IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. This is a Reference Guide for a series of products. Not all products support all firmware features. Screenshots, graphics and commands in this book may differ slightly from your product due to differences in your product firmware or your computer operating system.
About This CLI Reference Guide

Intended Audience

This manual is intended for people who want to configure ZLD-based UAGs via Command Line Interface (CLI). You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Document Conventions

Warnings and Notes

These are how warnings and notes are shown in this guide.

Warnings tell you about things that could harm you or your device.

Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Table of Contents

About This CLI Reference Guide
Document Conventions
Contents Overview
Table of Contents
Part I: Introduction
Chapter 1 Command Line Interface
1.1 Overview
1.1.1 The Configuration File
1.2 Accessing the CLI
1.2.1 Console Port
1.2.2 Web Configurator Console
1.2.3 Telnet
...
1.9 Saving Configuration Changes
1.10 Logging Out
Chapter 2 User and Privilege Modes
2.1 User And Privilege Modes
2.1.1 Debug Commands
Part II: Reference
Chapter 3 Object Reference
3.1 Object Reference Commands
3.1.1 Object Reference Command Example
Chapter 4 Status
...
7.4 SSID Profile Commands
7.4.1 SSID Profile Example
7.5 Security Profile Commands
7.5.1 Security Profile Example
7.6 MAC Filter Profile Commands
7.6.1 MAC Filter Profile Example
Chapter 8 Rogue AP
8.1 Rogue AP Detection Overview
8.2 Rogue AP Detection Commands
8.2.1 Rogue AP Detection Examples
8.3 Rogue AP Containment Overview
...
13.1.1 Types of Interfaces
13.1.2 Relationships Between Interfaces
13.2 Interface General Commands Summary
13.2.1 Basic Interface Properties and IP Address Commands
13.2.2 DHCP Setting Commands
13.2.3 Interface Parameter Command Examples
13.2.4 RIP Commands
13.2.5 OSPF Commands
13.2.6 Connectivity Check (Ping-check) Commands
13.3 Ethernet Interface Specific Commands
...
39.3 Bandwidth Management Commands Example
Chapter 40 IPSec VPN
40.1 IPSec VPN Overview
40.2 IPSec VPN Commands Summary
40.2.1 IKE SA Commands
40.2.2 IPSec SA Commands (except Manual Keys)
40.2.3 IPSec SA Commands (for Manual Keys)
40.2.4 VPN Concentrator Commands
40.2.5 VPN Configuration Provisioning Commands
40.2.6 SA Monitor Commands
...
44.1 User Account Overview
44.1.1 User Types
44.2 User/Group Commands Summary
44.2.1 User Commands
44.2.2 User Group Commands
44.2.3 User Setting Commands
44.2.4 MAC Auth Commands
44.2.5 Additional User Commands
Chapter 45 Application Object
45.1 Application Object Commands Summary
...
49.2.5 aaa group server ad Commands
49.2.6 aaa group server ldap Commands
49.2.7 aaa group server radius Commands
49.2.8 aaa group server Command Example
Chapter 50 Authentication Objects
50.1 Authentication Objects Overview
50.2 aaa authentication Commands
50.2.1 aaa authentication Command Example
50.3 test aaa Command
...
55.2.1 dynamic-guest Sub-commands
55.2.2 Dynamic-guest Command Example
Chapter 56 System
56.1 System Overview
56.2 Customizing the WWW Login Page
56.3 Host Name Commands
56.4 Time and Date
56.4.1 Date/Time Commands
56.5 Console Port Speed
56.6 DNS Overview
56.6.1 Domain Zone Forwarder
...
Chapter 1 Command Line Interface

This chapter describes how to access and use the CLI (Command Line Interface).

1.1 Overview

If you have problems with your UAG, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the UAG and possibly render it unusable.
1.2.1 Console Port

The default settings for the console port are as follows.

Table 1 Managing the UAG: Console Port

SETTING         VALUE
Speed           115200 bps
Data Bits
Parity          None
Stop Bit
Flow Control

When you turn on your UAG, it performs several internal tests as well as line initialization. You can view the initialization information using the console port.
When you access the CLI using the web console, your computer establishes an SSH (Secure SHell) connection to the UAG. Follow the steps below to access the web console.

Log into the web configurator.

Click the Console icon in the top-right corner of the web configurator screen.
Note: The default login username is admin. It is case-sensitive.

Figure 5 Web Console: Connecting

Then, the Password screen appears.

Figure 6 Web Console: Password

Enter the password for the user name you specified earlier, and click OK. If you enter the password incorrectly, you get an error message, and you may have to close the console window and open it again.
1.2.3 Telnet

Use the following steps to Telnet into your UAG.

If your computer is connected to the UAG over the Internet, skip to the next step. Make sure your computer IP address and the UAG IP address are on the same subnet.

In Windows, click Start (usually in the bottom left corner) and Run.
1.4 How Commands Are Explained

Each chapter explains the commands for one keyword. The chapters are divided into the following sections.

1.4.1 Background Information (Optional)

Note: See the User’s Guide for background information about most features.

This section provides background information about features that you cannot configure in the web configurator.
• Enter range exactly as it appears, followed by two numbers between 1 and 65535.

1.4.6 Changing the Password

It is highly recommended that you change the password for accessing the UAG. See Section 44.2 on page 225 for the appropriate commands.
1.6 Shortcuts and Help

1.6.1 List of Available Commands

A list of valid commands can be found by typing [TAB] at the command prompt. To view a list of available commands within a command group, enter <command>...
1.6.3 Entering Partial Commands

The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the UAG automatically display the full command. For example, if you enter and press , the full command of automatically...
1.7 Input Values

You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen.
Table 3 Input-Value Formats for Strings in CLI Commands (continued)

                  # VALUES   LEGAL VALUES
e-mail            1-64       alphanumeric or .@_-
encryption key    16-64      “0x” or “0X” + 16-64 hexadecimal values
                  8-32       alphanumeric or ;\|`~!@#$%^&*()_+\\{}':,./<>=-
file name         0-31       alphanumeric or _-
filter extension...
phone number      1-20       numbers or ,+
preshared key     16-64      “0x” or “0X” + 16-64 hexadecimal values
                             alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-
profile name      0-30       alphanumeric or _-
                             first character: letters or _-...
Chapter 2 User and Privilege Modes

This chapter describes how to use these two modes.

2.1 User And Privilege Modes

This is the mode you are in when you first log into the CLI. (Do not confuse ‘user mode’ with types of user accounts the UAG uses.
Chapter 2 User and Privilege Modes Table 4 User (U) and Privilege (P) Mode Commands (continued) COMMAND MODE DESCRIPTION Goes to a previous mode or logs out. exit Goes to htm (hardware test module) mode for testing hardware components. You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting.
Chapter 3 Object Reference

This chapter describes how to use object reference commands.

3.1 Object Reference Commands

The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
Table 6 show reference Commands (continued)

COMMAND
    DESCRIPTION

show reference object-group username [username]
    Displays which configuration settings reference the specified user group object.

show reference object-group address [object_name]
    Displays which configuration settings reference the specified address group object.

show reference object-group service...
    Displays which configuration settings reference the specified service
Chapter 4 Status

This chapter explains some commands you can use to display information about the UAG’s current operational state.

Table 7 Status Show Commands

COMMAND
    DESCRIPTION

show boot status
    Displays details about the UAG’s startup state.

show comport status
    Displays whether the console and auxiliary ports are on or off.

show cpu status...
    Displays the CPU utilization.
Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size, and serial number.

    Router(config)# show fan-speed
    FAN1(F00)(rpm): limit(hi)=8000, limit(lo)=1400, max=6115, min=6115, avg=6115
    Router(config)# show mac
    MAC address: 00:00:AA:80:05:58-00:00:AA:80:05:5C
    Router(config)# show mem status
    memory usage: 39%
    Router(config)# show ram-size
    ram size: 512MB...
Here are examples of the commands that display the system uptime and model, firmware, and build information.

    Router> show system uptime
    system uptime: 04:18:00
    Router> show version
    ZyXEL Communications Corp.
    model : UAG715
    firmware version: V2.50(AACG.0)
    BM version : 1.22...
Chapter 5 Registration

This chapter introduces myzyxel.com and shows you how to register the UAG for subscription services using commands.

5.1 myZyXEL.com Overview

myZyXEL.com is ZyXEL’s online services center where you can register your UAG and manage subscription services available for the UAG. To use a subscription service, you have to register the UAG and activate the corresponding service at myZyXEL.com.
5.2.2 Maximum Number of Managed APs

The UAG is initially configured to support up to one local AP and 8 remote managed APs (such as the NWA5123-NI). You can increase this by subscribing to additional licenses. As of this writing, each license upgrade allows an additional 8 remote managed APs while the maximum number of remote managed APs a single UAG can support is 16.
5.3.1 Command Examples

The following commands allow you to register your device with an existing account or create a new account and register the device at one time, and activate a trial service subscription.

    Router# configure terminal
    Router(config)# device-register username alexctsui password 123456
    Router(config)# service-register service-type trial service content-filter

The following command displays the account information and whether the device is registered.
5.4.1 Command Examples

The following command displays the service registration status and type and how many days remain before the service expires.

    Router# configure terminal
    Router(config)# show service-register status all
    Service Status Type Count Expiration
    ===============================================================================
    Extension User Licensed standard
    External-AP-Control...
Chapter 5 Registration Table 11 Country Codes (continued) COUNTRY COUNTRY COUNTRY NAME COUNTRY NAME CODE CODE Congo, Republic of Cook Islands Costa Rica Cote d'Ivoire Croatia/Hrvatska Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic East Timor Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia...
Chapter 5 Registration Table 11 Country Codes (continued) COUNTRY COUNTRY COUNTRY NAME COUNTRY NAME CODE CODE Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia, Federal State of Moldova, Republic of Monaco Mongolia Montserrat Morocco Mozambique Namibia Nauru Nepal Netherlands Netherlands Antilles...
Chapter 5 Registration Table 11 Country Codes (continued) COUNTRY COUNTRY COUNTRY NAME COUNTRY NAME CODE CODE Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu US Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu...
Chapter 6 AP Management

This chapter shows you how to configure wireless AP management options on your UAG.

6.1 AP Management Overview

The UAG allows you to remotely manage all of the Access Points (APs) on your network. You can manage a number of APs without having to configure them individually as the UAG automatically handles basic configuration for you.
The following table describes the commands available for AP management. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 13 Command Summary: AP Management

COMMAND
    DESCRIPTION

Adds the specified AP to the UAG for management....
Table 13 Command Summary: AP Management (continued)

COMMAND
    DESCRIPTION

lan_port {activate | inactivate} pvid <1..4094>
    Enables or disables the specified LAN port on the AP and configures a PVID (Port VLAN ID) for this port.
    lan_port: the name of the AP’s LAN port (lan1 for example).

Creates a new VLAN or configures an existing VLAN....
6.2.1 AP Management Commands Example

The following example shows you how to add an AP to the management list, and then edit it.

    Router# show capwap ap wait-list
    index: 1
    IP: 192.168.1.35, MAC: 00:11:11:11:11:FE
    Model: NWA5160N, Description: AP-00:11:11:11:11:FE
    index: 2
    IP: 192.168.1.36, MAC: 00:19:CB:00:BB:03
    Model: NWA5160N, Description: AP-00:19:CB:00:BB:03...
Chapter 7 Wireless LAN Profiles

This chapter shows you how to configure wireless LAN profiles on your UAG.

7.1 Wireless LAN Profiles Overview

The managed Access Points designed to work explicitly with your UAG do not have on-board configuration files; you must create “profiles”...
Table 14 Input Values for General Radio Profile Commands (continued)

LABEL
    DESCRIPTION

wlan_mcs_speed
    Sets the HT MCS rate. The available rates are: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.

Sets the basic band rate for 5 GHz....
Table 15 Command Summary: Radio Profile (continued)

COMMAND
    DESCRIPTION

[no] dot11n-disable-coexistence
    Fixes the channel bandwidth as 40 MHz. The no command has the AP automatically choose 40 MHz if all the clients support it or 20 MHz if some clients only support 20 MHz....
Table 15 Command Summary: Radio Profile (continued)

COMMAND
    DESCRIPTION

[no] amsdu
    Activates MPDU frame aggregation for this profile. Use the no parameter to disable it. MAC Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header....
Table 15 Command Summary: Radio Profile (continued)

COMMAND
    DESCRIPTION

5g-support-speed {disable | wlan_5g_support_speed}
    Disables or sets the 5 GHz support rate. The default is 6.0~54.0.

[no] htprotection
    Activates HT protection for this profile. Use the no parameter to disable it....
It will also assign the SSID profile labeled ‘default’ in order to create WLAN VAP (wlan-1-1) functionality within the radio profile.

    Router(config)# wlan-radio-profile RADIO01
    Router(config-profile-radio)# activate
    Router(config-profile-radio)# band 2.4G
    Router(config-profile-radio)# 2g-channel 6
    Router(config-profile-radio)# ch-width 20m
    Router(config-profile-radio)# dtim-period 2
    Router(config-profile-radio)# beacon-interval 100
    Router(config-profile-radio)# ampdu...
Table 17 Command Summary: Monitor Profile (continued)

COMMAND
    DESCRIPTION

[no] wlan-monitor-profile monitor_profile_name
    Enters configuration mode for the specified monitor profile. Use the no parameter to remove the specified profile.

[no] activate
    Makes this profile active or inactive. By default, this is enabled....
Table 18 Input Values for General SSID Profile Commands (continued)

LABEL
    DESCRIPTION

securityprofile
    Assigns an existing security profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number....
Table 19 Command Summary: SSID Profile (continued)

COMMAND
    DESCRIPTION

[no] block-intra
    Enables intra-BSSID traffic blocking. Use the no parameter to disable it in this profile. By default this is disabled.

downlink-rate-limit data_rate
    Sets the maximum incoming transmission data rate (either in mbps or kbps) on a per-station basis....
7.5 Security Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 20 Input Values for General Security Profile Commands

LABEL
    DESCRIPTION

The security profile name....
Table 21 Command Summary: Security Profile (continued)

COMMAND
    DESCRIPTION

wpa-encrypt {tkip | aes | auto}
    Sets the WPA/WPA2 encryption cipher type.
    auto: This automatically chooses the best available cipher based on the cipher in use by the wireless client that is attempting to make a connection....
7.6 MAC Filter Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 22 Input Values for General MAC Filter Profile Commands

LABEL
    DESCRIPTION

The MAC filter profile name....
Chapter 8 Rogue AP

This chapter shows you how to set up Rogue Access Point (AP) detection and containment.

8.1 Rogue AP Detection Overview

Rogue APs are wireless access points operating in a network’s coverage area that are not under the control of the network’s administrators, and can potentially open holes in the network security....
Table 25 Command Summary: Rogue AP Detection (continued)

COMMAND
    DESCRIPTION

rogue-ap ap_mac description2
    Sets the device that owns the specified MAC address as a rogue AP. You can also assign a description to this entry on the rogue AP list....
This example shows the friendly AP detection list.

    Router(config)# show rogue-ap detection list friendly
    description
    ===========================================================================
    11:11:11:11:11:11 third floor
    00:13:49:11:22:33
    00:13:49:00:00:05
    00:13:49:00:00:01
    00:0D:0B:CB:39:33 dept1

This example shows the combined rogue and friendly AP detection list.

    Router(config)# show rogue-ap detection list all
    role description
    ===========================================================================...
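As an added illustration (not part of the ZyXEL guide), the Python sketch below reconciles a wireless site survey against the friendly and rogue lists so that unlisted BSSIDs stand out for review. The friendly list is the one printed in the example above; the rogue rows, the survey results and all function names are constructed for this example.

```python
import re

# A MAC address with ':' or '-' separators, in any letter case.
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")

# Friendly list as printed in the guide's example, one entry per line.
FRIENDLY_OUTPUT = """\
Router(config)# show rogue-ap detection list friendly
description
===========================================================================
11:11:11:11:11:11 third floor
00:13:49:11:22:33
00:13:49:00:00:05
00:13:49:00:00:01
00:0D:0B:CB:39:33 dept1
"""

# Constructed rogue-list rows (sample data, not from the guide).
ROGUE_ROWS = """\
02:00:00:00:00:A1 lobby hotspot
"""

# Constructed survey results: (BSSID as the scanner reported it, SSID).
OBSERVED = [
    ("00-13-49-11-22-33", "corp"),
    ("00:0d:0b:cb:39:33", "corp"),
    ("02:00:00:00:00:a1", "Free-WiFi"),
    ("02:00:00:00:00:B2", "corp"),
]


def norm_mac(mac):
    """Canonical form for comparison: upper-case, colon-separated."""
    return mac.replace("-", ":").upper()


def parse_ap_list(cli_output):
    """Return {MAC: description} from list output.

    Lines without a MAC (prompt, column header, ==== ruler) are skipped,
    and an entry with no description maps to an empty string.
    """
    entries = {}
    for line in cli_output.splitlines():
        match = MAC_RE.search(line)
        if match:
            entries[norm_mac(match.group(0))] = line[match.end():].strip()
    return entries


def classify(observed, friendly, rogue):
    """Sort observed (bssid, ssid) pairs by role.

    The comparison is on the MAC only, so an AP that spoofs a friendly
    BSSID is reported as friendly; a MAC on both lists is a 'conflict'
    that needs the lists themselves corrected.
    """
    report = {"friendly": [], "rogue": [], "unclassified": [], "conflict": []}
    for bssid, ssid in observed:
        mac = norm_mac(bssid)
        if mac in friendly and mac in rogue:
            role = "conflict"
        elif mac in rogue:
            role = "rogue"
        elif mac in friendly:
            role = "friendly"
        else:
            role = "unclassified"
        report[role].append((mac, ssid))
    return report


def unseen_friendly(observed, friendly):
    """Friendly entries the survey did not see (stale or out of range)."""
    seen = {norm_mac(bssid) for bssid, _ in observed}
    return sorted(mac for mac in friendly if mac not in seen)


if __name__ == "__main__":
    friendly = parse_ap_list(FRIENDLY_OUTPUT)
    rogue = parse_ap_list(ROGUE_ROWS)
    for role, aps in classify(OBSERVED, friendly, rogue).items():
        for mac, ssid in aps:
            print(f"{role:13} {mac}  ssid={ssid}")
    print("friendly but not seen:", unseen_friendly(OBSERVED, friendly))
```
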
8.4 Rogue AP Containment Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 26 Input Values for Rogue AP Containment Commands

LABEL
    DESCRIPTION

ap_mac
    Specifies the MAC address (in XX:XX:XX:XX:XX:XX format) of the AP to be...
Chapter 9 Wireless Frame Capture

This chapter shows you how to configure and use wireless frame capture on the UAG.

9.1 Wireless Frame Capture Overview

Troubleshooting wireless LAN issues has always been a challenge. Wireless sniffer tools like Ethereal can help capture and decode packets of information, which can then be analyzed for debugging....
The following table describes the commands available for wireless frame capture. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 29 Command Summary: Wireless Frame Capture

COMMAND
    DESCRIPTION

Enters sub-command mode for wireless frame capture....
Chapter 10 Dynamic Channel Selection

This chapter shows you how to configure and use dynamic channel selection on the UAG.

10.1 DCS Overview

Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by passively listening to the area around it and determining what channels are currently being broadcast on by other devices....
Table 31 Command Summary: DCS (continued)

COMMAND
    DESCRIPTION

dcs client-aware {enable|disable}
    When enabled, this ensures that an AP will not change channels as long as a client is connected to it. If disabled, the AP may change channels regardless of whether it has clients connected to it or not....
Chapter 11 Wireless Load Balancing

This chapter shows you how to configure wireless load balancing.

11.1 Wireless Load Balancing Overview

Wireless load balancing is the process whereby you limit the number of connections allowed on a wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it. Because there is a hard upper limit on the AP’s wireless bandwidth, this can be a crucial function in areas crowded with wireless users....
Table 32 Command Summary: Load Balancing (continued)

COMMAND
    DESCRIPTION

load-balancing kickInterval <1..255>
    Enables the kickout feature for load balancing and also sets the kickout interval in seconds. While load balancing is enabled, the AP periodically disconnects stations at intervals equal to this setting....
The following example shows you how to configure AP load balancing in "by traffic" mode. The traffic level is set to low, and "disassociate station" is enabled.

    Router(config)# load-balancing mode traffic
    Router(config)# load-balancing traffic level low
    Router(config)# load-balancing kickout
    Router(config)# show load-balancing config
    load balancing config:...
Chapter 12 Auto-Healing

This chapter shows you how to configure auto-healing settings.

12.1 Auto-Healing Overview

Auto-healing allows you to extend the wireless service coverage area of the managed APs when one of the managed APs fails.

12.2 Auto-Healing Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands....
Table 34 Command Summary: Auto-Healing (continued)

COMMAND
    DESCRIPTION

Enters a number from 0 to 9. This value is used to calculate the auto-healing margin power level (power-threshold + margin) to which the neighbor APs of the failed AP increase their output power in order to extend their wireless service coverage areas....
Chapter 13 Interfaces

This chapter shows you how to use interface-related commands.

13.1 Interface Overview

In general, an interface has the following characteristics.

• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
•...
Port groups, and trunks have a lot of characteristics that are specific to each type of interface. These characteristics are listed in the following tables and discussed in more detail farther on.

Table 35 Ethernet, VLAN, Bridge, PPP, and Virtual Interface Characteristics

CHARACTERISTICS ETHERNET ETHERNET...
Chapter 13 Interfaces Table 36 Relationships Between Different Types of Interfaces (continued) INTERFACE REQUIRED PORT / INTERFACE virtual interface (virtual Ethernet interface) Ethernet interface* (virtual VLAN interface) VLAN interface* (virtual bridge interface) bridge interface trunk Ethernet interface VLAN interface bridge interface PPPoE/PPTP interface * - You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface, or virtual VLAN interface if the underlying interface is a member of a bridge.
13.2.1 Basic Interface Properties and IP Address Commands

This table lists basic properties and IP address commands.

Table 38 interface General Commands: Basic Properties and IP Address Assignment

COMMAND
    DESCRIPTION

show interface {ethernet | vlan | bridge | ppp | auxiliary} status
    Displays the connection status of the specified type of interfaces.

Displays information about the specified interface, specified type of...
Table 38 interface General Commands: Basic Properties and IP Address Assignment (continued)

COMMAND
    DESCRIPTION

traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} deactivate
    Turns off traffic priority settings for when the interface sends the specified type of traffic.

[no] upstream <0..1048576>...
    Specifies the upstream bandwidth for the specified interface. The
This example shows how to modify the name of interface lan2 to “VIP”. First you have to check the interface system name (ge4 in this example) on the UAG. Then change the name and display the result.

    Router>...
This example shows how to restart an interface. You can check all interface names on the UAG. Then use either the system name or user-defined name of an interface (ge4 or Customer in this example) to restart it.

    Router>...
Table 39 interface Commands: DHCP Settings (continued)

COMMAND
    DESCRIPTION

[no] host ip
    Specifies the static IP address the UAG should assign. Use this command, along with hardware-address, to create a static DHCP entry.
    Note: The IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool....
Table 39 interface Commands: DHCP Settings (continued)

COMMAND
    DESCRIPTION

[no] starting-address ip pool-size <1..65535>...
    Sets the IP start address and maximum pool size of the specified DHCP pool. The final pool size is limited by the subnet mask.
13.2.2.1 DHCP Setting Command Examples

The following example uses these commands to configure DHCP pool DHCP_TEST.

    Router# configure terminal
    Router(config)# ip dhcp pool DHCP_TEST
    Router(config-ip-dhcp-pool)# network 192.168.1.0 /24
    Router(config-ip-dhcp-pool)# domain-name zyxel.com
    Router(config-ip-dhcp-pool)# first-dns-server 10.1.5.1
    Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns
    Router(config-ip-dhcp-pool)# third-dns-server 10.1.5.2
    Router(config-ip-dhcp-pool)#...
Chapter 13 Interfaces 13.2.3 Interface Parameter Command Examples This table shows an example of each interface type’s sub-commands. The sub-commands vary for different interface types. Table 40 Examples for Different Interface Parameters ETHERNET VIRTUAL INTERFACE PPPOE/PPTP Router(config)# interface wan1 Router(config)# interface wan1:1 Router(config)# interface wan1_ppp Router(config-if-wan1)# Router(config-if-vir)#...
Chapter 13 Interfaces Table 41 interface Commands: RIP Settings (continued) COMMAND DESCRIPTION Sets the send or receive version to the specified version number. The [no] ip rip {send | receive} version command sets the send or received version to the current global <1..2>...
Table 42 interface Commands: OSPF Settings (continued)

COMMAND
    DESCRIPTION

[no] ip ospf dead-interval <1..65535>
    Sets the number of seconds the UAG waits for “hello” messages from peer routers before it assumes the peer router is not available and deletes associated routing information....
13.2.6 Connectivity Check (Ping-check) Commands

Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the UAG stops routing to the gateway....
13.2.6.1 Connectivity Check Command Example

The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2.

    Router# configure terminal
    Router(config)# interface wan1
    Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080
    Router(config-if-wan1)# exit
    Router(config)# show ping-check...
Table 45 interface Commands: MAC Setting (continued)

COMMAND
    DESCRIPTION

type {internal | external | general}
    Sets which type of network you will connect this interface. The UAG automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces;...
gateway 4.6.7.8, upstream bandwidth 345, downstream bandwidth 123, and description “I am vir interface”.

    Router# configure terminal
    Router(config)# interface lan1:1
    Router(config-if-vir)# ip address 1.2.3.4 255.255.255.0
    Router(config-if-vir)# ip gateway 4.6.7.8
    Router(config-if-vir)# upstream 345
    Router(config-if-vir)# downstream 123
    Router(config-if-vir)# description I am vir interface
    Router(config-if-vir)# exit

13.5 PPPoE/PPTP Specific Commands

This section covers commands that are specific to PPPoE/PPTP interfaces....
Table 48 interface Commands: PPPoE/PPTP Interfaces (continued)

COMMAND
    DESCRIPTION

[no] mss <536..1452>
    Specifies the maximum segment size (MSS) the interface can use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece....
Chapter 13 Interfaces
Table 49 USB Storage General Commands (continued)
COMMAND
    DESCRIPTION
usb-storage mount
    Mounts the connected USB storage device.
usb-storage umount
    Unmounts the connected USB storage device.
[no] logging usb-storage
    Sets to have the UAG log or not log any information about the connected USB storage device(s) for the system log.
Chapter 13 Interfaces
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 50 Input Values for VLAN Interface Commands
LABEL
    DESCRIPTION
interface_name
    VLAN interface: vlanx, x = 0 - 4094. See Table 37 on page 86 for detailed information about the interface name.
Chapter 13 Interfaces
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 52 Input Values for Bridge Interface Commands
LABEL
    DESCRIPTION
interface_name
    The name of the interface. VLAN interface: vlanx, x = 0 - 4094. Bridge interface: brx, x = 0 - N, where N depends on the number of bridge interfaces your UAG model supports.
Chapter 14 Trunks
This chapter shows you how to configure trunks on your UAG.
14.1 Trunks Overview
You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface’s connection goes down, the UAG sends traffic through another member of the trunk.
Chapter 14 Trunks
14.3 Trunk Commands Input Values
The following table explains the values you can input with the interface-group commands.
Table 54 interface-group Command Input Values
LABEL
    DESCRIPTION
group-name
    A descriptive name for the trunk. The name cannot start with a number. This value is case-sensitive.
The name of an interface, it could be an Ethernet, PPP, VLAN or bridge interface.
Chapter 14 Trunks
Table 55 interface-group Commands Summary (continued)
COMMAND
    DESCRIPTION
show system default-snat
    Displays whether the UAG enables SNAT or not. The UAG performs SNAT by default for traffic going to or from the WAN interfaces.
show system default-interface-group
    Displays the WAN trunk the UAG first attempts to use.
14.5 Trunk Command Examples
The following example creates a weighted round robin trunk for Ethernet interfaces wan1 and...
Chapter 14 Trunks
14.6 Link Sticking
You can have the UAG send each local computer’s traffic through a single WAN interface for a specified period of time. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file.
Chapter 14 Trunks mode before you can use these commands. See Table 54 on page 107 for details about the values you can input with these commands. Table 56 ip load-balancing link-sticking Commands Summary COMMAND DESCRIPTION Turns link sticking on or off. [no] ip load-balancing link-sticking activate Sets for how many seconds (30-3600) the UAG sends all of each [no] ip load-balancing link-sticking timeout...
Chapter 15 IP Drop-In
This chapter explains some commands you can use to set the UAG interfaces to work in drop-in mode.
15.1 Drop-In Mode Overview
When the UAG is in drop-in mode, you can deploy it in your existing network without changing the network architecture and use its multiple WAN feature to connect to more than one ISP.
Chapter 15 IP Drop-In
15.1.1 Drop-In Limitations
• The interfaces in drop-in mode cannot join the port group of the interfaces that are not in drop-in mode. But other interfaces can join a drop-in interface’s port group.
• The interfaces in drop-in mode cannot be part of a bridge interface.
•...
Chapter 15 IP Drop-In
The following example shows you how to set the drop-in WAN interface and LAN interface, set a WAN host, turn on the drop-in mode and show the settings.
Router> configure terminal
Router(config)# ip drop-in
Router(drop-in)# wan-host 10.1.2.3
Router(drop-in)# wan-interface wan1 lan-interface lan1
Router(drop-in)# activate
Router(drop-in)# exit...
Chapter 16 Route
This chapter shows you how to configure policies for IP routing and static routes on your UAG.
16.1 Policy Route
Traditionally, routing is based on the destination address only and the UAG takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
Chapter 16 Route
The following table describes the commands available for policy route. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 60 Command Summary: Policy Route
COMMAND
    DESCRIPTION
[no] bwm activate
    Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes policies apply bandwidth management.
Chapter 16 Route
Table 60 Command Summary: Policy Route (continued)
COMMAND
    DESCRIPTION
[no] dscp class {default | dscp_class}
    Sets a DSCP class. Use default to apply this policy route to incoming packets that are marked with DSCP value 0. Use one of the pre-defined AF classes (including af11~af13, af21~af23, af31~af33, and af41~af43) to apply this policy route to incoming packets that are marked with the DSCP AF class.
Chapter 16 Route
Table 60 Command Summary: Policy Route (continued)
COMMAND
    DESCRIPTION
[no] user user_name
    Sets the user name. The no command resets the user name to the default (any). any means all users.
[no] policy controll-ipsec-dynamic-rules
    Enables the UAG to use policy routes to manually specify the destination addresses of dynamic IPSec rules.
Chapter 16 Route numbered class) is generally given priority. Combining the classes and drop precedence produces the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets. Table 61 Assured Forwarding (AF) Behavior Group CLASS 1 CLASS 2 CLASS 3 CLASS 4...
Chapter 16 Route
16.3 IP Static Route
The UAG has no knowledge of the networks beyond the network that is directly connected to the UAG. For instance, the UAG knows about network N2 in the following figure through gateway R1. However, the UAG is unable to route a packet to network N3 because it doesn't know that there is a route through the same gateway R1 (via gateway R2).
Chapter 16 Route
16.4.1 Static Route Commands Examples
The following command sets a static route with IP address 10.10.10.0 and subnet mask 255.255.255.0 and with the next-hop interface wan1. Then use the show command to display the setting.
Router(config)# ip route 10.10.10.0 255.255.255.0 wan1
Router(config)#
Router(config)# show ip route-settings
Route...
Chapter 17 Routing Protocol
This chapter describes how to set up RIP and OSPF routing protocols for the UAG.
17.1 Routing Protocol Overview
Routing protocols give the UAG routing information about the network from other routers. The UAG then stores this routing information in the routing table, which it uses when it makes routing decisions.
Chapter 17 Routing Protocol
17.2.1 RIP Commands
This table lists the commands for RIP.
Table 65 router Commands: RIP
COMMAND
    DESCRIPTION
router rip
    Enters sub-command mode.
[no] network interface_name
    Enables RIP on the specified Ethernet interface. The no command disables RIP on the specified interface.
[no] redistribute {static | ospf}
    Enables redistribution of routing information learned from the specified source.
Chapter 17 Routing Protocol
17.2.3 OSPF Area Commands
This table lists the commands for OSPF areas.
Table 67 router Commands: OSPF Areas
COMMAND
    DESCRIPTION
router ospf
    Enters sub-command mode.
[no] network interface area IP
    Adds the specified interface to the specified area. The no command removes the specified interface from the specified area.
Chapter 17 Routing Protocol 17.2.5 Learned Routing Information Commands This table lists the commands to look at learned routing information. Table 69 ip route Commands: Learned Routing Information COMMAND DESCRIPTION Displays learned routing and other routing show ip route [kernel | connected | static | ospf | rip | information.
Chapter 18 Zones
Set up zones to configure network security and network policies in the UAG.
18.1 Zones Overview
A zone is a group of interfaces and VPN tunnels. The UAG uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management. Zones cannot overlap.
Chapter 18 Zones
18.2 Zone Commands Summary
The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands.
Table 70 Input Values for Zone Commands
LABEL
    DESCRIPTION
profile_name
    The name of a zone, or the name of a VPN tunnel. Use up to 31 characters (a-zA-Z0-9_-).
Chapter 18 Zones
18.2.1 Zone Command Examples
The following commands add interfaces vlan123 and vlan234 to zone A and block intra-zone traffic.
Router# configure terminal
Router(config)# zone A
Router(zone)# interface vlan123
Router(zone)# interface vlan234
Router(zone)# block
Router(zone)# exit
Router(config)# show zone
No.
Chapter 19 DDNS
This chapter describes how to configure dynamic DNS (DDNS) services for the UAG.
19.1 DDNS Overview
DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address.
Chapter 19 DDNS
19.2 DDNS Commands Summary
The following table describes the values required for many DDNS commands. Other values are discussed with the corresponding commands.
Table 73 Input Values for DDNS Commands
LABEL
    DESCRIPTION
profile_name
    The name of the DDNS profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Chapter 19 DDNS
Table 74 ip ddns Commands (continued)
COMMAND
    DESCRIPTION
[no] backup-iface interface_name
    Sets the backup WAN interface in the specified DDNS profile. The no command clears it.
[no] ha-iface interface_name
    Sets the HA interface in the specified DDNS profile. The no command clears it.
Chapter 20 Virtual Servers
This chapter describes how to set up, manage, and remove virtual servers. Virtual server commands configure NAT.
20.1 Virtual Server Overview
Virtual server is also known as port forwarding or port translation. Virtual servers are computers on a private network behind the UAG that you want to make available outside the private network.
Chapter 20 Virtual Servers The following table lists the virtual server commands. Table 76 ip virtual-server Commands COMMAND DESCRIPTION show ip virtual-server [profile_name] Displays information about the specified virtual server or about all the virtual servers. Deletes the specified virtual server. no ip virtual-server profile_name Creates or modifies the specified virtual server and maps the specified ip virtual-server profile_name...
Chapter 20 Virtual Servers Table 76 ip virtual-server Commands (continued) COMMAND DESCRIPTION Creates or modifies the specified virtual server and maps the specified ip virtual-server profile_name (destination IP address, protocol, and service object) to the specified interface interface_name original-ip (destination IP address and service object).
Chapter 20 Virtual Servers
The following command shows information about all the virtual servers in the UAG.
Router(config)# show ip virtual-server
virtual server: WAN-LAN_H323
active: yes
interface: wan1
NAT-loopback active: yes
NAT 1-1: no
original IP: 10.0.0.8
mapped IP: 192.168.1.56
mapping type: port
protocol type: tcp
original service:...
Chapter 20 Virtual Servers
• HTTP traffic and the HTTP server in this example both use TCP port 80. So you set the port mapping type to “port”, the protocol type to “TCP”, and the original and mapped ports to “80”.
Router(config)# ip virtual-server To-VirtualServer-WWW interface wan1 original-ip wan1_HTTP map-to DMZ_HTTP map-type port protocol tcp original-port 80 mapped-port 80
Router(config)#...
Chapter 21 VPN 1-1 Mapping
This chapter shows you how to configure VPN 1-1 mapping on your UAG.
21.1 VPN 1-1 Mapping Overview
VPN 1-1 mapping allows an authenticated user in your network to access the Internet or an external server using a public IP address different from the one used by the UAG’s WAN interface. With VPN 1-1 mapping, each user that logs into the UAG and matches a pre-configured mapping rule can obtain an individual public IP address.
Chapter 21 VPN 1-1 Mapping
The following table describes the commands available for VPN 1-1 mapping. You must use the configure terminal command to enter the configuration mode before you can use the configuration commands.
Table 78 Command Summary: vpn-1-1-map
COMMAND DESCRIPTION Enables VPN 1-1 mapping on the UAG....
Chapter 21 VPN 1-1 Mapping
21.2.1 vpn-1-1-map pool Sub-commands
The following table describes the sub-commands for the vpn-1-1-map pool command.
Table 79 vpn-1-1-map pool Sub-commands
COMMAND
    DESCRIPTION
address address_object
    Configures the name of the IP address object the profile is set to use. An address object presents the IP address(es), which can be assigned to the matched users by the UAG.
Chapter 21 VPN 1-1 Mapping
Table 80 vpn-1-1-map rule Sub-commands (continued)
COMMAND
    DESCRIPTION
[no] pool profile_name
    Sets the name of the pool profile used by this rule. You can associate up to four pool profiles to a VPN 1-1 mapping rule. The no command removes the specified pool file.
Chapter 22 HTTP Redirect
This chapter shows you how to configure HTTP redirection on your UAG.
22.1 HTTP Redirect Overview
HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the UAG) to a web proxy server.
22.1.1 Web Proxy Server
A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
Chapter 22 HTTP Redirect
Table 82 Command Summary: HTTP Redirect (continued)
COMMAND
    DESCRIPTION
ip http-redirect deactivate description
    Disables a rule with the specified rule name.
no ip http-redirect description
    Removes a rule with the specified rule name.
ip http-redirect flush
    Clears all HTTP redirect rules.
Displays HTTP redirect settings....
Chapter 23 SMTP Redirect
This chapter shows you how to configure SMTP redirection on your UAG.
23.1 SMTP Redirect Overview
SMTP redirect forwards the authenticated client’s SMTP message to an SMTP server that handles all outgoing e-mail messages. The UAG forwards SMTP traffic using TCP port 25.
23.1.1 SMTP
Simple Mail Transfer Protocol (SMTP) is the Internet’s message transport standard.
Chapter 23 SMTP Redirect
The following table describes the commands available for SMTP redirection. You must use the configure terminal command to enter the configuration mode before you can use the configuration commands.
Table 84 Command Summary: SMTP Redirect
COMMAND DESCRIPTION Enters the smtp-redirect sub-command mode to set a SMTP redirect [no] smtp-redirect <1..16>...
Chapter 24 ALG
This chapter covers how to use the UAG’s ALG feature to allow certain applications to pass through the UAG.
24.1 ALG Introduction
The UAG can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the UAG’s NAT. Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’...
Chapter 24 ALG
24.2 ALG Commands
The following table lists the alg commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 86 alg Commands
COMMAND DESCRIPTION Turns on or configures the ALG. [no] alg sip [inactivity- timeout | signal-port Use inactivity-timeout to have the UAG apply SIP media and signaling...
Chapter 24 ALG
24.3 ALG Commands Example
The following example turns on pass through for SIP and turns it off for H.323.
Router# configure terminal
Router(config)# alg sip
Router(config)# no alg h323
Chapter 25 UPnP
25.1 UPnP and NAT-PMP Overview
The UAG supports both UPnP and NAT-PMP to permit networking devices to discover each other and connect seamlessly. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
Chapter 25 UPnP
Table 87 ip upnp Commands (continued)
COMMAND
    DESCRIPTION
[no] nat-pmp activate
    Enables NAT-PMP on the UAG. The no command disables NAT-PMP on the UAG.
[no] upnp-igd activate
    Enables UPnP on the UAG. The no command disables UPnP on the UAG.
Removes all or a specific port mapping rule....
Chapter 25 UPnP
The following example displays the UAG’s port mapping entries and removes the entry with the specified port number and protocol type.
Router# configure terminal
Router(config) # show ip upnp port-mapping
No: 0
Remote Host: (null)
Client Type: upnp
External Port: 1122
Protocol: tcp
Internal Port: 1122...
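Port mappings created through UPnP or NAT-PMP are requested by LAN clients rather than by the administrator, so the listing above is worth reviewing before entries are removed. The script below is an added example, not part of the guide: it parses only the six fields visible in the excerpt, the sample listing and the port watchlist are constructed, and treating "(null)" as "no remote-host restriction" is an assumption based on UPnP IGD, where an empty RemoteHost is a wildcard.

```python
import re
from typing import Dict, List, Tuple

# Field labels exactly as they appear in the excerpt of `show ip upnp port-mapping`.
FIELD_RE = re.compile(
    r"\b(No|Remote Host|Client Type|External Port|Protocol|Internal Port):\s*(\S+)"
)

# Constructed watchlist (local policy, not from the guide): services that should
# not normally be reachable through a client-requested mapping.
SENSITIVE_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP"}

# Constructed sample in the layout shown above; entries 1 and 2 are invented.
SAMPLE = """\
No: 0
Remote Host: (null)
Client Type: upnp
External Port: 1122
Protocol: tcp
Internal Port: 1122
No: 1
Remote Host: (null)
Client Type: upnp
External Port: 3389
Protocol: tcp
Internal Port: 3389
No: 2
Remote Host: 203.0.113.10
Client Type: upnp
External Port: 50000
Protocol: udp
Internal Port: 5060
"""


def parse_mappings(text: str) -> List[Dict[str, object]]:
    """Split the listing into one dict per entry; a 'No:' field starts a new entry.

    Matching on labels instead of line breaks also handles output that has been
    flattened onto one line, as in the excerpt above.
    """
    entries: List[Dict[str, object]] = []
    for key, value in FIELD_RE.findall(text):
        if key == "No":
            entries.append({"No": int(value)})
        elif entries:
            digits = re.match(r"\d+", value)
            is_port = key.endswith("Port") and digits is not None
            entries[-1][key] = int(digits.group()) if is_port else value
    return entries


def audit(entries: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Return (entry number, reasons) for every mapping that deserves a closer look."""
    findings = []
    for entry in entries:
        reasons = []
        if entry.get("Remote Host") in (None, "(null)"):
            reasons.append("any remote host")
        internal = entry.get("Internal Port")
        if internal in SENSITIVE_PORTS:
            reasons.append("exposes " + SENSITIVE_PORTS[internal])
        if entry.get("External Port") != internal:
            reasons.append("port translated")
        if reasons:
            findings.append((entry["No"], reasons))
    return findings


if __name__ == "__main__":
    for number, reasons in audit(parse_mappings(SAMPLE)):
        print("entry %d: %s" % (number, ", ".join(reasons)))
```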
Chapter 26 IP/MAC Binding
26.1 IP/MAC Binding Overview
IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The UAG uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address.
Chapter 26 IP/MAC Binding
26.3 IP/MAC Binding Commands Example
The following example enables IP/MAC binding on the lan1 interface and displays the interface’s IP/MAC binding status.
Router# configure terminal
Router(config)# ip ip-mac-binding lan1 activate
Router(config)# show ip ip-mac-binding lan1
Name: lan1
Status: Enable
Log: No...
Chapter 27 Layer 2 Isolation
27.1 Layer 2 Isolation Overview
Layer-2 isolation is used to prevent connected devices from communicating with each other in the UAG’s local network(s), on which layer-2 isolation is enabled, except the devices in the white list.
Note: Layer-2 isolation does not check the wireless traffic.
Chapter 27 Layer 2 Isolation 27.2 Layer 2 Isolation Commands The following table lists the l2-isolation commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 89 l2-isolation Commands COMMAND DESCRIPTION Enters the layer 2 isolation sub-command mode to enable Layer-2 isolation l2-isolation...
Chapter 27 Layer 2 Isolation
Table 90 l2-isolation white-list Sub-commands (continued)
COMMAND
    DESCRIPTION
[no] description description
    Sets a descriptive name (up to 60 printable ASCII characters) for a rule. The no command removes the descriptive name from the rule.
[no] ip-address ip
    Sets an IPv4 address associated with this rule. The no command removes the IP address.
Chapter 28 IPnP
28.1 IPnP Overview
IP Plug and Play (IPnP) allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, even when the IP addresses of the computer and the UAG are not in the same subnet. When you disable the IPnP feature, only computers with dynamic IP addresses or static IP addresses in the same subnet as the UAG’s LAN IP address can connect to the UAG or access the Internet through the UAG.
Chapter 28 IPnP
28.3 IPnP Commands Example
The following example enables IPnP on the UAG and interface lan1. It also displays the IPnP settings.
Router# configure terminal
Router(config)# ip ipnp activate
Router(config)# ip ipnp config
Router(ipnp)# interface lan1
Router(ipnp)# exit
Router(config)# show ip ipnp activation
IPnP Status: yes
Router(config)# show ip ipnp interface...
Chapter 29 Web Authentication
29.1 Web Authentication Overview
Web authentication can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions.
Chapter 29 Web Authentication Table 92 web-auth Commands (continued) COMMAND DESCRIPTION Creates a new condition for forcing user authentication at the end of the web-auth policy append current list and enters sub-command mode. See Table 94 on page 161 the sub-commands. Creates a new condition for forcing user authentication at the specified web-auth policy insert <1..1024>...
Chapter 29 Web Authentication
29.2.1 web-auth login setting Sub-commands
The following table describes the sub-commands for the web-auth login setting command.
Table 93 web-auth login setting Sub-commands
COMMAND
    DESCRIPTION
exit
    Leaves the sub-command mode.
type {external | internal}
    Sets the login page that appears whenever the web portal intercepts network traffic, preventing unauthorized users from gaining access to the network....
Chapter 29 Web Authentication
Table 93 web-auth login setting Sub-commands (continued)
COMMAND
    DESCRIPTION
[no] terms-of-service
    Forces users to agree to the terms before they can use the service. An agreement checkbox will display in the login page. The no command allows users to use the service without agreeing to the terms.
Sets the welcome page’s URL;...
Chapter 29 Web Authentication Table 94 web-auth policy Sub-commands (continued) COMMAND DESCRIPTION Sets the time criteria for the specified condition. The no command removes [no] schedule schedule_name the time criteria, making the condition effective all the time. Sets the source criteria for the specified condition. The no command [no] source {address_object | removes the source criteria, making the condition effective for all sources.
Chapter 29 Web Authentication 29.2.5 web-auth type profile Sub-commands The following table describes the sub-commands for several web-auth type profile commands. Note that not all rule commands use all the sub-commands listed here. Table 97 web-auth type profile Sub-commands COMMAND DESCRIPTION Specifies the custom web portal file you want to use in this profile.
Chapter 29 Web Authentication
Table 97 web-auth type profile Sub-commands (continued)
COMMAND
    DESCRIPTION
[no] web-portal session-url url
    Sets the session page’s URL; for example, http://IIS server IP Address/session.html. You can use up to 255 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%) in quotes. The no command removes the URL.
Chapter 29 Web Authentication 29.2.7 Web Authentication Policy Insert Command Example The following commands show how to insert a web authentication policy at position 1 of the checking order. This policy applies endpoint security policies and uses the following settings: •...
Chapter 30 Walled Garden
30.1 Walled Garden Overview
A user must log in before the UAG allows the user’s access to the Internet. However, with a walled garden, you can define one or more web site addresses that all users can access without logging in. These can be used for advertisements for example.
Chapter 30 Walled Garden 30.2.1 walled-garden rule Sub-commands The following table describes the sub-commands for several walled-garden rule commands. Note that not all rule commands use all the sub-commands listed here. Table 100 walled-garden rule Sub-commands COMMAND DESCRIPTION Enables this entry. The command disables the entry.
Chapter 31 Advertisement
31.1 Advertisement Overview
You can set the UAG to display an advertisement web page as the first web page whenever the user connects to the Internet.
31.2 Advertisement Commands
This table lists the advertisement commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Chapter 32 RTLS
32.1 RTLS Overview
Ekahau RTLS (Real Time Location Service) tracks battery-powered Wi-Fi tags attached to APs managed by the UAG to create maps, alerts, and reports. The Ekahau RTLS Controller is the centerpiece of the RTLS system. This server software runs on a Windows computer to track and locate Ekahau tags from Wi-Fi signal strength measurements.
Chapter 32 RTLS
32.1.1 RTLS Configuration Commands
Use these commands to configure RTLS on the UAG.
Table 103 RTLS Commands
COMMAND
    DESCRIPTION
[no] rtls ekahau activate
    Enables RTLS to use Wi-Fi to track the location of Ekahau Wi-Fi tags. The no command disables tracking....
Chapter 33 Firewall
This chapter introduces the UAG’s firewall and shows you how to configure your UAG’s firewall.
33.1 Firewall Overview
The UAG’s firewall is a stateful inspection firewall. The UAG restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
Chapter 33 Firewall
33.2 Firewall Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 104 Input Values for General Firewall Commands
LABEL
    DESCRIPTION
address_object
    The name of the IP address (or address group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character...
Chapter 33 Firewall
Table 105 Command Summary: Firewall (continued)
COMMAND
    DESCRIPTION
{firewall|secure-policy} profile_name {zone_object|Device} append
    Enters the firewall sub-command mode to add a direction specific through-Device rule or to-Device rule to the end of the global rule list. See Table 106 on page 174 for the sub-commands....
Chapter 33 Firewall
33.2.1 Firewall Sub-Commands
The following table describes the sub-commands for several firewall commands.
Table 106 firewall Sub-commands
COMMAND
    DESCRIPTION
action {allow|deny|reject}
    Sets the action the UAG takes when packets match this rule.
[no] activate
    Enables a firewall rule. The no command disables the firewall rule....
Chapter 33 Firewall
Table 106 firewall Sub-commands (continued)
COMMAND
    DESCRIPTION
[no] to {zone_object|Device}
    Sets the zone to which the packets are sent. The no command removes the zone to which the packets are sent and resets it to the default (any). any means all interfaces or VPN tunnels....
Chapter 33 Firewall
33.3 Session Limit Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 107 Input Values for General Session Limit Commands
LABEL
    DESCRIPTION
rule_number
    The priority number of a session limit rule, 1 - 1000.
The name of the IP address (group) object....
Chapter 34 Billing
34.1 Billing Overview
You can use the built-in billing function to set up billing profiles. A billing profile describes how to charge users. This chapter also shows you how to select an accounting method or configure a discount price plan.
34.2 Billing Commands
This table lists the billing commands.
Chapter 34 Billing
Table 109 billing Commands (continued)
COMMAND
    DESCRIPTION
[no] billing discount unit <2..10> price price
    Creates a new discount level by setting the duration of the billing period that should be reached before the UAG charges users at this level and defining this level’s charge per time unit....
Chapter 34 Billing Table 110 billing profile Sub-commands (continued) COMMAND DESCRIPTION Turns on bandwidth management for the user account. [no] bandwidth activate The no command disables bandwidth management for the user account. Defines each profile’s price, up to 999999.99, per time unit. price price Sets how much downstream and/or upstream data in Megabytes can be quota {total | upload | download}...
Chapter 34 Billing
This example creates a billing profile named billing_1hour and displays the profile settings.
Router# configure terminal
Router(config)# billing profile billing_1hour
Router(billing profile button-a)# activate
Router(billing profile button-a)# price 2
Router(billing profile button-a)# time-period hour 1
Router(billing profile button-a)# exit
Router(config)# show billing profile
Billing Profile: billing_30mins
activate: yes...
Chapter 35 Payment Service
35.1 Payment Service Overview
The online payment service allows users to purchase access time online with a credit card. You must register with the supported credit card service before you can configure the UAG to handle credit card transactions.
35.2 Payment-service Commands
The following table identifies the values required for many of these commands.
Chapter 35 Payment Service
Table 112 payment-service Commands (continued)
COMMAND
    DESCRIPTION
[no] payment-service page-customization
    Sets the UAG to use a custom online payment service page. You can customize the online payment service pages that display after an unauthorized user clicks the link in the Web Configurator login screen to purchase access time. The no command sets the UAG to use the default online payment service page built into the device....
Chapter 35 Payment Service
35.2.1 Payment-Service Provider Paypal Sub-commands
The following table describes the sub-commands for the payment-service provider paypal command.
Table 113 payment-service provider paypal Sub-commands
COMMAND
    DESCRIPTION
[no] account e-mail
    Sets your PayPal account name. You should already have a PayPal account to receive credit card payments....
Chapter 36 Printer Manager
36.1 Printer Manager Overview
You can create dynamic guest accounts and print guest account information by pressing the button on an external statement printer, such as SP350E. Make sure that the printer is connected to the appropriate power and the UAG, and that there is printing paper in the printer. Refer to the printer’s documentation for details.
Chapter 36 Printer Manager Table 114 printer-manager Commands (continued) COMMAND DESCRIPTION Displays the name of billing profile that is applied to each button. show printer-manager button Displays information of the printer that is connected to and detected by the show printer-manager discover-printer- UAG.
Chapter 37 Free Time
37.1 Free Time Overview
With Free Time, the UAG can create dynamic guest accounts that allow users to browse the Internet free of charge for a specified period of time.
37.2 Free-Time Commands
The following table lists the free-time commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Chapter 37 Free Time
37.3 Free-Time Commands Example
The following example enables the free time feature and sets the UAG to provide user account information in the web screen and also send account information via SMS text messages. It then displays the free time settings....
Chapter 38 SMS
38.1 SMS Overview
The UAG supports Short Message Service (SMS) to send short text messages to mobile devices. At the time of writing, the UAG uses ViaNett as the SMS gateway to help forward SMS messages. You must already have a ViaNett account in order to use the SMS service.
38.2 SMS Commands
The following table lists the sms-service commands.
Chapter 38 SMS
38.3 SMS Commands Example
The following example enables the SMS service on the UAG and configures the ViaNett account information. It then displays the SMS settings.
Router# configure terminal
Router(config)# sms-service activate
Router(config)# sms-service provider vianett
Router(sms-service-vianett)# username test@example.com
Router(sms-service-vianett)# password 12345
Router(sms-service-vianett)# exit...
Chapter 39 Bandwidth Management
39.1 Bandwidth Management Overview
Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.
39.1.1 BWM Type
The UAG supports two types of bandwidth management: shared and per-user.
Chapter 39 Bandwidth Management
Table 118 bwm Commands (continued)
COMMAND
    DESCRIPTION
bwm move <1..127> to <1..127>
    Moves a policy to the number that you specified.
show bwm activation
    Displays whether bandwidth management is enabled.
show bwm all
    Displays all bandwidth management policies.
Displays the default bandwidth management policy....
Page 192
Chapter 39 Bandwidth Management
Table 119 bwm Sub-commands (continued)
COMMAND
    DESCRIPTION
[no] incoming-interface {interface interface_name | trunk group_name}
    Sets the source interface of the traffic to which this policy applies. interface_name: The name of the interface. This depends on the UAG model. See Table 37 on page 86 for detailed information about the interface name.
Page 193
Chapter 39 Bandwidth Management
Table 119 bwm Sub-commands (continued)
COMMAND
    DESCRIPTION
[no] service service-object {service_name | any}
    Specifies a service or service group to identify the type of traffic to which this policy applies. any: the policy is effective for every service. The no command resets the service to the default (any).
Chapter 39 Bandwidth Management
39.3 Bandwidth Management Commands Example
The following example adds a new bandwidth management policy for trial-users to limit incoming and outgoing bandwidth and sets the traffic priority to 3. It then displays the policy settings.
Router# configure terminal
Router(config)# bwm append
Router(config-bwm append 6)# activate
Router(config-bwm append 6)# description example
...
Chapter 40 IPSec VPN
This chapter explains how to set up and maintain IPSec VPNs in the UAG.
40.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing.
Chapter 40 IPSec VPN and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure. Figure 21 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
Chapter 40 IPSec VPN
Table 120 Input Values for IPSec VPN Commands (continued)
LABEL
    DESCRIPTION
distinguished_name
    A domain name. You can use up to 511 alphanumeric characters, spaces, or .@=,_- characters.
sort_order
    Sort the list of currently connected SAs by one of the following classifications. algorithm encapsulation...
Page 198
Chapter 40 IPSec VPN
Table 121 isakmp Commands: IKE SAs (continued)
COMMAND
    DESCRIPTION
transform-set isakmp-algo [isakmp_algo [isakmp_algo]]
    Sets the encryption and authentication algorithms for each IKE SA proposal. isakmp_algo: {des-md5 | des-sha | 3des-md5 | 3des-sha | aes128-md5 | aes128-sha | aes192-md5 | aes192-sha | aes256-md5 | aes256-sha | aes256-sha256 | aes256-sha512}
Sets the IKE SA life time to the specified value.
Chapter 40 IPSec VPN
40.2.2 IPSec SA Commands (except Manual Keys)
This table lists the commands for IPSec SAs, excluding manual keys (VPN connections using VPN gateways).
Table 122 crypto Commands: IPSec SAs
COMMAND
    DESCRIPTION
[no] crypto ignore-df-bit
    Fragment packets larger than the MTU (Maximum Transmission Unit) that have the “don’t”...
Page 200
Chapter 40 IPSec VPN
Table 122 crypto Commands: IPSec SAs (continued)
COMMAND
    DESCRIPTION
set security-association lifetime seconds <180..3000000>
    Sets the IPSec SA life time.
set pfs {group1 | group2 | group5 | none}
    Enables Perfect Forward Secrecy group.
local-policy address_name
    Sets the address object for the local policy (local network).
Sets the address object for the remote policy (remote network).
Page 201
Chapter 40 IPSec VPN
Table 122 crypto Commands: IPSec SAs (continued)
COMMAND
    DESCRIPTION
conn-check {IPv4 | FQDN | first-and-last} method {icmp | tcp} period <5..600>...
    Turns on the VPN connection check. The UAG can regularly check the VPN connection to the gateway you specified to make sure it is...
Chapter 40 IPSec VPN
40.2.3 IPSec SA Commands (for Manual Keys)
This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys).
Table 123 crypto map Commands: IPSec SAs (Manual Keys)
COMMAND
    DESCRIPTION
crypto map map_name
    Creates the specified IPSec SA if necessary and enters sub-command mode.
Chapter 40 IPSec VPN
Table 124 vpn-concentrator Commands: VPN Concentrator (continued)
COMMAND
    DESCRIPTION
[no] crypto map_name
    Adds the specified IPSec SA to the specified VPN concentrator. The no command removes the specified IPSec SA from the specified VPN concentrator.
vpn-concentrator rename profile_name
    Renames the specified VPN concentrator (first profile_name) to the specified name (second profile_name).
Chapter 40 IPSec VPN
40.2.6 SA Monitor Commands
This table lists the commands for the SA monitor.
Table 126 sa Commands: SA Monitor
COMMAND
    DESCRIPTION
show sa monitor [{begin...
    Displays the current IPSec SAs and the status of each one. You can specify a range of SA entries to display....
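The isakmp_algo proposals in Table 121 and the set pfs and set security-association lifetime options in Table 122 include legacy choices such as DES, MD5 and the 768-bit and 1024-bit Diffie-Hellman groups. The following Python script is an added example, not part of this guide: it scans a pasted CLI session or configuration text for those settings and reports where they occur. The severity ratings, the 86400-second lifetime ceiling, the "isakmp policy" header line and all names in the sample are assumptions of the example.

```python
import re
from typing import NamedTuple

# isakmp_algo values listed in Table 121 of this guide.
KNOWN_ALGOS = {
    "des-md5", "des-sha", "3des-md5", "3des-sha", "aes128-md5", "aes128-sha",
    "aes192-md5", "aes192-sha", "aes256-md5", "aes256-sha",
    "aes256-sha256", "aes256-sha512",
}

# Severity ratings are this example's own policy choices, not the guide's.
CIPHER_NOTES = {
    "des": ("high", "DES uses a 56-bit key"),
    "3des": ("medium", "3DES uses a 64-bit block and is a legacy cipher"),
}
HASH_NOTES = {
    "md5": ("high", "MD5-based integrity is obsolete"),
    "sha": ("medium", "SHA-1 based; sha256 or sha512 is available"),
}
PFS_NOTES = {
    "none": ("medium", "no Perfect Forward Secrecy for the IPSec SA"),
    "group1": ("high", "768-bit Diffie-Hellman group"),
    "group2": ("high", "1024-bit Diffie-Hellman group"),
    "group5": ("medium", "1536-bit Diffie-Hellman group"),
}
MAX_LIFETIME = 86400  # seconds; assumed ceiling for this example

# Strips a CLI prompt such as "Router(config)# " from a pasted session line.
PROMPT = re.compile(r"^\S+(?:\([^)]*\))?[#>]\s*")


class Finding(NamedTuple):
    line: int
    section: str
    severity: str
    value: str
    reason: str


def audit(config_text):
    """Return a Finding for every weak IKE/IPSec setting in config_text."""
    findings = []
    section = "(global)"
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tok = PROMPT.sub("", raw.strip()).split()
        if not tok:
            continue
        # "isakmp policy <name>" is assumed ZLD syntax; "crypto map" is Table 123.
        if tok[:2] in (["isakmp", "policy"], ["crypto", "map"]) and len(tok) > 2:
            section = " ".join(tok[:3])
        elif tok[0] == "exit":
            section = "(global)"
        elif tok[0] == "transform-set":
            for algo in tok[1:]:
                if algo not in KNOWN_ALGOS:
                    continue  # ignore tokens this guide does not list
                cipher, digest = algo.split("-", 1)
                for part, notes in ((cipher, CIPHER_NOTES), (digest, HASH_NOTES)):
                    if part in notes:
                        sev, why = notes[part]
                        findings.append(Finding(lineno, section, sev, algo, why))
        elif tok[:2] == ["set", "pfs"] and len(tok) > 2 and tok[2] in PFS_NOTES:
            sev, why = PFS_NOTES[tok[2]]
            findings.append(Finding(lineno, section, sev, tok[2], why))
        elif tok[:4] == ["set", "security-association", "lifetime", "seconds"]:
            if len(tok) > 4 and tok[4].isdigit() and int(tok[4]) > MAX_LIFETIME:
                findings.append(Finding(lineno, section, "low", tok[4],
                                        f"SA lifetime above {MAX_LIFETIME} s"))
    return findings


# Constructed sample session; object names and prompts are made up.
SAMPLE = """\
Router(config)# isakmp policy HQ_GW
Router(config-isakmp HQ_GW)# transform-set des-md5 aes256-sha256
Router(config-isakmp HQ_GW)# exit
Router(config)# crypto map HQ_TUNNEL
Router(config-crypto HQ_TUNNEL)# set security-association lifetime seconds 3000000
Router(config-crypto HQ_TUNNEL)# set pfs group2
Router(config-crypto HQ_TUNNEL)# exit
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.line} [{f.severity}] {f.section}: {f.value} ({f.reason})")
```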
Chapter 41 SSL VPN
This chapter shows you how to set up secure SSL VPN access for remote user login.
41.1 SSL Access Policy
An SSL access policy allows the UAG to perform the following tasks:
• limit user access to specific applications or files on the network.
•...
Chapter 41 SSL VPN
Table 127 Input Values for SSL VPN Commands (continued)
LABEL
    DESCRIPTION
user_name
    The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Chapter 41 SSL VPN
Table 128 SSL VPN Commands
COMMAND
    DESCRIPTION
[no] eps periodical-check <1..1440>
    Sets the number of minutes to have the UAG repeat the endpoint security check at a regular interval. The no command disables this setting.
[no] network-extension {activate |...
    Use this to configure for a VPN tunnel between the authenticated users and the internal network....
Page 208
Chapter 41 SSL VPN
First, configure 10.1.1.254/24 as the IP address of interface wan1, the external interface that public SSL VPN users connect to. Configure 172.16.10.254/24 as the IP address of interface lan2, which is an internal network.
Router(config)# interface wan1
Router(config-if-ge)# ip address 10.1.1.254 255.255.255.0
Router(config-if-ge)# exit
...
Page 209
Chapter 41 SSL VPN
Displays the SSL VPN rule settings.
Router(config)# show sslvpn policy SSL_VPN_TEST
index: 1
active: yes
name: SSL_VPN_TEST
description:
user: tester
ssl application: none
network extension: yes
ip pool: IP-POOL
dns server 1: DNS1
dns server 2: DNS2
wins server 1: none
wins server 2: none
network: NETWORK1...
Chapter 42 Application Patrol
This chapter describes how to set up application patrol for the UAG.
42.1 Application Patrol Overview
Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications.
Chapter 42 Application Patrol
42.2.1 Application Patrol Commands
This table lists the application patrol commands.
Table 130 app Commands: Application Patrol
COMMAND
    DESCRIPTION
app rename profile_name_old profile_name_new
    Renames an existing profile.
[no] app log_sid
    Generates a log when traffic matches a signature in this category. The no command disables it.
Page 212
Chapter 42 Application Patrol
These are some other example application patrol usage commands.
Router(config)# show app statistics collect
collect statistics: yes
collect statistics time: since 2014-06-03 05:39:59 to 2014-06-10 06:20:17
Router(config)# show app signatures version
version: 3.1.4.049
Router(config)# show app signatures date
date: 2013-12-05 18:09:51
Router(config)# app john
Router(config-app-patrol-profile-john)# description this is a dummy profile...
Chapter 43 Content Filtering
This chapter covers how to use the content filtering feature to control web access.
43.1 Content Filtering Overview
Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites. It can also block access to specific categories of web site content. You can create different content filtering policies for different addresses, schedules, users or groups and content filtering profiles.
Chapter 43 Content Filtering
43.4 Content Filter Command Input Values
The following table explains the values you can input with the content-filter commands.
Table 131 Content Filter Command Input Values
LABEL
    DESCRIPTION
policy_number
    The number of the policy <0 - X > where X depends on the number of content filtering policies the UAG model supports....
Chapter 43 Content Filtering
Table 131 Content Filter Command Input Values (continued)
LABEL
    DESCRIPTION
forbid_hosts
    The IP address or domain name of a forbidden web site. Use a host name such as www.bad-site.com into this text field. Do not use the complete URL of the site –...
Page 216
Chapter 43 Content Filtering
mode to be able to use these commands. See Table 131 on page 214 for details about the values you can input with these commands.
Table 132 content-filter General Commands
COMMAND
    DESCRIPTION
Turns on content filtering. The no command turns it off.
Chapter 43 Content Filtering
Table 132 content-filter General Commands (continued)
COMMAND
    DESCRIPTION
[no] {ipv4 | ipv4_cidr | ipv4_range | wildcard_domainname | tld}
    Adds or removes a common trusted or forbidden web site entry. ipv4: IPv4 address <W.X.Y.Z> ipv4_cidr: IPv4 subnet in CIDR format, i.e. 192.168.1.0/32 <W.X.Y.Z>/<1..32>...
Page 218
Chapter 43 Content Filtering
to enter the configuration mode to be able to use these commands. See Table 131 on page 214 for details about the values you can input with these commands.
Table 134 content-filter profile Commands Summary
COMMAND
    DESCRIPTION
Creates a content filtering profile.
Page 219
Chapter 43 Content Filtering
Table 134 content-filter profile Commands Summary (continued)
COMMAND
    DESCRIPTION
content-filter profile filtering_profile url match {block | log | warn | pass}
    Sets the action for attempted access to web pages that match the profile’s selected managed categories. Block access, allow and log access, display a warning message before allowing access, or allow access.
Chapter 43 Content Filtering
Table 134 content-filter profile Commands Summary (continued)
COMMAND
    DESCRIPTION
no content-filter profile filtering_profile commtouch-url match {log}
    Has the UAG not log attempted access to web pages that match the CommTouch profile’s selected managed categories.
no content-filter profile filtering_profile commtouch-url offline {log}
    Has the UAG not log access to web pages if the CommTouch external content filtering database is...
Chapter 43 Content Filtering
43.9 Content Filtering Statistics
The following table describes the commands for collecting and displaying content filtering statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 136 Commands for Content Filtering Statistics
COMMAND
    DESCRIPTION
Turn the collection of content filtering statistics on or off.
Page 222
Chapter 43 Content Filtering Note: You must register for the external web filtering service before you can use it (see Chapter 5 on page 48). You can also customize the filtering profile. The following commands block active-X, java and proxy access.
Page 223
Chapter 43 Content Filtering
Use this command to display the settings of the profile.
Router(config)# show content-filter profile sales_CF_PROFILE
commtouch service active : yes
url match unsafe: block: no, warn: yes, log:
url match other : block: yes, warn: no, log:
url unrate : block: no, warn: yes, log:...
Chapter 44 User/Group
This chapter describes how to set up user accounts, user groups, and user settings for the UAG. You can also set up rules that control when users have to log in to the UAG before the UAG routes traffic for them (see Chapter 29 on page 158).
Chapter 44 User/Group
44.2 User/Group Commands Summary
The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands.
Table 138 username/groupname Command Input Values
LABEL
    DESCRIPTION
username
    The name of the user (account). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number....
Chapter 44 User/Group
Table 139 username/groupname Commands Summary: Users (continued)
COMMAND
    DESCRIPTION
username username logon-time-setting {default | manual}
    Sets the account to use the factory default lease and reauthentication times or custom ones.
username username [no] logon-re-auth-time
    Sets the reauthentication time for the specified user. Set it to zero to set unlimited reauthentication time....
Chapter 44 User/Group
44.2.3 User Setting Commands
This table lists the commands for user settings, except for forcing user authentication.
Table 141 username/groupname Commands Summary: Settings
COMMAND
    DESCRIPTION
show users default-setting {all | user-type...
    Displays the default lease and reauthentication times for the specified type of user accounts....
Chapter 44 User/Group
Table 141 username/groupname Commands Summary: Settings (continued)
COMMAND
    DESCRIPTION
[no] users simultaneous-logon {administration | access | billing-account} enforce
    Enables the limit on the number of simultaneous logins by users of the specified account-type. The no command disables the limit, or allows an unlimited number of simultaneous logins....
Page 229
Chapter 44 User/Group
Table 142 mac-auth Commands Summary
COMMAND
    DESCRIPTION
[no] mac-auth database mac oui type ext-oui mac-role username description description
    Maps the specified OUI (Organizationally Unique Identifier) authenticated by an external server to the specified MAC role (MAC address user account). The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device....
Chapter 44 User/Group
44.2.5 Additional User Commands
This table lists additional commands for users.
Table 143 username/groupname Commands Summary: Additional
COMMAND
    DESCRIPTION
show users {username | all | current}
    Displays information about the users logged onto the system.
show lockout-users
    Displays users who are currently locked out.
Unlocks the specified IP address....
Page 231
Chapter 44 User/Group
The following commands display the users that are currently locked out and then unlock the user who is displayed.
Router# configure terminal
Router(config)# show lockout-users
Username Tried From Lockout Time Remaining
===========================================================================
From Failed Login Attempt Record Expired Timer
===========================================================================
1 172.16.1.5
Router(config)# unlock lockout-users 172.16.1.5...
Chapter 45 Application Object
Check that you have the latest App Patrol signatures.
45.1 Application Object Commands Summary
The following table describes the values required for many application object commands. Other values are discussed with the corresponding commands.
Table 144 Input Values for Application Object Commands
LABEL
    DESCRIPTION
Type the name of the object....
Chapter 45 Application Object
45.1.1.1 application-object Examples
These are some example usage commands.
Router(config)# show application-object
Name Description Content
===============================================================================
tests New Create Facebook Game (access)
Router(config)# show application-object tests
Name: tests
Description: New Create
Category Application Application ID
===============================================================================
Social Network Facebook Game (access) 402685702...
Page 234
Chapter 45 Application Object
45.1.2.1 object-group application Examples
These are some example usage commands.
Router(config)# show object-group application
Name Description Member
===============================================================================
Router(config)# object-group application may
Router(group-application)# description rinse after use
Router(group-application)# exit
Router(config)# show object-group application
Name Description Member
===============================================================================
rinse after use tests...
Chapter 46 Addresses
This chapter describes how to set up addresses and address groups for the UAG.
46.1 Address Overview
Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. You can create IP address objects based on an interface’s IP address, subnet, or gateway....
Chapter 46 Addresses
46.2.1 Address Object Commands
This table lists the commands for address objects.
Table 148 address-object and address6-object Commands
COMMAND
    DESCRIPTION
show {address-object | address6-object | service-object | schedule-object} [object_name]
    Displays information about the specified object or all the objects of the specified type.
Creates the specified IPv4 address object using the specified...
Page 237
Chapter 46 Addresses
Table 149 object-group Commands: Address Groups (continued)
COMMAND
    DESCRIPTION
[no] address-object object_name
    Adds the specified address to the specified address group. The no command removes the specified address from the specified group.
[no] object-group group_name
    Adds the specified address group (second group_name) to the specified address group (first group_name)....
Chapter 47 Services
Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
47.1 Services Overview
See the appendices in the web configurator’s User Guide for a list of commonly-used services.
47.2 Services Commands Summary
The following table describes the values required for many service object and service group commands....
Page 240
Chapter 47 Services
Table 152 object-group Commands: Service Groups (continued)
COMMAND
    DESCRIPTION
[no] description description
    Sets the description to the specified value. The no command removes the description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
object-group service rename group_name
    Renames the specified service group from the first group_name to the second group_name....
Chapter 48 Schedules
Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, and content filtering.
48.1 Schedule Overview
The UAG supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat.
Note: Schedules are based on the current date and time in the UAG....
Chapter 48 Schedules
Table 154 schedule Commands (continued)
COMMAND
    DESCRIPTION
schedule-object object_name date time date time
    Creates or updates a one-time schedule. date: yyyy-mm-dd date format; yyyy-<01..12>-<01..31>
schedule-object object_name time time [day] [day] [day] [day] [day] [day] [day]
    Creates or updates a recurring schedule. day: 3-character day of the week;...
Chapter 49 AAA Server
This chapter introduces and shows you how to configure the UAG to use external authentication servers.
49.1 AAA Server Overview
You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the UAG supports.
•...
Chapter 49 AAA Server
Table 155 ad-server Commands (continued)
COMMAND
    DESCRIPTION
[no] ad-server binddn binddn
    Sets the user name the UAG uses to log into the default AD server. The no command clears this setting.
[no] ad-server cn-identifier uid
    Sets the unique common name (cn) to identify a record. The no command clears this setting....
Chapter 49 AAA Server
49.2.3 radius-server Commands
The following table lists the radius-server commands you use to set the default RADIUS server.
Table 157 radius-server Commands
COMMAND
    DESCRIPTION
show radius-server
    Displays the default RADIUS server settings.
[no] radius-server host
    Sets the RADIUS server address and service port number. Enter the IP address (in dotted decimal notation) or the domain name of a RADIUS server....
Chapter 49 AAA Server
Table 158 aaa group server ad Commands (continued)
COMMAND
    DESCRIPTION
[no] server alternative-cn-
    Sets the second type of identifier that the users can use to log in if any. For example “name” or “e-mail address”. The no command clears this setting....
Chapter 49 AAA Server
Table 159 aaa group server ldap Commands (continued)
COMMAND
    DESCRIPTION
[no] case-sensitive
    Specify whether or not the server checks the username case. Set this to be the same as the server’s behavior.
[no] server alternative-cn-
    Sets the second type of identifier that the users can use to log in if any. For example “name”...
Page 248
Chapter 49 AAA Server
Table 160 aaa group server radius Commands (continued)
COMMAND
    DESCRIPTION
aaa group server radius group-name
    Enter the sub-command mode.
[no] case-sensitive
    Specify whether or not the server checks the username case. Set this to be the same as the server’s behavior.
[no] server acct-address
    Sets the IP address (in dotted decimal notation) or the domain name of a RADIUS accounting server to add to this server group....
Chapter 49 AAA Server
Table 160 aaa group server radius Commands (continued)
COMMAND
    DESCRIPTION
[no] server host radius_server auth-port auth_port
    Sets the IP address (in dotted decimal notation) or the domain name of a RADIUS server to add to this server group. This also sets the port number (between 1 and 65535) on the RADIUS server to which the UAG sends accounting information....
Chapter 50 Authentication Objects
This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database.
50.1 Authentication Objects Overview
After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the UAG uses to authenticate users (using VPN or managing through HTTP/HTTPS)....
Chapter 50 Authentication Objects
Table 161 aaa authentication Commands (continued)
COMMAND
    DESCRIPTION
[no] aaa authentication profile-name member1 [member2] [member3] [member4]
    Sets the profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius, or local.
    Note: You must specify at least one member for each profile....
Page 252
Chapter 50 Authentication Objects
• Bind-dn: zyxel\engineerABC
• Password: abcdefg
• Login-name-attribute: sAMAccountName
The result shows the account exists on the AD server. Otherwise, the UAG responds with an error.
Router> test aaa server ad host 172.16.50.1 port 389 base-dn DC=ZyXEL,DC=com bind-dn zyxel\engineerABC password abcdefg login-name-attribute sAMAccountName account userABC
dn:: Q049MTIzNzco546L5aOr56uRKSxPVT1XaXRoTWFpbCxEQz1aeVhFTCxEQz1jb20=...
Chapter 51 Certificates
This chapter explains how to use the Certificates.
51.1 Certificates Overview
The UAG can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication....
Chapter 51 Certificates
Table 163 Certificates Commands Input Values (continued)
LABEL
    DESCRIPTION
organization
    Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore....
Page 255
Chapter 51 Certificates
Table 164 ca Commands Summary (continued)
COMMAND
    DESCRIPTION
ca validation remote_certificate
    Enters the sub command mode for validation of certificates signed by the specified remote (trusted) certificates.
cdp {activate|deactivate}
    Turns certificate revocation on or off. When it is turned on, the UAG validates a certificate by getting a Certificate Revocation List (CRL) through HTTP or LDAP (can be...
Page 256
Chapter 51 Certificates
Table 164 ca Commands Summary (continued)
COMMAND
    DESCRIPTION
show ca category {local|remote} name certificate_name certpath
    Displays the certification path of the specified local (my certificates) or remote (trusted certificates) certificate.
show ca category {local|remote} [name certificate_name format {text|pem}]
    Displays a summary of the certificates in the specified category (local for my certificates or remote for trusted...
Chapter 51 Certificates 51.5 Certificates Commands Examples The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512 bit key. Then it displays the list of local certificates.
Chapter 52 ISP Accounts
Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE and PPTP interfaces.
52.1 ISP Accounts Overview
An ISP account is a profile of settings for Internet access using PPPoE or PPTP.
52.1.1 PPPoE and PPTP Account Commands
The following table lists the PPPoE and PPTP ISP account commands....
Page 259
Chapter 52 ISP Accounts
Table 165 PPPoE and PPTP ISP Account Commands (continued)
COMMAND
    DESCRIPTION
[no] service-name {ip | hostname | service_name}
    Sets the service name for the specified PPPoE ISP account. The no command clears the service name. hostname: You may use up to 63 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period....
Chapter 53 SSL Application
This chapter describes how to configure SSL application objects for use in SSL VPN.
53.1 SSL Application Overview
Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group....
Chapter 53 SSL Application
Table 166 SSL Application Object Commands
COMMAND
    DESCRIPTION
server-type weblink url url
    Sets this to create a link to a web site you specified that you expect the SSL VPN users to commonly use. url: Enter the fully qualified domain name (FQDN) or IP address of the application server....
Chapter 54 Endpoint Security
This chapter describes how to configure endpoint security objects for use in authentication policy and SSL VPN.
54.1 Endpoint Security Overview
Use Endpoint Security (EPS), also known as endpoint control, to make sure users’ computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel. After a successful user authentication, a user’s computer must meet the endpoint security object’s Operating System (OS) option and security requirements to gain access....
Chapter 54 Endpoint Security Requirements User computers must have Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a minimum version of 1.4. 54.1.1 Endpoint Security Commands Summary The following table describes the values required for many endpoint security object commands. Other values are discussed with the corresponding commands.
Page 264
Chapter 54 Endpoint Security Table 168 Endpoint Security Object Commands COMMAND DESCRIPTION Sets a permitted personal firewall. If you want to enter multiple personal firewalls, [no] personal-firewall use this command for each of them. Use the list signature personal-firewall personal_firewall_softwar command to view the available personal firewall software package options.
Page 265
Chapter 54 Endpoint Security
Table 168 Endpoint Security Object Commands
COMMAND
    DESCRIPTION
windows-version {windows-2000 | windows-xp | windows-2003 | windows-2008 | windows-vista | windows-7 | windows-2008r2}
    If you set windows as the operating system (using the os-type command), use this command to set the version of Windows.
...
Chapter 54 Endpoint Security
54.1.3 Endpoint Security Object Command Example
Peter wants to create and display an endpoint security object named EPS-Example. Only the computers that match the following criteria can access the company’s SSL VPN:
• Operating system: Windows XP
•...
Page 267
Chapter 54 Endpoint Security
Then he also needs to check the personal firewall software name defined on the UAG. Copy and paste the name of the output item 4 for the setting later.
Router(config)# show eps signature personal-firewall
Name Detection
===============================================================================
Kaspersky_Internet_Security_v2009
Kaspersky_Internet_Security_v2010...
Page 268
Chapter 54 Endpoint Security
Then he leaves the sub-command mode and uses the show command to view the EPS object settings.
Router(eps EPS-Example)# exit
Router(config)# show eps profile
name: EPS-Example
description:
os type: windows
windows version: windows-xp
matching criteria: all
anti-virus activation: yes
anti-virus: 1
name: Kaspersky_Anti-Virus_v2011...
Chapter 55 Dynamic Guest Accounts
55.1 Dynamic Guest Accounts Overview
Dynamic guest accounts are guest accounts, but are created dynamically and stored in the UAG’s local user database. A dynamic guest account has a dynamically-created user name and password. A dynamic guest account user can access the UAG’s services only within a given period of time and will become invalid after the expiration date/time....
Chapter 55 Dynamic Guest Accounts
Table 169 dynamic-guest Commands (continued)
COMMAND
    DESCRIPTION
[no] dynamic-guest user_name
    Creates a dynamic guest account (billing-user) with the specified user name and enters the dynamic-guest sub-command mode to set the password and timeout settings. See Table 170 on page 270 for the sub-commands....
Chapter 55 Dynamic Guest Accounts
Table 170 dynamic-guest Sub-commands (continued)
COMMAND
    DESCRIPTION
remaining-time <1..25920000>
    Sets the amount of Internet access time (in seconds) remaining for the account.
time-period <1..432000>
    Sets the total amount of time (in minutes) the account can use to access...
Chapter 56 System
This chapter provides information on the commands that correspond to what you can configure in the system screens.
56.1 System Overview
Use these commands to configure general UAG information, the system time and the console port connection speed for a terminal emulation program. They also allow you to configure DNS settings and determine which services/protocols can access which UAG zones (if any) from which computers....
Page 273
Chapter 56 System
[Figure 23 Access Page Customization. Labeled elements: Logo, Title, Message (color of all text), Note Message (last line of text), Window Background]
You can specify colors in one of the following ways:
• color-rgb: Enter red, green, and blue values in parenthesis and separate by commas. For example, use “rgb(0,0,0)”...
Chapter 56 System
Table 171 Command Summary: Customization (continued)
COMMAND
    DESCRIPTION
login-page window-color {color-rgb | color-name | color-number}
    Sets the color of the login page’s window border.
logo background-color {color-rgb |...
    Sets the color of the logo banner across the top of the login screen and access page....
Chapter 56 System
56.4.1 Date/Time Commands
The following table describes the commands available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 173 Command Summary: Date/Time
COMMAND
    DESCRIPTION
Sets the new date in year, month and day format...
Chapter 56 System 56.6 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. 56.6.1 Domain Zone Forwarder A domain zone forwarder contains a DNS server’s IP address.
Chapter 56 System
Table 176 Command Summary: DNS (continued)
COMMAND
    DESCRIPTION
[no] ip dns server zone-forwarder {<1..32>|append|insert <1..32>}
    Sets a domain zone forwarder record that specifies a fully qualified domain name. You can also use a star (*) if all domain zones are served by the specified DNS server(s)....
Chapter 56 System
56.7.1 Authentication Server Commands
The following table lists the authentication server commands you use to configure the UAG’s built-in authentication server settings.
Table 177 Command Summary: Authentication Server
COMMAND
    DESCRIPTION
[no] auth-server activate
    Sets the UAG to act as an authentication server for other RADIUS clients, such as APs....
56.7.2 Authentication Server Command Examples
The following example shows you how to enable the authentication server feature on the UAG and set a trusted RADIUS client profile. This example also shows you the authentication server and client profile settings.
Router# configure terminal
Router(config)# auth-server activate
Router(config)# auth-server trusted-client AP-1...
56.8.2 ZON Commands
The following table describes the commands available for ZON. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 178 Command Summary: ZON
COMMAND DESCRIPTION
Activates LLDP discovery on the UAG....
Chapter 57 System Remote Management
This chapter shows you how to determine which services/protocols can access which UAG zones (if any) from which computers.
Note: To access the UAG from a specified computer using a service, make sure no service control rules or to-Device firewall rules block that traffic.
57.1 Remote Management Overview
You may manage your UAG from a remote location via: •...
57.2 Common System Command Input Values
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 179 Input Values for General System Commands
LABEL DESCRIPTION
The name of the IP address (group) object....
Table 180 Command Summary: HTTP/HTTPS (continued)
COMMAND: [no] ip http secure-server cert certificate_name
DESCRIPTION: Specifies a certificate used by the HTTPS server. The no command resets the certificate used by the HTTPS server to the factory default (default).
certificate_name: The name of the certificate....
57.3.1 HTTP/HTTPS Command Examples
The following example adds a service control rule that allows an administrator from the computers with the IP addresses matching the Marketing address object to access the WAN zone using HTTP service.
Router# configure terminal
Router(config)# ip http server table admin rule append access-group Marketing zone WAN action accept...
57.4.3 SSH Commands
The following table describes the commands available for SSH. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 181 Command Summary: SSH
COMMAND DESCRIPTION
Allows SSH access to the UAG CLI....
57.5 Telnet
You can configure your UAG for remote Telnet access.
57.6 Telnet Commands
The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 182 Command Summary: Telnet
COMMAND...
57.7 Configuring FTP
You can upload and download the UAG’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.
57.7.1 FTP Commands
The following table describes the commands available for FTP. You must use the configure terminal command to enter the configuration mode before you can use these commands....
This command displays FTP settings.
Router# configure terminal
Router(config)# show ip ftp server status
active : yes
port : 21
certificate: default : no
service control:
Zone Address Action
========================================================================
57.8 SNMP
Simple Network Management Protocol is a protocol used for exchanging management information between network devices....
57.8.3 SNMP Commands
The following table describes the commands available for SNMP. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 185 Command Summary: SNMP
COMMAND DESCRIPTION
Allows SNMP access to the UAG....
The following command sets the password (secret) for read-write (rw) access.
Router# configure terminal
Router(config)# snmp-server community secret rw
The following command sets the IP address of the host that receives the SNMP notifications to 172.16.15.84 and the password (sent with each trap) to qwerty....
Chapter 58 File Manager
This chapter covers how to work with the UAG’s firmware, certificates, configuration files, packet trace results, shell scripts and temporary files.
58.1 File Directories
The UAG stores files in the following directories.
Table 187 FTP File Transfer Notes
FILE NAME DIRECTORY FILE TYPE...
These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
Figure 24 Configuration File / Shell Script: Example
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure wan1...
Chapter 58 File Manager Line 3 in the following example exits sub command mode. interface wan1 ip address dhcp Lines 1 and 3 in the following example are comments and line 4 exits sub command mode. interface wan1 # this interface is a DHCP client Lines 1 and 2 are comments.
Chapter 58 File Manager • When the UAG reboots, if the startup-config.conf file passes the error check, the UAG keeps a copy of the startup-config.conf file as the lastgood.conf configuration file for you as a back up file. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.
58.4 File Manager Commands Summary
The following table lists the commands that you can use for file management.
Table 190 File Manager Commands Summary
COMMAND: apply /conf/file_name.conf [ignore-
DESCRIPTION: Has the UAG use a specific configuration file. You must still use the write command to save your configuration changes to the flash (“non-...
Table 190 File Manager Commands Summary (continued)
COMMAND: show running-config
DESCRIPTION: Displays the settings of the configuration file that the system is using.
COMMAND: [no] backup-startup activate
DESCRIPTION: Sets the UAG to back up the startup-config.conf file when it is performing a firmware upgrade....
Use “put” to transfer files from the computer to the UAG. For example:
In the conf directory, use “put config.conf today.conf” to upload the configuration file (config.conf) to the UAG and rename it “today.conf”.
“put 1.00(XL.0).bin” transfers the firmware (1.00(XL.0).bin) to the UAG.
The firmware update can take up to five minutes....
58.6.4 Command Line FTP Configuration File Download Example
The following example gets a configuration file named today.conf from the UAG and saves it on the computer as current.conf.
Figure 26 FTP Configuration File Download Example
C:\>ftp 192.168.1.1
Connected to 192.168.1.1....
Chapter 58 File Manager 58.8 Notification of a Damaged Recovery Image or Firmware The UAG’s recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the UAG notifies you of a damaged recovery image or firmware file.
Chapter 58 File Manager If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged. Use the procedure in Section 58.10 on page 302 to restore it. If the message does not display, the firmware is OK and you do not need to use the firmware recovery procedure.
Chapter 58 File Manager Note: You only need to use the atuk or atur command if the recovery image is damaged. Figure 32 atuk Command for Restoring the Recovery Image > atuk This command is for restoring the "recovery image" (xxx.ri). Use This command only when 1) the console displays "Invalid Recovery Image"...
Chapter 58 File Manager Enter atgo. The UAG starts up. If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged and you need to use the procedure in Section 58.10 on page 302 to recover the firmware.
Enter “quit” to exit the ftp prompt.
Figure 38 FTP Firmware Transfer Complete
200 PORT command successful
150 Opening BINARY mode data connection for 250AACG0C0.bin
226-firmware verifying...
226-firmware updating...
226-Please Wait about 5 minutes!!
226-Do not poweroff or reset,
226-system will reboot automatically after finished updating....
Chapter 59 Logs
This chapter provides information about the UAG’s logs.
Note: When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User’s Guide for the maximum number of system log messages in the UAG.
59.1 Log Commands Summary
The following table describes the values required for many log commands....
59.1.2 System Log Commands
This table lists the commands for the system log settings.
Table 193 logging Commands: System Log Settings
COMMAND: show logging status system-log
DESCRIPTION: Displays the current settings for the system log.
COMMAND: logging system-log category module_name
DESCRIPTION: Specifies what kind of information, if any, is logged in the system log and debugging log for the specified category....
59.1.3 Debug Log Commands
This table lists the commands for the debug log settings.
Table 194 logging Commands: Debug Log Settings
COMMAND: show logging debug status
DESCRIPTION: Displays the current settings for the debug log.
COMMAND: show logging debug entries [priority pri] [category module_name] [srcip ip] [dstip ip]
DESCRIPTION: Displays the specified entries in the system log.
pri: alert | crit | debug | emerg | error | info | notice | warn...
59.1.4 E-mail Profile Commands
This table lists the commands for the e-mail profile settings.
Table 196 logging Commands: E-mail Profile Settings
COMMAND: show logging status mail
DESCRIPTION: Displays the current settings for the e-mail profiles.
COMMAND: [no] logging mail <1..2>
DESCRIPTION: Enables the specified e-mail profile. The no command disables...
Table 196 logging Commands: E-mail Profile Settings (continued)
COMMAND: [no] logging mail <1..2> tls activate
DESCRIPTION: Sets the UAG to use Transport Layer Security (TLS) to have encrypted communications between the mail server and the UAG. The no command disables TLS in communications between the mail server and the UAG....
Chapter 60 Reports and Reboot
This chapter provides information about the report associated commands and how to restart the UAG using commands. It also covers the daily report e-mail feature.
60.1 Report Commands Summary
The following sections list the report, session, and packet size statistics commands.
60.1.1 Report Commands
This table lists the commands for reports....
60.1.2 Report Command Examples
The following commands start collecting data, display the traffic reports, and stop collecting data.
Router# configure terminal
Router(config)# show report lan1 ip
No. IP Address User Amount Direction
===================================================================
192.168.1.4 admin 1273(bytes) Outgoing
192.168.1.4...
Use these commands to have the UAG e-mail you system statistics every day. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 201 Email Daily Report Commands
COMMAND DESCRIPTION
Displays the e-mail daily report settings....
Table 201 Email Daily Report Commands (continued)
COMMAND: send-now
DESCRIPTION: Sends the daily e-mail report immediately.
COMMAND: [no] smtp-tls activate
DESCRIPTION: Sets the UAG to use Transport Layer Security (TLS) to have encrypted communications between the mail server and the UAG....
• Turns on the daily e-mail reporting.
Router(config)# daily-report
Router(config-daily-report)# no activate
Router(config-daily-report)# smtp-address example-SMTP-mail-server.com
Router(config-daily-report)# mail-subject set test
Router(config-daily-report)# no mail-subject append system-name
Router(config-daily-report)# mail-subject append date-time
Router(config-daily-report)# mail-from my-email@example.com
Router(config-daily-report)# mail-to-1 example-administrator@example.com
Router(config-daily-report)# no mail-to-2
Router(config-daily-report)# no mail-to-3
Router(config-daily-report)# mail-to-4 my-email@example.com
Router(config-daily-report)# no mail-to-5...
60.3 Reboot
Use this to restart the device (for example, if the device begins behaving erratically). If you made changes in the CLI, you have to use the write command to save the configuration before you reboot. Otherwise, the changes are lost when you reboot. Use the command to restart the device....
Chapter 61 Session Timeout
Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands.
Table 202 Session Timeout Commands
COMMAND DESCRIPTION
Sets the timeout for UDP sessions to connect or deliver session timeout {udp-connect <1..300>...
Chapter 62 Diagnostics
This chapter covers how to use the diagnostics feature.
62.1 Diagnostics
The diagnostics feature provides an easy way for you to generate a file containing the UAG’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting....
Chapter 63 Packet Flow Explore
This chapter covers how to use the packet flow explore feature.
63.1 Packet Flow Explore
Use this to get a clear picture on how the UAG determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you a summary of all your routing and SNAT settings and helps troubleshoot the related problems....
63.3 Packet Flow Explore Commands Example
The following example shows all routing related functions and their order.
Router> show route order
route order: Direct Route, Policy Route, VPN 1-1 Mapping Route, 1-1 SNAT, SiteTo Site VPN, Dynamic VPN, Static-Dynamic Route, Default WAN Trunk, Main Route
The following example shows all SNAT related functions and their order....
The following example shows all activated dynamic VPN rules.
Router> show system route dynamic-vpn
Source Destination VPN Tunnel
===========================================================================
The following example shows all activated VPN 1-1 mapping rules.
Router> show system route vpn-1-1-map
Source Destination Outgoing Gateway...
The following example shows all activated 1-to-1 NAT rules.
Router> show system snat nat-1-1
VS Name Source Destination Outgoing SNAT
===========================================================================
The following example shows the default WAN trunk settings.
Router> show system snat default-snat
Incoming Outgoing SNAT...
Chapter 64 Maintenance Tools
Use the maintenance tool commands to check the conditions of other devices through the UAG. The maintenance tools can help you to troubleshoot network problems.
Here are maintenance tool commands that you can use in privilege mode.
Table 205 Maintenance Tools Commands in Privilege Mode
COMMAND DESCRIPTION...
Here are maintenance tool commands that you can use in configure mode.
Table 206 Maintenance Tools Commands in Privilege Mode
COMMAND: [no] packet-capture activate
DESCRIPTION: Performs a packet capture that captures network traffic going through the set interface(s)....
Table 207 Maintenance Tools Commands in Configuration Mode (continued)
COMMAND: arp IP mac_address
DESCRIPTION: Edits or creates an ARP table entry.
COMMAND: no arp ip
DESCRIPTION: Removes an ARP table entry.
The following example creates an ARP table entry for IP address 192.168.1.10 and MAC address 01:02:03:04:05:06....
• The maximum size of a packet capture file: 100 megabytes
Router(config)# packet-capture configure
Router(packet-capture)# iface add wan1
Router(packet-capture)# ip-type any
Router(packet-capture)# host-ip any
Router(packet-capture)# file-suffix Example
Router(packet-capture)# files-size 10
Router(packet-capture)# duration 150
Router(packet-capture)# storage usbstorage
Router(packet-capture)# ring-buffer disable
Router(packet-capture)# split-size 100
Router(packet-capture)#...
Chapter 65 Watchdog Timer
This chapter provides information about the UAG’s watchdog timers.
65.1 Hardware Watchdog Timer
The hardware watchdog has the system restart if the hardware fails. The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings....
65.3 Application Watchdog
The application watchdog has the system restart a process that fails. These are the app-watchdog commands. Use the configure terminal command to enter the configuration mode to be able to use these commands.
Table 210 app-watchdog Commands
COMMAND DESCRIPTION...
Chapter 65 Watchdog Timer 65.3.1 Application Watchdog Commands Example The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring. UAG CLI Reference Guide...
List of Commands (Alphabetical)
This section lists the commands and sub-commands in alphabetical order. Commands and subcommands appear at the same level.
[no] {anti-virus | personal-firewall} activate
[no] {firewall|secure-policy} activate
[no] {firewall|secure-policy} asymmetrical-route activate
[no] {ipv4 | ipv4_cidr | ipv4_range | wildcard_domainname | tld}
...
[no] ip ftp server cert certificate_name
[no] ip ftp server port <1..65535>
[no] ip ftp server tls-required
[no] ip gateway ip
[no] ip helper-address ip
[no] ip http authentication auth_method
[no] ip http port <1..65535>
...
ip dns server max-ttl <10..3600>
ip dns server rule {<1..32>|append|insert <1..32>} access-group {ALL|address_object} zone {ALL|address_object} action {accept|deny}
ip dns server rule move <1..32> to <1..32>
ip dns server zone-forwarder {<1..32>|append|insert <1..32>} {domain_zone_name|*} user-defined w.x.y.z [private | interface {interface_name | auto}]
ip dns server zone-forwarder move <1..32>
...
network IP/<1..32>
no address-object object_name
no application-object object_name
no application-object profile_name
no area IP virtual-link IP message-digest-key <1..255>
no arp ip
no authentication key
no auth-server authentication
no ca category {local|remote} certificate_name
no ca validation name
...
schedule-run 1 file_name.zysh {daily | monthly | weekly} time {date | sun | mon | tue | wed | thu | fri | sat}
security securityprofile
send-now
server-auth <1..2> ip address ipv4_address port <1..65535> secret secret
server-type rdp server-address server-address [starting-
...
show application-object object_name
show app-watch-dog config
show app-watch-dog monitor-list
show app-watch-dog reboot-log
show arp-table
show auth-server status
show auth-server trusted-client
show auth-server trusted-client profile_name
show auto-healing config
show backup-startup status
show billing discount default rule
...
show corefile copy usb-storage
show cpu status
show crypto map [map_name]
show daily-report status
show dcs config
show ddns [profile_name]
show device-register status
show diag-info
show diag-info copy usb-storage
show disk
...
show isakmp policy [policy_name]
show isakmp sa
show l2-isolation
show l2-isolation activation
show l2-isolation white-list [rule_number]
show l2-isolation white-list activation
show lan-provision ap ap_mac interface {lan_port | vlan_interface | all| ethernet | uplink | vlan}
show ldap-server
...
show policy-route underlayer-rules
show port setting
show port status
show port vlan-id
show port-grouping
show printer-manager button
show printer-manager discover-printer-status
show printer-manager printer [<1..10>]
show printer-manager printerfw version
show printer-manager printer-status
...
show service-register status all
show service-register status content-filter
show service-register status extension-user
show service-register status external-ap-control
show service-register status sms
show session timeout {icmp | tcp | udp}
show session-limit
show session-limit begin rule_number end rule_number
...
show vpn-concentrator [profile_name]
show vpn-configuration-provision activation
show vpn-configuration-provision authentication
show vpn-configuration-provision rules
show vpn-counters
show walled-garden activation
show walled-garden rule <1..20>
show web-auth activation
show web-auth default-rule
show web-auth exceptional-service
show web-auth method
...
sslvpn policy {profile_name | profile_name append | profile_name insert <1..16>}
sslvpn policy move <1..16> to <1..16>
sslvpn policy rename profile_name profile_name
status: active
storage <internal|usbstorage>
subframe-ampdu <2..64>
system default-interface-group group-name
telnet
...