ZyXEL Communications UAG Series Reference Manual

Unified access gateway
UAG Series
Unified Access Gateway
Versions: 2.50, 4.00, 4.01, 4.10
Edition 1, 03/2015
Quick Start Guide
CLI Reference Guide
Default Login Details
LAN Port: https://192.168.1.1 (UAG715)
LAN Port: http://172.16.0.1 (UAG2100/UAG4100/UAG5100 LAN1)
LAN Port: http://172.17.0.1 (UAG2100/UAG4100/UAG5100 LAN2)
User Name: admin
Password: 1234
www.zyxel.com
Copyright © 2011 ZyXEL Communications Corporation
Copyright © 2015 ZyXEL Communications Corporation


Summary of Contents for ZyXEL Communications UAG Series

  • Page 1 Edition 1, 03/2015 Quick Start Guide CLI Reference Guide Default Login Details: LAN Port https://192.168.1.1 (UAG715), http://172.16.0.1 (UAG2100/UAG4100/UAG5100 LAN1), http://172.17.0.1 (UAG2100/UAG4100/UAG5100 LAN2); User Name admin; Password 1234; www.zyxel.com. Copyright © 2011 ZyXEL Communications Corporation. Copyright © 2015 ZyXEL Communications Corporation...
  • Page 2  IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a Reference Guide for a series of products. Not all products support all firmware features. Screenshots, graphics and commands in this book may differ slightly from your product due to differences in your product firmware or your computer operating system.
  • Page 3: About This Cli Reference Guide

    About This CLI Reference Guide Intended Audience This manual is intended for people who want to configure ZLD-based UAGs via Command Line Interface (CLI). You should have at least a basic knowledge of TCP/IP networking concepts and topology.
  • Page 4: Document Conventions

    Document Conventions Warnings and Notes These are how warnings and notes are shown in this guide. Warnings tell you about things that could harm you or your device. Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 5 Document Conventions (figure icon labels: Server, Firewall, Telephone, Switch, Router) UAG CLI Reference Guide...
  • Page 6: Table Of Contents

    Contents Overview: Introduction (p. 22); Command Line Interface (p. 24); User and Privilege Modes (p. 37); Reference (p. 41); Object Reference (p. 43); Status (p. 45); Registration (p. 48); AP Management (p. 55); Wireless LAN Profiles (p. 59); Rogue AP (p. 71); Wireless Frame Capture (p. 75); Dynamic Channel Selection (p. 77); Wireless Load Balancing (p. 79); Auto-Healing (p. 82); Interfaces (p. 84)...
  • Page 7 Contents Overview: Printer Manager (p. 184); Free Time (p. 186); SMS (p. 188); Bandwidth Management (p. 190); IPSec VPN (p. 195); SSL VPN (p. 205); Application Patrol (p. 210); Content Filtering (p. 213); User/Group (p. 224); Application Object (p. 232); Addresses (p. 235); Services (p. 238); Schedules (p. 241); AAA Server (p. 243); Authentication Objects (p. 250); Certificates (p. 253); ISP Accounts (p. 258); SSL Application (p. 260)...
  • Page 8: Table Of Contents

    Table of Contents: About This CLI Reference Guide (p. 3); Document Conventions (p. 4); Contents Overview (p. 6); Table of Contents (p. 8); Part I: Introduction (p. 22); Chapter 1 Command Line Interface (p. 24); 1.1 Overview (p. 24); 1.1.1 The Configuration File (p. 24); 1.2 Accessing the CLI (p. 24); 1.2.1 Console Port (p. 25); 1.2.2 Web Configurator Console (p. 25); 1.2.3 Telnet (p. 28)...
  • Page 9 Table of Contents: 1.9 Saving Configuration Changes (p. 36); 1.10 Logging Out (p. 36); Chapter 2 User and Privilege Modes (p. 37); 2.1 User And Privilege Modes (p. 37); 2.1.1 Debug Commands (p. 38); Part II: Reference (p. 41); Chapter 3 Object Reference (p. 43); 3.1 Object Reference Commands (p. 43); 3.1.1 Object Reference Command Example (p. 44); Chapter 4 Status (p. 45)...
  • Page 10 Table of Contents: 7.4 SSID Profile Commands (p. 65); 7.4.1 SSID Profile Example (p. 67); 7.5 Security Profile Commands (p. 68); 7.5.1 Security Profile Example (p. 69); 7.6 MAC Filter Profile Commands (p. 70); 7.6.1 MAC Filter Profile Example (p. 70); Chapter 8 Rogue AP (p. 71); 8.1 Rogue AP Detection Overview (p. 71); 8.2 Rogue AP Detection Commands (p. 71); 8.2.1 Rogue AP Detection Examples (p. 72); 8.3 Rogue AP Containment Overview (p. 73)...
  • Page 11 Table of Contents: 13.1.1 Types of Interfaces (p. 84); 13.1.2 Relationships Between Interfaces (p. 85); 13.2 Interface General Commands Summary (p. 86); 13.2.1 Basic Interface Properties and IP Address Commands (p. 87); 13.2.2 DHCP Setting Commands (p. 90); 13.2.3 Interface Parameter Command Examples (p. 94); 13.2.4 RIP Commands (p. 94); 13.2.5 OSPF Commands (p. 95); 13.2.6 Connectivity Check (Ping-check) Commands (p. 97); 13.3 Ethernet Interface Specific Commands (p. 98)...
  • Page 12 Table of Contents: 16.2 Policy Route Commands (p. 114); 16.2.1 Assured Forwarding (AF) PHB for DiffServ (p. 117); 16.2.2 Policy Route Command Example (p. 118); 16.3 IP Static Route (p. 119); 16.4 Static Route Commands (p. 119); 16.4.1 Static Route Commands Examples (p. 120); Chapter 17 Routing Protocol (p. 121); 17.1 Routing Protocol Overview (p. 121)...
  • Page 13 Table of Contents: 21.2.2 vpn-1-1-map pool Command Examples (p. 138); 21.2.3 vpn-1-1-map rule Sub-commands (p. 138); 21.2.4 vpn-1-1-map rule Command Examples (p. 139); 21.2.5 vpn-1-1-map statistics Command Examples (p. 139); Chapter 22 HTTP Redirect (p. 140); 22.1 HTTP Redirect Overview (p. 140); 22.1.1 Web Proxy Server (p. 140); 22.2 HTTP Redirect Commands (p. 140); 22.2.1 HTTP Redirect Command Examples (p. 141); Chapter 23...
  • Page 14 Table of Contents: 27.3 Layer 2 Isolation Commands Example (p. 155); Chapter 28 IPnP (p. 156); 28.1 IPnP Overview (p. 156); 28.2 IPnP Commands (p. 156); 28.3 IPnP Commands Example (p. 157); Chapter 29 Web Authentication (p. 158); 29.1 Web Authentication Overview (p. 158); 29.2 Web Authentication Commands (p. 158); 29.2.1 web-auth login setting Sub-commands (p. 160); 29.2.2 web-auth policy Sub-commands (p. 161); 29.2.3 web-auth type default-user-agreement Sub-commands (p. 162)...
  • Page 15 Table of Contents: 33.2.1 Firewall Sub-Commands (p. 174); 33.2.2 Firewall Command Examples (p. 175); 33.3 Session Limit Commands (p. 176); Chapter 34 Billing (p. 177); 34.1 Billing Overview (p. 177); 34.2 Billing Commands (p. 177); 34.2.1 Billing Profile Sub-commands (p. 178); 34.2.2 Billing Command Example (p. 179); Chapter 35 Payment Service (p. 181); 35.1 Payment Service Overview (p. 181); 35.2 Payment-service Commands (p. 181)...
  • Page 16 Table of Contents: 39.3 Bandwidth Management Commands Example (p. 194); Chapter 40 IPSec VPN (p. 195); 40.1 IPSec VPN Overview (p. 195); 40.2 IPSec VPN Commands Summary (p. 196); 40.2.1 IKE SA Commands (p. 197); 40.2.2 IPSec SA Commands (except Manual Keys) (p. 199); 40.2.3 IPSec SA Commands (for Manual Keys) (p. 202); 40.2.4 VPN Concentrator Commands (p. 202); 40.2.5 VPN Configuration Provisioning Commands (p. 203); 40.2.6 SA Monitor Commands (p. 204)...
  • Page 17 Table of Contents: 44.1 User Account Overview (p. 224); 44.1.1 User Types (p. 224); 44.2 User/Group Commands Summary (p. 225); 44.2.1 User Commands (p. 225); 44.2.2 User Group Commands (p. 226); 44.2.3 User Setting Commands (p. 227); 44.2.4 MAC Auth Commands (p. 228); 44.2.5 Additional User Commands (p. 230); Chapter 45 Application Object (p. 232); 45.1 Application Object Commands Summary (p. 232)...
  • Page 18 Table of Contents: 49.2.5 aaa group server ad Commands (p. 245); 49.2.6 aaa group server ldap Commands (p. 246); 49.2.7 aaa group server radius Commands (p. 247); 49.2.8 aaa group server Command Example (p. 249); Chapter 50 Authentication Objects (p. 250); 50.1 Authentication Objects Overview (p. 250); 50.2 aaa authentication Commands (p. 250); 50.2.1 aaa authentication Command Example (p. 251); 50.3 test aaa Command (p. 251)...
  • Page 19 Table of Contents: 55.2.1 dynamic-guest Sub-commands (p. 270); 55.2.2 Dynamic-guest Command Example (p. 271); Chapter 56 System (p. 272); 56.1 System Overview (p. 272); 56.2 Customizing the WWW Login Page (p. 272); 56.3 Host Name Commands (p. 274); 56.4 Time and Date (p. 274); 56.4.1 Date/Time Commands (p. 275); 56.5 Console Port Speed (p. 275); 56.6 DNS Overview (p. 276); 56.6.1 Domain Zone Forwarder (p. 276)...
  • Page 20 Table of Contents: 57.8.1 Supported MIBs (p. 288); 57.8.2 SNMP Traps (p. 288); 57.8.3 SNMP Commands (p. 289); 57.8.4 SNMP Commands Examples (p. 289); 57.9 ICMP Filter (p. 290); Chapter 58 File Manager (p. 291); 58.1 File Directories (p. 291); 58.2 Configuration Files and Shell Scripts Overview (p. 291); 58.2.1 Comments in Configuration Files or Shell Scripts (p. 292); 58.2.2 Errors in Configuration Files or Shell Scripts (p. 293); 58.2.3 UAG Configuration File Details (p. 293)...
  • Page 21 Table of Contents: 60.2.1 Email Daily Report Example (p. 312); 60.3 Reboot (p. 314); Chapter 61 Session Timeout (p. 315); Chapter 62 Diagnostics (p. 316); 62.1 Diagnostics (p. 316); 62.2 Diagnosis Commands (p. 316); 62.3 Diagnosis Commands Example (p. 316); Chapter 63 Packet Flow Explore (p. 317); 63.1 Packet Flow Explore (p. 317); 63.2 Packet Flow Explore Commands (p. 317); 63.3 Packet Flow Explore Commands Example (p. 318); Chapter 64...
  • Page 22: Introduction

    Introduction...
  • Page 24: Command Line Interface

    Chapter 1 Command Line Interface This chapter describes how to access and use the CLI (Command Line Interface). 1.1 Overview If you have problems with your UAG, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the UAG and possibly render it unusable.
  • Page 25: Console Port

    Chapter 1 Command Line Interface 1.2.1 Console Port The default settings for the console port are as follows. Table 1 Managing the UAG: Console Port SETTING VALUE Speed 115200 bps Data Bits Parity None Stop Bit Flow Control When you turn on your UAG, it performs several internal tests as well as line initialization. You can view the initialization information using the console port.
  • Page 26 Chapter 1 Command Line Interface When you access the CLI using the web console, your computer establishes a SSH (Secure SHell) connection to the UAG. Follow the steps below to access the web console. Log into the web configurator. Click the Console icon in the top-right corner of the web configurator screen.
  • Page 27 Chapter 1 Command Line Interface Note: The default login username is admin. It is case-sensitive. Figure 5 Web Console: Connecting Then, the Password screen appears. Figure 6 Web Console: Password Enter the password for the user name you specified earlier, and click OK. If you enter the password incorrectly, you get an error message, and you may have to close the console window and open it again.
  • Page 28: Telnet

    Chapter 1 Command Line Interface 1.2.3 Telnet Use the following steps to Telnet into your UAG. If your computer is connected to the UAG over the Internet, skip to the next step. Make sure your computer IP address and the UAG IP address are on the same subnet. In Windows, click Start (usually in the bottom left corner) and Run.
  • Page 29: How Commands Are Explained

    Chapter 1 Command Line Interface 1.4 How Commands Are Explained Each chapter explains the commands for one keyword. The chapters are divided into the following sections. 1.4.1 Background Information (Optional) Note: See the User’s Guide for background information about most features. This section provides background information about features that you cannot configure in the web configurator.
  • Page 30: Changing The Password

    Chapter 1 Command Line Interface • Enter range exactly as it appears, followed by two numbers between 1 and 65535. 1.4.6 Changing the Password It is highly recommended that you change the password for accessing the UAG. See Section 44.2 on page 225 for the appropriate commands.
  • Page 31: Shortcuts And Help

    Chapter 1 Command Line Interface 1.6 Shortcuts and Help 1.6.1 List of Available Commands A list of valid commands can be found by typing at the command prompt. To view a list of [TAB] available commands within a command group, enter <command>...
  • Page 32: Entering Partial Commands

    Chapter 1 Command Line Interface 1.6.3 Entering Partial Commands The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press to have the UAG automatically display the full command. [TAB] For example, if you enter and press , the full command of automatically...
  • Page 33: Input Values

    Chapter 1 Command Line Interface 1.7 Input Values You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen.
  • Page 34 Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES LEGAL VALUES e-mail 1-64 alphanumeric or .@_- encryption key 16-64 “0x” or “0X” + 16-64 hexadecimal values 8-32 alphanumeric or ;\|`~!@#$%^&*()_+\\{}':,./<>=- file name 0-31 alphanumeric or _- filter extension...
  • Page 35 Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES LEGAL VALUES phone number 1-20 numbers or ,+ preshared key 16-64 “0x” or “0X” + 16-64 hexadecimal values alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=- profile name 0-30 alphanumeric or _- first character: letters or _-...
  • Page 36: Ethernet Interfaces

    Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES LEGAL VALUES week-day sequence, i.e. 1=first,2=second xauth method 1-31 alphanumeric or _- xauth password 1-31 alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=- mac address 0-12 (even hexadecimal number) for example: aa aabbcc aabbccddeeff 1.8 Ethernet Interfaces...
  • Page 37: User And Privilege Modes

    Chapter 2 User and Privilege Modes This chapter describes how to use these two modes. 2.1 User And Privilege Modes This is the mode you are in when you first log into the CLI. (Do not confuse ‘user mode’ with types of user accounts the UAG uses.
  • Page 38: Debug Commands

    Chapter 2 User and Privilege Modes Table 4 User (U) and Privilege (P) Mode Commands (continued) COMMAND MODE DESCRIPTION Goes to a previous mode or logs out. exit Goes to htm (hardware test module) mode for testing hardware components. You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting.
  • Page 39 Chapter 2 User and Privilege Modes Table 5 Debug Commands (continued)
    COMMAND SYNTAX: DESCRIPTION (LINUX COMMAND EQUIVALENT)
    debug capwap (*): Capwap debug commands
    debug content-filter: Content Filtering debug commands
    debug dns-query (*): DNS query related debug commands
    debug dynamic-guest (*): Dynamic guest debug commands
    debug eps: Endpoint security debug commands...
  • Page 40 Chapter 2 User and Privilege Modes Table 5 Debug Commands (continued)
    COMMAND SYNTAX: DESCRIPTION (LINUX COMMAND EQUIVALENT)
    debug [cmdexec|corefile|ip|kernel|mac-id-rewrite|observer|switch|system|zyinetpkt|zysh-ipt-op]: ZLD internal debug commands
    debug update server (*): Update server debug command
    debug vpn-1-1-map (*): VPN 1-1 mapping debug commands
    debug web-auth (*): Web authentication debug commands
    Controller debug commands...
  • Page 41: Reference

