VPN – Advanced Settings
The advanced settings for a VPN tunnel are used when you need to change some characteristics
of the tunnel, for example when connecting to a third-party VPN gateway. The settings that
can be set per tunnel are the following:
Limit MTU
With this setting it's possible to limit the MTU (Maximum Transmission Unit) of the VPN tunnel.
IKE Mode
Specify if Main mode IKE or Aggressive Mode IKE should be used when establishing
outbound VPN Tunnels. Inbound main mode connections will always be allowed. Inbound
aggressive mode connections will only be allowed if this setting is set to aggressive mode.
IKE DH Group
Here it’s possible to configure the Diffie-Hellman group to 1 (modp 768-bit), 2 (modp 1024-
bit) or 5 (modp 1536-bit).
PFS – Perfect Forward Secrecy
If PFS, Perfect Forward Secrecy, is enabled, a new Diffie-Hellman exchange is
performed for each phase-2 negotiation. While this is slower, it makes sure that no keys are
dependent on any other previously used keys; no keys are derived from the same initial
keying material. This ensures that, in the unlikely event that some key is
compromised, no subsequent keys can be derived from it.
NAT Traversal
Here it's possible to configure how the NAT Traversal code should behave.
Disabled - The firewall does not send the Vendor IDs that indicate NAT-T support when
setting up the tunnel.
On if supported and need NAT - Will only use NAT-T if one of the VPN gateways is
NATed.
On if supported - Always tries to use NAT-T when setting up the tunnel.
Keepalives
No keepalives – Keep-alive is disabled.
Automatic keepalives - The firewall will send ICMP pings to IP addresses automatically
discovered from the VPN tunnel settings.
Manually configured IP addresses - Configure the source and destination IP addresses
used when sending the ICMP pings.
Proposal Lists
To agree on the VPN connection parameters, a negotiation process is performed. As a
result of the negotiation, the IKE and IPSec security associations (SAs) are established. As
the name implies, a proposal is the starting point for the negotiation. A proposal defines
the encryption parameters, for instance the encryption algorithm and lifetimes, that the VPN
gateway supports.
There are two types of proposals, IKE proposals and IPSec proposals. IKE proposals are
used during IKE Phase-1 (IKE Security Negotiation), while IPSec proposals are used during
IKE Phase-2 (IPSec Security Negotiation).
A Proposal List is used to group several proposals. During the negotiation process, the
proposals in the proposal list are offered to the remote VPN gateway one after another until a
matching proposal is found.
IKE Proposal List
Cipher – Specifies the encryption algorithm used in this IKE proposal. Supported
algorithms are AES, 3DES, DES, Blowfish, Twofish and CAST128.
Hash – Specifies the hash function used to calculate a checksum that reveals if the data
packet is altered while being transmitted. MD5 and SHA1 are the supported algorithms.
Life Times – Specifies in KB or seconds when the security associations for the VPN
tunnel need to be re-negotiated.
IPSec Proposal List
Cipher – Specifies the encryption algorithm used in this IPSec proposal. Supported
algorithms are AES, 3DES, DES, Blowfish, Twofish and CAST128.
HMAC – Specifies the hash function used to calculate a checksum that reveals if the data
packet is altered while being transmitted. MD5 and SHA1 are the supported algorithms.
Life Times – Specifies in KB or seconds when the security associations for the VPN
tunnel need to be re-negotiated.
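The following is an added example, not part of the DFL-200 manual or its firmware, that simulates the "offered one after another until a matching proposal is found" behaviour described under Proposal Lists with constructed IKE proposal lists. The matching rule (cipher and hash must agree, the shorter lifetime wins) and the sample lists are simplifying assumptions; the point it illustrates is that a weak entry left in the list can be the one that ends up negotiated, so the list order and contents are part of the tunnel's security.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Proposal:
    cipher: str        # one of the manual's ciphers, e.g. "AES", "3DES", "DES"
    hash_alg: str      # "SHA1" or "MD5"
    life_seconds: int  # SA lifetime in seconds (assumed unit for this example)


def negotiate(local_list: Sequence[Proposal],
              remote_list: Sequence[Proposal]) -> Optional[Proposal]:
    """Simplified proposal negotiation (assumption, not the firmware's code):
    offer the local proposals in list order; the first one whose cipher and hash
    the peer also lists is chosen, with the shorter of the two lifetimes."""
    for offered in local_list:
        for accepted in remote_list:
            if (offered.cipher, offered.hash_alg) == (accepted.cipher, accepted.hash_alg):
                return Proposal(offered.cipher, offered.hash_alg,
                                min(offered.life_seconds, accepted.life_seconds))
    return None  # no proposal matched: the tunnel is not established


# Entries a defender would not want to be negotiable (policy assumption).
WEAK_CIPHERS = {"DES"}
WEAK_HASHES = {"MD5"}


def prune_weak(local_list: Sequence[Proposal]) -> list:
    """Return the list with weak cipher/hash combinations removed."""
    return [p for p in local_list
            if p.cipher not in WEAK_CIPHERS and p.hash_alg not in WEAK_HASHES]


# Constructed sample lists for illustration.
LOCAL = [Proposal("AES", "SHA1", 28800),
         Proposal("3DES", "SHA1", 28800),
         Proposal("DES", "MD5", 28800)]        # legacy entry kept "for compatibility"
PEER_LEGACY = [Proposal("DES", "MD5", 3600)]   # peer that only speaks DES/MD5
PEER_MODERN = [Proposal("3DES", "SHA1", 28800), Proposal("AES", "SHA1", 86400)]
```

With `LOCAL` as configured, `PEER_LEGACY` negotiates DES/MD5 because that entry is still in the list; after `prune_weak`, the same peer gets no tunnel at all, which is the safer outcome.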
Certificates
A certificate is a digital proof of identity. It links an identity to a public key in a trustworthy
manner. Certificates can be used to authenticate individual users or other entities. These
types of certificates are commonly called end-entity certificates.
Before a VPN tunnel with certificate based authentication can be set up, the firewall needs
a certificate of its own and that of the remote firewall. These certificates can either be self-
signed certificates, or issued by a CA.
Trusting Certificates
When setting up a VPN tunnel, the firewall has to be told whom it should trust. When using
pre-shared keys, this is simple. The firewall trusts anyone who has the same pre-shared key.
When using certificates, on the other hand, you tell the firewall that it can trust anyone
whose certificate is signed by a given CA. Before a certificate is accepted, the following steps
are taken to verify the validity of the certificate:
Construct a certification path up to the trusted root CA.
Verify the signatures of all certificates in the certification path.
Fetch the CRL for each certificate to verify that none of the certificates have been
revoked.
Local identities
This is a list of all the local identity certificates that can be used in VPN tunnels. A local
identity certificate is used by the firewall to prove its identity to the remote VPN peer.
To add a new local identity certificate, click Add new. The following pages will allow you to
specify a name for the local identity, and upload the certificate and private key files. This
certificate can be selected in the Local Identity field on the VPN page.
This list also includes a special certificate called Admin. This is the certificate used by the
web interface to provide HTTPS access.
Note: The certificate named Admin can only be replaced, not deleted or renamed. This is
used for HTTPS access to the DFL-200.
Certificates of remote peers
This is a list of all certificates of individual remote peers.
To add a new remote peer certificate, click Add new. The following pages will allow you to
specify a name for the remote peer certificate and upload the certificate file. This certificate
can be selected in the Certificates field on the VPN page.
Certificate Authorities
This is a list of all CA certificates. To add a new Certificate Authority certificate, click Add
new. The following pages will allow you to specify a name for the CA certificate and upload
the certificate file. This certificate can be selected in the Certificates field on the VPN page.
Note: If the uploaded certificate is a CA certificate, it will automatically be placed in the
Certificate Authorities list, even if Add New was clicked in the Remote Peers list. Similarly, a
non-CA certificate will be placed in the Remote Peers list even if Add New was clicked from
the Certificate Authorities list.
Identities
This is a list of all the configured Identity lists. An Identity list can be used on the VPN
page to limit inbound VPN access from this list of known identities.
Normally, a VPN tunnel is established if the certificate of the remote peer is present in the
Certificates field in the VPN section, or if the remote peer's certificate is signed by a CA
whose certificate is present in the Certificates field in the VPN section. However, in some
cases it might be necessary to limit who can establish a VPN tunnel even among peers
signed by the same CA.
The Identity list can be selected in the Identity List field on the VPN page.
If an Identity List is configured, the firewall will match the identity of the connecting remote
peer against the Identity List, and only allow it to open the VPN tunnel if it matches the
contents of the list.
If no Identity List is used, no identity matching is done.
Content Filtering
DFL-200 HTTP content filtering can be configured to scan all HTTP content protocol
streams for URLs or for web page content.
You can configure URL blacklist to block all or just some of the pages on a website. Using
this feature you can deny access to parts of a web site without denying access to it
completely.
The HTTP content filter can also be configured to strip contents like ActiveX, Flash and
cookies.
There is also a URL whitelist for URLs that should be excluded from all Content Filtering.
To have the URL white/black list match entire sites, you will most likely want to use
wildcards before and after the host names, e.g. "*example.com/*". However, this will also
trigger on e.g. "myexample.com/", so you may want to split it up in two patterns, e.g.
"example.com/*" and "*.example.com/*", to catch the domain name by itself as well as
variants with prefixed host names ("www.") without having the filter trigger on domains ending
with the same text.
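An added example (not code from the manual or the DFL-200 firmware) that reproduces the wildcard behaviour described above so the two pattern styles can be compared against real URLs. It assumes that "*" is the only wildcard, matching any run of characters, and that patterns are matched against the URL with the scheme ("http://") removed; both are assumptions about the filter, not documented details.

```python
import re
from typing import Sequence


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a white/blacklist pattern into a regex. Assumption: only '*' is a
    wildcard (any run of characters); every other character, including '?' and
    '.', is literal, and the whole URL must match."""
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def normalize(url: str) -> str:
    """Strip the scheme so patterns like 'example.com/*' apply (assumption)."""
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE)


def matches(pattern: str, url: str) -> bool:
    return pattern_to_regex(pattern).fullmatch(normalize(url)) is not None


def decide(url: str, blacklist: Sequence[str], whitelist: Sequence[str]) -> str:
    """Whitelist entries are excluded from all filtering, so they are checked first;
    otherwise any blacklist hit blocks the URL."""
    if any(matches(p, url) for p in whitelist):
        return "allow"
    if any(matches(p, url) for p in blacklist):
        return "block"
    return "allow"


# Constructed patterns: the broad one the manual warns about, and the split pair.
BROAD = ["*example.com/*"]
SPLIT = ["example.com/*", "*.example.com/*"]
```

The broad pattern blocks "myexample.com/" as a side effect, while the split pair blocks "example.com/..." and "www.example.com/..." only.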
Note: For HTTP URL filtering to work, all HTTP traffic needs to go through a policy using a
service with the HTTP ALG, which is the case for the "http-outbound" service by default.
Also note that the HTTP content filter cannot examine HTTPS (encrypted) connections
due to their encrypted nature. If you wish to block access to HTTPS sites, you will need to
configure rules in the firewall policy to block access to port 443 (https) on the IP addresses in
question.
Active content handling
Active content handling can be enabled or disabled by checking the checkbox before each
type you would like to strip. For example to strip ActiveX and Flash enable the checkbox
named Strip ActiveX objects. It is possible to strip ActiveX, Flash, Java, JavaScript and
VBScript. It is also possible to block cookies.