DPtech DPX8000 Series User manual

DPX8000 Series Deep Service Switching Gateway
User Configuration Guide
Firewall Service Board Module v1.0

Hangzhou DPtech Technologies Co., Ltd. provides full-range technical support.
If you need any help, please contact Hangzhou DPtech Technologies Co., Ltd. or its sales agent,
according to where you purchased the product.
Hangzhou DPtech Technologies Co., Ltd.
Address: 6th floor, zhongcai mansion, 68 tonghelu, Binjiangqu, Hangzhoushi
Address code: 310051

Declaration
Copyright 2013
Hangzhou DPtech Technologies Co., Ltd.
All rights reserved.
No part of this manual may be extracted or copied by any company or individual without written
permission, or transmitted by any means.
Owing to product upgrades or other reasons, information in this manual is subject to change.
Hangzhou DPtech Technologies Co., Ltd. has the right to modify the content of this manual. As this is
a user guide, Hangzhou DPtech Technologies Co., Ltd. has made every effort in the preparation of this
document to ensure the accuracy of its contents, but all statements, information, and recommendations
in this document do not constitute a warranty of any kind, express or implied.

Table of Contents
CHAPTER 1 FIREWALL
1.1 INTRODUCTION TO FIREWALL
1.2 PACKET FILTERING POLICY
1.2.1 PACKET FILTERING POLICY
1.2.2 PACKET FILTERING POLICY LOG
1.2.3 ALG CONFIGURATION
1.3 IPV6 PACKET FILTERING POLICY
1.4 NAT
1.4.1 INTRODUCTION TO NAT
1.4.2 SOURCE NAT
1.4.3 DESTINATION NAT
1.4.4 ONE TO ONE NAT
1.4.5 ADDRESS POOL
1.4.6 ALG CONFIGURATION
1.5 NAT_PT
1.6 BASIC ATTACK PROTECTION
1.6.1 BASIC ATTACK PROTECTION
1.6.2 BASIC ATTACK LOG QUERY
1.7 SESSIONS LIMIT
1.8 SERVICE LIMITATION
1.9 IPV4 BASIC DDOS PROTECTION
1.9.1 DEFEND OBJECT MANAGEMENT
1.9.2 CONFIGURATION AND TENDENCY
1.9.3 PROTECTION HISTORY
1.10 BLACKLIST
1.10.1 BLACKLIST
1.10.2 BLACKLIST QUERY
1.10.3 BLACKLIST LOG QUERY
1.11 QOS
1.11.1 VIP BANDWIDTH GUARANTEE
1.11.2 TRAFFIC SHAPING
1.12 ANTI-ARP-SPOOFING
1.12.1 ANTI-ARP-SPOOFING
1.12.2 ARP CONFIGURATION
CHAPTER 2 LOAD BALANCING
2.1 LINK LOAD BALANCING
2.1.1 INTRODUCTION TO LINK LOAD BALANCING
2.1.2 LINK CONFIG
2.1.3 ISP
2.2 LOGIC LINK GROUP
2.3 LINK HEALTH CHECK
CHAPTER 3 VPN
3.1.1 INTRODUCTION TO IPSEC
3.1.2 IPSEC VPN CONFIGURATION
3.1.3 DPVPN
3.1.4 XAUTH USER
3.1.5 IPSEC INTERFACE
3.1.6 DISPLAY CONNECTIONS
3.1.7 OPERATION LOG
3.2 L2TP
3.2.1 INTRODUCTION TO L2TP
3.2.2 L2TP
3.3 GRE VPN
3.3.1 INTRODUCTION TO THE GRE
3.3.2 CONFIGURING GRE CONFIGURATION
3.4 SSL VPN
3.4.1 INTRODUCTION TO THE SSL VPN
3.4.2 GLOBAL CONFIGURATION
3.4.3 RESOURCE CONFIGURATION
3.4.4 USER MANAGEMENT
3.4.5 ONLINE USER STATUS
3.4.6 OPERATION LOG QUERY
CHAPTER 4 IDS INTEGRATION
4.1 IDS INTEGRATION LOG