    Reference...
  • Page 43: Object Reference

    Chapter 3 Object Reference This chapter describes how to use object reference commands. 3.1 Object Reference Commands The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
  • Page 44: Object Reference Command Example

    Chapter 3 Object Reference Table 6 show reference Commands (continued)
    COMMAND: DESCRIPTION
    show reference object-group username [username]: Displays which configuration settings reference the specified user group object.
    show reference object-group address [object_name]: Displays which configuration settings reference the specified address group object.
    Displays which configuration settings reference the specified service show reference object-group service...
  • Page 45: Status

    Chapter 4 Status This chapter explains some commands you can use to display information about the UAG’s current operational state. Table 7 Status Show Commands
    COMMAND: DESCRIPTION
    show boot status: Displays details about the UAG’s startup state.
    show comport status: Displays whether the console and auxiliary ports are on or off.
    Displays the CPU utilization.
  • Page 46 Chapter 4 Status Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size, and serial number.
    Router(config)# show fan-speed
    FAN1(F00)(rpm): limit(hi)=8000, limit(lo)=1400, max=6115, min=6115, avg=6115
    Router(config)# show mac
    MAC address: 00:00:AA:80:05:58-00:00:AA:80:05:5C
    Router(config)# show mem status
    memory usage: 39%
    Router(config)# show ram-size
    ram size: 512MB...
  • Page 47 Here are examples of the commands that display the system uptime and model, firmware, and build information.
    Router> show system uptime
    system uptime: 04:18:00
    Router> show version
    ZyXEL Communications Corp.
    model : UAG715
    firmware version: V2.50(AACG.0)
    BM version : 1.22...
  • Page 48: Registration

    Chapter 5 Registration This chapter introduces myzyxel.com and shows you how to register the UAG for subscription services using commands. 5.1 myZyXEL.com Overview myZyXEL.com is ZyXEL’s online services center where you can register your UAG and manage subscription services available for the UAG. To use a subscription service, you have to register the UAG and activate the corresponding service at myZyXEL.com.
  • Page 49: Maximum Number Of Managed Aps

    Chapter 5 Registration 5.2.2 Maximum Number of Managed APs The UAG is initially configured to support up to one local AP and 8 remote managed APs (such as the NWA5123-NI). You can increase this by subscribing to additional licenses. As of this writing, each license upgrade allows an additional 8 remote managed APs while the maximum number of remote managed APs a single UAG can support is 16.
  • Page 50: Command Examples

    Chapter 5 Registration 5.3.1 Command Examples The following commands allow you to register your device with an existing account or create a new account and register the device at one time, and activate a trial service subscription.
    Router# configure terminal
    Router(config)# device-register username alexctsui password 123456
    Router(config)# service-register service-type trial service content-filter
    The following command displays the account information and whether the device is registered.
  • Page 51: Command Examples

    Chapter 5 Registration 5.4.1 Command Examples The following command displays the service registration status and type and how many days remain before the service expires.
    Router# configure terminal
    Router(config)# show service-register status all
    Service Status Type Count Expiration
    ===============================================================================
    Extension User Licensed standard
    External-AP-Control...
  • Page 52 Chapter 5 Registration Table 11 Country Codes (continued) COUNTRY COUNTRY COUNTRY NAME COUNTRY NAME CODE CODE Congo, Republic of Cook Islands Costa Rica Cote d'Ivoire Croatia/Hrvatska Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic East Timor Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia...
  • Page 53 Chapter 5 Registration Table 11 Country Codes (continued) COUNTRY COUNTRY COUNTRY NAME COUNTRY NAME CODE CODE Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia, Federal State of Moldova, Republic of Monaco Mongolia Montserrat Morocco Mozambique Namibia Nauru Nepal Netherlands Netherlands Antilles...
  • Page 54 Chapter 5 Registration Table 11 Country Codes (continued) COUNTRY COUNTRY COUNTRY NAME COUNTRY NAME CODE CODE Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu US Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu...
  • Page 55: Ap Management

    Chapter 6 AP Management This chapter shows you how to configure wireless AP management options on your UAG. 6.1 AP Management Overview The UAG allows you to remotely manage all of the Access Points (APs) on your network. You can manage a number of APs without having to configure them individually as the UAG automatically handles basic configuration for you.
  • Page 56 Chapter 6 AP Management The following table describes the commands available for AP management. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 13 Command Summary: AP Management COMMAND DESCRIPTION Adds the specified AP to the UAG for management.
  • Page 57 Chapter 6 AP Management Table 13 Command Summary: AP Management (continued)
    COMMAND: DESCRIPTION
    lan_port {activate | inactivate} pvid <1..4094>: Enables or disables the specified LAN port on the AP and configures a PVID (Port VLAN ID) for this port. lan_port: the name of the AP’s LAN port (lan1 for example).
    Creates a new VLAN or configures an existing VLAN.
  • Page 58: Ap Management Commands Example

    Chapter 6 AP Management 6.2.1 AP Management Commands Example The following example shows you how to add an AP to the management list, and then edit it.
    Router# show capwap ap wait-list
    index: 1
    IP: 192.168.1.35, MAC: 00:11:11:11:11:FE
    Model: NWA5160N, Description: AP-00:11:11:11:11:FE
    index: 2
    IP: 192.168.1.36, MAC: 00:19:CB:00:BB:03
    Model: NWA5160N, Description: AP-00:19:CB:00:BB:03...
  • Page 59: Wireless Lan Profiles

    Chapter 7 Wireless LAN Profiles This chapter shows you how to configure wireless LAN profiles on your UAG. 7.1 Wireless LAN Profiles Overview The managed Access Points designed to work explicitly with your UAG do not have on-board configuration files; you must create “profiles”...
  • Page 60 Chapter 7 Wireless LAN Profiles Table 14 Input Values for General Radio Profile Commands (continued)
    LABEL: DESCRIPTION
    wlan_mcs_speed: Sets the HT MCS rate. The available rates are: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.
    Sets the basic band rate for 5 GHz.
  • Page 61 Chapter 7 Wireless LAN Profiles Table 15 Command Summary: Radio Profile (continued)
    COMMAND: DESCRIPTION
    [no] dot11n-disable-coexistence: Fixes the channel bandwidth as 40 MHz. The no command has the AP automatically choose 40 MHz if all the clients support it or 20 MHz if some clients only support 20 MHz.
  • Page 62 Chapter 7 Wireless LAN Profiles Table 15 Command Summary: Radio Profile (continued)
    COMMAND: DESCRIPTION
    [no] amsdu: Activates MPDU frame aggregation for this profile. Use the no parameter to disable it. Mac Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header.
  • Page 63: Ap Profile Commands Example

    Chapter 7 Wireless LAN Profiles Table 15 Command Summary: Radio Profile (continued)
    COMMAND: DESCRIPTION
    5g-support-speed {disable | wlan_5g_support_speed}: Disables or sets the 5 GHz support rate. The default is 6.0~54.0.
    [no] htprotection: Activates HT protection for this profile. Use the no parameter to disable it.
  • Page 64: Ap Monitor Profile Commands

    Chapter 7 Wireless LAN Profiles It will also assign the SSID profile labeled ‘default’ in order to create WLAN VAP (wlan-1-1) functionality within the radio profile.
    Router(config)# wlan-radio-profile RADIO01
    Router(config-profile-radio)# activate
    Router(config-profile-radio)# band 2.4G
    Router(config-profile-radio)# 2g-channel 6
    Router(config-profile-radio)# ch-width 20m
    Router(config-profile-radio)# dtim-period 2
    Router(config-profile-radio)# beacon-interval 100
    Router(config-profile-radio)# ampdu...
  • Page 65: Ssid Profile Commands

    Chapter 7 Wireless LAN Profiles Table 17 Command Summary: Monitor Profile (continued)
    COMMAND: DESCRIPTION
    [no] wlan-monitor-profile monitor_profile_name: Enters configuration mode for the specified monitor profile. Use the no parameter to remove the specified profile.
    [no] activate: Makes this profile active or inactive. By default, this is enabled.
  • Page 66 Chapter 7 Wireless LAN Profiles Table 18 Input Values for General SSID Profile Commands (continued)
    LABEL: DESCRIPTION
    securityprofile: Assigns an existing security profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 67: Ssid Profile Example

    Chapter 7 Wireless LAN Profiles Table 19 Command Summary: SSID Profile (continued)
    COMMAND: DESCRIPTION
    [no] block-intra: Enables intra-BSSID traffic blocking. Use the no parameter to disable it in this profile. By default this is disabled.
    downlink-rate-limit data_rate: Sets the maximum incoming transmission data rate (either in mbps or kbps) on a per-station basis.
  • Page 68: Security Profile Commands

    Chapter 7 Wireless LAN Profiles 7.5 Security Profile Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 20 Input Values for General Security Profile Commands LABEL DESCRIPTION The security profile name.
  • Page 69: Security Profile Example

    Chapter 7 Wireless LAN Profiles Table 21 Command Summary: Security Profile (continued)
    COMMAND: DESCRIPTION
    wpa-encrypt {tkip | aes | auto}: Sets the WPA/WPA2 encryption cipher type. auto: This automatically chooses the best available cipher based on the cipher in use by the wireless client that is attempting to make a connection.
  • Page 70: Mac Filter Profile Commands

    Chapter 7 Wireless LAN Profiles 7.6 MAC Filter Profile Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 22 Input Values for General MAC Filter Profile Commands LABEL DESCRIPTION The MAC filter profile name.
  • Page 71: Rogue Ap

    Chapter 8 Rogue AP This chapter shows you how to set up Rogue Access Point (AP) detection and containment. 8.1 Rogue AP Detection Overview Rogue APs are wireless access points operating in a network’s coverage area that are not under the control of the network’s administrators, and can potentially open holes in the network security.
  • Page 72: Rogue Ap Detection Examples

    Chapter 8 Rogue AP Table 25 Command Summary: Rogue AP Detection (continued)
    COMMAND: DESCRIPTION
    rogue-ap ap_mac description2: Sets the device that owns the specified MAC address as a rogue AP. You can also assign a description to this entry on the rogue AP list.
  • Page 73: Rogue Ap Containment Overview

    Chapter 8 Rogue AP This example shows the friendly AP detection list.
    Router(config)# show rogue-ap detection list friendly
    description
    ===========================================================================
    11:11:11:11:11:11 third floor
    00:13:49:11:22:33
    00:13:49:00:00:05
    00:13:49:00:00:01
    00:0D:0B:CB:39:33 dept1
    This example shows the combined rogue and friendly AP detection list.
    Router(config)# show rogue-ap detection list all
    role description
    ===========================================================================
  • Page 74: Rogue Ap Containment Commands

    Chapter 8 Rogue AP 8.4 Rogue AP Containment Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 26 Input Values for Rogue AP Containment Commands
    LABEL: DESCRIPTION
    ap_mac: Specifies the MAC address (in XX:XX:XX:XX:XX:XX format) of the AP to be...
  • Page 75: Wireless Frame Capture

    Chapter 9 Wireless Frame Capture This chapter shows you how to configure and use wireless frame capture on the UAG. 9.1 Wireless Frame Capture Overview Troubleshooting wireless LAN issues has always been a challenge. Wireless sniffer tools like Ethereal can help capture and decode packets of information, which can then be analyzed for debugging.
  • Page 76: Wireless Frame Capture Examples

    Chapter 9 Wireless Frame Capture The following table describes the commands available for wireless frame capture. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 29 Command Summary: Wireless Frame Capture COMMAND DESCRIPTION Enters sub-command mode for wireless frame capture.
  • Page 77: Dynamic Channel Selection

    Chapter 10 Dynamic Channel Selection This chapter shows you how to configure and use dynamic channel selection on the UAG. 10.1 DCS Overview Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by passively listening to the area around it and determining what channels are currently being broadcast on by other devices.
  • Page 78: Dcs Examples

    Chapter 10 Dynamic Channel Selection Table 31 Command Summary: DCS (continued) COMMAND DESCRIPTION dcs client-aware {enable|disable} When enabled, this ensures that an AP will not change channels as long as a client is connected to it. If disabled, the AP may change channels regardless of whether it has clients connected to it or not.
  • Page 79: Wireless Load Balancing

    Chapter 11 Wireless Load Balancing This chapter shows you how to configure wireless load balancing. 11.1 Wireless Load Balancing Overview Wireless load balancing is the process whereby you limit the number of connections allowed on a wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it. Because there is a hard upper limit on the AP’s wireless bandwidth, this can be a crucial function in areas crowded with wireless users.
  • Page 80: Wireless Load Balancing Examples

    Chapter 11 Wireless Load Balancing Table 32 Command Summary: Load Balancing (continued) COMMAND DESCRIPTION load-balancing kickInterval <1..255> Enables the kickout feature for load balancing and also sets the kickout interval in seconds. While load balancing is enabled, the AP periodically disconnects stations at intervals equal to this setting.
  • Page 81 Chapter 11 Wireless Load Balancing The following example shows you how to configure AP load balancing in "by traffic" mode. The traffic level is set to low, and "disassociate station" is enabled. Router(config)# load-balancing mode traffic Router(config)# load-balancing traffic level low Router(config)# load-balancing kickout Router(config)# show load-balancing config load balancing config:...
  • Page 82: Auto-Healing

    Chapter 12 Auto-Healing This chapter shows you how to configure auto-healing settings. 12.1 Auto-Healing Overview Auto-healing allows you to extend the wireless service coverage area of the managed APs when one of the managed APs fails. 12.2 Auto-Healing Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
  • Page 83: Auto-Healing Examples

    Chapter 12 Auto-Healing Table 34 Command Summary: Auto-Healing (continued) COMMAND DESCRIPTION Enters a number from 0 to 9. This value is used to calculate the auto-healing margin power level (power-threshold + margin) to which the neighbor APs of the failed AP increase their output power in order to extend their wireless service coverage areas.
  • Page 84: Interfaces

    Chapter 13 Interfaces This chapter shows you how to use interface-related commands. 13.1 Interface Overview In general, an interface has the following characteristics. • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. •...
  • Page 85: Relationships Between Interfaces

    Chapter 13 Interfaces Port groups, and trunks have a lot of characteristics that are specific to each type of interface. These characteristics are listed in the following tables and discussed in more detail farther on. Table 35 Ethernet, VLAN, Bridge, PPP, and Virtual Interface Characteristics CHARACTERISTICS ETHERNET ETHERNET...
  • Page 86: Interface General Commands Summary

    Chapter 13 Interfaces Table 36 Relationships Between Different Types of Interfaces (continued) INTERFACE REQUIRED PORT / INTERFACE virtual interface (virtual Ethernet interface) Ethernet interface* (virtual VLAN interface) VLAN interface* (virtual bridge interface) bridge interface trunk Ethernet interface VLAN interface bridge interface PPPoE/PPTP interface * - You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface, or virtual VLAN interface if the underlying interface is a member of a bridge.
  • Page 87: Basic Interface Properties And Ip Address Commands

