IP address successfully

162 Scenario & Hands-on 4-2 SAT in PPPoE connection
Network topology: WAN1 (PPPoE); FTP server in the DMZ; internal LAN1 IP: /24, internal LAN2 IP: /24, internal LAN3 IP: /24
Note: Add the PPPoE tunnel under Interfaces; verify the sequence of the IP rules

163 The Logic of Configuration
Scenario & Hands-on 4-2 SAT in PPPoE connection
Objective: When using a PPPoE connection, the internal FTP server can be accessed from the public Internet
The logic of configuration:
- Create the PPPoE connection object
- Create the private IP address object for the FTP server
- Create the IP rules (SAT and Allow) for the FTP server

164 Scenario & Hands-on 4-2 SAT in PPPoE connection
Step 1: Create a PPPoE tunnel object
- Click “PPPoE Tunnels” under “Interfaces”
- Apply the correct Physical Interface, Remote Network, Username and Password in the object

165 Scenario & Hands-on 4-2 SAT in PPPoE connection
Step 2: Add the object for the virtual (private) IP address of the FTP server
- Click “Address Book” under “Objects”
- Key in the correct IP address

166 Scenario & Hands-on 4-2 SAT in PPPoE connection
Step 3: With the PPPoE connection as the interface, create the IP rule that maps the FTP server (SAT)
- Click “IP Rule” under “Rules”
- Choose the correct Action, Service, Interface, SAT setting and Network for the rule

167 Scenario & Hands-on 4-2 SAT in PPPoE connection
Step 4: Create the IP rule that allows traffic to the FTP server (Allow FTP)
- Click “IP Rule” under “Rules”
- Choose the correct Action, Service, Interface and Network for the rule

168 Scenario & Hands-on 4-2 SAT in PPPoE connection
Step 5: After all configuration, click “Configuration” in the main bar, then click “Save and Activate”

169 Successfully logging in to the FTP server
Scenario & Hands-on 4-2 SAT in PPPoE connection: successfully logging in to the FTP server (topology)

170 Scenario & Hands-on 4-2 Exercise 4-2 - SAT in PPPoE connection
Topology: WAN1: PPPoE; FTP server public IP: group public IP address; FTP server private IP: group private IP (DMZ); DMZ IP: ; DMZ port: DFL-800: port DMZ, DFL-1600: port #3, DFL-2500: port #5
FTP server public IP: Group1: /24, Group2: /24 ... Group9: /24, Group10: /24; FTP server private IP: /24
Objective: Access the FTP server by the group’s public IP address successfully

171 Scenario & Hands-on 4-3 SAT and server load balance
Network topology: WAN1 IP: /24; FTP servers public IP: /24; FTP Server-1 and FTP Server-2 in the DMZ; internal LAN1 IP: /24, internal LAN2 IP: /24, internal LAN3 IP: /24
Note: Add the additional public IP address in the “ARP table”; verify the sequence of the IP rules

172 The Logic of Configuration
Scenario & Hands-on 4-3 SAT and server load balance
Objective: Access two FTP servers by one public IP address ( )
The logic of configuration:
- Create objects for the public and private IP addresses of the two FTP servers
- Create an ARP object in the ARP Table
- Create the IP rules (SAT_SLB and Allow) for the FTP servers

173 Scenario & Hands-on 4-3 SAT and server load balance
Step 1: Add the public IP address object shared by the two FTP servers
- Click “Address Book” under “Objects”
- Key in the correct IP address

174 Scenario & Hands-on 4-3 SAT and server load balance
Step 2: Add two virtual IP address objects, one for each FTP server
- Click “Address Book” under “Objects”
- Key in the correct IP addresses

175 Scenario & Hands-on 4-3 SAT and server load balance
Step 3: Apply the public IP address object to the ARP Table
- Click “ARP Table” under “Interfaces”
- Apply the object with the FTP public IP address

176 Scenario & Hands-on 4-3 SAT and server load balance
Step 4: Create the IP rule for the FTP servers (SLB_SAT)
- Click “IP Rule” in Rules
- Choose the correct Action, Service, Interface, SLB_SAT setting and Network in the rule

177 Scenario & Hands-on 4-3 SAT and server load balance
Step 5: Create the IP rule that allows traffic to the FTP servers (Allow FTP)
- Click “IP Rule” in Rules
- Choose the correct Action, Service, Interface and Network in the rule

178 Scenario & Hands-on 4-3 SAT and server load balance
Step 6: After all configuration, click “Configuration” on the main menu bar, then click “Save and Activate”

179 Scenario & Hands-on 4-3 Exercise 4-3 - SAT and server load balance
Topology: WAN1: DHCP; FTP servers public IP: group public IP; FTP Server-1: group private IP-1; FTP Server-2: group private IP-2 (DMZ)
FTP server public IP: Group1: /24, Group2: /24 ... Group9: /24, Group10: /24; FTP server private IP-1: /24; DMZ: FTP server private IP-2: Group1: /24
Objective: Access the two FTP servers by the group’s public IP address successfully
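Why the notes in scenarios 4-1 and 4-3 insist on "verify the sequence of IP rule": this added example (not D-Link code) models first-match rule lookup in which a matching SAT rule only rewrites the destination and lookup continues until an Allow rule accepts the connection. It shows the correct SAT-then-Allow order, the Allow-before-SAT mistake that silently skips the translation, SAT with no Allow rule, and SAT_SLB spreading connections over two servers. The public address 203.0.113.10, the DMZ servers 10.0.0.5/10.0.0.6, the interface names and round-robin as the SLB algorithm are constructed assumptions; the destination interface is "core" because, as slide 182 says, the core owns the published public address.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src_if: str
    src_ip: str
    dst_if: str      # 'core' when the destination is an address the firewall itself owns
    dst_ip: str
    service: str


@dataclass
class IPRule:
    name: str
    action: str               # 'SAT', 'SAT_SLB', 'Allow', 'NAT' or 'Drop'
    service: str              # 'ftp', 'all', ...
    src_if: str
    dst_if: str
    dst_ip: str
    sat_targets: Tuple[str, ...] = ()   # new destination(s) for SAT / SAT_SLB

    def matches(self, p: Packet) -> bool:
        return (self.service in ("all", p.service) and self.src_if == p.src_if
                and self.dst_if == p.dst_if and self.dst_ip == p.dst_ip)


class RuleSet:
    """First-match IP rule evaluation with the SAT two-pass behaviour: a matching
    SAT rule rewrites the destination and lookup continues until a second rule
    (Allow/NAT/Drop) decides whether the translated connection is permitted."""

    def __init__(self, rules: List[IPRule]):
        self.rules = rules
        self._rr: Dict[str, int] = {}   # round-robin position per SAT_SLB rule

    def _pick_server(self, rule: IPRule) -> str:
        i = self._rr.get(rule.name, 0)
        self._rr[rule.name] = (i + 1) % len(rule.sat_targets)
        return rule.sat_targets[i]

    def evaluate(self, p: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, translated destination or None)."""
        translated: Optional[str] = None
        for rule in self.rules:
            if not rule.matches(p):
                continue
            if rule.action in ("SAT", "SAT_SLB"):
                if translated is None:          # only the first SAT match translates
                    translated = (self._pick_server(rule) if rule.action == "SAT_SLB"
                                  else rule.sat_targets[0])
                continue                        # keep looking for the Allow/NAT rule
            return rule.action, translated
        return "Drop", translated               # no matching rule: default deny


PUBLIC_FTP = "203.0.113.10"                   # constructed public address, published via ARP
SERVER_1, SERVER_2 = "10.0.0.5", "10.0.0.6"   # constructed DMZ addresses


def ftp_packet() -> Packet:
    return Packet("wan1", "198.51.100.7", "core", PUBLIC_FTP, "ftp")


def sat_rule(targets: Tuple[str, ...], action: str = "SAT") -> IPRule:
    return IPRule("ftp_sat", action, "ftp", "wan1", "core", PUBLIC_FTP, targets)


def allow_rule() -> IPRule:
    return IPRule("ftp_allow", "Allow", "ftp", "wan1", "core", PUBLIC_FTP)


def sat_then_allow() -> Tuple[str, Optional[str]]:
    """Correct order from scenario 4-1: SAT first, then Allow."""
    return RuleSet([sat_rule((SERVER_1,)), allow_rule()]).evaluate(ftp_packet())


def allow_then_sat() -> Tuple[str, Optional[str]]:
    """Wrong order: Allow matches first, so the SAT rule is never reached."""
    return RuleSet([allow_rule(), sat_rule((SERVER_1,))]).evaluate(ftp_packet())


def sat_without_allow() -> Tuple[str, Optional[str]]:
    """SAT alone: the destination is rewritten but nothing permits the connection."""
    return RuleSet([sat_rule((SERVER_1,))]).evaluate(ftp_packet())


def slb_three_connections() -> List[Optional[str]]:
    """Scenario 4-3: SAT_SLB spreads successive connections over two servers."""
    rs = RuleSet([sat_rule((SERVER_1, SERVER_2), "SAT_SLB"), allow_rule()])
    return [rs.evaluate(ftp_packet())[1] for _ in range(3)]
```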

180 Scenario & Hands-on 5 Process of authentication
Runtime Authentication configuration: process of authentication (diagram: HTTP request from the user, through the firewall, to the Internet)

181 Scenario & Hands-on 5 Runtime Authentication configuration
Authorizes users to access the Internet, LAN and intranet services, either through the local database or a RADIUS server. The user authentication rules must be saved and activated for the settings to apply.

182 Scenario & Hands-on 5 Runtime Authentication configuration
Diagram: the Core owns the IP addresses 192.168.10.1 and 10.0.100.97 (the WAN and LAN interface addresses)

183 Scenario & Hands-on 5 Runtime Authentication configuration
Network topology: WAN1 IP: /24; LAN1 IP: /24; switch DES-3226S, switch IP: /24; authenticated user PCs accessing the Internet
Note: Modify the Web UI HTTP port; verify the sequence of the IP rules

184 The Logic of Configuration
Scenario & Hands-on 5 Runtime Authentication configuration
Objectives:
- When a user opens a web browser, a login screen pops up automatically and asks for credentials. Services are allowed after authentication.
- Users can log out manually, or they are logged out automatically when the preset idle time is reached.
The logic of configuration:
- Change the Web UI HTTP port
- Create an object for the specific traffic network
- Create a local user database
- Create the IP rules for authentication

185 Scenario & Hands-on 5 Runtime Authentication configuration
Step 1: Change the remote management HTTP port to avoid a port conflict
- Click “Remote Management”, then click “modify advanced setting”
- Change the WebUI HTTP port

186 Scenario & Hands-on 5 Runtime Authentication configuration
Step 2: Create the user database for authentication
- Click “Local User Database” in User Authentication
- Key in the authenticated user (user name/password)

187 Scenario & Hands-on 5 Runtime Authentication configuration
Step 3: Create the User Authentication Rules
- Click “User Authentication Rules” in User Authentication
- Choose the corresponding settings

188 Scenario & Hands-on 5 Runtime Authentication configuration
Step 4: Create the User Authentication Rules (continued)
- Click “User Authentication Rules” in User Authentication
- Choose the corresponding settings

189 Scenario & Hands-on 5 Runtime Authentication configuration
Step 5: Create the IP address object for authenticating users
- Click “Address Book” in Objects
- Add an object for authenticating users
- Key in the correct IP address and group name

190 Scenario & Hands-on 5 Runtime Authentication configuration
Step 6: Create the “Allow” rule (rule-1)
- Click “IP Rule” in Rules
- Choose the correct Action, Service, Interface and Network in the rule

191 Scenario & Hands-on 5 Runtime Authentication configuration
Step 7: Create the “NAT-DNS” rule (rule-2)
- Click “IP Rule” in Rules
- Choose the correct Action, Service, Interface and Network in the rule

192 Scenario & Hands-on 5 Runtime Authentication configuration
Step 8: Create the “NAT-all_service” rule (rule-3)
- Click “IP Rule” in Rules
- Choose the correct Action, Service, Interface and Network in the rule

193 Scenario & Hands-on 5 Runtime Authentication configuration
Step 9: Create the “SAT” rule (rule-4)
- Click “IP Rule” in Rules
- Choose the correct Action, Service, Interface and Network in the rule

194 Scenario & Hands-on 5 Runtime Authentication configuration
Step 10: Create the “Allow” rule (rule-5)
- Click “IP Rule” in Rules
- Choose the correct Action, Service, Interface and Network in the rule

195 Scenario & Hands-on 5 Runtime Authentication configuration
Step 11: After all configuration, click “Configuration” on the main menu bar, then click “Save and Activate”

196 Scenario & Hands-on 5 Runtime Authentication configuration
Purpose of the five rules (diagram labels Action1 to Action3):
- rule-1 (Allow): allow the manual log-out web page
- rule-2 (NAT-DNS): allow the user to look up DNS
- rule-3 (NAT-all_service): allow authorized users to use networking services
- rule-4 (SAT): all HTTP traffic is mapped to the firewall LAN1 IP address
- rule-5 (Allow): allow the HTTP traffic mapped to the LAN1 IP address

197 Scenario & Hands-on 5 Runtime Authentication configuration
Testing Result

198 Exercise 5 - Runtime Authentication configuration
Scenario & Hands-on 5 Exercise 5 - Runtime Authentication configuration
Topology: WAN1 (DHCP); LAN1 IP: /24; switch DES-3226S, switch IP: /24; authenticated user PCs accessing the Internet
Objectives:
- The specific user or network must be authorized before accessing the Internet
- Users can log out manually, or they are logged out automatically when the preset idle time is reached

199 Scenario & Hands-on 6 Traffic Shaping Pipes concept

200 The Concept of Dynamic balancing
Scenario & Hands-on 6 Traffic Shaping - The Concept of Dynamic balancing: this diagram shows a pipe without dynamic balancing

201 The Concept of Dynamic balancing
Scenario & Hands-on 6 Traffic Shaping - The Concept of Dynamic balancing: this diagram shows the same pipe when the dynamic balancing function is used

202 The Concept of Precedence
Scenario & Hands-on 6 Traffic Shaping - The Concept of Precedence: a pipe with the precedence levels Highest, High, Medium and Low

203 Bandwidth of a leased line with 1Mbps in both directions (two pipes)
Scenario & Hands-on 6 Traffic Shaping - Concept of Design (Pipe 1Mbps): a leased line with 1Mbps in both directions is modelled as two pipes, one per direction. The pipe throughput should be set lower than the physical link!

204 Concept of Design (Pipe 1Mbps) - download
Scenario & Hands-on 6 Traffic Shaping - Concept of Design (Pipe 1Mbps) - download: inside the 1Mbps pipe, HTTP 250Kbps at Highest precedence, FTP 250Kbps at High precedence, SMTP 500Kbps at Low precedence

205 Scenario & Hands-on 6 Traffic Shaping Pipes
- All measuring, limiting, guaranteeing and balancing is carried out in pipes.
- A pipe by itself is meaningless unless it is put into use in the Rules section.
- Each rule can pass traffic through one or more pipes, in a precedence (priority) of your choice.

206 Determine the bandwidth of precedence
Scenario & Hands-on 6 Traffic Shaping - Precedence: determine the bandwidth of each precedence level

207 Scenario & Hands-on 6 Traffic Shaping Pipe rules
Plan your traffic shaping requirements. If you do not know how traffic should be limited, prioritized, guaranteed or distributed, you will likely find the configuration work more confusing than helpful.

208 Scenario & Hands-on 6 Traffic Shaping Precedence Assign precedence

209 Scenario & Hands-on 6 Traffic Shaping
Network topology: External - WAN1 - firewall - internal LAN1. Bandwidth of the leased line: download 1Mbps, upload 1Mbps.
1. For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500Kb.
2. For inbound and outbound POP3, the guaranteed bandwidth is 300Kb (maximum bandwidth is 1000Kb).
3. For other inbound and outbound services, the remaining bandwidth is used.
4. All of the above services have dedicated bandwidth values.
Note: Before using traffic shaping for a specified application, make sure that the IP rule for that application has been created.

210 The logic of Configuration
Scenario & Hands-on 6 Traffic Shaping
Objectives:
- For inbound and outbound HTTP and HTTPS, the maximum bandwidth is 500Kb.
- For inbound and outbound POP3, the guaranteed bandwidth is 300Kb (maximum bandwidth is 1000Kb).
- For other inbound and outbound services, the remaining bandwidth is used.
- All of the above services have dedicated bandwidth values.
The logic of configuration:
- Make sure the IP rules exist
- Create the pipe objects
- Create the pipe rules
- Choose the correct Action, Service, Interface and Network in each rule
- Key in the correct Precedence and total bandwidth values

211 Scenario & Hands-on 6 Traffic Shaping
Step 1: Create the input pipe object (the pipe standard-in)
- Click “Pipes” in Traffic Shaping
- Key in the corresponding Precedence and total bandwidth values

212 Scenario & Hands-on 6 Traffic Shaping
Step 2: Create the output pipe object (the outbound pipe)
- Click “Pipes” in Traffic Shaping
- Key in the corresponding Precedence and total bandwidth values

213 Scenario & Hands-on 6 Traffic Shaping
Step 3: Create the HTTP input pipe object (the pipe HTTP-in)
- Click “Pipes” in Traffic Shaping
- Key in the corresponding Precedence and total bandwidth values

214 Scenario & Hands-on 6 Traffic Shaping
Step 4: Create the HTTP output pipe object (the pipe HTTP-out)
- Click “Pipes” in Traffic Shaping
- Key in the correct Precedence and total bandwidth values

215 Scenario & Hands-on 6 Traffic Shaping
Step 5: Create the HTTP pipe rule
- Click “Pipe Rules” in Traffic Shaping
- Key in the corresponding Precedence and bandwidth values

216 Scenario & Hands-on 6 Traffic Shaping
Step 6: Create the POP3 input pipe object (the pipe POP3-in)
- Click “Pipes” in Traffic Shaping
- Key in the corresponding Precedence and total bandwidth values

217 Scenario & Hands-on 6 Traffic Shaping
Step 7: Create the POP3 output pipe object (the pipe POP3-out)
- Click “Pipes” in Traffic Shaping
- Key in the corresponding Precedence and total bandwidth values

218 Scenario & Hands-on 6 Traffic Shaping
Step 8: Create the POP3 pipe rule
- Click “Pipe Rules” in Traffic Shaping
- Choose the correct Action, Service, Interface and Network in the rule

219 Scenario & Hands-on 6 Traffic Shaping
Step 9: Create the pipe rule for the other services
- Click “Pipe Rules” in Traffic Shaping
- Choose the correct Action, Service, Interface and Network in the rule

220 Scenario & Hands-on 6 Traffic Shaping
Step 10: After all configuration, click “Configuration” on the main menu bar, then click “Save and Activate”

221 Scenario & Hands-on 6 Traffic Shaping
Before using traffic shaping for a specified application, make sure that the IP rule for that application has been created.

222 Scenario & Hands-on 6 Traffic Shaping
First step: Create two pipes (one per direction) for the physical WAN link
Second step: Create two pipes (one per direction) for each specified application

223 Scenario & Hands-on 6 Traffic Shaping
Third step: Create the pipe rules for the specified applications

224 Exercise 6 - Traffic Shaping
Scenario & Hands-on 6 Exercise 6 - Traffic Shaping
Topology: External - WAN1 - firewall - internal LAN1. Bandwidth of the leased line: download 1Mbps, upload 1Mbps.
Objectives:
- For inbound and outbound SMTP, the maximum bandwidth is 400Kb.
- For inbound and outbound FTP, the guaranteed bandwidth is 250Kb (maximum bandwidth is 500Kb).
- For other inbound and outbound services, the maximum bandwidth is 350Kb.
- All of the above services have dedicated bandwidth values.
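How a pipe hands out bandwidth by precedence, as an added example that is not part of the training material: precedences are served from highest to lowest, each with an optional per-precedence limit, demand above a limit drops to the best-effort precedence, and unused bandwidth flows down to whoever still has demand (the dynamic balancing of slides 200 to 206). It works through the slide 204 download pipe and the slide 209 scenario, where chaining a 500Kbps HTTP pipe in front of the 1Mbps link pipe caps HTTP and a Highest-precedence limit of 300Kbps guarantees POP3. Precedence numbering 0 (lowest) to 7 (highest) and all demand figures are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

BEST_EFFORT = 0   # lowest precedence; demand above a precedence limit ends up here


@dataclass
class Flow:
    name: str
    precedence: int      # 0 (lowest) .. 7 (highest), an assumed numbering
    demand_kbps: float   # what the flow is currently trying to send


@dataclass
class Pipe:
    name: str
    total_kbps: float
    precedence_limits: Dict[int, float] = field(default_factory=dict)

    def allocate(self, flows: List[Flow]) -> Dict[str, float]:
        """Serve precedences from highest to lowest. Demand above a precedence
        limit (or above what the pipe has left) is pushed down to best effort,
        which shares whatever the higher precedences did not use."""
        granted = {f.name: 0.0 for f in flows}
        spill = {f.name: (f.demand_kbps if f.precedence == BEST_EFFORT else 0.0)
                 for f in flows}
        remaining = self.total_kbps
        levels = sorted({f.precedence for f in flows if f.precedence != BEST_EFFORT},
                        reverse=True)
        for level in levels:
            group = [f for f in flows if f.precedence == level]
            demand = sum(f.demand_kbps for f in group)
            cap = min(demand, self.precedence_limits.get(level, demand), remaining)
            for f in group:
                share = cap * f.demand_kbps / demand if demand else 0.0
                granted[f.name] += share
                spill[f.name] += f.demand_kbps - share   # overflow to best effort
            remaining -= cap
        demand = sum(spill.values())
        cap = min(demand, self.precedence_limits.get(BEST_EFFORT, demand), remaining)
        for name, d in spill.items():
            granted[name] += cap * d / demand if demand else 0.0
        return granted


def shape(service_pipes: Dict[str, Pipe], link_pipe: Pipe,
          flows: List[Flow]) -> Dict[str, float]:
    """Pipe chaining as in the scenario: a flow first passes its own service
    pipe (e.g. HTTP-in, 500 Kbps) and only what that pipe lets through is
    offered to the shared link pipe (standard-in, 1 Mbps)."""
    offered = []
    for f in flows:
        demand = f.demand_kbps
        if f.name in service_pipes:
            demand = service_pipes[f.name].allocate([f])[f.name]
        offered.append(Flow(f.name, f.precedence, demand))
    return link_pipe.allocate(offered)


def slide_204_download(smtp_busy: bool = True) -> Dict[str, float]:
    """1 Mbps download pipe: HTTP 250 Kbps at Highest, FTP 250 Kbps at High,
    SMTP at Low; the demands are constructed to oversubscribe the pipe."""
    pipe = Pipe("standard-in", 1000, {7: 250, 6: 250})
    flows = [Flow("HTTP", 7, 400), Flow("FTP", 6, 300),
             Flow("SMTP", BEST_EFFORT, 800 if smtp_busy else 0)]
    return pipe.allocate(flows)


def scenario_209_inbound() -> Dict[str, float]:
    """HTTP capped at 500 Kbps by its own pipe; POP3 guaranteed 300 Kbps via a
    Highest-precedence limit in the link pipe; everything else best effort."""
    link = Pipe("standard-in", 1000, {7: 300})
    service = {"HTTP": Pipe("HTTP-in", 500), "POP3": Pipe("POP3-in", 1000)}
    flows = [Flow("HTTP", BEST_EFFORT, 900), Flow("POP3", 7, 600),
             Flow("other", BEST_EFFORT, 600)]
    return shape(service, link, flows)


if __name__ == "__main__":
    print(slide_204_download())        # HTTP 325, FTP 275, SMTP 400
    print(slide_204_download(False))   # SMTP idle: HTTP 400, FTP 300
    print(scenario_209_inbound())      # HTTP 250, POP3 450, other 300
```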

225 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Network topology: PPTP client IP: /24 - VPN tunnel - WAN1 (DHCP) IP: /24 - DFL-1600 - internal LAN1 IP: /24, internal LAN2 IP: /24, internal LAN3 IP: /24
Note: Choose the correct inner IP address and outer interface filter for the PPTP tunnel

226 The logic of configuration
Scenario & Hands-on 7-1 VPN Configuration-PPTP
Objectives:
- The user dials up to the firewall with the Windows PPTP client software
- The dial-up user communicates with LAN1 of the firewall
The logic of configuration:
- Create objects for the PPTP server IP address and the IP address range
- Create the authentication database
- Configure the PPTP server
- Create the IP rule for the PPTP tunnel

227 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Step 1: Create objects for the PPTP server IP address and the IP address range
- Click “Address” in Objects
- Key in the corresponding IP addresses

228 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Step 2: Create the local database for PPTP authentication
- Click “Local User Databases” in User Authentication
- Key in the correct Username and Password

229 Scenario & Hands-on 7-1 VPN Configuration-PPTP Create PPTP tunnel
Step 3: Create the PPTP tunnel
- Click “PPTP/L2TP Servers” in Interfaces
- Choose the corresponding configuration

230 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Step 4: Create the User Authentication Rules for the PPTP tunnel
- Click “User Authentication Rules” in User Authentication
- Choose the corresponding configuration
- Enable the Log setting and choose the local user database

231 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Step 5: Create the IP rules for the PPTP tunnel
- Click “IP Rules” in Rules
- Choose the corresponding configuration
- Enable the Log setting

232 Scenario & Hands-on 7-1 VPN Configuration-PPTP
Step 6: After all configuration, click “Configuration” on the main menu bar, then click “Save and Activate”

233 Scenario & Hands-on 7-1 VPN Configuration-PPTP Testing Result

234 Scenario & Hands-on 7-1 Exercise 7-1 - VPN Configuration-PPTP
Topology: PPTP client - VPN tunnel - WAN1 (DHCP IP) - DFL-1600 - internal LAN1 IP: /24, internal LAN2 IP: /24, internal LAN3 IP: /24
Objectives:
- Use the Windows client to dial up PPTP
- Ping the IP address of the LAN of the firewall

235 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Network topology: L2TP/IPsec client - VPN tunnel - WAN1 (DHCP) - DFL-1600 - internal LAN1 IP: /24, internal LAN2 IP: /24, internal LAN3 IP: /24
Note: L2TP/IPsec must use transport mode; choose the correct local net and remote net for the IPsec tunnel; choose the correct inner IP address and outer interface filter for the L2TP tunnel

236 The logic of configuration
Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Objectives:
- The user dials up to the firewall with the Windows L2TP/IPsec client software
- The dial-up user communicates with LAN1 of the firewall
The logic of configuration:
- Create objects for the L2TP server IP address and the IP address range
- Create the authentication database
- Configure the IPsec tunnel
- Configure the L2TP server
- Create the IP rule for the L2TP tunnel

237 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Step 1: Create objects for the L2TP server IP address and the IP address range
- Click “Address” in Objects
- Key in the corresponding IP addresses

238 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Step 2: Create the local database for L2TP authentication
- Click “Local User Databases” in User Authentication
- Key in the correct Username and Password

239 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Step 3: Create the pre-shared key for L2TP
- Click “Pre-Shared Keys” in VPN Objects
- Key in the corresponding value

240 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Step 4: Create the IPsec tunnel
- Click “IPsec Tunnels” in Interfaces
- Choose the corresponding configuration

241 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Step 5: Verify the IPsec tunnel
- Click “Authentication” in this IPsec tunnel
- Apply the pre-shared key to this IPsec tunnel

242 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Step 6: Verify the IPsec tunnel
- Click “Routing” in this IPsec tunnel
- Enable “Dynamically add routes to remote network when a tunnel is established” in this IPsec tunnel

243 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Step 7: Verify the IPsec tunnel
- Click “Advanced” in this IPsec tunnel
- Disable “Add route for remote network” in this IPsec tunnel

244 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Step 8: Create the L2TP tunnel
- Click “PPTP/L2TP Servers” in Interfaces
- Choose the corresponding configuration

245 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Step 9: Create the User Authentication Rules for the L2TP tunnel
- Click “User Authentication Rules” in User Authentication
- Choose the corresponding configuration
- Enable the Log setting and choose the local user database

246 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Step 10: Create the IP rules for the L2TP tunnel
- Click “IP Rules” in Rules
- Choose the corresponding configuration
- Enable the Log setting

247 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec
Step 11: After all configuration, click “Configuration” on the main menu bar, then click “Save and Activate”

248 Scenario & Hands-on 7-2 VPN Configuration-L2TP/IPsec Testing Result

249 Scenario & Hands-on 7-2 Exercise 7-2 - VPN Configuration-L2TP/IPsec
Topology: L2TP/IPsec client - VPN tunnel - WAN1 (DHCP IP) - DFL-1600 - internal LAN1 IP: /24, internal LAN2 IP: /24, internal LAN3 IP: /24
Objectives:
- The user dials up to the firewall with the Windows L2TP/IPsec client software
- Ping the IP address of the LAN of the firewall

250 VPN Objects - Pre Shared Keys
Scenario & Hands-on 7-3 VPN Configuration - IPsec, VPN Objects - Pre Shared Keys
- Used by the peers to authenticate VPN tunnels
- Two ways to enter the PSK: ASCII and HEX
- ASCII: type in a passphrase
- HEX: type in a passphrase and use “Generate” to derive the hex key from it

251 Scenario & Hands-on 7-3 VPN Configuration - IPsec, VPN Objects - LDAP
For certificate-based authentication to be established over the VPN, the CA certificate needs to be downloaded to the LDAP server

252 Scenario & Hands-on 7-3 VPN Configuration - IPsec, ID Lists
- The concept of ID Lists is to manage and control which VPN clients and gateways may connect
- Mobile clients can be restricted from accessing internal networks by ID Lists

253 Scenario & Hands-on 7-3 VPN Configuration - IPsec, IKE/IPsec Algorithms
- Predefined IKE and IPsec algorithm sets are available by default: High (very secure) and Medium (secure)
- You can define your own algorithm sets

254 Scenario & Hands-on 7-3 VPN Configuration - IPsec Network topology
Topology: DFL-1600 (remote), WAN1 IP: /24, remote LAN / internal LAN IP: /24 - VPN tunnel - DFL-1600 (local), WAN1 static IP: /24, internal LAN1 IP: /24, internal LAN2 IP: /24, internal LAN3 IP: /24
Note: Use the same pre-shared key and algorithms in both IPsec settings; choose the correct local net and remote net for the IPsec tunnel

255 The logic of configuration
Scenario & Hands-on 7-3 VPN Configuration-IPsec
Objectives:
- Two firewalls communicate with each other through an IPsec tunnel
- A client on the local net pings a client on the remote net
The logic of configuration:
- Create the VPN object (pre-shared key)
- Configure the IPsec tunnel
- Create the IP rule for the IPsec tunnel

256 Scenario & Hands-on 7-3 VPN Configuration - IPsec
Step 1: Create objects for the remote gateway IP address and the remote network
- Click “Address” in Objects
- Key in the corresponding IP addresses

257 Scenario & Hands-on 7-3 VPN Configuration - IPsec
Step 2: Create the pre-shared key for the IPsec tunnel
- Click “Pre-Shared Keys” in VPN Objects
- Key in the correct value

258 Scenario & Hands-on 7-3 VPN Configuration - IPsec
Step 3: Create the IPsec tunnel
- Click “IPsec Tunnels” in Interfaces
- Choose the corresponding configuration
Note: If the remote firewall WAN IP is not static, in other words the Remote Endpoint uses a dynamic IP address registered with a dynamic DNS service, the administrator can enter the DDNS domain name here directly.

259 Scenario & Hands-on 7-3 VPN Configuration - IPsec
Step 4: Combine the two interfaces into one interface group
- Click “Interface Groups” in Interfaces
- Choose the corresponding interfaces

260 Scenario & Hands-on 7-3 VPN Configuration - IPsec
Step 5: Create the IP rules for the IPsec tunnel
- Click “IP Rules” in Rules
- Choose the corresponding configuration
- Enable the Log setting

261 Scenario & Hands-on 7-3 VPN Configuration - IPsec
Step 6: After all configuration, click “Configuration” on the main menu bar, then click “Save and Activate”

262 Scenario & Hands-on 7-3 Exercise 7-3 - VPN Configuration-IPsec
Topology: odd group DFL-1600 (remote LAN / internal LAN) - VPN tunnel - even group DFL-1600 (internal LAN1)
Objectives:
- Two firewalls communicate with each other through an IPsec tunnel
- A client on the local net pings a client on the remote net

263 Scenario & Hands-on 7-4 VPN Configuration - IPsec with NetScreen 204
Network topology: NetScreen 204, WAN1 IP: /24, remote LAN / internal LAN IP: /24 - VPN tunnel - DFL-1600, WAN1 static IP: /24, internal LAN1 IP: /24, internal LAN2 IP: /24, internal LAN3 IP: /24
Note: Use the same pre-shared key and algorithms on the DFL-1600 and the NS-204; choose the correct local net and remote net for the IPsec tunnel

264 The logic of configuration
Scenario & Hands-on 7-4 VPN Configuration - NetScreen 204
Objectives:
- Two firewalls communicate with each other through an IPsec tunnel
- A client on the local net pings a client on the remote net
The logic of configuration:
- Create the VPN objects (pre-shared key, remote net/gateway and algorithms)
- Configure the IPsec tunnel
- Create the IP rule (policy) for the IPsec tunnel

265 Scenario & Hands-on 7-4 VPN Configuration - NetScreen 204
Step 1: Create the network object for the DFL-1600 side (remote network)
- Click “List” under “Addresses” in Objects
- Key in the corresponding network

266 Scenario & Hands-on 7-4 VPN Configuration - NetScreen 204
Step 2: Create the IP address object for the DFL-1600 (remote gateway)
- Click “List” under “Addresses” in Objects
- Key in the corresponding IP address

267 Scenario & Hands-on 7-4 VPN Configuration - NetScreen 204
Step 3: Create the P1 (Phase 1) Proposal for the VPN to the DFL-1600
- Click “P1 Proposal” under “AutoKey Advanced” in VPNs
- Choose the corresponding algorithms and DH group

268 Scenario & Hands-on 7-4 VPN Configuration - NetScreen 204
Step 4: Create the P2 (Phase 2) Proposal for the VPN to the DFL-1600
- Click “P2 Proposal” under “AutoKey Advanced” in VPNs
- Choose the corresponding algorithms and DH group

269 Scenario & Hands-on 7-4 VPN Configuration - NetScreen 204
Step 5: Create the Gateway object for the DFL-1600
- Click “Gateway” under “AutoKey Advanced” in VPNs
- Key in the corresponding IP address and Preshared Key
- Click “Advanced”

270 Scenario & Hands-on 7-4 VPN Configuration - NetScreen 204
Step 6: “Advanced” settings of the Gateway object
- Choose “Custom” under User Defined and select the Phase 1 Proposal
- Choose “Main” mode

271 Scenario & Hands-on 7-4 VPN Configuration - NetScreen 204
Step 7: Create the IPsec VPN tunnel to the DFL-1600
- Choose “Security Level” and “Predefined” for the Remote Gateway
- Choose the “Outgoing Interface” and click “Advanced”

272 Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
Create the IPsec VPN policy for DFL-1600
Choose the correct Action, Service and Network in the rule
Enable “Modify matching bidirectional VPN policy”

273 Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
Testing Result

274 Scenario & Hands-on 7-4 VPN Configuration- NetScreen 204
DFL-1600 IPsec VPN status
NetScreen VPN status

275 Agenda Appliance Overview Firewall Concept Basic Configuration
Scenario & Hands-on Troubleshooting

276 Troubleshooting
Four ways to troubleshoot
Confirm the configuration of the firewall
Inspect the firewall status
Use console commands to get more information
Capture packets to analyze (Ethereal and Sniffer)

277 Troubleshooting Flow Chart
Flow chart (figure): Confirm configuration. Found main cause? If not, inspect the firewall status. Found main cause? If not, use console commands to inspect. Found main cause? If not, capture packets to analyze. Once the main cause is found, decide whether it is a configuration cause or an environment cause: for a configuration cause, verify the configuration; for an environment cause, verify the network environment. The problem has been solved. The chart also shows a “Dtrack System” node.

278 Troubleshooting Confirm configuration of firewall
IP address or network in “Object”
Configuration in “Interface”
Configuration in “IP rules”: action and service; interface and network
Configuration in “Main routing”: routing table; metric
Configuration in “PBR”: routing table and rules
Advanced configuration: Zone Defense, traffic shaping, user authentication

279 Troubleshooting Inspect the firewall status
Click “Status” on the main menu bar: System, Logging, Connection, Interfaces, IPsec, User Auth, Routes, DHCP server, IDS, SLB, Zone Defense

280 Troubleshooting Console commands
How to use “Console command” with HyperTerminal in MS Windows
1. Start HyperTerminal (Hypertrm.exe).
2. Enter a name for the connection (for example, DFL-800) in the Name box.
3. Click an icon for the connection in the Icon box, and then click OK.
4. In the Connect Using box, click Direct to Com, choose “Restore Default”, and then click OK.
5. Verify the settings on the Port Settings tab and then click OK.

281 Troubleshooting Console commands
The first command you should learn is the HELP or H command. The help command prints a list of the commands available at the console.
About (Displays information about the firewall core.)
Crashdump (Dumps all crash and error information.)
Access (Prints the active anti-spoof section.)
Arp [interface] (Displays the cached ARP information for all interfaces. If you add a specific interface name to the command, you will get only the specified interface.)
Arpsnoop [interface] (Displays ARP queries and responses. You enable this by typing ARPSNOOP [interface]; the same command again disables it. You can also use the string ALL for all interfaces. To disable all arpsnoop printouts, use the string NONE.)
Buffers [buf num] (Displays the 20 most recently freed buffers. You can examine a specific buffer by adding its number.)
Cfglog (Displays the boot log of the firewall configuration.)

282 Troubleshooting Console commands
Connections (Displays the connections in the firewall.)
CPUid (Displays processor information.)
DHCP [switches] <interface> (With this command you can renew (-renew) or release (-release) the DHCP IP address on a specific interface.)
Frags (Displays the 20 most recent fragment reassembly attempts. This includes both ongoing and completed attempts.)
Ifstat [interface] (Displays interfaces. If you add an interface, you will get statistics for that interface.)
Loghosts (Displays the configured loghosts.)
Logout (Secures the console with the configured password.)
Netcon (Displays the active console connection or management connections to the firewall.)
Netobjects (Displays the active host and network configurations.)
Ping (The normal ping command to verify an IP connection. You can use Ping [IP address] [num], where “num” is the number of ping requests.)
Reconfigure (Reloads the configuration from the boot media.)

283 Troubleshooting Console commands
Ikesnoop [on/off/verbose] (Ikesnoop is used to diagnose problems with IPsec tunnels.)
DHCPRelay (Displays whether the DHCP boot relay is enabled or disabled.)
Remote (Displays the active configuration of the remote section.)
Routes (Displays the active configuration of the route section.)
Rules (Displays the active configuration of the rule section. There are several string options that you can add; the -v string enables all available information, such as usage counts.)
Scrsave (Runs the screen saver.)
Services (Displays the active services within the configuration.)
Shutdown (Shuts down the firewall.)
Stats (Displays statistics information for the firewall.)
Time (Displays the firewall's current time.)

284 Troubleshooting Capture packets to analyze
Set up a laptop with software such as Ethereal or Sniffer to capture packets from the problem node.
The laptop needs to connect to the problem node through a hub.
If it connects through a switch, the port mirror function has to be enabled on the switch.
(Figure: intranet, problem node, switch with mirror function, laptop running Ethereal or Sniffer)

285 Troubleshooting Capture packets to analyze
Inspect the source IP address, destination IP address and protocol of the captured packets to analyze the problematic network status.
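As an added example (not code from the D-Link deck), the following pure-Python reader for the libpcap file format that Ethereal writes tallies a capture by source address, destination address and IP protocol, which is the first thing to read off a capture. It assumes Ethernet II/IPv4 frames in a little-endian pcap file; the sample capture and its addresses are constructed inline.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}
# libpcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def build_frame(src, dst, proto, payload=b""):
    """Constructed Ethernet II + IPv4 frame (dummy MACs, IP checksum left at 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload

def build_pcap(frames):
    """Wrap frames in pcap record headers (ts_sec, ts_usec, incl_len, orig_len)."""
    out = bytearray(PCAP_GLOBAL_HDR)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)

def parse_pcap(data):
    """Yield (src, dst, protocol) for each IPv4-over-Ethernet packet; other frames are skipped."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, offset)[2]
        pkt = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # truncated or not IPv4 (e.g. ARP): nothing to summarise
        proto = pkt[14 + 9]              # protocol field is 9 bytes into the IP header
        src = str(IPv4Address(pkt[26:30]))
        dst = str(IPv4Address(pkt[30:34]))
        yield src, dst, PROTO_NAMES.get(proto, str(proto))

def conversation_summary(data):
    """Count (src, dst, protocol) triples across the whole capture."""
    return Counter(parse_pcap(data))

# Constructed sample (placeholder addresses): the scenario's ping test as seen on the
# LAN side, one ESP packet between the two gateways, and one ARP frame that is skipped.
SAMPLE_CAPTURE = build_pcap([
    build_frame("192.168.1.10", "192.168.2.10", 1, b"\x08\x00" + b"\x00" * 6),  # echo request
    build_frame("192.168.2.10", "192.168.1.10", 1, b"\x00" * 8),                # echo reply
    build_frame("203.0.113.1", "198.51.100.1", 50, b"\x00" * 8),                # ESP
    b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x06" + b"\x00" * 28,   # ARP
])
```

For the VPN scenario above, a capture on the LAN side should show the ICMP pair between the two clients, while a capture on the WAN side shows only ESP between the two gateway addresses; if the LAN-side ICMP has no reply, the tunnel or the IP rule is the place to look.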

286 Questions & Answers THANK YOU

