D-Link DFL-260E Reference Manual

Network Security Firewall CLI

Network Security Firewall
CLI Reference Guide
NetDefendOS
Ver. 11.04.01
Network Security Solution
http://www.dlink.com

Summary of Contents for D-Link DFL-260E

  • Page 1 Network Security Firewall CLI Reference Guide NetDefendOS Ver. 11.04.01 Network Security Solution http://www.dlink.com...
  • Page 2 CLI Reference Guide DFL-260E/860E/870/1660/2560/2560G NetDefendOS version 11.04.01 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2016-10-03 Copyright © 2016...
  • Page 3 EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT.
  • Page 4: Table Of Contents

    Table of Contents: Preface, 11; 1. Introduction, 13; 1.1. Running a command, 13; 1.2. Help, 14; 1.2.1. Help for commands, 14; 1.2.2. Help for object types, 14; 1.3. Function keys, 15; 1.4. Command line history, 16; 1.5.
  • Page 5 CLI Reference Guide 2.2.29. frags, 50; 2.2.30. ha, 51; 2.2.31. hostmon, 51; 2.2.32. httpalg, 51; 2.2.33. httpposter, 52; 2.2.34. hwm, 53; 2.2.35. idppipes, 53; 2.2.36. ifstat, 54; 2.2.37. igmp, 54; 2.2.38. ihs, 55; 2.2.39.
  • Page 6 CLI Reference Guide 2.2.90. vlan, 92; 2.2.91. vpnstats, 93; 2.2.92. zonedefense, 93; 2.3. Utility, 94; 2.3.1. geoip, 94; 2.3.2. ping, 94; 2.3.3. traceroute, 95; 2.4. Misc, 97; 2.4.1. echo, 97; 2.4.2. help, 97; 2.4.3.
  • Page 7 CLI Reference Guide 3.24. DHCPServerSettings, 152; 3.25. DHCPv6Server, 153; 3.25.1. DHCPv6ServerPoolStaticHost, 154; 3.26. DHCPv6ServerSettings, 155; 3.27. DiagnosticsSettings, 156; 3.28. DNS, 157; 3.29. DynamicRoutingRule, 158; 3.29.1. DynamicRoutingRuleExportOSPF, 159; 3.29.2. DynamicRoutingRuleAddRoute, 159; 3.30. DynDnsClientCjbNet, 161; 3.31.
  • Page 8 CLI Reference Guide 3.64.7. IPRuleFolder, 216; 3.64.8. IPRule, 216; 3.65. IPsecAlgorithms, 217; 3.66. IPsecTunnel, 219; 3.67. IPsecTunnelSettings, 222; 3.68. IPSettings, 224; 3.69. L2TPClient, 227; 3.70. L2TPServer, 229; 3.71. L2TPServerSettings, 231; 3.72. L2TPv3Client, 232; 3.73.
  • Page 9 CLI Reference Guide 3.115. ServiceIPProto, 295; 3.116. ServiceTCPUDP, 296; 3.117. SLBPolicy, 297; 3.118. SSHClientKey, 298; 3.119. SSLSettings, 299; 3.120. SSLVPNInterface, 301; 3.121. SSLVPNInterfaceSettings, 302; 3.122. StatelessPolicy, 303; 3.123. StateSettings, 304; 3.124. TCPSettings, 305; 3.125.
  • Page 10 List of Examples 1. Command option notation, 11; 1.1. Help for commands, 14; 1.2. Help for object types, 14; 1.3. Command line history, 16; 1.4. Tab completion, 17; 1.5. Inline help, 17; 1.6. Edit an existing property value, 18; 1.7.
  • Page 11: Preface

    Administrators that are responsible for configuring and managing the D-Link Firewall. • Administrators that are responsible for troubleshooting the D-Link Firewall. This guide assumes that the reader is familiar with the D-Link Firewall, and has the necessary basic knowledge in network security. Notation...
  • Page 12 Notation Preface is specified. The following two examples will yield the same result: gw-world:/> routes -flushl3cache=100 gw-world:/> routes -flushl3cache Because the table name option is followed by ellipses it is possible to specify more than one routing table. Since table name is optional as well, the user can specify zero or more policy-based routing tables.
  • Page 13: Introduction

    Chapter 1: Introduction • Running a command, page 13 • Help, page 14 • Function keys, page 15 • Command line history, page 16 • Tab completion, page 17 • User roles, page 20 This guide is a reference for all commands and configuration object types that are available in the command line interface for NetDefendOS.
  • Page 14: Help

    Chapter 1: Introduction 1.2. Help 1.2.1. Help for commands There are two ways of getting help about a command. A brief help is displayed if the command name is typed followed by -? or -h. This applies to all commands and is therefore not listed in the option list for each command in this guide.
  • Page 15: Function Keys

    Chapter 1: Introduction 1.3. Function keys In addition to the return key there are a number of function keys that are used in the CLI. Backspace Delete the character to the left of the cursor. Complete current word. Ctrl-A or Home Move the cursor to the beginning of the line.
  • Page 16: Command Line History

    Chapter 1: Introduction 1.4. Command line history Every time a command is run, the command line is added to a history list. The up and down arrow keys are used to access previous command lines (up arrow for older command lines and down arrow to move back to a newer command line).
  • Page 17: Tab Completion

    Chapter 1: Introduction 1.5. Tab completion By using the tab function key in the CLI the names of commands, options, objects and object properties can be automatically completed. If the text entered before pressing tab only matches one possible item, e.g. "activate" is the only match for "acti", and a command is expected, the name will be autocompleted.
  • Page 18: Autocompleting Current And Default Value

    Chapter 1: Introduction A more detailed help text about Address is displayed. 1.5.2. Autocompleting Current and Default value Another special character that can be used together with tab completion is the period "." character. If "." is entered instead of a property value and tab is pressed it will be replaced by the current value of that property.
  • Page 19 Chapter 1: Introduction Accessing an IP4Address object without the use of categories: gw-world:/> show IP4Address example_ip...
  • Page 20: User Roles

    Chapter 1: Introduction 1.6. User roles Some commands and options cannot be used unless the logged-in user has administrator privileges. This is indicated in this guide by a note following the command or Admin only written next to an option.
  • Page 21 Chapter 1: Introduction...
  • Page 22: Command Reference

    Chapter 2: Command Reference • Configuration, page 22 • Runtime, page 33 • Utility, page 94 • Misc, page 97 2.1. Configuration 2.1.1. activate Activate changes. Description Activate the latest changes. This will issue a reconfiguration, using the new configuration. If the reconfiguration is successful a commit command must be issued within the configured timeout interval in order to save the changes to media.
  • Page 23: Create A New Object

    Chapter 2: Command Reference Description Create a new object and add it to the configuration. Specify the type of object you want to create and the identifier, if the type has one, unless the object is identified by an index. Set the properties of the object by writing the propertyname equals (=) and then the value.
  • Page 24: Cancel

    Chapter 2: Command Reference 2.1.3. cancel Cancel ongoing commit. Description Cancel commit operation immediately, without waiting for the timeout. Usage cancel Note Requires Administrator privileges. 2.1.4. cc Change the current context. Description Change the current configuration context. A context is a group of objects that are dependent on and grouped by a parent object. Many objects lie in the "root"...
  • Page 25: Commit

    Chapter 2: Command Reference Change the current context. cc -print Print the current context. Change to root context (same as "cc /"). Options -print Print the current context. <Category> Category that groups object types. <Identifier> The property that identifies the configuration object.
  • Page 26: Pskgen

    Chapter 2: Command Reference activated. See also: undelete Example 2.3. Delete an object Delete an unreferenced object: gw-world:/> delete Address IP4Address example_ip Delete a referenced object: (will cause error in examplerule) gw-world:/> set IPRule examplerule SourceNetwork=examplenet gw-world:/> delete Address IP4Address examplenet -force Usage delete [<Category>] <Type>...
  • Page 27: Reject

    Chapter 2: Command Reference Options -comments=<String> Comments for this key. -size={64 | 128 | 256 | 512 | 1024 | 2048 | 4096} Number of bits of data in the generated key. (Default: 64) <Name> Name of key. Note Requires Administrator privileges. 2.1.8.
  • Page 28: Reset

    Chapter 2: Command Reference Usage reject [<Category>] <Type> [<Identifier>] [-recursive] Reject changes made to the specified object. reject -all Reject all changes in the configuration. Options -all Reject all changes in the configuration. -recursive Recursively reject changes. <Category> Category that groups object types. <Identifier>...
  • Page 29: Set

    Chapter 2: Command Reference Note Requires Administrator privileges. 2.1.10. set Set property values. Description Set property values of configuration objects. Specify the type of object you want to modify and the identifier, if the type has one. Set the properties of the object by writing the propertyname equals (=) and then the value. An optional category can be specified for some object types when using tab completion.
  • Page 30: Show

    Chapter 2: Command Reference object. May not be applicable depending on the specified <Type>. <key-value pair> One or more property-value pairs, i.e. <property name>=<value> or <property name>="<value>". <Type> Type of configuration object to perform operation Note Requires Administrator privileges. 2.1.11. show Show objects.
  • Page 31: Undelete

    Chapter 2: Command Reference properties as well as their status: gw-world:/> show Address IP4Address gw-world:/> show IP4Address Show a table of all objects for each type in a category: gw-world:/> show Address Show objects with changes and errors: gw-world:/> show -changes gw-world:/>...
  • Page 32: Undelete An Object

    Chapter 2: Command Reference Description Restore a previously deleted object. This is possible as long as the activate command has not been called. See also: delete Example 2.7. Undelete an object Undelete an unreferenced object: gw-world:/> delete Address IP4Address example_ip gw-world:/>...
  • Page 33: Runtime

    Chapter 2: Command Reference 2.2. Runtime 2.2.1. about Show copyright/build information. Description Show copyright and build information. Usage about 2.2.2. alarm Show alarm information. Description Show list of currently active alarms. Usage alarm [-history] [-active] Options -active Show the currently active alarms. -history Show the 20 latest alarms.
  • Page 34: Arp

    Chapter 2: Command Reference appcontrol Show general information about application control system. appcontrol -show_lists List information about specified application. appcontrol -delete_lists={ALL | <Integer>} List information about specified application. appcontrol <Name> List information about specified application. appcontrol -application=<String> [-save_list] Define a filter selecting individual applications. appcontrol -filter [-name=<String>] [-family=<String>] [-risk={VERY_LOW | LOW | MEDIUM | HIGH | VERY_HIGH}] [-tag=<String>] [-save_list]...
  • Page 35: Arpsnoop

    Chapter 2: Command Reference The presented list can be filtered using the ip and hw options. Usage Show all ARP entries. arp -show [<Interface>] [-ip=<pattern>] [-hw=<pattern>] [-num=<n>] Show ARP entries. arp -hashinfo [<Interface>] Show information on hash table health. arp -flush [<Interface>] Flush ARP cache of specified interface.
  • Page 36: Ats

    Chapter 2: Command Reference Usage arpsnoop Show snooped interfaces. arpsnoop {ALL | NONE | <interface>} [-verbose] Snoop specified interface. Options -verbose Verbose. {ALL | NONE | <interface>} Interface name. Note Requires Administrator privileges. 2.2.6. ats Show active ARP Transaction States. Description Show active ARP Transaction States.
  • Page 37: Authagentsnoop

    Chapter 2: Command Reference authagent -version Shows the state of the configured Authentication Agents including the protocol version. authagent Shows the state of the configured Authentication Agents. authagent {ALL | <AuthAgent>} Shows the state of the configured Authentication Agents. authagent -reconnect {ALL | <AuthAgent>} Closes the connection with the Agent and attempts to reconnect.
  • Page 38: Avcache

    Chapter 2: Command Reference 2.2.9. avcache Control the anti-virus cache. Description Show anti-virus cache statistics or remove all entries in it. Usage avcache -clear Remove all entries in the anti-virus cache. avcache Show anti-virus cache count. Options -clear Remove all entries in the anti-virus cache. 2.2.10.
  • Page 39: Buffers

    Chapter 2: Command Reference | OTHER | TCPUDP | ALL}] [-port=<port number>] [-dest=<ip address>] [-time=<seconds>] Block specified netobject. blacklist -unblock <host> [-serv=<service>] [-prot={TCP | UDP | ICMP | OTHER | TCPUDP | ALL}] [-port=<port number>] [-dest=<ip address>] [-time=<seconds>] [-force] Unblock specified netobject. Options -all Show all the information.
  • Page 40: Cam

    Chapter 2: Command Reference Usage buffers List the 20 most recently freed buffers. buffers -recent Decode the most recently freed buffer. buffers <Num> Decode buffer number <Num>. Options -recent Decode most recently freed buffer. <Num> Decode given buffer number. 2.2.12. cam CAM table information.
  • Page 41: Certcache

    Chapter 2: Command Reference <Interface> Interface. 2.2.13. certcache Show the contents of the certificate cache. Description Show all certificates in the certificate cache. Usage certcache [-verbose] Options -verbose Show verbose information. 2.2.14. cfglog Display configuration log. Description Display the log of the last configuration read attempt. Usage cfglog 2.2.15.
  • Page 42: Cpuid