List of Figures
Figure1-1 Firewall module
Figure1-2 Packet filtering policy
Figure1-3 Packet filtering policy log
Figure1-4 Packet filtering policy log
Figure1-5 ALG configuration
Figure1-6 IPv6 packet filtering policy
Figure1-7 Source NAT
Figure1-8 Destination NAT
Figure1-9 One to one NAT
Figure1-10 Address pool
Figure1-11 ALG configuration
Figure1-12 ALG configuration
Figure1-13 Basic attack protection
Figure1-14 Basic attack log query
Figure1-15 Session limitation
Figure1-16 Service limitation
Figure1-17 Defend object management
Figure1-18 Traffic status and monitoring
Figure1-19 DDOS defend settings
Figure1-20 Protection history
Figure1-21 Blacklist configuration
Figure1-22 Blacklist query
Figure1-23 Blacklist log query
Figure1-24 VIP bandwidth guarantee
Figure1-25 Traffic shaping
Figure1-26 Anti-ARP-Spoofing
Figure1-27 ARP configuration
Figure2-1 Link load balancing
Figure2-2 ISP
Figure2-3 Logic link group
Figure2-4 Link health check
Figure3-1 IPsec VPN configuration
Figure3-2 DPVPN
Figure3-3 Xauth user
Figure3-4 IPsec interface
Figure3-5 Display connection
Figure3-6 Operation log
Figure3-7 L2TP
Figure3-8 GRE
Figure3-9 SSL VPN
Figure3-10 Resource configuration
Figure3-11 Resource configuration
Figure3-12 Online user status
Figure3-13 Operation log query

List of Tables
Table1-1 Packet filtering policy
Table1-2 Configuring action
Table1-3 Packet filtering policy log
Table1-4 ALG configuration
Table1-5 Source NAT configuration
Table1-6 Destination NAT configuration
Table1-7 One to one NAT configuration
Table1-8 Address pool configuration
Table1-9 Alg configuration
Table1-10 Basic attack protection
Table1-11 Basic attack log query
Table1-12 Exceeding control
Table1-13 Defend object management
Table1-14 Traffic and status monitoring
Table1-15 DDOS defend settings
Table1-16 Blacklist configuration
Table1-17 Blacklist query
Table1-18 Blacklist log query
Table1-19 VIP bandwidth guarantee
Table1-20 Anti-ARP-Spoofing
Table1-21 ARP configuration
Table2-1 Link load balancing
Table2-2 ISP
Table3-1 IPsec VPN configuration
Table3-2 DPVPN
Table3-3 Display connections
Table3-4 Operation log
Table3-5 L2TP
Table3-6 GRE
Table3-7 Global configuration

Chapter 1 Firewall
1.1 Introduction to Firewall
The firewall controls incoming and outgoing data packets and blocks intrusion from outside networks. It
provides the following functions:
Packet filtering
IPv6 packet filtering
NAT
NAT_PT
Basic protection
Sessions limitation
Service limit
Basic DDoS
Advanced Algorithm
Blacklist
QoS
Anti-ARP-spoofing
Traffic analysis
To view the firewall menu, you choose Firewall module > Packet filtering, as shown in Figure1-1.

Figure1-1 Firewall module
1.2 Packet Filtering Policy
1.2.1 Packet Filtering Policy
Packet filtering inspects the source domain, destination domain, originator source IP, originator destination IP,
originator source MAC, originator destination MAC, service, IP fragment, flow re-mark, and action for every data
packet.
To enter the packet filtering policy page, you choose Firewall module > Packet filtering, as shown in Figure1-2.
Figure1-2 Packet filtering policy
Table1-1 describes the details of packet filtering policy.

Table1-1 Packet filtering policy

| Item | Description |
| --- | --- |
| Serial number | Serial number of packet filtering policy. |
| Source domain | Specify the source domain. |
| Destination domain | Specify the destination domain. |
| Originator source IP | Specify the originator source IP. |
| Originator destination IP | Specify the originator destination IP. |
| Originator source MAC | Specify the range of packet source MAC. |
| Originator destination MAC | Specify the range of packet destination MAC. |
| Service | Specify the service scope of packet filtering policy. |
| IP fragment | Specify whether to fragment packet. |
| Valid time | Specify the valid time of packet filtering policy. |
| Status | Specify whether the current policy is effective. |
| Action | Specify whether to permit the packet to pass through the device, and further limit the packet filtering policy. |
| Operation | Click the copy icon to add a copy as a new policy. Click the delete icon to delete a policy. Click the insert icon to insert a new rule. |
Table1-2 describes the details of how to configure the action.
Table1-2 Configuring action