    Chapter 13 Interfaces 13.2.1 Basic Interface Properties and IP Address Commands This table lists basic properties and IP address commands. Table 38 interface General Commands: Basic Properties and IP Address Assignment COMMAND DESCRIPTION show interface {ethernet | vlan | bridge | ppp | auxiliary} status Displays the connection status of the specified type of interfaces. Displays information about the specified interface, specified type of...
  • Page 88 Chapter 13 Interfaces Table 38 interface General Commands: Basic Properties and IP Address Assignment (continued) COMMAND DESCRIPTION traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} deactivate Turns off traffic priority settings for when the interface sends the specified type of traffic. Specifies the upstream bandwidth for the specified interface. The [no] upstream <0..1048576>...
  • Page 89 Chapter 13 Interfaces This example shows how to modify the name of interface lan2 to “VIP”. First you have to check the interface system name (ge4 in this example) on the UAG. Then change the name and display the result. Router>...
  • Page 90: Dhcp Setting Commands

    Chapter 13 Interfaces This example shows how to restart an interface. You can check all interface names on the UAG. Then use either the system name or user-defined name of an interface (ge4 or Customer in this example) to restart it. Router>...
  • Page 91 Chapter 13 Interfaces Table 39 interface Commands: DHCP Settings (continued) COMMAND DESCRIPTION [no] host ip Specifies the static IP address the UAG should assign. Use this command, along with hardware-address, to create a static DHCP entry. Note: The IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool.
  • Page 92 Chapter 13 Interfaces Table 39 interface Commands: DHCP Settings (continued) COMMAND DESCRIPTION [no] starting-address ip pool-size <1..65535> Sets the IP start address and maximum pool size of the specified DHCP pool. The final pool size is limited by the subnet mask....
  • Page 93 Chapter 13 Interfaces 13.2.2.1 DHCP Setting Command Examples The following example uses these commands to configure DHCP pool DHCP_TEST. Router# configure terminal Router(config)# ip dhcp pool DHCP_TEST Router(config-ip-dhcp-pool)# network 192.168.1.0 /24 Router(config-ip-dhcp-pool)# domain-name zyxel.com Router(config-ip-dhcp-pool)# first-dns-server 10.1.5.1 Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns Router(config-ip-dhcp-pool)# third-dns-server 10.1.5.2 Router(config-ip-dhcp-pool)#...
  • Page 94: Interface Parameter Command Examples

    Chapter 13 Interfaces 13.2.3 Interface Parameter Command Examples This table shows an example of each interface type’s sub-commands. The sub-commands vary for different interface types. Table 40 Examples for Different Interface Parameters ETHERNET VIRTUAL INTERFACE PPPOE/PPTP Router(config)# interface wan1 Router(config)# interface wan1:1 Router(config)# interface wan1_ppp Router(config-if-wan1)# Router(config-if-vir)#...
  • Page 95: Ospf Commands

    Chapter 13 Interfaces Table 41 interface Commands: RIP Settings (continued) COMMAND DESCRIPTION [no] ip rip {send | receive} version <1..2> Sets the send or receive version to the specified version number. The no command sets the send or received version to the current global...
  • Page 96 Chapter 13 Interfaces Table 42 interface Commands: OSPF Settings (continued) COMMAND DESCRIPTION [no] ip ospf dead-interval <1..65535> Sets the number of seconds the UAG waits for “hello” messages from peer routers before it assumes the peer router is not available and deletes associated routing information.
  • Page 97: Connectivity Check (Ping-Check) Commands

    Chapter 13 Interfaces 13.2.6 Connectivity Check (Ping-check) Commands Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the UAG stops routing to the gateway.
  • Page 98: Ethernet Interface Specific Commands

    Chapter 13 Interfaces 13.2.6.1 Connectivity Check Command Example The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2 Router# configure terminal Router(config)# interface wan1 Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080 Router(config-if-wan1)# exit Router(config)# show ping-check...
  • Page 99: Port Grouping Commands

    Chapter 13 Interfaces Table 45 interface Commands: MAC Setting (continued) COMMAND DESCRIPTION type {internal | external | general} Sets which type of network you will connect this interface. The UAG automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces;...
  • Page 100: Virtual Interface Specific Commands

    Chapter 13 Interfaces 13.3.2.1 Port Grouping Command Examples The following commands add physical port 5 to interface lan1. Router# configure terminal Router(config)# show port-grouping No. Representative Name Port1 Port2 Port3 Port4 Port5 ========================================================= wan1 wan2 lan1 lan2 Router(config)# port-grouping lan1 Router(config-port-grouping)# port 5 Router(config-port-grouping)# exit Router(config)# show port-grouping...
  • Page 101: Pppoe/Pptp Specific Commands

    Chapter 13 Interfaces gateway 4.6.7.8, upstream bandwidth 345, downstream bandwidth 123, and description “I am vir interface”. Router# configure terminal Router(config)# interface lan1:1 Router(config-if-vir)# ip address 1.2.3.4 255.255.255.0 Router(config-if-vir)# ip gateway 4.6.7.8 Router(config-if-vir)# upstream 345 Router(config-if-vir)# downstream 123 Router(config-if-vir)# description I am vir interface Router(config-if-vir)# exit 13.5 PPPoE/PPTP Specific Commands This section covers commands that are specific to PPPoE/PPTP interfaces.
  • Page 102: Pppoe/Pptp Interface Command Examples

    Chapter 13 Interfaces Table 48 interface Commands: PPPoE/PPTP Interfaces (continued) COMMAND DESCRIPTION [no] mss <536..1452> Specifies the maximum segment size (MSS) the interface can use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece.
  • Page 103: Usb Storage General Commands Example

    Chapter 13 Interfaces Table 49 USB Storage General Commands (continued) COMMAND DESCRIPTION usb-storage mount Mounts the connected USB storage device. usb-storage umount Unmounts the connected USB storage device. [no] logging usb-storage Sets to have the UAG log or not log any information about the connected USB storage device(s) for the system log.
  • Page 104: Vlan Interface Command Examples

    Chapter 13 Interfaces The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 50 Input Values for VLAN Interface Commands LABEL DESCRIPTION interface_name VLAN interface: vlanx, x = 0 - 4094 See Table 37 on page 86 for detailed information about the interface name.
  • Page 105: Bridge Interface Command Examples

    Chapter 13 Interfaces The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 52 Input Values for Bridge Interface Commands LABEL DESCRIPTION interface_name The name of the interface. VLAN interface: vlanx, x = 0 - 4094 bridge interface: brx, x = 0 - N, where N depends on the number of bridge interfaces your UAG model supports.
  • Page 106: Trunks

    Chapter 14 Trunks This chapter shows you how to configure trunks on your UAG. 14.1 Trunks Overview You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface’s connection goes down, the UAG sends traffic through another member of the trunk.
  • Page 107: Trunk Commands Input Values

    Chapter 14 Trunks 14.3 Trunk Commands Input Values The following table explains the values you can input with the interface-group commands. Table 54 interface-group Command Input Values LABEL DESCRIPTION group-name A descriptive name for the trunk. The name cannot start with a number. This value is case-sensitive. The name of an interface, it could be an Ethernet, PPP, VLAN or bridge interface.
  • Page 108: Trunk Command Examples

    Chapter 14 Trunks Table 55 interface-group Commands Summary (continued) COMMAND DESCRIPTION show system default-snat Displays whether the UAG enables SNAT or not. The UAG performs SNAT by default for traffic going to or from the WAN interfaces. show system default-interface-group Displays the WAN trunk the UAG first attempts to use. 14.5 Trunk Command Examples The following example creates a weighted round robin trunk for Ethernet interfaces wan1 and...
  • Page 109: Link Sticking

    Chapter 14 Trunks 14.6 Link Sticking You can have the UAG send each local computer’s traffic through a single WAN interface for a specified period of time. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file.
  • Page 110: Link Sticking Command Example

    Chapter 14 Trunks mode before you can use these commands. See Table 54 on page 107 for details about the values you can input with these commands. Table 56 ip load-balancing link-sticking Commands Summary COMMAND DESCRIPTION [no] ip load-balancing link-sticking activate Turns link sticking on or off. Sets for how many seconds (30-3600) the UAG sends all of each [no] ip load-balancing link-sticking timeout...
  • Page 111: Ip Drop-In

    Chapter 15 IP Drop-In This chapter explains some commands you can use to set the UAG interfaces to work in drop-in mode. 15.1 Drop-In Mode Overview When the UAG is in drop-in mode, you can deploy it in your existing network without changing the network architecture and use its multiple WAN feature to connect to more than one ISP.
  • Page 112: Drop-In Limitations

    Chapter 15 IP Drop-In 15.1.1 Drop-In Limitations • The interfaces in drop-in mode cannot join the port group of the interfaces that are not in drop-in mode. But other interfaces can join a drop-in interface’s port group. • The interfaces in drop-in mode cannot be part of a bridge interface. •...
  • Page 113 Chapter 15 IP Drop-In The following example shows you how to set the drop-in WAN interface and LAN interface, set a WAN host, turn on the drop-in mode and show the settings. Router> configure terminal Router(config)# ip drop-in Router(drop-in)# wan-host 10.1.2.3 Router(drop-in)# wan-interface wan1 lan-interface lan1 Router(drop-in)# activate Router(drop-in)# exit...
  • Page 114: Route

    Chapter 16 Route This chapter shows you how to configure policies for IP routing and static routes on your UAG. 16.1 Policy Route Traditionally, routing is based on the destination address only and the UAG takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
  • Page 115 Chapter 16 Route The following table describes the commands available for policy route. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 60 Command Summary: Policy Route COMMAND DESCRIPTION [no] bwm activate Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes policies apply bandwidth management.
  • Page 116 Chapter 16 Route Table 60 Command Summary: Policy Route (continued) COMMAND DESCRIPTION [no] dscp class {default | dscp_class} Sets a DSCP class. Use default to apply this policy route to incoming packets that are marked with DSCP value 0. Use one of the pre-defined AF classes (including af11~af13, af21~af23, af31~af33, and af41~af43) to apply this policy route to incoming packets that are marked with the DSCP AF class.
  • Page 117: Assured Forwarding (Af) Phb For Diffserv

    Chapter 16 Route Table 60 Command Summary: Policy Route (continued) COMMAND DESCRIPTION [no] user user_name Sets the user name. The no command resets the user name to the default (any). any means all users. [no] policy controll-ipsec-dynamic-rules Enables the UAG to use policy routes to manually specify the destination addresses of dynamic IPSec rules.
  • Page 118: Policy Route Command Example

    Chapter 16 Route numbered class) is generally given priority. Combining the classes and drop precedence produces the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets. Table 61 Assured Forwarding (AF) Behavior Group CLASS 1 CLASS 2 CLASS 3 CLASS 4...
  • Page 119: Ip Static Route

    Chapter 16 Route 16.3 IP Static Route The UAG has no knowledge of the networks beyond the network that is directly connected to the UAG. For instance, the UAG knows about network N2 in the following figure through gateway R1. However, the UAG is unable to route a packet to network N3 because it doesn't know that there is a route through the same gateway R1 (via gateway R2).
  • Page 120: Static Route Commands Examples

    Chapter 16 Route 16.4.1 Static Route Commands Examples The following command sets a static route with IP address 10.10.10.0 and subnet mask 255.255.255.0 and with the next-hop interface wan1. Then use the show command to display the setting. Router(config)# ip route 10.10.10.0 255.255.255.0 wan1 Router(config)# Router(config)# show ip route-settings Route...
  • Page 121: Routing Protocol

    Chapter 17 Routing Protocol This chapter describes how to set up RIP and OSPF routing protocols for the UAG. 17.1 Routing Protocol Overview Routing protocols give the UAG routing information about the network from other routers. The UAG then stores this routing information in the routing table, which it uses when it makes routing decisions.
  • Page 122: Rip Commands

    Chapter 17 Routing Protocol 17.2.1 RIP Commands This table lists the commands for RIP. Table 65 router Commands: RIP COMMAND DESCRIPTION router rip Enters sub-command mode. [no] network interface_name Enables RIP on the specified Ethernet interface. The no command disables RIP on the specified interface. [no] redistribute {static | ospf} Enables redistribution of routing information learned from the specified source.
  • Page 123: Ospf Area Commands

    Chapter 17 Routing Protocol 17.2.3 OSPF Area Commands This table lists the commands for OSPF areas. Table 67 router Commands: OSPF Areas COMMAND DESCRIPTION router ospf Enters sub-command mode. [no] network interface area IP Adds the specified interface to the specified area. The no command removes the specified interface from the specified area.
  • Page 124: Learned Routing Information Commands

    Chapter 17 Routing Protocol 17.2.5 Learned Routing Information Commands This table lists the commands to look at learned routing information. Table 69 ip route Commands: Learned Routing Information COMMAND DESCRIPTION Displays learned routing and other routing information. show ip route [kernel | connected | static | ospf | rip |...
  • Page 125: Zones

    Chapter 18 Zones Set up zones to configure network security and network policies in the UAG. 18.1 Zones Overview A zone is a group of interfaces and VPN tunnels. The UAG uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management. Zones cannot overlap.
  • Page 126: Zone Commands Summary

    Chapter 18 Zones 18.2 Zone Commands Summary The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands. Table 70 Input Values for Zone Commands LABEL DESCRIPTION profile_name The name of a zone, or the name of a VPN tunnel. Use up to 31 characters (a-zA-Z0-9_-).
  • Page 127: Zone Command Examples

    Chapter 18 Zones 18.2.1 Zone Command Examples The following commands add interfaces vlan123 and vlan234 to zone A and block intra-zone traffic. Router# configure terminal Router(config)# zone A Router(zone)# interface vlan123 Router(zone)# interface vlan234 Router(zone)# block Router(zone)# exit Router(config)# show zone No.
  • Page 128: Ddns

    Chapter 19 DDNS This chapter describes how to configure dynamic DNS (DDNS) services for the UAG. 19.1 DDNS Overview DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address.
  • Page 129: Ddns Commands Summary

    Chapter 19 DDNS 19.2 DDNS Commands Summary The following table describes the values required for many DDNS commands. Other values are discussed with the corresponding commands. Table 73 Input Values for DDNS Commands LABEL DESCRIPTION profile_name The name of the DDNS profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 130: Ddns Commands Example

    Chapter 19 DDNS Table 74 ip ddns Commands (continued) COMMAND DESCRIPTION [no] backup-iface interface_name Sets the backup WAN interface in the specified DDNS profile. The no command clears it. [no] ha-iface interface_name Sets the HA interface in the specified DDNS profile. The no command clears it.
  • Page 131: Virtual Servers

    Chapter 20 Virtual Servers This chapter describes how to set up, manage, and remove virtual servers. Virtual server commands configure NAT. 20.1 Virtual Server Overview Virtual server is also known as port forwarding or port translation. Virtual servers are computers on a private network behind the UAG that you want to make available outside the private network.
  • Page 132 Chapter 20 Virtual Servers The following table lists the virtual server commands. Table 76 ip virtual-server Commands COMMAND DESCRIPTION show ip virtual-server [profile_name] Displays information about the specified virtual server or about all the virtual servers. no ip virtual-server profile_name Deletes the specified virtual server. Creates or modifies the specified virtual server and maps the specified ip virtual-server profile_name...
  • Page 133: Virtual Server Command Examples

    Chapter 20 Virtual Servers Table 76 ip virtual-server Commands (continued) COMMAND DESCRIPTION Creates or modifies the specified virtual server and maps the specified ip virtual-server profile_name (destination IP address, protocol, and service object) to the specified interface interface_name original-ip (destination IP address and service object).
  • Page 134: Tutorial - How To Allow Public Access To A Server

