Network Security Firewall for Enterprise
D-Link's DFL-1100 is an easy-to-deploy, high-capacity firewall designed for the large enterprises that require superior
price/performance. This firewall is a powerful security solution that features fault tolerance and high availability, providing
integrated Network Address Translation (NAT), Firewall, Content Filtering, IDS protection, bandwidth management as well as
Virtual Private Network (VPN) support. The DFL-1100 includes a WAN link support, a trusted LAN port, a DMZ port to
support local e-mail and web servers, and a backup port to connect to another firewall.

Multi-Function Security Application
Advanced Features for Complete Protection
The DFL-1100 features enterprise-grade firewall functions,
DFL-1100 provides advanced features including Content filtering,
including Stateful Packet Inspection (SPI), detect/drop intruding
IDS (Intrusion Detection System), Bandwidth Management for
packets, embedded VPN, a physical DMZ port, multiple-mapped
complete solution protection to users's network. Content Filtering lets
IPs and multiple virtual servers. The DFL-1100 connects your
you filter/protect your network with customized policy. Bandwidth
office to a broadband modem such as cable or DSL through an
management guarantees bandwidth for different services.
external 10/100BASE-TX WAN port.
The DFL-1100 protects your network from attacks. It can be
Full Firewall Functions
configured to log all attacks, locate the source IP address generating
The DFL-1100 provides complete firewall functions, including the
the attack, send the attack report notification to a specified e-mail
NAT mode, PAT (Port Address Translation) mode, Transparent
address and establish policies to restrict incoming traffic from
mode, Routing mode and SPI. It also supports customized policy
specific IP address sources. Network administrators can set e-mail
and virtual server configuration. Administrators can easily manage
addresses to receive alert message from the DFL-1100. When
the network through graphical statistics in a logging/monitoring
intrusion events are detected, the DFL-1100 will log them and send
alert e-mail, and the administrator can check the log file on the router
to find out what happened.
High Performance IPSec VPN Support
The DFL-1100 is equipped with embedded VPN support, allowing
High Performance With Fault Tolerance
you to create multiple IPSec tunnels to remote sites/clients. IPSec
The DFL-1100 can operate with up to 200,000 concurrent sessions,
on the DFL-1100 uses strong encryption with DES, 3DES, AES
providing up to 1,000 VPN tunnels for up to 1,000 mobile
and Automated Key Management via IKE/ISAKMP. A VPN tunnel
telecommuters needing secure remote connections to the company
can be activated from the DFL-1100 to a remote site or a mobile
network. In addition, this firewall also provides fault tolerance
user for secured traffic flow using triple DES encryption. This
through redundancy backup with another firewall through a backup
offers users a way to confidentially access and transfer sensitive
port, providing continuous firewall protection for mission-critical
information. Multiple VPN tunnels may be easily created without
the need to setup IKE (Internet Key Exchange) policies.
1 DMZ Port, 1 Trusted LAN Port, 1 Backup Port
Access Control List (ACL)
The DFL-1100 includes a LAN port that connects to your internal
URL blocking is part of basic features offered by DFL-1100. This
office network, a backup port that connects to another firewall, and a
function provides the benefit of limiting access to undesirable
physical DMZ (Demilitarized Zone) port that can connect your Web,
Internet sites. Logs of real-time Internet traffic, alarms of Internet
mail or FTP servers for access from the Internet. DMZ alleviates
attacks, and notice of web-browsing activities are logged and can
congested server traffic from entering the Internal network, while
be reported through e-mail notification.
protecting your other office computers from Internet attacks by
hiding them behind the firewall.
DFL-1100 supports Radius authentication so you can make use of
your existing Radius Server and user information.
Key Features
1 10/100BASE-TX LAN port, 1 10/100BASE-TX DMZ port, 1
Network Address Translation (NAT)/Network Address Port
10/100BASE-TX sync port
Translation (NAPT)
1 10/100BASE-TX WAN port for cable/DSL modem connection
NAT Application Level Gateway (ALG) support
PPTP, L2TP, IPSec VPN tunneling support
DHCP server/client and parental control
PPTP, L2TP, IPSec VPN pass throughput support
PPPoE support for dial-up DSL to save ISP charge
Aggressive/Main client mode for VPN
Content filtering, URL/domain blocking and key word check
Stateful Packet Inspection (SPI) firewall protection
Virtual server support
Denial of Service (DoS) and DDoS attack blocking
Web-based configuration management & real-time monitoring
SYSlog protocol support