| Item | Description |
| --- | --- |
| Pass | Allow the packet to pass through the device. |
| Discard | Do not allow the packet to pass through the device. |
| Rate limitation | Select the rate limitation rule which will apply to the packet filtering policy. |
| Per IP rate limitation | Select the per IP limitation rule which will apply to the packet filtering policy. |
| Access control | Select the access control rule which will apply to the packet filtering policy. |
| URL filtering | Select the URL filtering rule which will apply to the packet filtering policy. |
| Advanced filtering | Select the advanced filtering rule which will apply to the packet filtering policy. |
| Behavior audit | Select the behavior audit rule which will apply to the packet filtering policy. |
| Flow analysis | Select whether to enable the flow analysis. |
To create a packet filtering policy:
Click the copy icon
Select the source domain and destination domain in the new line
Select the initiate source IP and initiate destination IP for the packet filtering policy
Select the related service and valid time for the packet filtering policy
Select the action, which can be pass, discard or rate limitation
Click the Ok button in the upper right
Caution:
If no packet filtering policy matches a packet, the default action is performed. By default, an interface with a
high security level can visit an interface with a lower security level, but an interface with a low security level can visit
an interface with a high security level.
1.2.2 Packet Filtering Policy Log
Packet filtering policy log query function allows you to query some specific logs in the database. You select an
item to be enabled, as shown in Figure1-3.
Figure1-3 Packet filtering policy log
To enter the packet filtering policy page, you choose Firewall module > Packet filtering policy > Packet
filtering policy log, as shown in Figure1-4.

Figure1-4 Packet filtering policy log
Table1-3 describes the details of packet filtering policy log.
Table1-3 Packet filtering policy log

| Item | Description |
| --- | --- |
| Serial number | Displays the policy serial number. |
| Time | Displays when the log is created. |
| Protocol | Displays the protocol of the packet filtering policy. |
| Source IP | Displays the source IP of the packet filtering policy. |
| Destination IP | Displays the destination IP of the packet filtering policy. |
| Source port/type | Displays the source port/type of the packet filtering policy. |
| Destination port/code | Displays the destination port/code of the packet filtering policy. |
| Inbound interface | Displays the inbound interface of the packet filtering policy. |
| Outbound interface | Displays the outbound interface of the packet filtering policy. |
| Action | Displays the action of the packet filtering policy. |
1.2.3 ALG configuration
ALG configuration lets you configure the application gateway for all protocols, so that the device can transmit
all kinds of protocol packets to the destination.
To enter the ALG configuration page, you choose Firewall module > Packet filtering policy > ALG
configuration, as shown in Figure1-5.

Figure1-5 ALG configuration
Table1-4 describes the details of ALG configuration.
Table1-4 ALG configuration

| Item | Description |
| --- | --- |
| Protocol | Displays the protocol name. |
| State | Displays the enabling status of ALG configuration. |
1.3 IPv6 packet filtering policy
To enter the IPv6 packet filtering policy page, you choose Firewall module > Packet filtering policy > IPv6
packet filtering policy, as shown in Figure1-6.
Figure1-6 IPv6 packet filtering policy

1.4 NAT
1.4.1 Introduction to NAT
NAT (Network Address Translation) provides a way of translating the IP address in an IP packet header to another
IP address. In practice, NAT is primarily used to allow users using private IP addresses to access public networks.
With NAT, a smaller number of public IP addresses are used to meet public network access requirements from a
larger number of private hosts, and thus NAT effectively alleviates the depletion of IP addresses.
1.4.2 Source NAT
To enter the source NAT page, you choose Firewall module > NAT > Source NAT, as shown in Figure1-7.
Figure1-7 Source NAT
Table1-5 describes the details of source NAT configuration.
Table1-5 Source NAT configuration

| Item | Description |
| --- | --- |
| ID | Displays the serial number of source NAT policy. |
| Out interface | Select the out interface for source NAT policy. |
| Source IP | Configure the source IP segment for the source NAT policy. |
| Destination IP | Configure the destination IP segment for the source NAT policy. |
| Service | Configure the service scope of the source NAT policy, including all, service group, user-defined service object and the pre-defined service object. |
| Public IP address pool | Configure the public address pool of the source NAT policy. |
| Operation | Click the copy icon and the delete icon to do the operations. |
To configure the source NAT configuration:
Click the copy button of source NAT configuration
Configure the outbound interface of source NAT policy
Configure the IP address and mask of source NAT policy
Configure the public IP of the source NAT policy
After you have configured the advanced configuration, click the Ok button on the upper right.
1.4.3 Destination NAT
To enter the destination NAT page, you choose Firewall module > Firewall > NAT > Destination NAT, as
shown in Figure1-8.
Figure1-8 Destination NAT
Table1-6 describes the details of destination NAT configuration.
Table1-6 Destination NAT configuration