    Chapter 2: Command Reference [-protocol=<name/num>] [-srcport=<port>] [-destport=<port>] List connections. connections Same as "connections -show". connections -close [-all] [-srciface=<interface>] [-destiface=<interface>] [-ipver={IPV6 | IPV4}] [-srcip=<ip address>] [-destip=<ip address>] [-protocol=<name/num>] [-srcport=<port>] [-destport=<port>] Close connections. Options -all Mark all connections. -close Close all connections that match the filter expression.
  • Page 43: Crashdump

    Chapter 2: Command Reference 2.2.17. crashdump Show the contents of the crash.dmp file. Description Show the contents of the crash.dmp file, if it exists. Usage crashdump 2.2.18. cryptostat Show information about crypto accelerators. Description Show information about installed crypto accelerators. Usage cryptostat [-hashinfo] Options...
  • Page 44: Dconsole

    Chapter 2: Command Reference 2.2.20. dconsole Displays the content of the diagnose console. Description The diagnose console is used to help troubleshooting internal problems within the firewall. Usage dconsole [-clean] [-flush] [-date=<date>] [-onlyhigh] Options -clean Remove all diagnose entries. (Admin only) -date=<date>...
  • Page 45: Dhcprelay

    Chapter 2: Command Reference -lease={RENEW | RELEASE} Modify interface lease. -list List all DHCP enabled interfaces. -show Show information about DHCP enabled interface. <interface> DHCP Interface. 2.2.22. dhcprelay Show DHCP/BOOTP relayer ruleset. Description Display the content of the DHCP/BOOTP relayer ruleset and the current routed DHCP relays. Display filter filters relays based on interface/ip (example: if1 192.168.*) Usage dhcprelay...
  • Page 46: Dhcpv6

    Chapter 2: Command Reference Show content of the DHCP server ruleset. Description Show the content of the DHCP server ruleset and various information about active/inactive leases. Display filter filters entries based on Interface/MAC/IP (example: If1 192.168.*) Usage dhcpserver Show DHCP server leases. dhcpserver -show [-rules] [-leases] [-num=<Integer>] [-fromentry=<Integer>] [-mappings] [-utilization] [<Display filter>]...
  • Page 47: Dhcpv6Server

    Chapter 2: Command Reference Display information about DHCPv6-enabled interfaces or modify/update their leases. Description Display information about a DHCPV6-enabled interface. Usage dhcpv6 List DHCPv6 enabled interfaces. dhcpv6 -list List DHCPv6 enabled interfaces. dhcpv6 -show [<interface>] Show information about DHCPv6 enabled interface. dhcpv6 -lease={RENEW | RELEASE} <interface>...
  • Page 48: Dns

    Chapter 2: Command Reference Release an active IP6. dhcpv6server -show [-rules] [-leases] [-num=<Integer>] [-fromentry=<Integer>] [<display filter>]... Show DHCP server ruleset. Options -fromentry=<Integer> Shows dhcp server lease list from offset <n>. -leases Show DHCPv6 server leases. -num=<Integer> Limit list to <n> leases. -releaseip Release an active IP.
  • Page 49: Dnsbl

    Chapter 2: Command Reference Options -cache Show contents of DNS cache. -list List pending DNS queries. -num=<n> Limit list to <n> addresses. (Default: 20) -query Resolve domain name. -remove Remove all pending DNS queries. -type={A | AAAA} Query type. <domain name> Resolve domain name.
  • Page 50: Frags

    Chapter 2: Command Reference Route is unexported Usage dynroute [-rules] [-exports] Options -exports Show current exports. -rules Show dynamic routing, filter ruleset. 2.2.29. frags Show active fragment reassemblies. Description List active fragment reassemblies. More detailed information can optionally be obtained for specific reassemblies: Newest reassembly All reassemblies 0..1023...
  • Page 51: Hostmon

    Chapter 2: Command Reference (Default: all) 2.2.30. ha Show current HA status. Description Show current HA status. Usage ha [-activate] [-deactivate] Options -activate Go active. -deactivate Go inactive. 2.2.31. hostmon Show Host Monitor statistics. Description Show active Host Monitor sessions. Usage hostmon [-verbose] [-num=<n>] Options...
  • Page 52: Httpposter

    Chapter 2: Command Reference Show information about the WCF cache or list the overridden WCF hosts. Usage httpalg -override [-flush] List or flush hosts that have overridden the wcf filter. httpalg -wcfcache [-show] [-url=<String>] [-flush] [-verbose] [-count] [-server[={STATUS | CONNECT | DISCONNECT}]] [-num=<n>] Display URL cache information.
  • Page 53: Hwm

    Chapter 2: Command Reference 2.2.34. hwm Show hardware monitor sensor status. Description Show hardware monitor sensor status. Usage hwm [-all] [-verbose] Options -all Show ALL sensors, WARNING: use at own risk, may take long time for highspeed ifaces to cope. -verbose Show sensor number, type and limits.
  • Page 54: Ifstat

    Chapter 2: Command Reference -unpipe Remove piping for the specified host. (Admin only) 2.2.36. ifstat Show interface statistics. Description Show list of attached interfaces, or in-depth information about a specific interface. Usage ifstat [<Interface>] [-filter=<expr>] [-pbr=<table name>] [-num=<n>] [-restart] [-allindepth] [-maclist] [-snmpnewindexes] Options -allindepth...
  • Page 55: Ihs

    Chapter 2: Command Reference Prints the current IGMP state. igmp -state [<Interface>] Prints the current IGMP state. If an interface is specified, more details are provided. igmp -query <Interface> [<MC address> [<router address>]] Simulate an incoming IGMP query message. igmp -join <Interface> <MC address> [<host address>] Simulate an incoming IGMP join message.
  • Page 56 Chapter 2: Command Reference Show memory statistics about the IKE engine. ike -delete [<ip address>] [-srcif=<Interface>] [-force] Delete IKE SAs. ike -connect [<IPsecTunnel>] Setup IKE and IPsec SAs for a specified tunnel. ike -tunnels [<IPsecTunnel>] [-num={ALL | <Integer>}] [-force] Show configured tunnels. ike -show [<ip address>] [-num={ALL | <Integer>}] [-srcif=<Interface>] [-verbose] [-force] [-tunnel=<IPsecTunnel>]...
  • Page 57: Ikesnoop

    Chapter 2: Command Reference -srcif=<Interface> Interface used to reach the remote endpoint. -stat Show verbose information. -tunnel=<IPsecTunnel> IPsec interface. -tunnels Show information on configured tunnels. -verbose Show verbose information. <ip address> IP address of remote SG/peer. <IPsecTunnel> IPsec interface. 2.2.40. ikesnoop Enable or disable IKE-snooping.
  • Page 58: Ipsec

    Chapter 2: Command Reference Show IP pool information. Description Show information about the current state of the configured IP pools. Usage ippool Show IP pool information. ippool -release [<ip address>] [-all] Forcibly free IP assigned to subsystem. ippool -renew [<ip address>] [-all] Try to renew IP leases through DHCP Server.
  • Page 59: Ipsecdefines

    Chapter 2: Command Reference ipsec -stat [<IPsecTunnel>] Show global or interface statistics about IPsec SAs. ipsec -show [<IPsecTunnel>] [-verbose] [-num={ALL | <Integer>}] [-srcif=<Interface>] [-force] [-usage] Show SA information. ipsec Show SA information. Options -force Bypass confirmation question. -num={ALL | <Integer>} Maximum number of entries to show (default: 40/8).
  • Page 60: Ipsechastat

    Chapter 2: Command Reference Usage ipsecglobalstats -mem [-verbose] Start IKE test. ipsecglobalstats -verbose Start IKE test. ipsecglobalstats Show interfaces. Options -mem Show memory statistics. -verbose Show all statistics. Deprecated (2014-05-27) Replaced by command ike -stat. Deprecated commands may be removed in future releases.
  • Page 61: Ipsectunnels

    Chapter 2: Command Reference Description List the currently active IKE and IPsec SAs, optionally only showing SAs matching the pattern given for the argument "tunnel". Usage ipsecstats [-ike] [<tunnel>] [-ipsec] [-usage] [-verbose] [-num={ALL | <Integer>}] [-force] Options -force Bypass confirmation question. -ike Show IKE SAs.
  • Page 62: Killsa

    Chapter 2: Command Reference Show interfaces. Options -force Bypass confirmation question. -iface=<recv iface> IPsec interface to show information about. -num={ALL | <Integer>} Maximum number of entries to show (default: 40). Deprecated (2014-05-27) Replaced by command ike -tunnels. Deprecated commands may be removed in future releases.
  • Page 63: L2Tp

    Chapter 2: Command Reference 2.2.49. l2tp Show L2TP information. Description Shows L2TP information and statistics. Usage l2tp -state={ALL | ACTIVE | LISTENING} [-child] [-num=<Integer>] Show all L2TP sessions. l2tp -l2tpserver=<PPTP/L2TP Server> [-l2tpv3server=<L2TPv3 Server>] [-l2tpv3client=<L2TPv3 Client>] [-l2tpclient=<PPTP/L2TP Client>] [-state={ALL | ACTIVE | LISTENING}] [-child] [-num=<Integer>] List L2TP sessions.
  • Page 64: Ldap

    Chapter 2: Command Reference Description Manage language files on disk Usage languagefiles Show all language files on disk. languagefiles -remove=<String> Remove a language file from disk. Options -remove=<String> Specify language file to delete. 2.2.51. ldap LDAP information. Description Status and statistics for the configured LDAP databases. Usage ldap List all LDAP databases.
  • Page 65: License

    Chapter 2: Command Reference <LDAP Server> LDAP database. 2.2.52. license License management. Description Display the current license. Usage license Show the contents of the current license. license -show Show the contents of the current license. Options -show Show current status and credentials. 2.2.53.
  • Page 66: Lwhttp

    Chapter 2: Command Reference Usage logout 2.2.55. lwhttp Commands related to the Light-Weight HTTP inspection engine. Description The lwhttp CLI command prints information about the Light-Weight HTTP inspection engine, aka LW-HTTP ALG. The LW-HTTP inspection engine automatically replaces the ordinary HTTP-ALG when the policies configured on an IP Policy require less management state, e.g.
  • Page 67: Natpool

    Chapter 2: Command Reference lists. Usage memory 2.2.58. natpool Show current NAT Pools. Description Show current NAT Pools and in-depth information. Usage natpool [-verbose] [<pool name> [<IP4 Address>]] [-num=<Integer>] Options -num=<Integer> Maximum number of items to list (default: 20). -verbose Verbose (more information).
  • Page 68: Ndsnoop

    Chapter 2: Command Reference Show all Neighbor Discovery entries. nd -show [<Interface>] [-ip=<pattern>] [-hw=<pattern>] [-num=<n>] Show Neighbor Discovery entries. nd -hashinfo [<Interface>] Show information on hash table health. nd -flush [<Interface>] Flush Neighbor Discovery cache of specified interface. nd -query=<ip> <Interface> Send Neighbor Solicitation for IP.
  • Page 69: Netobjects

    Chapter 2: Command Reference Usage ndsnoop Show snooped interfaces. ndsnoop {ALL | NONE | <interface>} [-verbose] Snoop specified interface. Options -verbose Verbose. {ALL | NONE | <interface>} Interface name. Note Requires Administrator privileges. 2.2.61. netobjects Show runtime values of network objects. Description Displays named network objects and their contents.
  • Page 70 Chapter 2: Command Reference Show runtime OSPF information. Description Show runtime information about the OSPF router process(es). Note: -process is only required if there are >1 OSPF router processes. Usage ospf Show runtime information. ospf -iface [<interface>] [-process=<OSPF Router Process>] Show interface information.
  • Page 71: Pcapdump

    Chapter 2: Command Reference -database Show the LSA database. -execute={STOP | START | RESTART} Start/stop/restart OSPF process. (Admin only) -iface Show interface information. -ifacedown Take specified interface offline. (Admin only) -ifaceup Take specified interface online. (Admin only) -lsa Show details for a specified LSA <lsaID>. -neighbor Show neighbor information.
  • Page 72 Chapter 2: Command Reference Start capture. pcapdump -stop [<interface(s)>] Stop capture. pcapdump -status Show capture status. pcapdump -show [<interface(s)>] [-num={ALL | <Integer>}] Show a captured packets brief. pcapdump -write [<interface(s)>] [-filename=<String>] Write the captured packets to disk. pcapdump -wipe Remove all captured packets from memory. pcapdump -cleanup Remove all captured packets, release capture mode and delete all written capture files from disk.
  • Page 73: Pipes

    Chapter 2: Command Reference -proto=<0...255> IP protocol filter. -show Show a captured packets brief. -size=<value> Size (kb) of buffer to store captured packets in memory (default 512kb). -snaplen=<value> Maximum length of each packet to capture. -srcport=<0...65535> Source TCP/UDP port filter. -start Start capture.
  • Page 74: Pptp