    Chapter 20 Virtual Servers The following command shows information about all the virtual servers in the UAG. Router(config)# show ip virtual-server virtual server: WAN-LAN_H323 active: yes interface: wan1 NAT-loopback active: yes NAT 1-1: no original IP: 10.0.0.8 mapped IP: 192.168.1.56 mapping type: port protocol type: tcp original service:...
  • Page 135 Chapter 20 Virtual Servers • HTTP traffic and the HTTP server in this example both use TCP port 80. So you set the port mapping type to “port”, the protocol type to “TCP”, and the original and mapped ports to “80”. Router(config)# ip virtual-server To-VirtualServer-WWW interface wan1 original-ip wan1_HTTP map-to DMZ_HTTP map-type port protocol tcp original-port 80 mapped-port 80 Router(config)#...
  • Page 136: Vpn 1-1 Mapping

    Chapter 21 VPN 1-1 Mapping This chapter shows you how to configure VPN 1-1 mapping on your UAG. 21.1 VPN 1-1 Mapping Overview VPN 1-1 mapping allows an authenticated user in your network to access the Internet or an external server using a public IP address different from the one used by the UAG’s WAN interface. With VPN 1-1 mapping, each user that logs into the UAG and matches a pre-configured mapping rule can obtain an individual public IP address.
  • Page 137 Chapter 21 VPN 1-1 Mapping The following table describes the commands available for VPN 1-1 mapping. You must use the configure terminal command to enter the configuration mode before you can use the configuration commands. Table 78 Command Summary: vpn-1-1-map COMMAND DESCRIPTION Enables VPN 1-1 mapping on the UAG.
  • Page 138: Vpn-1-1-Map Pool Sub-Commands

    Chapter 21 VPN 1-1 Mapping 21.2.1 vpn-1-1-map pool Sub-commands The following table describes the sub-commands for the vpn-1-1-map pool command. Table 79 vpn-1-1-map pool Sub-commands COMMAND DESCRIPTION address address_object Configures the name of the IP address object the profile is set to use. An address object presents the IP address(es), which can be assigned to the matched users by the UAG.
  • Page 139: Vpn-1-1-Map Rule Command Examples

    Chapter 21 VPN 1-1 Mapping Table 80 vpn-1-1-map rule Sub-commands (continued) COMMAND DESCRIPTION [no] pool profile_name Sets the name of the pool profile used by this rule. You can associate up to four pool profiles to a VPN 1-1 mapping rule. The no command removes the specified pool file.
  • Page 140: Http Redirect

    Chapter 22 HTTP Redirect This chapter shows you how to configure HTTP redirection on your UAG. 22.1 HTTP Redirect Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the UAG) to a web proxy server. 22.1.1 Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
  • Page 141: Http Redirect Command Examples

    Chapter 22 HTTP Redirect Table 82 Command Summary: HTTP Redirect (continued) COMMAND DESCRIPTION ip http-redirect deactivate description Disables a rule with the specified rule name. no ip http-redirect description Removes a rule with the specified rule name. ip http-redirect flush Clears all HTTP redirect rules. Displays HTTP redirect settings.
  • Page 142: Smtp Redirect

    Chapter 23 SMTP Redirect This chapter shows you how to configure SMTP redirection on your UAG. 23.1 SMTP Redirect Overview SMTP redirect forwards the authenticated client’s SMTP message to an SMTP server that handles all outgoing e-mail messages. The UAG forwards SMTP traffic using TCP port 25. 23.1.1 SMTP Simple Mail Transfer Protocol (SMTP) is the Internet’s message transport standard.
  • Page 143: Smtp-Redirect Sub-Commands

    Chapter 23 SMTP Redirect The following table describes the commands available for SMTP redirection. You must use the configure terminal command to enter the configuration mode before you can use the configuration commands. Table 84 Command Summary: SMTP Redirect COMMAND DESCRIPTION Enters the smtp-redirect sub-command mode to set a SMTP redirect [no] smtp-redirect <1..16>...
  • Page 144: Smtp Redirect Command Examples

    Chapter 23 SMTP Redirect 23.2.2 SMTP Redirect Command Examples The following commands create a SMTP redirect rule, enable it and display the settings. Router# configure terminal Router(config)# smtp-redirect 1 Router(smtp-redirect)# activate Router(smtp-redirect)# interface lan2 Router(smtp-redirect)# server smtp.zyxel.com.tw Router(smtp-redirect)# source lan1_1 Router(smtp-redirect)# user admin Router(smtp-redirect)# exit Router(config)# show smtp-redirect...
  • Page 145: Alg

    Chapter 24 ALG This chapter covers how to use the UAG’s ALG feature to allow certain applications to pass through the UAG. 24.1 ALG Introduction The UAG can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the UAG’s NAT. Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’...
  • Page 146: Alg Commands

    Chapter 24 ALG 24.2 ALG Commands The following table lists the alg commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 86 alg Commands COMMAND DESCRIPTION [no] alg sip [inactivity-timeout | signal-port Turns on or configures the ALG. Use inactivity-timeout to have the UAG apply SIP media and signaling...
  • Page 147: Alg Commands Example

    Chapter 24 ALG 24.3 ALG Commands Example The following example turns on pass through for SIP and turns it off for H.323. Router# configure terminal Router(config)# alg sip Router(config)# no alg h323 UAG CLI Reference Guide...
  • Page 148: Upnp

    Chapter 25 UPnP 25.1 UPnP and NAT-PMP Overview The UAG supports both UPnP and NAT-PMP to permit networking devices to discover each other and connect seamlessly. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 149: Upnp & Nat-Pmp Commands Example

    Chapter 25 UPnP Table 87 ip upnp Commands (continued) COMMAND DESCRIPTION [no] nat-pmp activate Enables NAT-PMP on the UAG. The no command disables NAT-PMP on the UAG. [no] upnp-igd activate Enables UPnP on the UAG. The no command disables UPnP on the UAG. Removes all or a specific port mapping rule.
  • Page 150 Chapter 25 UPnP The following example displays the UAG’s port mapping entries and removes the entry with the specified port number and protocol type. Router# configure terminal Router(config) # show ip upnp port-mapping No: 0 Remote Host: (null) Client Type: upnp External Port: 1122 Protocol: tcp Internal Port: 1122...
  • Page 151: Ip/Mac Binding

    Chapter 26 IP/MAC Binding 26.1 IP/MAC Binding Overview IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The UAG uses DHCP to assign IP addresses and records the MAC address it assigned each IP address.
  • Page 152: Ip/Mac Binding Commands Example

    Chapter 26 IP/MAC Binding 26.3 IP/MAC Binding Commands Example The following example enables IP/MAC binding on the lan1 interface and displays the interface’s IP/MAC binding status. Router# configure terminal Router(config)# ip ip-mac-binding lan1 activate Router(config)# show ip ip-mac-binding lan1 Name: lan1 Status: Enable Log: No...
  • Page 153: Layer 2 Isolation

    Chapter 27 Layer 2 Isolation 27.1 Layer 2 Isolation Overview Layer-2 isolation is used to prevent connected devices from communicating with each other in the UAG’s local network(s), on which layer-2 isolation is enabled, except the devices in the white list. Note: Layer-2 isolation does not check the wireless traffic.
  • Page 154: Layer 2 Isolation Commands

    Chapter 27 Layer 2 Isolation 27.2 Layer 2 Isolation Commands The following table lists the l2-isolation commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 89 l2-isolation Commands COMMAND DESCRIPTION Enters the layer 2 isolation sub-command mode to enable Layer-2 isolation l2-isolation...
  • Page 155: Layer 2 Isolation Commands Example

    Chapter 27 Layer 2 Isolation Table 90 l2-isolation white-list Sub-commands (continued) COMMAND DESCRIPTION [no] description description Sets a descriptive name (up to 60 printable ASCII characters) for a rule. The no command removes the descriptive name from the rule. [no] ip-address ip Sets an IPv4 address associated with this rule. The no command removes the IP address.
  • Page 156: Ipnp

    Chapter 28 IPnP 28.1 IPnP Overview IP Plug and Play (IPnP) allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, even when the IP addresses of the computer and the UAG are not in the same subnet. When you disable the IPnP feature, only computers with dynamic IP addresses or static IP addresses in the same subnet as the UAG’s LAN IP address can connect to the UAG or access the Internet through the UAG.
  • Page 157: Ipnp Commands Example

    Chapter 28 IPnP 28.3 IPnP Commands Example The following example enables IPnP on the UAG and interface lan1. It also displays the IPnP settings. Router# configure terminal Router(config)# ip ipnp activate Router(config)# ip ipnp config Router(ipnp)# interface lan1 Router(ipnp)# exit Router(config)# show ip ipnp activation IPnP Status: yes Router(config)# show ip ipnp interface...
  • Page 158: Web Authentication

    Chapter 29 Web Authentication 29.1 Web Authentication Overview Web authentication can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions.
  • Page 159 Chapter 29 Web Authentication Table 92 web-auth Commands (continued) COMMAND DESCRIPTION Creates a new condition for forcing user authentication at the end of the web-auth policy append current list and enters sub-command mode. See Table 94 on page 161 for the sub-commands. Creates a new condition for forcing user authentication at the specified web-auth policy insert <1..1024>...
  • Page 160: Web-Auth Login Setting Sub-Commands

    Chapter 29 Web Authentication 29.2.1 web-auth login setting Sub-commands The following table describes the sub-commands for the web-auth login setting command. Table 93 web-auth login setting Sub-commands COMMAND DESCRIPTION Leaves the sub-command mode. exit Sets the login page appears whenever the web portal intercepts network traffic, type {external | internal} preventing unauthorized users from gaining access to the network.
  • Page 161: Web-Auth Policy Sub-Commands

    Chapter 29 Web Authentication Table 93 web-auth login setting Sub-commands (continued) COMMAND DESCRIPTION Forces users to agree to the terms before they can use the service. An agreement [no] terms-of-service checkbox will display in the login page. The no command allows users to use the service without agreeing to the terms. Sets the welcome page’s URL;...
  • Page 162: Web-Auth Type Default-User-Agreement Sub-Commands

    Chapter 29 Web Authentication Table 94 web-auth policy Sub-commands (continued) COMMAND DESCRIPTION Sets the time criteria for the specified condition. The no command removes [no] schedule schedule_name the time criteria, making the condition effective all the time. Sets the source criteria for the specified condition. The no command [no] source {address_object | removes the source criteria, making the condition effective for all sources.
  • Page 163: Web-Auth Type Profile Sub-Commands

    Chapter 29 Web Authentication 29.2.5 web-auth type profile Sub-commands The following table describes the sub-commands for several web-auth type profile commands. Note that not all rule commands use all the sub-commands listed here. Table 97 web-auth type profile Sub-commands COMMAND DESCRIPTION Specifies the custom web portal file you want to use in this profile.
  • Page 164: Web-Auth User-Agreement Sub-Commands

    Chapter 29 Web Authentication Table 97 web-auth type profile Sub-commands (continued) COMMAND DESCRIPTION Sets the session page’s URL; for example, http://IIS server IP Address/ [no] web-portal session-url url session.html. You can use up to 255 characters (0-9a-zA-Z;/?:@&=+$\.- _!~*'()%) in quotes. The no command removes the URL.
  • Page 165: Web Authentication Policy Insert Command Example

    Chapter 29 Web Authentication 29.2.7 Web Authentication Policy Insert Command Example The following commands show how to insert a web authentication policy at position 1 of the checking order. This policy applies endpoint security policies and uses the following settings: •...
  • Page 166: Walled Garden

    Chapter 30 Walled Garden 30.1 Walled Garden Overview A user must log in before the UAG allows the user’s access to the Internet. However, with a walled garden, you can define one or more web site addresses that all users can access without logging in. These can be used for advertisements for example.
  • Page 167: Walled-Garden Rule Sub-Commands

    Chapter 30 Walled Garden 30.2.1 walled-garden rule Sub-commands The following table describes the sub-commands for several walled-garden rule commands. Note that not all rule commands use all the sub-commands listed here. Table 100 walled-garden rule Sub-commands COMMAND DESCRIPTION Enables this entry. The no command disables the entry.
  • Page 168: Advertisement

    Chapter 31 Advertisement 31.1 Advertisement Overview You can set the UAG to display an advertisement web page as the first web page whenever the user connects to the Internet. 31.2 Advertisement Commands This table lists the advertisement commands. You must use the command configure terminal to enter the configuration mode before you can use these commands.
  • Page 169: Rtls

    Chapter 32 RTLS 32.1 RTLS Overview Ekahau RTLS (Real Time Location Service) tracks battery-powered Wi-Fi tags attached to APs managed by the UAG to create maps, alerts, and reports. The Ekahau RTLS Controller is the centerpiece of the RTLS system. This server software runs on a Windows computer to track and locate Ekahau tags from Wi-Fi signal strength measurements.
  • Page 170: Rtls Configuration Commands

    Chapter 32 RTLS 32.1.1 RTLS Configuration Commands Use these commands to configure RTLS on the UAG. Table 103 RTLS Commands COMMAND DESCRIPTION Enables RTLS to use Wi-Fi to track the location of Ekahau Wi-Fi tags. The no [no] rtls ekahau activate command disables tracking.
  • Page 171: Firewall

    Chapter 33 Firewall This chapter introduces the UAG’s firewall and shows you how to configure your UAG’s firewall. 33.1 Firewall Overview The UAG’s firewall is a stateful inspection firewall. The UAG restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 172: Firewall Commands

    Chapter 33 Firewall 33.2 Firewall Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 104 Input Values for General Firewall Commands LABEL DESCRIPTION The name of the IP address (or address group) object. You may use 1-31 address_object alphanumeric characters, underscores (_), or dashes (-), but the first character...
  • Page 173 Chapter 33 Firewall Table 105 Command Summary: Firewall (continued) COMMAND DESCRIPTION Enters the firewall sub-command mode to add a {firewall|secure-policy} profile_name direction specific through-Device rule or to-Device {zone_object|Device} append rule to the end of the global rule list. See Table 106 on page 174 for the sub-commands.
  • Page 174: Firewall Sub-Commands

    Chapter 33 Firewall 33.2.1 Firewall Sub-Commands The following table describes the sub-commands for several firewall commands. Table 106 firewall Sub-commands COMMAND DESCRIPTION Sets the action the UAG takes when packets match this action {allow|deny|reject} rule. Enables a firewall rule. The no command disables the [no] activate firewall rule.
  • Page 175: Firewall Command Examples

    Chapter 33 Firewall Table 106 firewall Sub-commands (continued) COMMAND DESCRIPTION Sets the zone to which the packets are sent. The [no] to {zone_object|Device} command removes the zone to which the packets are sent and resets it to the default (any). any means all interfaces or VPN tunnels.
  • Page 176: Session Limit Commands

    Chapter 33 Firewall 33.3 Session Limit Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 107 Input Values for General Session Limit Commands LABEL DESCRIPTION The priority number of a session limit rule, 1 - 1000. rule_number The name of the IP address (group) object.
  • Page 177: Billing

    Chapter 34 Billing 34.1 Billing Overview You can use the built-in billing function to set up billing profiles. A billing profile describes how to charge users. This chapter also shows you how to select an accounting method or configure a discount price plan. 34.2 Billing Commands This table lists the billing commands.
  • Page 178: Billing Profile Sub-Commands

    Chapter 34 Billing Table 109 billing Commands (continued) COMMAND DESCRIPTION Creates a new discount level by setting the duration of the billing period [no] billing discount unit <2..10> that should be reached before the UAG charges users at this level and price price defining this level’s charge per time unit.
  • Page 179: Billing Command Example

