ZyXEL Communications UAG Series Cli Reference Manual

UAG Series
Unified Access Gateway
Versions: 2.50
Edition 1, 08/2012
Quick Start Guide
CLI Reference Guide

Default Login Details
LAN Port: https://192.168.1.1
User Name: admin
Password: 1234

www.zyxel.com
Copyright © 2011 ZyXEL Communications Corporation
Copyright © 2012 ZyXEL Communications Corporation


Summary of Contents for ZyXEL Communications UAG Series

  • Page 2  IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a Reference Guide for a series of products. Not all products support all firmware features. Screenshots, graphics and commands in this book may differ slightly from your product due to differences in your product firmware or your computer operating system.
  • Page 3: About This CLI Reference Guide

    Intended Audience: This manual is intended for people who want to configure ZLD-based UAGs via the Command Line Interface (CLI). You should have at least a basic knowledge of TCP/IP networking concepts and topology.
  • Page 4: Document Conventions

    Warnings and Notes: These are how warnings and notes are shown in this guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 5 Document Conventions: icon legend (Server, Firewall, Telephone, Switch, Router)...
  • Page 7: Table Of Contents

    Contents Overview: Introduction, p. 19; Command Line Interface, p. 21; User and Privilege Modes, p. 35; Reference, p. 39; Object Reference, p. 41; Status, p. 43; Registration, p. 47; Interfaces, p. 53; Trunks, p. 75; Route, p. 81; Routing Protocol, p. 89; Zones, p. 93; DDNS, p. 97; Virtual Servers, p. 101; VPN 1-1 Mapping, p. 105; HTTP Redirect, p. 109; SMTP Redirect ...
  • Page 8 Contents Overview: Reports and Reboot, p. 237; Session Timeout, p. 243; Diagnostics, p. 245; Packet Flow Explore, p. 247; Maintenance Tools, p. 251; Watchdog Timer, p. 257.
  • Page 9: Table Of Contents

    Table of Contents: About This CLI Reference Guide, p. 3; Document Conventions, p. 4; Contents Overview, p. 7; Table of Contents, p. 9; Part I: Introduction, p. 19; Chapter 1 Command Line Interface, p. 21; 1.1 Overview, p. 21; 1.1.1 The Configuration File, p. 21; 1.2 Accessing the CLI, p. 21; 1.2.1 Console Port, p. 22; 1.2.2 Web Configurator Console, p. 22; 1.2.3 Telnet, p. 25...
  • Page 10 Table of Contents: 1.9 Saving Configuration Changes, p. 33; 1.10 Logging Out, p. 33; Chapter 2 User and Privilege Modes, p. 35; 2.1 User And Privilege Modes, p. 35; 2.1.1 Debug Commands, p. 36; Part II: Reference, p. 39; Chapter 3 Object Reference, p. 41; 3.1 Object Reference Commands, p. 41; 3.1.1 Object Reference Command Example, p. 42; Chapter 4 Status, p. 43...
  • Page 11 Table of Contents: 6.4.1 Virtual Interface Command Examples, p. 69; 6.5 PPPoE/PPTP Specific Commands, p. 70; 6.5.1 PPPoE/PPTP Interface Command Examples, p. 71; 6.6 USB Storage Specific Commands, p. 71; 6.6.1 USB Storage General Commands Example, p. 72; 6.7 VLAN Interface Specific Commands, p. 72; 6.7.1 VLAN Interface Command Examples, p. 73; 6.8 Bridge Specific Commands, p. 73; 6.8.1 Bridge Interface Command Examples, p. 74; Chapter 7...
  • Page 12 Table of Contents: 10.1 Zones Overview, p. 93; 10.2 Zone Commands Summary, p. 94; 10.2.1 Zone Command Examples, p. 95; Chapter 11 DDNS, p. 97; 11.1 DDNS Overview, p. 97; 11.2 DDNS Commands Summary, p. 98; Chapter 12 Virtual Servers, p. 101; 12.1 Virtual Server Overview, p. 101; 12.1.1 1:1 NAT and Many 1:1 NAT, p. 101; 12.2 Virtual Server Commands Summary, p. 101; 12.2.1 Virtual Server Command Examples, p. 103; 12.2.2 Tutorial - How to Allow Public Access to a Server, p. 104...
  • Page 13 Table of Contents: 16.1 ALG Introduction, p. 115; 16.2 ALG Commands, p. 116; 16.3 ALG Commands Example, p. 117; Chapter 17 IP/MAC Binding, p. 119; 17.1 IP/MAC Binding Overview, p. 119; 17.2 IP/MAC Binding Commands, p. 119; 17.3 IP/MAC Binding Commands Example, p. 120; Chapter 18 Firewall, p. 121; 18.1 Firewall Overview, p. 121...
  • Page 14 Table of Contents: 21.4 Content Filtering Reports, p. 143; 21.5 Content Filter Command Input Values, p. 144; 21.6 General Content Filter Commands, p. 145; 21.7 Content Filter Filtering Profile Commands, p. 147; 21.8 Content Filter URL Cache Commands, p. 149; 21.9 Content Filtering Statistics, p. 150; 21.9.1 Content Filtering Statistics Example, p. 151; 21.10 Content Filtering Commands Example, p. 151; Chapter 22...
  • Page 15 Table of Contents: 26.2 Authentication Server Command Summary, p. 175; 26.2.1 ad-server Commands, p. 175; 26.2.2 ldap-server Commands, p. 176; 26.2.3 radius-server Commands, p. 177; 26.2.4 radius-server Command Example, p. 177; 26.2.5 aaa group server ad Commands, p. 177; 26.2.6 aaa group server ldap Commands, p. 178; 26.2.7 aaa group server radius Commands, p. 179; 26.2.8 aaa group server Command Example, p. 180; Chapter 27...
  • Page 16 Table of Contents: Chapter 32 System, p. 201; 32.1 System Overview, p. 201; 32.2 Customizing the WWW Login Page, p. 201; 32.3 Host Name Commands, p. 203; 32.4 Time and Date, p. 203; 32.4.1 Date/Time Commands, p. 204; 32.5 Console Port Speed, p. 204; 32.6 DNS Overview, p. 205; 32.6.1 Domain Zone Forwarder, p. 205; 32.6.2 DNS Commands, p. 205; 32.6.3 DNS Command Example, p. 206...
  • Page 17 Table of Contents: 34.2.1 Comments in Configuration Files or Shell Scripts, p. 218; 34.2.2 Errors in Configuration Files or Shell Scripts, p. 219; 34.2.3 UAG Configuration File Details, p. 219; 34.2.4 Configuration File Flow at Restart, p. 220; 34.3 File Manager Commands Input Values, p. 220; 34.4 File Manager Commands Summary, p. 221; 34.5 File Manager Command Examples, p. 222; 34.6 FTP File Transfer, p. 222...
  • Page 18 Table of Contents: Chapter 39 Packet Flow Explore, p. 247; 39.1 Packet Flow Explore, p. 247; 39.2 Packet Flow Explore Commands, p. 247; 39.3 Packet Flow Explore Commands Example, p. 248; Chapter 40 Maintenance Tools, p. 251; 40.1 Maintenance Command Examples, p. 253; 40.1.1 Packet Capture Command Example, p. 254; Chapter 41 Watchdog Timer, p. 257; 41.1 Hardware Watchdog Timer, p. 257...
  • Page 19: Introduction

    Introduction...
  • Page 21: Command Line Interface

    Chapter 1 Command Line Interface. This chapter describes how to access and use the CLI (Command Line Interface). 1.1 Overview If you have problems with your UAG, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the UAG and possibly render it unusable.
  • Page 22: Console Port

    Chapter 1 Command Line Interface 1.2.1 Console Port The default settings for the console port are as follows. Table 1 Managing the UAG: Console Port lists the settings Speed (115200 bps), Data Bits, Parity (None), Stop Bit and Flow Control. When you turn on your UAG, it performs several internal tests as well as line initialization. You can view the initialization information using the console port.
  • Page 23 Chapter 1 Command Line Interface When you access the CLI using the web console, your computer establishes an SSH (Secure SHell) connection to the UAG. Follow the steps below to access the web console. Log into the web configurator. Click the Console icon in the top-right corner of the web configurator screen.
  • Page 24 Chapter 1 Command Line Interface Note: The default login username is admin. It is case-sensitive. Figure 5 Web Console: Connecting. Then, the Password screen appears. Figure 6 Web Console: Password. Enter the password for the user name you specified earlier, and click OK. If you enter the password incorrectly, you get an error message, and you may have to close the console window and open it again.
  • Page 25: Telnet

    Chapter 1 Command Line Interface 1.2.3 Telnet Use the following steps to Telnet into your UAG. If your computer is connected to the UAG over the Internet, skip to the next step. Make sure your computer IP address and the UAG IP address are on the same subnet. In Windows, click Start (usually in the bottom left corner) and Run.
  • Page 26: How Commands Are Explained

    Chapter 1 Command Line Interface 1.4 How Commands Are Explained Each chapter explains the commands for one keyword. The chapters are divided into the following sections. 1.4.1 Background Information (Optional) Note: See the User’s Guide for background information about most features. This section provides background information about features that you cannot configure in the web configurator.
  • Page 27: Changing The Password

    Chapter 1 Command Line Interface • range: Enter exactly as it appears, followed by two numbers between 1 and 65535. 1.4.6 Changing the Password It is highly recommended that you change the password for accessing the UAG. See Section 22.2 on page 156 for the appropriate commands.
  • Page 28: Shortcuts And Help

    Chapter 1 Command Line Interface 1.6 Shortcuts and Help 1.6.1 List of Available Commands A list of valid commands can be found by typing [TAB] at the command prompt. To view a list of available commands within a command group, enter <command>...
  • Page 29: Entering Partial Commands

    Chapter 1 Command Line Interface 1.6.3 Entering Partial Commands The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the UAG automatically display the full command. For example, if you enter and press , the full command of automatically...
  • Page 30: Input Values

    Chapter 1 Command Line Interface 1.7 Input Values You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen.
  • Page 31 Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES LEGAL VALUES e-mail 1-64 alphanumeric or .@_- encryption key 16-64 “0x” or “0X” + 16-64 hexadecimal values 8-32 alphanumeric or ;\|`~!@#$%^&*()_+\\{}':,./<>=- file name 0-31 alphanumeric or _- filter extension...
  • Page 32 Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES LEGAL VALUES phone number 1-20 numbers or ,+ preshared key 16-64 “0x” or “0X” + 16-64 hexadecimal values alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=- profile name 0-30 alphanumeric or _- first character: letters or _-...
  • Page 33: Ethernet Interfaces

    Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued). week-day sequence, i.e. 1=first, 2=second. xauth method: 1-31 alphanumeric or _-. xauth password: 1-31 alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-. mac address: 0-12 (even number of hexadecimal digits), for example: aa, aabbcc, aabbccddeeff. 1.8 Ethernet Interfaces...
  • Page 35: User And Privilege Modes

    Chapter 2 User and Privilege Modes. This chapter describes how to use these two modes. 2.1 User And Privilege Modes This is the mode you are in when you first log into the CLI. (Do not confuse ‘user mode’ with types of user accounts the UAG uses.
  • Page 36: Debug Commands

    Chapter 2 User and Privilege Modes Table 4 User (U) and Privilege (P) Mode Commands (continued). exit: Goes to a previous mode or logs out. Goes to htm (hardware test module) mode for testing hardware components. You may need to use the htm commands if your customer support engineer asks you to during troubleshooting.
  • Page 37 Chapter 2 User and Privilege Modes Table 5 Debug Commands (continued). debug eps: Endpoint security debug commands. debug force-auth (*): Authentication policy debug commands. debug gui (*): Web Configurator related debug commands. debug hardware (*): Hardware debug commands. debug interface: Interface debug commands...
  • Page 39: Reference

    Reference...
  • Page 41: Object Reference

    Chapter 3 Object Reference. This chapter describes how to use object reference commands. 3.1 Object Reference Commands The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
  • Page 42: Object Reference Command Example

    Chapter 3 Object Reference Table 6 show reference Commands (continued). show reference object-group username [username]: Displays which configuration settings reference the specified user group object. show reference object-group address [object_name]: Displays which configuration settings reference the specified address group object. show reference object-group service: Displays which configuration settings reference the specified service...
  • Page 43: Status

    Chapter 4 Status. This chapter explains some commands you can use to display information about the UAG’s current operational state. Table 7 Status Show Commands. show boot status: Displays details about the UAG’s startup state. show comport status: Displays whether the console and auxiliary ports are on or off. Displays the CPU utilization.
  • Page 44 Chapter 4 Status Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size, and serial number. Router(config)# show fan-speed FAN1(F00)(rpm): limit(hi)=8000, limit(lo)=1400, max=6115, min=6115, avg=6115 Router(config)# show mac MAC address: 00:00:AA:80:05:58-00:00:AA:80:05:5C Router(config)# show mem status memory usage: 39% Router(config)# show ram-size ram size: 512MB...
  • Page 45 Here are examples of the commands that display the system uptime and model, firmware, and build information. Router> show system uptime system uptime: 04:18:00 Router> show version ZyXEL Communications Corp. model : UAG715 firmware version: V2.50(AACG.0) BM version : 1.22...
  • Page 47: Registration

    Chapter 5 Registration. This chapter introduces myzyxel.com and shows you how to register the UAG for the content filtering service using commands. 5.1 myZyXEL.com Overview myZyXEL.com is ZyXEL’s online services center where you can register your UAG and manage subscription services available for the UAG.
  • Page 48: Registration Commands

    Chapter 5 Registration 5.2 Registration Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 8 Input Values for General Registration Commands. user_name: The user name of your myZyXEL.com account. You must use six to 20 alphanumeric characters (and the underscore).
  • Page 49: Country Code

    Chapter 5 Registration The following command displays the account information and whether the device is registered. Router# configure terminal Router(config)# show device-register status username : example password : 123456 device register status : yes expiration self check : no The following command displays the service registration status and type and how many days remain before the service expires.
  • Page 50 Chapter 5 Registration Table 10 Country Codes (continued), country names: Cayman Islands, Central African Republic, Chad, Chile, China, Christmas Island, Cocos (Keeling) Islands, Colombia, Comoros, Congo (Democratic Republic of the), Congo (Republic of), Cook Islands, Costa Rica, Cote d'Ivoire, Croatia/Hrvatska...
  • Page 51 Chapter 5 Registration Table 10 Country Codes (continued), country names: Lesotho, Liberia, Liechtenstein, Lithuania, Luxembourg, Macau, Macedonia (Former Yugoslav Republic), Madagascar, Malawi, Malaysia, Maldives, Mali, Malta, Marshall Islands, Martinique, Mauritania, Mauritius, Mayotte, Mexico, Micronesia (Federal State of), Moldova (Republic of), Monaco, Mongolia...
  • Page 52 Chapter 5 Registration Table 10 Country Codes (continued), country names: Suriname, Svalbard and Jan Mayen Islands, Swaziland, Sweden, Switzerland, Taiwan, Tajikistan, Tanzania, Thailand, Togo, Tokelau, Tonga, Trinidad and Tobago, Tunisia, Turkey, Turkmenistan, Turks and Caicos Islands, Tuvalu, US Minor Outlying Islands, Uganda...
  • Page 53: Interfaces

    Chapter 6 Interfaces. This chapter shows you how to use interface-related commands. 6.1 Interface Overview In general, an interface has the following characteristics. • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. •...
  • Page 54: Relationships Between Interfaces

    Chapter 6 Interfaces Port groups, and trunks have a lot of characteristics that are specific to each type of interface. These characteristics are listed in the following tables and discussed in more detail farther on. Table 11 Ethernet, VLAN, Bridge, PPP, and Virtual Interface Characteristics CHARACTERISTICS ETHERNET ETHERNET...
  • Page 55: Interface General Commands Summary

    Chapter 6 Interfaces Table 12 Relationships Between Different Types of Interfaces (continued). virtual interface: (virtual Ethernet interface) Ethernet interface*; (virtual VLAN interface) VLAN interface*; (virtual bridge interface) bridge interface. trunk: Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface. * You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface, or virtual VLAN interface if the underlying interface is a member of a bridge.
  • Page 56: Basic Interface Properties And Ip Address Commands

    Chapter 6 Interfaces 6.2.1 Basic Interface Properties and IP Address Commands This table lists basic properties and IP address commands. Table 14 interface General Commands: Basic Properties and IP Address Assignment. show interface {ethernet | vlan | bridge | ppp | auxiliary} status: Displays the connection status of the specified type of interfaces. Displays information about the specified interface, specified type of...
  • Page 57 Chapter 6 Interfaces Table 14 interface General Commands: Basic Properties and IP Address Assignment (continued). traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} deactivate: Turns off traffic priority settings for when the interface sends the specified type of traffic. [no] upstream <0..1048576>: Specifies the upstream bandwidth for the specified interface. The ...
  • Page 58 Chapter 6 Interfaces This example shows how to modify the name of interface lan2 to “VIP”. First you have to check the interface system name (ge4 in this example) on the UAG. Then change the name and display the result. Router>...
  • Page 59: Dhcp Setting Commands

    Chapter 6 Interfaces This example shows how to restart an interface. You can check all interface names on the UAG. Then use either the system name or user-defined name of an interface (ge4 or Customer in this example) to restart it. Router>...
  • Page 60 Chapter 6 Interfaces Table 15 interface Commands: DHCP Settings (continued). [no] host ip: Specifies the static IP address the UAG should assign. Use this command, along with hardware-address, to create a static DHCP entry. Note: The IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool.
  • Page 61 Chapter 6 Interfaces Table 15 interface Commands: DHCP Settings (continued). [no] starting-address ip pool-size <1..65535>: Sets the IP start address and maximum pool size of the specified DHCP pool. The final pool size is limited by the subnet mask. ...
  • Page 62 Chapter 6 Interfaces 6.2.2.1 DHCP Setting Command Examples The following example uses these commands to configure DHCP pool DHCP_TEST. Router# configure terminal Router(config)# ip dhcp pool DHCP_TEST Router(config-ip-dhcp-pool)# network 192.168.1.0 /24 Router(config-ip-dhcp-pool)# domain-name zyxel.com Router(config-ip-dhcp-pool)# first-dns-server 10.1.5.1 Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns Router(config-ip-dhcp-pool)# third-dns-server 10.1.5.2 Router(config-ip-dhcp-pool)#...
  • Page 63: Interface Parameter Command Examples

    Chapter 6 Interfaces 6.2.3 Interface Parameter Command Examples This table shows an example of each interface type’s sub-commands. The sub-commands vary for different interface types. Table 16 Examples for Different Interface Parameters. Ethernet: Router(config)# interface wan1, then Router(config-if-wan1)#. Virtual interface: Router(config)# interface wan1:1, then Router(config-if-vir)#. PPPoE/PPTP: Router(config)# interface wan1_ppp...
  • Page 64: Ospf Commands

    Chapter 6 Interfaces Table 17 interface Commands: RIP Settings (continued). [no] ip rip {send | receive} version <1..2>: Sets the send or receive version to the specified version number. The no command sets the send or receive version to the current global ...
  • Page 65 Chapter 6 Interfaces Table 18 interface Commands: OSPF Settings (continued). [no] ip ospf dead-interval <1..65535>: Sets the number of seconds the UAG waits for “hello” messages from peer routers before it assumes the peer router is not available and deletes associated routing information.
  • Page 66: Connectivity Check (Ping-Check) Commands

    Chapter 6 Interfaces 6.2.6 Connectivity Check (Ping-check) Commands Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the UAG stops routing to the gateway.
  • Page 67: Ethernet Interface Specific Commands

    Chapter 6 Interfaces 6.2.6.1 Connectivity Check Command Example The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2. Router# configure terminal Router(config)# interface wan1 Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080 Router(config-if-wan1)# exit Router(config)# show ping-check...
  • Page 68: Port Grouping Commands

    Chapter 6 Interfaces Table 21 interface Commands: MAC Setting (continued). type {internal | external | general}: Sets which type of network you will connect this interface to. The UAG automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces;...
  • Page 69: Virtual Interface Specific Commands

    Chapter 6 Interfaces 6.3.2.1 Port Grouping Command Examples The following commands add physical port 5 to interface lan1. Router# configure terminal Router(config)# show port-grouping No. Representative Name Port1 Port2 Port3 Port4 Port5 ========================================================= wan1 wan2 lan1 lan2 Router(config)# port-grouping lan1 Router(config-port-grouping)# port 5 Router(config-port-grouping)# exit Router(config)# show port-grouping...
  • Page 70: Pppoe/Pptp Specific Commands

    Chapter 6 Interfaces gateway 4.6.7.8, upstream bandwidth 345, downstream bandwidth 123, and description “I am vir interface”. Router# configure terminal Router(config)# interface lan1:1 Router(config-if-vir)# ip address 1.2.3.4 255.255.255.0 Router(config-if-vir)# ip gateway 4.6.7.8 Router(config-if-vir)# upstream 345 Router(config-if-vir)# downstream 123 Router(config-if-vir)# description I am vir interface Router(config-if-vir)# exit 6.5 PPPoE/PPTP Specific Commands This section covers commands that are specific to PPPoE/PPTP interfaces.
  • Page 71: Pppoe/Pptp Interface Command Examples

    Chapter 6 Interfaces Table 24 interface Commands: PPPoE/PPTP Interfaces (continued). [no] mss <536..1452>: Specifies the maximum segment size (MSS) the interface can use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece.
  • Page 72: Usb Storage General Commands Example

    Chapter 6 Interfaces Table 25 USB Storage General Commands (continued). usb-storage mount: Mounts the connected USB storage device. usb-storage umount: Unmounts the connected USB storage device. [no] logging usb-storage: Sets whether the UAG logs information about the connected USB storage device(s) to the system log.
  • Page 73: Vlan Interface Command Examples

    Chapter 6 Interfaces The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 26 Input Values for VLAN Interface Commands. interface_name: VLAN interface: vlanx, x = 0 - 4094. See Table 13 on page 55 for detailed information about the interface name.
  • Page 74: Bridge Interface Command Examples

    Chapter 6 Interfaces The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 28 Input Values for Bridge Interface Commands. interface_name: The name of the interface. VLAN interface: vlanx, x = 0 - 4094; bridge interface: brx, x = 0 - N, where N depends on the number of bridge interfaces your UAG model supports.
  • Page 75: Trunks

    Chapter 7 Trunks. This chapter shows you how to configure trunks on your UAG. 7.1 Trunks Overview You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface’s connection goes down, the UAG sends traffic through another member of the trunk.
  • Page 76: Trunk Commands Input Values

    Chapter 7 Trunks 7.3 Trunk Commands Input Values The following table explains the values you can input with the interface-group commands. Table 30 interface-group Command Input Values. group-name: A descriptive name for the trunk. The name cannot start with a number. This value is case-sensitive. The name of an interface; it could be an Ethernet, PPP, VLAN or bridge interface.
  • Page 77: Trunk Command Examples

    Chapter 7 Trunks Table 31 interface-group Commands Summary (continued). show system default-snat: Displays whether the UAG enables SNAT or not. The UAG performs SNAT by default for traffic going to or from the WAN interfaces. show system default-interface-group: Displays the WAN trunk the UAG first attempts to use. 7.5 Trunk Command Examples The following example creates a weighted round robin trunk for Ethernet interfaces wan1 and...
  • Page 78: Link Sticking

    Chapter 7 Trunks 7.6 Link Sticking You can have the UAG send each local computer’s traffic through a single WAN interface for a specified period of time. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file.
  • Page 79: Link Sticking Command Example

    Chapter 7 Trunks mode before you can use these commands. See Table 30 on page 76 for details about the values you can input with these commands. Table 32 ip load-balancing link-sticking Commands Summary. [no] ip load-balancing link-sticking activate: Turns link sticking on or off. [no] ip load-balancing link-sticking timeout: Sets for how many seconds (30-3600) the UAG sends all of each...
  • Page 81: Route

    Chapter 8 Route. This chapter shows you how to configure policies for IP routing and static routes on your UAG. 8.1 Policy Route Traditionally, routing is based on the destination address only and the UAG takes the shortest path to forward a packet.
  • Page 82 Chapter 8 Route The following table describes the commands available for policy route. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 34 Command Summary: Policy Route. [no] bwm activate: Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy route policies apply bandwidth management.
  • Page 83 Chapter 8 Route Table 34 Command Summary: Policy Route (continued). exit: Leaves the sub-command mode. [no] interface interface_name: Sets the interface on which the incoming packets are received. The no command resets the incoming interface to the default, which means all interfaces.
  • Page 84: Assured Forwarding (Af) Phb For Diffserv

    Chapter 8 Route Table 34 Command Summary: Policy Route (continued). [no] policy controll-virtual-server-rules activate: Gives policy routes priority over NAT virtual server rules (1-1 SNAT). Use the no command to give NAT virtual server rules priority over policy routes. show bwm activation: Displays whether or not the global setting for bandwidth management on the UAG is enabled.
  • Page 85: Ip Static Route

    Chapter 8 Route ...through the interface wan1 to the next-hop router GW_1. This route uses the IP address of the outgoing interface as the matched packets' source IP address.
      Router(config)# address-object TW_SUBNET 192.168.2.0 255.255.255.0
      Router(config)# address-object GW_1 192.168.2.250
      Router(config)# policy insert 1
      Router(policy-route)# description example
      Router(policy-route)# destination any
      Router(policy-route)# interface ge1...
  • Page 86: Static Route Commands

    Chapter 8 Route ...a route through the same gateway R1 (via gateway R2). Static routes tell the UAG about networks beyond the ones directly connected to it. Figure 15 Example of Static Routing Topology 8.4 Static Route Commands The following table describes the commands available for static route.
  • Page 87: Static Route Commands Examples

    Chapter 8 Route 8.4.1 Static Route Commands Examples The following command sets a static route to the network 10.10.10.0 with subnet mask 255.255.255.0 via the next-hop interface wan1. Then use the show command to display the setting.
      Router(config)# ip route 10.10.10.0 255.255.255.0 wan1
      Router(config)#
      Router(config)# show ip route-settings
      Route...
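The chapter's point is the difference between destination-only routing and policy routing. The following is an added example, not code from the ZyXEL manual, that shows how the two tables interact: active policy routes are tried in index order and the first match wins; only if none matches does the static/connected table decide by longest prefix match. That ordering, the tie-break on metric, and every interface name, subnet and gateway below are assumptions and constructed sample data, not values from the page.

```python
"""Added example, not code from the ZyXEL manual: how policy routes and
static routes together select a next hop for a packet.

Assumed semantics (the page states the ideas but not these exact rules):
active policy routes are tried in index order and the first match wins;
if none matches, the static/connected table is consulted with longest
prefix match, lower metric breaking ties.  All interface names, subnets
and gateways below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class PolicyRoute:
    index: int
    active: bool
    incoming: str                       # "any" (the default) or an interface name
    source: IPv4Network                 # matched source subnet
    destination: IPv4Network            # matched destination subnet
    service: Optional[Tuple[str, int]]  # (protocol, destination port) or None for any
    next_hop_iface: str
    next_hop_gw: Optional[str]


@dataclass
class StaticRoute:
    prefix: IPv4Network
    iface: str
    gateway: Optional[str] = None       # None: next hop is the interface itself
    metric: int = 0


def policy_matches(pr: PolicyRoute, pkt: dict) -> bool:
    """Every configured criterion of the policy route must match the packet."""
    if not pr.active:
        return False
    if pr.incoming != "any" and pr.incoming != pkt["in_iface"]:
        return False
    if ip_address(pkt["src"]) not in pr.source:
        return False
    if ip_address(pkt["dst"]) not in pr.destination:
        return False
    if pr.service is not None and pr.service != (pkt["proto"], pkt["dport"]):
        return False
    return True


def longest_prefix(routes, dst: str) -> Optional[StaticRoute]:
    """Classic destination-only lookup: most specific prefix, then lowest metric."""
    addr = ip_address(dst)
    best = None
    for r in routes:
        if addr not in r.prefix:
            continue
        if best is None or (r.prefix.prefixlen, -r.metric) > (best.prefix.prefixlen, -best.metric):
            best = r
    return best


def route_packet(policy_routes, static_routes, pkt: dict) -> tuple:
    """Return (decision, policy index, outgoing interface, gateway)."""
    for pr in sorted(policy_routes, key=lambda p: p.index):
        if policy_matches(pr, pkt):
            return ("policy", pr.index, pr.next_hop_iface, pr.next_hop_gw)
    r = longest_prefix(static_routes, pkt["dst"])
    if r is None:
        return ("drop", None, None, None)  # no route at all
    return ("static", None, r.iface, r.gateway)


def sample_tables():
    """Constructed tables: a policy route for HTTPS from 192.168.2.0/24, a
    static route to 10.10.10.0/24 via wan1 like the page's, and a default route."""
    policy = [
        PolicyRoute(1, True, "lan1", ip_network("192.168.2.0/24"),
                    ip_network("0.0.0.0/0"), ("tcp", 443), "wan2", "10.0.2.1"),
        PolicyRoute(2, False, "any", ip_network("0.0.0.0/0"),
                    ip_network("0.0.0.0/0"), None, "wan2", "10.0.2.1"),  # deactivated
    ]
    static = [
        StaticRoute(ip_network("192.168.2.0/24"), "lan1"),         # connected
        StaticRoute(ip_network("10.10.10.0/24"), "wan1"),          # next-hop interface only
        StaticRoute(ip_network("0.0.0.0/0"), "wan1", "10.0.1.1"),  # default route
    ]
    return policy, static


if __name__ == "__main__":
    policy, static = sample_tables()
    for pkt in (
        {"in_iface": "lan1", "src": "192.168.2.5", "dst": "203.0.113.9", "proto": "tcp", "dport": 443},
        {"in_iface": "lan1", "src": "192.168.2.5", "dst": "203.0.113.9", "proto": "tcp", "dport": 80},
        {"in_iface": "lan1", "src": "192.168.2.5", "dst": "10.10.10.7", "proto": "udp", "dport": 53},
    ):
        print(pkt["dst"], pkt["dport"], "->", route_packet(policy, static, pkt))
```

Only the HTTPS flow from lan1 takes the policy route to wan2; everything else, including the same flow arriving on a different interface, falls back to the destination-only lookup, which is exactly the behaviour an operator has to keep in mind when a policy route is deactivated or its incoming interface is left at the default.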
  • Page 89: Routing Protocol

    Chapter 9 Routing Protocol. This chapter describes how to set up RIP and OSPF routing protocols for the UAG. 9.1 Routing Protocol Overview Routing protocols give the UAG routing information about the network from other routers. The UAG then stores this routing information in the routing table, which it uses when it makes routing decisions.
  • Page 90: Rip Commands

    Chapter 9 Routing Protocol 9.2.1 RIP Commands This table lists the commands for RIP.
    Table 39 router Commands: RIP
      router rip: Enters sub-command mode.
      [no] network interface_name: Enables RIP on the specified Ethernet interface. The no command disables RIP on the specified interface.
      [no] redistribute {static | ospf}: Enables redistribution of routing information learned from the specified source.
  • Page 91: Ospf Area Commands

    Chapter 9 Routing Protocol 9.2.3 OSPF Area Commands This table lists the commands for OSPF areas.
    Table 41 router Commands: OSPF Areas
      router ospf: Enters sub-command mode.
      [no] network interface area IP: Adds the specified interface to the specified area. The no command removes the specified interface from the specified area.
  • Page 92: Learned Routing Information Commands

    Chapter 9 Routing Protocol 9.2.5 Learned Routing Information Commands This table lists the commands to look at learned routing information.
    Table 43 ip route Commands: Learned Routing Information
      show ip route [kernel | connected | static | ospf | rip | ...: Displays learned routing and other routing information.
  • Page 93: Zones

    Chapter 10 Zones. Set up zones to configure network security and network policies in the UAG. 10.1 Zones Overview A zone is a group of interfaces and VPN tunnels. The UAG uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management. Zones cannot overlap.
  • Page 94: Zone Commands Summary

    Chapter 10 Zones 10.2 Zone Commands Summary The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands.
    Table 44 Input Values for Zone Commands
      profile_name: The name of a zone, or the name of a VPN tunnel. Use up to 31 characters (a-zA-Z0-9_-).
  • Page 95: Zone Command Examples

    Chapter 10 Zones 10.2.1 Zone Command Examples The following commands add interfaces vlan123 and vlan234 to zone A and block intra-zone traffic.
      Router# configure terminal
      Router(config)# zone A
      Router(zone)# interface vlan123
      Router(zone)# interface vlan234
      Router(zone)# block
      Router(zone)# exit
      Router(config)# show zone
      No....
  • Page 97: Ddns

    Chapter 11 DDNS. This chapter describes how to configure dynamic DNS (DDNS) services for the UAG. 11.1 DDNS Overview DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address.
  • Page 98: Ddns Commands Summary

    Chapter 11 DDNS 11.2 DDNS Commands Summary The following table describes the values required for many DDNS commands. Other values are discussed with the corresponding commands.
    Table 47 Input Values for DDNS Commands
      profile_name: The name of the DDNS profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 99 Chapter 11 DDNS Table 48 ip ddns Commands (continued) COMMAND DESCRIPTION Sets the backup WAN interface in the specified DDNS profile. [no] backup-iface interface_name command clears it. Sets the HA interface in the specified DDNS profile. The [no] ha-iface interface_name command clears it.
  • Page 101: Virtual Servers

    Chapter 12 Virtual Servers. This chapter describes how to set up, manage, and remove virtual servers. Virtual server commands configure NAT. 12.1 Virtual Server Overview Virtual server is also known as port forwarding or port translation. Virtual servers are computers on a private network behind the UAG that you want to make available outside the private network.
  • Page 102 Chapter 12 Virtual Servers The following table lists the virtual server commands. Table 50 ip virtual-server Commands COMMAND DESCRIPTION show ip virtual-server [profile_name] Displays information about the specified virtual server or about all the virtual servers. Deletes the specified virtual server. no ip virtual-server profile_name Creates or modifies the specified virtual server and maps the specified ip virtual-server profile_name...
  • Page 103: Virtual Server Command Examples

    Chapter 12 Virtual Servers Table 50 ip virtual-server Commands (continued)
      ip virtual-server profile_name interface interface_name original-ip ...: Creates or modifies the specified virtual server and maps the specified destination IP address, protocol, and service object to the specified destination IP address and service object.
  • Page 104: Tutorial - How To Allow Public Access To A Server

    Chapter 12 Virtual Servers 12.2.2 Tutorial - How to Allow Public Access to a Server This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). You will use a public IP address of 1.1.1.2 on the wan1 interface and map it to the HTTP server’s private IP address of 192.168.3.7.
  • Page 105: Vpn 1-1 Mapping

    Chapter 13 VPN 1-1 Mapping. This chapter shows you how to configure VPN 1-1 mapping on your UAG. 13.1 VPN 1-1 Mapping Overview VPN 1-1 mapping allows an authenticated user in your network to access the Internet or an external server using a public IP address different from the one used by the UAG's WAN interface. With VPN 1-1 mapping, each user that logs into the UAG and matches a pre-configured mapping rule can obtain an individual public IP address.
  • Page 106 Chapter 13 VPN 1-1 Mapping The following table describes the commands available for VPN 1-1 mapping. You must use the command to enter the configuration mode before you can use the configure terminal configuration commands. Table 52 Command Summary: vpn-1-1-map COMMAND DESCRIPTION Enables VPN 1-1 mapping on the UAG.
  • Page 107: Vpn-1-1-Map Pool Sub-Commands

    Chapter 13 VPN 1-1 Mapping 13.2.1 vpn-1-1-map pool Sub-commands The following table describes the sub-commands for the vpn-1-1-map pool command.
    Table 53 vpn-1-1-map pool Sub-commands
      address address_object: Configures the name of the IP address object the profile is set to use. An address object represents the IP address(es) that the UAG can assign to the matched users.
  • Page 108: Vpn-1-1-Map Rule Command Examples

    Chapter 13 VPN 1-1 Mapping Table 54 vpn-1-1-map rule Sub-commands (continued)
      [no] pool profile_name: Sets the name of the pool profile used by this rule. You can associate up to four pool profiles with a VPN 1-1 mapping rule. The no command removes the specified pool profile.
  • Page 109: Http Redirect

    Chapter 14 HTTP Redirect. This chapter shows you how to configure HTTP redirection on your UAG. 14.1 HTTP Redirect Overview HTTP redirect forwards the client's HTTP request (except HTTP traffic destined for the UAG) to a web proxy server. 14.1.1 Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
  • Page 110: Http Redirect Command Examples

    Chapter 14 HTTP Redirect Table 56 Command Summary: HTTP Redirect (continued)
      ip http-redirect deactivate description: Disables the rule with the specified rule name.
      no ip http-redirect description: Removes the rule with the specified rule name.
      ip http-redirect flush: Clears all HTTP redirect rules.
      Displays HTTP redirect settings.
  • Page 111: Smtp Redirect

    Chapter 15 SMTP Redirect. This chapter shows you how to configure SMTP redirection on your UAG. 15.1 SMTP Redirect Overview SMTP redirect forwards the authenticated client's SMTP messages to an SMTP server that handles all outgoing e-mail messages. The UAG forwards SMTP traffic using TCP port 25. 15.1.1 SMTP Simple Mail Transfer Protocol (SMTP) is the Internet's message transport standard.
  • Page 112: Smtp-Redirect Sub-Commands

    Chapter 15 SMTP Redirect The following table describes the commands available for SMTP redirection. You must use the configure terminal command to enter the configuration mode before you can use the configuration commands.
    Table 58 Command Summary: SMTP Redirect
      [no] smtp-redirect <1..16>...: Enters the smtp-redirect sub-command mode to set an SMTP redirect...
  • Page 113: Smtp Redirect Command Examples

    Chapter 15 SMTP Redirect 15.2.2 SMTP Redirect Command Examples The following commands create an SMTP redirect rule, enable it and display the settings.
      Router# configure terminal
      Router(config)# smtp-redirect 1
      Router(smtp-redirect)# activate
      Router(smtp-redirect)# interface lan2
      Router(smtp-redirect)# server smtp.zyxel.com.tw
      Router(smtp-redirect)# source lan1_1
      Router(smtp-redirect)# user admin
      Router(smtp-redirect)# exit
      Router(config)# show smtp-redirect...
  • Page 115: Alg

    Chapter 16 ALG. This chapter covers how to use the UAG's ALG feature to allow certain applications to pass through the UAG. 16.1 ALG Introduction The UAG can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the UAG's NAT. Some applications cannot operate through NAT (are NAT-unfriendly) because they embed IP addresses and port numbers in their packets'...
  • Page 116: Alg Commands

    Chapter 16 ALG 16.2 ALG Commands The following table lists the commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
    Table 60 alg Commands
      [no] alg sip [inactivity-timeout | signal-port ...: Turns on or configures the ALG. Use inactivity-timeout to have the UAG apply SIP media and signaling...
  • Page 117: Alg Commands Example

    Chapter 16 ALG 16.3 ALG Commands Example The following example turns on pass-through for SIP and turns it off for H.323.
      Router# configure terminal
      Router(config)# alg sip
      Router(config)# no alg h323
  • Page 119: Ip/Mac Binding

    Chapter 17 IP/MAC Binding. 17.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The UAG uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address.
  • Page 120: Ip/Mac Binding Commands Example

    Chapter 17 IP/MAC Binding 17.3 IP/MAC Binding Commands Example The following example enables IP/MAC binding on the lan1 interface and displays the interface's IP/MAC binding status.
      Router# configure terminal
      Router(config)# ip ip-mac-binding lan1 activate
      Router(config)# show ip ip-mac-binding lan1
      Name: lan1
      Status: Enable
      Log: No...
  • Page 121: Firewall

    Chapter 18 Firewall. This chapter introduces the UAG's firewall and shows you how to configure it. 18.1 Firewall Overview The UAG's firewall is a stateful inspection firewall. The UAG restricts access by screening data packets against defined access rules. It can also inspect sessions: for example, traffic from one zone is not allowed unless a computer in another zone initiated the session first.
  • Page 122: Firewall Commands

    Chapter 18 Firewall 18.2 Firewall Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
    Table 62 Input Values for General Firewall Commands
      address_object: The name of the IP address (or address group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character...
  • Page 123 Chapter 18 Firewall Table 63 Command Summary: Firewall (continued) COMMAND DESCRIPTION Removes a direction specific through-Device rule or firewall profile_name {zone_object|Device} delete to-Device rule. <1..5000> <1..5000>: the index number in a direction specific firewall rule list. Removes all direction specific through-Device rule or firewall profile_name {zone_object|Device} flush to-Device rules.
  • Page 124: Firewall Sub-Commands

    Chapter 18 Firewall 18.2.1 Firewall Sub-Commands The following table describes the sub-commands for several firewall commands.
    Table 64 firewall Sub-commands
      action {allow|deny|reject}: Sets the action the UAG takes when packets match this rule.
      [no] activate: Enables a firewall rule. The no command disables the firewall rule.
  • Page 125: Session Limit Commands

    Chapter 18 Firewall The following example shows you how to add an IPv4 firewall rule to allow a MyService connection from the WAN zone to the IP addresses Dest_1 in the LAN zone.
      • Enter configuration command mode.
      • Create an IP address object.
      • ...
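Chapters 10 and 18 together describe the model the rule above relies on: interfaces belong to exactly one zone, rules are keyed by a zone pair and evaluated in order, and the firewall is stateful, so the reply half of an allowed session passes without a rule of its own. The following is an added example, not code from the ZyXEL manual, that implements that model in miniature. The zone and rule data, the MyService port, and the assumption that intra-zone traffic passes unless the zone is set to block (and is then evaluated against the rules like any other zone pair) are all mine, not the page's.

```python
"""Added example, not from the ZyXEL manual: a zone table that rejects
overlapping membership, plus a zone-pair rule set with first-match
semantics, default deny, and a session table that lets return traffic of
an allowed session back without a rule of its own.

Assumed behaviour (the page describes it informally): a zone that is not
set to block passes intra-zone traffic; a blocked zone is evaluated against
the rules like any other zone pair.  Zone names, interfaces, addresses and
the MyService port are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


class ZoneTable:
    """Zones cannot overlap: an interface belongs to at most one zone."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {}
        self.block_intra: Set[str] = set()

    def add(self, zone: str, ifaces: List[str], block: bool = False) -> None:
        for other, members in self.members.items():
            clash = members & set(ifaces)
            if clash and other != zone:
                raise ValueError(f"{sorted(clash)} already in zone {other}")
        self.members[zone] = set(ifaces)
        if block:
            self.block_intra.add(zone)

    def zone_of(self, iface: str) -> Optional[str]:
        for zone, members in self.members.items():
            if iface in members:
                return zone
        return None


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    action: str                                  # allow | deny | reject
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    service: Optional[Tuple[str, int]] = None    # (proto, dst port) or any
    active: bool = True


class Firewall:
    def __init__(self, zones: ZoneTable, rules: List[Rule]) -> None:
        self.zones = zones
        self.rules = rules
        self.sessions: Set[tuple] = set()        # 5-tuples of sessions we allowed

    @staticmethod
    def _key(pkt: dict, reverse: bool = False) -> tuple:
        a = (pkt["src"], pkt["sport"])
        b = (pkt["dst"], pkt["dport"])
        return (pkt["proto"],) + (b + a if reverse else a + b)

    def check(self, pkt: dict) -> str:
        # Stateful shortcut: a reply packet of a session we already allowed.
        if self._key(pkt, reverse=True) in self.sessions:
            return "allow (established)"
        src_zone = self.zones.zone_of(pkt["in_iface"])
        dst_zone = self.zones.zone_of(pkt["out_iface"])
        if src_zone is None or dst_zone is None:
            return "deny (interface not in any zone)"
        if src_zone == dst_zone and src_zone not in self.zones.block_intra:
            verdict = "allow"
        else:
            verdict = "deny"                     # no matching rule: default deny
            for rule in self.rules:
                if not rule.active or (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
                    continue
                if ip_address(pkt["src"]) not in ip_network(rule.source):
                    continue
                if ip_address(pkt["dst"]) not in ip_network(rule.destination):
                    continue
                if rule.service is not None and rule.service != (pkt["proto"], pkt["dport"]):
                    continue
                verdict = rule.action            # first match wins
                break
        if verdict == "allow":
            self.sessions.add(self._key(pkt))
        return verdict


def sample_firewall() -> Firewall:
    zones = ZoneTable()
    zones.add("WAN", ["wan1", "wan2"])
    zones.add("LAN", ["lan1"])
    zones.add("DMZ", ["dmz"], block=True)
    rules = [
        # The page's example: allow MyService from the WAN zone to Dest_1 in the LAN zone.
        Rule("WAN", "LAN", "allow", destination="192.168.1.100/32", service=("tcp", 8080)),
        Rule("LAN", "WAN", "allow"),
    ]
    return Firewall(zones, rules)


if __name__ == "__main__":
    fw = sample_firewall()
    inbound = {"in_iface": "wan1", "out_iface": "lan1", "proto": "tcp",
               "src": "203.0.113.5", "sport": 40000, "dst": "192.168.1.100", "dport": 8080}
    print(fw.check(inbound))                     # allow
    print(fw.check({**inbound, "dport": 22}))    # deny
```

The session table is what makes the "traffic from one zone is not allowed unless it is initiated from another zone first" sentence concrete: the WAN to LAN reply of a LAN-initiated session is accepted on the session entry alone, while a fresh WAN to LAN packet has to find an explicit rule.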
  • Page 126 Chapter 18 Firewall The following table describes the session-limit commands. You must use the configure command to enter the configuration mode before you can use these commands. terminal Table 66 Command Summary: Session Limit COMMAND DESCRIPTION Turns the session-limit feature on or off. [no] session-limit activate Sets the default number of concurrent NAT/firewall sessions per host.
  • Page 127: Ipsec Vpn

    Chapter 19 IPSec VPN. This chapter explains how to set up and maintain IPSec VPNs in the UAG. 19.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing.
  • Page 128: Ipsec Vpn Commands Summary

    Chapter 19 IPSec VPN and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure. Figure 20 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
  • Page 129: Ike Sa Commands

    Chapter 19 IPSec VPN Table 67 Input Values for IPSec VPN Commands (continued)
      distinguished_name: A domain name. You can use up to 511 alphanumeric characters, spaces, or .@=,_- characters.
      sort_order: Sort the list of currently connected SAs by one of the following classifications: algorithm, encapsulation...
  • Page 130: Ipsec Sa Commands (Except Manual Keys)

    Chapter 19 IPSec VPN Table 68 isakmp Commands: IKE SAs (continued)
      group1 | group2 | group5: Sets the DHx group to the specified group.
      [no] natt: Enables NAT traversal. The no command disables NAT traversal.
      local-ip {ip {ip | domain_name} | ...: Sets the local gateway address to the specified IP address, domain name, or interface.
  • Page 131 Chapter 19 IPSec VPN Table 69 crypto Commands: IPSec SAs (continued) COMMAND DESCRIPTION Renames the specified IPSec SA (first map_name) to the specified crypto map rename map_name map_name name (second map_name). crypto map map_name Activates or deactivates the specified IPSec SA. activate deactivate Set a specific number of bytes for the Maximum Segment Size...
  • Page 132 Chapter 19 IPSec VPN Table 69 crypto Commands: IPSec SAs (continued) COMMAND DESCRIPTION Automatically re-negotiates the SA as needed. The command [no] nail-up does not. Enables replay detection. The command disables it. [no] replay-detection Enables NetBIOS broadcasts through the IPSec SA. The [no] netbios-broadcast command disables NetBIOS broadcasts through the IPSec SA.
  • Page 133: Ipsec Sa Commands (For Manual Keys)

    Chapter 19 IPSec VPN 19.2.3 IPSec SA Commands (for Manual Keys) This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys).
    Table 70 crypto map Commands: IPSec SAs (Manual Keys)
      crypto map map_name set session-key {ah <256..4095> ...: Sets the active protocol, SPI (<256..4095>), authentication key and...
  • Page 134: Vpn Configuration Provisioning Commands

    Chapter 19 IPSec VPN Table 71 vpn-concentrator Commands: VPN Concentrator (continued)
      [no] crypto map_name: Adds the specified IPSec SA to the specified VPN concentrator. The no command removes the specified IPSec SA from the specified VPN concentrator.
      vpn-concentrator rename profile_name ...: Renames the specified VPN concentrator (first profile_name) to the specified name (second profile_name).
  • Page 135: Sa Monitor Commands

    Chapter 19 IPSec VPN 19.2.6 SA Monitor Commands This table lists the commands for the SA monitor.
    Table 73 sa Commands: SA Monitor
      show sa monitor [{begin ...: Displays the current IPSec SAs and the status of each one. You can specify a range of SA entries to display.
  • Page 137: Ssl Vpn

    Chapter 20 SSL VPN. This chapter shows you how to set up secure SSL VPN access for remote user login. 20.1 SSL Access Policy An SSL access policy allows the UAG to perform the following tasks:
      • limit user access to specific applications or files on the network.
      • ...
  • Page 138: Ssl Vpn Commands

    Chapter 20 SSL VPN Table 74 Input Values for SSL VPN Commands (continued)
      user_name: The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 139: Setting An Ssl Vpn Rule Tutorial

    Chapter 20 SSL VPN Table 75 SSL VPN Commands
      [no] eps periodical-check <1..1440>: Sets the number of minutes after which the UAG repeats the endpoint security check, at a regular interval. The no command disables this setting.
      [no] network-extension {activate | ...: Use this to configure a VPN tunnel between the authenticated users and the internal network.
  • Page 140 Chapter 20 SSL VPN First of all, configure 10.1.1.254/24 for the IP address of interface wan1 which is an external interface for public SSL VPN to access. Configure 172.16.10.254/24 for the IP address of interface lan2 which is an internal network. Router(config)# interface wan1 Router(config-if-ge)# ip address 10.1.1.254 255.255.255.0 Router(config-if-ge)# exit...
  • Page 141 Chapter 20 SSL VPN Displays the SSL VPN rule settings. Router(config)# show sslvpn policy SSL_VPN_TEST index: 1 active: yes name: SSL_VPN_TEST description: user: tester ssl application: none network extension: yes ip pool: IP-POOL dns server 1: DNS1 dns server 2: DNS2 wins server 1: none wins server 2: none network: NETWORK1...
  • Page 143: Content Filtering

    Chapter 21 Content Filtering. This chapter covers how to use the content filtering feature to control web access. 21.1 Content Filtering Overview Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites. It can also block access to specific categories of web site content. You can create different content filtering policies for different addresses, schedules, users or groups and content filtering profiles.
  • Page 144: Content Filter Command Input Values

    Chapter 21 Content Filtering 21.5 Content Filter Command Input Values The following table explains the values you can input with the content-filter commands.
    Table 76 Content Filter Command Input Values
      policy_number: The number of the policy <0 - X> where X depends on the number of content filtering policies the UAG model supports.
  • Page 145: General Content Filter Commands

    Chapter 21 Content Filtering Table 76 Content Filter Command Input Values (continued)
      forbid_hosts: The IP address or domain name of a forbidden web site. Use a host name such as www.bad-site.com in this field. Do not use the complete URL of the site...
  • Page 146 Chapter 21 Content Filtering mode to be able to use these commands. See Table 76 on page 144 for details about the values you can input with these commands. Table 77 content-filter General Commands COMMAND DESCRIPTION Turns on content filtering. The command turns it off.
  • Page 147: Content Filter Filtering Profile Commands

    Chapter 21 Content Filtering Table 77 content-filter General Commands (continued)
      [no] {ipv4 | ipv4_cidr | ipv4_range | wildcard_domainname | tld}: Adds or removes a common trusted or forbidden web site entry.
        ipv4: IPv4 address <W.X.Y.Z>
        ipv4_cidr: IPv4 subnet in CIDR format, for example 192.168.1.0/32 <W.X.Y.Z>/<1..32>...
  • Page 148 Chapter 21 Content Filtering Table 78 content-filter Filtering Profile Commands Summary (continued) COMMAND DESCRIPTION Enters the sub-command for configuring the content content-filter profile filtering_profile custom-list filtering profile’s list of forbidden keywords. This has the keyword content filtering profile block access to Web sites with URLs that contain the specified keyword or IP address in the URL.
  • Page 149: Content Filter Url Cache Commands

    Chapter 21 Content Filtering Table 78 content-filter Filtering Profile Commands Summary (continued)
      [no] content-filter profile filtering_profile url url-server: Sets a content filtering profile to use the external web filtering service. The no command has the profile not use the external web filtering service.
      [no] content-filter service-timeout service_timeout: Sets how many seconds the UAG is to wait for a response from the external content filtering server.
  • Page 150: Content Filtering Statistics

    Chapter 21 Content Filtering Use the configure terminal command to enter the configuration mode to be able to use these commands. See Table 76 on page 144 for details about the values you can input with these commands.
    Table 79 content-filter url-cache Commands
      Sets how long to keep a content filtering URL cache entry...
  • Page 151: Content Filtering Statistics Example

    Chapter 21 Content Filtering 21.9.1 Content Filtering Statistics Example This example shows how to collect and display content filtering statistics.
      Router(config)# content-filter statistics collect
      Router(config)# show content-filter statistics summary
      total web pages inspected
      web pages warned by category service : 0
      web pages blocked by category service: 0
      web pages blocked by custom service
      restricted web features...
  • Page 152 Chapter 21 Content Filtering Activate the customization. Router# configure terminal Router(config)# address-object sales 172.16.3.0/24 Router(config)# schedule-object all_day 00:00 23:59 Router(config)# content-filter profile sales_CF_PROFILE Router(config)# content-filter profile sales_CF_PROFILE url category adult-mature-content Router(config)# content-filter profile sales_CF_PROFILE url category pornography Router(config)# content-filter profile sales_CF_PROFILE url url-server Router(config)# content-filter profile sales_CF_PROFILE custom java Router(config)# content-filter profile sales_CF_PROFILE custom activex Router(config)# content-filter profile sales_CF_PROFILE custom proxy...
  • Page 153 Chapter 21 Content Filtering Use this command to display the settings of the profile. Router(config)# show content-filter profile sales_CF_PROFILE commtouch service active : yes url match unsafe: block: no, warn: yes, log: url match other : block: yes, warn: no, log: url unrate : block: no, warn: yes, log:...
  • Page 155: User/Group

    Chapter 22 User/Group. This chapter describes how to set up user accounts, user groups, and user settings for the UAG. You can also set up rules that control when users have to log in to the UAG before the UAG routes traffic for them.
  • Page 156: User/Group Commands Summary

    Chapter 22 User/Group 22.2 User/Group Commands Summary The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands.
    Table 82 username/groupname Command Input Values
      username: The name of the user (account). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 157: User Group Commands

    Chapter 22 User/Group Table 83 username/groupname Commands Summary: Users (continued)
      username username [no] logon-re-auth-time <0..1440>: Sets the reauthentication time for the specified user. Set it to zero for unlimited reauthentication time. The no command sets the reauthentication time to thirty minutes (regardless of the current default setting for new users).
  • Page 158: User Setting Commands

    Chapter 22 User/Group 22.2.3 User Setting Commands This table lists the commands for user settings, except for forcing user authentication.
    Table 85 username/groupname Commands Summary: Settings
      show users default-setting {all | user-type ...: Displays the default lease and reauthentication times for the specified type of user accounts.
  • Page 159: Web Authentication Policy Commands

    Chapter 22 User/Group 22.2.3.1 User Setting Command Examples The following commands show the current settings for the number of simultaneous logins.
      Router# configure terminal
      Router(config)# show users simultaneous-logon-settings
      enable simultaneous logon limitation for administration account: yes
      maximum simultaneous logon per administration account
      enable simultaneous logon limitation for access account : yes
      maximum simultaneous logon per access account...
  • Page 160 Chapter 22 User/Group Table 86 username/groupname Commands Summary: Web Authentication Policy (continued) COMMAND DESCRIPTION Displays services that users can access without user authentication. show web-auth exceptional-service Displays details about the policies for forcing user authentication. show web-auth policy {<1..1024> | all} Displays the web portal page settings.
  • Page 161 Chapter 22 User/Group 22.2.4.2 web-auth policy Sub-commands The following table describes the sub-commands for several web-auth policy commands. Note that not all rule commands use all the sub-commands listed here. Table 88 web-auth policy Sub-commands COMMAND DESCRIPTION Activates the specified condition. The command deactivates the [no] activate specified condition.
  • Page 162: Additional User Commands

    Chapter 22 User/Group
      • Description: EPS-on-LAN
      • Source: use address object "LAN1_SUBNET"
      • Destination: use address object "DMZ_Servers"
      • User Authentication: required
      • Schedule: none specified
      • Endpoint security: Activate
      • Endpoint security objects: use "EPS-WinXP" and "EPS-WinVista" for the first and second checking EPS objects
      Router# configure terminal
      Router(config)# web-auth policy insert 1...
  • Page 163 Chapter 22 User/Group 22.2.5.1 Additional User Command Examples The following commands display the users that are currently logged in to the UAG and forces the logout of all logins from a specific IP address. Router# configure terminal Router(config)# show users all No: 0 Name: admin Type: admin...
  • Page 164 Chapter 22 User/Group The following commands display the users that are currently locked out and then unlocks the user who is displayed. Router# configure terminal Router(config)# show lockout-users Username Tried From Lockout Time Remaining =========================================================================== From Failed Login Attempt Record Expired Timer ===========================================================================1 172.16.1.5 Router(config)# unlock lockout-users 172.16.1.5...
  • Page 165: Addresses

    Chapter 23 Addresses. This chapter describes how to set up addresses and address groups for the UAG. 23.1 Address Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. You can create IP address objects based on an interface's IP address, subnet, or gateway.
  • Page 166: Address Object Commands

    Chapter 23 Addresses 23.2.1 Address Object Commands This table lists the commands for address objects.
    Table 91 address-object and address6-object Commands
      show {address-object | address6-object | service-object | schedule-object} [object_name]: Displays information about the specified object or all the objects of the specified type.
      Creates the specified IPv4 address object using the specified...
  • Page 167 Chapter 23 Addresses Table 92 object-group Commands: Address Groups (continued) COMMAND DESCRIPTION Adds the specified address to the specified address group. The no [no] address-object object_name command removes the specified address from the specified group. Adds the specified address group (second group_name) to the specified [no] object-group group_name address group (first group_name).
  • Page 169: Services

    Chapter 24 Services. Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 24.1 Services Overview See the appendices in the web configurator's User Guide for a list of commonly-used services. 24.2 Services Commands Summary The following table describes the values required for many service object and service group commands.
  • Page 170: Service Group Commands

    Chapter 24 Services Table 94 service-object Commands: Service Objects (continued)
      service-object object_name icmp icmp_value: Creates the specified ICMP message using the specified parameters. icmp_value: <0..255> | alternate-address | conversion-error | echo | echo-reply | information-reply | information-request | mask-reply | mask-request | mobile-redirect | parameter-problem | redirect | router-advertisement | router-solicitation | source-quench | time-exceeded | timestamp-reply |...
  • Page 171 Chapter 24 Services Table 95 object-group Commands: Service Groups (continued) COMMAND DESCRIPTION Sets the description to the specified value. The command removes the [no] description description description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. Renames the specified service group from the first group_name to the object-group service rename group_name second group_name.
  • Page 173: Schedules

    CHAPTER 25 Schedules Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, and content filtering. 25.1 Schedule Overview The UAG supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat. Note: Schedules are based on the current date and time in the UAG.
  • Page 174: Schedule Command Examples

    Chapter 25 Schedules Table 97 schedule Commands (continued). schedule-object object_name date time date time: Creates or updates a one-time schedule. date: yyyy-mm-dd date format; yyyy-<01..12>-<01..31>. schedule-object object_name time time [day] [day] [day] [day] [day] [day] [day]: Creates or updates a recurring schedule. day: 3-character day of the week;...
  • Page 175: Aaa Server

    CHAPTER 26 AAA Server This chapter introduces and shows you how to configure the UAG to use external authentication servers. 26.1 AAA Server Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the UAG supports. •...
  • Page 176: Ldap-Server Commands

    Chapter 26 AAA Server Table 98 ad-server Commands (continued). [no] ad-server binddn binddn: Sets the user name the UAG uses to log into the default AD server. The no command clears this setting. [no] ad-server cn-identifier uid: Sets the unique common name (cn) to identify a record. The no command clears this setting.
  • Page 177: Radius-Server Commands

    Chapter 26 AAA Server 26.2.3 radius-server Commands The following table lists the commands you use to set the default RADIUS server. Table 100 radius-server Commands. show radius-server: Displays the default RADIUS server settings. [no] radius-server host ...: Sets the RADIUS server address and service port number. Enter the IP address (in dotted decimal notation) or the domain name of a RADIUS server.
  • Page 178: Aaa Group Server Ldap Commands

    Chapter 26 AAA Server Table 101 aaa group server ad Commands (continued). [no] server alternative-cn-...: Sets the second type of identifier that the users can use to log in if any. For example “name” or “e-mail address”. The no command clears this setting.
  • Page 179: Aaa Group Server Radius Commands

    Chapter 26 AAA Server Table 102 aaa group server ldap Commands (continued). [no] case-sensitive: Specify whether or not the server checks the username case. Set this to be the same as the server’s behavior. [no] server alternative-cn-...: Sets the second type of identifier that the users can use to log in if any. For example “name”...
  • Page 180: Aaa Group Server Command Example

    Chapter 26 AAA Server Table 103 aaa group server radius Commands (continued). aaa group server radius group-name: Enter the sub-command mode. [no] case-sensitive: Specify whether or not the server checks the username case. Set this to be the same as the server’s behavior. Sets the descriptive information for the RADIUS server group.
  • Page 181: Authentication Objects

    CHAPTER 27 Authentication Objects This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database. 27.1 Authentication Objects Overview After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the UAG uses to authenticate users (using VPN or managing through HTTP/HTTPS).
  • Page 182: Aaa Authentication Command Example

    Chapter 27 Authentication Objects Table 104 aaa authentication Commands (continued). [no] aaa authentication profile-name member1 [member2] [member3] [member4]: Sets the profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius, or local. Note: You must specify at least one member for each profile.
  • Page 183 Chapter 27 Authentication Objects • Bind-dn: zyxel\engineerABC • Password: abcdefg • Login-name-attribute: sAMAccountName The result shows the account exists on the AD server; the dn:: line (two colons) follows the LDIF convention for a base64-encoded distinguished name, so decode it if you need to read the DN. Otherwise, the UAG responds with an error. Router> test aaa server ad host 172.16.50.1 port 389 base-dn DC=ZyXEL,DC=com bind-dn zyxel\engineerABC password abcdefg login-name-attribute sAMAccountName account userABC dn:: Q049MTIzNzco546L5aOr56uRKSxPVT1XaXRoTWFpbCxEQz1aeVhFTCxEQz1jb20=...
  • Page 184: Certificates

    CHAPTER 28 Certificates This chapter explains how to use the Certificates. 28.1 Certificates Overview The UAG can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
  • Page 185: Certificates Commands Summary

    Chapter 28 Certificates Table 106 Certificates Commands Input Values (continued). organization: Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
  • Page 186 Chapter 28 Certificates Table 107 ca Commands Summary (continued). ca validation remote_certificate: Enters the sub-command mode for validation of certificates signed by the specified remote (trusted) certificate. cdp {activate|deactivate}: Turns certificate revocation checking on or off; while it is off, a certificate the issuer has since revoked is still accepted. When it is turned on, the UAG validates a certificate by getting a Certificate Revocation List (CRL) through HTTP or LDAP (can be...
  • Page 187 Chapter 28 Certificates Table 107 ca Commands Summary (continued). show ca category {local|remote} name certificate_name certpath: Displays the certification path of the specified local (my certificates) or remote (trusted certificates) certificate. show ca category {local|remote} [name certificate_name format {text|pem}]: Displays a summary of the certificates in the specified category (local for my certificates or remote for trusted...
  • Page 188: Certificates Commands Examples

    Chapter 28 Certificates 28.5 Certificates Commands Examples The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512 bit key, which is only acceptable for a lab walkthrough: 512-bit RSA moduli have been factored publicly, so use 2048 bits or more for any certificate the UAG will actually serve. Then it displays the list of local certificates.
  • Page 189: Isp Accounts

    CHAPTER 29 ISP Accounts Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE and PPTP interfaces. 29.1 ISP Accounts Overview An ISP account is a profile of settings for Internet access using PPPoE, or PPTP. 29.1.1 PPPoE and PPTP Account Commands The following table lists the PPPoE and PPTP ISP account commands.
  • Page 190 Chapter 29 ISP Accounts Table 108 PPPoE and PPTP ISP Account Commands (continued). [no] server ip: Sets the PPTP server for the specified PPTP ISP account. The no command clears the server name. [no] encryption {nomppe | mppe-40 ...: Sets the encryption for the specified PPTP ISP account. The no command sets the encryption to nomppe, which leaves the PPTP tunnel unencrypted; mppe-40 uses a 40-bit RC4 key, so choose the strongest option the provider supports.
  • Page 191: Ssl Application

    CHAPTER 30 SSL Application This chapter describes how to configure SSL application objects for use in SSL VPN. 30.1 SSL Application Overview Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group.
  • Page 192: Ssl Application Command Examples

    Chapter 30 SSL Application Table 109 SSL Application Object Commands. server-type weblink url url: Sets this to create a link to a web site you specified that you expect the SSL VPN users to commonly use. url: Enter the fully qualified domain name (FQDN) or IP address of the application server.
  • Page 193: Endpoint Security

    CHAPTER 31 Endpoint Security This chapter describes how to configure endpoint security objects for use in authentication policy and SSL VPN. 31.1 Endpoint Security Overview Use Endpoint Security (EPS), also known as endpoint control, to make sure users’ computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel. After a successful user authentication, a user’s computer must meet the endpoint security object’s Operating System (OS) option and security requirements to gain access.
  • Page 194: Endpoint Security Commands Summary

    Chapter 31 Endpoint Security Requirements User computers must have Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a minimum version of 1.4. 31.1.1 Endpoint Security Commands Summary The following table describes the values required for many endpoint security object commands. Other values are discussed with the corresponding commands.
  • Page 195 Chapter 31 Endpoint Security Table 111 Endpoint Security Object Commands. [no] personal-firewall personal_firewall_software: Sets a permitted personal firewall. If you want to enter multiple personal firewalls, use this command for each of them. Use the list signature personal-firewall command to view the available personal firewall software package options.
  • Page 196 Chapter 31 Endpoint Security Table 111 Endpoint Security Object Commands. windows-version {windows-2000 | windows-xp | windows-2003 | windows-2008 | windows-vista | windows-7 | windows-2008r2}: If you set windows as the operating system (using the os-type command), use this command to set the version of Windows....
  • Page 197: Endpoint Security Object Command Example

    Chapter 31 Endpoint Security 31.1.3 Endpoint Security Object Command Example Peter wants to create and display an endpoint security object named EPS-Example. Only the computers that match the following criteria can access the company’s SSL VPN: • Operating system: Windows XP •...
  • Page 198 Chapter 31 Endpoint Security Then he also needs to check the personal firewall software name defined on the UAG. Copy and paste the name of the output item 4 for the setting later. Router(config)# show eps signature personal-firewall Name Detection =============================================================================== Kaspersky_Internet_Security_v2009 Kaspersky_Internet_Security_v2010...
  • Page 199 Chapter 31 Endpoint Security Then he leaves the sub-command mode and uses the show command to view the EPS object settings. Router(eps EPS-Example)# exit Router(config)# show eps profile name: EPS-Example description: os type: windows windows version: windows-xp matching criteria: all anti-virus activation: yes anti-virus: 1 name: Kaspersky_Anti-Virus_v2011...
  • Page 201: System

    CHAPTER 32 System This chapter provides information on the commands that correspond to what you can configure in the system screens. 32.1 System Overview Use these commands to configure general UAG information, the system time and the console port connection speed for a terminal emulation program. They also allow you to configure DNS settings and determine which services/protocols can access which UAG zones (if any) from which computers.
  • Page 202 Chapter 32 System Figure 22 Access Page Customization (callouts: Logo; Title; Message (color of all text); Note Message (last line of text); Window Background). You can specify colors in one of the following ways: • color-rgb: Enter red, green, and blue values in parentheses, separated by commas. For example, use “rgb(0,0,0)”...
  • Page 203: Host Name Commands

    Chapter 32 System Table 112 Command Summary: Customization (continued). login-page window-color {color-rgb | color-name | color-number}: Sets the color of the login page’s window border. logo background-color {color-rgb | ...: Sets the color of the logo banner across the top of the login screen and access page.
  • Page 204: Date/Time Commands

    Chapter 32 System 32.4.1 Date/Time Commands The following table describes the commands available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 114 Command Summary: Date/Time COMMAND DESCRIPTION Sets the new date in year, month and day format...
  • Page 205: Dns Overview

    Chapter 32 System 32.6 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. 32.6.1 Domain Zone Forwarder A domain zone forwarder contains a DNS server’s IP address.
  • Page 206: Dns Command Example

    Chapter 32 System Table 117 Command Summary: DNS (continued). [no] ip dns server zone-forwarder {<1..32>|append|insert <1..32>} ...: Sets a domain zone forwarder record that specifies a fully qualified domain name. You can also use a star (*) if all domain zones are served by the specified DNS server(s).
  • Page 207: System Remote Management

    CHAPTER 33 System Remote Management This chapter shows you how to determine which services/protocols can access which UAG zones (if any) from which computers. Note: To access the UAG from a specified computer using a service, make sure no service control rules or to-Device firewall rules block that traffic. 33.1 Remote Management Overview You may manage your UAG from a remote location via: •...
  • Page 208: Common System Command Input Values

    Chapter 33 System Remote Management 33.2 Common System Command Input Values The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 118 Input Values for General System Commands LABEL DESCRIPTION The name of the IP address (group) object.
  • Page 209 Chapter 33 System Remote Management Table 119 Command Summary: HTTP/HTTPS (continued). [no] ip http secure-server cert certificate_name: Specifies a certificate used by the HTTPS server. The no command resets the certificate used by the HTTPS server to the factory default (default). certificate_name: The name of the certificate. The factory default certificate is self-signed, so browsers warn on every login until you install a certificate issued by a CA your administrators trust.
  • Page 210: Http/Https Command Examples

    Chapter 33 System Remote Management 33.3.1 HTTP/HTTPS Command Examples The following example adds a service control rule that allows an administrator on the computers whose IP addresses match the Marketing address object to access the WAN zone using the HTTP service. Plain HTTP carries the administrator’s credentials in clear text, so on an Internet-facing zone such as WAN prefer a rule for the HTTPS service instead. Router# configure terminal Router(config)# ip http server table admin rule append access-group Marketing zone WAN action accept...
  • Page 211: Ssh Commands

    Chapter 33 System Remote Management 33.4.3 SSH Commands The following table describes the commands available for SSH. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 120 Command Summary: SSH COMMAND DESCRIPTION Allows SSH access to the UAG CLI.
  • Page 212: Telnet

    Chapter 33 System Remote Management 33.5 Telnet You can configure your UAG for remote Telnet access. Telnet sends the login and every command in clear text, so use SSH for remote CLI access and keep Telnet disabled, or limit it with a service control rule to trusted management hosts on an internal zone. 33.6 Telnet Commands The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 121 Command Summary: Telnet COMMAND...
  • Page 213: Configuring Ftp

    Chapter 33 System Remote Management 33.7 Configuring FTP You can upload and download the UAG’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. Plain FTP sends the login, the configuration file (which contains credentials and keys) and the firmware in clear text; restrict it with a service control rule to trusted management hosts and prefer a client that negotiates TLS, for which the FTP server has a certificate setting. 33.7.1 FTP Commands The following table describes the commands available for FTP. You must use the configure terminal command to enter the configuration mode before you can use these commands.
  • Page 214: Snmp

    Chapter 33 System Remote Management This command displays FTP settings. Router# configure terminal Router(config)# show ip ftp server status active : yes port : 21 certificate: default : no service control: Zone Address Action ======================================================================== 33.8 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
  • Page 215: Snmp Commands

    Chapter 33 System Remote Management 33.8.3 SNMP Commands The following table describes the commands available for SNMP. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 124 Command Summary: SNMP COMMAND DESCRIPTION Allows SNMP access to the UAG.
  • Page 216: Icmp Filter

    Chapter 33 System Remote Management The following command sets the password (secret) for read-write (rw) access. Router# configure terminal Router(config)# snmp-server community secret rw The following command sets the IP address of the host that receives the SNMP notifications to 172.16.15.84 and the password (sent with each trap) to qwerty. Community strings and trap passwords travel in clear text in SNMPv1 and SNMPv2c, so choose long random values (not the dictionary words used in these examples) and limit SNMP with a service control rule to the management station.
  • Page 217: File Manager

    CHAPTER 34 File Manager This chapter covers how to work with the UAG’s firmware, certificates, configuration files, packet trace results, shell scripts and temporary files. 34.1 File Directories The UAG stores files in the following directories. Table 126 FTP File Transfer Notes FILE NAME DIRECTORY FILE TYPE...
  • Page 218: Comments In Configuration Files Or Shell Scripts

    Chapter 34 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
    Figure 23 Configuration File / Shell Script: Example
    # enter configuration mode
    configure terminal
    # change administrator password
    username admin password 4321 user-type admin
    # configure wan1...
  • Page 219: Errors In Configuration Files Or Shell Scripts

    Chapter 34 File Manager Line 3 in the following example exits sub command mode.
    interface wan1
    ip address dhcp
    Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
    interface wan1
    # this interface is a DHCP client
    Lines 1 and 2 are comments.
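The syntax rules above (one CLI command per line, comment lines starting with #, a sub-command mode entered by interface and left by exit) are easy to get wrong in a hand-edited file, and the UAG's own error check only reports the problem when the file is applied. The following Python script is an added example, not ZyXEL code and not something that runs on the UAG: it pre-checks a ZLD-style script on a workstation, tracks the CLI mode line by line, reports the first bad line or all of them (mirroring the stop-on-error setting), and warns when a username line keeps the factory default password 1234 or a short password. The command vocabulary in CONFIG_COMMANDS and INTERFACE_COMMANDS is an assumed subset of the real CLI, the 8-character minimum is an assumed local policy, and both sample scripts are constructed for the example (the first copies the lines of Figure 23).

```python
# Pre-flight checker for a ZLD-style configuration file or shell script.
# Added example, not ZyXEL code; it runs on a workstation, not on the UAG,
# and models only the syntax this chapter describes. The command sets are
# an assumed subset of the real CLI, not the full grammar.
from dataclasses import dataclass, field

CONFIG_COMMANDS = {"interface", "username", "hostname", "ip", "write", "exit"}
INTERFACE_COMMANDS = {"ip", "description", "exit"}   # assumed subset
DEFAULT_ADMIN_PASSWORD = "1234"   # factory default from the guide's cover page


@dataclass
class CheckResult:
    errors: list = field(default_factory=list)    # (line_no, message)
    warnings: list = field(default_factory=list)  # (line_no, message)
    applied: int = 0                              # commands that would run


def _check_username(line_no, tokens, result):
    """Warn about weak credentials on a 'username <name> password <pw>' line."""
    if "password" in tokens and tokens.index("password") + 1 < len(tokens):
        password = tokens[tokens.index("password") + 1]
        if password == DEFAULT_ADMIN_PASSWORD:
            result.warnings.append((line_no, "factory default password left in place"))
        elif len(password) < 8:   # assumed local policy, not a UAG limit
            result.warnings.append((line_no, "password shorter than 8 characters"))


def check_script(text, stop_on_error=True):
    """Track the CLI mode line by line the way the UAG does when applying a file.

    stop_on_error=True stops at the first bad line (the startup default);
    False mirrors 'setenv-startup stop-on-error off': bad lines are skipped
    and the remaining valid commands still count as applied.
    """
    result, mode, line_no = CheckResult(), "exec", 0
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        tokens, error = line.split(), None
        cmd = tokens[0]
        if mode == "exec":
            if tokens[:2] == ["configure", "terminal"]:
                mode = "config"
            else:
                error = "'configure terminal' is required before '%s'" % cmd
        elif mode == "config":
            if cmd == "interface" and len(tokens) == 2:
                mode = "interface " + tokens[1]
            elif cmd == "exit":
                mode = "exec"
            elif cmd == "username":
                _check_username(line_no, tokens, result)
            elif cmd not in CONFIG_COMMANDS:
                error = "unknown command in configuration mode: %s" % cmd
        else:                                      # inside 'interface <name>'
            if cmd == "exit":
                mode = "config"
            elif cmd not in INTERFACE_COMMANDS:
                error = "unknown command in %s sub-command mode: %s" % (mode, cmd)
        if error:
            result.errors.append((line_no, error))
            if stop_on_error:
                break
            continue
        result.applied += 1
    # A file that never leaves interface mode was probably cut short.
    if mode.startswith("interface") and not (stop_on_error and result.errors):
        result.warnings.append((line_no, "file ends inside %s sub-command mode" % mode))
    return result


# Constructed input: the lines of the guide's Figure 23 example.
GOOD_SCRIPT = """\
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure wan1
interface wan1
ip address dhcp
exit
"""

# Constructed input with two defects: the default password is kept, and
# line 4 drops the leading 'ip', which the interface sub-command mode rejects.
BAD_SCRIPT = """\
configure terminal
username admin password 1234 user-type admin
interface wan1
address dhcp
exit
"""
```

Run check_script(BAD_SCRIPT) and the result stops at line 4 with three commands applied; with stop_on_error=False the trailing exit is still counted, which is exactly the partially applied state that setenv-startup stop-on-error off produces on the device, and why that setting deserves a review of the file first.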
  • Page 220: Configuration File Flow At Restart

    Chapter 34 File Manager • When the UAG reboots, if the startup-config.conf file passes the error check, the UAG keeps a copy of the startup-config.conf file as the lastgood.conf configuration file for you as a back up file. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.
  • Page 221: File Manager Commands Summary

    Chapter 34 File Manager 34.4 File Manager Commands Summary The following table lists the commands that you can use for file management. Table 129 File Manager Commands Summary. apply /conf/file_name.conf [ignore-...: Has the UAG use a specific configuration file. You must still use the write command to save your configuration changes to the flash (“non-...
  • Page 222: File Manager Command Examples

    Chapter 34 File Manager Table 129 File Manager Commands Summary (continued) COMMAND DESCRIPTION Displays the settings of the configuration file that the system is using. show running-config Has the UAG ignore any errors in the startup-config.conf file and apply all setenv-startup stop-on-error off of the valid commands.
  • Page 223: Command Line Ftp Configuration File Upload Example

    Chapter 34 File Manager The firmware update can take up to five minutes. Do not turn off or reset the UAG while the firmware update is in progress! If you lose power during the firmware upload, you may need to refer to Section 34.8 on page 225 to recover the firmware.
  • Page 224: Command Line Ftp Configuration File Download Example

    Chapter 34 File Manager 34.6.4 Command Line FTP Configuration File Download Example The following example gets a configuration file named today.conf from the UAG and saves it on the computer as current.conf. Figure 25 FTP Configuration File Download Example C:\>ftp 192.168.1.1 Connected to 192.168.1.1.
  • Page 225: Notification Of A Damaged Recovery Image Or Firmware

    Chapter 34 File Manager 34.8 Notification of a Damaged Recovery Image or Firmware The UAG’s recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the UAG notifies you of a damaged recovery image or firmware file.
  • Page 226: Restoring The Recovery Image

    Chapter 34 File Manager If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged. Use the procedure in Section 34.10 on page 228 to restore it. If the message does not display, the firmware is OK and you do not need to use the firmware recovery procedure.
  • Page 227 Chapter 34 File Manager Note: You only need to use the atuk or atur command if the recovery image is damaged. Figure 31 atuk Command for Restoring the Recovery Image > atuk This command is for restoring the "recovery image" (xxx.ri). Use This command only when 1) the console displays "Invalid Recovery Image"...
  • Page 228: Restoring The Firmware

    Chapter 34 File Manager Enter atgo. The UAG starts up. If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged and you need to use the procedure in Section 34.10 on page 228 to recover the firmware.
  • Page 229 Chapter 34 File Manager Enter “quit” to exit the ftp prompt. Figure 37 FTP Firmware Transfer Complete 200 PORT command successful 150 Opening BINARY mode data connection for 250AACG0C0.bin 226-firmware verifying... 226-firmware updating... 226-Please Wait about 5 minutes!! 226-Do not poweroff or reset, 226-system will reboot automatically after finished updating.
  • Page 231: Logs

    CHAPTER 35 Logs This chapter provides information about the UAG’s logs. Note: When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User’s Guide for the maximum number of system log messages in the UAG. 35.1 Log Commands Summary The following table describes the values required for many log commands.
  • Page 232: System Log Commands

    Chapter 35 Logs 35.1.2 System Log Commands This table lists the commands for the system log settings. Table 132 logging Commands: System Log Settings. show logging status system-log: Displays the current settings for the system log. logging system-log category module_name ...: Specifies what kind of information, if any, is logged in the system log and debugging log for the specified category.
  • Page 233: Debug Log Commands

    Chapter 35 Logs 35.1.3 Debug Log Commands This table lists the commands for the debug log settings. Table 133 logging Commands: Debug Log Settings. show logging debug status: Displays the current settings for the debug log. show logging debug entries [priority pri] [category module_name] [srcip ip] [dstip ip]: Displays the specified entries in the debug log. pri: alert | crit | debug | emerg | error | info | notice | warn...
  • Page 234: E-Mail Profile Commands

    Chapter 35 Logs 35.1.4 E-mail Profile Commands This table lists the commands for the e-mail profile settings. Table 135 logging Commands: E-mail Profile Settings. show logging status mail: Displays the current settings for the e-mail profiles. [no] logging mail <1..2>...: Enables the specified e-mail profile. The no command disables...
  • Page 235: Console Port Logging Commands

    Chapter 35 Logs 35.1.4.1 E-mail Profile Command Examples The following commands set up e-mail log 1. Router# configure terminal Router(config)# logging mail 1 address mail.zyxel.com.tw Router(config)# logging mail 1 subject AAA Router(config)# logging mail 1 authentication username lachang.li password XXXXXX Router(config)# logging mail 1 send-log-to lachang.li@zyxel.com.tw Router(config)# logging mail 1 send-alerts-to lachang.li@zyxel.com.tw Router(config)# logging mail 1 from lachang.li@zyxel.com.tw...
  • Page 237: Chapter 36 Reports And Reboot

    CHAPTER 36 Reports and Reboot This chapter provides information about the report associated commands and how to restart the UAG using commands. It also covers the daily report e-mail feature. 36.1 Report Commands Summary The following sections list the report, session, and packet size statistics commands. 36.1.1 Report Commands This table lists the commands for reports.
  • Page 238: Report Command Examples

    Chapter 36 Reports and Reboot 36.1.2 Report Command Examples The following commands start collecting data, display the traffic reports, and stop collecting data. Router# configure terminal Router(config)# show report lan1 ip No. IP Address User Amount Direction =================================================================== 192.168.1.4 admin 1273(bytes) Outgoing 192.168.1.4...
  • Page 239 Chapter 36 Reports and Reboot Use these commands to have the UAG e-mail you system statistics every day. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 140 Email Daily Report Commands COMMAND DESCRIPTION Displays the e-mail daily report settings.
  • Page 240: Email Daily Report Example

    Chapter 36 Reports and Reboot Table 140 Email Daily Report Commands (continued). send-now: Sends the daily e-mail report immediately. reset-counter-now: Discards all report data and starts all of the report statistics data counters over at zero. exit: Leaves the sub-command mode. 36.2.1 Email Daily Report Example This example sets the following about sending a daily report e-mail:...
  • Page 241: Reboot

    Chapter 36 Reports and Reboot This displays the email daily report settings and has the UAG send the report. Note that the output prints the SMTP password in clear text, so treat saved console sessions and configuration backups with the same care as the password itself. Router(config)# show daily-report status email daily report status ========================= activate: yes scheduled time: 13:57 reset counter: no smtp address: example-SMTP-mail-server.com smtp port: 25 smtp auth: yes smtp username: 12345 smtp password: pass12345...
  • Page 243: Chapter 37 Session Timeout

    CHAPTER 37 Session Timeout Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands. Table 141 Session Timeout Commands. session timeout {udp-connect <1..300>...: Sets the timeout for UDP sessions to connect or deliver...
  • Page 245: Chapter 38 Diagnostics

    CHAPTER 38 Diagnostics This chapter covers how to use the diagnostics feature. 38.1 Diagnostics The diagnostics feature provides an easy way for you to generate a file containing the UAG’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
  • Page 247: Chapter 39 Packet Flow Explore

    CHAPTER 39 Packet Flow Explore This chapter covers how to use the packet flow explore feature. 39.1 Packet Flow Explore Use this to get a clear picture on how the UAG determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you a summary of all your routing and SNAT settings and helps troubleshoot the related problems.
  • Page 248: Packet Flow Explore Commands Example

    Chapter 39 Packet Flow Explore 39.3 Packet Flow Explore Commands Example The following example shows all routing related functions and their order. Router> show route order route order: Direct Route, Policy Route, VPN 1-1 Mapping Route, 1-1 SNAT, SiteTo Site VPN, Dynamic VPN, Static-Dynamic Route, Default WAN Trunk, Main Route The following example shows all SNAT related functions and their order.
  • Page 249 Chapter 39 Packet Flow Explore The following example shows all activated dynamic VPN rules. Router> show system route dynamic-vpn Source Destination VPN Tunnel =========================================================================== The following example shows all activated VPN 1-1 mapping rules. Router> show system route vpn-1-1-map Source Destination Outgoing Gateway...
  • Page 250 Chapter 39 Packet Flow Explore The following example shows all activated 1-to-1 NAT rules. Router> show system snat nat-1-1 VS Name Source Destination Outgoing SNAT =========================================================================== The following example shows the default WAN trunk settings. Router> show system snat default-snat Incoming Outgoing SNAT...
  • Page 251: Chapter 40 Maintenance Tools

    CHAPTER 40 Maintenance Tools Use the maintenance tool commands to check the conditions of other devices through the UAG. The maintenance tools can help you to troubleshoot network problems. Here are maintenance tool commands that you can use in privilege mode. Table 144 Maintenance Tools Commands in Privilege Mode COMMAND DESCRIPTION...
  • Page 252 Chapter 40 Maintenance Tools Here are maintenance tool commands that you can use in configure mode. Table 145 Maintenance Tools Commands in Configuration Mode. [no] packet-capture activate: Performs a packet capture that captures network traffic going through the set interface(s).
  • Page 253: Maintenance Command Examples

    Chapter 40 Maintenance Tools 40.1 Maintenance Command Examples Some packet-trace command examples are shown below. Router# packet-trace duration 3 tcpdump: listening on eth0 19:24:43.239798 192.168.1.10 > 192.168.1.1: icmp: echo request 19:24:43.240199 192.168.1.1 > 192.168.1.10: icmp: echo reply 19:24:44.258823 192.168.1.10 > 192.168.1.1: icmp: echo request 19:24:44.259219 192.168.1.1 >...
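Added example, not ZyXEL code: a small Python parser for packet-trace output of the kind shown above, run on a workstation over text copied from the console. It keeps only lines in the layout shown (timestamp, source > destination: protocol detail), pairs ICMP echo requests with their replies so that destinations which never answered stand out, and counts packets per source host. The trace lines it embeds are constructed in that layout; the 10.0.0.58 address is reused from the certificate example in Chapter 28 purely as sample data, and nothing here runs on the UAG.

```python
"""Parse UAG packet-trace (tcpdump-style) output and summarize it.

Added example, not ZyXEL code: run it on a workstation over text copied from
the CLI. Only the line layout shown in this chapter is handled:
    HH:MM:SS.ffffff  src > dst: detail
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<detail>.*)$"
)


def host_of(addr):
    """Strip a trailing TCP/UDP port from tcpdump's 'a.b.c.d.port' form."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def parse_trace(text):
    """Return one dict per packet line; the 'tcpdump: listening' banner and
    any other non-matching line is skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        pkt["src_host"] = host_of(pkt["src"])
        pkt["dst_host"] = host_of(pkt["dst"])
        packets.append(pkt)
    return packets


def unanswered_echo_requests(packets):
    """List (src, dst, missing_replies) for echo requests that got no reply.

    A reply is matched to a request by reversing its direction, so a host that
    is down, or whose traffic a firewall rule silently drops, shows up here.
    """
    requests, replies = Counter(), Counter()
    for p in packets:
        if p["detail"] == "icmp: echo request":
            requests[(p["src_host"], p["dst_host"])] += 1
        elif p["detail"] == "icmp: echo reply":
            replies[(p["dst_host"], p["src_host"])] += 1
    return [(src, dst, n - replies[(src, dst)])
            for (src, dst), n in requests.items() if n > replies[(src, dst)]]


def talkers(packets):
    """Packets per source host, most active first."""
    return Counter(p["src_host"] for p in packets).most_common()


# Constructed sample in the layout of the guide's packet-trace output.
SAMPLE_TRACE = """\
tcpdump: listening on eth0
19:24:43.239798 192.168.1.10 > 192.168.1.1: icmp: echo request
19:24:43.240199 192.168.1.1 > 192.168.1.10: icmp: echo reply
19:24:44.258823 192.168.1.10 > 192.168.1.1: icmp: echo request
19:24:44.259219 192.168.1.1 > 192.168.1.10: icmp: echo reply
19:24:45.101000 192.168.1.10 > 10.0.0.58: icmp: echo request
19:24:46.101000 192.168.1.10 > 10.0.0.58: icmp: echo request
19:24:46.500000 192.168.1.10.51000 > 10.0.0.58.443: S 1:1(0) win 65535
"""

if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    print("packets parsed:", len(pkts))
    for src, dst, n in unanswered_echo_requests(pkts):
        print("no echo reply from %s to %s (%d request(s))" % (dst, src, n))
    for host, n in talkers(pkts):
        print("%-16s %d" % (host, n))
```

On the sample, the two pings to 10.0.0.58 are reported as unanswered while the pings to the UAG itself pair up cleanly; the same functions work on a longer trace pasted from packet-trace duration.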
  • Page 254: Packet Capture Command Example

    Chapter 40 Maintenance Tools Table 146 Maintenance Tools Commands in Configuration Mode (continued). arp IP mac_address: Edits or creates an ARP table entry. no arp ip: Removes an ARP table entry. The following example creates an ARP table entry for IP address 192.168.1.10 and MAC address 01:02:03:04:05:06.
  • Page 255 Chapter 40 Maintenance Tools • The maximum size of a packet capture file: 100 megabytes Router(config)# packet-capture configure Router(packet-capture)# iface add wan1 Router(packet-capture)# ip-type any Router(packet-capture)# host-ip any Router(packet-capture)# file-suffix Example Router(packet-capture)# files-size 10 Router(packet-capture)# duration 150 Router(packet-capture)# storage usbstorage Router(packet-capture)# ring-buffer disable Router(packet-capture)# split-size 100 Router(packet-capture)#...
  • Page 257: Chapter 41 Watchdog Timer

    CHAPTER 41 Watchdog Timer This chapter provides information about the UAG’s watchdog timers. 41.1 Hardware Watchdog Timer The hardware watchdog has the system restart if the hardware fails. The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.
  • Page 258: Application Watchdog

    Chapter 41 Watchdog Timer 41.3 Application Watchdog The application watchdog has the system restart a process that fails. These are the app-watchdog commands. Use the configure terminal command to enter the configuration mode to be able to use these commands. Table 149 app-watchdog Commands COMMAND DESCRIPTION...
  • Page 261: List Of Commands (Alphabetical)

    List of Commands (Alphabetical)
    This section lists the commands and sub-commands in alphabetical order. Commands and subcommands appear at the same level.
    [no] {anti-virus | personal-firewall} activate .........194
    [no] {ipv4 | ipv4_cidr | ipv4_range | wildcard_domainname | tld} .......147
    [no] aaa authentication default member1 [member2] [member3] [member4] ....181...
  • Page 262 List of Commands (Alphabetical)
    [no] area IP virtual-link IP ............91
    [no] area IP virtual-link IP authentication ..........91
    [no] area IP virtual-link IP authentication authentication-key authkey ....91
    [no] area IP virtual-link IP authentication message-digest ......91
    [no] area IP virtual-link IP authentication message-digest-key <1..255> md5 authkey ..91
    [no] area IP virtual-link IP authentication same-as-area ........91...
  • Page 263 List of Commands (Alphabetical)
    [no] content-filter service-timeout service_timeout ........149
    [no] content-filter statistics collect ..........150
    [no] corefile copy usb-storage ............72
    [no] crypto ignore-df-bit ..............130
    [no] crypto map map_name ...............130
    [no] crypto map_name ..............134
    [no] crypto profile_name ..............94
    [no] ctmatch {dnat | snat} .............124
    [no] custom ip ................98...
  • Page 264 List of Commands (Alphabetical)
    [no] from zone_object ..............124
    [no] groupname groupname ...............157
    [no] groupname groupname ...............157
    [no] ha-iface interface_name ............99
    [no] hardware-address mac_address ............60
    [no] hardware-watchdog-timer <4..37> ...........257
    [no] host hostname ..............98
    [no] host ip ................60
    [no] hostname hostname ..............203
    [no] idle <0..360>...
  • Page 265 List of Commands (Alphabetical)
    [no] ip-select {iface | auto | custom} ..........98
    [no] ip-select-backup {iface | auto | custom} ...........98
    [no] isakmp policy policy_name ............129
    [no] item cf-report ..............239
    [no] item cpu-usage ..............239
    [no] item mem-usage ..............239
    [no] item port-usage ..............239
    [no] item session-usage ..............239...
  • Page 266 List of Commands (Alphabetical)
    [no] metric <0..15> ..............56
    [no] mss <536..1452> ..............71
    [no] mss <536..1460> ..............56
    [no] mtu <576..1500> ..............56
    [no] mx {ip | domain_name} ..............98
    [no] nail-up ................132
    [no] natt ................130
    [no] negotiation auto ..............68
    [no] netbios-broadcast ..............132
    [no] network interface area IP ............91
    [no] network interface_name .............63...
  • Page 267 List of Commands (Alphabetical)
    [no] server {domain_name|ip} ............112
    [no] server alternative-cn-identifier uid ..........178
    [no] server alternative-cn-identifier uid ..........179
    [no] server basedn basedn ..............178
    [no] server basedn basedn ..............179
    [no] server binddn binddn ..............178
    [no] server binddn binddn ..............179
    [no] server cn-identifier uid ............178
    [no] server cn-identifier uid ............179...
  • Page 268 List of Commands (Alphabetical)
    [no] sslvpn tunnel_name ..............83
    [no] starting-address ip pool-size <1..65535> ...........61
    [no] system default-snat ..............76
    [no] third-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | Device} ..61
    [no] to {zone_object|Device} ............124
    [no] trigger <1..8> incoming service_name trigger service_name ......83
    [no] trust_hosts ...............148...
  • Page 269 List of Commands (Alphabetical)
    action {allow|deny|reject} .............124
    activate ................107
    activate ................129
    activate ................131
    address address_object ..............107
    address-object object_name {ip | ip_range | ip_subnet | interface-ip | interface-subnet | interface-gateway} {interface} .............166
    address-object rename object_name object_name ..........166
    adjust-mss {auto | <200..1500>} ............131
    algorithm {wrr|llf|spill-over} ............76...
  • Page 270 List of Commands (Alphabetical)
    content-filter profile filtering_profile url match {block | log | warn | pass} ..148
    content-filter profile filtering_profile url match-unsafe {block | log | pass} ..148
    content-filter profile filtering_profile url offline {block | log | warn | pass} ..148
    content-filter profile filtering_profile url unrate {block | log | warn | pass} ..148...
  • Page 271 List of Commands (Alphabetical)
    number] [vat vat-number] ............48
    dhcp-option <1..254> option_name {boolean <0..1>| uint8 <0..255> | uint16 <0..65535> ..60
    diag ..................35
    diag-info ................35
    diag-info collect ..............245
    ..................35
    dir {/cert | /conf | /packet_trace | /script | /tmp} ........221
    disable .................35
    draw-usage-graphics ..............239
    dscp-marking <0..63>...
  • Page 272 List of Commands (Alphabetical)
    host-ip {ip-address | profile_name | any} ..........252
    host-port <0..65535> ..............252
    ..................36
    iface {add | del} {interface_name | virtual_interface_name} ......252
    in-dnat <1..10> protocol {all | tcp | udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535> ........132
    in-dnat append protocol {all | tcp | udp} original-ip address_name <0..65535>...
  • Page 273 List of Commands (Alphabetical)
    ip ospf authentication same-as-area .............64
    ip ospf message-digest-key <1..255> md5 password ........64
    ip route replace {w.x.y.z} {w.x.y.z} {interface|w.x.y.z} <0..127> with {w.x.y.z} {w.x.y.z} {interface|w.x.y.z} <0..127> ............86
    ip ssh server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny} ........211
    ip ssh server rule move rule_number to rule_number ........211
    ip telnet server rule {rule_number|append|insert rule_number} access-group {ALL|address_object}...
  • Page 274 List of Commands (Alphabetical)
    matching-criteria {any | all} ............196
    mode {main | aggressive} ...............129
    mode {normal|trunk} ..............76
    move <1..8> to <1..8> ..............76
    mtu <576..1492> .................71
    network ip mask .................60
    network IP/<1..32> ..............60
    no address-object object_name ............166
    no area IP virtual-link IP message-digest-key <1..255> ........91
    no arp ip ................254...
  • Page 275 List of Commands (Alphabetical)
    packet-capture configure ...............252
    packet-trace ................36
    packet-trace [interface interface_name] [ip-proto {<0..255> | protocol_name | any}] [src-host {ip | hostname | any}] [dst-host {ip | hostname | any}] [port {<1..65535> | any}] [file] [duration <1..3600>] [extension-filter filter_extension] ......251
    peer-id type {any | ip ip | fqdn domain_name | mail e_mail | dn distinguished_name} ..130
    peer-ip {ip | domain_name} [ip | domain_name]...
  • Page 276 List of Commands (Alphabetical)
    service-object object_name {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>} ...169
    service-object object_name icmp icmp_value ..........170
    service-object object_name protocol <1..255> ...........170
    service-object rename object_name object_name ..........170
    service-register checkexpire ............48
    service-register service-type standard license-key key_value ......48
    service-register service-type trial service content-filter ......48
    session timeout {tcp-established | tcp-synrecv | tcp-close | tcp-finwait | tcp-synsent | tcp-...
  • Page 277 List of Commands (Alphabetical)
    show console ................204
    show content-filter common-list {trust|forbid} .........147
    show content-filter passed warning .............147
    show content-filter policy .............147
    show content-filter profile [filtering_profile] ........149
    show content-filter settings ............147
    show content-filter statistics collect ..........150
    show content-filter statistics summary ..........150
    show content-filter statistics summary ..........150
    show content-filter url-cache...
  • Page 278 List of Commands (Alphabetical)
    show ip route [kernel | connected | static | ospf | rip | bgp] ......92
    show ip route control-virtual-server-rules ..........86
    show ip route static-dynamic ............247
    show ip route-settings ..............86
    show ip ssh server status ..............211
    show ip telnet server status ............212
    show ip virtual-server [profile_name] ..........102...
  • Page 279 List of Commands (Alphabetical)
    show reference object address [object_name] ..........41
    show reference object ca category {local|remote} [cert_name] ......41
    show reference object crypto map [crypto_name] ..........41
    show reference object eps [object_name] ..........41
    show reference object interface [interface_name | virtual_interface_name] ....41
    show reference object isakmp policy [isakmp_name] ........41
    show reference object schedule [object_name] ..........41...
  • Page 280 List of Commands (Alphabetical)
    show system snat default-snat ............247
    show system snat nat-1-1 ...............247
    show system snat nat-loopback ............247
    show system snat order ..............247
    show system snat policy-route ............247
    show system snat vpn-1-1-map ............247
    show system uptime ..............43
    show usb-storage ................71
    show username [username] ...............156...
  • Page 281 List of Commands (Alphabetical)
    system default-interface-group group-name ..........76
    telnet ..................36
    test aaa ................36
    test aaa {server|secure-server} {ad|ldap} host {hostname|ipv4-address} [host {hostname|ipv4-address}] port <1..65535> base-dn base-dn-string [bind-dn bind-dn-string password password] login-name-attribute attribute [alternative-login-name-attribute attribute] account account-name ...............182
    traceroute ................36
    traceroute {ip | hostname} .............251...
  • Page 282 List of Commands (Alphabetical)
    vpn-configuration-provision rule { delete conf_index | move conf_index to conf_index } .134
    web-auth [no] exceptional-service service_name .........159
    web-auth default-rule authentication {required | unnecessary} {no log | log [alert]} ...159
    web-auth login setting ..............159
    web-auth policy <1..1024> ..............159
    web-auth policy append ..............159...