    Chapter 2: Command Reference Options -expr=<String> Pipe wildcard(*) expression. -show Show pipe details. -users List users of a given pipe. <Pipe> Show pipe details. 2.2.65. pptp Show PPTP information. Description Shows PPTP information and statistics. Usage pptp -state={ALL | ACTIVE | LISTENING | CHILDONLY} [-child] [-num=<Integer>] Show all PPTP sessions.
  • Page 75: Reconfigure

    Chapter 2: Command Reference Description Shows information and statistics of the PPTP ALGs. Usage pptpalg Show all configured PPTP ALGs. pptpalg -sessions <PPTP ALG> [-verbose] [-num=<Integer>] List all PPTP sessions. pptpalg -services <PPTP ALG> List all services attached to PPTP ALG. Options -num=<Integer>...
  • Page 76: Route

    Chapter 2: Command Reference Description Rekey IPsec or IKE SAs associated with a given remote IKE peer, or optionally all IPsec or IKE SAs in the system. Usage rekeysa -ike <ip address> Rekey IKE SAs. rekeysa -ipsec <ip address> Rekey IPsec SAs. rekeysa <ip address>...
  • Page 77: Routes

    Chapter 2: Command Reference 2.2.71. routes Display routing lists. Description Display information about the routing table(s): Contents of a (named) routing table. The list of routing tables, along with a total count of route entries in each table, as well as how many of the entries are single-host routes.
  • Page 78: Rtmonitor

    Chapter 2: Command Reference <table name> Name of routing table. 2.2.72. rtmonitor Real-time monitor information. Description Show information about real-time monitor objects, and real-time monitor alerts. All objects matching the specified filter are displayed. The filter can be the name of an object, or the beginning of a name.
  • Page 79: Selftest

    Chapter 2: Command Reference Usage rules -type=IP [-ruleset={* | MAIN | <IP Rule Set>}] [-verbose] [-schedule] [<rules>]... Show IP rules. rules -type={ROUTING | PIPE | IDP | THRESHOLD | IGMP} [-verbose] [-schedule] [<rules>]... Show a specific type of rules. Options -ruleset={* | MAIN | <IP Rule Set>} Show a specified IP ruleset.
  • Page 80: Interface Ping Test Between Interfaces 'If1' And 'If2'

    Chapter 2: Command Reference selftest -ping Example 2.14. Interface ping test between interfaces 'if1' and 'if2' selftest -ping -interfaces=if1,if2 Example 2.15. Start 30 min burn-in, testing RAM, storage media and crypto accelerator selftest -burnin -minutes 30 -media -memory -cryptoaccel Usage selftest -memory [-num=<Integer>] Check the sanity of the RAM.
  • Page 81: Services

    Chapter 2: Command Reference selftest Show the status of a running test. Options -abort Abort a running self test. -burnin Run burn-in tests for a selected set of sub tests. -cryptoaccel Verify the correct functioning of available crypto accelerator cards. -hours[=<Integer>] Test duration in hours.
  • Page 82: Sessionmanager

    Chapter 2: Command Reference services http* Usage services [<String>] Options <String> Name or pattern. 2.2.76. sessionmanager Session Manager. Description Show information about the Session Manager, and list currently active users. Explanation of Timeout flags for sessions: Session is disabled Session uses a timeout in its subsystem Session does not use timeout Usage sessionmanager...
  • Page 83: Settings

    Chapter 2: Command Reference Forcibly terminate session(s). Options -disconnect Forcibly terminate session(s). (Admin only) -info Show in-depth information about session. -list List active sessions. -message Send message to session. -num=<n> List <n> number of session. -status Show Session Manager status. <database>...
  • Page 84: Sipalg

    Chapter 2: Command Reference Description Initiate restart of the core/system. Usage shutdown [<seconds>] [-normal] [-reboot] Options -normal Initiate core shutdown. -reboot Initiate system reboot. <seconds> Seconds until shutdown. (Default: 5) Note Requires Administrator privileges. 2.2.79. sipalg SIP ALG. Description List running SIP-ALG configurations, SIP registration and call information. The -flags option with -snoop allows any combination of the following values: 0x00000001 GENERAL 0x00000002 ERRORS...
  • Page 85 Chapter 2: Command Reference 0x00001000 RESPONSE 0x00002000 TOPO_CHANGES 0x00004000 MEDIA 0x00008000 CONTACT 0x00010000 CONN 0x00020000 PING 0x00040000 TRANSACTION 0x00080000 CALLLEG 0x00100000 REGISTRY Flags can be added in the usual way. The default value is 0x00000003 (GENERAL and ERRORS). NOTE: 'verbose' option outputs a lot of information on the console which may lead to system instability.
  • Page 86: Smtp

    -connection Show SIP connections. -definition Show running ALG configuration parameters. -flags=<String> SIP snooping for certain levels. Expected number in hexadecimal notation. -registration[={SHOW | FLUSH}] Show or flush registration table. (Default: show) -session Show active SIP sessions. -snoop={ON | OFF | VERBOSE} Enable or disable SIP snooping.
  • Page 87: Sshserver

    -logreceiver=<Mail Alerting> LogReceiver. -message=<String> Mail message. -num[=<1...1000>] Number of entries to list. (Default: 40) -sendmail Send test mail to SMTP LogReceiver. -stat Show SMTP statistics. -verbose Verbose output. 2.2.81. sshserver SSH Server. Description Show SSH Server status, or start/stop/restart SSH Server. Usage sshserver Show server status and list all connected clients.
  • Page 88: Sslvpn

    Note Requires Administrator privileges. 2.2.82. sslvpn SSLVPN tunnels. Description List running SSLVPN configurations, SSLVPN active tunnels and call information. Usage sslvpn [-num=<n>] Options -num=<n> Limit display to <n> entries. (Default: 20) 2.2.83. stats Display various general firewall statistics. Description Display general information about the firewall, such as uptime, CPU load, resource consumption and other performance data.
  • Page 89: Techsupport

    sysmsgs 2.2.85. techsupport Technical Support information. Description Generate information useful for technical support. Due to the large amount of output, this command might show a truncated result when executed from the local console. Usage techsupport 2.2.86. time Display current system time.
  • Page 90: Uarules

    <HH:MM:SS>. -sync Synchronize time with timeserver(s) (specified in settings). -verbose Show more information about time zone and DST. <date> Date YYYY-MM-DD. <time> Time HH:MM:SS. 2.2.87. uarules Show user authentication rules. Description Displays the contents of the user authentication ruleset. Example 2.17.
  • Page 91: Userauth

    Show update status and database information. updatecenter -status[={ANTIVIRUS | IDP | ALL}] [-verbose] Show update status and database information. updatecenter -update[={ANTIVIRUS | IDP | ALL}] Initiate an update check of the specified database. updatecenter -removedb={ANTIVIRUS | IDP} Remove the specified signature database.
  • Page 92: Vlan

    userauth -user <user ip> Show all information for user(s) with this IP address. userauth -remove <user ip> <Interface> Forcibly log out an authenticated user. Options -blocked List all blocked users. -list List all authenticated users. -num=<n> Limit list of authenticated users.
  • Page 93: Vpnstats

    -num=<n> Limit display lines to <n> entries in page. (Default: -page[=<n>] Set page <n> for lines to display. (Default: 1) <Interface> Display VLAN information about this interface. 2.2.91. vpnstats Alias for ipsecstats. 2.2.92. zonedefense Zonedefense. Description Block/unblock IP addresses/net and ethernet addresses.
  • Page 94: Utility

    2.3. Utility 2.3.1. geoip Display GeoIP information. Description Display status of GeoIP database and perform manual lookups. Usage geoip Display statistics. geoip -filters [-num=<n>] Display filter information. geoip -status Display statistics. geoip -query <IPAddress> Lookup IP address to GeoIP location. Options -filters Display current active Geolocation Filters.
  • Page 95: Traceroute

    Usage ping [<String>] [-srcif=<interface>] [-srcip=<ip address>] [-pbr=<table>] [-count=<1...10>] [-length=<2...8192>] [-port=<0...65535>] [-udp] [-tcp] [-tos=<0...255>] [-verbose] [-6] Options Force IPv6. -count=<1...10> Number of packets to send. (Default: 1) -length=<2...8192> Packet size. (Default: 4) -pbr=<table> Route using PBR Table. -port=<0...65535>...
  • Page 96

    traceroute -stop Stop trace. Options Force IPv6 if target is a FQDN. -count=<1...10> Number of queries to send for each hop. (Default: -maxhops=<1...255> Maximum number of hosts to traverse in search of target. (Default: 30) -nodelay Send queries as fast as possible (may look like Denial of Service attack).
  • Page 97: Misc

    2.4. Misc 2.4.1. echo Print text. Description Print text to the console. Example 2.18. Hello World echo Hello World Usage echo [<String>]... Options <String> Text to print. 2.4.2. help Show help for selected topic. Description The help system contains information about commands and configuration object types. The fastest way to get help is to simply type help followed by the topic that you want help with.
  • Page 98: History

    Display help about selected topic from any category. help -category={COMMANDS | TYPES} [<Topic>] Display help from a specific topic category. Options -category={COMMANDS | TYPES} Topic category. <Topic> Help topic. 2.4.3. history Dump history to screen. Description List recently typed commands that have been stored in the command history.
  • Page 99: Rate Limit Log Flow To Five Logs Per Second

    Example 2.20. Rate limit log flow to five logs per second :/> logsnoop -on -rate=5 Example 2.21. Show logs from the memlog buffer :/> logsnoop -on -source=memlog Example 2.22. Show logs having a source IP value :/>...
  • Page 100: Transfer Script Files To And From The Device

    -destif=<Interface> Destination interface to filter on. -destip=<IPAddress> Destination IP address or network to filter on. -destport=<0...65535> Destination port to filter on. -endtime=<DateTime> End time of log snooping. Format: year-month-day [HH:MM:SS]. -event=<String> Log event to filter on. -ipproto={TCP | UDP | ICMP | <String>} Protocol to filter on.
  • Page 101: Script

    Download: scp user@sgw-ip:script/myscript ./myscript In addition to the files listed it is possible to upload license, certificates and ssh public key files. Example 2.25. Upload license data scp licence.lic user@sgw-ip:license.lic Certificates and ssh client key objects are created if they do not exist. Example 2.26.
  • Page 102

    "script.sgs": add IP4Address Name=$1 Address=$2 Comment="$0: \$100". :/> script -execute -name=script.sgs ip_test 127.0.0.1 is executed as line: add IP4Address Name=ip_test Address=127.0.0.1 Comment="script.sgs: $100" Usage script -create [[<Category>] <Type> [<Identifier>]] [-name=<Name>] Create configuration script from specified object, class or category. script -execute [-verbose] [-force] [-quiet] -name=<Name>...
  • Page 103

    <Identifier> The property that identifies the configuration object. May not be applicable depending on the specified <Type>. <Parameters> List of input arguments. <Type> Type of configuration object to perform operation Note Requires Administrator privileges.
  • Page 105: Configuration Reference

    Chapter 3: Configuration Reference • Access, page 109 • Address, page 111 • AdvancedScheduleProfile, page 116 • ALG, page 117 • AntiVirusPolicy, page 126 • AppControlSettings, page 127 • ApplicationRuleSet, page 128 • ARPND, page 130 • ARPNDSettings, page 131 •...
  • Page 106

    • DHCPServerSettings, page 152 • DHCPv6Server, page 153 • DHCPv6ServerSettings, page 155 • DiagnosticsSettings, page 156 • DNS, page 157 • DynamicRoutingRule, page 158 • DynDnsClientCjbNet, page 161 • DynDnsClientDLink, page 162 • DynDnsClientDLinkChina, page 163 •...
  • Page 107

    • IGMPSetting, page 195 • IKEAlgorithms, page 196 • InterfaceGroup, page 198 • IP6in4Tunnel, page 199 • IPPolicy, page 200 • IPPool, page 204 • IPRule, page 205 • IPRuleFolder, page 208 • IPRuleSet, page 216 •...
  • Page 108

    • MulticastSettings, page 252 • NATPool, page 253 • OSPFProcess, page 254 • Pipe, page 259 • PipeRule, page 262 • PPPoETunnel, page 263 • PPPSettings, page 265 • PSK, page 266 • RadiusAccounting, page 267 •...
  • Page 109: Access

    • SSLVPNInterface, page 301 • SSLVPNInterfaceSettings, page 302 • StatelessPolicy, page 303 • StateSettings, page 304 • TCPSettings, page 305 • ThresholdRule, page 307 • UpdateCenter, page 309 • UserAuthRule, page 310 • VLAN, page 313 •...
  • Page 110

    Note If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 111: Address

    3.2. Address This is a category that groups the following object types. 3.2.1. AddressFolder Description An address folder can be used to group related address objects for better overview. Properties Name Specifies a symbolic name for the network object. (Identifier) Comments Text describing the current object.
  • Page 112

    3.2.1.3. EthernetAddress Description Use an Ethernet Address item to define a symbolic name for an Ethernet MAC address. Properties Name Specifies a symbolic name for the network object. (Identifier) Address Ethernet MAC address, e.g. "12-34-56-78-ab-cd". Comments Text describing the current object.
  • Page 113