    Chapter 34 Billing Table 110 billing profile Sub-commands (continued) COMMAND DESCRIPTION Turns on bandwidth management for the user account. [no] bandwidth activate The no command disables bandwidth management for the user account. Defines each profile’s price, up to 999999.99, per time unit. price price Sets how much downstream and/or upstream data in Megabytes can be quota {total | upload | download}...
  • Page 180 Chapter 34 Billing This example creates a billing profile named billing_1hour and displays the profile settings. Router# configure terminal Router(config)# billing profile billing_1hour Router(billing profile button-a)# activate Router(billing profile button-a)# price 2 Router(billing profile button-a)# time-period hour 1 Router(billing profile button-a)# exit Router(config)# show billing profile Billing Profile: billing_30mins activate: yes...
  • Page 181: Payment Service

    Chapter 35 Payment Service 35.1 Payment Service Overview The online payment service allows users to purchase access time online with a credit card. You must register with the supported credit card service before you can configure the UAG to handle credit card transactions. 35.2 Payment-service Commands The following table identifies the values required for many of these commands.
  • Page 182 Chapter 35 Payment Service Table 112 payment-service Commands (continued) COMMAND DESCRIPTION Sets the UAG to use a custom online payment service page. [no] payment-service page-customization You can customize the online payment service pages that display after an unauthorized user clicks the link in the Web Configurator login screen to purchase access time. The no command sets the UAG to use the default online payment service page built into the device.
  • Page 183: Payment-Service Provider Paypal Sub-Commands

    Chapter 35 Payment Service 35.2.1 Payment-Service Provider Paypal Sub-commands The following table describes the sub-commands for the payment-service provider paypal command. Table 113 payment-service provider paypal Sub-commands COMMAND DESCRIPTION Sets your PayPal account name. You should already have a PayPal account [no] account e-mail to receive credit card payments.
  • Page 184: Chapter 36 Printer Manager

    Chapter 36 Printer Manager 36.1 Printer Manager Overview You can create dynamic guest accounts and print guest account information by pressing the button on an external statement printer, such as SP350E. Make sure that the printer is connected to the appropriate power and the UAG, and that there is printing paper in the printer. Refer to the printer’s documentation for details.
  • Page 185: Printer-Manager Printer Sub-Commands

    Chapter 36 Printer Manager Table 114 printer-manager Commands (continued) COMMAND DESCRIPTION Displays the name of billing profile that is applied to each button. show printer-manager button Displays information of the printer that is connected to and detected by the show printer-manager discover-printer- UAG.
  • Page 186: Chapter 37 Free Time

    Chapter 37 Free Time 37.1 Free Time Overview With Free Time, the UAG can create dynamic guest accounts that allow users to browse the Internet free of charge for a specified period of time. 37.2 Free-Time Commands The following table lists the free-time commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
  • Page 187: Free-Time Commands Example

    Chapter 37 Free Time 37.3 Free-Time Commands Example The following example enables the free time feature and sets the UAG to provide user account information in the web screen and also send account information via SMS text messages. It then displays the free time settings.
  • Page 188: Chapter 38 Sms

    Chapter 38 SMS 38.1 SMS Overview The UAG supports Short Message Service (SMS) to send short text messages to mobile devices. At the time of writing, the UAG uses ViaNett as the SMS gateway to help forward SMS messages. You must already have a ViaNett account in order to use the SMS service. 38.2 SMS Commands The following table lists the sms-service commands.
  • Page 189: Sms Commands Example

    Chapter 38 SMS 38.3 SMS Commands Example The following example enables the SMS service on the UAG and configures the ViaNett account information. It then displays the SMS settings. Router# configure terminal Router(config)# sms-service activate Router(config)# sms-service provider vianett Router(sms-service-vianett)# username test@example.com Router(sms-service-vianett)# password 12345 Router(sms-service-vianett)# exit...
  • Page 190: Chapter 39 Bandwidth Management

    Chapter 39 Bandwidth Management 39.1 Bandwidth Management Overview Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video. 39.1.1 BWM Type The UAG supports two types of bandwidth management: shared and per-user.
  • Page 191: Bandwidth Sub-Commands

    Chapter 39 Bandwidth Management Table 118 bwm Commands (continued) COMMAND DESCRIPTION Moves a policy to the number that you specified. bwm move <1..127> to <1..127> Displays whether bandwidth management is enabled. show bwm activation Displays all bandwidth management policies. show bwm all Displays the default bandwidth management policy.
  • Page 192 Chapter 39 Bandwidth Management Table 119 bwm Sub-commands (continued) COMMAND DESCRIPTION Sets the source interface of the traffic to which this policy [no] incoming-interface {interface applies. interface_name | trunk group_name} interface_name: The name of the interface. This depends on the UAG model. See Table 37 on page 86 for detailed information about the interface name.
  • Page 193 Chapter 39 Bandwidth Management Table 119 bwm Sub-commands (continued) COMMAND DESCRIPTION Specifies a service or service group to identify the type of [no] service service-object {service_name | traffic to which this policy applies. any} any: the policy is effective for every service. The no command resets the service to the default (any).
  • Page 194: Bandwidth Management Commands Example

    Chapter 39 Bandwidth Management 39.3 Bandwidth Management Commands Example The following example adds a new bandwidth management policy for trial-users to limit incoming and outgoing bandwidth and sets the traffic priority to 3. It then displays the policy settings. Router# configure terminal Router(config)# bwm append Router(config-bwm append 6)# activate Router(config-bwm append 6)# description example...
  • Page 195: Chapter 40 Ipsec Vpn

    Chapter 40 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the UAG. 40.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing.
  • Page 196: Ipsec Vpn Commands Summary

    Chapter 40 IPSec VPN and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure. Figure 21 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
  • Page 197: Ike Sa Commands

    Chapter 40 IPSec VPN Table 120 Input Values for IPSec VPN Commands (continued) LABEL DESCRIPTION A domain name. You can use up to 511 alphanumeric characters, spaces, or .@=,_- distinguished_name characters. Sort the list of currently connected SAs by one of the following classifications. sort_order algorithm encapsulation...
  • Page 198 Chapter 40 IPSec VPN Table 121 isakmp Commands: IKE SAs (continued) COMMAND DESCRIPTION Sets the encryption and authentication algorithms for each IKE SA transform-set isakmp-algo [isakmp_algo proposal. [isakmp_algo]] isakmp_algo: {des-md5 | des-sha | 3des-md5 | 3des-sha | aes128-md5 | aes128-sha | aes192-md5 | aes192-sha | aes256- md5 | aes256-sha | aes256-sha256 | aes256-sha512} Sets the IKE SA life time to the specified value.
  • Page 199: Ipsec Sa Commands (Except Manual Keys)

    Chapter 40 IPSec VPN 40.2.2 IPSec SA Commands (except Manual Keys) This table lists the commands for IPSec SAs, excluding manual keys (VPN connections using VPN gateways). Table 122 crypto Commands: IPSec SAs COMMAND DESCRIPTION Fragment packets larger than the MTU (Maximum Transmission [no] crypto ignore-df-bit Unit) that have the “don’t”...
  • Page 200 Chapter 40 IPSec VPN Table 122 crypto Commands: IPSec SAs (continued) COMMAND DESCRIPTION Sets the IPSec SA life time. set security-association lifetime seconds <180..3000000> Enables Perfect Forward Secrecy group. set pfs {group1 | group2 | group5 | none} Sets the address object for the local policy (local network). local-policy address_name Sets the address object for the remote policy (remote network).
  • Page 201 Chapter 40 IPSec VPN Table 122 crypto Commands: IPSec SAs (continued) COMMAND DESCRIPTION Turns on the VPN connection check. The UAG can regularly check conn-check {IPv4 | FQDN | first-and-last} the VPN connection to the gateway you specified to make sure it is method {icmp | tcp} period <5..600>...
  • Page 202: Ipsec Sa Commands (For Manual Keys)

    Chapter 40 IPSec VPN 40.2.3 IPSec SA Commands (for Manual Keys) This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys). Table 123 crypto map Commands: IPSec SAs (Manual Keys) COMMAND DESCRIPTION Creates the specified IPSec SA if necessary and enters sub-command crypto map map_name mode.
  • Page 203: Vpn Configuration Provisioning Commands

    Chapter 40 IPSec VPN Table 124 vpn-concentrator Commands: VPN Concentrator (continued) COMMAND DESCRIPTION Adds the specified IPSec SA to the specified VPN concentrator. The [no] crypto map_name command removes the specified IPSec SA from the specified VPN concentrator. Renames the specified VPN concentrator (first profile_name) to the vpn-concentrator rename profile_name specified name (second profile_name).
  • Page 204: Sa Monitor Commands

    Chapter 40 IPSec VPN 40.2.6 SA Monitor Commands This table lists the commands for the SA monitor. Table 126 sa Commands: SA Monitor COMMAND DESCRIPTION Displays the current IPSec SAs and the status of each one. You can specify a range of show sa monitor [{begin SA entries to display.
  • Page 205: Chapter 41 Ssl Vpn

    Chapter 41 SSL VPN This chapter shows you how to set up secure SSL VPN access for remote user login. 41.1 SSL Access Policy An SSL access policy allows the UAG to perform the following tasks: • limit user access to specific applications or files on the network. •...
  • Page 206: Ssl Vpn Commands

    Chapter 41 SSL VPN Table 127 Input Values for SSL VPN Commands (continued) LABEL DESCRIPTION The name of a user (group). You may use 1-31 alphanumeric characters, user_name underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 207: Setting An Ssl Vpn Rule Tutorial

    Chapter 41 SSL VPN Table 128 SSL VPN Commands COMMAND DESCRIPTION Sets the number of minutes to have the UAG repeat the endpoint security [no] eps periodical-check check at a regular interval. The no command disables this setting. <1..1440> Use this to configure for a VPN tunnel between the authenticated users and [no] network-extension {activate | the internal network.
  • Page 208 Chapter 41 SSL VPN First of all, configure 10.1.1.254/24 for the IP address of interface wan1 which is an external interface for public SSL VPN to access. Configure 172.16.10.254/24 for the IP address of interface lan2 which is an internal network. Router(config)# interface wan1 Router(config-if-ge)# ip address 10.1.1.254 255.255.255.0 Router(config-if-ge)# exit...
  • Page 209 Chapter 41 SSL VPN Displays the SSL VPN rule settings. Router(config)# show sslvpn policy SSL_VPN_TEST index: 1 active: yes name: SSL_VPN_TEST description: user: tester ssl application: none network extension: yes ip pool: IP-POOL dns server 1: DNS1 dns server 2: DNS2 wins server 1: none wins server 2: none network: NETWORK1...
  • Page 210: Chapter 42 Application Patrol

    Chapter 42 Application Patrol This chapter describes how to set up application patrol for the UAG. 42.1 Application Patrol Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, http and ftp) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications.
  • Page 211: Application Patrol Commands

    Chapter 42 Application Patrol 42.2.1 Application Patrol Commands This table lists the application patrol commands. Table 130 app Commands: Application Patrol COMMAND DESCRIPTION app rename profile_name_old profile_name_new Renames an existing profile Generates a log when traffic matches a signature in this category. [no] app log_sid The no command disables it.
  • Page 212 Chapter 42 Application Patrol These are some other example application patrol usage commands Router(config)# show app statistics collect collect statistics: yes collect statistics time: since 2014-06-03 05:39:59 to 2014-06-10 06:20:17 Router(config)# show app signatures version version: 3.1.4.049 Router(config)# show app signatures date date: 2013-12-05 18:09:51 Router(config)# app john Router(config-app-patrol-profile-john)# description this is a dummy profile...
  • Page 213: Chapter 43 Content Filtering

    Chapter 43 Content Filtering This chapter covers how to use the content filtering feature to control web access. 43.1 Content Filtering Overview Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites. It can also block access to specific categories of web site content. You can create different content filtering policies for different addresses, schedules, users or groups and content filtering profiles.
  • Page 214: Content Filter Command Input Values

    Chapter 43 Content Filtering 43.4 Content Filter Command Input Values The following table explains the values you can input with the content-filter commands. Table 131 Content Filter Command Input Values LABEL DESCRIPTION The number of the policy <0 - X > where X depends on the number of content filtering policy_number policies the UAG model supports.
  • Page 215: General Content Filter Commands

    Chapter 43 Content Filtering Table 131 Content Filter Command Input Values (continued) LABEL DESCRIPTION The IP address or domain name of a forbidden web site. forbid_hosts Use a host name such as www.bad-site.com into this text field. Do not use the complete URL of the site –...
  • Page 216 Chapter 43 Content Filtering mode to be able to use these commands. See Table 131 on page 214 for details about the values you can input with these commands. Table 132 content-filter General Commands COMMAND DESCRIPTION Turns on content filtering. The no command turns it off.
  • Page 217: Content Filter Report Commands

    Chapter 43 Content Filtering Table 132 content-filter General Commands (continued) COMMAND DESCRIPTION Adds or removes a common trusted or forbidden web site entry. [no] {ipv4 | ipv4_cidr | ipv4_range | wildcard_domainname | tld} ipv4: IPv4 address <W.X.Y.Z> ipv4_cidr: IPv4 subnet in CIDR format, i.e. 192.168.1.0/32 <W.X.Y.Z>/<1..32>...
  • Page 218 Chapter 43 Content Filtering to enter the configuration mode to be able to use these commands. See Table 131 on page 214 for details about the values you can input with these commands. Table 134 content-filter profile Commands Summary COMMAND DESCRIPTION Creates a content filtering profile.
  • Page 219 Chapter 43 Content Filtering Table 134 content-filter profile Commands Summary (continued) COMMAND DESCRIPTION Sets the action for attempted access to web pages that content-filter profile filtering_profile url match match the profile’s selected managed categories. {block | log | warn | pass} Block access, allow and log access, display a warning message before allowing access, or allow access.
  • Page 220: Content Filter Url Cache Commands

    Chapter 43 Content Filtering Table 134 content-filter profile Commands Summary (continued) COMMAND DESCRIPTION Has the UAG not log attempted access to web pages that no content-filter profile filtering_profile match the CommTouch profile’s selected managed commtouch-url match {log} categories. Has the UAG not log access to web pages if the no content-filter profile filtering_profile CommTouch external content filtering database is commtouch-url offline {log}...
  • Page 221: Content Filtering Statistics

    Chapter 43 Content Filtering 43.9 Content Filtering Statistics The following table describes the commands for collecting and displaying content filtering statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 136 Commands for Content Filtering Statistics COMMAND DESCRIPTION Turn the collection of content filtering statistics on or off.
  • Page 222 Chapter 43 Content Filtering Note: You must register for the external web filtering service before you can use it (see Chapter 5 on page 48). You can also customize the filtering profile. The following commands block active-X, java and proxy access.
  • Page 223 Chapter 43 Content Filtering Use this command to display the settings of the profile. Router(config)# show content-filter profile sales_CF_PROFILE commtouch service active : yes url match unsafe: block: no, warn: yes, log: url match other : block: yes, warn: no, log: url unrate : block: no, warn: yes, log:...
  • Page 224: Chapter 44 User/Group

    Chapter 44 User/Group This chapter describes how to set up user accounts, user groups, and user settings for the UAG. You can also set up rules that control when users have to log in to the UAG before the UAG routes traffic for them (see Chapter 29 on page 158).
  • Page 225: User/Group Commands Summary

    Chapter 44 User/Group 44.2 User/Group Commands Summary The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands. Table 138 username/groupname Command Input Values LABEL DESCRIPTION username The name of the user (account). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 226: User Group Commands

    Chapter 44 User/Group Table 139 username/groupname Commands Summary: Users (continued) COMMAND DESCRIPTION Sets the account to use the factory default lease and username username logon-time-setting {default | reauthentication times or custom ones. manual} Sets the reauthentication time for the specified user. Set it to username username [no] logon-re-auth-time zero to set unlimited reauthentication time.
  • Page 227: User Setting Commands

