ZyWALL (ZLD) Series Security Firewalls
CLI Reference Guide
Version 3.10, Edition 1, 2/2013
Default Login Details: LAN Port IP Address http://192.168.1.1; User Name admin (case-sensitive)
This is a Reference Guide for a series of products, intended for people who want to configure ZLD-based ZyWALLs via the Command Line Interface (CLI). Some commands or command options in this guide may not be available in your product. See your product's User's Guide for a list of supported features. Every effort has been made to ensure that the information in this guide is accurate. Please refer to www.zyxel.com for product-specific User Guides and product certifications.
Table of Contents (page numbers refer to the printed guide)
Part I: Introduction, 17
  Chapter 1 Command Line Interface, 19 (1.1 Overview)
  Chapter 2 User and Privilege Modes, 33 (2.1 User And Privilege Modes, 33; 2.1.1 Debug Commands, 34)
Part II: Reference, 37
  Chapter 3 Object Reference
  Chapter 6 Interfaces (6.6.2 Cellular Interface Command Examples, 80; 6.7 Tunnel Interface Specific Commands, 81; 6.7.1 Tunnel Interface Command Examples, 82; 6.8 USB Storage Specific Commands)
  Chapter 9 Routing (9.2.3 OSPF Area Commands, 109; 9.2.4 Virtual Link Commands, 109; 9.2.5 Learned Routing Information Commands, 110; 9.2.6 show ip route Command Example)
  Chapter 16 Firewall, 133 (16.1 Firewall Overview, 133; 16.2 Firewall Commands, 134; 16.2.1 Firewall Sub-Commands)
  Chapter 20 Application Patrol, 163 (20.1 Application Patrol Overview, 163; 20.2 Application Patrol Commands Summary, 163; 20.2.1 Pre-defined Application Commands)
  Chapter 23 Content Filtering, 199 (23.1 Content Filtering Overview, 199; 23.2 Content Filtering Policies, 199; 23.3 External Web Filtering Service)
  Chapter 26 Users and Groups (26.1.1 User Types, 229; 26.2 User/Group Commands Summary, 230; 26.2.1 User Commands, 230; 26.2.2 User Group Commands)
  Chapter 31 Authentication Objects (31.1 Authentication Objects Overview, 255; 31.2 aaa authentication Commands, 255; 31.2.1 aaa authentication Command Example, 256; 31.3 test aaa Command)
  Chapter 37 System (37.3 Host Name Commands, 281; 37.4 Time and Date, 281; 37.4.1 Date/Time Commands, 282; 37.5 Console Port Speed)
  Chapter 39 File Manager, 299 (39.1 File Directories, 299; 39.2 Configuration Files and Shell Scripts Overview, 299)
  Logs, 317
  Reports and Reboot, 323
  Chapter 42 Session Timeout, 329
  Chapter 43 Diagnostics, 331 (43.1 Diagnostics, 331)
Part I: Introduction

Chapter 1 Command Line Interface
This chapter describes how to access and use the CLI (Command Line Interface).
1.1 Overview
If you have problems with your ZyWALL, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the ZyWALL and possibly render it unusable.
1.2.1 Console Port
The default settings for the console port are as follows.
Table 1 Managing the ZyWALL: Console Port
  Speed: 115200 bps
  Data Bits: 8
  Parity: None
  Stop Bit: 1
  Flow Control: Off
When you turn on your ZyWALL, it performs several internal tests as well as line initialization. You can view the initialization information using the console port.
• Garbled text displays if your terminal emulation program's speed is set lower than the ZyWALL's.
When you access the CLI using the web console, your computer establishes an SSH (Secure SHell) connection to the ZyWALL. Follow the steps below to access the web console.
1 Log into the web configurator.
2 Click the Console icon in the top-right corner of the web configurator screen.
3 If the Java plug-in is already installed, skip to step 4. Otherwise, you will be prompted to install the Java plug-in.
Note: The default login username is admin. It is case-sensitive.
Figure 5 Web Console: Connecting
Then, the Password screen appears.
Figure 6 Web Console: Password
6 Enter the password for the user name you specified earlier, and click OK. If you enter the password incorrectly, you get an error message, and you may have to close the console window and open it again. If you enter the password correctly, the console screen appears.
1.2.3 Telnet
Use the following steps to Telnet into your ZyWALL.
1 If your computer is connected to the ZyWALL over the Internet, skip to the next step. Make sure your computer's IP address and the ZyWALL's IP address are on the same subnet.
2 In Windows, click Start (usually in the bottom left corner) and Run. Then type telnet and the ZyWALL's IP address. For example, enter telnet 192.168.1.1 (the default management IP address).
3 Click OK. A login screen displays.
1.4 How Commands Are Explained
Each chapter explains the commands for one keyword. The chapters are divided into the following sections.
1.4.1 Background Information (Optional)
Note: See the User's Guide for background information about most features.
This section provides background information about features that you cannot configure in the web configurator. In addition, this section identifies related commands in other chapters.
• Enter range exactly as it appears, followed by two numbers between 1 and 65535.
1.4.6 Changing the Password
It is highly recommended that you change the password for accessing the ZyWALL. See Section 26.2 on page 230 for the appropriate commands.
1.5 CLI Modes
You run CLI commands in one of several modes.
1.6 Shortcuts and Help
1.6.1 List of Available Commands
A list of valid commands can be found by typing ? or [TAB] at the command prompt. To view a list of available commands within a command group, enter ? or [TAB].
1.6.3 Entering Partial Commands
The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the ZyWALL automatically display the full command. For example, if you enter config and press [TAB], the full command configure automatically displays. If you enter a partial command that is not unique and press [TAB], the ZyWALL displays a list of commands that start with the partial command.
1.7 Input Values
You can use ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed on the screen. In the following example, the next input value is a string called .
Table 3 Input-Value Formats for Strings in CLI Commands (continued)
TAG: # VALUES; LEGAL VALUES
  domain name (used in content filtering): 0 or more characters; lower-case letters, numbers, or .-
  domain name (used in ip dns server): 0-247 characters; alphanumeric or .; first character: alphanumeric or -
  domain name (used in domainname, ip dhcp pool, and ip domain): 0-254 characters; alphanumeric or ._; first character: alphanumeric or -
  email: 1-63 characters; alphanumeric or .@_-
  e-mail: 1-64 characters; alphanumeric or .
  key length: --; 512, 768, 1024, 1536, 2048
  license key: 25 characters; "S-" + 6 upper-case letters or numbers + "-" + 16 upper-case letters or numbers
  mac address: --; aa:bb:cc:dd:ee:ff (hexadecimal)
  mail server fqdn: lower-case letters, numbers, or -.
  url: 1-511 characters; alphanumeric or '()+,/:.=?;!*#@$_%-
  url (used in content filtering redirect): "http://"+ or "https://"+; alphanumeric or ;/?:@&=+$\.-_!~*'()%, ; starts with "http://" or "https://"; may contain one pound sign (#)
  url (used in other content filtering commands): "http://"+
  user name: alphanumeric or ;/?:@&=+$\.
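Table 3 is the kind of thing that gets checked by hand once and then forgotten, so a script that validates a value against the listed format before it is pasted into a command (or into a provisioning script that drives the CLI) is useful. The following is an added example and not ZyXEL code; the patterns are transcribed from the Table 3 rows above (license key, MAC address, the content-filtering form of domain name, email, the content-filtering-redirect form of url, and key length). The sample values at the bottom are constructed, not real license keys or devices.

```python
import re

# Validators for several of the string formats listed in Table 3.  Added
# example, not ZyXEL code; each pattern is transcribed from the table row
# named in its comment.

# license key: 25 characters, "S-" + 6 upper-case letters or numbers + "-" +
# 16 upper-case letters or numbers
LICENSE_KEY_RE = re.compile(r"^S-[A-Z0-9]{6}-[A-Z0-9]{16}$")

# mac address: aa:bb:cc:dd:ee:ff (hexadecimal)
MAC_ADDRESS_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# domain name as used in content filtering: 0 or more lower-case letters,
# numbers, or .-
CF_DOMAIN_RE = re.compile(r"^[a-z0-9.-]*$")

# email: 1-63 characters, alphanumeric or .@_-
EMAIL_RE = re.compile(r"^[A-Za-z0-9.@_-]{1,63}$")

# url as used in content filtering redirect: starts with "http://" or
# "https://", then alphanumeric or ;/?:@&=+$\.-_!~*'()% and comma; the
# "at most one pound sign (#)" rule is enforced separately below
REDIRECT_URL_RE = re.compile(r"^https?://[A-Za-z0-9;/?:@&=+$\\.\-_!~*'()%,#]*$")

# key length: one of the listed values
KEY_LENGTHS = {512, 768, 1024, 1536, 2048}


def is_license_key(value: str) -> bool:
    return LICENSE_KEY_RE.fullmatch(value) is not None


def is_mac_address(value: str) -> bool:
    return MAC_ADDRESS_RE.fullmatch(value) is not None


def is_cf_domain_name(value: str) -> bool:
    return CF_DOMAIN_RE.fullmatch(value) is not None


def is_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


def is_redirect_url(value: str) -> bool:
    return REDIRECT_URL_RE.fullmatch(value) is not None and value.count("#") <= 1


def is_key_length(value: int) -> bool:
    return value in KEY_LENGTHS


VALIDATORS = {
    "license key": is_license_key,
    "mac address": is_mac_address,
    "domain name": is_cf_domain_name,
    "email": is_email,
    "url": is_redirect_url,
}


def check(tag: str, value: str) -> bool:
    """Validate a value against the named Table 3 tag before using it in a command."""
    try:
        return VALIDATORS[tag](value)
    except KeyError:
        raise ValueError(f"no validator for tag {tag!r}")


if __name__ == "__main__":
    # Constructed sample values (not real license keys or devices).
    for tag, value in [("license key", "S-ABC123-0123456789ABCDEF"),
                       ("mac address", "00:13:49:ab:cd:ef"),
                       ("url", "https://www.example.com/blocked?u=1#top"),
                       ("url", "ftp://example.com")]:
        print(f"{tag:12} {value!r}: {'ok' if check(tag, value) else 'rejected'}")
```

Note that the table lists several different "domain name" and "url" formats depending on the command; the dictionary above binds each tag to one of them, so extend it with the other rows if you feed values to those commands.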
1.10 Logging Out
Enter the exit or end command in configure mode to go to privilege mode. Enter the exit command in user mode or privilege mode to log out of the CLI.

Chapter 2 User and Privilege Modes
This chapter describes how to use these two modes.
2.1 User And Privilege Modes
User mode is the mode you are in when you first log into the CLI. (Do not confuse 'user mode' with the types of user accounts the ZyWALL uses. See Chapter 26 on page 229 for more information about the user types.) 'User' type accounts can only run 'exit' in this mode.
Table 4 User (U) and Privilege (P) Mode Commands (continued)
  exit (U/P): Goes to a previous mode or logs out.
  htm (U/P): Goes to htm (hardware test module) mode for testing hardware components. You may need to use the htm commands if your customer support engineer asks you to during troubleshooting. Note: These commands are for ZyXEL's internal manufacturing process.
  interface (U/P): Dials or disconnects an interface.
... is a Linux equivalent, it is displayed in this chapter for your reference. You must know a command listed here well before you use it. Otherwise, it may cause undesired results.
Table 5 Debug Commands (continued)
  debug system ipv6: IPv6 debug commands
  debug [cmdexec|corefile|ip|kernel|mac-idrewrite|observer|switch|system|zyinetpkt|zysh-ipt-op] (*): ZLD internal debug commands
  debug update server (*): Update server debug command
Part II: Reference

Chapter 3 Object Reference
This chapter describes how to use object reference commands.
3.1 Object Reference Commands
The object reference commands show which configuration settings reference a specific object. Use them before deleting an object, because all references to the object must be removed first.
Table 6 show reference Commands (continued)
  show reference object zone [object_name]: Displays which configuration settings reference the specified zone object.
  show reference object dhcp6-lease-object [object_name]: Displays which configuration settings reference the specified DHCPv6 lease object.
  show reference object dhcp6-request-object [object_name]: Displays which configuration settings reference the specified DHCPv6 request object.
Chapter 4 Status
This chapter explains some commands you can use to display information about the ZyWALL's current operational state.
Table 7 Status Show Commands
  show boot status: Displays details about the ZyWALL's startup state.
  show comport status: Displays whether the console and auxiliary ports are on or off.
  show cpu status: Displays the CPU utilization.
  show disk: Displays the disk utilization.
Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size, and serial number.
Here is an example of the command that displays the open ports.
  Router(config)# show socket open
  No. Proto Local_Address Foreign_Address State
  ===========================================================================
  1 tcp 172.23.37.240:22 172.23.37.10:1179 ESTABLISHED
  2 udp 127.0.0.1:64002 0.0.0.0:0
  3 udp 0.0.0.0:520 0.0.0.0:0
  4 udp 0.0.0.0:138 0.0.0.0:0
  5 udp 0.0.0.0:138 0.0.0.0:0
  6 udp 0.0.0.0:138 0.0.0.0:0
  7 udp 0.0.0.0:138 0.0.0.0:0
  8 udp 0.0.0.0:138 0.0.0.0:0
  9 udp 0.0.0.0:138 0.0.
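The show socket open listing is the quickest way to audit which services the ZyWALL itself exposes, which matters most on the interfaces facing untrusted networks. The following added example (not ZyXEL code) parses output in the format shown above into records and reports the sockets bound to the wildcard address that are waiting for peers. The sample text is constructed to resemble the listing above; the tcp LISTEN row in it is an assumption, since this section shows no TCP listener and its exact rendering on a ZyWALL is not confirmed here.

```python
import re
from dataclasses import dataclass

# Parser for the text that "show socket open" prints, plus a simple exposure
# check.  Added example, not ZyXEL code.  SAMPLE_OUTPUT is constructed; the
# "tcp ... LISTEN" row is an assumption about how a TCP listener is shown.
SAMPLE_OUTPUT = """\
Router(config)# show socket open
No. Proto Local_Address Foreign_Address State
===========================================================================
1 tcp 172.23.37.240:22 172.23.37.10:1179 ESTABLISHED
2 udp 127.0.0.1:64002 0.0.0.0:0
3 udp 0.0.0.0:520 0.0.0.0:0
4 udp 0.0.0.0:138 0.0.0.0:0
5 tcp 0.0.0.0:23 0.0.0.0:0 LISTEN
"""


@dataclass
class Socket:
    index: int
    proto: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int
    state: str  # empty for udp rows, which carry no State column


# No. Proto Local_Address Foreign_Address [State]; the prompt, header and
# separator lines do not match and are skipped.
ROW_RE = re.compile(r"^\s*(\d+)\s+(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)(?:\s+(\S+))?\s*$")


def parse_show_socket_open(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append(Socket(int(m[1]), m[2], m[3], int(m[4]),
                           m[5], int(m[6]), m[7] or ""))
    return rows


WILDCARD = {"0.0.0.0", "::"}


def exposed_listeners(sockets) -> list:
    """Sockets bound to every local address that are waiting for peers:
    any udp socket, or a tcp socket in LISTEN state."""
    out = []
    for s in sockets:
        if s.local_ip not in WILDCARD:
            continue
        waiting = s.proto == "udp" or (s.proto == "tcp" and s.state == "LISTEN")
        if waiting:
            out.append(s)
    return out


def exposed_ports(text: str) -> set:
    """(proto, port) pairs a reviewer should be able to justify."""
    return {(s.proto, s.local_port)
            for s in exposed_listeners(parse_show_socket_open(text))}


if __name__ == "__main__":
    for proto, port in sorted(exposed_ports(SAMPLE_OUTPUT)):
        print(f"{proto} port {port} is open on all addresses")
```

In the sample, the SSH session on port 22 is not reported because it is an established connection bound to one address, and the loopback-only udp socket on 64002 is skipped; udp 520 (RIP), udp 138 and the assumed tcp 23 listener are what a reviewer would then match against the intended management and routing configuration.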
Here are examples of the commands that display the system uptime and model, firmware, and build information.
  Router> show system uptime
  system uptime: 04:18:00
  Router> show version
  ZyXEL Communications Corp.
  model : ZyWALL USG 100
  firmware version: 2.20(AQQ.0)b3
  BM version : 1.08
  build date : 2009-11-21 01:18:06
This example shows the current LED states on the ZyWALL. The SYS LED is on and green. The AUX and HDD LEDs are both off.
Chapter 5 Registration
This chapter introduces myzyxel.com and shows you how to register the ZyWALL for IDP/AppPatrol, anti-virus, content filtering, and SSL VPN services using commands.
5.1 myZyXEL.com Overview
myZyXEL.com is ZyXEL's online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL.
Note: You need to create an account before you can register your device and activate the services at myZyXEL.com. You can directly create a myZyXEL.
... suppose you purchase a one-year Kaspersky engine anti-virus service subscription and use it for six months. Then you purchase a one-year ZyXEL engine anti-virus service subscription and enter the iCard's PIN number (license key) in the Registration > Service screen. The one-year ZyXEL engine anti-virus service subscription is automatically extended to 18 months.
• The IDP and application patrol features use the IDP/AppPatrol signature files on the ZyWALL.
Table 9 Command Summary: Registration (continued)
  service-register service-type standard license-key key_value: Activates a standard service subscription with the license key.
  service-register service-type trial service {contentfilter|idp}: Activates the content filter or IDP trial service subscription.
  service-register service-type trial service all {kav|zav}: Activates all of the trial service subscriptions, including Kaspersky or ZyXEL anti-virus.
The following command displays the service registration status and type and how many days remain before the service expires.
Table 10 Country Codes (continued), as CODE COUNTRY NAME
  039 Canada; 040 Cape Verde; 041 Cayman Islands; 042 Central African Republic; 043 Chad; 044 Chile; 045 China; 046 Christmas Island; 047 Cocos (Keeling) Islands; 048 Colombia; 049 Comoros; 050 Congo, Democratic Republic of the; 051 Congo, Republic of; 052 Cook Islands; 053 Costa Rica; 054 Cote d'Ivoire; 055 Croatia/Hrvatska; 056 Cyprus; 057 Czech Republic; 058 Denmark; 059 Dji
  119 Latvia; 120 Lebanon; 121 Lesotho; 122 Liberia; 123 Liechtenstein; 124 Lithuania; 125 Luxembourg; 126 Macau; 127 Macedonia, Former Yugoslav Republic; 128 Madagascar; 129 Malawi; 130 Malaysia; 131 Maldives; 132 Mali; 133 Malta; 134 Marshall Islands; 135 Martinique; 136 Mauritania; 137 Mauritius; 138 Mayotte; 139 Mexico; 140 Micronesia, Federal State of; 141 Moldova,
  197 St Pierre and Miquelon; 198 St.
Chapter 6 Interfaces
This chapter shows you how to use interface-related commands.
6.1 Interface Overview
In general, an interface has the following characteristics.
• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
• Many interfaces can share the same physical port.
• An interface is bound to at most one zone.
• Many interfaces can belong to the same zone.
• The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the DIAL BACKUP port (labeled AUX on some models).
• Trunks manage load balancing between interfaces.
Port groups, trunks, and the auxiliary interface have a lot of characteristics that are specific to each type of interface.
Table 12 Ethernet, VLAN, Bridge, PPP, and Virtual Interface Characteristics (ZyWALL USG 200 and Below Models) (continued)
  CHARACTERISTICS     | ETHERNET | ETHERNET | ETHERNET | VLAN | BRIDGE | PPP | VIRTUAL
  Packet size (MTU)   | Yes      | Yes      | Yes      | Yes  | Yes    | Yes | No
  Data size (MSS)     | Yes      | Yes      | Yes      | Yes  | Yes    | Yes | No
  DHCP server         | Yes      | No       | Yes      | Yes  | Yes    | No  | No
  DHCP relay          | Yes      | No       | Yes      | Yes  | Yes    | No  | No
  Connectivity Check  | Yes      | Yes      | No       | Yes  | Yes    | Yes | No
  * Each name consists of 2-4 letters (int
6.1.2 Relationships Between Interfaces
In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports (or port groups). The relationships between interfaces are explained in the following table.
6.2 Interface General Commands Summary
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 15 Input Values for General Interface Commands
  interface_name: The name of the interface. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
Table 16 interface General Commands: Basic Properties and IP Address Assignment (continued)
  show interface send statistics interval: Displays the interval for how often the ZyWALL refreshes the sent packet statistics for the interfaces.
  show interface summary all: Displays basic information about the interfaces.
  show interface summary all status: Displays the connection status of the interfaces.
  enable: Turns on the IPv6 interface.
  nd ra accept: Sets the IPv6 interface to accept IPv6 neighbor discovery router advertisement messages.
  nd ra advertise: Sets the IPv6 interface to send IPv6 neighbor discovery router advertisement messages.
  nd ra prefix-advertisement dhcp6_profile dhcp6_suffix_64: Configures the network prefix to use a delegated prefix as the beginning part of the network prefix. dhcp6_profile: Specify the DHCPv6 request object to use for generating the network prefix for the network. dhcp6_suffix_64: Specify the ending part of the IPv6 network address plus a slash (/) and the prefix length.
  nd ra hop-limit: Removes the maximum number of hops setting for router advertisements and all IPv6 packets originating from the interface.
  nd ra min-rtr-interval: Removes the minimum IPv6 router advertisement transmission interval setting.
  nd ra max-rtr-interval: Removes the maximum IPv6 router advertisement transmission interval setting.
6.2.1.1 Basic Interface Properties Command Examples
The following commands make Ethernet interface ge1 a DHCP client.
  Router# configure terminal
  Router(config)# interface ge1
  Router(config-if)# ip address dhcp
  Router(config-if)# exit
This example shows how to modify the name of interface ge4 to "VIP". First you have to check the interface system name (ge4 in this example) on the ZyWALL. Then change the name and display the result.
  Router> show interface-name
  No.
This example shows how to restart an interface. You can check all interface names on the ZyWALL. Then use either the system name or user-defined name of an interface (ge4 or Customer in this example) to restart it.
  Router> show interface-name
  No.
Table 17 interface Commands: DHCP Settings (continued)
  [no] host ip: Specifies the static IP address the ZyWALL should assign. Use this command, along with hardware-address, to create a static DHCP entry. Note: The IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool. When this command is used, the ZyWALL treats this DHCP pool like a static entry, regardless of the network setting. The no command clears this field.
  [no] starting-address ip pool-size <1..65535>: Sets the IP start address and maximum pool size of the specified DHCP pool. The final pool size is limited by the subnet mask. Note: You must specify the network number first, and the start address must be in the same subnet. The no command clears the IP start address and maximum pool size.
6.2.2.1 DHCP Setting Command Examples
The following example uses these commands to configure DHCP pool DHCP_TEST.
  Router# configure terminal
  Router(config)# ip dhcp pool DHCP_TEST
  Router(config-ip-dhcp-pool)# network 192.168.1.0 /24
  Router(config-ip-dhcp-pool)# domain-name zyxel.com
  Router(config-ip-dhcp-pool)# first-dns-server 10.1.5.1
  Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns
  Router(config-ip-dhcp-pool)# third-dns-server 10.1.5.
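Table 17 states three constraints that are easy to get wrong when pools are generated from a template: the start address must lie in the network given first, the pool size is capped by the subnet mask, and static host entries must be in the same subnet. The following added example (not ZyXEL code) checks a candidate pool against those rules before the commands are issued. One assumption is labelled in the code: this section does not say how the ZyWALL trims an oversized pool, so the script counts usable addresses from the start address up to, but not including, the broadcast address. The network value is taken from the DHCP_TEST example above; the start address, pool size and host addresses are constructed.

```python
import ipaddress

# Checks for the DHCP pool rules stated in Table 17.  Added example, not
# ZyXEL code.  Assumption: the usable range runs from the start address up
# to, but not including, the broadcast address; the guide only says the
# final pool size "is limited by the subnet mask".


def parse_network(spec: str) -> ipaddress.IPv4Network:
    """Accept the CLI spelling 'network 192.168.1.0 /24' (space before the prefix)."""
    return ipaddress.ip_network(spec.replace(" ", ""), strict=False)


def check_pool(network: str, start: str, pool_size: int, static_hosts=()):
    """Return (effective_pool_size, problems) for a candidate ip dhcp pool.

    network      -> value given to 'network'
    start        -> value given to 'starting-address'
    pool_size    -> value given to 'pool-size' (<1..65535> per the table)
    static_hosts -> 'host' addresses of static entries bound to this pool
    """
    problems = []
    net = parse_network(network)
    start_ip = ipaddress.ip_address(start)

    if not 1 <= pool_size <= 65535:
        problems.append(f"pool-size {pool_size} is outside <1..65535>")

    if start_ip not in net:
        # "the start address must be in the same subnet"
        problems.append(f"starting-address {start_ip} is not in network {net}")
        effective = 0
    else:
        # "The final pool size is limited by the subnet mask": count the
        # addresses from the start address up to the broadcast address.
        available = int(net.broadcast_address) - int(start_ip)
        effective = min(pool_size, available)
        if pool_size > available:
            problems.append(f"pool-size {pool_size} exceeds the {available} addresses "
                            f"available from {start_ip} in {net}; effective size {effective}")

    for host in static_hosts:
        # "The IP address must be in the same subnet as the interface to
        # which you plan to bind the DHCP pool"
        host_ip = ipaddress.ip_address(host)
        if host_ip not in net:
            problems.append(f"static host {host_ip} is not in the same subnet as {net}")

    return effective, problems


if __name__ == "__main__":
    # Network from the DHCP_TEST example; the other values are constructed.
    size, issues = check_pool("192.168.1.0 /24", "192.168.1.33", 300,
                              static_hosts=["192.168.1.10", "192.168.2.10"])
    print("effective pool size:", size)
    for issue in issues:
        print("problem:", issue)
```

Running the module as a script reports that a 300-address pool starting at 192.168.1.33 in a /24 is trimmed to 222 addresses and that the static host 192.168.2.10 is outside the subnet, which is exactly the pair of mistakes the two Note entries in Table 17 warn about.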
6.2.3 Interface Parameter Command Examples
This table shows an example of each interface type's sub-commands. The sub-commands vary for different interface types.
Table 18 Examples for Different Interface Parameters
  BRIDGE
    Router(config)# interface br0
    Router(config-if-brg)#
    description, downstream, exit, ip, ipv6, join, mss, mtu, no, ping-check, shutdown, traffic-prioritize, type, upstream
  AUXILIARY
    Router(config)# interface aux
    Router(config-if-aux)#
    authentication, description, dial-timeout, dialing-type, encrypted-password, exit, idle, initial-string, no, password, phone-number, port-speed, shutdown, traffic-prioritize, username
  TUNNEL
    downstream, exit, ip, ipv6, met
Table 20 interface Commands: OSPF Settings (continued)
  [no] passive-interface interface_name: Sets the OSPF direction of the specified interface to in-only. The no command makes OSPF bi-directional in the specified interface.
  interface interface_name: Enters sub-command mode.
  [no] ip ospf priority <0..255>: Sets the priority of the specified interface to the specified value. The no command sets the priority to 1.
  [no] ip ospf cost <1..
6.2.6 Connectivity Check (Ping-check) Commands
Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt counts as a failure, and how many consecutive failures are required before the ZyWALL stops routing to the gateway.
6.2.6.1 Connectivity Check Command Example
The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2.
  Router# configure terminal
  Router(config)# interface wan1
  Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080
  Router(config-if-wan1)# exit
  Router(config)# show ping-check
  Interface: wan1
  Check Method: tcp
  IP Address: 1.1.1.
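The three settings described in Section 6.2.6 (check period, response timeout, consecutive-failure tolerance) together decide how long a dead gateway keeps receiving traffic before the ZyWALL stops routing to it, which is the number an operator sizing a WAN failover actually cares about. The following added example (not ZyXEL code) models that logic over a constructed sequence of probe results and computes the worst-case failover delay. Two assumptions are labelled in the code: a single successful probe restores routing, and the timeout is no longer than the period; this section does not state the ZyWALL's own recovery rule.

```python
from typing import Iterable, List, Optional, Tuple

# Model of the connectivity-check (ping-check) rules described above: probes
# every `period` seconds, a reply counted as a failure when it takes longer
# than `timeout`, and routing to the gateway stopped after `fail_tolerance`
# consecutive failures.  Added example, not ZyXEL code.  Assumption: one
# successful probe restores routing; the ZyWALL's recovery rule is not
# stated in this section.


def evaluate_checks(rtts: Iterable[Optional[float]], timeout: float,
                    fail_tolerance: int) -> Tuple[List[Tuple[int, str]], bool]:
    """rtts: per-probe round-trip time in seconds, or None when no reply came.

    Returns (events, routing): events lists (probe_index, "down"|"up")
    transitions in order; routing is the final state (True = still routing
    to the gateway)."""
    if fail_tolerance < 1:
        raise ValueError("fail_tolerance must be at least 1")
    consecutive_failures = 0
    routing = True
    events: List[Tuple[int, str]] = []
    for i, rtt in enumerate(rtts):
        ok = rtt is not None and rtt <= timeout  # late replies count as failures
        if ok:
            consecutive_failures = 0
            if not routing:
                routing = True
                events.append((i, "up"))
        else:
            consecutive_failures += 1
            if routing and consecutive_failures >= fail_tolerance:
                routing = False
                events.append((i, "down"))
    return events, routing


def seconds_until_failover(period: float, timeout: float, fail_tolerance: int) -> float:
    """Worst-case delay from the first lost probe until routing stops.

    Assumes timeout <= period, so each failed probe is decided before the
    next one is sent: (fail_tolerance - 1) further periods plus the final
    wait for a reply."""
    return (fail_tolerance - 1) * period + timeout


if __name__ == "__main__":
    # Constructed probe history: one good reply, a loss, a late reply, a
    # loss, a recovery, then one more loss.
    history = [0.01, None, 2.5, None, 0.02, None]
    events, routing = evaluate_checks(history, timeout=1.0, fail_tolerance=3)
    print("transitions:", events, "routing now:", routing)
    print("worst-case failover delay (30 s period, 5 s timeout, 5 failures):",
          seconds_until_failover(30, 5, 5), "seconds")
```

With a 30-second period, a 5-second timeout and five tolerated failures, the model gives 125 seconds of black-holed traffic before routing moves away from the gateway; tightening the period or the tolerance shortens that window at the cost of more false failovers on a lossy link.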
Table 23 interface Commands: MAC Setting (continued)
  type {internal | external | general}: Sets which type of network this interface connects to. The ZyWALL automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces; for example LAN to WAN traffic. internal: Set this to connect to a local network. Other corresponding configuration options: DHCP server and DHCP relay.
6.3.2.1 Port Grouping Command Examples
The following commands add physical port 5 to representative interface ge1.
  Router# configure terminal
  Router(config)# show port-grouping
  No.
... gateway 4.6.7.8, upstream bandwidth 345, downstream bandwidth 123, and description "I am vir interface".
  Router# configure terminal
  Router(config)# interface ge1:1
  Router(config-if-vir)# ip address 1.2.3.4 255.255.255.0
  Router(config-if-vir)# ip gateway 4.6.7.8
  Router(config-if-vir)# upstream 345
  Router(config-if-vir)# downstream 123
  Router(config-if-vir)# description I am vir interface
  Router(config-if-vir)# exit
Table 26 interface Commands: PPPoE/PPTP Interfaces (continued)
  [no] mss <536..1452>: Specifies the maximum segment size (MSS) the interface can use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece. The no command has the ZyWALL use its default MSS setting.
  mtu <576..1492>: Sets the Maximum Transmission Unit in bytes.
  [no] ipv6 enable: Turns on the IPv6 interface. The no command turns it off.
... 2.2.2.2, MTU 1200, upstream bandwidth 345, downstream bandwidth 123, description "I am ppp0", and dialed only when used.
  Router# configure terminal
  Router(config)# interface ppp0
  Router(config-if-ppp)# account Hinet
  Router(config-if-ppp)# bind ge1
  Router(config-if-ppp)# local-address 1.1.1.1
  Router(config-if-ppp)# remote-address 2.2.2.
Table 27 Cellular Interface Commands (continued)
  [no] network-selection {auto|home}: Home network is the network to which you are originally subscribed. home has the 3G device connect only to the home network. If the home network is down, the ZyWALL's 3G Internet connection is also unavailable.
  budget percentage {ptime|pdata} <0..99>: Sets a percentage (0~99) of the time budget (ptime) or data (pdata) limit. When the specified limit is exceeded, the ZyWALL takes the action configured using the budget {log-percentage|log-percentage-alert} command.
  budget {log-percentage|log-percentage-alert} [recursive <1..
Table 28 Cellular Status
  Limited service: returned by the service provider in cases where the SIM card is expired, the user failed to pay for the service and so on; you cannot connect to the Internet.
  Device detected: displays when you connect a 3G device.
  Device error: a 3G device is connected but there is an error.
  Probe device fail: the ZyWALL's test of the 3G device failed.
  Probe device ok: the ZyWALL's test of the 3G device failed.
6.6.2 Cellular Interface Command Examples
This example shows the configuration of a cellular interface named cellular2 for use with a Sierra Wireless AC850 3G card. It uses only a 3G (or 3.5G) connection, PIN code 1234, an MTU of 1200 bytes, a description of "This is cellular2", and sets the connection to be nailed-up.
Chapter 6 Interfaces 6.7 Tunnel Interface Specific Commands The ZyWALL uses tunnel interfaces in Generic Routing Encapsulation (GRE), IPv6 in IPv4, and 6to4 tunnels. This section covers commands specific to tunnel interfaces. Tunnel interfaces also use many of the general interface commands discussed at the beginning of Section 6.2 on page 57. Use these commands to add, edit, activate, deactivate, or delete tunnel interfaces.
Chapter 6 Interfaces 6.7.1 Tunnel Interface Command Examples This example creates a tunnel interface called tunnel0 that uses wan1 as the source, 168.168.168.168 as the destination, and 10.0.0.100 and 255.255.0.0 as the inner source IP.
Router> configure terminal
Router(config)# interface tunnel0
Router(config-if-tunnel)# tunnel source wan1
Router(config-if-tunnel)# tunnel destination 168.168.168.168
Router(config-if-tunnel)# ip address 10.0.0.100 255.255.0.
Chapter 6 Interfaces Table 30 USB Storage General Commands (continued) COMMAND DESCRIPTION [no] diag-info copy usb-storage Sets to have the ZyWALL save or stop saving the current system diagnostics information to the connected USB storage device. You may need to send this file to customer support for troubleshooting. show diag-info copy usb-storage Displays whether (enable or disable) the ZyWALL saves the current system diagnostics information to the connected USB storage device.
Chapter 6 Interfaces 6.9.1 WLAN General Commands Use these commands to configure global settings that apply to all of the wireless LAN interfaces you create on the WLAN card. Table 32 WLAN General Commands COMMAND DESCRIPTION wlan slot_name Specifies the slot the WLAN card is installed in and enters sub-command mode. slot_name: The name of the slot where the WLAN card is installed in the ZyWALL. Use slotx where x equals the number of the card slot. [no] activate Turns the wireless device on.
Chapter 6 Interfaces Table 32 WLAN General Commands (continued) COMMAND DESCRIPTION guard-interval [short | long] Sets the Guard Interval to Short (increases data throughput) or Long (prioritizes data integrity). [no] amsdu Enables Aggregated MAC Service Data Unit (AMSDU) for faster data transfer rates. [no] ampdu Enables Aggregated MAC Protocol Data Unit (AMPDU) for faster data transfer rates. [no] block-ack Adds the block ACK (BA) mechanism to increase data output. exit Leaves the sub-command mode.
Chapter 6 Interfaces Table 33 WLAN Interface Commands (continued) COMMAND DESCRIPTION [no] mtu <576..2304> Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The ZyWALL divides larger packets into smaller fragments. The no command resets the MTU to 1500. reauth <30..30000> Sets the WPA2 reauthentication timer. This is at what interval wireless stations have to resend usernames and passwords in order to stay connected.
Chapter 6 Interfaces Table 33 WLAN Interface Commands (continued) COMMAND DESCRIPTION [no] security external auth ip port <1..65535> Sets the IP address and port number of an external authentication (RADIUS) server. no security {none | wep | wpa | wpa-wpa2 | wpa2} Disables the specified security mode for the wireless interface. ssid ssid Sets the SSID (Service Set IDentity). This identifies the Service Set with which a wireless station is associated.
Chapter 6 Interfaces Table 34 WLAN General Commands (continued) COMMAND DESCRIPTION wlan mac-filter associate Defines the filter action for the list of MAC addresses in the MAC address filter table. Allow permits the listed addresses to access the ZyWALL; MAC addresses not listed are blocked. Deny blocks the listed addresses from accessing the router; MAC addresses not listed are allowed to access the router.
Chapter 6 Interfaces Table 36 interface Commands: VLAN Interfaces (continued) COMMAND DESCRIPTION [no] vlan-id <1..4094> Specifies the VLAN ID used to identify the VLAN. The no command clears the VLAN ID. show port vlan-id Displays the Ethernet interface VLAN settings. 6.10.1 VLAN Interface Command Examples The following commands show you how to set up VLAN vlan100 with the following parameters: VLAN ID 100, interface ge1, IP 1.2.3.4, subnet 255.255.255.0, MTU 598, gateway 2.2.2.
Chapter 6 Interfaces Table 38 interface Commands: Bridge Interfaces (continued) COMMAND DESCRIPTION [no] join interface_name Adds the specified Ethernet interface or VLAN interface to the specified bridge. The no command removes the specified interface from the specified bridge. show bridge available member Displays the available interfaces that could be added to a bridge. 6.11.
Chapter 6 Interfaces Table 39 interface Commands: Auxiliary Interface (continued) COMMAND DESCRIPTION [no] phone-number phone Specifies the phone number of the auxiliary interface. You can use 1-20 numbers, commas (,), or plus signs (+). Use a comma to pause during dialing. Use a plus sign to tell the external modem to make an international call. The no command clears the phone number. [no] port-speed {9600 | 19200 | 38400 | 57600 | 115200} Specifies the baud rate of the auxiliary interface.
Chapter 6 Interfaces 92 ZyWALL (ZLD) CLI Reference Guide
CHAPTER 7 Trunks This chapter shows you how to configure trunks on your ZyWALL. 7.1 Trunks Overview You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface’s connection goes down, the ZyWALL sends traffic through another member of the trunk. For example, you can use two interfaces for WAN connections.
Chapter 7 Trunks 7.3 Trunk Commands Input Values The following table explains the values you can input with the interface-group commands. Table 40 interface-group Command Input Values LABEL DESCRIPTION group-name A descriptive name for the trunk. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 200 and lower models use WAN_TRUNK or WAN_TRUNK2-5.
Chapter 7 Trunks Table 41 interface-group Commands Summary (continued) COMMAND DESCRIPTION loadbalancing-index inbound|outbound|total Use this command only if you use least load first or spill-over as the trunk’s load balancing algorithm. Set either inbound, outbound, or total (outbound and inbound) traffic to which the ZyWALL will apply the specified algorithm. Outbound traffic means the traffic travelling from an internal interface (ex. LAN) to an external interface (ex. WAN).
Chapter 7 Trunks The following example creates a spill-over trunk for Ethernet interfaces ge1 and ge3, which will apply to both incoming and outgoing traffic through the trunk. The ZyWALL sends traffic through ge1 until it hits the limit of 1000 kbps. The ZyWALL sends anything over 1000 kbps through ge3.
Chapter 7 Trunks 4 File server C finds that the request comes from WAN2’s IP address instead of WAN1’s IP address and rejects the request. 5 If link sticking had been configured, the ZyWALL would have still used WAN1 to send LAN user A’s request to file server C and the file server would have given the file to A. 7.7 Link Sticking Commands Summary The following table lists the ip load-balancing link-sticking commands for link sticking.
CHAPTER 8 Route This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL. 8.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
Chapter 8 Route Table 43 Input Values for General Policy Route Commands (continued) LABEL DESCRIPTION policy_number The number of a policy route. 1 - X where X is the highest number of policy routes the ZyWALL model supports. See the ZyWALL’s User’s Guide for details. schedule_object The name of the schedule. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. service_name The name of the service (group).
Chapter 8 Route Table 44 Command Summary: Policy Route (continued) COMMAND DESCRIPTION [no] dscp {any | <0..63>} Sets a custom DSCP code point (0~63). This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values, or no DSCP marker. [no] dscp class {default | dscp_class} Sets a DSCP class. Use default to apply this policy route to incoming packets that are marked with DSCP value 0.
Chapter 8 Route Table 44 Command Summary: Policy Route (continued) COMMAND DESCRIPTION [no] tunnel tunnel_name Sets the incoming interface to an IPSec VPN tunnel. The no command removes the IPSec VPN tunnel through which the incoming packets are received. [no] user user_name Sets the user name. The no command resets the user name to the default (any). any means all users.
Chapter 8 Route Table 44 Command Summary: Policy Route (continued) COMMAND DESCRIPTION [no] source {address6_object|any} Sets the source IPv6 IP address that the matched packets must have. The no command resets the source IP address to the default (any). any means all IP addresses. [no] user user_name Sets the user name. The no command resets the user name to the default (any). any means all users.
Chapter 8 Route 8.2.1 Assured Forwarding (AF) PHB for DiffServ Assured Forwarding (AF) behavior is defined in RFC 2597. The AF behavior group defines four AF classes. Inside each class, packets are given a high, medium or low drop precedence. The drop precedence determines the probability that routers in the network will drop packets when congestion occurs. If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority.
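The AF code points of RFC 2597 follow a fixed bit layout, which is easier to check in code than to look up: AFxy is 8*x + 2*y in the six-bit DSCP field, so the class sits in the top three bits and the drop precedence in the next two. The following added example (not code from the guide or from Zyxel) computes and decodes these values, and shows how the DSCP relates to the TOS byte that packet filters actually match on. The class-name format "af21" and the "default" name for DSCP 0 are assumptions for this example, not necessarily the ZyWALL's dscp_class syntax.

```python
"""Added worked example (not from the ZyWALL guide): AF PHB code points per RFC 2597.

An AF code point AFxy packs the class x (1..4) and the drop precedence y (1..3)
into the 6-bit DSCP field as 8*x + 2*y, so af11 = 10 and af43 = 38.
"""

AF_CLASSES = (1, 2, 3, 4)
DROP_PRECEDENCES = (1, 2, 3)   # 1 = low, 2 = medium, 3 = high drop probability


def af_dscp(af_class: int, drop_precedence: int) -> int:
    """Return the DSCP value (0..63) of the AF code point AF<class><precedence>."""
    if af_class not in AF_CLASSES:
        raise ValueError(f"AF class must be 1..4, got {af_class}")
    if drop_precedence not in DROP_PRECEDENCES:
        raise ValueError(f"drop precedence must be 1..3, got {drop_precedence}")
    return 8 * af_class + 2 * drop_precedence


def decode_af(dscp: int):
    """Return (class, drop precedence) if dscp is an AF code point, else None.

    Non-AF values such as 0 (default / best effort) or 46 (EF) return None.
    """
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP must be 0..63, got {dscp}")
    af_class, low = divmod(dscp, 8)          # top three bits select the class
    if af_class not in AF_CLASSES or low not in (2, 4, 6):
        return None                          # bits 1..2 must encode precedence 1..3
    return af_class, low // 2


def af_name(dscp: int) -> str:
    """Name used in this example for a code point, e.g. 'af21'; 'default' for 0.

    The name format is an assumption of this example, not the ZyWALL's syntax.
    """
    if dscp == 0:
        return "default"
    decoded = decode_af(dscp)
    if decoded is None:
        return f"dscp{dscp}"
    return f"af{decoded[0]}{decoded[1]}"


def af_table() -> dict:
    """All twelve AF code points, name -> DSCP value."""
    return {f"af{c}{d}": af_dscp(c, d) for c in AF_CLASSES for d in DROP_PRECEDENCES}


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """The IPv4 TOS / IPv6 Traffic Class byte: DSCP in the top six bits, ECN below.

    Useful when reading raw packet captures: af11 (DSCP 10) appears as TOS 0x28.
    """
    if not 0 <= ecn <= 3:
        raise ValueError("ECN is a two-bit field")
    return (dscp << 2) | ecn


def queueing_key(dscp: int):
    """Sort key reflecting the text above: a lower AF class number (higher priority)
    sorts first, and within a class the lower drop precedence sorts first, so the
    packets most likely to survive congestion come first. Non-AF traffic sorts last."""
    decoded = decode_af(dscp)
    if decoded is None:
        return (5, 4)
    return decoded


if __name__ == "__main__":
    for name, value in af_table().items():
        print(f"{name}: dscp {value:2d}  tos 0x{tos_byte(value):02x}")
```

Running the block prints the full AF table; `decode_af` is the check a policy-route author wants when a captured packet carries an unexpected DSCP value.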
Chapter 8 Route 8.3 IP Static Route The ZyWALL has no knowledge of the networks beyond the network that is directly connected to the ZyWALL. For instance, the ZyWALL knows about network N2 in the following figure through gateway R1. However, the ZyWALL is unable to route a packet to network N3 because it doesn't know that there is a route through the same gateway R1 (via gateway R2). The static routes are for you to tell the ZyWALL about the networks beyond the network connected to the ZyWALL directly.
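To make the N2/N3 situation above concrete, here is an added example (not code from the guide or from Zyxel) of a minimal routing table with directly connected and static routes and longest-prefix-match lookup. The network numbers, the gateway address of R1 and the fact that N2 is reached through a static route are constructed assumptions for this example; the point it shows is that a destination in N3 has no matching route at all until a static route through R1 is added, and that a static route whose gateway is not on a connected network is unusable.

```python
"""Added worked example (not from the ZyWALL guide): why a static route is needed.

Constructed topology (addresses are assumptions, not from the guide):
  N1 10.0.1.0/24 is directly connected to the firewall; R1 is 10.0.1.1 on it.
  N2 10.0.2.0/24 sits behind R1 and is known via a static route.
  N3 10.0.3.0/24 sits behind R2, which is itself reached through R1.
"""
import ipaddress


class RoutingTable:
    def __init__(self):
        self._routes = []   # entries: (network, gateway or None, source)

    def add_connected(self, cidr: str) -> None:
        """A network on a directly attached interface; no gateway needed."""
        net = ipaddress.ip_network(cidr, strict=False)
        self._routes.append((net, None, "connected"))

    def add_static(self, cidr: str, gateway: str) -> None:
        """An administrator-supplied route. The gateway must be on a connected
        network, otherwise the firewall could never forward anything to it."""
        gw = ipaddress.ip_address(gateway)
        if not any(src == "connected" and gw in net for net, _, src in self._routes):
            raise ValueError(f"gateway {gw} is not on a directly connected network")
        self._routes.append((ipaddress.ip_network(cidr, strict=False), gw, "static"))

    def lookup(self, destination: str):
        """Longest-prefix match. Returns (network, gateway, source) as strings,
        or None when no route covers the destination."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, gw, src in self._routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, src)
        if best is None:
            return None
        net, gw, src = best
        return (str(net), None if gw is None else str(gw), src)


def build_table() -> RoutingTable:
    """Table as the firewall sees it before the administrator adds N3."""
    rt = RoutingTable()
    rt.add_connected("10.0.1.0/24")          # N1
    rt.add_static("10.0.2.0/24", "10.0.1.1")  # N2 via R1
    return rt


def demo() -> dict:
    """Lookups before and after the static route for N3 is added."""
    rt = build_table()
    n3_before = rt.lookup("10.0.3.5")          # None: the firewall knows nothing of N3
    rt.add_static("10.0.3.0/24", "10.0.1.1")   # tell it N3 is also reached via R1
    return {
        "n1_host": rt.lookup("10.0.1.9"),
        "n2_host": rt.lookup("10.0.2.7"),
        "n3_before": n3_before,
        "n3_after": rt.lookup("10.0.3.5"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```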
Chapter 8 Route Table 46 Command Summary: Static Route (continued) COMMAND DESCRIPTION [no] ip route control-virtual-server-rules activate Gives static routes priority over NAT virtual server rules (1-1 SNAT). It also automatically gives policy routes priority over NAT virtual server rules. Use the no command to give NAT virtual server rules priority over static routes.
CHAPTER 9 Routing Protocol This chapter describes how to set up RIP and OSPF routing protocols for the ZyWALL. 9.1 Routing Protocol Overview Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL then stores this routing information in the routing table, which it uses when it makes routing decisions. In turn, the ZyWALL can also provide routing information via routing protocols to other routers.
Chapter 9 Routing Protocol 9.2.1 RIP Commands This table lists the commands for RIP. Table 49 router Commands: RIP COMMAND DESCRIPTION router rip Enters sub-command mode. [no] network interface_name Enables RIP on the specified Ethernet interface. The no command disables RIP on the specified interface. [no] redistribute {static | ospf} Enables redistribution of routing information learned from the specified source. The no command disables redistribution from the specified source.
Chapter 9 Routing Protocol 9.2.3 OSPF Area Commands This table lists the commands for OSPF areas. Table 51 router Commands: OSPF Areas COMMAND DESCRIPTION router ospf Enters sub-command mode. [no] network interface area IP Adds the specified interface to the specified area. The no command removes the specified interface from the specified area. [no] area IP [{stub | nssa}] Creates the specified area and sets it to the indicated type. The no command removes the area.
Chapter 9 Routing Protocol 9.2.5 Learned Routing Information Commands This table lists the commands to look at learned routing information. Table 53 ip route Commands: Learned Routing Information COMMAND DESCRIPTION show ip route [kernel | connected | static | ospf | rip | bgp] Displays learned routing and other routing information. 9.2.6 show ip route Command Example The following example shows learned routing information on the ZyWALL.
CHAPTER 10 Zones Set up zones to configure network security and network policies in the ZyWALL. 10.1 Zones Overview A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management. Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface, auxiliary interface, and VPN tunnel can be assigned to at most one zone.
Chapter 10 Zones 10.2 Zone Commands Summary The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands. Table 54 Input Values for Zone Commands LABEL DESCRIPTION profile_name The name of a zone, or the name of a VPN tunnel. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive.
Chapter 10 Zones 10.2.1 Zone Command Examples The following commands add Ethernet interfaces ge1 and ge2 to zone A and block intra-zone traffic.
Router# configure terminal
Router(config)# zone A
Router(zone)# interface ge1
Router(zone)# interface ge2
Router(zone)# block
Router(zone)# exit
Router(config)# show zone
No. Name Block Member
===========================================================================
1 A yes ge1,ge2
Router(config)# show zone A
blocking intra-zone traffic: yes
No.
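Because zones cannot overlap and every interface belongs to at most one zone, the output of show zone is a useful thing to audit mechanically (for instance before a firewall rule change, to confirm an interface really is in the zone the rule names). The following added example (not code from the guide or from Zyxel) parses the tabular show zone output shown above and checks membership and overlap. The sample output it parses is constructed to match the layout above; zone and interface names other than A, ge1 and ge2 are assumptions.

```python
"""Added worked example (not from the ZyWALL guide): audit `show zone` output.

SAMPLE_SHOW_ZONE is constructed sample output in the layout shown in the guide;
zones B and C and interfaces ge3/vlan100 are assumptions for this example.
"""

SAMPLE_SHOW_ZONE = """\
No. Name Block Member
===========================================================================
1 A yes ge1,ge2
2 B no ge3,vlan100
3 C no
"""


def parse_show_zone(text: str) -> list:
    """Return one dict per zone: no, name, block (bool), members (list of str)."""
    zones = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("No.") or set(line) == {"="}:
            continue                       # skip blank lines, header and separator
        parts = line.split(None, 3)        # Member column may contain no spaces
        if len(parts) < 3:
            raise ValueError(f"unparseable zone row: {line!r}")
        number, name, block = parts[:3]
        members = parts[3].split(",") if len(parts) == 4 else []   # empty zone
        zones.append({
            "no": int(number),
            "name": name,
            "block": block.lower() == "yes",
            "members": [m.strip() for m in members if m.strip()],
        })
    return zones


def zone_of(zones: list, interface: str):
    """Name of the zone containing the interface, or None if it is unassigned."""
    for zone in zones:
        if interface in zone["members"]:
            return zone["name"]
    return None


def check_overlaps(zones: list) -> dict:
    """Interfaces listed in more than one zone (should be empty on a healthy box)."""
    seen = {}
    for zone in zones:
        for iface in zone["members"]:
            seen.setdefault(iface, []).append(zone["name"])
    return {iface: names for iface, names in seen.items() if len(names) > 1}


def can_assign(zones: list, zone_name: str, interface: str):
    """Pre-check for `interface <name>` in zone sub-command mode: an interface
    may join a zone only if it is not already a member of a different one."""
    current = zone_of(zones, interface)
    if current is None or current == zone_name:
        return True, f"{interface} can be assigned to zone {zone_name}"
    return False, f"{interface} already belongs to zone {current}"


if __name__ == "__main__":
    zones = parse_show_zone(SAMPLE_SHOW_ZONE)
    for zone in zones:
        print(zone)
    print("overlaps:", check_overlaps(zones))
    print(can_assign(zones, "C", "ge1"))
```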
CHAPTER 11 DDNS This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL. 11.1 DDNS Overview DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address. Note: You must have a public WAN IP address to use Dynamic DNS.
Chapter 11 DDNS 11.2 DDNS Commands Summary The following table describes the values required for many DDNS commands. Other values are discussed with the corresponding commands. Table 57 Input Values for DDNS Commands LABEL DESCRIPTION profile_name The name of the DDNS profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. The following table lists the DDNS commands.
Chapter 11 DDNS Table 58 ip ddns Commands (continued) COMMAND DESCRIPTION [no] backup-iface interface_name Sets the backup WAN interface in the specified DDNS profile. The no command clears it. [no] ha-iface interface_name Sets the HA interface in the specified DDNS profile. The no command clears it. [no] backmx Enables the backup mail exchanger. The no command disables it. [no] wildcard Enables the wildcard feature. The no command disables it.
CHAPTER 12 Virtual Servers This chapter describes how to set up, manage, and remove virtual servers. Virtual server commands configure NAT. 12.1 Virtual Server Overview Virtual server is also known as port forwarding or port translation. Virtual servers are computers on a private network behind the ZyWALL that you want to make available outside the private network.
Chapter 12 Virtual Servers The following table lists the virtual server commands. Table 60 ip virtual-server Commands COMMAND DESCRIPTION show ip virtual-server [profile_name] Displays information about the specified virtual server or about all the virtual servers. no ip virtual-server profile_name Deletes the specified virtual server.
Chapter 12 Virtual Servers Table 60 ip virtual-server Commands (continued) COMMAND DESCRIPTION ip virtual-server profile_name interface interface_name original-ip {any | IP | address_object} map-to {address_object | ip} map-type original-service service_object mapped-service service_object [natloopback [nat-1-1-map] [deactivate] | nat-1-1-map [deactivate] | deactivate] Creates or modifies the specified virtual server and maps the specified (destination IP address, protocol, and service object) to the sp
Chapter 12 Virtual Servers 12.2.2 Tutorial - How to Allow Public Access to a Server This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). You will use a public IP address of 1.1.1.2 on the ge2 (or wan1 on USG 200 and lower models) interface and map it to the HTTP server’s private IP address of 192.168.3.7. Figure 17 Public Server Example Network Topology (WAN side 1.1.1.2, DMZ server 192.168.3.7). Follow these steps to configure it.
CHAPTER 13 HTTP Redirect This chapter shows you how to configure HTTP redirection on your ZyWALL. 13.1 HTTP Redirect Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. 13.1.1 Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
Chapter 13 HTTP Redirect 13.2 HTTP Redirect Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 61 Input Values for HTTP Redirect Commands LABEL DESCRIPTION description The name to identify the rule. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. interface_name The name of the interface.
Chapter 13 HTTP Redirect 13.2.1 HTTP Redirect Command Examples The following commands create an HTTP redirect rule, disable it and display the settings.
Router# configure terminal
Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80
Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.
CHAPTER 14 ALG This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. 14.1 ALG Introduction The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the ZyWALL’s NAT. Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’ data payload.
Chapter 14 ALG 14.2 ALG Commands The following table lists the alg commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 63 alg Commands COMMAND DESCRIPTION [no] alg sip [inactivitytimeout | signal-port <1025..65535> | signalextra-port <1025..65535> | media-timeout <1..86400> | signal-timeout <1..86400> | transformation] Turns on or configures the ALG.
Chapter 14 ALG 14.3 ALG Commands Example The following example turns on pass through for SIP and turns it off for H.323.
CHAPTER 15 IP/MAC Binding 15.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address. The ZyWALL then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the ZyWALL. Suppose you configure access privileges for IP address 192.168.1.
Chapter 15 IP/MAC Binding 15.3 IP/MAC Binding Commands Example The following example enables IP/MAC binding on the LAN1 interface and displays the interface’s IP/MAC binding status.
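The check that IP/MAC binding performs is simple enough to state in code, which also makes the failure modes explicit: a source IP the DHCP server never leased, and a leased IP arriving from a different MAC than the one it was leased to, are both rejected. The following added example (not code from the guide or from Zyxel) keeps a binding table fed from DHCP leases and static entries and evaluates incoming packets against it. The lease data, MAC addresses and the rule that a static binding takes precedence over a later DHCP lease for the same IP are constructed assumptions for this example.

```python
"""Added worked example (not from the ZyWALL guide): the IP/MAC binding check.

All addresses below are constructed sample data. The precedence rule (a static
entry wins over a later DHCP lease for the same IP) is an assumption of this example.
"""
import re

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case 'aa:bb:cc:dd:ee:ff'; accepts ':', '-' and '.' separators
    so that entries typed by hand and values read from logs compare equal."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _MAC_HEX.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class IpMacBinding:
    def __init__(self):
        self.bindings = {}   # ip -> (mac, origin) with origin 'dhcp' or 'static'

    def add_static(self, ip: str, mac: str) -> None:
        """Administrator-defined binding for a host with a fixed address."""
        self.bindings[ip] = (normalize_mac(mac), "static")

    def record_lease(self, ip: str, mac: str) -> bool:
        """Record a DHCP lease. Returns False (and changes nothing) if the IP is
        already pinned by a static binding."""
        entry = self.bindings.get(ip)
        if entry is not None and entry[1] == "static":
            return False
        self.bindings[ip] = (normalize_mac(mac), "dhcp")
        return True

    def check(self, ip: str, mac: str):
        """Verdict for a packet claiming source ip/mac: ('allow'|'deny', reason)."""
        mac = normalize_mac(mac)
        entry = self.bindings.get(ip)
        if entry is None:
            # Manually configured address that the DHCP server never handed out.
            return "deny", f"{ip} is not bound to any MAC address"
        bound_mac, origin = entry
        if bound_mac == mac:
            return "allow", f"{ip} is bound to {mac} ({origin})"
        # Same IP, different hardware: the case the feature exists to stop.
        return "deny", f"{ip} is bound to {bound_mac} ({origin}) but packet came from {mac}"

    def audit(self, packets) -> list:
        """Run check() over (ip, mac) pairs and return only the denials, which is
        what a detection pipeline would forward as events."""
        return [(ip, mac, self.check(ip, mac)[1]) for ip, mac in packets
                if self.check(ip, mac)[0] == "deny"]


def build_sample_table() -> IpMacBinding:
    table = IpMacBinding()
    table.add_static("192.168.1.2", "AA-BB-CC-DD-EE-FF")        # e.g. a printer
    table.record_lease("192.168.1.10", "00:11:22:33:44:55")      # DHCP client
    return table


if __name__ == "__main__":
    table = build_sample_table()
    sample_packets = [
        ("192.168.1.10", "00:11:22:33:44:55"),   # legitimate lease holder
        ("192.168.1.10", "00:11:22:33:44:66"),   # someone else using that IP
        ("192.168.1.99", "00:11:22:33:44:55"),   # IP never leased
    ]
    for event in table.audit(sample_packets):
        print("DENY", event)
```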
CHAPTER 16 Firewall This chapter introduces the ZyWALL’s firewall and shows you how to configure your ZyWALL’s firewall. 16.1 Firewall Overview The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first. A zone is a group of interfaces or VPN tunnels.
Chapter 16 Firewall 16.2 Firewall Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 65 Input Values for General Firewall Commands LABEL DESCRIPTION address_object The name of the IP address (or address group) object. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 16 Firewall Table 66 Command Summary: Firewall (continued) COMMAND DESCRIPTION firewall zone_object {zone_object|ZyWALL} delete <1..5000> Removes a direction specific through-ZyWALL rule or to-ZyWALL rule. <1..5000>: the index number in a direction specific firewall rule list. firewall zone_object {zone_object|ZyWALL} flush Removes all direction specific through-ZyWALL rule or to-ZyWALL rules.
Chapter 16 Firewall Table 66 Command Summary: Firewall (continued) COMMAND DESCRIPTION firewall6 zone_object {zone_object|ZyWALL} append Enters the IPv6 firewall sub-command mode to add a direction specific through-ZyWALL rule or to-ZyWALL rule to the end of the global rule list. See Table 67 on page 137 for the sub-commands. firewall6 zone_object {zone_object|ZyWALL} delete <1..5000> Removes a direction specific IPv6 through-ZyWALL rule or to-ZyWALL rule. <1..
Chapter 16 Firewall 16.2.1 Firewall Sub-Commands The following table describes the sub-commands for several firewall and firewall6 commands. Table 67 firewall Sub-commands COMMAND DESCRIPTION action {allow|deny|reject} Sets the action the ZyWALL takes when packets match this rule. [no] activate Enables a firewall rule. The no command disables the firewall rule.
Chapter 16 Firewall Table 67 firewall Sub-commands (continued) COMMAND DESCRIPTION [no] to {zone_object|ZyWALL} Sets the zone to which the packets are sent. The no command removes the zone to which the packets are sent and resets it to the default (any). any means all interfaces or VPN tunnels. [no] user user_name Sets a user-aware firewall rule. The rule is activated only when the specified user logs into the system. The no command resets the user name to the default (any). any means all users. 16.
Chapter 16 Firewall The following command displays the default IPv6 firewall rule that applies to the WAN to ZyWALL packet direction. The firewall rule number is the rule’s priority number in the global rule list.
Router(config)# show firewall6 WAN ZyWALL
firewall rule: 13
description:
user: any, schedule: none
from: WAN, to: ZyWALL
source IP: any, source port: any
destination IP: any, service: Default_Allow_v6_WAN_To_ZyWALL
log: no, action: allow, status: yes
16.
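The sub-commands in Table 67 (action, activate, from, to, user and the address and service matches) together define a rule, and the rule number above is its priority: the first active rule whose every criterion matches decides the packet. The following added example (not code from the guide or from Zyxel) is a small first-match evaluator over such rules, which is handy for reasoning about a rule set offline, for instance to confirm that a deactivated rule really leaves a direction uncovered. The rule list, the "proto/port" service notation and the choice of deny as the fallback when nothing matches are constructed assumptions for this example, not the ZyWALL's defaults.

```python
"""Added worked example (not from the ZyWALL guide): first-match firewall rule
evaluation over zone pairs, addresses, services and users.

Rules, the 'tcp/443' service notation and the fallback action are assumptions
for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    number: int               # position in the global list = priority
    from_zone: str = "any"    # zone name, 'ZyWALL', or 'any'
    to_zone: str = "any"
    source: str = "any"       # CIDR or 'any'
    destination: str = "any"
    service: str = "any"      # 'proto/port' or 'any' (notation assumed here)
    user: str = "any"
    action: str = "allow"     # allow | deny | reject
    active: bool = True       # [no] activate
    log: bool = False


def _zone_match(rule_zone: str, pkt_zone: str) -> bool:
    return rule_zone == "any" or rule_zone == pkt_zone


def _addr_match(rule_addr: str, ip: str) -> bool:
    if rule_addr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr, strict=False)


def _service_match(rule_service: str, proto: str, port: int) -> bool:
    return rule_service == "any" or rule_service == f"{proto}/{port}"


def _user_match(rule_user: str, pkt_user) -> bool:
    return rule_user == "any" or rule_user == pkt_user


def evaluate(rules, packet: dict, default: str = "deny"):
    """Return (action, rule number, log) for the first active matching rule,
    or (default, None, False) when no rule matches. `packet` carries
    from_zone, to_zone, src, dst, proto, port and user (None if not logged in)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.active:
            continue                                # deactivated rules are skipped
        if (_zone_match(rule.from_zone, packet["from_zone"])
                and _zone_match(rule.to_zone, packet["to_zone"])
                and _addr_match(rule.source, packet["src"])
                and _addr_match(rule.destination, packet["dst"])
                and _service_match(rule.service, packet["proto"], packet["port"])
                and _user_match(rule.user, packet.get("user"))):
            return rule.action, rule.number, rule.log
    return default, None, False


def sample_rules() -> list:
    """Constructed rule list for the example; zone names are assumptions."""
    return [
        Rule(1, from_zone="LAN", to_zone="WAN", action="allow"),
        Rule(2, from_zone="WAN", to_zone="ZyWALL", service="tcp/443", action="allow", log=True),
        Rule(3, from_zone="WAN", to_zone="ZyWALL", service="tcp/22", action="allow", active=False),
        Rule(4, from_zone="LAN", to_zone="DMZ", source="192.168.1.0/24", user="alice", action="allow"),
        Rule(5, from_zone="any", to_zone="ZyWALL", action="deny", log=True),
    ]


def packet(from_zone, to_zone, src, dst, proto, port, user=None) -> dict:
    return {"from_zone": from_zone, "to_zone": to_zone, "src": src, "dst": dst,
            "proto": proto, "port": port, "user": user}


if __name__ == "__main__":
    rules = sample_rules()
    for p in (packet("WAN", "ZyWALL", "203.0.113.5", "198.51.100.1", "tcp", 443),
              packet("WAN", "ZyWALL", "203.0.113.5", "198.51.100.1", "tcp", 22),
              packet("LAN", "DMZ", "192.168.1.5", "192.168.3.7", "tcp", 80, "bob")):
        print(p["from_zone"], "->", p["to_zone"], p["proto"], p["port"], "=>", evaluate(rules, p))
```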
Chapter 16 Firewall Table 69 Command Summary: Session Limit (continued) COMMAND DESCRIPTION session-limit append Enters the session-limit sub-command mode to add a session-limit rule to the end of the session-limit rule list. session-limit delete rule_number Removes a session-limit rule. session-limit flush Removes all session-limit rules. session-limit insert rule_number Enters the session-limit sub-command mode to add a session-limit rule before the specified rule number.
CHAPTER 17 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. 17.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
Chapter 17 IPSec VPN which the ZyWALL and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure. Figure 20 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
Chapter 17 IPSec VPN Table 70 Input Values for IPSec VPN Commands (continued) LABEL DESCRIPTION distinguished_name A domain name. You can use up to 511 alphanumeric characters, spaces, or .@=,_ characters. sort_order Sort the list of currently connected SAs by one of the following classifications: algorithm, encapsulation, inbound, name, outbound, policy, timeout, uptime. The following sections list the IPSec VPN commands. 17.2.1 IKE SA Commands This table lists the commands for IKE SAs (VPN gateways).
Chapter 17 IPSec VPN Table 71 isakmp Commands: IKE SAs (continued) COMMAND DESCRIPTION group1 group2 group5 Sets the DHx group to the specified group. [no] natt Enables NAT traversal. The no command disables it. local-ip {ip {ip | domain_name} | interface interface_name} Sets the local gateway address to the specified IP address, domain name, or interface. peer-ip {ip | domain_name} [ip | domain_name] Sets the remote gateway address(es) to the specified IP address(es) or domain name(s).
Chapter 17 IPSec VPN Table 72 crypto Commands: IPSec SAs (continued) COMMAND DESCRIPTION crypto map rename map_name map_name Renames the specified IPSec SA (first map_name) to the specified name (second map_name). crypto map map_name activate deactivate Activates or deactivates the specified IPSec SA. adjust-mss {auto | <200..
Chapter 17 IPSec VPN Table 72 crypto Commands: IPSec SAs (continued) COMMAND DESCRIPTION [no] nail-up Automatically re-negotiates the SA as needed. The no command does not. [no] replay-detection Enables replay detection. The no command disables it. [no] netbios-broadcast Enables NetBIOS broadcasts through the IPSec SA. The no command disables NetBIOS broadcasts through the IPSec SA. [no] out-snat activate Enables out-bound traffic SNAT over IPSec. The no command disables out-bound traffic SNAT over IPSec.
Chapter 17 IPSec VPN 17.2.3 IPSec SA Commands (for Manual Keys) This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys). Table 73 crypto map Commands: IPSec SAs (Manual Keys) COMMAND DESCRIPTION crypto map map_name set session-key {ah <256..4095> auth_key | esp <256..4095> [cipher enc_key] authenticator auth_key} Sets the active protocol, SPI (<256..4095>), authentication key and encryption key (if any).
Chapter 17 IPSec VPN Table 74 vpn-concentrator Commands: VPN Concentrator (continued) COMMAND DESCRIPTION [no] crypto map_name Adds the specified IPSec SA to the specified VPN concentrator. The no command removes the specified IPSec SA from the specified VPN concentrator. vpn-concentrator rename profile_name profile_name Renames the specified VPN concentrator (first profile_name) to the specified name (second profile_name). 17.2.
Chapter 17 IPSec VPN 17.2.6 SA Monitor Commands This table lists the commands for the SA monitor. Table 76 sa Commands: SA Monitor COMMAND DESCRIPTION show sa monitor [{begin <1..1000>} | {end <1..1000>} | {crypto-map regexp} | {policy regexp} |{rsort sort_order} | {sort sort_order}] Displays the current IPSec SAs and the status of each one. You can specify a range of SA entries to display. You can also control the sort order of the display and search by VPN connection or (local or remote) policy.
CHAPTER 18 SSL VPN This chapter shows you how to set up secure SSL VPN access for remote user login. 18.1 SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks: • limit user access to specific applications or files on the network. • allow user access to specific networks. • assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks. 18.1.
Chapter 18 SSL VPN Table 77 Input Values for SSL VPN Commands (continued) LABEL DESCRIPTION user_name The name of a user (group). You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. eps_profile_name The name of an endpoint security object. The following sections list the SSL VPN commands. 18.2.1 SSL VPN Commands This table lists the commands for SSL VPN.
Chapter 18 SSL VPN Table 78 SSL VPN Commands COMMAND DESCRIPTION [no] eps periodical-check <1..1440> Sets the number of minutes to have the ZyWALL repeat the endpoint security check at a regular interval. The no command disables this setting. [no] network-extension ip-pool address_object {address_object | ip } {address_object | ip } {address_object | ip } {address_object | ip } address_object} Use this to configure a VPN tunnel between the authenticated users and the internal network.
Chapter 18 SSL VPN 1 First of all, configure 10.1.1.254/24 for the IP address of interface ge2, which is an external interface for public SSL VPN access. Configure 172.16.10.254/24 for the IP address of interface ge3, which is an internal network.
Router(config)# interface ge2
Router(config-if-ge)# ip address 10.1.1.254 255.255.255.0
Router(config-if-ge)# exit
Router(config)# interface ge3
Router(config-if-ge)# ip address 172.16.10.254 255.255.255.
Chapter 18 SSL VPN 6 Displays the SSL VPN rule settings.
CHAPTER 19 L2TP VPN This chapter explains how to set up and maintain L2TP VPNs in the ZyWALL. 19.1 L2TP VPN Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or VPN client software.
Chapter 19 L2TP VPN 19.2.1 Using the Default L2TP VPN Connection Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN. If you use it, edit the following. Configure the local and remote policies as follows. • For the Local Policy, create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW. Use this address object in the local policy.
Chapter 19 L2TP VPN 19.4 L2TP VPN Commands The following table describes the values required for some L2TP VPN commands. Other values are discussed with the corresponding commands. Table 79 Input Values for L2TP VPN Commands LABEL DESCRIPTION address_object The name of an IP address (group) object. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. interface_name The name of the interface.
Chapter 19 L2TP VPN Table 80 L2TP VPN Commands COMMAND DESCRIPTION certificate cert_name Select the certificate to use to identify the ZyWALL for L2TP VPN connections. The certificate is used with the EAP, PEAP, and MSCHAPv2 authentication protocols. The certificate must already be configured. [no] l2tp-over-ipsec user user_name Specifies the user or user group that can use the L2TP VPN tunnel. If you do not configure this, any user with a valid account and password on the ZyWALL can log in.
Chapter 19 L2TP VPN • You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel. • The VPN rule allows the remote user to access the LAN_SUBNET which covers the 192.168.1.1/ 24 subnet. 19.5.1 Configuring the Default L2TP VPN Gateway Example The following commands configure the Default_L2TP_VPN_GW entry. • Configure the My Address setting. This example uses interface ge3 with static IP address 172.23.
Chapter 19 L2TP VPN • Enable the connection.
CHAPTER 20 Application Patrol This chapter describes how to set up application patrol for the ZyWALL. 20.1 Application Patrol Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, http and ftp) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications.
Table 81 Input Values for Application Patrol Commands (continued) LABEL DESCRIPTION zone_name The name of a zone. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. schedule_name The name of a schedule. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 83 app Commands: Rules in Pre-Defined Applications (continued) COMMAND DESCRIPTION app protocol_name rule default or app protocol_name rule modify default Enters sub-command mode for editing the default rule for the application. See Table 84 on page 165 for the sub-commands. no app protocol_name rule rule_number Deletes the specified rule. 20.2.2.1 Rule Sub-commands The following table describes the sub-commands for several application patrol rule commands.
20.2.3 Exception Commands for Pre-defined Applications This table lists the commands for exception rules for application access controls. These commands are retained for backward compatibility only. Table 85 app Commands: Exception Rules in Pre-Defined Applications COMMAND DESCRIPTION app protocol_name exception insert rule_number Creates a new rule at the specified row and enters sub-command mode. See Table 86 on page 166 for the sub-commands.
Table 86 app patrol exception rule Sub-commands (continued) COMMAND DESCRIPTION [no] outbound-dscp-mark {<0..63> | class {default | dscp_class}} This is how the ZyWALL handles the DSCP value of the outgoing packets from a connection’s initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to the class default to have the ZyWALL set the DSCP value to 0. port <0..65535> Specifies the destination port. 0 means any.
20.2.5.1 Other Rule Sub-commands The following table describes the sub-commands for several application patrol other rule commands. Note that not all rule commands use all the sub-commands listed here. Table 89 app patrol other rule Sub-commands COMMAND DESCRIPTION [no] activate Turns on this rule. The no command turns off this rule. [no] port <0..65535> Specifies the destination port. 0 means any. [no] schedule profile_name Adds the specified schedule to the rule.
This table lists the general commands for application patrol. Table 90 app Commands: Pre-Defined Applications COMMAND DESCRIPTION [no] app activate Turns on application patrol. The no command turns off application patrol. [no] app highest sip bandwidth priority Turns the option to maximize the throughput of SIP traffic on or off. [no] app protocol_name bandwidth-graph Sets the specified protocol to display on the bandwidth statistics graph.
Table 90 app Commands: Pre-Defined Applications (continued) COMMAND DESCRIPTION show app highest sip bandwidth priority Displays whether or not the option to maximize the throughput of SIP traffic is enabled. show bwm activation Displays whether or not the global setting for bandwidth management on the ZyWALL is enabled. 20.2.6.1 General Command Examples The following examples show the information that is displayed by some of the show commands.
Router# configure terminal
Router(config)# show app other config
bandwidth-graph: yes
Router# configure terminal
Router(config)# show app other rule all
index: 1
activate: yes
port: 5963
schedule: none
user: any
from zone: any
to zone: any
source address: any
destination address: any
protocol: tcp
access: forward
DSCP inbound marking: preserve
DSCP outbound marking: preserve
bandwidth excess-usage: no
bandwidth priority: 1
bandwidth inbound: 0
bandwidth outbound: 0
log: no in
CHAPTER 21 Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. 21.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself.
21.2.1 General Anti-virus Commands The following table describes general anti-virus commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Note: You must register for the anti-virus service before you can use it (see Chapter 5 on page 45). Table 92 General Anti-virus Commands COMMAND DESCRIPTION [no] anti-virus activate Enables anti-virus service. Anti-virus service also depends on anti-virus service registration.
Table 93 Commands for Zone to Zone Anti-Virus Rules (continued) COMMAND DESCRIPTION anti-virus rule <1..32> Enters the anti-virus sub-command mode to edit the specified direction specific rule. [no] activate Turns a direction specific anti-virus rule on or off. [no] log [alert] Sets the ZyWALL to create a log (and optionally an alert) when packets match this rule and are found to be virus-infected.
21.2.2.1 Zone to Zone Anti-virus Rule Example This example shows how to configure (and display) a WAN to LAN anti-virus rule to scan HTTP traffic and destroy infected files. The white and black lists are ignored and zipped files are decompressed. Any zipped files that cannot be decompressed are destroyed.
Table 94 Commands for Anti-virus White and Black Lists (continued) COMMAND DESCRIPTION [no] anti-virus black-list file-pattern av_file_pattern {activate|deactivate} Adds or removes a black list file pattern. Turns a file pattern on or off. anti-virus black-list replace old_av_file_pattern new_av_file_pattern {activate|deactivate} Replaces the specified black list file pattern with a new file pattern. 21.2.3.
21.2.4.1 Signature Search Example This example shows how to search for anti-virus signatures with MSN in the name.
Router(config)# anti-virus search signature name MSN
signature: 1
virus id: 41212
virus name: MSN
category: virus
severity: Low
21.3 Update Anti-virus Signatures Use these commands to update new signatures. You should have already registered for anti-virus service.
21.3.1 Update Signature Examples These examples show how to enable/disable automatic anti-virus downloading, schedule updates, display the schedule, display the update status, show the (new) updated signature version number, show the total number of signatures and show the date/time the signatures were created.
Router# configure terminal
Router(config)# anti-virus update signatures
ANTI-VIRUS signature update in progress.
Please check system log for future information.
21.4.1 Anti-virus Statistics Example This example shows how to collect and display anti-virus statistics. It also shows how to sort the display by the most common destination IP addresses.
CHAPTER 22 IDP Commands This chapter introduces IDP-related commands. 22.1 Overview Commands mostly mirror web configurator features. It is recommended you use the web configurator for IDP features such as searching for web signatures, creating/editing an IDP profile or creating/editing a custom signature. Some web configurator terms may differ from the command-line equivalent. Note: The “no” command negates the action or returns it to the default value.
This table shows the IDP signature, anomaly, and system-protect activation commands. Table 99 IDP Activation COMMAND DESCRIPTION [no] idp {signature | anomaly | system-protect} activate Enables IDP signatures, anomaly detection, and/or system-protect. Using IDP signatures requires IDP service registration. If you don’t have a standard license, you can register for a once-off trial one. Anomaly detection and the self-protect feature do not require registration.
22.3.1.1 Example of Global Profile Commands In this example we rename an IDP signature profile from “old_profile” to “new_profile”, delete the “bye_profile” and show all base profiles available.
Router# configure terminal
Router(config)# idp rename signature old_profile new_profile
Router(config)# no idp signature bye_profile
Router(config)# show idp signature base profile
No.
22.3.2.1 Example of IDP Zone to Zone Rule Commands The following example creates IDP zone to zone rule one. The rule applies the LAN_IDP profile to all traffic going to the LAN zone.
Note: You CANNOT change the base profile later! Table 103 Editing/Creating Anomaly Profiles COMMAND DESCRIPTION idp anomaly newpro [base {all | none}] Creates a new IDP anomaly profile called newpro. newpro uses the base profile you specify. Enters subcommand mode. All the following commands relate to the new profile. Use exit to quit sub-command mode. scan-detection sensitivity {low | medium | high} Sets scan-detection sensitivity.
Table 103 Editing/Creating Anomaly Profiles (continued) COMMAND DESCRIPTION [no] http-inspection {http-xxx} activate Activates or deactivates http-inspection options where http-xxx = {ascii-encoding | u-encoding | bare-byte-unicode-encoding | base36-encoding | utf-8-encoding | iis-unicode-codepoint-encoding | multi-slash-encoding | iis-backslash-evasion | self-directory-traversal | directory-traversal | apache-whitespace | non-rfc-http-delimiter | non-rfc-defined-char | oversize-re
Table 103 Editing/Creating Anomaly Profiles (continued) COMMAND DESCRIPTION show idp anomaly profile scan-detection {tcp-portscan | tcp-decoy-portscan | tcp-portsweep | tcp-distributed-portscan | tcp-filtered-portscan | tcp-filtered-decoy-portscan | tcp-filtered-distributed-portscan | tcp-filtered-portsweep} details Shows selected TCP scan-detection settings for the specified IDP profile.
22.3.4.1 Creating an Anomaly Profile Example In this example we create a profile named “test”, configure some settings, display them, and then return to global command mode.
Note: It is recommended you use the web configurator to search for signatures. Table 105 Signature Search Command COMMAND DESCRIPTION idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | logalert} action action_mask Searches for signature(s) in a profile by the parameters specified.
example, to search for signatures for Windows NT, Windows XP and Windows 2000 computers, then type “12” as the platform parameter.
22.3.6.2 Signature Search Example This example command searches for all signatures in the LAN_IDP profile:
• Containing the text “worm” within the signature name
• With an ID of 12345
• Has a very low severity level
• Operates on the Windows NT platform
• Is a scan policy type, DNS service
• Is enabled
• Generates logs.
22.4.1 Custom Signature Examples These examples show how to create a custom signature, edit one, display the details of one or all of them, and show the total number of custom signatures.
This example shows you how to display custom signature details.
This example shows you how to display custom signature contents.
This example shows you how to display all details of a custom signature.
Router(config)# show idp signatures custom-signature all details
sid: 9000000
message: test edit
policy type:
severity:
platform:
all: no
Win95/98: no
WinNT: no
WinXP/2000: no
Linux: no
FreeBSD: no
Solaris: no
SGI: no
other-Unix: no
network-device: no
service:
outbreak: no
This example shows you how to display the number of custom signatures on the ZyWALL.
22.5.1 Update Signature Examples These examples show how to enable/disable automatic IDP downloading, schedule updates, display the schedule, display the update status, show the (new) updated signature version number, show the total number of signatures and show the date/time the signatures were created.
Router# configure terminal
Router(config)# idp signature update signatures
IDP signature update in progress.
Please check system log for future information.
22.6.1 IDP Statistics Example This example shows how to collect and display IDP statistics. It also shows how to sort the display by the most common signature name, source IP address, or destination IP address.
CHAPTER 23 Content Filtering This chapter covers how to use the content filtering feature to control web access. 23.1 Content Filtering Overview Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites. It can also block access to specific categories of web site content. You can create different content filtering policies for different addresses, schedules, users or groups and content filtering profiles.
23.5 Content Filter Command Input Values The following table explains the values you can input with the content-filter commands. Table 111 Content Filter Command Input Values LABEL DESCRIPTION policy_number The number of the policy <0 - X > where X depends on the number of content filtering policies the ZyWALL model supports. See the CLI help for details. address The name (up to 63 characters) of an existing address object or group to which the policy should be applied.
Table 111 Content Filter Command Input Values (continued) LABEL DESCRIPTION forbid_hosts The IP address or domain name of a forbidden web site. Enter a host name such as www.bad-site.com in this field. Do not use the complete URL of the site; that is, do not include “http://”. All subdomains are also blocked. For example, entering “bad-site.com” also blocks “www.bad-site.com”, “partner.bad-site.com”, “press.bad-site.com”, etc.
mode to be able to use these commands. See Table 111 on page 200 for details about the values you can input with these commands. Table 112 content-filter General Commands COMMAND DESCRIPTION [no] content-filter active Turns on content filtering. The no command turns it off. [no] content-filter block message message Sets the message to display when content filtering blocks access to a web page. The no command clears the setting.
Table 112 content-filter General Commands (continued) COMMAND DESCRIPTION [no] {ipv4 | ipv4_cidr | ipv4_range | wildcard_domainname | tld} Adds or removes a common trusted or forbidden web site entry. ipv4: IPv4 address ipv4_cidr: IPv4 subnet in CIDR format, e.g. 192.168.1.0/32 /<1..32> ipv4_range: Range of IPv4 addresses. - wildcard_domainname: wildcard domain name, e.g. zyxel*.co* (([*a-z0-9\-]){1,63}\.
Table 113 content-filter Filtering Profile Commands Summary (continued) COMMAND DESCRIPTION content-filter profile filtering_profile custom-list keyword Enters the sub-command for configuring the content filtering profile’s list of forbidden keywords. This has the content filtering profile block access to Web sites with URLs that contain the specified keyword or IP address in the URL.
Table 113 content-filter Filtering Profile Commands Summary (continued) COMMAND DESCRIPTION [no] content-filter profile filtering_profile url url-server Sets a content filtering profile to use the external web filtering service. The no command has the profile not use the external web filtering service. [no] content-filter service-timeout service_timeout Sets how many seconds the ZyWALL is to wait for a response from the external content filtering server.
Use the configure terminal command to enter the configuration mode to be able to use these commands. See Table 111 on page 200 for details about the values you can input with these commands. Table 114 content-filter url-cache Commands COMMAND DESCRIPTION [no] content-filter -timeout _timeout Sets how long to keep a content filtering URL cache entry before discarding it. The no command clears the setting.
23.9.1 Content Filtering Statistics Example This example shows how to collect and display content filtering statistics.
8 Activate the customization.
Router# configure terminal
Router(config)# address-object sales 172.21.3.
Use this command to display the settings of the profile.
CHAPTER 24 Anti-Spam This chapter introduces and shows you how to configure the anti-spam scanner. 24.1 Anti-Spam Overview The anti-spam feature marks or discards spam. Activate the anti-spam subscription service for sender IP reputation checking, mail content analysis, and virus outbreak detection. Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail.
24.2.1.1 Activate/Deactivate Anti-Spam Example This example shows how to activate and deactivate anti-spam on the ZyWALL.
Router# configure terminal
Router(config)# anti-spam activate
Router(config)# show anti-spam activation
anti-spam activation: yes
Router(config)# no anti-spam activate
Router(config)# show anti-spam activation
anti-spam activation: no
Router(config)#
24.2.
Table 118 Commands for Zone to Zone Anti-Spam Rules (continued) COMMAND DESCRIPTION show anti-spam {smtp | pop3} defaultport Display the SMTP or POP3 TCP ports the ZyWALL checks for spam. [no] anti-spam ip-reputation activate Set whether or not to use IP reputation to identify spam by the sender’s IP address. anti-spam ip-reputation query-timeout time [timeout] Set how many seconds the ZyWALL waits for a reply when checking the IP reputation of a sender’s IP address.
24.2.2.1 Zone to Zone Anti-spam Rule Example This example shows how to configure (and display) a WAN to DMZ anti-spam rule to scan POP3 and SMTP traffic. SMTP spam is forwarded. POP3 spam is marked with a spam tag. The ZyWALL logs the event when an e-mail matches the DNSBL (see Section 24.2.4 on page 216 for more on DNSBL). The white and black lists are ignored.
Table 119 Input Values for White and Black list Anti-Spam Commands (continued) LABEL DESCRIPTION rule_number The index number of an anti-spam white or black list entry. 1 - X where X is the highest number of entries the ZyWALL model supports. See the ZyWALL’s User’s Guide for details. subject A keyword in the content of the e-mail Subject headers. Use up to 63 ASCII characters. Spaces are not allowed, although you could substitute a question mark (?). See Section 24.2.3.
24.2.3.1 White and Black Lists Example This example shows how to configure and enable white list entries for e-mails with “testwhite” in the subject, e-mails from whitelist@ourcompany.com, e-mails with the Date header set to 2007, and e-mails from (or forwarded by) IP address 192.168.1.0 with subnet 255.255.255.0.
Router(config)# anti-spam white-list subject testwhite activate
Router(config)# anti-spam white-list e-mail whitelist@ourcompany.
This table describes the DNSBL commands. Table 122 DNSBL Commands COMMAND DESCRIPTION [no] anti-spam dnsbl activate Turns DNSBL checking on or off. anti-spam dnsbl [1..5] domain dnsbl_domain {activate|deactivate} Adds or edits a DNSBL domain for checking e-mail header IP addresses. no anti-spam dnsbl domain dnsbl_domain Removes the specified DNSBL domain.
Table 122 DNSBL Commands COMMAND DESCRIPTION [no] anti-spam xheader dnsbl mail-header mail-header-value Specify the name and value for the X-Header to add to e-mails with a sender or relay IP address in the header that matches a black list maintained by a DNSBL domain in the ZyWALL’s list. show anti-spam xheader dnsbl Display the name and value for the X-Header to add to e-mails with a sender or relay IP address in the header that matches a black list maintained by a DNSBL domain i
24.3 Anti-Spam Statistics The following table describes the commands for collecting and displaying anti-spam statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 123 Commands for Anti-spam Statistics COMMAND DESCRIPTION [no] anti-spam statistics collect Turn the collection of anti-spam statistics on or off. anti-spam statistics flush Clears the collected statistics.
CHAPTER 25 Device HA Use device HA to increase network reliability. Device HA lets a backup ZyWALL (B) automatically take over if a master ZyWALL (A) fails. Figure 24 Device HA Backup Taking Over for the Master 25.1 Device HA Overview Active-Passive Mode and Legacy Mode • Active-passive mode lets a backup ZyWALL take over if the master ZyWALL fails.
Otherwise you must manually configure the master ZyWALL’s settings on the backup (by editing copies of the configuration files in a text editor for example). 25.1.1 Before You Begin • Configure a static IP address for each interface that you will have device HA monitor. Note: Subscribe to services on the backup ZyWALL before synchronizing it with the master ZyWALL. • Synchronization includes updates for services to which the master and backup ZyWALLs are both subscribed.
Virtual Router and Management IP Addresses • If a backup takes over for the master, it uses the master’s IP addresses. These IP addresses are known as the virtual router IP addresses. • Each interface can also have a management IP address. You can connect to this IP address to manage the ZyWALL regardless of whether it is the master or the backup. 25.4 Active-Passive Mode Device HA Commands The following table identifies the values required for many of these commands.
Table 126 device-ha ap-mode Commands (continued) COMMAND DESCRIPTION [no] device-ha ap-mode interface_name manage-ip ip subnet_mask Sets the management IP address for an interface. [no] device-ha ap-mode interface_name activate Has device HA monitor the status of an interface’s connection. [no] device-ha ap-mode master sync authentication password password This is for a master ZyWALL. It specifies the password to require from synchronizing backup ZyWALLs.
25.4.2 Active-Passive Mode Device HA Command Example This example configures a ZyWALL to be a master ZyWALL for active-passive mode device HA. There is a management IP address of 192.168.1.3 on lan1. wan1 and lan1 are monitored. The synchronization password is set to “mySyncPassword”.
Router(config)# device-ha ap-mode lan1 manage-ip 192.168.1.3 255.255.
25.6.1 VRRP Group Commands This table lists the commands for VRRP groups. Table 128 device-ha Commands: VRRP Groups COMMAND DESCRIPTION show device-ha vrrp-group Displays information about all VRRP groups. [no] device-ha vrrp-group vrrp_group_name Creates the specified VRRP group if necessary and enters sub-command mode. The no command deletes the specified VRRP group. [no] vrid <1..254> Sets the specified VRRP group’s ID to the specified VR ID. The no command clears the VR ID.
Table 129 device-ha Commands: Synchronization (continued) COMMAND DESCRIPTION [no] device-ha sync port <1..65535> Specifies the port number to use to synchronize with the specified ZyWALL router. The no command resets the port to 21. [no] device-ha sync authentication password password Specifies the password to use when synchronizing. Every router in the virtual router should use the same password. The no command resets the password to “1234”.
CHAPTER 26 User/Group This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them. 26.1 User Account Overview A user account defines the privileges of a user logged into the ZyWALL. User accounts are used in firewall rules and application patrol, in addition to controlling access to configuration and services in the ZyWALL. 26.1.
26.2 User/Group Commands Summary The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands. Table 132 username/groupname Command Input Values LABEL DESCRIPTION username The name of the user (account). You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. groupname The name of the user group.
Table 133 username/groupname Commands Summary: Users (continued) COMMAND DESCRIPTION username username [no] logon-lease-time <0..1440> Sets the lease time for the specified user. Set it to zero to set unlimited lease time. The no command sets the lease time to five minutes (regardless of the current default setting for new users). username username [no] logon-re-auth-time <0..1440> Sets the reauthorization time for the specified user.
Table 135 username/groupname Commands Summary: Settings (continued) COMMAND DESCRIPTION users default-setting [no] user-type logon-re-auth-time <0..1440> Sets the default reauthorization time (in minutes) for each type of new user. Set it to zero for unlimited reauthorization time. The no command sets the default reauthorization time to thirty. show users retry-settings Displays the current retry limit settings for users.
26.2.4 Force User Authentication Commands This table lists the commands for forcing user authentication. Table 136 username/groupname Commands Summary: Forcing User Authentication COMMAND DESCRIPTION [no] force-auth activate Enables forced user authentication, which makes users log in to the ZyWALL before the ZyWALL routes traffic for them. The no command means user authentication is not required.
26.2.4.1 force-auth Sub-commands The following table describes the sub-commands for several force-auth policy commands. Note that not all rule commands use all the sub-commands listed here. Table 137 force-auth policy Sub-commands COMMAND DESCRIPTION [no] activate Activates the specified condition. The no command deactivates the specified condition. [no] authentication {force | required} Select the authentication requirement for users when their traffic matches this policy.
• Description: EPS-on-LAN
• Source: use address object “LAN1_SUBNET”
• Destination: use address object “DMZ_Servers”
• User Authentication: required
• Schedule: none specified
• Endpoint security: Activate
• Endpoint security object: use “EPS-WinXP” and “EPS-WinVista” for the first and second checking EPS objects
Router# configure terminal
Router(config)# force-auth policy insert 1
Router(config-force-auth-1)# activate
Router(config-force-auth-1)# description EPS-on-LAN
Router(config-fo
26.2.5.1 Additional User Command Examples The following commands display the users that are currently logged in to the ZyWALL and force the logout of all logins from a specific IP address.
Router# configure terminal
Router(config)# show users all
No: 0
Name: admin
Type: admin
From: console
Service: console
Session_Time: 25:46:00
Idle_Time: unlimited
Lease_Timeout: unlimited
Re_Auth_Timeout: unlimited
User_Info: admin
No: 1
Name: admin
Type: admin
From: 192.168.1.
CHAPTER 27 Addresses This chapter describes how to set up addresses and address groups for the ZyWALL. 27.1 Address Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. You can create IP address objects based on an interface’s IP address, subnet, or gateway. The ZyWALL automatically updates these objects whenever the interface’s IP address settings change.
The following sections list the address object and address group commands. 27.2.1 Address Object Commands This table lists the commands for address objects. Table 140 address-object and address6-object Commands COMMAND DESCRIPTION show {address-object | address6-object | service-object | schedule-object} [object_name] Displays information about the specified object or all the objects of the specified type.
27.2.1.1 Address Object Command Examples The following example creates three IPv4 address objects and then deletes one.
Router# configure terminal
Router(config)# address-object A0 192.168.1.1
Router(config)# address-object A1 192.168.1.1-192.168.1.20
Router(config)# address-object A2 192.168.1.0/24
Router(config)# show address-object
Object name Type Address Ref.
=====================================================================
A0 HOST 192.168.1.1 0
A1 RANGE 192.168.1.1-192.168.1.
The following example creates host, range, subnet, and link local IPv6 address objects and then deletes the subnet IPv6 address object.
Table 141 object-group Commands: Address Groups (continued) COMMAND DESCRIPTION [no] description description Sets the description to the specified value. The no command clears the description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. object-group address rename group_name group_name Renames the specified address group from the first group_name to the second group_name. 27.2.2.
CHAPTER 28 Services Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 28.1 Services Overview See the appendices in the web configurator’s User Guide for a list of commonly-used services. 28.2 Services Commands Summary The following table describes the values required for many service object and service group commands. Other values are discussed with the corresponding commands.
Table 143 service-object Commands: Service Objects (continued) COMMAND DESCRIPTION service-object object_name icmp icmp_value Creates the specified ICMP message using the specified parameters. icmp_value: <0..
Table 144 object-group Commands: Service Groups (continued) COMMAND DESCRIPTION [no] object-group group_name Adds the specified service group (second group_name) to the specified service group (first group_name). The no command removes the specified service group from the specified service group. [no] description description Sets the description to the specified value. The description.
CHAPTER 29 Schedules Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. 29.1 Schedule Overview The ZyWALL supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat. Note: Schedules are based on the current date and time in the ZyWALL. One-time schedules begin on a specific start date and time and end on a specific stop date and time.
Table 146 schedule Commands (continued) COMMAND DESCRIPTION schedule-object object_name date time date time Creates or updates a one-time schedule. date: yyyy-mm-dd date format; yyyy-<01..12>-<01..31> schedule-object object_name time time [day] [day] [day] [day] [day] [day] [day] Creates or updates a recurring schedule. day: 3-character day of the week; sun | mon | tue | wed | thu | fri | sat 29.2.
Chapter 30 AAA Server

This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers.

30.1 AAA Server Overview

You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the ZyWALL supports.
Table 147 ad-server Commands (continued)
COMMAND / DESCRIPTION
[no] ad-server binddn binddn
    Sets the user name the ZyWALL uses to log into the default AD server. The no command clears this setting.
[no] ad-server cn-identifier uid
    Sets the unique common name (cn) to identify a record. The no command clears this setting.
[no] ad-server host ad_server
    Sets the AD server address. Enter the IP address (in dotted decimal notation) or the domain name. The no command clears this setting.
30.2.3 radius-server Commands

The following table lists the radius-server commands you use to set the default RADIUS server.

Table 149 radius-server Commands
COMMAND / DESCRIPTION
show radius-server
    Displays the default RADIUS server settings.
[no] radius-server host radius_server auth-port auth_port
    Sets the RADIUS server address and service port number. Enter the IP address (in dotted decimal notation) or the domain name of a RADIUS server. The no command clears the settings.
Table 150 aaa group server ad Commands (continued)
COMMAND / DESCRIPTION
[no] server alternative-cn-identifier uid
    Sets the second type of identifier that the users can use to log in, if any. For example, “name” or “e-mail address”. The no command clears this setting.
[no] server basedn basedn
    Sets the base DN to point to the AD directory on the AD server group. The no command clears this setting.
Table 151 aaa group server ldap Commands (continued)
COMMAND / DESCRIPTION
[no] case-sensitive
    Specifies whether or not the server checks the username case. Set this to be the same as the server’s behavior.
[no] server alternative-cn-identifier uid
    Sets the second type of identifier that the users can use to log in, if any. For example, “name” or “e-mail address”. The no command clears this setting.
Table 152 aaa group server radius Commands (continued)
COMMAND / DESCRIPTION
aaa group server radius group-name
    Enters the sub-command mode.
[no] case-sensitive
    Specifies whether or not the server checks the username case. Set this to be the same as the server’s behavior.
[no] server description description
    Sets the descriptive information for the RADIUS server group. You can use up to 60 printable ASCII characters. The no command clears the setting.
Chapter 31 Authentication Objects

This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database.

31.1 Authentication Objects Overview

After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the ZyWALL uses to authenticate users (using VPN or managing through HTTP/HTTPS). 31.
Table 153 aaa authentication Commands (continued)
COMMAND / DESCRIPTION
[no] aaa authentication profile-name member1 [member2] [member3] [member4]
    Sets the profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius, or local. Note: You must specify at least one member for each profile. Each type of member can only be used once in a profile. The no command clears the specified authentication method(s) for the profile.
• Bind-dn: zyxel\engineerABC
• Password: abcdefg
• Login-name-attribute: sAMAccountName

The result shows that the account exists on the AD server. Otherwise, the ZyWALL responds with an error.

Router> test aaa server ad host 172.16.50.
Chapter 32 Certificates

This chapter explains how to use certificates.

32.1 Certificates Overview

The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication. A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner.
Table 155 Certificates Commands Input Values (continued)
LABEL / DESCRIPTION
organization
    Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
country
    Identify the nation where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Table 156 ca Commands Summary (continued)
COMMAND / DESCRIPTION
ca validation remote_certificate
    Enters the sub-command mode for validation of certificates signed by the specified remote (trusted) certificates.
cdp {activate|deactivate}
    Turns certificate revocation checking on or off.
Table 156 ca Commands Summary (continued)
COMMAND / DESCRIPTION
show ca category {local|remote} name certificate_name certpath
    Displays the certification path of the specified local (my certificates) or remote (trusted certificates) certificate.
32.5 Certificates Commands Examples

The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512-bit key. Then it displays the list of local certificates. Finally it deletes the pkcs12request certification request.

Router# configure terminal
Router(config)# ca generate x509 name test_x509 cn-type ip cn 10.0.0.
Chapter 33 ISP Accounts

Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE, PPTP and cellular interfaces.

33.1 ISP Accounts Overview

An ISP account is a profile of settings for Internet access using PPPoE, PPTP, or cellular.

33.1.1 PPPoE and PPTP Account Commands

The following table lists the PPPoE and PPTP ISP account commands.
Table 157 PPPoE and PPTP ISP Account Commands (continued)
COMMAND / DESCRIPTION
[no] server ip
    Sets the PPTP server for the specified PPTP ISP account. The no command clears the server name.
[no] encryption {nomppe | mppe-40 | mppe-128}
    Sets the encryption for the specified PPTP ISP account. The no command sets the encryption to nomppe.
[no] connection-id connection_id
    Sets the connection ID for the specified PPTP ISP account. The no command clears the connection ID.
Chapter 34 SSL Application

This chapter describes how to configure SSL application objects for use in SSL VPN.

34.1 SSL Application Overview

Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group.

34.1.1 SSL Application Object Commands

This table lists the commands for creating SSL application objects.
Table 159 SSL Application Object Commands
COMMAND / DESCRIPTION
server-type file-sharing sharepath share-path
    Specifies the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access. Enter the path in one of the following formats.
34.1.2 SSL Application Command Examples

The following commands create and display a server-type SSL application object named ZW5 for a web server at IP address 192.168.1.12.

Router(config)# sslvpn application ZW5
Router(sslvpn application)# server-type web-server url http://192.168.1.12
Router(sslvpn application)# exit
Router(config)# show sslvpn application
SSL Application: ZW5
Server Type: web-server
URL: http://192.168.1.
Chapter 35 Endpoint Security

This chapter describes how to configure endpoint security objects for use in authentication policy and SSL VPN.

35.1 Endpoint Security Overview

Use Endpoint Security (EPS), also known as endpoint control, to make sure users’ computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel.
Requirements

User computers must have Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a minimum version of 1.4.

35.1.1 Endpoint Security Commands Summary

The following table describes the values required for many endpoint security object commands. Other values are discussed with the corresponding commands.

Table 160 Input Values for Endpoint Security Commands
LABEL / DESCRIPTION
profile_name
    The name of the endpoint security object.
Table 161 Endpoint Security Object Commands
COMMAND / DESCRIPTION
[no] personal-firewall personal_firewall_software_name detect-autoprotection {enable | disable | ignore}
    Sets a permitted personal firewall. If you want to enter multiple personal firewalls, use this command for each of them. Use the list signature personal-firewall command to view the available personal firewall software package options.
Table 161 Endpoint Security Object Commands
COMMAND / DESCRIPTION
windows-version {windows-2000 | windows-xp | windows-2003 | windows-2008 | windows-vista | windows-7 | windows-2008r2}
    If you set windows as the operating system (using the os-type command), use this command to set the version of Windows.
matching-criteria {any | all}
    Selects whether the user’s computer has to match just one of the endpoint security object’s checking criteria or all of them.
Table 161 Endpoint Security Object Commands
COMMAND / DESCRIPTION
eps warning-message {windows-auto-update | windows-security-patch | anti-virus | personal-firewall | windows-registry | process | filepath}
    Enters the sub-command mode for configuring the EPS warning message to show to network clients whose computers fail the related EPS check.
[no] enable
    Enables or disables showing the related EPS warning message to network clients whose computers fail the related EPS check.
However, he needs to check the anti-virus software name defined on the ZyWALL. The following example shows how to list all available anti-virus software packages that the ZyWALL’s endpoint security can check for. Copy and paste the name of output item 17 for the setting later.

Router> configure terminal
Router(config)# show eps signature anti-virus
No.
Now Peter can create the EPS object profile as shown in the next example. Note that he uses the matching-criteria all command to make sure all users’ computers have the required software installed and settings configured before they access the company’s SSL VPN.
Chapter 36 DHCPv6 Objects

This chapter describes how to configure and view DHCPv6 request and lease objects.

36.1 DHCPv6 Object Commands Summary

The following table identifies the values required for many DHCPv6 object commands. Other input values are discussed with the corresponding commands.

Table 162 DHCPv6 Object Command Input Values
LABEL / DESCRIPTION
dhcp6_profile
    The name of a DHCPv6 request object. Use a string of less than 31 characters.
interface_name
    The name of the interface.
Table 163 DHCPv6 Object Commands (continued)
COMMAND / DESCRIPTION
dhcp6-lease-object dhcp6_profile { sip-server | ntp-server | dns-server } { ipv6_addr | dhcp6_profile }
    Creates or edits the specified SIP server, NTP server, or DNS server DHCP lease object with the specified IPv6 address. When you assign a request object, the lease object value will be the request object value retrieved from the DHCPv6 server.
This example creates and displays a DHCPv6 prefix delegation lease object named “pfx” for IPv6 address prefix 2005::/64 and DUID 00:01:02:03:04:05:06:07, then renames it to “pd”.
Chapter 37 System

This chapter provides information on the commands that correspond to what you can configure in the system screens.

37.1 System Overview

Use these commands to configure general ZyWALL information, the system time and the console port connection speed for a terminal emulation program. They also allow you to configure DNS settings and determine which services/protocols can access which ZyWALL zones (if any) from which computers. 37.
Figure 26 Access Page Customization (labels shown in the figure: Logo; Title; Message (color of all text); Note Message (last line of text); Window Background)

You can specify colors in one of the following ways:
• color-rgb: Enter red, green, and blue values in parentheses, separated by commas. For example, use “rgb(0,0,0)” for black.
• color-name: Enter the name of the desired color.
• color-number: Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color.
Table 164 Command Summary: Customization (continued)
COMMAND / DESCRIPTION
login-page window-color {color-rgb | color-name | color-number}
    Sets the color of the login page’s window border.
logo background-color {color-rgb | color-name | color-number}
    Sets the color of the logo banner across the top of the login screen and access page.
show access-page settings
    Lists the current access page settings.
show login-page default-title
    Lists the factory default title for the login page.
37.4.1 Date/Time Commands

The following table describes the commands available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 166 Command Summary: Date/Time
COMMAND / DESCRIPTION
clock date yyyy-mm-dd time hh:mm:ss
    Sets the new date in year, month and day format manually and the new time in hour, minute and second format.
[no] clock daylight-saving
    Enables daylight saving.
37.6 DNS Overview

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.

37.6.1 Domain Zone Forwarder

A domain zone forwarder contains a DNS server’s IP address. The ZyWALL can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server.
Table 169 Command Summary: DNS (continued)
COMMAND / DESCRIPTION
[no] ip dns server mx-record domain_name {w.x.y.z|fqdn}
    Sets an MX record that specifies a mail server that is responsible for handling the mail for a particular domain. The no command deletes an MX record.
ip dns server rule {<1..32>|append|insert <1..32>} access-group {ALL|address_object} zone {ALL|address_object} action {accept|deny}
    Sets a service control rule for DNS requests.
ip dns server rule move <1..32> to <1..
Chapter 38 System Remote Management

This chapter shows you how to determine which services/protocols can access which ZyWALL zones (if any) from which computers.

Note: To access the ZyWALL from a specified computer using a service, make sure no service control rules or to-ZyWALL firewall rules block that traffic. 38.
38.2 Common System Command Input Values

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 170 Input Values for General System Commands
LABEL / DESCRIPTION
address_object
    The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 171 Command Summary: HTTP/HTTPS (continued)
COMMAND / DESCRIPTION
[no] ip http secure-server cert certificate_name
    Specifies a certificate used by the HTTPS server. The no command resets the certificate used by the HTTPS server to the factory default (default). certificate_name: The name of the certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
38.3.1 HTTP/HTTPS Command Examples

The following example adds a service control rule that allows an administrator on a computer whose IP address matches the Marketing address object to access the WAN zone using the HTTP service.

Router# configure terminal
Router(config)# ip http server table admin rule append access-group Marketing zone WAN action accept

This command sets an authentication method used by the HTTP/HTTPS server to authenticate the client(s).
38.4.3 SSH Commands

The following table describes the commands available for SSH. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 172 Command Summary: SSH
COMMAND / DESCRIPTION
[no] ip ssh server
    Allows SSH access to the ZyWALL CLI. The no command disables SSH access to the ZyWALL CLI.
38.5 Telnet

You can configure your ZyWALL for remote Telnet access.

38.6 Telnet Commands

The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 173 Command Summary: Telnet
COMMAND / DESCRIPTION
[no] ip telnet server
    Allows Telnet access to the ZyWALL CLI. The no command disables Telnet access to the ZyWALL CLI.
[no] ip telnet server port <1..
This command displays the Telnet settings.

Router# configure terminal
Router(config)# show ip telnet server status
active : yes
port : 23
service control:
No. Zone Address Action
========================================================================
Router(config)#

38.7 Configuring FTP

You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. 38.7.
38.7.2 FTP Commands Examples

This command sets a service control rule that allows computers whose IP addresses match the specified address object to access the specified zone using the FTP service.

Router# configure terminal
Router(config)# ip ftp server rule 4 access-group Sales zone WAN action accept

This command displays the FTP settings.
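The DNS, HTTP and FTP service control rules above all share one shape: an ordered table of up to 32 rules, each naming an address object (or ALL), a zone (or ALL) and an accept/deny action, built with append, insert N, a rule number or move N to M. The following Python models that table and evaluates it first-match, so the effect of rule order (an appended deny that sits behind a broad accept never fires until it is moved ahead of it) can be checked offline. This is an added example, not code from the guide or from ZyXEL; the address-object contents are constructed, a rule number past the end of the table is treated as an append, and a source that matches no rule returns None so the caller supplies its own default, since the guide does not state the device's default for that case.

```python
"""Ordered service-control rule table (append / insert / numbered / move),
evaluated first-match, modelled on the ip dns/http/ftp server rule commands.
Added example; not code from the CLI guide. Address-object contents are
constructed; 'rule N' beyond the table end appends; no match returns None."""
import ipaddress
from dataclasses import dataclass

MAX_RULES = 32  # the CLI numbers service control rules <1..32>


@dataclass
class Rule:
    access_group: str  # address object name or "ALL"
    zone: str          # zone name or "ALL"
    action: str        # "accept" or "deny"


class ServiceControlTable:
    def __init__(self, address_objects):
        # address object name -> list of networks (constructed sample input)
        self.objects = {name: [ipaddress.ip_network(c) for c in cidrs]
                        for name, cidrs in address_objects.items()}
        self.rules = []

    def _check_room(self):
        if len(self.rules) >= MAX_RULES:
            raise ValueError("rule table is full")

    @staticmethod
    def _check_index(n):
        if not 1 <= n <= MAX_RULES:
            raise ValueError(f"rule number {n} outside 1..{MAX_RULES}")

    def apply(self, line):
        """Apply one '... rule ...' CLI line: append, insert N, N, or move N to M."""
        tokens = line.split()
        args = tokens[tokens.index("rule") + 1:]
        if args[0] == "move":                       # rule move <n> to <m>
            self.move(int(args[1]), int(args[3]))
            return
        if args[0] == "append":
            position, kv = None, args[1:]
        elif args[0] == "insert":
            position, kv = int(args[1]), args[2:]
        else:                                       # numbered rule
            position, kv = int(args[0]), args[1:]
        opts = dict(zip(kv[0::2], kv[1::2]))
        rule = Rule(opts["access-group"], opts["zone"], opts["action"])
        if rule.action not in ("accept", "deny"):
            raise ValueError(f"bad action {rule.action!r}")
        if rule.access_group != "ALL" and rule.access_group not in self.objects:
            raise ValueError(f"unknown address object {rule.access_group!r}")
        if position is None:
            self._check_room()
            self.rules.append(rule)
        elif args[0] == "insert":
            self._check_room()
            self._check_index(position)
            self.rules.insert(position - 1, rule)   # later rules shift down
        elif position <= len(self.rules):
            self._check_index(position)
            self.rules[position - 1] = rule         # overwrite existing rule N
        else:
            self._check_room()                      # assumption: N past the end appends
            self.rules.append(rule)

    def move(self, n, m):
        self._check_index(n)
        self._check_index(m)
        if n > len(self.rules) or m > len(self.rules):
            raise ValueError("cannot move: rule number beyond table end")
        self.rules.insert(m - 1, self.rules.pop(n - 1))

    def evaluate(self, src_ip, zone):
        """First matching rule decides; None means no rule matched."""
        src = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if rule.zone not in ("ALL", zone):
                continue
            if rule.access_group != "ALL" and not any(
                    src in net for net in self.objects[rule.access_group]):
                continue
            return rule.action
        return None


if __name__ == "__main__":
    table = ServiceControlTable({"Marketing": ["192.168.1.0/24"], "Sales": ["10.0.0.0/8"]})
    table.apply("ip dns server rule append access-group Marketing zone WAN action accept")
    table.apply("ip dns server rule append access-group ALL zone WAN action deny")
    print(table.evaluate("192.168.1.5", "WAN"))   # accept: Marketing rule matches first
    table.apply("ip dns server rule move 2 to 1")
    print(table.evaluate("192.168.1.5", "WAN"))   # deny: the broad deny now comes first
```

Running the same commands the guide shows through this model before pasting them into the device is a cheap way to confirm that a management-plane restriction (for example, no FTP or HTTP access from the WAN zone except from one address object) ends up ordered the way you intended.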
38.8.3 SNMP Commands

The following table describes the commands available for SNMP. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 176 Command Summary: SNMP
COMMAND / DESCRIPTION
[no] snmp-server
    Allows SNMP access to the ZyWALL. The no command disables SNMP access to the ZyWALL.
The following command sets the password (secret) for read-write (rw) access.

Router# configure terminal
Router(config)# snmp-server community secret rw

The following command sets the IP address of the host that receives the SNMP notifications to 172.23.15.84 and the password (sent with each trap) to qwerty.

Router# configure terminal
Router(config)# snmp-server host 172.23.15.84 qwerty

38.9 ICMP Filter

The ip icmp-filter commands are obsolete.
38.10.1 AT Command Strings

For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP.

38.10.2 DTR Signal

The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE.
38.10.4.1 Dial-in Management Command Examples

The following commands show you how to set up dial-in management with the following parameters: active, port speed 57600, initial-string ATDT, and description “I am dial-in management”.
Table 179 Command Summary: Vantage CNM
COMMAND / DESCRIPTION
[no] cnm-agent acs password
    Configures the password of the ACS (Auto-Configuration Server) connection request, which the ZyWALL uses to authenticate the server using HTTP digest authentication.
[no] cnm-agent username
    Configures the username of the ZyWALL, which the ACS server uses to authenticate the ZyWALL using HTTP digest authentication.
38.13 IPv6 Commands

Use the ipv6 commands to enable or disable IPv6 support. You must use the configure terminal command to enter the configuration mode before you can use the commands that configure settings.

Table 181 Command Summary: IPv6
COMMAND / DESCRIPTION
[no] ipv6 activate
    Enables or disables IPv6 support.
show ipv6 status
    Displays whether IPv6 support is enabled or disabled.
Chapter 39 File Manager

This chapter covers how to work with the ZyWALL’s firmware, certificates, configuration files, custom IDP signatures, packet trace results, shell scripts and temporary files.

39.1 File Directories

The ZyWALL stores files in the following directories.
These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.

Figure 27 Configuration File / Shell Script: Example
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3
interface ge3
ip address 172.23.37.240 255.255.255.0
ip gateway 172.23.37.
Line 3 in the following example exits sub command mode.

interface ge1
ip address dhcp
!

Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.

!
interface ge1
# this interface is a DHCP client
!

Lines 1 and 2 are comments. Line 5 exits sub command mode.

! this is from Joe
# on 2006/06/05
interface ge1
ip address dhcp
!

39.2.
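The three examples above establish the rules for this file format: a line beginning with # or ! is a comment, a line holding only ! leaves sub-command mode, and a lone ! outside sub-command mode is just a comment. The following Python is an added example (not code from the guide or from ZyXEL) that parses a script by those rules and reports the structural faults a reviewer would want flagged before the file is applied: a block that is never closed, and a mode-opening command that appears while another block is still open. Which commands open a sub-command mode is not listed on this page; the SUBMODE_PREFIXES set, containing only the interface command shown in the examples, is an assumption to extend for your own scripts.

```python
"""Parse a ZLD-style configuration file / shell script into commands and
comments and lint its sub-command blocks. Added example; not code from the
CLI guide. SUBMODE_PREFIXES is an assumption: the guide's examples show only
'interface <name>' opening a sub-command mode."""

SUBMODE_PREFIXES = ("interface",)  # assumed; extend for other sub-command modes


def parse_script(text):
    """Return (commands, comments, warnings).

    commands: list of (command, [sub-commands]) in file order
    comments: the '#' and '!' comment lines, in file order
    warnings: structural problems worth fixing before applying the file
    A line holding only '!' leaves sub-command mode; outside sub-command mode
    it is only a comment, as the guide's second example shows."""
    commands, comments, warnings = [], [], []
    current = None  # (command, sub-commands) while inside a sub-command mode
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            if current is not None:
                commands.append(current)
                current = None
            else:
                comments.append(line)
            continue
        if line[0] in "#!":
            comments.append(line)
            continue
        opens_mode = line.split()[0] in SUBMODE_PREFIXES
        if current is not None:
            if opens_mode:
                warnings.append(f"line {lineno}: {line!r} begins inside the block "
                                f"of {current[0]!r}; missing '!'?")
            current[1].append(line)
        elif opens_mode:
            current = (line, [])
        else:
            commands.append((line, []))
    if current is not None:  # file ended without the closing '!'
        warnings.append(f"end of file: block of {current[0]!r} is not closed by '!'")
        commands.append(current)
    return commands, comments, warnings


if __name__ == "__main__":
    # The guide's third example, reproduced as constructed input.
    script = "! this is from Joe\n# on 2006/06/05\ninterface ge1\nip address dhcp\n!\n"
    cmds, cmts, warns = parse_script(script)
    print(cmds)   # [('interface ge1', ['ip address dhcp'])]
    print(warns)  # []
```

The unclosed-block warning matters because every command that follows an unterminated interface block is applied as a sub-command of that interface rather than at the top level; catching that before apply, or before the file becomes startup-config.conf, avoids a restart into an unintended configuration.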
• When the ZyWALL reboots, if the startup-config.conf file passes the error check, the ZyWALL keeps a copy of the startup-config.conf file as the lastgood.conf configuration file for you as a backup file. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.

39.2.4 Configuration File Flow at Restart

If there is not a startup-config.
39.4 File Manager Commands Summary

The following table lists the commands that you can use for file management.

Table 185 File Manager Commands Summary
COMMAND / DESCRIPTION
apply /conf/file_name.conf [ignore-error] [rollback]
    Has the ZyWALL use a specific configuration file. You must still use the write command to save your configuration changes to the flash (“nonvolatile” or “long term”) memory.
Table 185 File Manager Commands Summary (continued)
COMMAND / DESCRIPTION
show running-config
    Displays the settings of the configuration file that the system is using.
setenv-startup stop-on-error off
    Has the ZyWALL ignore any errors in the startup-config.conf file and apply all of the valid commands.
show setenv-startup
    Displays whether or not the ZyWALL is set to ignore any errors in the startup-config.conf file and apply all of the valid commands.
The firmware update can take up to five minutes. Do not turn off or reset the ZyWALL while the firmware update is in progress! If you lose power during the firmware upload, you may need to refer to Section 39.8 on page 307 to recover the firmware.

39.6.2 Command Line FTP Configuration File Upload Example

The following example transfers a configuration file named tomorrow.conf from the computer and saves it on the ZyWALL as next.conf.
39.6.4 Command Line FTP Configuration File Download Example

The following example gets a configuration file named today.conf from the ZyWALL and saves it on the computer as current.conf.

Figure 29 FTP Configuration File Download Example
C:\>ftp 192.168.1.1
Connected to 192.168.1.1.
220 FTP Server (ZyWALL) [192.168.1.1]
User (192.168.1.1:(none)): admin
331 Password required for admin.
Password:
230 User admin logged in.
39.8 Notification of a Damaged Recovery Image or Firmware

The ZyWALL’s recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the ZyWALL notifies you of a damaged recovery image or firmware file. Use this section if your device has stopped responding for an extended period of time and you cannot access or ping it. Note that the ZyWALL does not respond while starting up.
4 If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged. Use the procedure in Section 39.10 on page 310 to restore it. If the message does not display, the firmware is OK and you do not need to use the firmware recovery procedure.

Figure 33 Firmware Damaged

39.9 Restoring the Recovery Image

This procedure requires the ZyWALL’s recovery image. Download the firmware package from www.zyxel.
Note: You only need to use the atuk or atur command if the recovery image is damaged.

Figure 35 atuk Command for Restoring the Recovery Image

4 Enter Y and wait for the “Starting XMODEM upload” message before activating XMODEM upload on your terminal.

Figure 36 Starting Xmodem Upload

5 This is an example Xmodem configuration upload using HyperTerminal. Click Transfer, then Send File to display the following screen.
7 Enter atgo. The ZyWALL starts up. If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged and you need to use the procedure in Section 39.10 on page 310 to recover the firmware.

Figure 39 atgo Debug Command

39.10 Restoring the Firmware

This procedure requires the ZyWALL’s firmware. Download the firmware package from www.zyxel.com and unzip it. The firmware file uses a .bin extension, for example, "1.
7 Wait for the file transfer to complete.

Figure 41 FTP Firmware Transfer Complete

8 After the transfer is complete, “Firmware received” or “ZLD-current received” displays. Wait (up to four minutes) while the ZyWALL recovers the firmware.

Figure 42 Firmware Received and Recovery Started

9 The console session displays “done” when the firmware recovery is complete. Then the ZyWALL automatically restarts.
10 The username prompt displays after the ZyWALL starts up successfully. The firmware recovery process is now complete and the ZyWALL is ready to use.

Figure 44 Restart Complete

39.11 Restoring the Default System Database

The default system database stores information such as the default anti-virus or IDP signatures. The ZyWALL can still operate if the default system database is damaged or missing, but related features (like anti-virus or IDP) may not function properly.
If the default system database file is not valid, the ZyWALL displays a warning message in your console session at startup or when reloading the anti-virus or IDP signatures. It also generates a log. Here are some examples. Use this section to restore the ZyWALL’s default system database.
example, "1.01(XL.0)C0.db". Do the following after you have obtained the default system database file.

39.11.1 Using the atkz -u Debug Command

Note: You only need to use the atkz -u command if the default system database is damaged.

1 Restart the ZyWALL.
2 When “Press any key to enter debug mode within 3 seconds.” displays, press a key to enter debug mode.

Figure 48 Enter Debug Mode

3 Enter atkz -u to start the recovery process.
7 Hit enter to log in anonymously.
8 Set the transfer mode to binary (type bin).
9 Transfer the firmware file from your computer to the ZyWALL. Type put followed by the path and name of the firmware file. This example uses put e:\ftproot\ZLD FW \1.01(XL.0)C0.db.

Figure 51 FTP Default System Database Transfer Command

10 Wait for the file transfer to complete.
12 The username prompt displays after the ZyWALL starts up successfully. The default system database recovery process is now complete and the ZyWALL IDP and anti-virus features are ready to use again.
Chapter 40 Logs

This chapter provides information about the ZyWALL’s logs.

Note: When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User’s Guide for the maximum number of system log messages in the ZyWALL.

40.1 Log Commands Summary

The following table describes the values required for many log commands. Other values are discussed with the corresponding commands.
40.1.1 Log Entries Commands

This table lists the commands to look at log entries.

Table 187 logging Commands: Log Entries
COMMAND / DESCRIPTION
show logging entries [priority pri] [category module_name] [srcip ip] [srcip6 ipv6_addr] [dstip ip] [dstip6 ipv6_addr] [service service_name] [begin <1..512> end <1..512>] [keyword keyword] [srciface interface_name] [dstiface interface_name] [protocol protocol]
    Displays the specified entries in the system log.
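To show what the filter options of show logging entries do when several are combined, the following Python applies the same option names to a small constructed log and adds one simple triage helper built on the category and keyword filters. This is an added example, not code from the guide or from ZyXEL, and the sample entries are constructed, not real ZyWALL output. Two points are assumptions: that priority, category, service, interface and protocol filters are exact matches (the guide only names the options), and that srcip/srcip6 and dstip/dstip6 both compare against the entry's single source or destination address, normalised so that 2001:0db8::7 and 2001:db8::7 match.

```python
"""Filter system-log entries with the same options as `show logging entries`.
Added example; not code from the CLI guide. SAMPLE_LOG is constructed, and
exact-match semantics for the non-IP, non-keyword filters are an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class LogEntry:
    index: int          # position in the log, 1..512 (the begin/end range)
    priority: str
    category: str
    message: str
    srcip: str = ""
    dstip: str = ""
    service: str = ""
    srciface: str = ""
    dstiface: str = ""
    protocol: str = ""


# Constructed sample log; not real ZyWALL output.
SAMPLE_LOG = [
    LogEntry(1, "warn", "firewall", "Match default rule, DROP",
             "203.0.113.9", "192.168.1.1", "ssh", "wan1", "ge1", "tcp"),
    LogEntry(2, "info", "user", "Administrator admin from 192.168.1.5 has logged in",
             "192.168.1.5", "192.168.1.1", "https", "ge1", "", "tcp"),
    LogEntry(3, "warn", "user", "Failed login attempt for admin",
             "203.0.113.9", "192.168.1.1", "ssh", "wan1", "", "tcp"),
    LogEntry(4, "notice", "firewall", "Match rule 3, ACCEPT",
             "192.168.1.5", "10.0.0.1", "https", "ge1", "ge2", "tcp"),
    LogEntry(5, "warn", "firewall", "Match default rule, DROP",
             "2001:db8::7", "2001:db8::1", "ssh", "wan1", "ge1", "tcp"),
]

_EXACT_FIELDS = ("priority", "category", "service", "srciface", "dstiface", "protocol")
_KNOWN_OPTIONS = set(_EXACT_FIELDS) | {"srcip", "srcip6", "dstip", "dstip6",
                                       "begin", "end", "keyword"}


def _same_ip(text, wanted):
    """Compare as addresses so '2001:0db8::7' matches '2001:db8::7'."""
    try:
        return ip_address(text) == ip_address(wanted)
    except ValueError:
        return False


def show_logging_entries(entries, **filters):
    """Return the entries matching every given filter (option names as in the CLI)."""
    unknown = set(filters) - _KNOWN_OPTIONS
    if unknown:
        raise ValueError(f"unknown option(s): {sorted(unknown)}")
    matched = []
    for e in entries:
        if "begin" in filters and e.index < filters["begin"]:
            continue
        if "end" in filters and e.index > filters["end"]:
            continue
        if "keyword" in filters and filters["keyword"].lower() not in e.message.lower():
            continue
        wanted_src = filters.get("srcip", filters.get("srcip6"))
        if wanted_src is not None and not _same_ip(e.srcip, wanted_src):
            continue
        wanted_dst = filters.get("dstip", filters.get("dstip6"))
        if wanted_dst is not None and not _same_ip(e.dstip, wanted_dst):
            continue
        if any(f in filters and getattr(e, f) != filters[f] for f in _EXACT_FIELDS):
            continue
        matched.append(e)
    return matched


def indexes(entries):
    """Log positions of the given entries, handy for comparing filter results."""
    return [e.index for e in entries]


def failed_logins_by_source(entries):
    """Triage helper: count 'user' entries mentioning a failed login, per source IP."""
    counts = {}
    for e in show_logging_entries(entries, category="user", keyword="failed"):
        counts[e.srcip] = counts.get(e.srcip, 0) + 1
    return counts


if __name__ == "__main__":
    print(indexes(show_logging_entries(SAMPLE_LOG, category="firewall", keyword="drop")))  # [1, 5]
    print(failed_logins_by_source(SAMPLE_LOG))  # {'203.0.113.9': 1}
```

Because the system log is a ring buffer that overwrites the oldest entries (see the note at the start of this chapter), narrowing with begin/end and a keyword is the quickest way to pull the relevant window out before it is gone; the remote syslog settings later in this chapter are what keep a durable copy.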
40.1.2.1 System Log Command Examples

The following command displays the current status of the system log.

Router# configure terminal
Router(config)# show logging status system-log
512 events logged
suppression active : yes
suppression interval: 10
category settings :
content-filter : normal , forward-web-sites : no
blocked-web-sites : normal , user : normal
myZyXEL.
This table lists the commands for the remote syslog server settings.

Table 190 logging Commands: Remote Syslog Server Settings
COMMAND / DESCRIPTION
show logging status syslog
    Displays the current settings for the remote servers.
[no] logging syslog <1..4>
    Enables the specified remote server. The no command disables the specified remote server.
[no] logging syslog <1..4> address {ip | hostname}
    Sets the URL or IP address of the specified remote server. The no command clears this field.
Table 192 logging Commands: E-mail Profile Settings (continued)
COMMAND / DESCRIPTION
[no] logging mail <1..2> address {ip | hostname}
    Sets the URL or IP address of the mail server for the specified e-mail profile. The no command clears the mail server field. hostname: You may use up to 63 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
logging mail <1..
40.1.4.1 E-mail Profile Command Examples

The following commands set up e-mail log 1.

Router# configure terminal
Router(config)# logging mail 1 address mail.zyxel.com.tw
Router(config)# logging mail 1 subject AAA
Router(config)# logging mail 1 authentication username lachang.li password XXXXXX
Router(config)# logging mail 1 send-log-to lachang.li@zyxel.com.
Router(config)# logging mail 1
Router(config)# logging mail 1
Router(config)# logging mail 1
Router(config)# logging mail 1
Chapter 41 Reports and Reboot

This chapter provides information about the report-associated commands and how to restart the ZyWALL using commands. It also covers the daily report e-mail feature.

41.1 Report Commands Summary

The following sections list the report, session, and packet size statistics commands.

41.1.1 Report Commands

This table lists the commands for reports.

Table 194 report Commands
COMMAND / DESCRIPTION
[no] report
    Begins data collection.
41.1.2 Report Command Examples

The following commands start collecting data, display the traffic reports, and stop collecting data.

Router# configure terminal
Router(config)# show report ge1 ip
No. IP Address   User   Amount       Direction
===================================================================
1   192.168.1.4  admin  1273(bytes)  Outgoing
2   192.168.1.4  admin  711(bytes)   Incoming
Router(config)# show report ge1 service
No.
Table 196 Packet Size Statistics Commands (continued)
  show report packet size statistics {interface_name} [interval interval]
      Displays the specified interface's packet size distribution statistics. You can also specify the packet size interval into which to group the statistics.
      interval: 128, 256, or 512 (bytes)
  report packet size statistics clear
      Clears the packet size statistics data for all interfaces.

41.
Table 198 Email Daily Report Commands (continued)
  [no] mail-to-3 e_mail
      See above.
  [no] mail-to-4 e_mail
      See above.
  [no] mail-to-5 e_mail
      See above.
  [no] item as-report
      Determines whether or not anti-spam statistics are included in the report e-mails.
  [no] item av-report
      Determines whether or not anti-virus statistics are included in the report e-mails.
• Has the ZyWALL provide username 12345 and password 12345 to the SMTP server for authentication.
• Sets the ZyWALL to send the report at 1:57 PM.
• Has the ZyWALL not reset the counters after sending the report.
• Has the report include CPU, memory, port, and session usage along with traffic statistics.
• Turns on the daily e-mail reporting.
This displays the email daily report settings and has the ZyWALL send the report. Note that show daily-report status prints the SMTP password in clear text, so treat console sessions and saved CLI transcripts that contain this output as sensitive.

  Router(config)# show daily-report status
  email daily report status
  =========================
  activate: yes
  scheduled time: 13:57
  reset counter: no
  smtp address: example-SMTP-mail-server.com
  smtp port: 25
  smtp auth: yes
  smtp username: 12345
  smtp password: pass12345
  mail subject: test subject
  append system name: no
  append date time: yes
  mail from: my-email@example.
Chapter 42 Session Timeout

Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands.

Table 199 Session Timeout Commands
  session timeout {udp-connect <1..300> | udp-deliver <1..300> | icmp <1..300>}
      Sets the timeout for UDP sessions to connect or deliver and for ICMP sessions.
Chapter 43 Diagnostics

This chapter covers how to use the diagnostics feature.

43.1 Diagnostics

The diagnostics feature provides an easy way for you to generate a file containing the ZyWALL's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Because the file includes the configuration, treat it as sensitive data when you store or send it.

43.2 Diagnosis Commands

The following table lists the commands that you can use to have the ZyWALL collect diagnostics information.
Chapter 44 Packet Flow Explore

This chapter covers how to use the packet flow explore feature.

44.1 Packet Flow Explore

Use this to get a clear picture of how the ZyWALL decides where to forward a packet and how it changes the packet's source IP address according to your current settings. This function gives you a summary of all your routing and SNAT settings and helps you troubleshoot related problems.

44.
44.3 Packet Flow Explore Commands Example

The following example shows all routing related functions and their order.

  Router> show route order
  route order: Policy Route, Direct Route, 1-1 SNAT, SiteToSite VPN, Dynamic VPN, Static-Dynamic Route, Default WAN Trunk, Main Route

The following example shows all SNAT related functions and their order.
The following example shows all activated dynamic VPN rules.

  Router> show system route dynamic-vpn
  No.  Source  Destination  VPN Tunnel
  ===========================================================================

The following example shows all activated static-dynamic VPN rules.
The following example shows the default WAN trunk settings.
Chapter 45 Packet Flow Filter

This chapter covers how to use the packet flow filter feature.

45.1 Packet Flow Filter

Use the packet flow filter to troubleshoot firewall rules and policy routes when specific packets you expect to go through the ZyWALL do not.

45.2 Packet Flow Filter Commands

The following table identifies some common values used in packet-flow commands. Other input values are discussed with the corresponding commands.
Table 203 Packet Flow Filter Commands (continued)
  exit
      Leaves the sub-command mode.
  [no] packet-flow activate
      Turns the packet flow filter on or off.
  show packet-flow status
      Displays whether or not the packet flow filter is activated and whether the ring buffer is enabled or disabled.
  show packet-flow buffer [pf_cpu_core_num]
      Displays the details of the captured packet flow.
This example displays packet flow filter 1's settings.

  Router> show packet-flow filter 1
  Filter #1 Status:
    Activation: Yes
    Src IP: 1.2.3.4
    Dst IP: 5.6.7.8
    Host Configured: No
    Protocol: 17
    Src Port: 123

This example displays the details of a captured packet flow. In this case the traffic matches firewall rule 3 and is dropped by it.

  Router> show packet-flow buffer
  #1 Tracking ID: 1
     Feature: Firewall (type:IPTables)
     Action: Drop
     Pkt Info: Src :192.168.30.1:67 Dst :255.255.255.
This example activates the packet flow ring buffer feature.
Chapter 46 Maintenance Tools

Use the maintenance tool commands to check the conditions of other devices through the ZyWALL. The maintenance tools can help you to troubleshoot network problems. Here are maintenance tool commands that you can use in privilege mode.

Table 204 Maintenance Tools Commands in Privilege Mode
  packet-trace [interface interface_name] [[ip-proto|ipv6-proto] | protocol_name | any}] [src-host {ip | hostname | any}] [dst-host {ip | hostname | any}] [port {<1..
Table 204 Maintenance Tools Commands in Privilege Mode (continued)
  file-suffix
      Specifies text to add to the end of the file name (before the dot and filename extension) to help you identify the packet capture files. Modifying the file suffix also avoids making new capture files that overwrite existing files of the same name. The file name format is "interface name-file suffix.cap", for example "vlan2-packet-capture.cap".
  files-size <1..
Table 204 Maintenance Tools Commands in Privilege Mode (continued)
  show ipv6 neighbor-list
      Displays the ZyWALL's IPv6 neighbors.
  show packet-capture config
      Displays current packet capture settings.

Here are maintenance tool commands that you can use in configuration mode.
  Router# traceroute www.zyxel.com
  traceroute to www.zyxel.com (203.160.232.7), 30 hops max, 38 byte packets
   1  172.23.37.254  3.049 ms  1.947 ms  1.979 ms
   2  172.23.6.253   2.983 ms  2.961 ms  2.980 ms
   3  172.23.6.1     5.991 ms  5.968 ms  6.984 ms
   4  * * *

Here are maintenance tool commands that you can use in configuration mode.

Table 206 Maintenance Tools Commands in Configuration Mode
  show arp-table
      Displays the current Address Resolution Protocol table.
• IP address: any
• Host IP: any
• Host port: any (then you do not need to configure this setting)
• File suffix: Example
• File size: 10 megabytes
• Duration: 150 seconds
• Save the captured packets to: USB storage device
• Use the ring buffer: no
• The maximum size of a packet capture file: 100 megabytes

  Router(config)# packet-capture configure
  Router(packet-capture)# iface add wan1
  Router(packet-capture)# ip-type any
  Router(packet-capture)# host-ip any
  Router(packet-capture)
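The packet-capture settings above write one file per interface ("interface name-file suffix.cap") to the ZyWALL or to USB storage, and the file-size and ring-buffer limits mean a capture can stop in the middle of a packet. The following Python script is an added example, not code from this guide or from ZyXEL: it assumes the .cap files are in the classic libpcap format (a 24-byte global header followed by 16-byte record headers), which the guide does not state, and the frames it parses are constructed in memory with the IPv4 and UDP checksums left at zero. It rejects data that is not a libpcap file, reports a truncated final record instead of failing on it, and summarises each IPv4 packet in the same shape as the packet-flow output earlier in this guide (source address and port, destination address and port, protocol).

```python
"""Read and sanity-check a libpcap capture such as the files the ZyWALL's
packet-capture tool writes (for example wan1-Example.cap on USB storage).

Added example, not code from the CLI Reference Guide. It assumes the .cap
files use the classic libpcap format (24-byte global header, 16-byte record
headers); the guide does not state the format. The frames below are
constructed in memory with IPv4 and UDP checksums left at zero.
"""
import socket
import struct

# Magic as read little-endian from the first four bytes -> (byte order, nanosecond timestamps)
_MAGICS = {0xA1B2C3D4: ("<", False), 0xA1B23C4D: ("<", True),
           0xD4C3B2A1: (">", False), 0x4D3CB2A1: (">", True)}


def parse_pcap(data):
    """Return (header, records, truncated). A record that runs past the end of
    the data, the usual result of a capture stopped at its file-size limit,
    sets truncated instead of raising."""
    if len(data) < 24:
        raise ValueError("shorter than the libpcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    order, nanos = _MAGICS[magic]
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "nanos": nanos}
    records, off, truncated = [], 24, False
    while off < len(data):
        if off + 16 > len(data):
            truncated = True
            break
        ts_sec, ts_frac, incl, orig = struct.unpack(order + "IIII", data[off:off + 16])
        if incl > snaplen or incl > orig:
            raise ValueError("bad record header at offset %d" % off)
        if off + 16 + incl > len(data):
            truncated = True
            break
        records.append({"ts": ts_sec + ts_frac / (1e9 if nanos else 1e6),
                        "incl": incl, "orig": orig, "data": data[off + 16:off + 16 + incl]})
        off += 16 + incl
    return header, records, truncated


def summarize_ipv4(frame):
    """(src, sport, dst, dport, proto) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport = dport = None
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:  # TCP/UDP ports sit first in the L4 header
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src, sport, dst, dport, proto


def build_udp_frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame for testing; checksums are zero."""
    eth = b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + udp


def build_pcap(frames, snaplen=1600, drop_tail=0):
    """Little-endian libpcap file (linktype 1 = Ethernet). drop_tail removes
    bytes from the end to mimic a capture that hit its size limit mid-record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1360000000 + n, 0, len(frame), len(frame)) + frame
    return out[:len(out) - drop_tail] if drop_tail else out


# Constructed traffic: a broadcast like the one in the packet-flow example, then a syslog datagram.
SAMPLE_FRAMES = [
    build_udp_frame("192.168.30.1", 67, "255.255.255.255", 68, b"\x02" * 40),
    build_udp_frame("192.168.1.4", 51000, "192.168.1.1", 514, b"<142>test"),
]

if __name__ == "__main__":
    header, records, truncated = parse_pcap(build_pcap(SAMPLE_FRAMES, drop_tail=7))
    print(header, "truncated:", truncated)
    for rec in records:
        print("%.6f" % rec["ts"], summarize_ipv4(rec["data"]))
```

When you pull a .cap file off the USB device, run parse_pcap on its bytes first: a truncated result tells you the last packet is incomplete rather than evidence of a short frame on the wire, and a ValueError on the magic tells you the file is not what you expected before you feed it to a decoder.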
Chapter 47 Watchdog Timer

This chapter provides information about the ZyWALL's watchdog timers.

47.1 Hardware Watchdog Timer

The hardware watchdog has the system restart if the hardware fails. The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.

Table 207 hardware-watchdog-timer Commands
  [no] hardware-watchdog-timer <4..
47.3 Application Watchdog

The application watchdog has the system restart a process that fails. These are the app-watchdog commands. Use the configure terminal command to enter configuration mode to be able to use these commands.

Table 209 app-watchdog Commands
  [no] app-watch-dog activate
      Turns the application watchdog timer on or off.
  [no] app-watch-dog auto-recover
      If app-watch-dog detects a dead process, it tries to recover it automatically.
  Application Watch Dog Setting:
    activate: yes
    alert: yes
    console print: always
    retry count: 3
    auto recover: yes
    system reboot: yes
    interval: 60 seconds
    mem threshold: 80% ~ 90%
    cpu threshold: 80% ~ 90%
    disk threshold: 80% ~ 90%
  Router(config)# show app-watch-dog monitor-list
  #app_name   min_process_count   max_process_count(-1 unlimited)   recover_enable
  uamd        1                   -1                                1
  firewalld   1                   -1                                0
  policyd     1                   -1                                1
  contfltd    1                   -1                                1
  classify    1                   -1                                0
  ospfd       1                   -1                                0
  ripd        1                   -1                                0
  resd        1                   -1                                0
  zyshd_wd    1                   -1                                0
  zyshd       1                   -1                                0
  httpd       1                   -1                                1
  dhcpd       1
List of Commands (Alphabetical)

This section lists the commands and sub-commands in alphabetical order. Commands and sub-commands appear at the same level.

Ping {ipv4 | hostname} [source ipv4] [size <0..65507>] [forever| count <1..4096>] ..... 342
[no] {anti-virus | personal-firewall} activate ..... 270
[no] {ipv4 | ipv4_cidr | ipv4_range | wildcard_domainname | tld} .....
[no] ad-server ssl ..... 250
[no] ampdu ..... 84
[no] ampdu .....
[no] app-watch-dog cpu-threshold min <1..100> max <1..100> ..... 348
[no] app-watch-dog disk-threshold min <1..100> max <1..100> .....
{fri|mon|sat|sun|thu|tue|wed} hh:mm offset ..... 282
[no] clock time-zone {-|+hh} .....
[no] description description ..... 234
[no] description description .....
[no] eps profile profile_name ..... 270
[no] eps rename profile_name new_profile_name ..... 273
[no] fall-back .....
[no] interface {num|interface-name} ..... 95
[no] interface ap_interface .....
[no] ipv6 dhcp6-request-object dhcp6_profile ..... 75
[no] ipv6 enable ..... 75
[no] ipv6 metric <0..
[no] logging syslog <1..4> {disable | level normal | level all} ..... 320
[no] logging syslog <1..4> address {ip | hostname} ..... 320
[no] logging syslog <1..4> facility {local_1 | local_2 | local_3 | local_4 | local_5 | local_6 | local_7} ..... 320
[no] logging syslog <1..4> format {cef | vrpt} .....
[no] out-snat activate ..... 146
[no] packet-capture activate .....
[no] security dot1x acct ip port <1..65535> ..... 86
[no] security dot1x activate .....
[no] source {address_object|any} ..... 101
[no] source {any|ipv4} .....
[no] wan-iface interface_name ..... 116
[no] webpage-encrypt ..... 267
[no] wildcard ..... 117
[no] windows-auto-update {enable | disable | ignore} ..... 272
[no] windows-registry registry_key {eq | gt | lt | ge | le | neq} registry_value .....
anti-spam tag {dnsbl | dnsbl-timeout} [tag] ..... 217
anti-spam tag {mail-content | virus-outbreak} [tag] ..... 213
anti-spam tag black-list [tag] ..... 215
anti-spam tag query-timeout [tag] .....
bandwidth priority <1..7> ..... 168
bandwidth-graph ..... 164
bind profile ..... 183
budget {log|log-alert} [recursive <1..65535>] ..... 77
budget {log-percentage|log-percentage-alert} [recursive <1..65535>] .....
content-filter profile filtering_profile url match {block | log | warn | pass} ..... 204
content-filter profile filtering_profile url match-unsafe {block | log | pass} ..... 204
content-filter profile filtering_profile url offline {block | log | warn | pass} ..... 204
content-filter profile filtering_profile url unrate {block | log | warn | pass} ..... 204
content-filter statistics flush .....
debug system ipv6 ..... 36
debug update server (*) ..... 36
delete ..... 33
delete {/cert | /conf | /idp | /packet_trace | /script | /tmp}/file_name ..... 303
details .....
eps warning-message {windows-auto-update | windows-security-patch | anti-virus | personal-firewall | windows-registry | process | file-path} ..... 273
exit ..... 101
exit ..... 102
exit ..... 139
exit .....
force-auth policy flush ..... 233
force-auth policy insert <1..1024> ..... 233
force-auth policy move <1..1024> to <1..1024> ..... 233
gateway ..... 60
gateway ipv6_addr metric <0..15> ..... 58
group1 .....
interface dial interface_name ..... 74
interface disconnect aux ..... 90
interface disconnect interface_name ..... 74
interface interface_name ..... 65
interface interface_name .....
ip virtual-server profile_name interface interface_name original-ip {any | ip | address_object} map-to {address_object | ip} map-type any [nat-loopback [nat-1-1-map] [deactivate] | nat-1-1-map [deactivate] | deactivate] .....
login-page window-color {color-rgb | color-name | color-number} ..... 281
logo background-color {color-rgb | color-name | color-number} ..... 281
mac mac ..... 71
mail-subject set subject ..... 325
matching-criteria {any | all} .....
no content-filter profile filtering_profile url offline {log} ..... 204
no content-filter profile filtering_profile url unrate {log} ..... 204
no device-ha link-monitoring ..... 227
no device-ha stop-stub-interface ..... 227
no dhcp6-lease-object dhcp6_profile .....
object-group service rename group_name group_name ..... 245
ocsp {activate|deactivate} ..... 261
ocsp url url [id name password password] [deactivate] ..... 261
or ..... 164
or ..... 165
or .....
renew dhcp interface-name ..... 65
report packet size statistics clear ..... 325
reset-counter-now ..... 326
ring-buffer ..... 342
role ap ..... 84
router ospf .....
session-limit delete rule_number ..... 140
session-limit flush ..... 140
session-limit insert rule_number ..... 140
session-limit limit <0..8192> ..... 139
session-limit move rule_number to rule_number .....
show anti-spam tag {dnsbl | dnsbl-timeout} ..... 217
show anti-spam tag {mail-content | virus-outbreak} .....
show comport status ..... 41
show conn [user {username|any|unknown}] [service {service-name|any|unknown}] [source {ip|any}] [destination {ip|any}] [begin <1..128000>] [end <1..128000>] ..... 324
show conn ip-traffic destination ..... 324
show conn ip-traffic source ..... 324
show conn status .....
show firewall ..... 135
show firewall any ZyWALL ..... 135
show firewall block_rules .....
show idp profiles ..... 182
show idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log-alert} action action_mask .....
show ipv6 nd ra status config_interface ..... 57
show ipv6 neighbor-list ..... 343
show ipv6 static address interface ..
show reference object aaa authentication [default | auth_method] ..... 39
show reference object account pppoe [object_name] .....
show sslvpn application [application_object] ..... 266
show sslvpn monitor ..... 152
show ssl-vpn network-extension local-ip ..... 152
show sslvpn policy [profile_name] .....
sslvpn no connection username user_name ..... 153
sslvpn policy {profile_name | profile_name append | profile_name insert <1..16>} ..... 152
sslvpn policy move <1..16> to <1..16> ..... 153
sslvpn policy rename profile_name profile_name ..... 153
station-limit <1..255> .....
username username user-type ext-user ..... 230
users default-setting [no] logon-lease-time <0..1440> ..... 231
users default-setting [no] logon-re-auth-time <0..1440> .....