    Use an IP6 Address item to define a name for a specific IP6 host, network or range. Properties Name Specifies a symbolic name for the network object. (Identifier) Address IPv6 address, e.g. "2001:DB8::/32". ActiveAddress The dynamically set address used by e.g. DHCPv6 enabled Ethernet interfaces.
  • Page 114: Ethernetaddress

    Members Group members. UserAuthGroups Groups and user names that belong to this object. Objects that filter on credentials can only be used as source networks and destination networks in rules. (Optional) NoDefinedCredentials If this property is enabled the object requires user authentication, but has no credentials (user names or groups) defined.
  • Page 115: Ip4Group

    3.2.5. IP4Group The definitions here are the same as in Section 3.2.1.8, “IP4Group” . 3.2.6. IP4HAAddress The definitions here are the same as in Section 3.2.1.9, “IP4HAAddress” . 3.2.7. IP6Address The definitions here are the same as in Section 3.2.1.6, “IP6Address” . 3.2.8.
  • Page 116: Advancedscheduleprofile

    3.3. AdvancedScheduleProfile Description An advanced schedule profile contains definitions of occurrences used by various policies in the system. Properties Name Specifies a symbolic name for the service. (Identifier) Comments Text describing the current object. (Optional) 3.3.1. AdvancedScheduleOccurrence Description An advanced schedule occurrence specifies an occurrence that should happen between certain times for days in month/week...
  • Page 117: Alg

    3.4. ALG This is a category that groups the following object types. 3.4.1. ALG_FTP Description Use an FTP Application Layer Gateway to manage FTP traffic through the system. Properties Name Specifies a symbolic name for the ALG. (Identifier) AllowServerPassive Allow server to use passive mode (unsafe for server).
  • Page 118: Alg_H323

    ZDEnabled Enable ZoneDefense Block. (Default: No) ZDNetwork Hosts within this network will be blocked at switches if a virus is found. FileListType Specifies if the file list contains files to allow or deny. (Default: Block) FailModeBehavior Standard behaviour on error: Allow or Deny.
  • Page 119

    RemoveScripts Remove Javascript/VBScript. (Default: No) RemoveApplets Remove Java applets. (Default: No) RemoveActiveX Remove ActiveX objects (including Flash). (Default: ForceSafeSearch Force SafeSearch on Google, Bing and Yahoo! search engines. (Default: No) VerifyUTF8URL Verify that URLs do not contain invalid UTF8 encoding.
  • Page 120: Alg_Pop3

    classified. (Default: Allow) AllowFilteringOverride Allow the user to display a blocked site. (Default: OverrideUpdateOnAccess Restart the override timer on each new access to disallowed categories. (Default: Yes) OverrideTimeToLive Seconds that all disallowed categories will be allowed for the host that requested the override. (Default: 300) Comments Text describing the current object.
  • Page 121: Alg_Pptp

    deny. (Default: Block) FailModeBehavior Standard behaviour on error: Allow or Deny. (Default: Deny) File List of file types to allow or deny. (Optional) VerifyContentMimetype Verify that file extensions correspond to the MIME type. (Default: No) Antivirus Disabled, Audit or Protect.
  • Page 122: Alg_Smtp

    Description Use a SIP ALG to manage SIP based multimedia sessions. Properties Name Specifies a symbolic name for the ALG. (Identifier) MaxSessionsPerId Maximum number of sessions per SIP URI. (Default: MaxRegistrationTime The maximum allowed time in seconds between registration requests.
  • Page 123

    FileListType Specifies if the file list contains files to allow or deny. (Default: Block) FailModeBehavior Standard behaviour on error: Allow or Deny. (Default: Deny) File List of file types to allow or deny. (Optional) VerifyContentMimetype Verify that file extensions correspond to the MIME type.
  • Page 124: Alg_Tftp

    DNSBlackLists Specifies the BlackList domain and its weighted value. Comments Text describing the current object. (Optional) 3.4.7.1. ALG_SMTP_Email Description Used to whitelist or blacklist an email sender/recipient. Properties Type Specifies if the email address is the sender or the recipient.
  • Page 125: Alg_Tls

    Comments Text describing the current object. (Optional) 3.4.9. ALG_TLS Description TLS Alg Properties Name Specifies a symbolic name for the ALG. (Identifier) HostCert Specifies the host certificate. RootCert Specifies the root certificates. (Optional) Comments Text describing the current object. (Optional)
  • Page 126: Antiviruspolicy

    3.5. AntiVirusPolicy Description An Anti-Virus Profile can be used by one or many IP Policies that have their service object configured with a protocol that supports anti-virus scanning (HTTP, FTP, POP3 and SMTP). Properties Name Specifies a symbolic name for the Profile. (Identifier) AuditMode Anti-Virus audit mode.
  • Page 127: Appcontrolsettings

    3.6. AppControlSettings Description Settings related to the Application Control functionality. Properties MaxUnclassifiedPackets Maximum number of packets in one direction on a connection before the application will be forced to unknown. (Default: 5) MaxUnclassifiedBytes Maximum number of bytes transferred in one direction on a connection before the application will be forced to unknown.
  • Page 128: Applicationruleset

    3.7. ApplicationRuleSet Description An Application Rule Set contains a list of Application Rules and some settings and can be used by one or more IP rules/IP Policies to configure Application Control on the traffic matching those IP Rules/IP Policies.
  • Page 129

    traffic. (Optional) ReturnChain Specifies one or more pipes to be used for return traffic. (Optional) Precedence Specifies what precedence should be assigned to the packets before they are sent into a pipe. (Default: FromPipe) FixedPrecedence Specifies the fixed precedence. Comments Text describing the current object.
  • Page 130: Arpnd

    3.8. ARPND Description Use an ARP/Neighbor Discovery entry to publish additional IP addresses and/or MAC addresses on a specified interface. Properties Mode Static, Publish or XPublish. (Default: Publish) Interface Indicates the interface to which the ARP entry applies;...
  • Page 131: Arpndsettings

    3.9. ARPNDSettings Description Advanced ARP/Neighbor Discovery-table settings. Properties ARPMatchEnetSender The Ethernet Sender address matching the hardware address in the ARP data. (Default: DropLog) ARPQueryNoSenderIP If the IP source address of an ARP query (NOT response!) is "0.0.0.0". (Default: DropLog) ARPSenderIP The IP Source address in ARP packets.
  • Page 132

    LogResolveFailure Specifies whether or not to log failed ARP Resolves. (Default: Yes) NDRateLimit Rate limit originated ND packets. (Default: 1000) MaxAnycastDelayTime Randomized time to delay proxied and anycast advertisements. (Default: 100) NDMatchEnetSender Ignore ND packets with mismatching sender- and options MAC-addresses.
  • Page 133

    RAReachableTime The value to be placed in the Reachable Time field in the Router Advertisement messages sent by the SGW. The value zero means unspecified. (Default: 0s). (Default: 0) RARetransTimer The value to be placed in the Retrans Timer field in the Router Advertisement messages sent by the SGW.
  • Page 134: Authagent

    3.10. AuthAgent Description The Authentication Agent collects user login and logout events on a network domain controller. Properties Name Specifies a symbolic name for the agent. IPAddress The IP address of the agent. Port The listening port of the agent. (Default: 9999) Selects the Pre-shared key to use with this agent.
  • Page 135: Authenticationsettings

    3.11. AuthenticationSettings Description Settings related to Authentication and Accounting. Properties LogoutAccUsersAtShutdown Logout authenticated accounting users and send AccountingStop packets prior to shutdown. (Default: Yes) AllowAuthIfNoAccountingResponse Allow an authenticated user to still have access even if no response is received by the Accounting Server.
  • Page 136: Blacklistwhitehost

    3.12. BlacklistWhiteHost Description Hosts and networks added to this whitelist can never be blacklisted by IDP or Threshold Rules. Properties Addresses Specifies the addresses that will be whitelisted. Service Specifies the service that will be whitelisted. Schedule The schedule when the whitelist should be active.
  • Page 137: Certificate

    3.13. Certificate Description An X.509 certificate is used to authenticate a VPN client or gateway when establishing an IPsec tunnel. Properties Name Specifies a symbolic name for the certificate. (Identifier) Type Local, Remote or Request. CertificateData Certificate data.
  • Page 138: Comportdevice

    3.14. COMPortDevice Description A serial communication port that is used for accessing the CLI. Properties Port Port. (Identifier) BitsPerSecond Bits per second. (Default: 9600) DataBits Data bits. (Default: 8) Parity Parity. (Default: None) StopBits Stop bits. (Default: 1) FlowControl Flow control.
  • Page 139: Configmodepool

    3.15. ConfigModePool Description An IKE Config Mode Pool will dynamically assign the IP address, DNS server, WINS server etc. to the VPN client connecting to this gateway. Properties IPPoolType Specifies whether a predefined IP Pool or a static set of IP addresses should be used as IP address source.
  • Page 140: Conntimeoutsettings

    3.16. ConnTimeoutSettings Description Timeout settings for various protocols. Properties ConnLife_TCP_SYN Connection idle lifetime for TCP connections being formed. (Default: 60) ConnLife_TCP Connection idle lifetime for TCP. (Default: 262144) ConnLife_TCP_FIN Connection idle lifetime for TCP connections being closed.
  • Page 141: Crldistpointlist

    3.17. CRLDistPointList Description A CRL distribution point list specifies one or more locations from where a certificate revocation list (CRL) can be obtained. It can be used to add distribution points to a certificate that does not provide any, or to override existing ones.
  • Page 142: Datetime

    3.18. DateTime Description Set the date, time and time zone information for this system. Properties TimeZone Specifies the time zone. (Default: GMT) Location Specifies the location to use its time zone. (Optional) DSTEnabled Enable daylight saving time. (Default: Yes) DSTOffset Daylight saving time offset in minutes.
  • Page 143

    Note This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
  • Page 144: Defaultinterface

    3.19. DefaultInterface Description A special interface used to represent internal mechanisms in the system as well as an abstract "any" interface. Properties Name Specifies a symbolic name for the interface. (Identifier) SNMPIndex Interface index assigned by the system when persistent interface indexes are enabled.
  • Page 145: Device

    3.20. Device Description Global parameters for this device. Properties Name Name of the device. (Default: Device) LocalCfgVersion Local version number of the configuration. (Default: 1) NextSNMPIfIndex SNMP interface index assigned to the next interface created within the system. (Default: 1) ConfigUser Name of the user who committed the current configuration.
  • Page 146: Dhcprelay

    3.21. DHCPRelay Description Use a DHCP Relay to dynamically alter the routing table according to relayed DHCP leases. Properties Name Specifies a symbolic name for the relay rule. (Identifier) Action Ignore, Relay or BootpFwd. (Default: Ignore) SourceInterface The source interface of the DHCP packet.
  • Page 147

    LogSeverity Specifies with what severity log events will be sent to the specified log receivers. (Default: Default) Comments Text describing the current object. (Optional)
  • Page 148: Dhcprelaysettings

    3.22. DHCPRelaySettings Description Advanced DHCP relay settings. Properties MaxTransactions Maximum number of concurrent BOOTP/DHCP transactions. (Default: 32) TransactionTimeout Timeout for each transaction (in seconds). (Default: MaxPPMPerIface Maximum packets per minute that are relayed from clients to the server, per interface. (Default: 500) MaxHops Requests/responses that have traversed more than...
  • Page 149: Dhcpserver

    3.23. DHCPServer Description A DHCP Server determines a set of IP addresses and host configuration parameters to hand out to DHCP clients attached to a given interface. Properties Index The index of the object, starting at 1. (Identifier) Name Specifies a symbolic name for the DHCP Server rule.
  • Page 150: Dhcpserverpoolstatichost

    (Optional) LogEnabled Enable logging. (Default: Yes) LogSeverity Specifies with what severity log events will be sent to the specified log receivers. (Default: Default) Comments Text describing the current object. (Optional) 3.23.1. DHCPServerPoolStaticHost Description Static DHCP Server host entry Properties Host IP Address of the host.
  • Page 151

    Note If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 152: Dhcpserversettings

    3.24. DHCPServerSettings Description Advanced DHCP server settings. Properties AutoSaveLeasePolicy Policy for saving the lease database to disk. (Default: ReconfShut) AutoSaveLeaseInterval Seconds between auto saving the lease database to disk. (Default: 86400) Note This object type does not have an identifier and is identified by the name of the type only.
  • Page 153: Dhcpv6Server

    3.25. DHCPv6Server Description A DHCPv6 Server determines a set of IPv6 addresses and host configuration parameters to hand out to DHCPv6 clients attached to a given interface. Properties Index The index of the object, starting at 1. (Identifier) Name Specifies a symbolic name for the DHCPv6 Server rule.
  • Page 154: Dhcpv6Serverpoolstatichost

    to the specified log receivers. (Default: Default) Comments Text describing the current object. (Optional) 3.25.1. DHCPv6ServerPoolStaticHost Description Static DHCPv6 Server host entry Properties Host IPv6 Address of the host. MACAddress The hardware address of the host. Comments Text describing the current object.
  • Page 155: Dhcpv6Serversettings