    Chapter 44 User/Group 44.2.3 User Setting Commands This table lists the commands for user settings, except for forcing user authentication. Table 141 username/groupname Commands Summary: Settings COMMAND DESCRIPTION Displays the default lease and reauthentication times for the show users default-setting {all | user-type specified type of user accounts.
  • Page 228: Mac Auth Commands

    Chapter 44 User/Group Table 141 username/groupname Commands Summary: Settings (continued) COMMAND DESCRIPTION Enables the limit on the number of simultaneous logins by users of [no] users simultaneous-logon {administration the specified account-type. The no command disables the limit, or | access | billing-account} enforce allows an unlimited number of simultaneous logins.
  • Page 229 Chapter 44 User/Group Table 142 mac-auth Commands Summary COMMAND DESCRIPTION Maps the specified OUI (Organizationally Unique Identifier) [no] mac-auth database mac oui type ext-oui mac-role authenticated by an external server to the specified MAC username description description role (MAC address user account). The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device.
  • Page 230: Additional User Commands

    Chapter 44 User/Group 44.2.5 Additional User Commands This table lists additional commands for users. Table 143 username/groupname Commands Summary: Additional COMMAND DESCRIPTION Displays information about the users logged onto the system. show users {username | all | current} Displays users who are currently locked out. show lockout-users Unlocks the specified IP address.
  • Page 231 Chapter 44 User/Group The following commands display the users that are currently locked out and then unlock the user who is displayed. Router# configure terminal Router(config)# show lockout-users Username Tried From Lockout Time Remaining =========================================================================== From Failed Login Attempt Record Expired Timer ===========================================================================1 172.16.1.5 Router(config)# unlock lockout-users 172.16.1.5...
  • Page 232: Chapter 45 Application Object

    Chapter 45 Application Object Check that you have the latest App Patrol signatures. 45.1 Application Object Commands Summary The following table describes the values required for many application object commands. Other values are discussed with the corresponding commands. Table 144 Input Values for Application Object Commands LABEL DESCRIPTION Type the name of the object.
  • Page 233: Application Object Group Commands

    Chapter 45 Application Object 45.1.1.1 application-object Examples These are some example usage commands. Router(config)# show application-object Name Description Content =============================================================================== tests New Create Facebook Game (access) Router(config)# show application-object tests Name: tests Description: New Create Category Application Application ID =============================================================================== Social Network Facebook Game (access) 402685702...
  • Page 234 Chapter 45 Application Object 45.1.2.1 object-group application Examples These are some example usage commands. Router(config)# show object-group application Name Description Member =============================================================================== Router(config)# object-group application may Router(group-application)# description rinse after use Router(group-application)# exit Router(config)# show object-group application Name Description Member =============================================================================== rinse after use tests...
  • Page 235: Chapter 46 Addresses

    Chapter 46 Addresses This chapter describes how to set up addresses and address groups for the UAG. 46.1 Address Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. You can create IP address objects based on an interface’s IP address, subnet, or gateway.
  • Page 236: Address Object Commands

    Chapter 46 Addresses 46.2.1 Address Object Commands This table lists the commands for address objects. Table 148 address-object and address6-object Commands COMMAND DESCRIPTION show {address-object | address6-object | service-object | schedule-object} [object_name] Displays information about the specified object or all the objects of the specified type. Creates the specified IPv4 address object using the specified...
  • Page 237 Chapter 46 Addresses Table 149 object-group Commands: Address Groups (continued) COMMAND DESCRIPTION [no] address-object object_name Adds the specified address to the specified address group. The no command removes the specified address from the specified group. [no] object-group group_name Adds the specified address group (second group_name) to the specified address group (first group_name)....
  • Page 238: Chapter 47 Services

    Chapter 47 Services Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 47.1 Services Overview See the appendices in the web configurator’s User Guide for a list of commonly-used services. 47.2 Services Commands Summary The following table describes the values required for many service object and service group commands.
  • Page 239: Service Group Commands

    Chapter 47 Services Table 151 service-object Commands: Service Objects (continued) COMMAND DESCRIPTION service-object object_name icmp icmp_value Creates the specified ICMP message using the specified parameters. icmp_value: <0..255> | alternate-address | conversion-error | echo | echo-reply | information-reply | information-request | mask-reply | mask-request | mobile-redirect | parameter-problem | redirect | router-advertisement | router-solicitation | source-quench | time-exceeded | timestamp-reply |...
  • Page 240 Chapter 47 Services Table 152 object-group Commands: Service Groups (continued) COMMAND DESCRIPTION [no] description description Sets the description to the specified value. The no command removes the description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. Renames the specified service group from the first group_name to the object-group service rename group_name second group_name....
  • Page 241: Chapter 48 Schedules

    Chapter 48 Schedules Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, and content filtering. 48.1 Schedule Overview The UAG supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat. Note: Schedules are based on the current date and time in the UAG.
  • Page 242: Schedule Command Examples

    Chapter 48 Schedules Table 154 schedule Commands (continued) COMMAND DESCRIPTION schedule-object object_name date time date time Creates or updates a one-time schedule. date: yyyy-mm-dd date format; yyyy-<01..12>-<01..31> schedule-object object_name time time [day] [day] [day] [day] [day] [day] [day] Creates or updates a recurring schedule. day: 3-character day of the week;...
  • Page 243: Chapter 49 Aaa Server

    Chapter 49 AAA Server This chapter introduces and shows you how to configure the UAG to use external authentication servers. 49.1 AAA Server Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the UAG supports. •...
  • Page 244: Ldap-Server Commands

    Chapter 49 AAA Server Table 155 ad-server Commands (continued) COMMAND DESCRIPTION [no] ad-server binddn binddn Sets the user name the UAG uses to log into the default AD server. The no command clears this setting. [no] ad-server cn-identifier uid Sets the unique common name (cn) to identify a record. The no command clears this setting....
  • Page 245: Radius-Server Commands

    Chapter 49 AAA Server 49.2.3 radius-server Commands The following table lists the radius-server commands you use to set the default RADIUS server. Table 157 radius-server Commands COMMAND DESCRIPTION show radius-server Displays the default RADIUS server settings. Sets the RADIUS server address and service port number. Enter the IP address [no] radius-server host (in dotted decimal notation) or the domain name of a RADIUS server....
  • Page 246: Aaa Group Server Ldap Commands

    Chapter 49 AAA Server Table 158 aaa group server ad Commands (continued) COMMAND DESCRIPTION Sets the second type of identifier that the users can use to log in if any. For [no] server alternative-cn- example “name” or “e-mail address”. The command clears this setting.
  • Page 247: Aaa Group Server Radius Commands

    Chapter 49 AAA Server Table 159 aaa group server ldap Commands (continued) COMMAND DESCRIPTION Specify whether or not the server checks the username case. Set this to be [no] case-sensitive the same as the server’s behavior. Sets the second type of identifier that the users can use to log in if any. For [no] server alternative-cn- example “name”...
  • Page 248 Chapter 49 AAA Server Table 160 aaa group server radius Commands (continued) COMMAND DESCRIPTION Enter the sub-command mode. aaa group server radius group-name Specify whether or not the server checks the username case. Set this to be [no] case-sensitive the same as the server’s behavior. Sets the IP address (in dotted decimal notation) or the domain name of a [no] server acct-address RADIUS accounting server to add to this server group.
  • Page 249: Aaa Group Server Command Example

    Chapter 49 AAA Server Table 160 aaa group server radius Commands (continued) COMMAND DESCRIPTION Sets the IP address (in dotted decimal notation) or the domain name of a [no] server host radius_server RADIUS server to add to this server group. This also sets the port number auth-port auth_port (between 1 and 65535) on the RADIUS server to which the UAG sends accounting information.
  • Page 250: Authentication Objects

    Chapter 50 Authentication Objects This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database. 50.1 Authentication Objects Overview After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the UAG uses to authenticate users (using VPN or managing through HTTP/HTTPS).
  • Page 251: Aaa Authentication Command Example

    Chapter 50 Authentication Objects Table 161 aaa authentication Commands (continued) COMMAND DESCRIPTION Sets the profile to use the authentication method(s) in the order specified. [no] aaa authentication profile-name member1 [member2] = group ad, group ldap, group radius, or local. member [member3] [member4] Note: You must specify at least one member for each profile.
  • Page 252 Chapter 50 Authentication Objects • Bind-dn: zyxel\engineerABC • Password: abcdefg • Login-name-attribute: sAMAccountName The result shows the account exists on the AD server. Otherwise, the UAG responds with an error. Router> test aaa server ad host 172.16.50.1 port 389 base-dn DC=ZyXEL,DC=com bind-dn zyxel\engineerABC password abcdefg login-name-attribute sAMAccountName account userABC dn:: Q049MTIzNzco546L5aOr56uRKSxPVT1XaXRoTWFpbCxEQz1aeVhFTCxEQz1jb20=...
  • Page 253: Chapter 51 Certificates

    Chapter 51 Certificates This chapter explains how to use the Certificates. 51.1 Certificates Overview The UAG can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
  • Page 254: Certificates Commands Summary

    Chapter 51 Certificates Table 163 Certificates Commands Input Values (continued) LABEL DESCRIPTION Identify the company or group to which the certificate owner belongs. You can use organization up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
  • Page 255 Chapter 51 Certificates Table 164 ca Commands Summary (continued) COMMAND DESCRIPTION Enters the sub command mode for validation of ca validation remote_certificate certificates signed by the specified remote (trusted) certificates. Turns certificate revocation on or off. When it is turned on, cdp {activate|deactivate} the UAG validates a certificate by getting a Certificate Revocation List (CRL) through HTTP or LDAP (can be...
  • Page 256 Chapter 51 Certificates Table 164 ca Commands Summary (continued) COMMAND DESCRIPTION Displays the certification path of the specified local (my show ca category {local|remote} name certificate_name certificates) or remote (trusted certificates) certificate. certpath Displays a summary of the certificates in the specified show ca category {local|remote} [name category (local for my certificates or remote for trusted certificate_name format {text|pem}]...
  • Page 257: Certificates Commands Examples

    Chapter 51 Certificates 51.5 Certificates Commands Examples The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512 bit key. Then it displays the list of local certificates.
  • Page 258: Chapter 52 Isp Accounts

    Chapter 52 ISP Accounts Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE and PPTP interfaces. 52.1 ISP Accounts Overview An ISP account is a profile of settings for Internet access using PPPoE or PPTP. 52.1.1 PPPoE and PPTP Account Commands The following table lists the PPPoE and PPTP ISP account commands.
  • Page 259 Chapter 52 ISP Accounts Table 165 PPPoE and PPTP ISP Account Commands (continued) COMMAND DESCRIPTION Sets the service name for the specified PPPoE ISP account. The [no] service-name {ip | hostname command clears the service name. | service_name} hostname: You may use up to 63 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
  • Page 260: Chapter 53 Ssl Application

    Chapter 53 SSL Application This chapter describes how to configure SSL application objects for use in SSL VPN. 53.1 SSL Application Overview Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group.
  • Page 261: Ssl Application Command Examples

    Chapter 53 SSL Application Table 166 SSL Application Object Commands COMMAND DESCRIPTION Sets this to create a link to a web site you specified that you expect the SSL server-type weblink url url VPN users to commonly use. url: Enter the fully qualified domain name (FQDN) or IP address of the application server.
  • Page 262: Chapter 54 Endpoint Security

    Chapter 54 Endpoint Security This chapter describes how to configure endpoint security objects for use in authentication policy and SSL VPN. 54.1 Endpoint Security Overview Use Endpoint Security (EPS), also known as endpoint control, to make sure users’ computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel. After a successful user authentication, a user’s computer must meet the endpoint security object’s Operating System (OS) option and security requirements to gain access.
  • Page 263: Endpoint Security Commands Summary

    Chapter 54 Endpoint Security Requirements User computers must have Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a minimum version of 1.4. 54.1.1 Endpoint Security Commands Summary The following table describes the values required for many endpoint security object commands. Other values are discussed with the corresponding commands.
  • Page 264 Chapter 54 Endpoint Security Table 168 Endpoint Security Object Commands COMMAND DESCRIPTION Sets a permitted personal firewall. If you want to enter multiple personal firewalls, [no] personal-firewall use this command for each of them. Use the list signature personal-firewall personal_firewall_softwar command to view the available personal firewall software package options.
  • Page 265 Chapter 54 Endpoint Security Table 168 Endpoint Security Object Commands COMMAND DESCRIPTION windows-version {windows-2000 | windows-xp | windows-2003 | windows-2008 | windows-vista | windows-7 | windows-2008r2} If you set windows as the operating system (using the os-type command), use this command to set the version of Windows....
  • Page 266: Endpoint Security Object Command Example

    Chapter 54 Endpoint Security 54.1.3 Endpoint Security Object Command Example Peter wants to create and display an endpoint security object named EPS-Example. Only the computers that match the following criteria can access the company’s SSL VPN: • Operating system: Windows XP •...
  • Page 267 Chapter 54 Endpoint Security Then he also needs to check the personal firewall software name defined on the UAG. Copy and paste the name of the output item 4 for the setting later. Router(config)# show eps signature personal-firewall Name Detection =============================================================================== Kaspersky_Internet_Security_v2009 Kaspersky_Internet_Security_v2010...
  • Page 268 Chapter 54 Endpoint Security Then he leaves the sub-command mode and uses the show command to view the EPS object settings. Router(eps EPS-Example)# exit Router(config)# show eps profile name: EPS-Example description: os type: windows windows version: windows-xp matching criteria: all anti-virus activation: yes anti-virus: 1 name: Kaspersky_Anti-Virus_v2011...
  • Page 269: Dynamic Guest Accounts

    Chapter 55 Dynamic Guest Accounts 55.1 Dynamic Guest Accounts Overview Dynamic guest accounts are guest accounts, but are created dynamically and stored in the UAG’s local user database. A dynamic guest account has a dynamically-created user name and password. A dynamic guest account user can access the UAG’s services only within a given period of time and will become invalid after the expiration date/time.
  • Page 270: Dynamic-Guest Sub-Commands

    Chapter 55 Dynamic Guest Accounts Table 169 dynamic-guest Commands (continued) COMMAND DESCRIPTION Creates a dynamic guest account (billing-user) with the specified user [no] dynamic-guest user_name name and enters the dynamic-guest sub-command mode to set the password and timeout settings. See Table 170 on page 270 for the sub- commands.
  • Page 271: Dynamic-Guest Command Example

    Chapter 55 Dynamic Guest Accounts Table 170 dynamic-guest Sub-commands (continued) COMMAND DESCRIPTION remaining-time <1..25920000> Sets the amount of Internet access time (in seconds) remaining for the account. time-period <1..432000> Sets the total amount of time (in minutes) the account can use to access...
  • Page 272: Chapter 56 System

    Chapter 56 System This chapter provides information on the commands that correspond to what you can configure in the system screens. 56.1 System Overview Use these commands to configure general UAG information, the system time and the console port connection speed for a terminal emulation program. They also allow you to configure DNS settings and determine which services/protocols can access which UAG zones (if any) from which computers.
  • Page 273 Chapter 56 System Figure 23 Access Page Customization Logo Title Message (color of all text) Note Message (last line of text) Window Background You can specify colors in one of the following ways: • color-rgb: Enter red, green, and blue values in parenthesis and separate by commas. For example, use “rgb(0,0,0)”...
  • Page 274: Host Name Commands

    Chapter 56 System Table 171 Command Summary: Customization (continued) COMMAND DESCRIPTION Sets the color of the login page’s window border. login-page window-color {color-rgb | color-name | color-number} Sets the color of the logo banner across the top of the login screen and logo background-color {color-rgb | access page.
  • Page 275: Date/Time Commands

