Configure Intrusion Prevention

Follow these steps to configure IDP on a policy.

Step 1.

Choose the policy you would like have IDP on.

Step 2.

Click on the

Edit

link on the rule you want to delete.

Step 3.

Enable the

Intrusion Detection / Prevention

checkbox.

Step 4.

Choose

Prevention

from the mode drop down list.

Step 5.

Enable the alerting checkbox for email alerting.

Click the

Apply

button below to apply the change or click

Cancel

to discard changes

32

Port mapping / Virtual Servers

The Port mapping / Virtual Servers configuration section is where you can configure virtual

servers like Web servers on the DMZ or similar. It is also possible to use Intrusion Detection /

Prevention on Port mapped services, these are done in the same way as on policies, so see

that chapter for more information.

Mappings are read from top to bottom, and the first matching mapping is carried out.

Add a new mapping

Follow these steps to add a new mapping on the WAN interface.

Step 1.

Choose the

WAN

policy list from the available policy lists.

Step 2.

Click on the

Add new

link.

Step 3.

Fill in the following values:

Name:

Specifies a symbolic name for the rule. This name is used mainly as a rule

reference in log data and for easy reference in the policy list.

Source Nets:

Specify the source networks, leave blank for everyone (0.0.0.0/0).

Source Users/Groups:

Specifies if an authenticated username is needed for this

mapping to match. Either make a list of usernames, separated by

,

or write

Any

for any

authenticated user. If it’s left blank there is no need for authentication for the policy.

Destination Nets:

Leave empty for the interfaces own IP or enter a new IP if using Virtual

IP.

Service:

Either choose a predefined service from the dropdown menu or make a custom.

Pass To:

The IP of the server that the traffic should be passed to.

Schedule:

Choose what schedule should be used for this mapping to match, choose

Always for no scheduling.

Click the

Apply

button below to apply the change or click

Cancel

to discard changes

Delete mapping

Follow these steps to delete a mapping.

Step 1.

Choose the mapping list (WAN, LAN or DMZ) you would like do delete the

mapping from.

Step 2.

Click on the

Edit

link on the rule you want to delete.

Step 3.

Enable the

Delete mapping

checkbox.

Click the

Apply

button below to apply the change or click

Cancel

to discard changes.

34

Users

User Authentication allows an administrator to grant or reject access to specific users from

specific IP addresses, based on their user credentials.

Before any traffic is allowed to pass through any policies configured with username or

groups, the user must first authenticate him/her-self. The DFL-200 can either verify the user

against a local database or passes along the user information to an external authentication

server, which verifies the user and the given password, and transmits the result back to the

firewall. If the authentication is successful, the DFL.700 will remember the source IP address

of this user, and any matching policies with usernames or groups configured will be allowed.

Specific policies that deal with user authentication can be defined, thus leaving policies that

not require user authentication unaffected.

The DFL-200 supports the RADIUS (Remote Authentication Dial In User Service)

authentication protocol. This protocol is heavily used in many scenarios where user

authentication is required, either by itself or as a front-end to other authentication services.

The DFL-200 RADIUS Support

The DFL-200 can use RADIUS to verify users against for example Active Directory or Unix

password-file. It is possible to configure up to two servers, if the first one is down it will try the

second IP instead.

The DFL-200 can use CHAP or PAP when communicating with the RADIUS server.

CHAP

(Challenge Handshake Authentication Protocol) does not allow a remote attacker to

extract the user password from an intercepted RADIUS packet. However, the password must

be stored in plaintext on the RADIUS server.

PAP

(Password Authentication Protocol) might

be defined as the less secure of the two. If a RADIUS packet is intercepted while being

transmitted between the firewall and the RADIUS server, the user password can be extracted,

given time. The upside to this is that the password does not have to be stored in plaintext in

the RADIUS server.

The DFL700 uses a shared secret when connecting to the RADIUS server. The shared

secret enables basic encryption of the user password when the RADIUS-packet is transmitted

from the firewall to the RADIUS server. The shared secret is case sensitive, can contain up to

100 characters, and must be typed exactly the same on both the firewall and the RADIUS

server.

Enable User Authentication via HTTP / HTTPS

Follow

these

steps

to

enable

User

Authentication.

Step 1.

Enable the checkbox for User

Authentication.

Step 2.

Specify if HTTP and HTTPS or

only HTTPS should be used for the login.

Step 3.

Specify the idle-timeout, the time a user can be idle before being logged out by the

firewall.

Step 4.

Choose new ports for the management WebUI to listen on as the user

authentication will use the same ports as the management WebUI is using..

Click the

Apply

button below to apply the setting or click

Cancel

to discard changes.

Enable RADIUS Support

Follow these steps to enable RADIUS

support.

Step

1.

Enable

the

checkbox

for

RADIUS Support.

Step 2.

Fill in up to two RADIUS servers.

Step 3.

Specified which mode to use, PAP or CHAP.

Step 3.

Specify the shared secret for this connection.

Click the

Apply

button below to apply the setting or click

Cancel

to discard changes.