    3.26. DHCPv6ServerSettings Description Advanced DHCPv6 server settings. Properties AutoSaveLeasePolicy Policy for saving the lease database to disk. (Default: ReconfShut) AutoSaveLeaseInterval Seconds between auto saving the lease database to disk. (Default: 86400) Note This object type does not have an identifier and is identified by the name of the type only.
  • Page 156: Diagnosticssettings

    3.27. DiagnosticsSettings Description Control how anonymous usage statistics are automatically shared with D-Link to improve the quality of the product and the services. Sensitive information, e.g. VPN keys or certificates, is not shared. All communication is encrypted and no information is shared with 3rd parties.
  • Page 157: Dns

    3.28. DNS Description Configure the DNS (Domain Name System) client settings. Properties DNSServer1 IP of the primary DNS Server. (Optional) DNSServer2 IP of the secondary DNS Server. (Optional) DNSServer3 IP of the tertiary DNS Server. (Optional) IP6DNSServer1 IP of the primary IPv6 DNS Server.
  • Page 158: Dynamicroutingrule

    3.29. DynamicRoutingRule Description A Dynamic Routing Policy rule creates a filter to catch statically configured or OSPF learned routes. The matched routes can be controlled by the action rules to be either exported to OSPF processes or to be added to one or more routing tables. Properties Index The index of the object, starting at 1.
  • Page 159: Dynamicroutingruleexportospf

    last in the list and the Index will be equal to the length of the list. 3.29.1. DynamicRoutingRuleExportOSPF Description An OSPF action is used to manipulate and export new or changed routes to an OSPF Router Process.
  • Page 160

    OffsetMetric Increases the metric by this value. (Optional) OffsetMetricType2 Increases the metric for Type2 routes by this value. (Optional) LimitMetricRange Limits the metrics for these routes to a minimum and maximum value; if a route has a higher or lower value than specified it will be set to the specified value.
  • Page 161: Dyndnsclientcjbnet

    3.30. DynDnsClientCjbNet Description Configure the parameters used to connect to the Cjb.net Dynamic DNS service. Properties Username Username. Password The password for the specified username. (Optional) Comments Text describing the current object. (Optional) Note If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 162: Dyndnsclientdlink

    3.31. DynDnsClientDLink Description Configure the parameters used to connect to the D-Link DynDNS service. Properties DNSName The DNS name excluding the .dlinkddns.com suffix. Username Username. Password The password for the specified username. (Optional) Comments Text describing the current object. (Optional)
  • Page 163: Dyndnsclientdlinkchina

    3.32. DynDnsClientDLinkChina Description Configure the parameters used to connect to the D-Link DynDNS service (China only). Properties DNSName The DNS name excluding the .dlinkddns.com suffix. Username Username. Password The password for the specified username. (Optional) Comments Text describing the current object.
  • Page 164: Dyndnsclientdyndnsorg

    3.33. DynDnsClientDyndnsOrg Description Configure the parameters used to connect to the dyn.com Dynamic DNS service. Properties DNSName The DNS name excluding the .dyndns.org suffix. Username Username. Password The password for the specified username. (Optional) Comments Text describing the current object. (Optional) Note If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 165: Dyndnsclientdynscx

    3.34. DynDnsClientDynsCx Description Configure the parameters used to connect to the dyns.cx Dynamic DNS service. Properties DNSName The DNS name excluding the .dyns.cx suffix. Username Username. Password The password for the specified username. (Optional) Comments Text describing the current object. (Optional) Note If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 166: Dyndnsclientpeanuthull

    3.35. DynDnsClientPeanutHull Description Configure the parameters used to connect to the Peanut Hull Dynamic DNS service. Properties DNSNames Specifies the DNS names separated by ";". Username Username. Password The password for the specified username. (Optional) Comments Text describing the current object.
  • Page 167: Emailcontrolprofile

    3.36. EmailControlProfile Description An E-mail Control Profile can be used by one or many IP Policies that have their service object configured with a protocol that supports e-mail scanning (IMAP, POP3, SMTP). Properties Name Specifies a symbolic name for the Profile. (Identifier) AntiSpam Anti-Spam protects against unsolicited bulk email.
  • Page 168

    for that email. (Default: No) DNSBL2 IP address blacklisting using an external database. If the sender's IP address is blacklisted, the configured score value is added to the total score for that email. (Default: No) DNSBL3 IP address blacklisting using an external database.
  • Page 169

    DNSBL9Name Specify the DNS name of a DNS Blacklist. DNSBL10Name Specify the DNS name of a DNS Blacklist. DNSBL1Score Specify a score value for DNS Blacklist 1. (Default: DNSBL2Score Specify a score value for DNS Blacklist 2. (Default: DNSBL3Score Specify a score value for DNS Blacklist 3.
  • Page 170: Emailfilter

    SMTP_MaxEmailPerMinute Specifies the maximum amount of emails per minute from the same host. (Optional) SMTP_MaxEmailSize Specifies the maximum allowed email size in kB. (Optional) SMTP_AllowSTARTTLS Allow clients to use the STARTTLS command. Note that this allows encrypted transactions to take place, which circumvents any enabled security mechanisms.
  • Page 171: Ethernet

    3.37. Ethernet Description An Ethernet interface represents a logical endpoint for Ethernet traffic. Properties Name Specifies a symbolic name for the interface. (Identifier) EthernetDevice Hardware settings for the Ethernet interface. VLanQoSInherit Set whether VLANs using the interface should inherit the IP QoS bits.
  • Page 172 Chapter 3: Configuration Reference Specifies the size (in bytes) of the largest packet that can be passed onward. Must be 1294 or larger when IPv6 is enabled. (Default: 1500) Metric Specifies the metric for the auto-created route. (Default: 100) DHCPEnabled Enable DHCP client on this interface.
  • Page 173: Ethernetdevice

    3.38. EthernetDevice. Description: Hardware settings for an Ethernet interface. Properties: Name: Specifies a symbolic name for the device. (Identifier) EthernetDriver: The Ethernet PCI driver that should be used by the interface. PCIBus: PCI bus number where the Ethernet adapter is installed.
  • Page 174: Ethernetsettings

    3.39. EthernetSettings. Description: Settings for Ethernet interfaces. Properties: DHCP_MinimumLeaseTime: Minimum lease time (seconds) accepted from the DHCP server. (Default: 60) DHCP_ValidateBcast: Require that the assigned broadcast address is the highest address in the assigned network. (Default: Yes) DHCP_AllowGlobalBcast: Allow the DHCP server to assign 255.255.255.255 as...
  • Page 175 Note: This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
  • Page 176: Eventreceiversnmp2C

    3.40. EventReceiverSNMP2c. Description: An SNMP2c event receiver is used to receive SNMP events from the system. Properties: Name: Specifies a symbolic name for the log receiver. (Identifier) IPAddress: Destination IP address. Port: Destination port. (Default: 162) Community: Community string.
  • Page 177: Filecontrolpolicy

    3.41. FileControlPolicy. Description: A File Control Profile can be used by one or many IP Policies which have their service object configured with a protocol that supports file control scanning (HTTP, FTP, POP3, SMTP). Properties: Name: Specifies a symbolic name for the Profile.
  • Page 178: Fragsettings

    3.42. FragSettings. Description: Settings related to fragmented packets. Properties: PseudoReass_MaxConcurrent: Maximum number of concurrent fragment reassemblies. Set to 0 to drop all fragments. (Default: 1024) IllegalFrags: Illegally constructed fragments; partial overlaps, bad sizes, etc. (Default: DropLog) DuplicateFragData: On receipt of duplicate fragments, verify matching data...
  • Page 179 LogSuspect) IP6RejectBadFragLength: Send a Parameter Problem error upon reception of fragments with a bad data length. (Default: No) IP6IgnoreStubFrags: Ignore fragments with the M flag cleared and fragment offset zero. (Default: No) IP6MinimumFragLength: Minimum allowed length of non-last fragments. (Default: 8) IP6ReassTimeout: Timeout of a reassembly, since the previous received...
  • Page 180: Geolocationfilter

    3.43. GeolocationFilter. Description: The Geolocation Filter allows the system to filter IP addresses based on country. Properties: Name: Specifies a symbolic name for the rule. (Identifier) MatchPrivate: Specify whether the filter should match private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fd00::/8). (Default: No) MatchUnknown: Specify whether the filter should match unclassified networks.
  • Page 181: Gotorule

    3.44. GotoRule. Description: A goto rule specifies which IP rule set to match IP rules in for traffic that matches the specified filter criteria. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the rule.
  • Page 182: Gretunnel

    3.45. GRETunnel. Description: A GRE interface is a Generic Routing Encapsulation (no encryption, no authentication, only encapsulation) tunnel over an existing IP network. Properties: Name: Specifies a symbolic name for the interface. (Identifier) Specifies the IP address of the GRE interface. Network: Specifies the network address of the GRE interface.
  • Page 183: Highavailability

    3.46. HighAvailability. Description: Configure the High Availability cluster parameters for this system. Properties: Enabled: Enable high availability. (Default: No) ClusterID: A (locally) unique cluster ID used to identify this group of HA firewalls. (Default: 0) SyncIface: Specifies interface...
  • Page 184: Httpalgbanners

    3.47. HTTPALGBanners. Description: HTTP banner files specify the look and feel of HTTP ALG restriction web pages. Properties: Name: Specifies a symbolic name for the HTTP Banner Files. (Identifier) CompressionForbidden: HTML for the CompressionForbidden.html web page. ContentForbidden: HTML for the ContentForbidden.html web page.
  • Page 185: Httpauthbanners

    3.48. HTTPAuthBanners. Description: HTTP banner files specify the look and feel of HTML authentication web pages. Properties: Name: Specifies a symbolic name for the HTTP Banner Files. (Identifier) FormLogin: HTML for the FormLogin.html web page. LoginSuccess: HTML for the LoginSuccess.html web page.
  • Page 186: Httpposter

    3.49. HTTPPoster. Description: Use the HTTP poster for dynamic DNS or automatic logon to services using web-based authentication. Properties: The URL that will be posted when the firewall is loaded. RepostDelay: Delay in seconds until the URL is refetched. (Default: 1200) AlwaysRepost: Repost on each reconfiguration.
  • Page 187: Hwm

    3.50. HWM. Description: Hardware Monitoring allows monitoring of hardware sensors. Properties: Name: Specifies a symbolic name for the object. Type: Type of monitoring. Sensor: Sensor index. MinLimit: Lower limit. (Optional) MaxLimit: Upper limit. (Optional) EnableMonitoring: Enable/disable monitoring. (Default: No) Comments: Text describing the current object.
  • Page 188: Hwmsettings

    3.51. HWMSettings. Description: General settings for Hardware Monitoring. Properties: EnableSensors: Enable/disable all HWM functionality. (Default: No) SensorPollInterval: Sensor polling interval. (Default: 500) MemoryPollInterval: Memory polling interval in minutes. (Default: 15) MemoryUsePercent: Whether the memory monitor should use percentage as the unit for monitoring; otherwise the unit is megabytes.
  • Page 189: Icmpsettings

    3.52. ICMPSettings. Description: Settings related to the ICMP protocol. Properties: ICMPSendPerSecLimit: Maximum number of ICMP responses that will be sent each second. (Default: 500) SilentlyDropStateICMPErrors: Silently drop ICMP errors regarding statefully tracked open connections. (Default: Yes) ICMP6MaxOptND: Total number of options allowed per ICMP6 ND header.
  • Page 190: Idlist

    3.53. IDList. Description: An ID list contains IDs, which are used within the authentication process when establishing an IPsec tunnel. Properties: Name: Specifies a symbolic name for the ID list. (Identifier) Comments: Text describing the current object. (Optional) 3.53.1.
  • Page 191: Idprule

    3.54. IDPRule. Description: An IDP Rule defines a filter for matching specific network traffic. When the filter criterion is met, the IDP Rule Actions are evaluated and possible actions taken. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the rule.
  • Page 192 Description: An IDP Rule Action specifies which signatures to search for in the network traffic, and what action to take if those signatures are found. Properties: Action: Specifies what action to take if the given signature is found.
  • Page 193: Igmprule

    3.55. IGMPRule. Description: An IGMP rule specifies how to handle inbound IGMP reports and outbound IGMP queries. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the rule. (Optional) Type: The type of IGMP messages the rule applies to.
  • Page 194 Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 195: Igmpsetting

    3.56. IGMPSetting. Description: IGMP parameters can be tuned for one interface, or for a group of interfaces, in order to match the characteristics of a network. Properties: Name: Specifies a symbolic name for the object. (Identifier) Interface: The interfaces that these settings should apply to. RobustnessVariable: IGMP is robust to (Robustness Variable - 1) packet losses.
  • Page 196: Ikealgorithms

    3.57. IKEAlgorithms. Description: Configure the algorithms which are used in the IKE phase of an IPsec session. Properties: Name: Specifies a symbolic name for the object. (Identifier) DESEnabled: Enable the DES encryption algorithm. (Default: No) DES3Enabled: Enable the 3DES encryption algorithm. (Default: No) AESEnabled: Enable the AES encryption algorithm.
  • Page 197 XCBCEnabled: Enable the AES-XCBC integrity algorithm. (Default: No) Comments: Text describing the current object. (Optional)
  • Page 198: Interfacegroup

