When an attack has occurred, more information about the attack can be found. Copy the

attack string and paste it into the

By message

box at the following address:

(you can of course also write the attack string

manually in the box).

Intrusion attacks will always be logged in the usual logs if IDS is enabled for any of the

rules.

For more information about how to enable intrusion detection and prevention on a policy

or port mapping, read more under

Policies

and

Port Mappings

in the Firewall section below.

32

Time

Click on

System

in the menu bar, and then click

Time

below it. This will give you the

option to either set the system time by syncing to an Internet Network Time Server (NTP) or

by entering the system time by hand.

Changing time zone

Follow these steps to change the time zone.

Step 1.

Choose the correct time zone in the drop down menu.

Step 2.

Specify your daylight time or choose no daylight saving time by checking the

correct box.

Click the

Apply

button below to apply the setting or click Cancel to discard changes.

Using NTP to sync time

Follow these steps to sync to an Internet Time Server.

Step 1.

Enable synchronization by checking the

Enable NTP

box.

Step 2.

Enter the Server IP Address or Server name with which you want to synchronize.

Click the

Apply

button below to apply the setting or click Cancel to discard changes.

Setting time and date manually

Follow these steps to set the system time by hand.

Step 1.

Checking the

Set the system time

box.

Step 2.

Choose the correct date.

Step 3.

Set the correct time in 24-hour format.

Click the

Apply

button below to apply the setting or click Cancel to discard changes.

34

Firewall

Policy

The Firewall Policy configuration section is the "heart" of the firewall. The policies are the

primary filter that is configured to allow or disallow certain types of network traffic through the

firewall. The policies also regulate how bandwidth management, traffic shaping, is applied to

traffic flowing through the WAN interface of the firewall.

When a new connection is being established through the firewall, the policies are

evaluated, top to bottom, until a policy that matches the new connection is found. The Action

of the rule is then carried out. If the action is Allow, the connection will be established and a

state representing the connection is added to the firewall's internal state table. If the action is

Drop, the new connection will be refused. The section below will explain the meanings of the

various action types available.

Policy modes

The first step in configuring security policies is to configure the mode for the firewall. The

firewall can run in NAT or No NAT (Route) mode. Select NAT mode to use DFL-1100 network

address translation to protect private networks from public networks. In NAT mode, you can

connect a private network to the internal interface, a DMZ network to the dmz interface, and a

public network, such as the Internet, to the external interface. Then you can create NAT mode

policies to accept or deny connections between these networks. NAT mode policies hide the

addresses of the internal and DMZ networks from users on the Internet. In No NAT (Route)

mode you can also create routed policies between interfaces. Route mode policies accept or

deny connections between networks without performing address translation. To use NAT

mode select

Hide source addresses (many-to-one NAT)

and to use No NAT (Route) mode

choose

No NAT

.

Action Types

Drop –

Packets matching Drop rules will immediately be dropped. Such packets will be

logged if logging has been enabled in the Logging Settings page.

Reject –

Reject works in basically the same way as Drop. In addition to this, the firewall

sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet was a

TCP packet, a TCP RST message. Such packets will be logged if logging has been enabled

in the Logging Settings page.

Allow –

Packets matching Allow rules are passed to the stateful inspection engine, which

will remember that a connection has been opened. Therefore, rules for return traffic will not be

required as traffic belonging to open connections is automatically dealt with before it reaches

the policies. Logging is carried out if audit logging has been enabled in the Logging Settings

page.

Source and Destination Filter

Source Nets

– Specifies the sender span of IP addresses to be compared to the received

packet. Leave this blank to match everything.

Source Users/Groups

– Specifies if an authenticated username is needed for this policy

to match. Either make a list of usernames, separated by

,

or write

Any

for any authenticated

user. If it’s left blank there is no need for authentication for the policy.

Destination Nets

– Specifies the span of IP addresses to be compared to the destination

IP of the received packet.

Leave this blank to match everything.

Destination Users/Groups

– Specifies if an authenticated username is needed for this

policy to match. Either make a list of usernames, separated by , or write Any for any

authenticated user. If it’s left blank there is no need for authentication for the policy.

Service Filter

Either choose a predefined service from the dropdown menu or make a custom.

The following custom services exist:

All

–

This service matches all protocols.

TCP+UDP+ICMP

–

This service matches all ports on either the TCP or the UDP protocol,

including ICMP.

Custom TCP

–

This service is based on the TCP protocol.

Custom UDP

–

This service is based on the UDP protocol.

Custom TCP+UDP

–

This service is based on either the TCP or the UDP protocol.

The following is used when making a custom service:

Custom source/destination ports –

For many services, a single destination port is

sufficient. The source port most often be all ports, 0-65535. The http service, for instance, is

using destination port 80. A port range can also be used, meaning that a range 137-139

covers ports 137, 138 and 139. Multiple ranges or individual ports may also be entered,

separated by commas. For instance, a service can be defined as having source ports 1024-

65535 and destination ports 80-82, 90-92, 95. In this case, a TCP or UDP packet with the

destination port being one of 80, 81, 82, 90, 91, 92 or 95, and the source port being in the

range 1024-65535, will match this service.

Schedule

If a schedule should be used for the policy, choose one from the dropdown menu, these

are specified on the

Schedules

page. If the policy should always be active, choose Always

from the dropdown menu.

Intrusion Detection / Prevention

The DFL-1100 Intrusion Detection/Prevention System (IDS/IDP) is a real-time intrusion

detection and prevention sensor that identifies and takes action against a wide variety of

suspicious network activity. The IDS uses intrusion signatures, stored in the attack database,

to identify the most common attacks. In response to an attack, the IDS protect the networks

behind the DFL-1100 by dropping the traffic. To notify of the attack the IDS sends an email to