Enhanced security settings that are available and are discussed in this chapter:
· URL Filter: You can block specific web sites by configuring their IP address, URL or keywords.
· Access Filter: You can block all Internet access, select blocks of well-known ports, or block user-defined ports for previously defined groups of LAN users.
· Session Limit: You can limit user access to the Internet in the event of the device detecting new sessions that exceed the maximum sessions setting during the given sampling time.
· Firewall Exception: This option bypasses the SPI Firewall and the NAT. It permits the specified packets to be processed directly by the system protocol stack. As any unrecognized packets sent to the device are normally rejected, if you want the device to accept specific packets, you should build the corresponding exception rules in this section.

This feature allows you to block or allow access to specific Web sites. You can block or allow Internet access by URL, IP address, or keyword. You can also have different block or allow settings for different groups of PCs.
· When in operation, every URL is searched to see if it matches or contains any of the URLs or keywords specified. A DNS lookup determines the IP address of the requested site, and the site's IP address is checked against the specified IP address entries. Depending on the results and the URL filter settings, access is either granted or denied.

URL Filter Page

Access Group |
· Select Group: The group that the current rule is applied to.
· URL Filter Type: The filter type (Block/Allow) that the current group is set to use.
  Block Internet Access: All web page accesses will be blocked if the target is found in the packets.
  Allow Internet Access: All web page accesses will be permitted if the target is found in the packets.
Access Item |
This text field is used to enable/disable the URL Filter function and to input the URL keyword phrase.
Internet Access List |
List of the current input items.

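The matching order described above (URL or keyword containment first, then the DNS-resolved address against the IP entries, then the Block/Allow decision), as an added example that is not the device's own code. The function name, the sample entries and the DNS table are constructed; case-insensitive matching and denying unmatched requests in Allow mode are assumptions.

```python
from urllib.parse import urlsplit

def url_filter_decision(url, filter_type, entries, ip_entries, resolve):
    """Return (allowed, reason) for one requested URL.

    filter_type -- "block" or "allow" (URL Filter Type of the group)
    entries     -- URL fragments and keywords from the Internet Access List
    ip_entries  -- IP address entries from the same list
    resolve     -- callable host -> list of IPs, standing in for the DNS lookup
    """
    lowered = url.lower()  # assumption: matching ignores case
    # Step 1: the URL "matches or contains" an entry, i.e. a substring test.
    reason = next((f"entry '{e}'" for e in entries if e.lower() in lowered), None)
    # Step 2: resolve the host and compare its addresses with the IP entries.
    if reason is None:
        host = urlsplit(url).hostname or ""
        reason = next((f"ip {ip}" for ip in resolve(host) if ip in ip_entries), None)
    found = reason is not None
    # Block: deny on a hit. Allow: permit on a hit; denying everything else
    # is an assumption of this sketch.
    allowed = (not found) if filter_type == "block" else found
    return allowed, reason or "no match"

# Constructed sample data (documentation address ranges, made-up host names).
ENTRIES = ["ads.example.net", "casino"]
IP_ENTRIES = {"203.0.113.10"}
DNS = {"mirror.example.org": ["203.0.113.10"],
       "www.example.com": ["198.51.100.7"]}

def lookup(host):
    return DNS.get(host, [])

if __name__ == "__main__":
    for u in ("http://ads.example.net/banner.gif",
              "http://www.example.com/news/casino-regulation",  # keyword over-match
              "http://mirror.example.org/",                     # caught by IP only
              "http://www.example.com/"):
        print(u, url_filter_decision(u, "block", ENTRIES, IP_ENTRIES, lookup))
```

Because the test is containment, a short keyword also blocks unrelated pages whose URL happens to include it, and an IP entry only takes effect for the address the DNS lookup returns at request time.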
You can use the Access Filter settings to gain control over the Internet access and applications available to LAN users.
· Five user groups are available and each group can have different access rights.
· By default all PCs (users) are in the Default group unless specifically assigned to another group on the Host IP screen.

Access Filter Page

Access Group |
The group that the current rule is applied to. To apply restrictions to everyone, select the Default group. All users (hosts) are in the Default group unless moved to another group on the Host IP screen.
Filter Setting |
· No Filtering: Allows all Internet access by LAN users.
· Block All Access: Prohibits all Internet access by LAN users.
· Allow Selected Items: Applies the rules for permitting Internet access defined in User-Defined Filter.
· Block Selected Items: Applies the rules for blocking Internet access defined in User-Defined Filter.
ICMP Filter |
Limits the ICMP activities initiated from the LAN.
· Selected Packet Types: Prohibits the selected types of ICMP packets from the LAN from passing through the device.
· Packet Types: The types of ICMP packets that can be blocked.
User-Defined Filter |
This lets you define which custom ports are to be blocked.
· Enable: Activates or deactivates the current rule.
· Name: A unique name to identify the current rule.
· Protocol Type: The protocol to be blocked.
· Port No. Range: The port number range to be blocked (for TCP and UDP only). If only one port number is used, enter the same port number in both fields.
User-Defined Filter List |
Lists all enabled and disabled filters that have been defined.

This feature allows the device to drop any new session requests from the WAN or the LAN when the total number of new sessions exceeds the maximum sessions during the sampling time.

Session Limit Page

Session Limit
Outgoing New Session |
· Session Limit: Check this to enable limiting sessions.
· Sampling Time: The period over which new sessions are counted. Only those new sessions which occurred in the most recent Sampling Time are counted for limit checking. (default: 400 millisec., maximum: 500 millisec., step: 50 millisec.)
· Maximum of Total New Session: If the number of new sessions for the system exceeds the Maximum in the Sampling Time, any new session in the system will be dropped. (default: 65535 sess./sec., maximum: 65535 sess./sec.)
· Maximum of New Sessions for Host: If the number of new sessions for the host exceeds the Maximum in the Sampling Time, any new session of the host will be dropped. (default: 100 sess./sec., maximum: 999 sess./sec.)
· Maximum of Dropped New Sessions for Host: If the number of dropped new sessions for the host exceeds the Maximum in the Sampling Time, any new session of the host will be dropped for the Pause Time. (default: 25 sess./sec., maximum: 999 sess./sec.)
· Pause Time for Host while exceeding limits on dropped new sessions: Within the Pause Time, no new session of the suspended host will be served by the system. (default: 5 min., maximum: 65535 min.)

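How the per-host settings above interact, as an added simulation that is not the device's firmware. The class and method names are hypothetical; the sketch assumes the limits are applied as counts inside one Sampling Time window (the page quotes them in sess./sec.), counts accepted sessions toward the host maximum, and leaves out the system-wide total.

```python
from collections import deque

class HostSessionLimiter:
    """Per-host limits from the Session Limit page; all times in milliseconds."""

    def __init__(self, sampling_ms=400, max_new=100, max_dropped=25, pause_min=5):
        self.sampling_ms = sampling_ms      # Sampling Time
        self.max_new = max_new              # Maximum of New Sessions for Host
        self.max_dropped = max_dropped      # Maximum of Dropped New Sessions for Host
        self.pause_ms = pause_min * 60_000  # Pause Time for Host
        self.accepted = deque()             # timestamps of accepted new sessions
        self.dropped = deque()              # timestamps of dropped new sessions
        self.paused_until = -1

    def _expire(self, stamps, now):
        # Keep only events inside the most recent Sampling Time.
        while stamps and stamps[0] <= now - self.sampling_ms:
            stamps.popleft()

    def new_session(self, now):
        """Classify one new-session request as 'accept', 'drop' or 'paused'."""
        if now < self.paused_until:
            return "paused"
        self._expire(self.accepted, now)
        self._expire(self.dropped, now)
        if len(self.accepted) < self.max_new:
            self.accepted.append(now)
            return "accept"
        self.dropped.append(now)
        if len(self.dropped) > self.max_dropped:
            # Too many drops inside the window: suspend the host.
            self.paused_until = now + self.pause_ms
            self.dropped.clear()
        return "drop"

def simulate(limiter, timestamps):
    """Feed request timestamps (ms) to the limiter and tally the outcomes."""
    tally = {}
    for t in timestamps:
        outcome = limiter.new_session(t)
        tally[outcome] = tally.get(outcome, 0) + 1
    return tally

# Constructed traffic: one new session every 2 ms (scan-like burst) versus
# one every 10 ms (ordinary client), each for one second, default settings.
BURST = range(0, 1000, 2)
NORMAL = range(0, 1000, 10)

if __name__ == "__main__":
    print("burst :", simulate(HostSessionLimiter(), BURST))
    print("normal:", simulate(HostSessionLimiter(), NORMAL))
```

With the defaults, the burst host is suspended about 250 ms after it starts and stays suspended for the full 5 minutes, while the ordinary client never reaches a limit.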
The Duolinks SW24 Series Load Balancers' built-in SPI firewall will automatically reject any unrecognized packets. If you want the device to accept specific packets, you should build the corresponding exception rules using the System Filter Exceptions.
You will not need to modify the default settings or add anything here unless you are running a specific application which needs the default SPI firewall and security settings modified on the load balancer.

SysFilter Exception Page

System Filter Exception Rules |
· Enable: To activate or deactivate this rule.
· Interface: The port that the packets enter the device on.
· Protocol: The protocol of the packets to be accepted.
· Foreign Port Range: The source port range of the packets to be accepted.
· Device Port Range: The destination port range of the packets to be accepted.
System Filter Exception Rule List |
Lists all system rules that have been defined.

Important Note: Misconfiguration of this section may lead to serious security threats for your network.