    3.58. InterfaceGroup. Description: Use an interface group to combine several interfaces for a simplified security policy. Properties: Name: Specifies a symbolic name for the interface. (Identifier) Equivalent: Specifies whether the interfaces should be considered security equivalent; if enabled, the interface group can be used as a destination interface in rules where connections might need to be moved between the two interfaces.
  • Page 199: Ip6In4Tunnel

    3.59. IP6in4Tunnel. Description: A 6in4 tunnel (no encryption, no authentication, only encapsulation) allows tunneling of IPv6 packets over an existing IPv4 network. Properties: Name: Specifies a symbolic name for the interface. (Identifier) Specifies the IPv6 address of the 6in4 tunnel interface.
  • Page 200: Ippolicy

    3.60. IPPolicy. Description: An IP Policy specifies what action to perform on network traffic that matches the specified filter criteria. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the policy. Action: Allow or Deny.
  • Page 201 AV_Policy: Selects the preconfigured Anti-Virus Profile. AV_AuditMode: Anti-Virus audit mode. (Default: No) AV_ScanExclude: List of files to exclude from antivirus scanning. (Optional) AV_CompressionRatio: A compression ratio higher than this value will trigger the action in Compression Ratio Action; a value of zero disables all compression checks.
  • Page 202 VoIP: Voice over IP. (Default: No) VoIP_Policy: Selects the preconfigured VoIP Profile. FTPControl: Enables FTP protocol specific settings. (Default: No) FTPAllowServerPassive: Allow the server to use passive mode (unsafe for the server). (Default: Yes) FTPServerPorts: Server data ports. (Default: 1024-65535) FTPAllowClientActive: Allow the client to use active mode (unsafe for the client).
  • Page 203 TLSRootCert: Specifies the root certificates. (Optional) HTTPInspection: Enables HTTP protocol validation and logging of URLs. (Default: No) HTTPAllowUnknownProtocols: Allow non-HTTP protocols to pass through without inspection. (Default: No) SourceInterface: Specifies the name of the receiving interface to be compared to the received packet.
  • Page 204: Ippool

    3.61. IPPool. Description: An IP Pool is a dynamic object which consists of IP leases that are fetched from a DHCP Server. The IP Pool is used as an address source by subsystems that may need to distribute addresses, e.g.
  • Page 205: Iprule

    3.62. IPRule. Description: An IP rule specifies what action to perform on network traffic that matches the specified filter criteria. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the rule. (Optional) Action: Reject, Drop, FwdFast, Allow, NAT, SAT or SLB_SAT.
  • Page 206 SLBMaxSlots: Specifies the maximum number of slots for IP and network stickiness. (Default: 2048) SLBNetSize: Specifies the network size for network stickiness. (Default: 24) SLBNewPort: Rewrite the destination port to this port. (Optional) SLBMonitorRoutingTable: Routing table used for server monitoring. (Default: main) SLBMonitorPing: Enable monitoring using ICMP Ping packets.
  • Page 207 attempts. (Default: 800) SLBHTTPURLType: Defines how the request URL should be interpreted. (Default: FQDN) SLBHTTPRequestURL: Specifies the HTTP URL to monitor. SLBHTTPExpectedResponse: Expected HTTP response. (Optional) SLBDistribution: Specifies the algorithm used for the load distribution tasks. (Default: RoundRobin) SLBWindowTime: Specifies the window time used for counting the number of seconds back in time to summarize the...
  • Page 208: Iprulefolder

    3.63. IPRuleFolder. Description: An IP Rule Folder can be used to group IP Rules into logical groups for a better overview and simplified management. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies the name of the folder. Comments: Text describing the current object.
  • Page 209 SLBNewPort: Rewrite the destination port to this port. (Optional) SLBMonitorRoutingTable: Routing table used for server monitoring. (Default: main) SLBMonitorPing: Enable monitoring using ICMP Ping packets. (Default: No) SLBPingPollingInterval: Delay in milliseconds between each ping interval. (Default: 5000) SLBPingSamples: Specifies the number of attempts to use for statistical calculations.
  • Page 210 SLBHTTPExpectedResponse: Expected HTTP response. (Optional) SLBDistribution: Specifies the algorithm used for the load distribution tasks. (Default: RoundRobin) SLBWindowTime: Specifies the window time used for counting the number of seconds back in time to summarize the number of new connections for the connection-rate algorithm.
  • Page 211: Multicastpolicy

    to the specified log receivers. (Default: Default) Comments: Text describing the current object. (Optional) Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list. 3.63.3.
  • Page 212: Statelesspolicy

    (Optional) SourceAddressTranslation: Action to take on the source address. (Default: Auto) NATSourceAddressAction: Specify the method used to determine which sender address to use. (Default: OutgoingInterfaceIP) SATSourceAddressAction: Specify the method used to determine which sender address to use. SourceNewIP: Specifies which sender address will be used. SourceBaseIP: Specifies the base address for the sender address.
  • Page 213 address to use. SourceNewIP: Specifies which sender address will be used. SourceBaseIP: Specifies the base address for the sender address. SourcePortAction: Specify the method used to determine which port action to use. (Default: None) SourceNewSinglePort: Translate to this port. (Optional) SourceBasePort: Transpose using this port as the base.
  • Page 214: Gotorule

    Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list. 3.63.5. GotoRule: The definitions here are the same as in Section 3.44, “GotoRule”...
  • Page 215: Iprule

    3.63.7. IPRule: The definitions here are the same as in Section 3.62, “IPRule”.
  • Page 216: Ipruleset

    3.64. IPRuleSet. Description: An IP Rule Set is a self-contained set of IP Rules. The default action is Drop. Properties: Name: A name to uniquely identify this IPRuleSet. (Identifier) Comments: Text describing the current object. (Optional) 3.64.1. IPPolicy: The definitions here are the same as in Section 3.60, “IPPolicy”...
  • Page 217: Ipsecalgorithms

    3.65. IPsecAlgorithms. Description: Configure the algorithms which are used in the IPsec phase of an IPsec session. Properties: Name: Specifies a symbolic name for the object. (Identifier) NULLEnabled: Enable plaintext (no encryption). (Default: No) DESEnabled: Enable the DES encryption algorithm. (Default: No) DES3Enabled: Enable the 3DES encryption algorithm.
  • Page 218 SHA512Enabled: Enable the SHA512 integrity algorithm. (Default: No) XCBCEnabled: Enable the AES-XCBC integrity algorithm. (Default: No) Comments: Text describing the current object. (Optional)
  • Page 219: Ipsectunnel

    3.66. IPsecTunnel. Description: An IPsec tunnel item is used to define an IPsec endpoint and will appear as a logical interface in the system. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the interface. (Identifier) LocalNetwork: The network on "this side"...
  • Page 220 authenticated peers will be authorized. (Optional) EnforceLocalID: Enable if the local identity must match an identity proposed by the IKE peer. (Default: No) GatewayCertificate: Selects the certificate the firewall uses to authenticate itself to the other IPsec peer. RootCertificates: Selects one or more root certificates to use with this IPsec Tunnel.
  • Page 221 DeadPeerDetection: Enable Dead Peer Detection. (Default: Yes) NATTraversal: Enable or disable NAT traversal. (Default: OnIfNeeded) AutoEstablish: Negotiate the tunnel directly after reconfiguration. (Default: No) Metric: Specifies the metric for the auto-created route. (Default: 90) AutoInterfaceNetworkRoute: Automatically add a route for this interface using the given remote network.
  • Page 222: Ipsectunnelsettings

    3.67. IPsecTunnelSettings. Description: Settings for the IPsec tunnel interfaces used for establishing IPsec VPN connections to and from this system. Properties: IPsecMaxTunnels: Number of IPsec tunnels allowed (0 = automatic). (Default: 0) IPsecMaxRules: Number of IPsec rules allowed (0 = automatic). (Default: 0) IKESendInitialContact: Send 'initial contact' messages.
  • Page 223 IPsecDisablePKAccel: Disable hardware acceleration for public-key operations. (Default: No) IPsecEnableFramedIP: Include the Framed IP address in the RADIUS Access Request message. (Default: No) IPsecEnableRadiusAccountRequestStart: Enable sending of the Accounting Request Start message, including the Framed IP address. (Default: IPsecXCBCFallbackToRFC3664: Enable fallback to XCBC RFC3664 if XCBC RFC4344 fails when using IKEv2.
  • Page 224: Ipsettings

    3.68. IPSettings. Description: Settings related to the IP protocol. Properties: EnableIPv6: Enable processing of IPv6 traffic. (Default: No) IP6LogOnForwardHopLimit0: Log any attempts to forward IPv6 packets with HopLimit=0 destined for outside the firewall; this should never happen! (Default: DropLog) IP6AnycastSrc: Drop/log packets with an anycast source address.
  • Page 225 IP6OPT_JUMBO: Validate jumbogram packets. (Default: ValidateLog) IP6OPT_RA: Validate Router Alert packets. (Default: Ignore) IP6OPT_HA: Validate Home Address option packets. (Default: Ignore) IP6OPT_OTH: Validate unknown option types. (Default: RFC2460Log) IP6_RH0: Validate the routing header type 0 option. (Default: RFC5095NoSupportLog) IP6_RH2: Validate the routing header type 2 option.
  • Page 226 SecuRemoteUDPEncapCompat: Allow IP data to contain eight bytes more than the UDP total length field specifies; Checkpoint SecuRemote violates the NAT-T drafts. (Default: No) IPOptionSizes: Validity of IP header option sizes. (Default: ValidateLogBad) IPOPT_SR: How to handle IP packets with contained source or return routes.
  • Page 227: L2Tpclient

    3.69. L2TPClient. Description: A PPTP/L2TP client interface is a PPP (Point-to-Point Protocol) tunnel over an existing IP network. Its IP address and DNS servers are dynamically assigned. Properties: Name: Specifies a symbolic name for the interface. (Identifier) The host name to store the assigned IP address in, if this network object exists and has a value other...
  • Page 228 MPPERC440: Use an RC4 40-bit MPPE session key with the MS-CHAP or MS-CHAP v2 authentication protocol. (Default: Yes) MPPERC456: Use an RC4 56-bit MPPE session key with the MS-CHAP or MS-CHAP v2 authentication protocol. (Default: Yes) MPPERC4128: Use an RC4 128-bit MPPE session key with the MS-CHAP or MS-CHAP v2 authentication protocol.
  • Page 229: L2Tpserver

    3.70. L2TPServer. Description: A PPTP/L2TP server interface terminates PPP (Point-to-Point Protocol) tunnels set up over existing IP networks. Properties: Name: Specifies a symbolic name for the interface. (Identifier) The IP address of the PPTP/L2TP server interface. TunnelProtocol: Specifies whether PPTP or L2TP should be used for this tunnel.
  • Page 230 Servers (NBNS) to assign IP addresses to NetBIOS names. (Optional) AllowedRoutes: Restricts the networks for which routes will automatically be added. (Default: all-nets) MPPEAllowStateful: Allow usage of Stateful MPPE (less secure, use only for compatibility). (Default: No) SNMPIndex: Interface index assigned by the system when persistent interface indexes are enabled.
  • Page 231: L2Tpserversettings

    3.71. L2TPServerSettings. Description: PPTP/L2TP server settings. Properties: L2TPBeforeRules: Pass L2TP connections sent to the firewall directly to the L2TP engine without consulting the ruleset. (Default: Yes) PPTPBeforeRules: Pass PPTP connections sent to the firewall directly to the PPTP engine without consulting the ruleset. (Default: Yes) Note: This object type does not have an identifier and is identified by the name of the type...
  • Page 232: L2Tpv3Client

    3.72. L2TPv3Client. Description: An L2TPv3 client interface terminates L2 (Ethernet and VLAN) tunnels set up over existing IP networks. Properties: Name: Specifies a symbolic name for the interface. (Identifier) The IP address of the L2TPv3 Client interface. LocalNetwork: The network on "this side"...
  • Page 233 publishing routes via Proxy ARP. (Default: No) ProxyARPInterfaces: Specifies the interfaces on which the firewall should publish routes via Proxy ARP. (Optional) Comments: Text describing the current object. (Optional)
  • Page 234: L2Tpv3Server

    3.73. L2TPv3Server. Description: An L2TPv3 server interface terminates L2 (Ethernet and VLAN) tunnels set up over existing IP networks. Properties: Name: Specifies a symbolic name for the interface. (Identifier) The IP address of the L2TPv3 Server interface. LocalNetwork: The network on "this side"...
  • Page 235: Ldapdatabase

    3.74. LDAPDatabase. Description: External LDAP server used to verify user names and passwords. Properties: Name: Specifies a symbolic name for the server. (Identifier) The IP address of the server. Port: The TCP port of the server. (Default: 389) SourceIPSelection: Which IP should be used as the source IP.
  • Page 236: Ldapserver

    3.75. LDAPServer. Description: An LDAP server is used as a central repository of certificates and CRLs that the firewall can download when necessary. Properties: Host: Specifies the IP address or hostname of the LDAP server. Username: Specifies the username to use when accessing the LDAP server.
  • Page 237: Lengthlimsettings