    Chapter 56 System 56.4.1 Date/Time Commands The following table describes the commands available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 173 Command Summary: Date/Time COMMAND DESCRIPTION Sets the new date in year, month and day format...
  • Page 276: Dns Overview

    Chapter 56 System 56.6 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. 56.6.1 Domain Zone Forwarder A domain zone forwarder contains a DNS server’s IP address.
  • Page 277: Dns Command Example

    Chapter 56 System Table 176 Command Summary: DNS (continued) COMMAND DESCRIPTION Sets a domain zone forwarder record that specifies a fully qualified [no] ip dns server zone-forwarder domain name. You can also use a star (*) if all domain zones are {<1..32>|append|insert <1..32>} served by the specified DNS server(s).
  • Page 278: Authentication Server Commands

    Chapter 56 System 56.7.1 Authentication Server Commands The following table lists the authentication server commands you use to configure the UAG’s built-in authentication server settings. Table 177 Command Summary: Authentication Server COMMAND DESCRIPTION Sets the UAG to act as an authentication server for other RADIUS [no] auth-server activate clients, such as APs.
  • Page 279: Authentication Server Command Examples

    Chapter 56 System 56.7.2 Authentication Server Command Examples The following example shows you how to enable the authentication server feature on the UAG and sets a trusted RADIUS client profile. This example also shows you the authentication server and client profile settings. Router# configure terminal Router(config)# auth-server activate Router(config)# auth-server trusted-client AP-1...
  • Page 280: Zon Commands

    Chapter 56 System 56.8.2 ZON Commands The following table describes the commands available for ZON. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 178 Command Summary: ZON COMMAND DESCRIPTION Activates LLDP discovery on the UAG....
  • Page 281: System Remote Management

    Chapter 57 System Remote Management This chapter shows you how to determine which services/protocols can access which UAG zones (if any) from which computers. Note: To access the UAG from a specified computer using a service, make sure no service control rules or to-Device firewall rules block that traffic. 57.1 Remote Management Overview You may manage your UAG from a remote location via: •...
  • Page 282: Common System Command Input Values

    Chapter 57 System Remote Management 57.2 Common System Command Input Values The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 179 Input Values for General System Commands LABEL DESCRIPTION The name of the IP address (group) object.
  • Page 283 Chapter 57 System Remote Management Table 180 Command Summary: HTTP/HTTPS (continued) COMMAND DESCRIPTION Specifies a certificate used by the HTTPS server. The [no] ip http secure-server cert certificate_name command resets the certificate used by the HTTPS server to the factory default ( default certificate_name: The name of the certificate.
  • Page 284: Http/Https Command Examples

    Chapter 57 System Remote Management 57.3.1 HTTP/HTTPS Command Examples The following example adds a service control rule that allows an administrator from the computers with the IP addresses matching the Marketing address object to access the WAN zone using HTTP service. Router# configure terminal Router(config)# ip http server table admin rule append access-group Marketing zone WAN action accept...
  • Page 285: Ssh Commands

    Chapter 57 System Remote Management 57.4.3 SSH Commands The following table describes the commands available for SSH. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 181 Command Summary: SSH COMMAND DESCRIPTION Allows SSH access to the UAG CLI....
  • Page 286: Telnet

    Chapter 57 System Remote Management 57.5 Telnet You can configure your UAG for remote Telnet access. 57.6 Telnet Commands The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 182 Command Summary: Telnet COMMAND...
  • Page 287: Configuring Ftp

    Chapter 57 System Remote Management 57.7 Configuring FTP You can upload and download the UAG’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. 57.7.1 FTP Commands The following table describes the commands available for FTP. You must use the configure command to enter the configuration mode before you can use these commands.
  • Page 288: Snmp

    Chapter 57 System Remote Management This command displays FTP settings. Router# configure terminal Router(config)# show ip ftp server status active : yes port : 21 certificate: default : no service control: Zone Address Action ======================================================================== 57.8 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
  • Page 289: Snmp Commands

    Chapter 57 System Remote Management 57.8.3 SNMP Commands The following table describes the commands available for SNMP. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 185 Command Summary: SNMP COMMAND DESCRIPTION Allows SNMP access to the UAG....
  • Page 290: Icmp Filter

    Chapter 57 System Remote Management The following command sets the password (secret) for read-write (rw) access. Router# configure terminal Router(config)# snmp-server community secret rw The following command sets the IP address of the host that receives the SNMP notifications to 172.16.15.84 and the password (sent with each trap) to qwerty.
  • Page 291: Chapter 58 File Manager

    Chapter 58 File Manager This chapter covers how to work with the UAG’s firmware, certificates, configuration files, packet trace results, shell scripts and temporary files. 58.1 File Directories The UAG stores files in the following directories. Table 187 FTP File Transfer Notes FILE NAME DIRECTORY FILE TYPE...
  • Page 292: Comments In Configuration Files Or Shell Scripts

    Chapter 58 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. Figure 24 Configuration File / Shell Script: Example # enter configuration mode configure terminal # change administrator password username admin password 4321 user-type admin # configure wan1...
  • Page 293: Errors In Configuration Files Or Shell Scripts

    Chapter 58 File Manager Line 3 in the following example exits sub command mode. interface wan1 ip address dhcp Lines 1 and 3 in the following example are comments and line 4 exits sub command mode. interface wan1 # this interface is a DHCP client Lines 1 and 2 are comments.
  • Page 294: Configuration File Flow At Restart

    Chapter 58 File Manager • When the UAG reboots, if the startup-config.conf file passes the error check, the UAG keeps a copy of the startup-config.conf file as the lastgood.conf configuration file for you as a backup file. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.
  • Page 295: File Manager Commands Summary

    Chapter 58 File Manager 58.4 File Manager Commands Summary The following table lists the commands that you can use for file management. Table 190 File Manager Commands Summary COMMAND DESCRIPTION Has the UAG use a specific configuration file. You must still use the apply /conf/file_name.conf [ignore- command to save your configuration changes to the flash (“non- write...
  • Page 296: File Manager Command Examples

    Chapter 58 File Manager Table 190 File Manager Commands Summary (continued) COMMAND DESCRIPTION Displays the settings of the configuration file that the system is using. show running-config Sets the UAG to back up the startup-conf.conf file when it is performing [no] backup-startup activate firmware upgrade.
  • Page 297: Command Line Ftp Configuration File Upload Example

    Chapter 58 File Manager Use “put” to transfer files from the computer to the UAG. For example: In the conf directory, use “put config.conf today.conf” to upload the configuration file (config.conf) to the UAG and rename it “today.conf”. “put 1.00(XL.0).bin” transfers the firmware (1.00(XL.0).bin) to the UAG. The firmware update can take up to five minutes.
  • Page 298: Command Line Ftp Configuration File Download Example

    Chapter 58 File Manager 58.6.4 Command Line FTP Configuration File Download Example The following example gets a configuration file named today.conf from the UAG and saves it on the computer as current.conf. Figure 26 FTP Configuration File Download Example C:\>ftp 192.168.1.1 Connected to 192.168.1.1.
  • Page 299: Notification Of A Damaged Recovery Image Or Firmware

    Chapter 58 File Manager 58.8 Notification of a Damaged Recovery Image or Firmware The UAG’s recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the UAG notifies you of a damaged recovery image or firmware file.
  • Page 300: Restoring The Recovery Image

    Chapter 58 File Manager If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged. Use the procedure in Section 58.10 on page 302 to restore it. If the message does not display, the firmware is OK and you do not need to use the firmware recovery procedure.
  • Page 301 Chapter 58 File Manager Note: You only need to use the atuk or atur command if the recovery image is damaged. Figure 32 atuk Command for Restoring the Recovery Image > atuk This command is for restoring the "recovery image" (xxx.ri). Use This command only when 1) the console displays "Invalid Recovery Image"...
  • Page 302: Restoring The Firmware

    Chapter 58 File Manager Enter atgo. The UAG starts up. If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged and you need to use the procedure in Section 58.10 on page 302 to recover the firmware.
  • Page 303 Chapter 58 File Manager Enter “quit” to exit the ftp prompt. Figure 38 FTP Firmware Transfer Complete 200 PORT command successful 150 Opening BINARY mode data connection for 250AACG0C0.bin 226-firmware verifying... 226-firmware updating... 226-Please Wait about 5 minutes!! 226-Do not poweroff or reset, 226-system will reboot automatically after finished updating.
  • Page 304: Chapter 59 Logs

    Chapter 59 Logs This chapter provides information about the UAG’s logs. Note: When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User’s Guide for the maximum number of system log messages in the UAG. 59.1 Log Commands Summary The following table describes the values required for many log commands.
  • Page 305: System Log Commands

    Chapter 59 Logs 59.1.2 System Log Commands This table lists the commands for the system log settings. Table 193 logging Commands: System Log Settings COMMAND DESCRIPTION Displays the current settings for the system log. show logging status system-log Specifies what kind of information, if any, is logged in the system log and logging system-log category module_name debugging log for the specified category.
  • Page 306: Debug Log Commands

    Chapter 59 Logs 59.1.3 Debug Log Commands This table lists the commands for the debug log settings. Table 194 logging Commands: Debug Log Settings COMMAND DESCRIPTION Displays the current settings for the debug log. show logging debug status Displays the specified entries in the system log. show logging debug entries [priority pri] [category module_name] [srcip ip] [dstip ip] pri: alert | crit | debug | emerg | error | info | notice | warn...
  • Page 307: E-Mail Profile Commands

    Chapter 59 Logs 59.1.4 E-mail Profile Commands This table lists the commands for the e-mail profile settings. Table 196 logging Commands: E-mail Profile Settings COMMAND DESCRIPTION Displays the current settings for the e-mail profiles. show logging status mail Enables the specified e-mail profile. The command disables [no] logging mail <1..2>...
  • Page 308: Console Port Logging Commands

    Chapter 59 Logs Table 196 logging Commands: E-mail Profile Settings (continued) COMMAND DESCRIPTION Sets the UAG to use Transport Layer Security (TLS) to have [no] logging mail <1..2> tls activate encrypted communications between the mail server and the UAG. command disables TLS in communications between the mail server and the UAG.
  • Page 309: Chapter 60 Reports And Reboot

    Chapter 60 Reports and Reboot This chapter provides information about the report associated commands and how to restart the UAG using commands. It also covers the daily report e-mail feature. 60.1 Report Commands Summary The following sections list the report, session, and packet size statistics commands. 60.1.1 Report Commands This table lists the commands for reports.
  • Page 310: Report Command Examples

    Chapter 60 Reports and Reboot 60.1.2 Report Command Examples The following commands start collecting data, display the traffic reports, and stop collecting data. Router# configure terminal Router(config)# show report lan1 ip No. IP Address User Amount Direction =================================================================== 192.168.1.4 admin 1273(bytes) Outgoing 192.168.1.4...
  • Page 311 Chapter 60 Reports and Reboot Use these commands to have the UAG e-mail you system statistics every day. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 201 Email Daily Report Commands COMMAND DESCRIPTION Displays the e-mail daily report settings.
  • Page 312: Email Daily Report Example

    Chapter 60 Reports and Reboot Table 201 Email Daily Report Commands (continued) COMMAND DESCRIPTION Sends the daily e-mail report immediately. send-now Sets the UAG to use Transport Layer Security (TLS) to have [no] smtp-tls activate encrypted communications between the mail server and the UAG.
  • Page 313 Chapter 60 Reports and Reboot • Turns on the daily e-mail reporting. Router(config)# daily-report Router(config-daily-report)# no activate Router(config-daily-report)# smtp-address example-SMTP-mail-server.com Router(config-daily-report)# mail-subject set test Router(config-daily-report)# no mail-subject append system-name Router(config-daily-report)# mail-subject append date-time Router(config-daily-report)# mail-from my-email@example.com Router(config-daily-report)# mail-to-1 example-administrator@example.com Router(config-daily-report)# no mail-to-2 Router(config-daily-report)# no mail-to-3 Router(config-daily-report)# mail-to-4 my-email@example.com Router(config-daily-report)# no mail-to-5...
  • Page 314: Reboot

    Chapter 60 Reports and Reboot 60.3 Reboot Use this to restart the device (for example, if the device begins behaving erratically). If you made changes in the CLI, you have to use the write command to save the configuration before you reboot. Otherwise, the changes are lost when you reboot. Use the command to restart the device.
  • Page 315: Session Timeout

    Chapter 61 Session Timeout Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands. Table 202 Session Timeout Commands COMMAND DESCRIPTION Sets the timeout for UDP sessions to connect or deliver session timeout {udp-connect <1..300>...
  • Page 316: Chapter 62 Diagnostics

    Chapter 62 Diagnostics This chapter covers how to use the diagnostics feature. 62.1 Diagnostics The diagnostics feature provides an easy way for you to generate a file containing the UAG’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
  • Page 317: Chapter 63 Packet Flow Explore

    Chapter 63 Packet Flow Explore This chapter covers how to use the packet flow explore feature. 63.1 Packet Flow Explore Use this to get a clear picture of how the UAG determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you with a summary of all your routing and SNAT settings and helps troubleshoot the related problems.
  • Page 318: Packet Flow Explore Commands Example

    Chapter 63 Packet Flow Explore 63.3 Packet Flow Explore Commands Example The following example shows all routing related functions and their order. Router> show route order route order: Direct Route, Policy Route, VPN 1-1 Mapping Route, 1-1 SNAT, SiteTo Site VPN, Dynamic VPN, Static-Dynamic Route, Default WAN Trunk, Main Route The following example shows all SNAT related functions and their order.
  • Page 319 Chapter 63 Packet Flow Explore The following example shows all activated dynamic VPN rules. Router> show system route dynamic-vpn Source Destination VPN Tunnel =========================================================================== The following example shows all activated VPN 1-1 mapping rules. Router> show system route vpn-1-1-map Source Destination Outgoing Gateway...
  • Page 320 Chapter 63 Packet Flow Explore The following example shows all activated 1-to-1 NAT rules. Router> show system snat nat-1-1 VS Name Source Destination Outgoing SNAT =========================================================================== The following example shows the default WAN trunk settings. Router> show system snat default-snat Incoming Outgoing SNAT...
  • Page 321: Chapter 64 Maintenance Tools

    Chapter 64 Maintenance Tools Use the maintenance tool commands to check the conditions of other devices through the UAG. The maintenance tools can help you to troubleshoot network problems. Here are maintenance tool commands that you can use in privilege mode. Table 205 Maintenance Tools Commands in Privilege Mode COMMAND DESCRIPTION...
  • Page 322 Chapter 64 Maintenance Tools Here are maintenance tool commands that you can use in configure mode. Table 206 Maintenance Tools Commands in Privilege Mode
    COMMAND: [no] packet-capture activate
    DESCRIPTION: Performs a packet capture that captures network traffic going through the set interface(s).
  • Page 323: Maintenance Command Examples

    Chapter 64 Maintenance Tools 64.1 Maintenance Command Examples Some packet-trace command examples are shown below.
    Router# packet-trace duration 3
    tcpdump: listening on eth0
    19:24:43.239798 192.168.1.10 > 192.168.1.1: icmp: echo request
    19:24:43.240199 192.168.1.1 > 192.168.1.10: icmp: echo reply
    19:24:44.258823 192.168.1.10 > 192.168.1.1: icmp: echo request
    19:24:44.259219 192.168.1.1 >...
  • Page 324: Packet Capture Command Example