Technical Specifications
- DRAM: 256Mbytes SDRAM
- System log
- Flash memory: 64 Mbytes
- Firmware backup
- Accelerator: VPN accelerator for higher performance
- E-Mail Alerts
- Filtering activity (Logs rejected internal and external connection requests)
Device Ports
- Web access log
- WAN: 10/100BASE-TX port
- Internet Access Monitor
- LAN: 10/100BASE-TX port
- Remote Management from WAN
- DMZ: 10/100BASE-TX port
- Simple Network Time Protocol (SNTP)
- Sync: 10/100BASE-TX port
- Simple Network Management Protocol (SNMP)
- Console: serial COM port
- SDI service using Ericsson's Home Internet Solution
- Http
Performance & Throughput
- Consistency checks
- Firewall: 250Mbps or higher
- 3DES: 34Mbps or higher
Firewall & VPN User authentication
- AES: 84Mbps or higher
- RADIUS (external) database
- Concurrent sessions: 200,000 max.
- Built-in database: up to 1,500 users
- VPN tunnels: 1,000 max.
- NIDS pattern
- DDoS and DoS detected
Firewall Mode of Operation
- MAC address bind with IP
- NAT (Network Address Translation)
- On-line pattern update
- PAT (Port Address Translation)
- Detect CodeRed
- Transparent mode
- Attack alarm (via e-mail)
- Route mode
- Log and report
- Virtual IP
Bandwidth Management
- Policy-based NAT
- Guaranteed bandwidth
- Maximum bandwidth
VPN Security
- Priority-bandwidth utilization
- IPSec Server/Client, PPTP Server/Client, L2TP Server/Client
- DiffServ stamp
- IPSec/PPTP/L2TP pass-through
- Class-based policies
- Authentication transform: MD5 and SHA-1
- Application-specific traffic class
- Encryption transform: Null, DES and 3DES, AES
- Policy-based traffic shaping
- Key management: manual and IKE
- Subnet-specific traffic class
- Keying mode: Pre-Shared Key
- Key exchange: DH1, DH2 and DH5
High Availability (HA)
- Negotiation mode: Quick, Main and Aggressive mode
- Session protection for firewall and VPN
- Remote access VPN
- Active-Active cluster and load balance
- Policy-based firewall and session protection
- Device failure detection
- Keep-Alives on tunnel free configurable
- State synchronization
- Hub-n-Spoke
- VPN synchronization
- Synchronization method: Ethernet
- Average fail-over time: <800ms
Firewall Security
- Network notification on fail over
- Stateful Packet Inspection (SPI)/Denial of Service (DoS)
Driver/Firmware Support
- Packet Filter
Web Based configuration
- Content Filter (URL Keyword Blocking, Java/ActiveX/Cookie/
Proxy Blocking)
Diagnostic LEDs
- Custom Protocol Filters
- Power
- Custom ICMP Filter
- Status
- Microsoft Active Directory Integration (via MS IAS)
- Multiple administrators
- Backup
- Root Admin, Admin & Read Only user levels
- Software upgrades & configuration changes
- Trust host
Network Service
- DHCP Server / Client
- DHCP Relay
- DHCP over IPSec
- PPPoE for xDSL
- PPTP for xDSL
- BigPond Cable
- Free configuration of MTU
- Support H.323 Application layer gateway
- Support SIP Application layer gateway
- FTP application layer gateway
- DNS resolving of remote gateway

Technical Specifications
Physical & Environmental
Power Supply
Internal universal power supply
295 (D) x 440 (W) x 44(H) mm (device only)
3.8 kg (device only)
Operation Temperature
0 to 60 C
Storage Temperature
-20 to 70 C
Operation Humidity
5% to 95% non-condensing
Storage Humidity
5% to 95% non-condensing
Emission (EMI)
- FCC Class A
- CE Class A
- C-Tick
- UL
- LVD (EN60950)
Ordering Information
1 RJ-45 10/100BASE-TX port
(for DSL/cable modem connection)
1 RJ-45 10/100BASE-TX port (for DMZ network)
1 RJ-45 10/100BASE-TX port (for internal network)
1 RJ-45 10/100BASE-TX port (for backup,
connects to another firewall)
Specifications subject to change without
TEL: 1-714-885-6000
FAX: 1-866-743-4905
prior notice.
D-Link is a registered trademarks of
TEL: 1-905-8295033
FAX: 1-905-8295223
D-Link Corporation/D-Link System Inc.
TEL: 44-20-8731-5555
FAX: 44-20-8731-5511
All other trademarks belong to their
TEL: 49-6196-77990
FAX: 49-6196-7799300
TEL: 33-1-30238688
FAX: 33-1-30238689
TEL: 31-10-282-1445
FAX: 31-10-282-1331
TEL: 32(0)2-517-7111
FAX: 32(0)2-517-6500
TEL: 39-2-2900-0676
FAX: 39-2-2900-1723
TEL: 34-93-4090770
FAX: 34-93-4910795
TEL: 46-(0)8564-61900
FAX: 46-(0)8564-61901
TEL: 47-22-309075
FAX: 47-22-309085
TEL: 45-43-969040
FAX: 45-43-424347
TEL: 358-9-2707-5080
FAX: 358-9-2707-5081
TEL: 65-6774-6233
FAX: 65-6774-6322
TEL: 61-2-8899-1800
FAX: 61-2-8899-1868
TEL: 81-3-5434-9678
FAX: 81-3-5434-9868
TEL: 86-10-8518-2533
FAX: 86-10-8518-2250
TEL: 91-022-652-6696
FAX: 91-022-652-8914
Middle East (Dubai) TEL: 9714-8834234
FAX: 9714-8834394
TEL: 90-212-335-2553
FAX: 90-212-335-2500
TEL: 202-414-4295
FAX: 202-415-6704
TEL: 972-9-9715700
FAX: 972-9-9715601
TEL: 56-2-232-3185
FAX: 56-2-232-0923
TEL: 55-11-55039320
FAX: 55-11-55039321
South Africa
TEL: 27(0)1266-52165
FAX: 270 )1266-52186
TEL: 7-095-744-0099
FAX: 7-095-744-0099#350
TEL: 886-2-2910-2626
FAX: 886-2-2910-1515
Rev. 01 (May 2004)
D-Link Corp.
TEL: 886-2-2916-1600
FAX: 886-2-2914-6299

Document Outline