    3.76. LengthLimSettings. Description: Length limitations for various protocols. Properties: MaxTCPLen: TCP; sometimes has to be increased if tunneling protocols are used. (Default: 1480) MaxUDPLen: UDP; many interactive applications use large UDP packets; may otherwise be decreased to 1480. (Default: 60000) MaxICMPLen: ICMP;...
  • Page 238: Linkaggregation

    3.77. LinkAggregation. Description: A Link Aggregation interface combines multiple Ethernet interfaces into a single logical endpoint. Properties: Name: Specifies a symbolic name for the interface. (Identifier) Members: A set of Ethernet interfaces to aggregate. (Optional) DistributionAlgorithm: Specifies how outgoing traffic will be distributed among the active links.
  • Page 239 PrivateIP: The private IP address of this high availability node. (Optional) PrivateIP6: The private IPv6 address of this high availability node. (Default: localhost6) NOCHB: Disables sending Cluster Heartbeats from this interface (used by HA to detect whether a node is online and working).
  • Page 240 Comments: Text describing the current object. (Optional)
  • Page 241: Linkmonitor

    3.78. LinkMonitor. Description: The Link Monitor allows the system to monitor one or more hosts and take action if they are unreachable. Properties: Action: Specifies what action the system should take. Addresses: Specifies the addresses that should be monitored. MaxLoss: A single host is considered unreachable if this number of consecutive ping responses to that host...
  • Page 242: Localreasssettings

    3.79. LocalReassSettings. Description: Parameters used for local fragment reassembly. Properties: LocalReass_MaxConcurrent: Maximum number of concurrent local reassemblies. (Default: 256) LocalReass_MaxSize: Maximum size of a locally reassembled packet. (Default: 10000) LocalReass_NumLarge: Number of large (>2K) local reassembly buffers (of the above size).
  • Page 243: Localuserdatabase

    3.80. LocalUserDatabase. Description: A local user database contains user accounts used for authentication purposes. Properties: Name: Specifies a symbolic name for the object. (Identifier) Comments: Text describing the current object. (Optional) 3.80.1. User. Description: User credentials may be used in User Authentication Rules, which in turn are used in e.g. PPP, IPsec XAuth, Web Authentication, etc. Properties: Name...
  • Page 244: Logreceivermemory

    3.81. LogReceiverMemory. Description: A memory log receiver is used to receive and keep log events in system RAM. Properties: Name: Specifies a symbolic name for the log receiver. (Identifier) LogSeverity: Specifies with what severity log events will be sent to the specified log receivers.
  • Page 245: Logreceiversmtp

    3.82. LogReceiverSMTP. Description: Mail Alerting is used for sending important events via email. Properties: Name: Specifies a symbolic name for the log receiver. (Identifier) IPAddress: IP address or DNS name of an SMTP server that accepts emails for the given address(es). Port: TCP port of the SMTP server.
  • Page 246: Logreceivermessageexception

    that did not trigger the rate threshold. The report will always be sent, even if nothing occurred. (Default: No) ReportEmailInterval: How often to send report emails. (Default: 24) ReportEmailSubject: The email Subject to use for report emails. LogSeverity: Specifies with what severity log events will be sent to the specified log receivers.
  • Page 247: Logreceiversyslog

    3.83. LogReceiverSyslog. Description: A Syslog receiver is used to receive log events from the system in the standard Syslog format. Properties: Name: Specifies a symbolic name for the log receiver. (Identifier) IPAddress: Specifies the IP address of the log receiver. Port: Specifies the port number of the log service.
  • Page 248: Logsettings

    3.84. LogSettings. Description: Advanced log settings. Properties: LogSendPerSecLimit: Limits how many log packets the firewall may send out per second. (Default: 2000) Note: This object type does not have an identifier and is identified by the name of the type only.
  • Page 249: Loopbackinterface

    3.85. LoopbackInterface. Description: Loopback interfaces take all packets sent through them and pass them back up a different interface as newly received packets. Properties: Name: Specifies a symbolic name for the interface. (Identifier) LoopTo: Loopback interface. (Optional) Interface address.
  • Page 250: Miscsettings

    3.86. MiscSettings. Description: Miscellaneous Settings. Properties: UDPSrcPort0: How to treat UDP packets with source port 0. (Default: DropLog) Port0: How to treat TCP/UDP packets with destination port 0 and TCP packets with source port 0. (Default: DropLog) HighBuffers_Dynamic: Allocate the HighBuffers value dynamically.
  • Page 251: Multicastpolicy

    3.87. MulticastPolicy: The definitions here are the same as in Section 3.63.3, “MulticastPolicy”.
  • Page 252: Multicastsettings

    3.88. MulticastSettings. Description: Advanced Multicast Settings. Properties: AutoAddMulticastCoreRoute: Auto-generate the core route "224.0.0.1-239.255.255.255". (Default: Yes) IGMPBeforeRules: Allows IGMP traffic to enter the firewall by default. (Default: Yes) IGMPMaxGlobalRequestsPerSecond: Maximum number of requests per second. (Default: 1000) IGMPMaxRequestsPerSecond: Maximum number of requests per interface per second.
  • Page 253: Natpool

    3.89. NATPool. Description: A NAT Pool is used for NATing multiple concurrent connections using different source IP addresses. Properties: Name: Specifies a symbolic name for the NAT Pool. (Identifier) Type: Specifies how NAT'ed connections are assigned a NAT IP address.
  • Page 254: Ospfprocess

    3.90. OSPFProcess. Description: An OSPF Router Process defines a group of routers exchanging routing information via the Open Shortest Path First routing protocol. Properties: Name: Specifies a symbolic name for the OSPF process. (Identifier) RouterID: Specifies the IP address that is used to identify the router.
  • Page 255: Ospfarea

    Chapter 3: Configuration Reference DebugDDesc Enables disabled logging database description packets and also specifies the details of the log. (Default: Off ) DebugExchange Enables or disabled logging of exchange packets and also specifies the details of the log. (Default: Off ) DebugLSA Enables or disabled logging of LSA events and also specifies the details of the log.
  • Page 256 Chapter 3: Configuration Reference StubMetric Route metric for stub area. (Optional) FilterExternal Specifies the network addresses allowed to be imported into this area from external routing sources. (Optional) FilterInterArea Specifies the network addresses allowed to be imported from other routers inside the area. (Optional) Comments Text describing the current object.
  • Page 257 Chapter 3: Configuration Reference router will be declared to be down. (Default: 40) RxmtInterval Specifies the number of seconds between retransmissions of LSAs to neighbors on this interface. (Default: 5) RtrPrio Specifies the router priority, a higher number increases this routers chance of becoming DR or BDR, if 0 is specified this router will not be eligible in the DR/BDR election.
  • Page 258 Description An aggregate is used to replace any number of smaller networks belonging to the local (intra) area with one contiguous network which may then be advertised or hidden. Properties Network The aggregate network used to combine several small routes.
  • Page 259: Pipe

    3.91. Pipe Description A pipe defines basic traffic shaping parameters. The pipe rules then determine which traffic goes through which pipes. Properties Name Specifies a symbolic name for the pipe. (Identifier) LimitKbpsTotal Total bandwidth limit for this pipe in kilobits per second.
  • Page 260 precedence 7 (the highest precedence). (Optional) LimitPPS7 Specifies the packet per second limit for precedence 7 (the highest precedence). (Optional) UserLimitKbpsTotal Total bandwidth limit per group in the pipe in kilobits per second. (Optional) UserLimitPPSTotal Total throughput limit per group in the pipe in packets per second.
  • Page 261 GroupingNetworkSize If users are grouped according to source or destination network, the size of the network has to be specified by this setting. (Default: 0) Dynamic Enable dynamic balancing of groups. (Default: No) PrecedenceMin Specifies the lowest allowed precedence for traffic in this pipe.
  • Page 262: Piperule

    3.92. PipeRule Description A Pipe Rule determines traffic shaping policy - which Pipes to use - for one or more types of traffic with the same granularity as the standard ruleset. Properties Index The index of the object, starting at 1. (Identifier) Name Specifies a symbolic name for the object.
  • Page 263: Pppoetunnel

    3.93. PPPoETunnel Description A PPPoE interface is a PPP (point-to-point protocol) tunnel over an existing physical Ethernet interface. Its IP address is dynamically assigned. Properties Name Specifies a symbolic name for the interface. (Identifier) EthernetInterface The physical Ethernet interface that connects to the PPPoE server network.
  • Page 264 Metric Specifies the metric for the auto-created route. (Default: 90) AutoInterfaceNetworkRoute Automatically add a route for this interface using the given remote network. (Default: Yes) Schedule The schedule defines when the PPPoE tunnel should be active. (Optional) ForceUnnumbered Force the PPPoE tunnel to be unnumbered.
  • Page 265: Pppsettings

    3.94. PPPSettings Description Settings related to the PPP protocol. Properties InitialResendTime Initial time in milliseconds to wait before sending a new configuration request if no server response is received. (Default: 200) Note This object type does not have an identifier and is identified by the name of the type only.
  • Page 266: Psk

    3.95. PSK Description PSK (Pre-Shared Key) authentication is based on a shared secret that is known only by the parties involved. Properties Name Specifies a symbolic name for the pre-shared key. (Identifier) Type Specifies the type of the shared key. PSKAscii Specifies the PSK as a passphrase.
  • Page 267: Radiusaccounting

    3.96. RadiusAccounting Description External RADIUS server used to collect user statistics. Properties Name Specifies a symbolic name for the server. (Identifier) IPAddress The IP address of the server. Port The UDP port of the server. (Default: 1813) RetryTimeout The retry timeout, in seconds, used when trying to contact the RADIUS accounting server.
  • Page 268: Radiusrelay

    3.97. RadiusRelay Description RADIUS relay for intercepting packets from a user endpoint and sending packets to a remote RADIUS server. Properties Name Specifies a symbolic name for the relayer. (Identifier) SourceInterface Specifies the name of the receive interface for RADIUS relay requests.
  • Page 269 LogEnabled Enable logging. (Default: Yes) LogSeverity Specifies with what severity log events will be sent to the specified log receivers. (Default: Default) RoutingTable Specifies the routing table the client's host route should be added to. (Default: main) Comments Text describing the current object.
  • Page 270: Radiusserver

    3.98. RadiusServer Description External RADIUS server used to verify user names and passwords. Properties Name Specifies a symbolic name for the server. (Identifier) IPAddress The IP address of the server. Port The UDP port of the server. (Default: 1812) RetryTimeout The retry timeout, in seconds, used when trying to contact the RADIUS server.
  • Page 271: Realtimemonitoralert

    3.99. RealTimeMonitorAlert Description Monitors a statistical value. Log messages are generated if the value goes below the lower threshold or above the high threshold. Properties Index The index of the object, starting at 1. (Identifier) Monitor Statistical value.
  • Page 272: Remotemgmthttp

    3.100. RemoteMgmtHTTP Description Configure HTTP/HTTPS management to enable remote management to the system. Properties Name Specifies a symbolic name for the object. (Identifier) Interface Specifies the interface for which remote access is granted. HTTP Enable remote management via HTTP. (Default: HTTPS Enable remote management via HTTPS.
  • Page 273: Remotemgmtrest

    3.101. RemoteMgmtREST Description Configure REST API management to enable API management to the system. Properties Name Specifies a symbolic name for the object. (Identifier) Interface Specifies the interface for which remote access is granted. HTTP Enable remote management via HTTP. (Default: HTTPS Enable remote management via HTTPS.
  • Page 274: Remotemgmtsettings

    3.102. RemoteMgmtSettings Description Setup and configure methods and permissions for remote management of this system. Properties NetconBiDirTimeout Specifies the number of seconds to wait for the administrator to log in before reverting to the previous configuration. (Default: 30) WebUIBeforeRules Enable HTTP(S) traffic to the firewall regardless of configured IP Rules.
  • Page 275 reboots. Disabling and later re-enabling this setting will trigger a re-numbering of all interfaces in the system. (Default: No) Note This object type does not have an identifier and is identified by the name of the type only.
  • Page 276: Remotemgmtsnmp

    3.103. RemoteMgmtSNMP Description Configure SNMP management to enable SNMP polling. Properties Name Specifies a symbolic name for the object. (Identifier) Interface Specifies the interface for which remote access is granted. SnmpVersion Enabled SNMP version. (Default: SNMPv1_SNMPv2c) Snmp3SecurityLevel Enabled SNMPv3...
  • Page 277: Remotemgmtssh

    3.104. RemoteMgmtSSH Description Configure a Secure Shell (SSH) Server to enable remote management access to the system. Properties Name Specifies a symbolic name for the SSH server. (Identifier) Interface Specifies the interface for which remote access is granted.
  • Page 278 password has to be provided within this number of seconds or the session will be closed. (Default: 30) AuthenticationRetries The number of retries allowed before the session is closed. (Default: 3) AuthSource Optionally enable authentication from an external source.
  • Page 279: Routebalancinginstance