| Item | Description |
| --- | --- |
| ID | Displays the destination NAT ID. |
| In interface | Displays the inbound interface of destination NAT policy. |
| Common address | Displays the destination NAT policy. |
| Service | Displays the service type of destination NAT policy. |
| Expert config | Displays the expert config of the destination policy. |
| Advanced configuration | Displays the advanced configuration of the destination policy. |
| Operation | Click the copy icon and the delete icon to do the operations. |
To configure destination NAT configuration:
Click the copy button of destination NAT policy
Configure the outbound interface of the destination NAT policy
Configure the service type of the destination NAT policy
Configure the public address of destination NAT server
Configure the inner IP address of destination NAT server
After you finish the above steps, you can click Ok button in the upper right.

Note:
If you configure the server inner port in the advanced configuration, it will connect to the destination port after
the destination NAT translation.
1.4.4 One to one NAT
To enter the one to one NAT page, you choose Firewall module > Firewall > NAT > One to one NAT, as
shown in Figure1-9.
Figure1-9 One to one NAT
Table1-7 describes the details of one to one NAT configuration.
Table1-7 One to one NAT configuration

| Item | Description |
| --- | --- |
| Serial number | Displays the serial number of one to one NAT policy. |
| Public interface | Displays the outbound interface of one to one NAT policy. |
| One to one NAT | Displays the inner address of one to one NAT policy. |
| Public address | Displays the public address of one to one NAT policy. |
| Operation | Click the copy icon to copy a one to one NAT policy. Click the delete icon to delete a one to one NAT policy. |
To configure one to one NAT configuration:
Click icon of the one to one NAT policy
Configure the public interface of one to one NAT policy
Configure the inner address of one to one NAT policy
Configure the public address of one to one NAT policy
After you finished the above steps, you can click Ok button in the upper right

1.4.5 Address pool
To enter the address pool page, you choose Firewall module > Firewall > NAT > Address pool, as shown in
Figure1-10.
Figure1-10 Address pool
Table1-8 describes the details of address pool.
Table1-8 Address pool configuration

| Item | Description |
| --- | --- |
| ID | Displays the start IP address of address pool. |
| Start IP address | Configure the start IP address of address pool. |
| End IP address | Configure the end IP address of address pool. |
| Operation | Click the copy icon and the delete icon to do the operations. |
To configure address pool configuration:
Click the button of the address pool (except the first line of the table)
Configure the ID number
Configure the start IP of address pool
Configure the end IP of address pool
After you finished the above steps, you can click the Ok button on the upper right.
1.4.6 ALG configuration
ALG configuration lets you configure the application gateway for all protocols, so that the device can transmit
all kinds of protocol packets to the destination.
To enter the ALG configuration page, you choose Firewall module > Firewall > NAT > ALG configuration, as
shown in Figure1-11.

Figure1-11 ALG configuration
Table1-9 describes the details of ALG configuration.
Table1-9 ALG configuration

| Item | Description |
| --- | --- |
| Protocol | Displays the protocol name. |
| State | Select whether to enable or disable the protocol. |
1.5 NAT_PT
After enabling the NAT_PT function, you can set the NAT_PT configuration.
To enter the ALG configuration page, you choose Firewall module > Firewall > NAT_PT, as shown in
Figure1-12.
Figure1-12 ALG configuration

1.6 Basic attack protection
1.6.1 Basic attack protection
Sometimes attack packets are transmitted in the network, which can disturb hosts receiving
normal packets. Basic attack protection can block the attack packets and send logs.
To enter the basic attack protection page, you choose Firewall module > Basic attack protection, as shown in
Figure1-13.
Figure1-13 Basic attack protection
Table1-10 describes the details of basic attack protection.
Table1-10 Basic attack protection

| Item | Description |
| --- | --- |
| Attack type | Select an attack type of basic attack protection. |
| Threshold | Set the threshold of the basic attack protection. |
| Block | Click the select box of the basic attack protection to enable the relevant protocol attack protection. |
| Send log | Click the select box to view the log when attack packets are transmitted through the device interface. |
| Number of attacks | Statistics of the attack count. |