Vigor2110 Series User’s Guide
Stateful Packet Inspection (SPI)
Stateful inspection is a firewall architecture that works at the network layer. Unlike legacy static packet filtering, which examines each packet only on the information in its header, stateful inspection builds up a state machine to track each connection traversing any interface of the firewall and makes sure the packets are valid for that connection. The stateful firewall of the Vigor router not only examines the header information but also monitors the state of the connection.
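The difference between the two architectures is easiest to see on packets. The following Python model is an added example written for this guide, not DrayTek code, and the packet fields, the three-state flow table and the 30-second idle timeout are assumptions for illustration. A stateless "established" rule admits any inbound segment that carries the ACK flag; the stateful inspector admits an inbound segment only when a LAN host has opened the matching flow and the flags fit the flow's current state, and it forgets idle flows after a timeout, in the spirit of the Session timeout setting described later in General Setup.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed packet model: only the header fields a filter looks at.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    direction: str          # "out" (LAN->WAN) or "in" (WAN->LAN)

FlowKey = Tuple[str, int, str, int]

def static_filter(pkt: Packet) -> str:
    """Legacy stateless rule: inbound packets are admitted only if they carry
    the ACK flag (the classic 'established' heuristic). Nothing about the
    connection's history is known, so a forged ACK looks legitimate."""
    if pkt.direction == "out":
        return "pass"
    return "pass" if "ACK" in pkt.flags else "block"

class StatefulInspector:
    """Minimal SPI engine (hypothetical, not the router's implementation):
    each TCP flow opened from the LAN is tracked through a small state machine
    (SYN_SENT -> SYN_RECV -> ESTABLISHED); an inbound packet is admitted only
    if it belongs to a tracked flow and its flags are valid for that state.
    Idle flows are forgotten after `timeout` seconds."""

    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        self.table: Dict[FlowKey, Tuple[str, float]] = {}   # key -> (state, last_seen)

    def _expire(self, now: float) -> None:
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.timeout]
        for k in stale:
            del self.table[k]

    def inspect(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            state = self.table[key][0] if key in self.table else None
            if pkt.flags == frozenset({"SYN"}):
                self.table[key] = ("SYN_SENT", now)     # new flow (or SYN retransmit)
                return "pass"
            if state == "SYN_RECV" and "ACK" in pkt.flags:
                self.table[key] = ("ESTABLISHED", now)  # third step of the handshake
                return "pass"
            if state == "ESTABLISHED":
                self.table[key] = (state, now)
                return "pass"
            return "block"   # no history (e.g. a bare outbound ACK) or wrong flags
        # Inbound: reverse the 4-tuple to find the flow a LAN host opened.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        entry = self.table.get(key)
        if entry is None:
            return "block"   # unsolicited, whatever the flags say
        state, _ = entry
        if state == "SYN_SENT" and {"SYN", "ACK"} <= pkt.flags:
            self.table[key] = ("SYN_RECV", now)
            return "pass"
        if state == "ESTABLISHED":
            self.table[key] = (state, now)
            return "pass"
        return "block"       # flags do not fit the flow's state

def run_scenario() -> Dict[str, object]:
    """Constructed traffic: a normal handshake, then an unsolicited inbound ACK,
    then a legitimate segment arriving after the flow has idled out."""
    spi = StatefulInspector(timeout=30.0)
    lan, srv, other = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    handshake = [
        Packet(lan, 40000, srv, 443, frozenset({"SYN"}), "out"),
        Packet(srv, 443, lan, 40000, frozenset({"SYN", "ACK"}), "in"),
        Packet(lan, 40000, srv, 443, frozenset({"ACK"}), "out"),
        Packet(srv, 443, lan, 40000, frozenset({"ACK"}), "in"),
    ]
    results: Dict[str, object] = {"handshake": [spi.inspect(p, t) for t, p in enumerate(handshake)]}
    # Inbound ACK that no LAN host solicited: the header heuristic passes it,
    # the state table has no entry for it.
    probe = Packet(other, 12345, lan, 40000, frozenset({"ACK"}), "in")
    results["probe_static"] = static_filter(probe)
    results["probe_spi"] = spi.inspect(probe, 5)
    # 100 s later the flow has exceeded the idle timeout and is forgotten.
    late = Packet(srv, 443, lan, 40000, frozenset({"ACK"}), "in")
    results["after_timeout"] = spi.inspect(late, 100)
    return results

if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

The last case is the practical caveat behind the Session timeout setting: a timeout that is too short makes the firewall drop segments of a connection that is merely quiet, while one that is too long keeps dead entries in the table.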
Denial of Service (DoS) Defense
The DoS Defense functionality helps you to detect and mitigate DoS attacks. The attacks are usually categorized into two types, flooding-type attacks and vulnerability attacks. Flooding-type attacks attempt to exhaust all of your system's resources, while vulnerability attacks try to paralyze the system by exploiting vulnerabilities in the protocol or operating system.
The DoS Defense function enables the Vigor router to inspect every incoming packet against the attack signature database. Any malicious packet that might duplicate itself to paralyze a host in the secure LAN will be strictly blocked, and a Syslog message will be sent as a warning if you have set up a Syslog server.
The Vigor router also monitors the traffic. Any abnormal traffic flow that violates a pre-defined parameter, such as a packet-count threshold, is identified as an attack, and the Vigor router activates its defense mechanism to mitigate it in real time.
The attack types that the DoS/DDoS defense function can detect are listed below:
1. SYN flood attack
2. UDP flood attack
3. ICMP flood attack
4. Port Scan attack
5. IP options
6. Land attack
7. Smurf attack
8. Trace route
9. SYN fragment
10. Fraggle attack
11. TCP flag scan
12. Tear drop attack
13. Ping of Death attack
14. ICMP fragment
15. Unknown protocol
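The flooding-type entries in this list (SYN flood, UDP flood, ICMP flood) and the Port Scan entry are the threshold-based detections the preceding paragraph describes: a sliding window counts packets of one kind, and exceeding the threshold raises an alert that a Syslog server would receive. The following Python detector is an added example for this guide, not DrayTek code; the per-second thresholds, the one-second window and the packet record layout are assumptions, and the traffic it processes is constructed inline.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed packet record: (timestamp_s, src_ip, dst_ip, proto, dst_port, tcp_flags)
Packet = Tuple[float, str, str, str, int, str]

# Hypothetical thresholds (packets per WINDOW); a real device has its own defaults.
THRESHOLDS = {
    "SYN flood": 50,
    "UDP flood": 150,
    "ICMP flood": 50,
}
PORT_SCAN_PORTS = 20   # distinct destination ports from one source within WINDOW
WINDOW = 1.0           # seconds

class FloodDetector:
    """Sliding-window rate monitor for the flooding-type attacks and port scans."""

    def __init__(self) -> None:
        self.events: Dict[str, Deque[float]] = defaultdict(deque)
        self.ports: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.alerted: Set[str] = set()      # alert once per kind/source
        self.alerts: List[str] = []         # Syslog-style warning lines

    @staticmethod
    def _classify(pkt: Packet) -> Optional[str]:
        _, _, _, proto, _, flags = pkt
        if proto == "tcp" and flags == "S":
            return "SYN flood"
        if proto == "udp":
            return "UDP flood"
        if proto == "icmp":
            return "ICMP flood"
        return None

    def feed(self, pkt: Packet) -> None:
        ts, src, _dst, proto, dport, _flags = pkt
        kind = self._classify(pkt)
        if kind:
            q = self.events[kind]
            q.append(ts)
            while q and ts - q[0] > WINDOW:     # drop timestamps outside the window
                q.popleft()
            if len(q) > THRESHOLDS[kind] and kind not in self.alerted:
                self.alerted.add(kind)
                self.alerts.append(
                    f"DoS defense: {kind} detected ({len(q)} pkts/{WINDOW:.0f}s, last src {src})")
        if proto in ("tcp", "udp"):
            pq = self.ports[src]
            pq.append((ts, dport))
            while pq and ts - pq[0][0] > WINDOW:
                pq.popleft()
            distinct = {p for _, p in pq}
            key = f"Port Scan from {src}"
            if len(distinct) >= PORT_SCAN_PORTS and key not in self.alerted:
                self.alerted.add(key)
                self.alerts.append(
                    f"DoS defense: Port Scan attack detected from {src} "
                    f"({len(distinct)} ports/{WINDOW:.0f}s)")

def background_traffic(det: FloodDetector) -> None:
    """Constructed normal traffic: one SYN and one DNS datagram per second."""
    for i in range(10):
        det.feed((i * 1.0, "203.0.113.9", "192.168.1.20", "tcp", 443, "S"))
        det.feed((i * 1.0 + 0.5, "203.0.113.9", "192.168.1.20", "udp", 53, ""))

def simulate() -> List[str]:
    """Constructed abnormal traffic after the background: a burst of 80 SYNs in
    0.4 s, then one source touching 25 ports in 0.5 s."""
    det = FloodDetector()
    background_traffic(det)
    for i in range(80):
        det.feed((20.0 + i * 0.005, "198.51.100.7", "192.168.1.20", "tcp", 80, "S"))
    for p in range(25):
        det.feed((30.0 + p * 0.02, "198.51.100.8", "192.168.1.20", "tcp", 1000 + p, "S"))
    return det.alerts

if __name__ == "__main__":
    for line in simulate():
        print(line)
```

The window keeps only the timestamps it needs, so memory stays bounded no matter how long the flood lasts, and the "alert once" set is what keeps a sustained flood from flooding the Syslog server in turn.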
The menu items for Firewall are shown below.
4.5.2 General Setup
General Setup allows you to adjust settings of IP Filter and common options.
Here you can enable or disable the Call Filter or Data Filter. Under some circumstances, your filter sets can be linked to work in a serial manner, so here you assign the Start Filter Set only. You can also configure the Log Flag settings, Apply IP filter to VPN incoming packets, and Accept incoming fragmented UDP packets.
Click Firewall and click General Setup to open the general setup page.
Call Filter
Check Enable to activate the Call Filter function. Assign a start filter set for the Call Filter.
Data Filter
Check Enable to activate the Data Filter function. Assign a start filter set for the Data Filter.
Filter
Select Pass or Block for the packets that do not match the filter rules.
IM/P2P Filter
Select a CSM profile for global IM/P2P application blocking. All the hosts in the LAN must follow the standard configured in the CSM profile selected here. For detailed information, refer to the section on CSM profile setup. For troubleshooting needs, you can specify to record information for IM/P2P by checking the Log box. It will be sent to the Syslog server. Please refer to section 4.14.4 Syslog/Mail Alert for more detailed information.
URL Content Filter
Select one of the URL Content Filter profile settings (created in CSM>> URL Content Filter) to apply to this router. Please set at least one profile in the CSM>> URL Content Filter web page first so that it can be chosen here. For troubleshooting needs, you can specify to record information for URL Content Filter by checking the Log box. It will be sent to the Syslog server. Please refer to section 4.14.4 Syslog/Mail Alert for more detailed information.
Web Content Filter
Select one of the Web Content Filter profile settings (created in CSM>> Web Content Filter) to apply to this router. Please set at least one profile for anti-virus in the CSM>> Web Content Filter web page first. For troubleshooting needs, you can specify to record information for Web Content Filter by checking the Log box. It will be sent to the Syslog server. Please refer to section 4.14.4 Syslog/Mail Alert for more detailed information.
Syslog
For troubleshooting needs you can specify the filter log and/or CSM log here by checking the box. The log will be displayed in the DrayTek Syslog window.
Advance Setting
Click Edit to open the following window. However, it is strongly recommended to use the default settings here.
Codepage - This function is used to compare the characters among different languages. Choosing the correct codepage helps the system obtain the correct ASCII after decoding data from the URL and improves the accuracy of the URL Content Filter. The default value for this setting is ANSI 1252 Latin I. If you do not choose any codepage, no URL decoding will be performed. Please use the drop-down list to choose a codepage.
If you are not sure which codepage to choose, please open Syslog. Under Codepage Information in the Setup dialog, you will see the recommended codepage listed in the dialog box.
Window size – Sets the TCP window size (0~65535). A larger value gives better performance. However, if the network is not stable, a smaller value is more appropriate.
Session timeout – Setting a timeout for sessions makes the best use of network resources. Note that Queue timeout is configured for the TCP protocol only, whereas session timeout is configured for the data flows that match the firewall rule.
Some on-line games (for example: Half Life) use lots of fragmented UDP packets to transfer game data. As a secure firewall, the Vigor router rejects these fragmented packets to prevent attacks unless you enable “Accept large incoming fragmented UDP or ICMP Packets”. By checking this box, you can play these kinds of on-line games. If security is the higher priority, do not enable “Accept large incoming fragmented UDP or ICMP Packets”.
4.5.3 Filter Setup
Click Firewall and click Filter Setup to open the setup page.
To edit or add a filter, click on the set number to edit the individual set. The following page will be shown. Each filter set contains up to 7 rules. Click on the rule number button to edit each rule. Check Active to enable the rule.
Filter Rule
Click a button numbered (1 ~ 7) to edit the filter rule. Clicking the button opens the Edit Filter Rule web page. For detailed information, refer to the following page.
Active
Enable or disable the filter rule.
Comment
Enter filter set comments/description. The maximum length is 23 characters.
Move Up/Down
Use the Up or Down link to change the order of the filter rules.
Next Filter Set
Set the link to the next filter set to be executed after the current filter set has run. Do not make a loop with many filter sets.
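The chain of filter sets, the per-set limit of 7 rules, the Pass/Block default from General Setup for packets that match no rule, and the loop warning above all fit into a small evaluator. The following Python model is an added example for this guide, not DrayTek code; the rule fields, the address spellings ("any", a single address, "lo-hi" for a range, CIDR for a subnet, after the Any/Single/Range/Subnet address types of the Source/Destination IP dialog), the direction strings and the sample sets are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_RULES_PER_SET = 7

@dataclass
class Rule:
    active: bool
    direction: str          # "LAN->WAN" or "WAN->LAN"
    src: str                # "any" | "192.0.2.7" | "192.0.2.10-192.0.2.20" | "192.0.2.0/24"
    dst: str
    action: str             # "pass" or "block"
    comment: str = ""

@dataclass
class FilterSet:
    rules: List[Rule]
    next_set: Optional[int] = None   # the "Next Filter Set" link, None ends the chain

def addr_matches(spec: str, ip: str) -> bool:
    """Any / Single / Range / Subnet address matching (assumed spellings)."""
    if spec == "any":
        return True
    a = ipaddress.ip_address(ip)
    if "-" in spec:                                   # Range Address
        lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-", 1))
        return lo <= a <= hi
    if "/" in spec:                                   # Subnet Address
        return a in ipaddress.ip_network(spec, strict=False)
    return a == ipaddress.ip_address(spec)            # Single Address

def find_loop(sets: Dict[int, FilterSet], start: int) -> Optional[List[int]]:
    """Follow Next Filter Set links from `start`; return the path if a set is
    revisited (a loop), else None."""
    seen: List[int] = []
    current: Optional[int] = start
    while current is not None:
        if current in seen:
            return seen + [current]
        seen.append(current)
        current = sets[current].next_set
    return None

def evaluate(sets: Dict[int, FilterSet], start: int, default: str,
             direction: str, src_ip: str, dst_ip: str) -> str:
    """Walk the chain from the Start Filter Set; the first active rule whose
    direction and addresses match decides. With no match, the General Setup
    Filter default (Pass or Block) applies."""
    loop = find_loop(sets, start)
    if loop:
        raise ValueError("filter set loop: " + " -> ".join(map(str, loop)))
    current: Optional[int] = start
    while current is not None:
        fs = sets[current]
        if len(fs.rules) > MAX_RULES_PER_SET:
            raise ValueError(f"filter set {current} holds more than {MAX_RULES_PER_SET} rules")
        for rule in fs.rules:
            if not rule.active or rule.direction != direction:
                continue
            if addr_matches(rule.src, src_ip) and addr_matches(rule.dst, dst_ip):
                return rule.action
        current = fs.next_set
    return default

def build_example_sets() -> Dict[int, FilterSet]:
    """Constructed sample configuration: set 1 chains into set 2."""
    return {
        1: FilterSet([
            Rule(True, "WAN->LAN", "198.51.100.0/24", "any", "block", "blocked range"),
            Rule(False, "WAN->LAN", "any", "any", "block", "disabled catch-all"),
        ], next_set=2),
        2: FilterSet([
            Rule(True, "WAN->LAN", "any", "192.168.1.10", "pass", "web server"),
            Rule(True, "LAN->WAN", "192.168.1.50-192.168.1.60", "any", "block", "guest hosts"),
        ]),
    }

if __name__ == "__main__":
    sets = build_example_sets()
    print(evaluate(sets, 1, "block", "WAN->LAN", "203.0.113.5", "192.168.1.10"))
    sets[2].next_set = 1          # the loop the guide warns against
    print(find_loop(sets, 1))
```

Two points worth noticing from the sample: the disabled rule in set 1 is skipped without affecting the outcome, and once set 2 links back to set 1 the chain has no end, which is exactly why the guide says not to build a loop.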
To edit a Filter Rule, click the Filter Rule index button to enter the Filter Rule setup page.
Check to enable the Filter Rule
Check this box to enable the filter rule.
Comments
Enter filter rule comments/description. The maximum length is 14 characters.
Index(1-15)
Set PCs on the LAN to work at certain time intervals only. You may choose up to 4 schedules out of the 15 schedules pre-defined in Applications >> Schedule setup. The default setting of this field is blank, and the rule then applies at all times.
Direction
Set the direction of packet flow (LAN->WAN/WAN->LAN). This is for Data Filter only. For the Call Filter, this setting is not available since Call Filter is only applied to outgoing traffic.
Source/Destination IP
Click Edit to access the following dialog to choose the source/destination IP or IP ranges.
To set the IP address manually, please choose Any Address/Single Address/Range Address/Subnet Address as the Address Type and type them in this dialog. In addition, if you want to use the IP range from defined groups or objects, please choose Group and Objects