    3.105. RouteBalancingInstance Description A route balancing instance is associated with a routing table and defines how to make use of multiple routes to the same destination. Properties RoutingTable Specify the routing table to deploy route load balancing in. (Identifier) Algorithm Specify which algorithm to use when balancing the routes.
  • Page 280: Routebalancingspilloversettings

    3.106. RouteBalancingSpilloverSettings Description Settings associated with the spillover algorithm. Properties Interface Interface to threshold limit. (Identifier) HoldTime Number of consecutive seconds over/under the threshold limit to trigger state change for the affected routes. (Default: 30) OutboundThreshold Outbound threshold limit.
  • Page 281: Routeradvertisement

    3.107. RouterAdvertisement Description Enabling Router Advertisement will answer Solicitations and periodically send out Advertisements. Stateless address autoconfiguration (SLAAC) will only work correctly if the configured network prefix is 64 (RFC4862). Properties Index The index of the object, starting at 1. (Identifier) Name Specifies a symbolic name for the Router Advertisement.
  • Page 282: Ra_Prefixinformation

    sent. (Default: 0) Comments Text describing the current object. (Optional) Note If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list. 3.107.1.
  • Page 283: Routingrule

    3.108. RoutingRule Description A Routing Rule forces the use of a routing table in the forward and/or return direction of traffic on a connection. The ordering parameter of the routing table determines if it is consulted before or after the main routing table.
  • Page 284: Routingsettings

    3.109. RoutingSettings Description Configure the routing capabilities of the system. Properties RouteFailOver_IfacePollInterval Time (ms) between polling of interface failure. (Default: 500) RouteFailOver_ARPPollInterval Time (ms) between ARP-lookup of gateways. May be overridden for each route. (Default: 1000) RouteFailOver_PingPollInterval Time (ms) between PING'ing of gateways.
  • Page 285: Routingtable

    3.110. RoutingTable Description The system has a predefined main routing table. Alternate routing tables can be defined by the user. Properties Name Specifies a symbolic name for the routing table. (Identifier) Ordering Specifies how a route lookup is done in a named routing table.
  • Page 286 MonitorGateway Mark the route as down if the next hop does not answer on ARP lookups during a specified time. (Default: No) MonitorGatewayARPInterval Specifies the ARP lookup interval in milliseconds. (Default: 1000) EnableHostMonitoring Enables Host Monitoring functionality.
  • Page 287: Route6

    ReachabilityRequired Specifies if this host is required to be reachable for monitoring to be successful. (Default: No) Samples Specifies the number of attempts to use for statistical calculations. (Default: 10) MaxPollFails Specifies the maximum number of failed attempts until the host is considered to be unreachable.
  • Page 288: Switchroute

    publishing routes via Proxy Neighbor Discovery. (Default: No) ProxyNDInterfaces Specifies the interfaces on which the firewall should publish routes via Proxy ARP. (Optional) Comments Text describing the current object. (Optional) Note If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 289: Scheduleprofile

    3.111. ScheduleProfile Description A Schedule Profile defines days and dates and is then used by the various policies in the system. Properties Name Specifies a symbolic name for the service. (Identifier) Specifies during which intervals the schedule profile is active on Mondays.
  • Page 290: Servicegroup

    3.112. ServiceGroup Description A Service Group is a collection of service objects, which can then be used by different policies in the system. Properties Name Specifies a symbolic name for the service. (Identifier) Members Group members. Comments Text describing the current object.
  • Page 291: Serviceicmp

    3.113. ServiceICMP Description An ICMP Service is an object definition representing ICMP traffic with specific parameters. Properties Name Specifies a symbolic name for the service. (Identifier) MessageTypes Specifies the ICMP message types that are applicable to this service. (Default: All) EchoRequest Enable matching of Echo Request messages.
  • Page 292 endpoints to negotiate optimal packet sizes. This prevents fragmentation by network equipment between the endpoints. Path MTU Discovery relies on ICMP message forwarding so ICMP forwarding must also be enabled. (Default: No) Protocol Protocol settings are only used by IP Policies. (Optional) MaxSessionsProtocol Specifies how many concurrent sessions that are...
  • Page 293: Serviceicmpv6

    3.114. ServiceICMPv6 Description An IPv6-ICMP Service is an object definition representing IPv6-ICMP traffic with specific parameters. Properties Name Specifies a symbolic name for the service. (Identifier) MessageTypes Specifies the IPv6-ICMP message types that are applicable to this service. (Default: All) EchoRequest Enable matching of Echo Request messages.
  • Page 294 must also be enabled. (Default: No) Protocol Protocol settings are only used by IP Policies. (Optional) MaxSessionsProtocol Specifies how many concurrent sessions are permitted using this Protocol. (Default: 200) An Application Layer Gateway (ALG), capable of managing advanced protocols, can be specified for this service.
  • Page 295: Serviceipproto

    3.115. ServiceIPProto Description An IP Protocol Service is a definition of an IP protocol with specific parameters. Properties Name Specifies a symbolic name for the service. (Identifier) IPProto IP protocol number or range, e.g. "1-4,7" will match the protocols ICMP, IGMP, GGP, IP-in-IP and CBT.
  • Page 296: Servicetcpudp

    3.116. ServiceTCPUDP Description A TCP/UDP Service is a definition of a TCP or UDP protocol with specific parameters. Properties Name Specifies a symbolic name for the service. (Identifier) DestinationPorts Specifies the destination port or the port ranges applicable to this service.
  • Page 297: Slbpolicy

    3.117. SLBPolicy The definitions here are the same as in Section 3.63.2, "SLBPolicy".
  • Page 298: Sshclientkey

    3.118. SSHClientKey Description The public key of the client connecting to the SSH server. Properties Name Specifies a symbolic name for the key. (Identifier) Type DSA or RSA. (Default: DSA) Subject Value of the Subject header tag of the public key file.
  • Page 299: Sslsettings

    3.119. SSLSettings Description Settings related to SSL (Secure Sockets Layer). Properties SSL_ProcessingPriority The amount of CPU time that SSL processing is allowed to use. (Default: Normal) SSL_TlsVersion Minimum allowed version of the Secure Socket layer. TLSv1.1 is not supported. (Default: TLSv10) TLS_RSA_WITH_AES_256_CBC_SHA256 Enable cipher...
  • Page 300 Note This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
  • Page 301: Sslvpninterface

    3.120. SSLVPNInterface Description An SSL VPN interface, together with the bundled client, creates an easy-to-use tunnel solution for roaming users. Properties Name Specifies a symbolic name for the interface. (Identifier) OuterInterface The physical interface that the SSL VPN interface will listen on.
  • Page 302: Sslvpninterfacesettings

    3.121. SSLVPNInterfaceSettings Description SSL VPN interface settings. Properties SSLVPNBeforeRules Pass SSL VPN connections sent to the firewall directly to the SSL VPN engine without consulting the ruleset. (Default: Yes) Note This object type does not have an identifier and is identified by the name of the type only.
  • Page 303: Statelesspolicy

    3.122. StatelessPolicy The definitions here are the same as in Section 3.63.4, "StatelessPolicy".
  • Page 304: Statesettings

    3.123. StateSettings Description Parameters for the state engine in the system. Properties ConnReplace What to do when the connection table is full. (Default: ReplaceLog) LogOpenFails Log packets that are neither part of open connections nor valid new connections. (Default: Yes) LogReverseOpens Log reverse connection attempts through an...
  • Page 305: Tcpsettings

    3.124. TCPSettings Description Settings related to the TCP protocol. Properties TCPOptionSizes Validity of TCP header option sizes. (Default: ValidateLogBad) TCPMSSMin Minimum allowed TCP MSS (Maximum Segment Size). (Default: 100) TCPMSSOnLow How to handle too low MSS values. (Default: DropLog) TCPMSSMax Maximum allowed TCP MSS (Maximum Segment...
  • Page 306 TCPSynUrg The TCP URG flag together with SYN; normally invalid (strip=strip URG). (Default: DropLog) TCPSynPsh The TCP PSH flag together with SYN; normally invalid but always used by some IP stacks (strip=strip PSH). (Default: StripSilent) TCPSynRst The TCP RST flag together with SYN;...
  • Page 307: Thresholdrule

    3.125. ThresholdRule Description A Threshold Rule defines a filter for matching specific network traffic. When the filter criterion is met, the Threshold Rule Actions are evaluated and possible actions taken. Properties Index The index of the object, starting at 1. (Identifier) Name Specifies a symbolic name for the rule.
  • Page 308 ThresholdUnit Specifies the threshold unit. (Default: ConnsSec) ZoneDefense Activate ZoneDefense. (Default: No) BlackList Activate BlackList. (Default: No) BlackListTimeToBlock The number of seconds that the dynamic black list should remain. (Optional) BlackListBlockOnlyService Only block the service that triggered the blacklisting.
  • Page 309: Updatecenter

    3.126. UpdateCenter Description Configure automatic updates. Properties AVEnabled Automatic updates of antivirus definitions and engine. (Default: No) IDPEnabled Automatic updates of IDP signatures. (Default: No) UpdateInterval Specifies the interval at which the automatic update runs. (Default: Daily) UpdateDate Specifies the day of month when the automatic update is run.
  • Page 310: Userauthrule

    3.127. UserAuthRule Description The User Authentication Ruleset specifies from where users are allowed to authenticate to the system, and how. Properties Index The index of the object, starting at 1. (Identifier) Name Specifies a symbolic name for the rule. Agent ARPCache, HTTP, HTTPS, XAuth, PPP or EAP.
  • Page 311 HTTPBanners HTTP Authentication HTML Banners. (Default: Default) RealmString The string that is presented as a part of the 401 - Authentication Required message. (Optional) HostCertificate Specifies the host certificate that the firewall sends to the client. Only RSA certificates are supported. RootCertificate Specifies the root certificate that was used to sign the host certificate.
  • Page 312 received by the user. (Default: Yes) SessionTime Enable reporting of the number of seconds the session lasted. (Default: Yes) SupportInterimAccounting Enable Interim Accounting Messages to update the accounting server with the current status of an authenticated user. (Default: No) ServerInterimControl Let the RADIUS server determine the interval at which interim accounting events should be sent.
  • Page 313: Vlan

    3.128. VLAN Description Use a VLAN to define a virtual interface compatible with the IEEE 802.1Q / 802.1ad Virtual LAN standard. Properties Name Specifies a symbolic name for the interface. (Identifier) VLANID The virtual LAN ID used for this virtual LAN interface.
  • Page 314 PrivateIP The private IP address of this high availability node. (Optional) PrivateIP6 The private IP6 address of this high availability node. (Default: localhost6) Metric Specifies the metric for the auto-created route. (Default: 100) AutoSwitchRoute Allows traffic to be forwarded transparently across all interfaces with Transparent Mode enabled that belong to the same routing table.
  • Page 315: Vlansettings

    3.129. VLANSettings Description Settings for IEEE 802.1Q based Virtual LAN interfaces. Properties UnknownVLANTags VLAN packets tagged with an unknown ID. (Default: DropLog) Note This object type does not have an identifier and is identified by the name of the type only.
  • Page 316: Voipprofile

    3.130. VoIPProfile Description A VoIP Profile can be used by one or many IP Policies which have their service object configured with SIP or H.323 as protocol. Properties Name Specifies a symbolic name for the Profile. (Identifier) Enables automatic pinhole creation for SIP sessions.
  • Page 317 Comments Text describing the current object. (Optional)
  • Page 318: Webprofile

    3.131. WebProfile Description A Web Profile can be used by one or many IP Policies which have their service object configured with HTTP or HTTPS as protocol. Properties Name Specifies a symbolic name for the Profile. (Identifier) ForceSafeSearch Force SafeSearch on Google, Bing and Yahoo!
  • Page 319 Action Whitelist or Blacklist. (Default: Blacklist) Specifies the URL to blacklist or whitelist. Comments Text describing the current object. (Optional) Note If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 320: Zonedefenseblock

    3.132. ZoneDefenseBlock Description Manually configured blocks are used to block a host/network on the switches either by default or based on schedule. Properties Addresses Specifies the addresses to block. Protocol All, TCP, UDP or ICMP. (Default: All) Port Specifies which UDP or TCP port to use.
  • Page 321: Zonedefenseexcludelist

    3.133. ZoneDefenseExcludeList Description The exclude list is used to exclude certain hosts/networks from being blocked out by IDP/Threshold rule violations. Properties Addresses Specifies the addresses that should not be blocked. (Optional) Comments Text describing the current object. (Optional) Note This object type does not have an identifier and is identified by the name of the type only.
  • Page 322: Zonedefenseswitch

    3.134. ZoneDefenseSwitch Description A ZoneDefense switch will have its ACLs controlled and hosts/networks violating the IDP/Threshold rules will be blocked directly on the switch. Properties Name Specifies a symbolic name for the ZoneDefense switch. (Identifier) SwitchModel Specifies switch model...
  • Page 323: Zonedefenseswitchsettings

    3.135. ZoneDefenseSwitchSettings Description Advanced ZoneDefense Switch Settings. Properties SupervisorEnabled Enables automatic unblocking of hosts that have been blocked for a configurable period of time. A host is only unblocked if the number of times it has been blocked during a supervision period (the contravention value) does not exceed the tolerance, otherwise...