    Chapter 64 Maintenance Tools Table 207 Maintenance Tools Commands in Configuration Mode (continued)
    COMMAND: arp IP mac_address
    DESCRIPTION: Edits or creates an ARP table entry.
    COMMAND: no arp ip
    DESCRIPTION: Removes an ARP table entry.
    The following example creates an ARP table entry for IP address 192.168.1.10 and MAC address 01:02:03:04:05:06.
  • Page 325 Chapter 64 Maintenance Tools • The maximum size of a packet capture file: 100 megabytes
    Router(config)# packet-capture configure
    Router(packet-capture)# iface add wan1
    Router(packet-capture)# ip-type any
    Router(packet-capture)# host-ip any
    Router(packet-capture)# file-suffix Example
    Router(packet-capture)# files-size 10
    Router(packet-capture)# duration 150
    Router(packet-capture)# storage usbstorage
    Router(packet-capture)# ring-buffer disable
    Router(packet-capture)# split-size 100
    Router(packet-capture)#...
  • Page 326: Chapter 65 Watchdog Timer

    Chapter 65 Watchdog Timer This chapter provides information about the UAG’s watchdog timers. 65.1 Hardware Watchdog Timer The hardware watchdog has the system restart if the hardware fails. The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.
  • Page 327: Application Watchdog

    Chapter 65 Watchdog Timer 65.3 Application Watchdog The application watchdog has the system restart a process that fails. These are the app-watchdog commands. Use the configure terminal command to enter the configuration mode to be able to use these commands. Table 210 app-watchdog Commands COMMAND DESCRIPTION...
  • Page 328: Application Watchdog Commands Example

    Chapter 65 Watchdog Timer 65.3.1 Application Watchdog Commands Example The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring.
  • Page 330: List Of Commands (Alphabetical)

    List of Commands (Alphabetical) List of Commands (Alphabetical) This section lists the commands and sub-commands in alphabetical order. Commands and subcommands appear at the same level. [no] {anti-virus | personal-firewall} activate .........263 [no] {firewall|secure-policy} activate ..........173 [no] {firewall|secure-policy} asymmetrical-route activate ......172 [no] {ipv4 | ipv4_cidr | ipv4_range | wildcard_domainname | tld} .......217...
  • Page 331 List of Commands (Alphabetical) [no] amsdu ................62 [no] anti-virus anti_virus_software_name detect-auto-protection {enable | disable | ignore} [no] app log_sid ...............211 [no] app profile_name ..............211 [no] app statistics collect ............211 [no] application application_object ............206 [no] application forbidden-process process_name ........264 [no] application sid ..............232 [no] application trusted-process process_name ..........264...
  • Page 332 List of Commands (Alphabetical) [no] bwm activate ..............115 [no] bwm activate ..............190 [no] bypass-firewall activate ............148 [no] cache-clean activate ..............206 [no] case-sensitive ..............245 [no] case-sensitive ..............247 [no] case-sensitive ..............248 [no] client-identifier mac_address ............91 [no] client-name host_name ..............91 [no] clock daylight-saving .............275 [no] clock saving-interval begin {apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep} {1|2|3|4|last} {fri|mon|sat|sun|thu|tue|wed} hh:mm end...
  • Page 333 List of Commands (Alphabetical) [no] default-router ip ..............91 [no] description description ............115 [no] description description ............155 [no] description description ............161 [no] description description ............174 [no] description description ............176 [no] description description ............191 [no] description description ............206 [no] description description ............211 [no] description description ............226 [no] description description...
  • Page 334 List of Commands (Alphabetical) [no] forbid_hosts ..............218 [no] force ................161 [no] force vlan .................56 [no] frag <256..2346> ..............61 [no] frame-capture activate .............76 [no] free-time activate ..............186 [no] free-time deliver-method onscreen ..........186 [no] free-time deliver-method sms ............186 [no] free-time maximum-register-number <1..5> ..........186 [no] free-time reset-register hh:mm ............186...
  • Page 335 List of Commands (Alphabetical) [no] ip ftp server cert certificate_name ..........287 [no] ip ftp server port <1..65535> .............287 [no] ip ftp server tls-required ............287 [no] ip gateway ip ..............87 [no] ip helper-address ip ...............92 [no] ip http authentication auth_method ..........282 [no] ip http port <1..65535>...
  • Page 336 List of Commands (Alphabetical) [no] log [alert] ...............174 [no] log [alert] ...............192 [no] logging console ..............308 [no] logging console category module_name ..........308 [no] logging debug suppression ............306 [no] logging debug suppression interval <10..600> ........306 [no] logging mail <1..2> ...............307 [no] logging mail <1..2> {send-log-to | send-alerts-to} e_mail ......307 [no] logging mail <1..2>...
  • Page 337 List of Commands (Alphabetical) [no] negotiation auto ..............99 [no] netbios-broadcast ..............200 [no] network interface area IP ............123 [no] network interface_name ............122 [no] network interface_name .............94 [no] network interface_name area ip .............95 [no] network-extension {activate | ip-pool address_object | 1st-dns {address_object | ip } | 2nd-dns {address_object | ip } | 1st-wins {address_object | ip } | 2nd-wins {address_object | ip } | network address_object} .........207 [no] network-extension traffic-enforcement...
  • Page 338 List of Commands (Alphabetical) [no] reset-counter ..............311 [no] router-id IP ..............122 [no] rssi-thres .................60 [no] rtls ekahau activate ..............170 [no] schedule schedule_name ............162 [no] schedule schedule_object ............116 [no] schedule schedule_object ............174 [no] schedule schedule_object ............192 [no] second-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | Device} ..92 [no] second-wins-server ip ..............92...
  • Page 339 List of Commands (Alphabetical) [no] sms-service activate ..............188 [no] smtp-auth activate ..............311 [no] smtp-port <1..65535> ..............311 [no] smtp-redirect <1..16> .............143 [no] smtp-redirect activate ............143 [no] smtp-tls activate ..............312 [no] smtp-tls authenticate-server ............312 [no] snat {outgoing-interface|pool {address_object}} ........116 [no] snmp-server ...............289 [no] snmp-server community community_string {ro|rw} ........289 [no] snmp-server contact description...
  • Page 340 List of Commands (Alphabetical) [no] users lockout-period <1..65535> ...........227 [no] users retry-count <1..99> ............227 [no] users retry-limit ..............227 [no] users simultaneous-logon {administration | access | billing-account} enforce ..228 [no] users simultaneous-logon {administration | access | billing-account} limit login_number [no] users update-lease automation .............228 [no] version <1..2>...
  • Page 341 List of Commands (Alphabetical) 2g-basic-speed wlan_2g_basic_speed ............62 2g-channel wireless_channel_2g ............62 2g-mcs-speed {disable | wlan_mcs_speed} ..........62 2g-multicast-speed wlan_2g_support_speed ..........62 2g-support-speed {disable | wlan_2g_support_speed} ........62 5g-basic-speed wlan_5g_basic_speed ............62 5g-channel wireless_channel_5g ............62 5g-mcs-speed {disable | wlan_mcs_speed} ..........62 5g-multicast-speed {wlan_5g_basic_speed} ..........62 5g-support-speed {disable | wlan_5g_support_speed} ........63 aaa authentication [no] match-default-group ..........251...
  • Page 342 List of Commands (Alphabetical) auto-healing margin: 0 ..............83 auto-healing power threshold: -70 dBm ...........83 auto-healing power-threshold <-50~-80> ..........82 auto-healing update ..............83 band {2.4G |5G} [band-mode {11n | bg | a}] ..........60 bandselect check-sta-interval <1..60000> ..........66 bandselect drop-authentication <1..16> ..........66 bandselect drop-probe-request <1..32> ...........66 bandselect min-sort-interval <1..60000>...
  • Page 343 List of Commands (Alphabetical) certificate certificate-name ............197 cf-profile cf_profile_name {[no log] | [log by-profile]}{activate|deactivate} ..174 charge price ................270 ch-width wlan_htcw ..............62 clear ...................37 clear aaa authentication profile-name ..........250 clear aaa group server ad [group-name] ..........245 clear aaa group server ldap [group-name] ..........246 clear aaa group server radius group-name ..........247...
  • Page 344 List of Commands (Alphabetical) dcs dcs-2g-method {auto|manual} ............78 dcs dcs-5g-method {auto|manual} ............78 dcs dfs-aware {enable|disable} ............78 dcs invoke ................78 dcs sensitivity-level {high| medium |low} ..........78 dcs time-interval interval ..............78 deactivate ................138 deactivate ................185 deactivate ................197 deactivate ................199 debug (*) ................37 debug [cmdexec|corefile|ip |kernel|mac-id-rewrite|observer|switch |system|zyinetpkt|zysh-ipt- op] (*) ................40 debug [remoteWTP | remoteWTP-cmd] (*)
  • Page 345 List of Commands (Alphabetical) description description ..............65 description2 ................71 details .................37 device-register checkuser user_name .............49 device-register username user_name password password [e-mail user@domainname] [country-code country_code] [reseller-name name] [reseller-mail email-address] [reseller-phone phone- number] [vat vat-number] ............49 dhcp-option <1..254> option_name {boolean <0..1>| uint8 <0..255> | uint16 <0..65535> ..91 diag ..................37...
  • Page 346 List of Commands (Alphabetical) exit ..................76 exit ..................87 exit ..................99 expire-time yyyy-mm-dd hh:mm ............270 fall-back-check-interval <60..86400> ...........197 file_name ................75 file-prefix file_name ..............76 files-size <1..10000> ..............322 files-size mon_dir_size ..............76 file-suffix <profile_name> .............322 filter-action {allow | deny} ............70 flush ..................107 flush pool ................138 frame-capture configure ..............76...
  • Page 347 List of Commands (Alphabetical) ip dns server max-ttl <10..3600> ............276 ip dns server rule {<1..32>|append|insert <1..32>} access-group {ALL|address_object} zone {ALL|address_object} action {accept|deny} ........276 ip dns server rule move <1..32> to <1..32> ..........276 ip dns server zone-forwarder {<1..32>|append|insert <1..32>} {domain_zone_name|*} user-defined w.x.y.z [private | interface {interface_name | auto}] ......277 ip dns server zone-forwarder move <1..32>...
  • Page 348 List of Commands (Alphabetical) ip virtual-server rename profile_name profile_name ........133 ip_address ................75 ipsec-isakmp policy_name ...............199 isakmp keepalive <2..60> ...............197 isakmp policy rename policy_name policy_name ...........198 keystring pre_shared_key ...............198 l2-isolation ................154 lan_port {activate | inactivate} pvid <1..4094> .........57 lan-provision ap ap_mac ..............56 ldap {activate|deactivate} .............255...
  • Page 349 List of Commands (Alphabetical) network IP/<1..32> ..............91 no address-object object_name ............236 no application-object object_name ............232 no application-object profile_name .............211 no area IP virtual-link IP message-digest-key <1..255> .........123 no arp ip ................324 no authentication key ..............122 no auth-server authentication ............278 no ca category {local|remote} certificate_name .........255 no ca validation name ..............255...
  • Page 350 List of Commands (Alphabetical) ntp sync ................275 object-group address rename group_name group_name ........237 object-group application object_group_name ..........233 object-group application rename object_group_name1 object_group_name2 ....233 object-group service rename group_name group_name ........240 ocsp {activate|deactivate} .............255 ocsp url url [id name password password] [deactivate] ........255 os-type {windows | linux | mac-osx | others} ...........264...
  • Page 351 List of Commands (Alphabetical) printer-manager discover ...............184 printer-manager encrypt secret-key secret_key ..........184 printer-manager multi-printout <1..3> ..........184 printer-manager port <1..65535> ............184 printer-manager printer append ............184 printer-manager printout-type {customized | default} ........184 ..................38 qos wlan_qos ................67 quota {total | upload | download} gigabytes <0..100> ........179 quota {total | upload | download} gigabytes <0..100>...
  • Page 352 List of Commands (Alphabetical) schedule-run 1 file_name.zysh {daily | monthly | weekly} time {date | sun | mon | tue | wed | thu | fri | sat} ..............295 security securityprofile ..............67 send-now ................312 server-auth <1..2> ip address ipv4_address port <1..65535> secret secret ....69 server-type rdp server-address server-address [starting- .......260...
  • Page 353 List of Commands (Alphabetical) show application-object object_name ............232 show app-watch-dog config ..............327 show app-watch-dog monitor-list ............327 show app-watch-dog reboot-log ............327 show arp-table .................323 show auth-server status ..............278 show auth-server trusted-client ............278 show auth-server trusted-client profile_name ...........278 show auto-healing config ..............83 show backup-startup status .............296 show billing discount default rule...
  • Page 354 List of Commands (Alphabetical) show corefile copy usb-storage ............103 show cpu status .................45 show crypto map [map_name] .............199 show daily-report status ...............311 show dcs config .................78 show ddns [profile_name] ...............129 show device-register status .............49 show diag-info .................316 show diag-info copy usb-storage ............103 show disk ................45...
  • Page 355 List of Commands (Alphabetical) show isakmp policy [policy_name] ............197 show isakmp sa .................204 show l2-isolation ..............154 show l2-isolation activation ............154 show l2-isolation white-list [rule_number] ..........154 show l2-isolation white-list activation ..........154 show lan-provision ap ap_mac interface {lan_port | vlan_interface | all| ethernet | uplink | vlan} ................57 show ldap-server ...............244...
  • Page 356 List of Commands (Alphabetical) show policy-route underlayer-rules .............117 show port setting ...............99 show port status ................99 show port vlan-id ..............104 show port-grouping ..............99 show printer-manager button ............185 show printer-manager discover-printer-status ...........185 show printer-manager printer [<1..10>] ..........185 show printer-manager printerfw version ..........185 show printer-manager printer-status ............185...
  • Page 357 List of Commands (Alphabetical) show service-register status all ............50 show service-register status content-filter ..........49 show service-register status extension-user ..........50 show service-register status external-ap-control ........50 show service-register status sms ............50 show session timeout {icmp | tcp | udp} ..........315 show session-limit ..............176 show session-limit begin rule_number end rule_number ........176...
  • Page 358 List of Commands (Alphabetical) show vpn-concentrator [profile_name] ...........202 show vpn-configuration-provision activation ..........203 show vpn-configuration-provision authentication ........203 show vpn-configuration-provision rules ..........203 show vpn-counters ..............204 show walled-garden activation ............166 show walled-garden rule <1..20> ............166 show web-auth activation ...............159 show web-auth default-rule .............159 show web-auth exceptional-service ............159 show web-auth method...
  • Page 359 List of Commands (Alphabetical) sslvpn policy {profile_name | profile_name append | profile_name insert <1..16>} ..206 sslvpn policy move <1..16> to <1..16> ..........207 sslvpn policy rename profile_name profile_name .........207 status: active .................280 storage <internal|usbstorage> ............322 subframe-ampdu <2..64> ..............61 system default-interface-group group-name ..........107 telnet ..................38...
  • Page 360 List of Commands (Alphabetical) users default-setting [no] logon-lease-time <0..1440> ........227 users default-setting [no] logon-re-auth-time <0..1440> ........227 users default-setting [no] user-type {admin | limited-admin | pre-subscriber | user | guest | ext-user | ext-group-user} ............227 users default-setting [no] user-type {admin | limited-admin | pre-subscriber | user | guest | ext-user | ext-group-user} logon-due-time time ........227 users default-setting [no] user-type {admin | limited-admin | pre-subscriber | user | guest | ext-user | ext-group-user} logon-lease-time <0..1440>...
  • Page 361 List of Commands (Alphabetical) wlan-security-profile rename security_profile_name1 security_profile_name2 ....68 wlan-ssid-profile rename ssid_profile_name1 ssid_profile_name2 ......66 wpa-encrypt {tkip | aes | auto} ............69 wpa-psk {wpa_key | wpa_key_64} ............69 write ..................296 write ...................38 zon lldp server ................280 zon lldp server tx-hold <1..10> ............280 zon lldp server tx-interval <1..600>...
