Configure Intrusion Prevention
Follow these steps to configure IDP on a policy.
Step 1. Choose the policy you would like to have IDP on.
Step 2. Click on the Edit link on that rule.
Step 3. Enable the Intrusion Detection / Prevention checkbox.
Step 4. Choose Prevention from the mode drop-down list.
Step 5. Enable the alerting checkbox for email alerting.
Click the Apply button below to apply the change or click Cancel to discard changes.
Port mapping / Virtual Servers
The Port mapping / Virtual Servers configuration section is where you configure virtual servers, such as Web servers on the DMZ. It is also possible to use Intrusion Detection / Prevention on port-mapped services; this is done in the same way as on policies, so see that chapter for more information.
Mappings are read from top to bottom, and the first matching mapping is carried out.
Add a new mapping
Follow these steps to add a new mapping on the WAN interface.
Step 1. Choose the WAN policy list from the available policy lists.
Step 2. Click on the Add new link.
Step 3. Fill in the following values:
Name: Specifies a symbolic name for the rule. This name is used mainly as a rule reference in log data and for easy reference in the policy list.
Source Nets: Specify the source networks; leave blank for everyone (0.0.0.0/0).
Source Users/Groups: Specifies if an authenticated username is needed for this mapping to match. Either make a list of usernames, separated by commas (,), or write Any for any authenticated user. If it is left blank, no authentication is needed for the policy.
Destination Nets: Leave empty for the interface's own IP, or enter a new IP if using a Virtual IP.
Service: Either choose a predefined service from the drop-down menu or make a custom one.
Pass To: The IP of the server that the traffic should be passed to.
Schedule: Choose what schedule should be used for this mapping to match; choose Always for no scheduling.
Click the Apply button below to apply the change or click Cancel to discard changes.
Delete mapping
Follow these steps to delete a mapping.
Step 1. Choose the mapping list (WAN, LAN or DMZ) you would like to delete the mapping from.
Step 2. Click on the Edit link on the rule you want to delete.
Step 3. Enable the Delete mapping checkbox.
Click the Apply button below to apply the change or click Cancel to discard changes.
Users
User Authentication allows an administrator to grant or reject access to specific users from specific IP addresses, based on their user credentials.
Before any traffic is allowed to pass through any policy configured with usernames or groups, the user must first authenticate. The DFL-200 can either verify the user against a local database or pass the user information along to an external authentication server, which verifies the user and the given password and transmits the result back to the firewall. If the authentication is successful, the DFL-700 will remember the source IP address of this user, and any matching policies with usernames or groups configured will be allowed. Specific policies that deal with user authentication can be defined, thus leaving policies that do not require user authentication unaffected.
The DFL-200 supports the RADIUS (Remote Authentication Dial In User Service) authentication protocol. This protocol is heavily used in many scenarios where user authentication is required, either by itself or as a front-end to other authentication services.
The DFL-200 RADIUS Support
The DFL-200 can use RADIUS to verify users against, for example, Active Directory or a Unix password file. It is possible to configure up to two servers; if the first one is down, the firewall will try the second IP instead.
The DFL-200 can use CHAP or PAP when communicating with the RADIUS server.
CHAP (Challenge Handshake Authentication Protocol) does not allow a remote attacker to extract the user password from an intercepted RADIUS packet. However, the password must be stored in plaintext on the RADIUS server.
PAP (Password Authentication Protocol) might be defined as the less secure of the two. If a RADIUS packet is intercepted while being transmitted between the firewall and the RADIUS server, the user password can be extracted, given time. The upside is that the password does not have to be stored in plaintext on the RADIUS server.
The DFL-700 uses a shared secret when connecting to the RADIUS server. The shared secret enables basic encryption of the user password when the RADIUS packet is transmitted from the firewall to the RADIUS server. The shared secret is case sensitive, can contain up to 100 characters, and must be typed exactly the same on both the firewall and the RADIUS server.
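As an added illustration (not from this manual or D-Link), the Python below shows why the two RADIUS modes trade off the way the text describes: PAP hides the User-Password by XORing it with MD5(shared secret + Request Authenticator) as specified in RFC 2865, so the secret is the only thing protecting a captured packet, while a CHAP response is MD5(id + password + challenge), which the server can only check by holding the plaintext password. The shared secret, authenticator, challenge and password values are constructed test values.

```python
import hashlib


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to a multiple of 16 (minimum 16,
    maximum 128 octets), then XOR each block with MD5(secret + previous cipher
    block); for the first block the Request Authenticator stands in as 'previous'."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        enc = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += enc
        prev = enc  # chaining: next block keyed on this ciphertext block
    return out


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does on receipt: the same keystream reverses the XOR.
    Note that nothing beyond the shared secret is needed, which is why the manual
    says an intercepted PAP packet can yield the password 'given time'."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value (RFC 1994 / RFC 2865 s5.3): MD5(id + password + challenge).
    The shared secret is not involved; the challenge makes each response unique."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id: int, response: bytes, stored_plaintext: bytes, challenge: bytes) -> bool:
    """Server-side check. Recomputing the hash requires the plaintext password,
    which is the storage cost of CHAP the manual points out."""
    return chap_response(chap_id, stored_plaintext, challenge) == response
```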
Enable User Authentication via HTTP / HTTPS
Follow these steps to enable User Authentication.
Step 1. Enable the checkbox for User Authentication.
Step 2. Specify if HTTP and HTTPS or only HTTPS should be used for the login.
Step 3. Specify the idle timeout, the time a user can be idle before being logged out by the firewall.
Step 4. Choose new ports for the management WebUI to listen on, as user authentication will use the same ports as the management WebUI.
Click the Apply button below to apply the setting or click Cancel to discard changes.
Enable RADIUS Support
Follow these steps to enable RADIUS support.
Step 1. Enable the checkbox for RADIUS Support.
Step 2. Fill in up to two RADIUS servers.
Step 3. Specify which mode to use, PAP or CHAP.
Step 4. Specify the shared secret for this connection.
Click the Apply button below to apply the setting or click Cancel to discard changes.