100 CLI User Manual INTRODUCTION ... 1 ABOUT THIS DOCUMENT ... 2 CONVENTIONS FREEDOM DOCUMENTATION CUSTOMER SERVICE AND TECHNICAL SUPPORT USING THE CLI ... 4 ADMINISTRATOR ACCESS CLI ... 4 CONNECTING TO THE CLI ... 8 STRUCTURE ... 16 BASICS CONFIG ALERTEMAIL ...
... 97 SYSLOGD SETTING ... 99 TRAFFICFILTER ... 102 WEBTRENDS SETTING CONFIG ROUTER... 104 ... 104 ACCESS LIST GET ROUTER INFO OSPF GET ROUTER INFO PROTOCOLS ... 108 GET ROUTER INFO RIP GET ROUTER INFO ROUTING ... 109 CHAIN ...112 OSPF ...
10.29 ... 238 VDOM 10.30 ... 239 ZONE CONFIG USER ... 241 11.1 ... 241 GROUP 11.2 ... 243 LDAP 11.3 ... 245 LOCAL 11.4 ... 247 PEER 11.5 ... 249 PEERGRP 11.6 ... 251 RADIUS CONFIG VPN...
support before using these commands.
Conventions
This guide uses the following conventions to describe command syntax.
• Angle brackets < > to indicate variables. For example: execute restore config <filename_str>
You enter: execute restore config myfile.bak
<xxx_str> indicates an ASCII string that does not contain new-lines or carriage returns.
<xxx_integer>...
100 CLI Reference Guide
freeGuard 100 Log Message Reference Guide
freeGuard 100 VPN Guide
The freeGuard 100 online help also contains procedures for using the freeGuard 100 web-based manager to configure and manage your freeGuard 100.
Comments on freedom9 technical documentation
You can send information about errors or omissions in this document or any Freedom9 technical documentation to support@freedom9.com.
Administrator access Each administrator account belongs to an access profile. You can create access profiles that deny access to or allow read only, write only, or both read and write access to the following freeGuard 100 features. System Configuration: Can access the system status, interface, virtual domain, HA, routing, option, SNMP, time, and replacement message features.
To use the web-based manager to configure freeGuard 100 interfaces for SSH or Telnet access, see the freeGuard 100 Administration Guide.
To use the CLI to configure SSH or Telnet access
• Connect and log into the CLI using the freeGuard 100 console port and your terminal emulation software.
9600 None...
<name_str>
set allowaccess ssh
Where <name_str> is the name of the freeGuard 100 interface to be configured to accept SSH connections. For example, to configure the internal interface to accept SSH connections, enter:
config system interface...
Connecting to the freeGuard 100 CLI using Telnet You can use Telnet to connect to the freeGuard 100 CLI from your internal network or the Internet. Once the freeGuard 100 is configured to accept Telnet connections, you can run a Telnet client on your management computer and use this client to connect to the freeGuard 100 CLI.
Add an entry to the freeGuard 100 configuration or edit an existing entry. For example, in the config system admin shell:
• type edit admin and press Enter to edit the settings for the default admin administrator account.
• type move 3 before 1 and press Enter to move the policy in the third position in the table to the first position in the table.
delete
Remove an entry from the freeGuard 100 configuration. For example, in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin.
192.168.20.200 255.255.255.0
status: up
netbios-forward: disable
type: physical
ip6-address: ::/0
ip6-send-adv: disable
== [ external
name: external
mode: static
ip: 192.168.100.99 255.255.255.0
status: up
netbios-forward: disable
type: physical
ip6-address: ::/0
ip6-send-adv: disable
Example
When you type get in the internal interface shell, the configuration values for the internal interface are displayed.
: ::/0
ip6-default-life : 1800
...
show branch
Use show to display the freeGuard 100 configuration. Only changes to the default configuration are displayed. You can use show within a config shell to display the configuration of that shell, or you...
5
set hostname 'FreeGuard 100'
set interval 5
set lcdpin 123456
set ntpserver '132.246.168.148'
set syncinterval 60
set timezone 04
execute branch
Use execute to run static commands, to reset the freeGuard 100 to factory defaults, to back up or...
Enter to restart the freeGuard 100.
diagnose branch
Commands in the diagnose branch are used for debugging the operation of the freeGuard 100 and to set parameters for displaying different levels of diagnostic information. The diagnose commands are not documented in this CLI Reference Guide.
• To set the primary DNS server address to 172.16.100.100, type: set primary 172.16.100.100 and press Enter.
• To set the secondary DNS server address to 207.104.200.1, type: set secondary 207.104.200.1 and press Enter.
• To restore the primary DNS server address to the default address, type unset primary and press Enter.
unset
show
next
abort
• At the (internal)# prompt, type: config secondaryip and press Enter. The prompt changes to (secondaryip)#.
• At the (secondaryip)# prompt, type: ? The following options are displayed.
edit
delete
purge
show
•...
The following options are displayed.
allowaccess
detectserver
gwdetect
• To set the secondary IP address with the ID number 0 to 192.168.100.100 and the netmask to 255.255.255.0, type: set ip 192.168.100.100 255.255.255.0 and press Enter.
• To add another secondary IP address to the internal interface, type next and press Enter. The prompt changes to (secondaryip)#.
• Line continuation
• Command abbreviation
• Environment variables
• Encrypted password support
• Using single quotes to enter tabs or spaces in strings
• International characters
• IP address formats
• Editing the configuration file
•...
$SerialNum
Encrypted password support
After you enter a clear text password using the CLI, the freeGuard 100 encrypts the password and stores it in the configuration file with the prefix ENC. For example:
show system admin user1
config system admin
edit "user1"...
set password ENC XXNFKpSV3oIVk
next
It is also possible to enter an already encrypted password. For example, type: config system admin and press Enter. Type: edit user1 and press Enter. Type: set password ENC XXNFKpSV3oIVk and press Enter.
The IP address is displayed in the configuration file in dotted decimal format.
Editing the configuration file
You can change the freeGuard 100 configuration by backing up the configuration file to a TFTP server. Then you can make changes to the file and restore it to the FreeGuard 100.
To match a special character such as '.' and '*', regular expressions use the '\' escape character. For example:
• To match freedom9.com, the regular expression should be freedom9\.com.
In Perl regular expressions, '*' means match 0 or more times of the character before it, not 0 or more times of any character. For example:
•...
"word": lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk the strings 100 and mk optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b abc when followed by a word boundary (e.g. in abc! but not in abcd)
perl\B perl when not followed by a word boundary (e.g.
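The escaping, quantifier, white-space and word-boundary behaviours described in the two paragraphs above, checked against Python's re module. This is an example added here, not text or code from the manual; Python's syntax for '.', '*', '\s', '\b' and '\B' follows the Perl semantics the manual describes, and the sample strings are constructed for the demonstration.

```python
import re

# Added example (not from the freeGuard manual): the Perl-style regular
# expression behaviours the manual describes, run through Python's re module.
# The sample strings below are constructed for the demonstration.

def matches(pattern, text):
    """True if pattern is found anywhere in text (search semantics, as a
    content filter would apply it to a URL or a message body)."""
    return re.search(pattern, text) is not None

def domain_match_demo():
    # An unescaped '.' matches any character, so 'freedom9.com' also matches
    # 'freedom9xcom'; 'freedom9\.com' only matches a literal dot.
    return {
        "unescaped_matches_xcom": matches(r"freedom9.com", "freedom9xcom"),
        "escaped_matches_xcom": matches(r"freedom9\.com", "freedom9xcom"),
        "escaped_matches_real": matches(r"freedom9\.com", "www.freedom9.com"),
    }

def star_demo():
    # '*' repeats only the element before it: 'ab*c' matches 'ac' and 'abbbc'
    # but not 'axc'. It is not the "any characters" wildcard of shell globbing.
    return {
        "ac": matches(r"ab*c", "ac"),
        "abbbc": matches(r"ab*c", "abbbc"),
        "axc": matches(r"ab*c", "axc"),
    }

def whitespace_demo():
    # '\s*' allows any amount of space, tab or newline between 100 and mk,
    # including none, but not other characters.
    return {
        "joined": matches(r"100\s*mk", "100mk"),
        "spaced": matches(r"100\s*mk", "100 \t\nmk"),
        "hyphen": matches(r"100\s*mk", "100-mk"),
    }

def boundary_demo():
    # '\b' requires a word boundary after abc; '\B' requires that there is none.
    return {
        "abc!": matches(r"abc\b", "abc!"),
        "abcd": matches(r"abc\b", "abcd"),
        "perlish": matches(r"perl\B", "perlish"),
        "perl.": matches(r"perl\B", "perl."),
    }

if __name__ == "__main__":
    for demo in (domain_match_demo, star_demo, whitespace_demo, boundary_demo):
        print(demo.__name__, demo())
```

The first demo is the one that matters most when writing URL block or exempt patterns: an unescaped dot silently widens the pattern to hosts that merely share the surrounding characters.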
Use this command to specify what log activity and what log severity level to send alert email for. You can configure the freeGuard 100 to send alert email to multiple recipients when selected events occur. Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email.
{disable | enable}
exempt {disable | enable}: Enable or disable sending an alert email when the freeGuard 100 allows a web page listed on the URL exempt list.
Enable or disable sending an alert email when the freeGuard 100 logs high availability (HA) activity.
Enable or disable sending an alert email for system activity.
{disable | enable}
url_block {disable | enable}: Enable or disable sending an alert email when the freeGuard 100 blocks a web page listed on the URL block list.
virus: Enable or disable sending an alert email when entries are written to the virus log.
Use this command to configure the freeGuard 100 to send alert email to up to three recipients, and to configure how frequently the FreeGuard 100 sends alert email. Note: Because the freeGuard 100 uses the SMTP server name to connect to the mail server, it must be able to look up this name on your DNS server.
alertemail setting command keywords and variables
Keywords & Variables: Description
alert-interval <minutes_integer>: Enter the number of minutes the freeGuard 100 should wait before sending out alert email for alert level messages.
Authenticate: Enable SMTP authentication if the freeGuard 100 is required to authenticate before using the SMTP server.
<user-name_str>: This address appears in the From header of the alert email.
warning-interval <minutes_integer>: Enter the number of minutes the freeGuard 100 should wait before sending out alert email for warning level messages.
Examples
This example shows how to configure the SMTP server and user name, add two email addresses for sending alerts to, and specify how frequently to send alerts for each log severity level.
config antivirus
filepattern
grayware <category-name_str>
heuristic
service http
service ftp
service pop3
service imap
service smtp
filepattern
Use this command to add, edit or delete the file patterns used for virus blocking and to set which protocols to check for files to block.
enabled file patterns.
block {ftp http imap pop3 smtp}: Block selected protocols. Blocking deletes files that match the file patterns.
Example
This example shows how to add the *.xyz file pattern, allow *.xyz files in IMAP, SMTP, and POP3 traffic, and block *.xyz files in HTTP and FTP traffic.
config antivirus filepattern
edit *.xyz
set allow imap smtp pop3...
The freeGuard 100 scans for known grayware executable programs in each category you enable. The category list and contents are added or updated whenever your freeGuard 100 receives a virus update package. New categories may be added at any time and are loaded with virus updates. By default, all new categories are disabled.
<category-name_str> unset <keyword>
get antivirus grayware [<category-name_str>]
show antivirus grayware [<category-name_str>]
Note: The freeGuard 100 CLI is case sensitive and the first letter of all grayware category names is uppercase.
antivirus grayware command keywords and variables
Keywords & Variables...
• config antivirus service smtp
service http
Use this command to configure how the freeGuard 100 handles antivirus scanning of large files in HTTP traffic and what ports the freeGuard 100 scans for HTTP.
Command syntax pattern
config antivirus service http
set <keyword>...
a variety of encoding types and some encodings translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes less than the memfilesizelimit.
Use this command to configure how the freeGuard 100 handles antivirus scanning of large files in FTP traffic and how the freeGuard 100 handles the buffering and uploading of files to an FTP server.
This example shows how to set the maximum file size buffered to memory for scanning at 25 MB, the maximum uncompressed file size that can be buffered to memory at 100 MB, and how to enable antivirus scanning on ports 20 and 21 for FTP traffic.
The maximum file size allowed is 10% of the freeGuard 100 RAM size. For example, a freeGuard 100 with 256 MB of RAM could have a threshold range of 1 MB to 25 MB. Note: For email...
• config antivirus service smtp
service imap
Use this command to configure how the freeGuard 100 handles antivirus scanning of large files in IMAP traffic and what ports the freeGuard 100 scans for IMAP.
Command syntax pattern
config antivirus service imap
set <keyword>...
common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes less than the memfilesizelimit.
port <port_integer>: Configure antivirus scanning on a nonstandard port number or multiple port numbers for IMAP.
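The base64 size effect that the HTTP and IMAP service sections both describe, worked through in code. This is an example added here, not code from the manual or the freeGuard 100; it assumes the limit is compared against the encoded attachment as buffered, and a MIME line length of 76 characters with a CRLF after each line, which is the usual layout but is an assumption about the mail client, not a value from the manual.

```python
import base64

# Added example, not from the freeGuard manual: why an attachment can be
# logged as oversized although the raw file is smaller than memfilesizelimit.
# Base64 turns every 3 input bytes into 4 output characters, and a MIME body
# also carries a CRLF after each encoded line (76 characters assumed here).

MB = 1024 * 1024

def base64_size(raw_bytes, line_length=0):
    """Encoded length of raw_bytes bytes: 4 characters per 3 input bytes with
    the final partial group padded, plus 2 bytes (CRLF) per line when
    line_length > 0."""
    encoded = (raw_bytes + 2) // 3 * 4
    if line_length > 0:
        encoded += 2 * ((encoded + line_length - 1) // line_length)
    return encoded

def exceeds_limit(attachment_bytes, memfilesizelimit_bytes, line_length=76):
    """True if the encoded attachment is larger than the configured limit."""
    return base64_size(attachment_bytes, line_length) > memfilesizelimit_bytes

def formula_matches_library(max_bytes=64):
    """Cross-check the 4/3 formula against Python's real encoder (no line breaks)."""
    return all(base64_size(n) == len(base64.b64encode(b"\x00" * n))
               for n in range(max_bytes))

def largest_raw_under_limit(memfilesizelimit_bytes, line_length=76):
    """Largest raw attachment size whose encoded form still fits the limit.
    base64_size is monotonic in the input size, so a binary search suffices."""
    lo, hi = 0, memfilesizelimit_bytes
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if exceeds_limit(mid, memfilesizelimit_bytes, line_length):
            hi = mid - 1
        else:
            lo = mid
    return lo

if __name__ == "__main__":
    limit = 25 * MB
    for raw in (18 * MB, 20 * MB):
        print(f"{raw / MB:.0f} MB raw -> {base64_size(raw, 76) / MB:.2f} MB encoded,"
              f" exceeds {limit / MB:.0f} MB limit: {exceeds_limit(raw, limit)}")
    print(f"largest raw attachment under the limit: {largest_raw_under_limit(limit) / MB:.2f} MB")
```

With a 25 MB memfilesizelimit a 20 MB attachment is already over the limit once encoded, while 18 MB still fits; largest_raw_under_limit gives the real headroom for a given limit, which is the number to compare against the attachment sizes users actually send.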
service smtp
Use this command to configure how the freeGuard 100 handles antivirus scanning of large files in SMTP traffic, what ports the freeGuard 100 scans for SMTP, and how the freeGuard 100 handles interaction with an SMTP server for delivery of email with infected email file attachments.
This example shows how to set the maximum file size that can be buffered to memory for scanning at 100 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 1 GB (1000 MB), and how to enable antivirus scanning on ports 25 and 465 for SMTP traffic.
IP address, and a netmask, or a name and IP address range. The freeGuard 100 comes configured with the default address All, which represents any IP address. Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall policies.
config firewall address delete <name_str>
get firewall address [<name_str>]
show firewall address [<name_str>]
firewall address command keywords and variables
Keywords & Variables: Description
subnet <address_ipv4mask>: If type is set to ipmask, the IP address can be the IP address of a single computer (for example, 192.45.46.45) or the address of a subnetwork (for example, 192.168.1.0).
set type iprange
set start_ip 13.1.1.10
set end_ip 13.1.1.30
This example shows how to display the firewall address list.
get firewall address
This example shows how to display the settings for the address User_Range.
get firewall address User_Range
This example shows how to display the configuration for the entire address list.
delete <group-name_str>
get firewall addrgrp [<name_str>]
show firewall addrgrp [<name_str>]
firewall addrgrp command keywords and variables
Keywords and variables: Description
member <name_str> [<name_str> [<name_str>...: The names of the addresses to add to the address group. The member addresses must already have been added.
DNS translation translates IP addresses in packets sent by a DNS server from the internal network to the external network. Use DNS translation if you have a DNS server on your internal network that can be accessed by users on the external network to find the IP addresses of servers on your internal network.
Use this command to configure IP/MAC binding settings. You can enable or disable IP/MAC binding for traffic going to or through the FreeGuard 100. You can allow or block traffic not defined in the IP/MAC binding table. You can enable or disable IP/MAC binding for each individual FreeGuard 100 interface using the ipmac keyword with the interface command described on page 262.
Command syntax pattern
config firewall ipmacbinding setting
set <keyword> <variable>
config firewall ipmacbinding setting
unset <keyword>
get firewall ipmacbinding setting
show firewall ipmacbinding setting
firewall ipmacbinding setting command keywords and variables
Example Keywords & Variables...
Use this command to add IP and MAC address pairs to the IP/MAC binding table, or to edit or delete IP and MAC address pairs added to the IP/MAC binding table. You can enable or disable IP/MAC binding for each individual freeGuard 100 interface using the ipmac keyword.
This means that all packets with these IP addresses are allowed to continue through the firewall to be matched with a firewall policy.
name <name_str>: Optional name for this entry on the IP/MAC address table.
status: Enable or disable IP/MAC binding for this address pair.
Use the following command to add an IP pool with these settings to the firewall configuration.
• ID number: 1
• interface name: internal
• start of IP address range: 192.168.1.100
• end of IP address range: 192.168.1.200
Default 0.0.0.0 No default.
config firewall ippool
edit 1
set startip 192.168.1.100
set endip 192.168.1.200
set interface internal
This example shows how to display the settings for the firewall ippool command.
get firewall ippool
This example shows how to display the settings for the id 1 IP pool.
1
set dstaddr 10.0.0.1 255.255.255.0
set dstintf dmz/ha
set nat 10.0.1.1
set srcaddr 192.168.100.12 255.255.255.0
set srcintf internal
This example shows how to display the settings for the firewall multicast-policy command.
get firewall multicast-policy
This example shows how to display the settings for the id 1 multicast policy.
Firewall policies control all traffic passing through the freeGuard 100. Firewall policies are instructions used by the freeGuard 100 to decide what to do with a connection request. The policy directs the firewall to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN packet.
interface, and enable or disable fixedport so that the NAT policy does not translate the packet source port. Enter deny to deny packets that match the firewall policy. Enter encrypt to configure the policy to be an encrypt policy for IPSec tunnels. If you enter encrypt you can also enable or disable inbound, natinbound, outbound, and natoutbound to control the VPN traffic allowed by the policy.
IP addresses, the source addresses of outbound VPN packets are translated into the IP address of the freeGuard 100 external interface. If you use natip, the freeGuard 100 unit uses a static mapping scheme to translate the...
IPSec policy. The VPN tunnel name is case sensitive.
Example
On a freeGuard 100 use the following example to add policy number 2 that allows users on the external network to access a web server on a DMZ network. The policy:
•...
Applies network address translation (nat is enabled)
• Applies traffic shaping to guarantee 100 KBytes/s of bandwidth is available, to limit the maximum bandwidth to 500 KBytes/s, and to set the priority for the traffic accepted by this policy to...
• config firewall address
• config firewall profile
• config firewall schedule onetime
• config firewall schedule recurring
• config firewall service custom
• config firewall service group
profile
Use this command to add, edit or delete protection profiles. Use protection profiles to apply different protection settings for traffic controlled by firewall policies.
• Enter scan to enable scanning files for viruses and worms.
• Enabled by default. Enter splice to enable the freeGuard 100 to simultaneously buffer a file for scanning and upload the file to an FTP server. If a virus is detected, the
No default.
freeGuard 100 unit buffers the file for scanning before uploading it to the FTP server. If the file is clean, the freeGuard 100 allows the upload or download to continue. Enter all the actions you want this profile to use. Use a space to separate the options you enter.
• Enter scriptfilter to enable web script filtering.
• Enter urlblock to enable URL blocking.
• Enter urlexempt to enable URL exempt filtering.
Enter all the actions you want this profile to use. Use a space to separate the options you enter.
tag to enable tagging spam email with text configured using the imap_spamtagmsg keyword and the location set using the imap_spamtagtype keyword.
imap_spamtagmsg <message_str>: Enter the subject text or MIME header text with which to tag spam messages. A tag of more than one word (a phrase) must be enclosed in single quotes to be accepted by the CLI.
pop3 {bannedword block content-archive fragmail no-content-summary oversize scan ...: Select the actions that this profile uses for filtering POP3 traffic for a policy.
• Enter bannedword to enable email content blocking based on the banned word list.
• Enter block to enable deleting files with...
List (ORDBL) servers.
• Enabled by default and automatically enabled when scan is enabled. Enter splice to enable the freeGuard 100 to simultaneously scan an email and send it to the SMTP server. If the freeGuard 100 detects a virus, it terminates the...
Tagged allows you to append a custom tag to the subject or header of email identified as spam. If you have scan or splice enabled, the freeGuard 100 can only discard spam email. Discard immediately drops the connection. Without splice or scanning enabled, you can choose to discard, pass, or tag SMTP spam.
• add HTTP category blocking to the spammail profile created above
• configure category blocking to deny access to web pages categorized as Games (20), Personals and Dating (37), Shopping and Auction (42) and the category group Objectionable or Controversial (g02)
•...
This example shows how to display the configuration for the firewall schedule onetime command.
show firewall schedule onetime
This example shows how to display the configuration for the Holiday onetime schedule.
show firewall schedule onetime Holiday
Command History
Related Commands
•...
day <name_str>: Enter the names of one or more days of the week for which the schedule is valid. Separate names by a space.
end <hh:mm>: The ending time of the schedule.
• hh can be 00 to 23
•...
• policy
• schedule onetime
5.12 service custom
Use this command to add, edit, or delete custom firewall services. Add a custom service if you need to create a policy for a service that is not in the predefined service list.
numbers at www.iana.org.
protocol {ICMP | IP | TCP | UDP}: Enter the protocol used by the service.
protocol-number <protocol_integer>: Enter the Internet protocol number. You can find Internet protocol numbers at www.iana.org.
Example
This example shows how to add a custom service called Custom_1. The service can use any source port.
config firewall service group
edit <group-name_str>
set <keyword> <variable>
config firewall service group
edit <group-name_str>
unset <keyword>
config firewall service group
delete <group-name_str>
get firewall service group [<group-name_str>]
show firewall service group [<group-name_str>]
firewall service group command keywords and variables
Keywords &...
get firewall service group web_Services
This example shows how to display the configuration for the firewall service group command.
show firewall service group
This example shows how to display the configuration for the web_Services service group.
<name_str>. If the IP address of extintf <name_str> is set using PPPoE or DHCP, extip <address_ipv4> can be 0.0.0.0. The freeGuard 100 substitutes the IP address set for this interface using PPPoE or DHCP. The virtual IP address and the external IP address can be on different subnets.
IP address for the web server. In this example, the IP address of the external interface is 192.168.100.99 and the real IP address of the web server on the internal network is 192.168.1.93.
This example shows how to display the settings for the firewall vip command.
get firewall vip
This example shows how to display the settings for the web_Server VIP.
get firewall vip web_Server
This example shows how to display the configuration for the firewall vip command.
show firewall vip
This example shows how to display the configuration for the web_Server VIP.
The freeGuard 100 IPS uses anomalies to identify network traffic that does not fit known or preset traffic patterns. The freeGuard 100 IPS identifies the four statistical anomaly types for the TCP, UDP, and ICMP protocols. Flooding If the number of sessions targeting a single destination in one second is over a threshold, the destination is experiencing flooding.
The config ips anomaly command has 1 subcommand. config limit...
anomaly command keywords and variables
Keywords & Variables: Description
action {clear_session | drop | drop_session | pass | pass_session ...: Select an action for the FreeGuard 100 to take when traffic triggers this anomaly.
clear_session
•...
• The freeGuard 100 drops the packet that triggered the anomaly, sends a reset to the server, and removes the session from the freeGuard 100 session table. Used for TCP connections only. If you set this action for a non-TCP connection, it acts as clear_session. If the reset_server action is triggered before the TCP connection is fully established it acts as clear_session.
You cannot edit the default entry. Addresses are matched from more specific to more general. For example, if you define thresholds for 192.168.100.0/24 and 192.168.0.0/16, the address with the 24 bit netmask is matched before the entry with the 16 bit netmask.
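The flooding definition given under the anomaly overview (more sessions to one destination in one second than a threshold) and the most-specific-address rule above, modelled together. This is an example added here, not code from the manual or the IPS; the threshold values, address entries and session records are constructed, and the catch-all 0.0.0.0/0 entry stands in for the default entry the manual says cannot be edited.

```python
import ipaddress
from collections import Counter

# Added example, not from the freeGuard manual: a small model of the flooding
# anomaly. A destination is flooding when the number of sessions targeting it
# in one second exceeds a threshold, and the threshold comes from the most
# specific (longest netmask) address entry containing the destination.
# Entries, limits and session records below are constructed for the example.

THRESHOLDS = {
    "0.0.0.0/0": 100,        # catch-all; stands in for the default entry
    "192.168.0.0/16": 50,    # whole internal range
    "192.168.100.0/24": 5,   # a small server subnet with a tighter limit
}

def threshold_for(dst, thresholds=None):
    """Threshold of the longest prefix that contains dst: a /24 entry wins
    over a /16 entry, which wins over the catch-all."""
    thresholds = THRESHOLDS if thresholds is None else thresholds
    addr = ipaddress.ip_address(dst)
    best_net, best_limit = None, None
    for prefix, limit in thresholds.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_limit = net, limit
    return best_limit

def flooding_destinations(sessions, thresholds=None):
    """Return (second, destination, count) for each one-second window in which
    the session count to a destination exceeds that destination's threshold."""
    per_second = Counter((int(ts), dst) for ts, dst in sessions)
    hits = []
    for (second, dst), count in sorted(per_second.items()):
        if count > threshold_for(dst, thresholds):
            hits.append((second, dst, count))
    return hits

# Constructed session records: (timestamp in seconds, destination IP).
SESSIONS = (
    [(1.0 + i * 0.1, "192.168.100.10") for i in range(6)]    # 6 in second 1, limit 5
    + [(1.0 + i * 0.1, "192.168.5.5") for i in range(6)]     # 6 in second 1, limit 50
    + [(2.0 + i * 0.1, "192.168.100.10") for i in range(5)]  # 5 in second 2, limit 5
)

def demo():
    return flooding_destinations(SESSIONS)

if __name__ == "__main__":
    for dst in ("192.168.100.10", "192.168.5.5", "10.1.1.1"):
        print(dst, "threshold", threshold_for(dst))
    print("flooding:", demo())
```

Only the six sessions to 192.168.100.10 in second 1 are reported: the same count to 192.168.5.5 sits under the /16 limit, and five sessions in second 2 equal the /24 threshold without exceeding it. Both points matter when tuning: a tighter entry for a small server range does not loosen or tighten anything outside it, and the comparison is strictly greater than.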
You can create custom IPS signatures. The custom signatures you create are added to a single Custom signature group. Custom signatures provide the power and flexibility to customize the freeGuard 100 IPS for diverse network environments. The freeGuard 100 predefined signatures cover common attacks. If you are using an unusual or specialized application or an uncommon platform, you can add custom signatures based on the security alerts released by the application and platform vendors.
config ips custom delete <name_str>
get ips custom [<name_str>]
show ips custom [<name_str>]
custom command keywords and variables
Keywords & Variables: Description
signature <'signature_str'>: Enter the custom signature. The signature must be enclosed in single quotes.
IPS generates. For example, the IPS detects a large number of web server attacks. If you do not provide access to a web server behind your freeGuard 100, you might want to disable all web server attack signatures.
<codepoint_integer> tagging. When the action for p2p and im signatures is set to pass, the freeGuard 100 checks the codepoint. If the codepoint is set to a number from 1 to 63, the codepoint for the session is changed to the specified value.
This example shows how to display the settings for the dos signature group.
get ips group dos
This example shows how to display the configuration for the ips group command.
show ips group
This example shows how to display the configuration for the dos signature group.
show ips group dos
config rule <rule-name_str>...
Keywords & Variables: Description
action {clear_session | drop | drop_session | pass | pass_session ...: Select an action for the freeGuard 100 to take when traffic triggers this signature.
clear_session
• The freeGuard 100 drops the packet...
before the TCP connection is fully established it acts as clear_session.
log {disable | enable}: Enable or disable logging for the signature.
status {disable | enable}: Enable or disable this signature.
Example
This example shows how to change the action for the NAPTHA signature in the dos signature group to drop.
Use the config log commands to set the logging type, the logging severity level, and the logging location for the freeGuard 100. For descriptions of log formats and specific log messages see the freeGuard 100 Log Message Reference Guide. {log | memory | syslogd | webtrends} filter...
auth {disable | enable}: Enable or disable logging all firewall-related events, such as user authentication in the event log.
blocked {disable | enable}: Enable or disable logging all instances of blocked files.
cat_block {disable | enable}: Enable or disable logging of web pages blocked by FreeGuard category filtering in the web filter log.
{alert | critical | debug | ...: Select the logging severity level. The freeGuard 100 logs all messages at and above the logging severity level you select.
This example shows how to display the filter settings for logging to a freeGuard 100. get log memory filter This example shows how to display the configuration for logging to a syslog server.
You can create an IPSec VPN tunnel if one or more freeGuard 100s are sending log messages to a unit across the Internet. Using an IPSec VPN tunnel means that all log messages sent by the freeGuard 100 are encrypted and secure.
server: Enter the IP address of the unit.
Use this command to configure log settings for logging to the freeGuard 100 system memory. The freeGuard 100 system memory has a limited capacity and only displays the most recent log entries. Traffic logs cannot be stored in the memory buffer. After all available memory is used, by default the freeGuard 100 begins to overwrite the oldest messages.
set status enable
This example shows how to display the log setting for logging to the freeGuard 100 system memory.
get log memory setting
This example shows how to display the configuration for logging to the freeGuard 100 system memory.
<port_integer>
server <address_ipv4>
status {disable | enable}
Example
Description
Enter enable to enable the freeGuard 100 to produce the log in Comma Separated Value (CSV) format. If you do not enable CSV format the freeGuard 100 produces plain text files.
This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and enable logging in CSV format.
config log syslogd setting
set status enable
set server 220.210.200.190...
unset <keyword>
get log trafficfilter
show log trafficfilter
The config log trafficfilter command has 1 subcommand.
config rule
log trafficfilter command keywords and variables
Keywords & Variables: Description
display {name | port}: Enter name to enable the display of the service name in the traffic log messages.
Command syntax pattern
config rule
edit <name_str>
set <keyword> <variable>
config rule
edit <name_str>
unset <keyword>
config rule
delete <name_str>
get log trafficfilter
show log trafficfilter
rule command keywords and variables
Keywords & Variables: Description
<address_ipv4mask>: Enter the destination IP address and...
Use this command to configure log settings for logging to a remote computer running a NetIQ WebTrends firewall reporting server. freeGuard 100 log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with NetIQ WebTrends Security Reporting Center 2.0 and Firewall Suite 4.1.
Keywords & Variables: Description
server <address_ipv4>: Enter the IP address of the WebTrends server that stores the logs.
status {disable | enable}: Enter enable to enable logging to a WebTrends server.
Example
This example shows how to enable logging to and set an IP address for a remote WebTrends server.
The freeGuard 100 attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix it takes the action specified for that prefix. If no match is found the default action is deny.
delete <name_str>
get router access-list [<name_str>]
show router access-list [<name_str>]
The config router access-list command has 1 subcommand.
config rule
config rule
Access the config rule subcommand using the config router access-list command. Use the config rule command to add, edit, or delete access list rules with the specified number.
This example shows how to add an access list named acc_list1 with two rules. The first rule denies the subnet that exactly matches the prefix 192.168.50.0 255.255.255.0 and permits all other subnets that match the prefix 192.168.0.0 255.255.0.0.
config router access-list
edit acc_list1
config rule
edit 1...
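The matching order described for access lists (top of the list first, first matching prefix decides, implicit deny when nothing matches) applied to the acc_list1 example above. This is an example added here, not code from the manual or the freeGuard 100; it assumes that an exact-match rule matches only a route with the identical prefix and mask and that a non-exact rule matches any route that falls inside its prefix, which is how the manual's example is worded but is a reading of it rather than a documented specification.

```python
import ipaddress

# Added example, not from the freeGuard manual: a model of ordered access-list
# evaluation using the manual's acc_list1. Assumed semantics: rules are tried
# top-down, first match wins, an exact-match rule matches only the identical
# prefix and mask, a non-exact rule matches any route inside its prefix, and a
# route matching no rule gets the implicit default action, deny.

def to_network(text):
    """Accept the CLI's 'address netmask' form as well as CIDR notation."""
    parts = text.split()
    if len(parts) == 2:
        return ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
    return ipaddress.ip_network(text)

# Rule table modelled on the manual's example (prefixes are the manual's).
ACC_LIST1 = [
    {"id": 1, "action": "deny",   "prefix": "192.168.50.0 255.255.255.0", "exact_match": True},
    {"id": 2, "action": "permit", "prefix": "192.168.0.0 255.255.0.0",   "exact_match": False},
]

def rule_matches(rule, route):
    net = to_network(rule["prefix"])
    if route.version != net.version:
        return False
    if rule["exact_match"]:
        return route == net
    return route.subnet_of(net)

def evaluate(access_list, prefix):
    """Return (action, rule id) for a route prefix; ('deny', None) when no rule matched."""
    route = to_network(prefix)
    for rule in access_list:
        if rule_matches(rule, route):
            return rule["action"], rule["id"]
    return "deny", None

def evaluate_acc_list1(prefix):
    return evaluate(ACC_LIST1, prefix)

if __name__ == "__main__":
    for p in ("192.168.50.0 255.255.255.0", "192.168.50.0 255.255.255.128",
              "192.168.60.0/24", "10.0.0.0/8"):
        print(p, "->", evaluate_acc_list1(p))
```

The second probe is the one worth noticing: because rule 1 is an exact match, a more specific 192.168.50.0/25 route is not caught by the deny and falls through to the permit in rule 2. If the intent is to keep everything under 192.168.50.0/24 out, the deny rule must not be exact-match.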
Autonomous System Boundary Router (ASBR) as a destination.
database: Show the entries in the OSPF routing database.
interface: Show the status of the freeGuard 100 interfaces and whether OSPF is enabled for each interface.
neighbor: Show information about OSPF neighbors.
Keywords Description database Show the entries in the RIP routing database. interface Show the status of the FreeGuard 100 interfaces and whether RIP is enabled for each interface. Examples get router info rip database get router info rip interface Command History Related Commands •...
See “config system global” to ensure that the freeGuard 100 system date and time are correct. Command syntax pattern Add, edit or delete a key chain with the specified name.
The config router key-chain command has 1 subcommand: config key
config key
Access the config key subcommand using the config router key-chain command. Use the config key command to add, edit, or delete keys identified by the specified number.
Command syntax pattern
config key edit <id_integer>...
send-lifetime {<hh:mm:ss day month year>} {<hh:mm:ss day month year> | ...
  Set the time period during which the key can be sent. The first <hh:mm:ss day month year> variable sets the start time. The second variable (a choice of three settings) ...
Use this command to configure open shortest path first (OSPF) on the freeGuard 100. OSPF is an open protocol based on the shortest path first algorithm. OSPF is a link state protocol capable of routing larger networks than the simpler distance vector RIP protocol. An OSPF autonomous system (AS) or routing domain is a group of areas connected to a backbone area.
Keywords & Variables / Description
abr-type {cisco | ibm | shortcut | standard}
  Specify the behavior of a freeGuard 100 acting as an OSPF area border router (ABR) when it has multiple attached areas and has no backbone connection. Selecting the ABR...
default-information-originate {always | disable | enable}
  Enter enable to advertise a default route into an OSPF routing domain. Use always to advertise a default route even if the freeGuard 100 does not have a default route in its routing table.
default-information-route-map <name_str>
  If you have set default-information-originate to ...
set router-id 1.1.1.1
This example shows how to display the OSPF settings.
get router ospf
This example shows how to display the OSPF configuration.
show router ospf
config area
Access the config area subcommand using the config router ospf command. Use the config area command to set OSPF area related parameters.
show
The config area command has 3 subcommands:
config filter-list
config range
config virtual-link
Note: All area keywords are optional.
area command keywords and variables
Keywords & Variables / Description
authentication {md5 | none | text}
  Set the authentication type. Use the authentication keyword to define the authentication used for OSPF packets sent and received in this area.
100 participate in the process for electing a translator for an NSSA. You can set the translator role to never to ensure this freeGuard 100 never acts as the translator if it is in an NSSA.
shortcut {default | ...
  Use this command to specify area shortcut parameters.
This example shows how to display the configuration for area 15.1.1.1.
config router ospf
config area
edit 15.1.1.1
show
config filter-list
Access the config filter-list subcommand using the config area subcommand. Use filter lists to control the import and export of LSAs into and out of an area. You can use access or prefix lists for OSPF area filter lists.
direction {in | out}
  Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets.
list <name_str>
  Enter the name of the access list or prefix list to use for this filter list.
Use the area range command to summarize routes at an area boundary. If the network numbers in an area are contiguous, the ABR advertises a summary route that includes all the networks within the area that are within the specified range.
Command syntax pattern
The range id_integer can be 0 to 4294967295.
{disable | enable}
Example
This example shows how to set the prefix for range 1 of area 15.1.1.1.
config router ospf
config area
edit 15.1.1.1
config range
edit 1
set prefix 1.1.0.0 255.255.0.0
This example shows how to display the settings for area 15.1.1.1.
edit <name_str> set <keyword> <variable>
config virtual-link edit <name_str> unset <keyword>
config virtual-link delete <name_str>
config virtual-link edit <name_str>
config virtual-link edit <name_str> show
Note: Only the peer keyword is required. All other keywords are optional.
virtual-link command keywords and variables
Keywords & ...
the authentication-key is 15 characters.
dead-interval <seconds_integer>
  The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval.
This example shows how to display the settings for area 15.1.1.1.
config router ospf
config area
edit 15.1.1.1
This example shows how to display the configuration for area 15.1.1.1.
config router ospf
config area
edit 15.1.1.1
show
config distribute-list
Access the config distribute-list subcommand using the config router ospf command. Use this command to use an access list to filter the networks in routing updates.
config distribute-list edit <id_integer> show
Note: Both keywords are required.
distribute-list command keywords and variables
Keywords & Variables / Description
access-list <name_str>
  Enter the name of the access list to use for this distribute list.
protocol {connected | ...
show
config neighbor
Access the config neighbor subcommand using the config router ospf command. Use this command to manually configure an OSPF neighbor on nonbroadcast networks. OSPF packets are unicast to the specified neighbor address. You can configure multiple neighbors.
Command syntax pattern
config neighbor edit <id_integer>...
seconds_integer is 1 to 65535.
priority <priority_integer>
  Enter a priority number for the neighbor. The valid range for priority_integer is 0 to 255.
Example
This example shows how to manually add a neighbor.
config router ospf...
config network edit <id_integer> unset <keyword>
config network delete <id_integer>
config network edit <id_integer>
config network edit <id_integer> show
network command keywords and variables
Keywords & Variables
area <id_ipv4>
prefix <address_ipv4mask>
Example
Use the following command to enable OSPF for the interfaces attached to networks specified by the IP address 10.0.0.0 and the netmask 255.255.255.0 and to add these interfaces to area 10.1.1.1.
Note: The <interface-name_str> variable in the syntax pattern below represents a descriptive name for this OSPF configuration. To set the freeGuard 100 interface that this configuration will apply to, use the interface <name_str> keyword and variable in the table below.
config ospf-interface edit <interface-name_str> show
Note: The interface and ip keywords are required. All other keywords are optional.
ospf-interface command keywords and variables
Keywords & Variables
authentication {md5 | none | text}
authentication-key <password_str>
cost <cost_integer>
database-filter-out {disable | enable}
dead-interval <seconds_integer>...
hello-interval <seconds_integer>
  The time, in seconds, between hello packets. All routers on the network must use the same value for hello-interval.
interface <name_str>
ip <address_ipv4>
md5-key <id_integer> <key_str>
mtu <mtu_integer>
mtu-ignore {disable | enable}
network-type {broadcast | non-broadcast | point-to-multipoint | point-to-point}
priority <priority_integer>
retransmit-interval <seconds_integer>
status {disable | enable}
transmit-delay <seconds_integer>
Example
This example shows how to assign an OSPF interface configuration named test to the interface named internal and how to configure text authentication for this interface.
config router ospf
config ospf-interface
edit test
set interface internal
set ip 192.168.20.3...
config ospf-interface
edit test
This example shows how to display the configuration for the OSPF interface configuration named test.
config router ospf
config ospf-interface
edit test
show
config redistribute
Access the config redistribute subcommand using the config router ospf command.
tag <tag_integer>
  Specify a tag for redistributed routes. The valid range for tag_integer is 0 to 4294967295.
This example shows how to enable route redistribution from RIP, using a metric of 3 and a route map named rtmp2.
config router ospf
config redistribute rip
set metric 3
set routemap rtmp2
set status enable...
get router ospf
show router ospf
Note: Only the prefix keyword is required. All other keywords are optional.
summary-address command keywords and variables
Keywords & Variables / Description
advertise {disable | enable}
  Advertise or suppress the summary route that matches the specified prefix.
When the freeGuard 100 receives a packet, it starts at the top of the policy routing list and attempts to match the packet with a policy in ascending order. If the packet matches no policy route, the freeGuard 100 routes the packet using the regular routing table (policy routing is processed before static routing).
Example
If a freeGuard 100 provides Internet access for multiple internal subnets, you can use policy routing to control the route that traffic from each network takes to the Internet. For example, if the internal network includes the subnets 192.168.10.0 and 192.168.20.0 you can enter the following policy routes:
• ...
• Enter the following command to route traffic from the 192.168.20.0 subnet to the 200.200.200.0 subnet. Force the packets to the next hop gateway at IP address 2.2.2.1 through the interface named external.
config router policy
edit 2
set input_device internal
set src 192.168.20.0 255.255.255.0
set dst 200.200.200.0 255.255.255.0
set output_device external...
(permit or deny), and maximum and minimum prefix length settings. The freeGuard 100 attempts to match a packet against the rules in a prefix list starting at the top of the list. If it finds a match for the prefix it takes the action specified for that prefix. If no match is found the default action is deny.
get router prefix-list [<name_str>]
show router prefix-list [<name_str>]
The config router prefix-list command has 1 subcommand: config rule
config rule
Access the config rule subcommand using the config router prefix-list command. Use the config rule command to add, edit, or delete prefix list rules with the specified number.
Command syntax pattern
config rule edit <id_integer>...
This example shows how to add a prefix list named prf_list1 with three rules. The first rule permits subnets that match prefix lengths between 26 and 30 for the prefix 192.168.100.0 255.255.255.0. The second rule denies subnets that match the prefix lengths between 20 and 25 for the prefix 10.1.0.0 255.255.0.0.
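The first-match, default-deny evaluation that the access-list and prefix-list sections above describe, as an added Python example; it is not freeGuard 100 code and not from the manual. acc_list1 and the first two rules of prf_list1 are taken from the examples in the text; the field names exact_match, ge and le, and the rule that a prefix-list entry without length bounds requires an exact match, are assumptions.

```python
# Added example (not freeGuard 100 code): first-match evaluation of
# access-list and prefix-list rules. Field names exact_match/ge/le and
# "no bounds means exact match" are assumptions; "first match wins,
# no match means deny" comes from the manual's text.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional, Sequence, Union


def parse_prefix(text: str) -> IPv4Network:
    """Accept the manual's '192.168.50.0 255.255.255.0' form or CIDR."""
    return ip_network(text.replace(" ", "/"), strict=False)


@dataclass(frozen=True)
class AccessRule:
    action: str                 # "permit" or "deny"
    prefix: IPv4Network
    exact_match: bool = False   # True: only the identical prefix matches

    def matches(self, route: IPv4Network) -> bool:
        if self.exact_match:
            return route == self.prefix
        return route.subnet_of(self.prefix)


@dataclass(frozen=True)
class PrefixRule:
    action: str
    prefix: IPv4Network
    ge: Optional[int] = None    # minimum prefix length (assumed name)
    le: Optional[int] = None    # maximum prefix length (assumed name)

    def matches(self, route: IPv4Network) -> bool:
        if not route.subnet_of(self.prefix):
            return False
        if self.ge is None and self.le is None:
            return route == self.prefix   # assumption: no bounds => exact match
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        high = self.le if self.le is not None else route.max_prefixlen
        return low <= route.prefixlen <= high


Rule = Union[AccessRule, PrefixRule]


def evaluate(rules: Sequence[Rule], route_text: str) -> str:
    """Walk the list top to bottom; the first matching rule decides."""
    route = parse_prefix(route_text)
    for rule in rules:
        if rule.matches(route):
            return rule.action
    return "deny"   # no match: the default action is deny


# acc_list1 from the manual: deny exactly 192.168.50.0/24, permit the rest of 192.168.0.0/16
ACC_LIST1 = [
    AccessRule("deny", parse_prefix("192.168.50.0 255.255.255.0"), exact_match=True),
    AccessRule("permit", parse_prefix("192.168.0.0 255.255.0.0")),
]

# first two rules of prf_list1 from the manual (the third is not shown on the page)
PRF_LIST1 = [
    PrefixRule("permit", parse_prefix("192.168.100.0 255.255.255.0"), ge=26, le=30),
    PrefixRule("deny", parse_prefix("10.1.0.0 255.255.0.0"), ge=20, le=25),
]

if __name__ == "__main__":
    for route in ("192.168.50.0/24", "192.168.50.0/25", "10.0.0.0/8"):
        print("acc_list1", route, evaluate(ACC_LIST1, route))
    for route in ("192.168.100.64/26", "192.168.100.0/24", "10.1.8.0/22"):
        print("prf_list1", route, evaluate(PRF_LIST1, route))
```

Running it shows the point an exact-match rule hides: acc_list1 denies only the /24 itself, so a more specific 192.168.50.0/25 falls through to the permit rule for 192.168.0.0/16. A filter meant to block a whole range needs a non-exact rule, or a prefix list whose ge/le bounds cover the lengths that should be caught.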
Use this command to configure routing information protocol (RIP) on the freeGuard 100. The freeGuard 100 implementation of RIP supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453. RIP version 2 enables RIP messages to carry more information, and to support simple authentication and subnet masks.
<metric_integer>
  For non-default routes in the static routing table and directly connected networks the default metric is the metric that the freeGuard 100 advertises to adjacent routers. This metric is added to the metrics of learned routes. The default metric can be a number from 1 to 16.
• enable advertising a default static route into RIP,
• enable sending and receiving RIP version 1 packets,
• set the default metric to 5.
config router rip
set default-information-originate enable
set version 1
set default-metric 5
This example shows how to display the RIP settings.
get router rip
This example shows how to display the RIP configuration.
show router rip
distance command keywords and variables
Keywords & Variables / Description
access-list <name_str>
  Enter the name of an access list. The distances associated with the routes in the access list will be modified. To create an access list, see “config router access-list”...
Example
set <keyword> <variable>
config distribute-list edit <id_integer> unset <keyword> <variable>
config distribute-list delete <id_integer>
get router rip
show router rip
distribute-list command keywords and variables
Keywords & Variables / Description
direction {in | out}
  Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets.
This example shows how to display the RIP settings.
get router rip
This example shows how to display the RIP configuration.
show router rip
config interface
Access the config interface subcommand using the config router rip command.
authenticity of the update packet, not the confidentiality of the routing information in the packet. In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network.
set send-version 2
set auth-mode md5
set auth-keychain test1
This example shows how to display the RIP settings.
get router rip
This example shows how to display the RIP configuration.
show router rip
config neighbor
Access the config neighbor subcommand using the config router rip command.
ip <address_ipv4>
  Enter the IP address of the neighboring router to which to send unicast updates.
Example
This example shows how to set the router at 192.168.21.20 as a neighbor.
config router rip
config neighbor
edit 1
set ip 192.168.21.20
This example shows how to display the RIP settings.
show router rip
network command keywords and variables
Keywords & Variables / Description
prefix <address_ipv4mask>
  Enter the IP address and netmask for the RIP network.
Example
Use the following command to enable RIP for the interfaces attached to networks specified by the IP address 10.0.0.0 and the netmask 255.255.255.0.
get router rip
show router rip
offset-list command keywords and variables
Keywords & Variables / Description
access-list <name_str>
  Enter the name of the access list to use for this offset list. The access list is used to determine which routes to add the metric
direction {in | out}
  Enter in to apply the offset to the metrics of incoming routes.
Command syntax pattern
config redistribute {connected | static | ospf | bgp} set <keyword> <variable>
config redistribute {connected | static | ospf | bgp} unset <keyword>
get router rip
show router rip
redistribute command keywords and variables
Keywords & ...
The freeGuard 100 attempts to match a packet against the rules in a route map starting at the top of the list. If it finds a match it makes the changes defined in the set statements and then takes the action specified for the rule.
config rule
Access the config rule subcommand using the config router route-map command. Use the config rule subcommand to add, edit, or delete route map rules with the specified number.
Command syntax pattern
config rule edit <id_integer>...
set-metric <metric_integer>
  Set a metric value of 1 to 16 for a matched route.
set-metric-type {1 | 2}
  Set the type for a matched route.
set-tag <tag_integer>
  Set a tag value for a matched route.
Example
This example shows how to add a route map list named rtmp2 with two rules. The first rule denies routes that match the IP addresses in an access list named acc_list2.
The freeGuard 100 assigns routes using a best match algorithm. To select a route for a packet, the freeGuard 100 searches through the routing table for a route that best matches the destination address of the packet. If a match is not found, the freeGuard 100 routes the packet using the default route.
<destinationaddress_ipv4mask>
gateway <gatewayaddress_ipv4>
This example shows how to add a static route that has the sequence number 2.
config router static
edit 2
set dev internal
set dst 192.168.22.0 255.255.255.0
set gateway 192.168.22.44
This example shows how to display the list of static route numbers.
get router static
This example shows how to display the settings for static route 2.
The freeGuard 100 assigns routes using a best match algorithm. To select a route for a packet, the freeGuard 100 searches through the routing table for a route that best matches the destination address of the packet. If a match is not found, the freeGuard 100 routes the packet using the default route.
Example
This example shows how to add an IPv6 static route that has the sequence number 2.
config router static6
edit 2
set dev internal
set dst 12AB:0:0:CD30::/60
set gateway 12AB:0:0:CD30:123:4567:89AB:CDEF
This example shows how to display the list of IPv6 static route numbers.
get router static6
This example shows how to display the settings for IPv6 static route 2.
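The forwarding order that the policy-routing section (policy routes first, in ascending order, first match wins) and the static route sections (best match in the routing table, then the default route) describe, as an added Python example; it is not freeGuard 100 code. Policy 2 and the two static routes are the manual's own examples; policy 1, the /25 route and the default route are constructed stand-ins, and the field names and the tie-break on sequence number among equal-length prefixes are assumptions.

```python
# Added example, not freeGuard 100 code: the forwarding decision in the
# order the manual describes (policy routes, then longest-prefix match,
# then the default route). Field names and entries marked "constructed"
# are assumptions; the other entries are taken from the manual's examples.
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Optional, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


def parse_prefix(text: str) -> Network:
    """Accept the manual's '192.168.22.0 255.255.255.0' form or CIDR."""
    return ip_network(text.replace(" ", "/"), strict=False)


@dataclass(frozen=True)
class Policy:
    seq: int             # policies are tried in ascending order
    input_device: str
    src: Network
    dst: Network
    output_device: str
    gateway: str


@dataclass(frozen=True)
class StaticRoute:
    seq: int
    dev: str
    dst: Network
    gateway: str


def match_policy(policies, input_device, src, dst) -> Optional[Policy]:
    """First policy (lowest sequence number) whose device, src and dst all match."""
    for p in sorted(policies, key=lambda p: p.seq):
        # 'in' is False when the address family differs, so v6 traffic never hits a v4 policy
        if p.input_device == input_device and src in p.src and dst in p.dst:
            return p
    return None


def best_route(routes, dst) -> Optional[StaticRoute]:
    """Longest matching prefix; a /0 default route wins only when nothing else matches."""
    candidates = [r for r in routes if dst in r.dst]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.dst.prefixlen, r.seq))  # assumed tie-break on seq


def forward(policies, routes, input_device: str, src_text: str,
            dst_text: str) -> Optional[Tuple[str, str, str]]:
    """Return (egress device, gateway, 'policy' | 'static'), or None when unroutable."""
    src, dst = ip_address(src_text), ip_address(dst_text)
    policy = match_policy(policies, input_device, src, dst)
    if policy is not None:
        return policy.output_device, policy.gateway, "policy"
    route = best_route(routes, dst)
    if route is None:
        return None
    return route.dev, route.gateway, "static"


POLICIES = [
    # constructed stand-in for the 192.168.10.0 policy the text mentions but does not show
    Policy(1, "internal", parse_prefix("192.168.10.0 255.255.255.0"),
           parse_prefix("0.0.0.0/0"), "external", "192.0.2.1"),
    # policy 2 as in the manual
    Policy(2, "internal", parse_prefix("192.168.20.0 255.255.255.0"),
           parse_prefix("200.200.200.0 255.255.255.0"), "external", "2.2.2.1"),
]

ROUTES = [
    StaticRoute(2, "internal", parse_prefix("192.168.22.0 255.255.255.0"), "192.168.22.44"),  # manual
    StaticRoute(2, "internal", parse_prefix("12AB:0:0:CD30::/60"),
                "12AB:0:0:CD30:123:4567:89AB:CDEF"),                                           # manual (static6)
    StaticRoute(3, "internal", parse_prefix("192.168.22.128/25"), "192.168.22.129"),           # constructed
    StaticRoute(9, "external", parse_prefix("0.0.0.0/0"), "198.51.100.1"),                     # constructed default
]

if __name__ == "__main__":
    for dev, src, dst in [("internal", "192.168.20.5", "200.200.200.9"),
                          ("internal", "192.168.20.5", "192.168.22.200"),
                          ("internal", "2001:db8::1", "12AB:0:0:CD35::1")]:
        print(dev, src, "->", dst, forward(POLICIES, ROUTES, dev, src, dst))
```

The order matters for review: a policy route is consulted before the routing table, so a policy with a broad destination (the constructed policy 1 matches any destination) silently overrides every static route for traffic from its source subnet and input device.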
127 characters long. If you enter a single word, the freeGuard 100 blocks all email that contain that word. If you enter a phrase, the freeGuard 100 blocks all email containing the exact phrase. To block any word in a phrase, use Perl regular expressions.
config spamfilter bword edit <banned-word_integer> set <keyword> <variable>
config spamfilter bword edit <banned-word_integer> unset <keyword>
config spamfilter bword delete <banned-word_integer>
get spamfilter bword [<banned-word_integer>]
show spamfilter bword [<banned-word_integer>]
spamfilter bword command keywords and variables
Keywords & Variables / Description
action {clear | spam}
  Enter clear to allow the email.
set language ASCII
set pattern bad*
set pattern_type wildcard
set where body
next
edit 11
set status enable
set action spam
set language ASCII
set pattern ^worse
set pattern_type regexp
set where body
This example shows how to display the spamfilter banned word list.
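How a banned word list like the one above is applied, as an added Python example that is not freeGuard 100 code: entries are tried in list order, a wildcard pattern becomes a substring search with * and ? expanded, a regexp pattern is used as given, and the first enabled entry that matches decides the action. Entries 10 and 11 are the manual's; entry 5 and the wildcard-to-regex rules are assumptions, and Python's re module stands in for the Perl regular expressions the text refers to.

```python
# Added example, not freeGuard 100 code: applying a banned word list in
# entry order. Python's re module stands in for the Perl regular expressions
# the manual refers to; the wildcard translation and entry 5 are assumptions.
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class BannedWord:
    idx: int                        # list position; entries are tried in ascending order
    pattern: str
    pattern_type: str = "wildcard"  # "wildcard" or "regexp"
    where: str = "all"              # "subject", "body" or "all"
    action: str = "spam"            # "clear" allows the email, "spam" applies the spam action
    status: str = "enable"


def wildcard_to_regex(pattern: str) -> str:
    """Assumed wildcard rules: '*' is any run of characters, '?' one character, rest literal."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def compile_entry(entry: BannedWord) -> "re.Pattern[str]":
    if entry.pattern_type == "regexp":
        # MULTILINE so ^ and $ anchor to each line of a message body
        return re.compile(entry.pattern, re.IGNORECASE | re.MULTILINE)
    return re.compile(wildcard_to_regex(entry.pattern), re.IGNORECASE)


def classify(entries: Sequence[BannedWord], subject: str,
             body: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (action, entry index) of the first enabled entry that matches, or
    (None, None) when nothing matches and the email goes on to the next spam filter."""
    fields = {"subject": subject, "body": body}
    for entry in sorted(entries, key=lambda e: e.idx):
        if entry.status != "enable":
            continue
        targets = fields.values() if entry.where == "all" else [fields[entry.where]]
        rx = compile_entry(entry)
        # a single word and an exact phrase both become a substring search here,
        # which is the behaviour the text describes for plain entries
        if any(rx.search(text) for text in targets):
            return entry.action, entry.idx
    return None, None


ENTRIES = [
    BannedWord(5, "security newsletter", "wildcard", "subject", "clear"),  # constructed
    BannedWord(10, "bad*", "wildcard", "body", "spam"),                     # manual, entry 10
    BannedWord(11, "^worse", "regexp", "body", "spam"),                     # manual, entry 11
]

if __name__ == "__main__":
    print(classify(ENTRIES, "hello", "this is badly written"))    # ('spam', 10)
    print(classify(ENTRIES, "Security Newsletter #4", "badness"))  # ('clear', 5)
```

Because evaluation stops at the first match, a clear entry placed early in the list exempts a message from every later banned word, so clear entries deserve the same review as permit rules in a firewall policy.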
If no match is found, the email is passed on to the next spam filter. The freeGuard 100 can filter email from specific senders or all email from a domain (such as sample.net). You can mark each email address as clear or spam.
Enable or disable scanning for each email address.
Example
This example shows how to add and enable the email address spammer@somewhere.com (mark as spam) and the email address *@freedom9.com (mark as clear) to the list as the tenth and eleventh entries.
config spamfilter emailbwl
edit 10...
• bword: Banned words
The antispam system from freedom9 that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate spam.
URL appears as the source of an email. The cache is configured to use 6% of the freeGuard 100 RAM. When the cache is full, the least recently used IP address or URL is deleted.
cache_ttl <ttl_integer>...
MIME headers
• bword: Banned words
The freeGuard 100 uses the IP address list to filter incoming email. The freeGuard 100 compares the IP address of the sender to the list in sequence. If a match is found, the corresponding protection...
62.128.69.100/24
You can configure the freeGuard 100 to filter email from specific IP addresses. You can mark each IP address as clear, spam, or reject. You can filter single IP addresses, or a range of addresses at the network level by configuring an address and mask.
• config spamfilter rbl
mheader
Use this command to filter email based on the MIME header. The freeGuard 100 spam filters are generally applied in the following order:
• Antispam Service
• ipbwl: IP address list
• ...
• bword: Banned words
The freeGuard 100 compares the MIME header key-value pair of incoming email to the list pair in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.
delete <mime_integer>
get spamfilter mheader [<mime_integer>]
show spamfilter mheader [<mime_integer>]
spamfilter mheader command keywords and variables
Keywords & Variables / Description
action {clear | spam}
  Enter clear to exempt the email from the rest of the spam filters. Enter spam to apply the spam action configured in the protection profile.
Banned words
The freeGuard 100 compares the IP address or domain name of the sender to any database lists you configure in sequence. If a match is found, the corresponding action is taken. If no match is found, the...
Note: Because the freeGuard 100 uses the server domain name to connect to the DNSBL or ORDBL server, it must be able to look up this name on the DNS server. For information on configuring DNS, see “config system dns”...
config spamfilter rbl
edit 2
set action reject
set server bl.spamcop.net
set status enable
next
edit 3
set action spam
set server relays.ordb.org
set status enable
This example shows how to display the spamfilter DNSBL list.
10.1 accprofile Use this command to add access profiles that control administrator access to freeGuard 100 features. Each freeGuard 100 administrator account must include an access profile. You can create access profiles that deny access to or allow read only, write only, or both read and write access to freeGuard 100 features.
Use the following commands to add a new access profile named policy_profile that allows read and write access to firewall policies and that denies access to all other freeGuard 100 features. An administrator account with this access profile can view and edit firewall policies, but cannot view or change any other freeGuard 100 settings or features.
edit policy_profile
set secgrp rw
This example shows how to display the settings for the system accprofile command.
get system accprofile
This example shows how to display the settings for the policy_profile access profile.
get system accprofile policy_profile
This example shows how to display the configuration for the system accprofile command.
show system accprofile
This example shows how to display the configuration for the policy_profile access profile.
Use the following commands to add a new administrator account named new_admin with the password set to p8ssw0rd and that includes an access profile named policy_profile. Administrators that log in to this account will have administrator access to the freeGuard 100 from any IP address.
config system admin...
This example shows how to display the settings for the system admin command.
get system admin
This example shows how to display the settings for the new_admin administrator account.
get system admin new_admin
This example shows how to display the configuration for the system admin command.
show system admin
Command History
Related Commands...
Use this command to add the IP address of an override FDS server. If you cannot connect to the FDN or if your organization provides updates using their own server, you can add an override FDS server so that the freeGuard 100 connects to this IP address instead of the FDN.
You must register the freeGuard 100 before it can receive push updates. When you configure a freeGuard 100 to allow push updates, the freeGuard 100 sends a SETUP message to the FDN. The next time an update is released, the FDN notifies all freeGuard 100s that are configured for push updates that a new update is available.
Using this command you can enable or disable push updates. You can also configure push IP address and port override. If the FDN must connect to the freeGuard 100 through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update override configuration.
<day_str> can be Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, or Saturday.
frequency {every | daily | weekly}
  Schedule the freeGuard 100 to check for updates every hour, once a day, or once a week.
  every • Check for updates periodically. Set time to the time interval to wait between updates.
Use this command to configure the freeGuard 100 to use a proxy server to connect to the FDN. To use the proxy server you must enable tunneling and add the IP address and port required to connect to the proxy server.
The user name to connect to the proxy server.
Example
This example shows how to enable tunneling where the freeGuard 100 must connect to a proxy server with IP address 67.35.50.34 that uses port 8080, requires the user id proxy_user and the password proxy_pwd.
10.8 bug-report
Use this command to configure a custom email relay for sending problem reports to Freedom9 customer support. For more information on sending problem reports, see the System Maintenance chapter of the Administration Guide.
Command syntax pattern
config system bug-report set <keyword>...
password <password_str>
  If the SMTP server requires authentication, enter the password required.
server <name_str>
  The SMTP server to use for sending bug report email. The default server is freedom9virussubmit.com.
username <name_str>
  A valid user name on the specified SMTP server. The default user name is bug_report.
Command History
10.10 dhcp exclude_range
Use this command to add up to 16 exclusion ranges of IP addresses that freeGuard 100 DHCP servers cannot assign to DHCP clients. Exclusion ranges apply to all freeGuard 100 DHCP servers.
Note: For this configuration to take effect you must set the interface to DHCP server mode using the dhcpserver-mode keyword in the config system interface command.
set <keyword> <variable>
config system dhcp exclude_range delete <index_integer>
get system dhcp exclude_range [<index_integer>]
show system dhcp exclude_range [<index_integer>]
exclude_range command keywords and variables
Keywords & Variables / Description
end_ip <address_ipv4>
  The end IP address in the exclusion range. The start IP and end IP must be in the same subnet.
Command History
Related Commands
• dhcp ipmacbinding
• dhcp server
• interface
10.11 dhcp ipmacbinding
Use this command to reserve an IP address for a particular device on the network according to the MAC address of the device. When you add the MAC address and an IP address to the IP/MAC binding list, the DHCP server always assigns this IP address to the MAC address.
• interface
10.12 dhcp server
Use this command to add one or more DHCP servers for any freeGuard 100 interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on a network connected to the interface. You can add more than one DHCP server to a single interface to be able to provide DHCP services to multiple networks.
set <keyword> <variable>
config system dhcp server edit <name_str> unset <keyword>
config system dhcp server delete <name_str>
get system dhcp server [<name_str>]
show system dhcp server [<name_str>]
dhcp server command keywords and variables
Keywords & Variables...
The IP addresses assigned are in the range 192.168.33.100 to 192.168.33.200. The example DHCP configuration also sets the netmask, default gateway, two DNS server IP addresses, the lease time, and one WINS server.
• dhcp ipmacbinding
• interface
10.13 dns
Use this command to set the DNS server addresses. Several freeGuard 100 functions, including sending email alerts and URL blocking, use DNS.
Command syntax pattern
config system dns set <keyword> <variable>
config system dns unset <keyword>...
<address_ipv4>
  Enter the secondary DNS server IP address.
Example
This example shows how to set the primary freeGuard 100 DNS server IP address to 45.37.121.76 and the secondary freeGuard 100 DNS server IP address to 45.37.121.77.
config system dns
set primary 45.37.121.76
set secondary 45.37.121.77...
Enter the IP address of a Manager Server.
status {enable | disable}
  Enable or disable remote administration with Manager.
Example
This example shows how to set the freeGuard 100 to be managed by a Server:
config system fm
set id FMServer_Gateway
set ip 192.20.120.100
Command History
Related Commands
• ...
• current HA status
Command syntax pattern
get system status
10.17 global
Use this command to configure global settings that affect various freeGuard 100 systems and configurations.
Command syntax pattern
config system global set <keyword> <variable>
config system global unset <keyword>...
Enable to drop SYN packets after the connection has been established.
daily-restart {enable | disable}
  Enable to restart the freeGuard 100 every day at the time set in restart_time.
dst {disable | enable}
  Enable or disable daylight saving time. If you enable daylight...
reset_sessionless_tcp {enable | disable}
  Enabling this option may help resolve issues with a problematic server, but it can make the freeGuard 100 more vulnerable to denial of service attacks. In most cases you should leave reset_sessionless_tcp disabled. The reset_sessionless_tcp command determines what the freeGuard 100 does if it receives a TCP packet but cannot find a corresponding session in its session table.
HA configuration settings. Note: You cannot enable HA mode if one of the freeGuard 100 interfaces is configured using DHCP or PPPoE. If DHCP or PPPoE is configured, the config hamode keyword is not available.
Command syntax pattern
config system ha set <keyword> <variable>
config system ha unset <keyword>
get system ha
show system ha
system ha command keywords and variables
Keywords & Variables / Description
arps <arp_integer>
  Set the number of gratuitous ARP packets sent by the primary unit.
responds to a failure. However, you can increase the heartbeat lost threshold if repeated failovers occur because cluster units cannot send heartbeat packets quickly enough.
hb-interval <interval_integer>
  The heartbeat interval, which is the time between sending...
100s. All members of an HA cluster must be set to the same HA mode. Enter standalone to remove the freeGuard 100 from an HA cluster.
monitor {<interface-1_str>...
  Enable or disable monitoring freeGuard 100 interfaces and...
that this cluster unit always becomes the primary cluster unit.
password <password_str>
  Enter a password for the HA cluster. The password must be the same for all freeGuard 100s in the HA cluster. The maximum password length is 15 characters.
primary unit routing table changes. Once a routing table update is sent, the primary unit waits the route-hold time before sending the next update. Usually routing table updates are periodic and sporadic. Subordinate units should receive these changes as soon as possible so route-wait is set to 0 seconds.
Examples
This example shows how to configure a freeGuard 100 for active-active HA operation. The example shows how to enter the basic HA configuration (mode, group_id, and password). You would enter the exact same command on every freeGuard 100 in the cluster.
200
set monitor internal enable
set monitor_priority internal 100
set monitor dmz enable
set monitor_priority internal 50
The following example shows how to configure weighted round robin weights for a cluster of three freeGuard 100s.
• execute ha synchronize
10.19 interface
Use this command to edit the configuration of a freeGuard 100 physical interface or VLAN subinterface. In the following table, VLAN subinterface can be substituted for interface in most places except that you can only configure VLAN subinterfaces with static IP addresses. Use the edit command to add a VLAN subinterface.
Page 219
Enable or disable using a Dynamic DNS service(DDNS). If the enable} freeGuard 100 uses a dynamic IP address, you can arrange with a DDNS service provider to use a domain name to provideredirection of traffic to your network whenever the IP address changes.
The freeGuard 100 also returns responses from the DHCP server to the DHCP clients. The DHCP server must have a route to the freeGuard 100 configured as the DHCP relay so that the packets sent by the DHCP server to the DHCP client arrive at the freeGuard 100 performing DHCP relay.
100 confirms connectivity is set using the failtime and interval keywords in the command “global”. idle-timeout <seconds_integer> Disconnect if the PPPoE connection is idle for the specified number of seconds. <address_ipv4mask> The interface IP address and netmask. ipmac {disable | Enable or disable IP/MAC binding for the specified interface.
<mtu_integer> Set custom maximum transmission unit (MTU) size in bytes. Ideally mtu should be the same as the smallest MTU of all the networks between this freeGuard 100 and the destination of the packets. For static mode the range is 576 to 1500 bytes.
• 10full, 10 Mbps, full duplex
• 10half, 10 Mbps, half duplex
• 100full, 100 Mbps, full duplex
• 100half, 100 Mbps, half duplex
• 1000full, 1000 Mbps, full duplex
• 1000half, 1000 Mbps, half duplex
status {down | up} Start or stop the interface.
This example shows how to set the freeGuard 100 internal interface IP address and netmask to 192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh.
config system interface
edit internal
set allowaccess ping https ssh
set ip 192.168.110.26 255.255.255.0...
<ping_ip> IP address. The frequency with which the freeGuard 100 confirms connectivity is set using the set system option interval command. ip <address_ipv4mask> Add or change the secondary static IP address and netmask for the interface. The secondary IP address can be on any subnet, including the same subnet as the primary IP address.
Example This example shows how to add a secondary IP address and netmask of 192.176.23.180 255.255.255.0 to the internal interface. Also configure ping and https management access to this secondary IP address. config system interface...
Command syntax pattern config system ipv6_tunnel edit <name_str> set <keyword> <variable> config system ipv6_tunnel edit <name_str> unset <keyword> config system ipv6_tunnel delete <name_str> get system interface <name_str> show system interface <name_str> ipv6_tunnel command keywords and variables Keywords & Variables Description destination The destination IPv4 address for this tunnel.
This example shows how to display the settings for the system ipv6_tunnel command. get system ipv6_tunnel This example shows how to display the configuration for the system ipv6_tunnel command. show system ipv6_tunnel This example shows how to display the settings for the ipv6_tunnel named test_tunnel.
Configure the Transparent mode management IP address. Use the management IP address for management access to the freeGuard 100 running in Transparent mode. The Distribution Network (FDN) also connects to the management IP address for antivirus and attack definition and engine updates.
100 or freeGuard 100 USB port. You can add the information to connect to up to three dialup accounts. The freeGuard 100 or freeGuard 100 modem interface can act as a backup interface for one of the freeGuard 100 ethernet interfaces or as a standalone dialup interface.
<seconds_integer> Used only when the modem is configured as a backup for an interface. Set the time (1-60 seconds) that the freeGuard 100 waits before switching from the modem interface to the primary interface, after the primary interface has been restored.
WAN1 interface. Only one dialup account is configured. The freeGuard 100 and modem will attempt to dial this account 10 times. The freeGuard 100 will wait 5 seconds after the WAN1 interface recovers before switching back to the WAN1 interface.
100 adds to content streams such as email messages, web pages, and FTP sessions. The freeGuard 100 adds replacement messages to a variety of content streams. For example, if a virus is found in an email message, the file is removed from the email and replaced with a replacement message.
<message-type_str> Name <message-type_str> Alertmail Alert email messages sent to system administrators. alertmail_test alertmail_virus alertmail_block alertmail_nids_event alertmail_crit_event catblock Messages that appear on web pages blocked by category blocking. cat_block Messages added to FTP sessions when the antivirus engine blocks a file either because of a matching file pattern or because a virus is detected.
The antivirus system blocks an email message that is too large to be virus scanned. The freeGuard 100 deletes a part of a fragmented email message. The antivirus system blocks a file in an SMTP email message that matches a file pattern.
smtp_spam_emailblack smtp_spam_mimeheader reversedns smtp_spam_bannedword Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message. Replacement message tags %%FILE%% %%VIRUS%% %%URL%%...
Example This example shows how to change the email message that is sent to test the alert email system. config system replacemsg alertmail alertmail_test set buffer "A test of the freeGuard 100 alert email system." Command History 10.25 session-helper A session-helper binds a service to a TCP port. By default, there are 14 session helpers binding services to standard ports.
edit <id_integer> unset <keyword> config system session-helper delete <id_integer> system session_helper command keywords and variables Keywords & Variables name {dns_tcp | dns_udp | ftp | h245I | h2450 | h323 | ident | mms | pmap | pptp | ras | rtsp | sip | tftp | tns} port <port_integer>...
get system session_ttl show system session_ttl The config system session_ttl command has 1 subcommand. config port session_ttl command keywords and variables Keywords & Variables Description default <seconds_integer> Enter a number of seconds to change the default session timeout. Example Use the following commands to increase the default session timeout.
config system session_ttl
set default 62000
This example shows how to display the settings for the session_ttl command.
Use this command to configure SNMP communities. Add SNMP communities so that SNMP managers can connect to the freeGuard 100 to view system information and receive SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps.
HA unit. intf_ip • The IP address of a freeGuard 100 interface changes. log_full • On a freeGuard 100 with a hard drive, hard drive usage exceeds 90%. mem_low • Memory usage exceeds 90%. nids_portscan • The IPS detects a port scan attack. nids_synflood •...
status {disable | enable} Enable or disable the SNMP community. trap_v1_lport <local-port_integer> SNMP v1 local port number used for sending traps to the SNMP managers added to this SNMP community. trap_v1_rport <remote-port_integer> SNMP v1 remote port number used for sending traps to...
Access the hosts subcommand using the snmp community command. Use this command to add SNMP manager IP addresses to an SNMP community and to specify the freeGuard 100 interface that each SNMP manager connects to. Command syntax pattern config hosts edit <id_integer>...
10.28 snmp sysinfo Use this command to enable the freeGuard 100 SNMP agent and to enter basic freeGuard 100 system information that is used by the freeGuard 100 SNMP agent. Use system information to identify the freeGuard 100 so that when your SNMP manager receives configuration information or traps from the freeGuard 100 you can identify the freeGuard 100 that sent the information.
10.29 vdom Use this command to add virtual domains. By default, each freeGuard 100 runs a virtual domain named root. This virtual domain includes all of the freeGuard 100 physical interfaces, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings.
By default all physical interfaces are in the root virtual domain. You cannot remove a physical interface from a virtual domain if firewall policies have been added for it. Delete the firewall policies or remove the interface from the firewall policies first.
config system zone edit <name_str> unset <keyword> config system zone delete <name_str> get system zone <name_str> show system zone <name_str> zone command keywords and variables Keywords & Variables Description interface <name_str> Add the specified interface to this zone. You cannot add an interface if it belongs to another zone or if firewall policies are defined for it.
100 checks for authentication. If user names are first, then the freeGuard 100 checks for a match with these local user names. If a match is not found, the freeGuard 100 checks the RADIUS or LDAP server. If a RADIUS or LDAP server is added first, the freeGuard 100 checks the server and then the local user names.
edit <groupname_str> config user group edit <groupname_str> get user group [<groupname_str>] show user group [<groupname_str>] user group command keywords and variable Keywords & Variables Description member <name_str> [<name_str> [<name_str>... Enter the names of users, LDAP servers, or RADIUS servers to add to the user group. Separate names by spaces. To add or...
To authenticate with the freeGuard 100, the user enters a user name and password. The freeGuard 100 sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the user is successfully authenticated with the freeGuard 100. If the LDAP server cannot authenticate the user, the connection is refused by the freeGuard 100.
|<address_ipv4>} Example This example shows how to add an LDAP server called LDAP1 using the IP address 23.64.67.44, the default port, the common name cn, and the distinguished names ou=marketing,dc=freedom9,dc=com. config user ldap edit LDAP1 This example shows how to change the distinguished name in the example above to ou=accounts,ou=marketing,dc=freedom9,dc=com.
11.3 local Use this command to add local user names and configure user authentication for the freeGuard 100. To add authentication by LDAP or RADIUS server you must first add servers using the config user ldap and config user radius commands.
“radius”. status {disable | enable} Enter enable to allow the local user to authenticate with the freeGuard 100. type {ldap | password | radius} Require the user to use a password, a RADIUS server, or an LDAP server for authentication.
This command refers to certificates imported into the freeGuard 100. You import CA certificates using the execute vpn certificate ca import command. You import local certificates using the execute vpn certificate key import or execute vpn certificate local import commands.
Command syntax pattern config user peer edit <name_str> config user peer edit <name_str> config user peer delete <name_str> get user peer [<name_str>] show user peer [<name_str>] peer command keywords and variables Keywords & Variables Description Enter the CA certificate name, as returned by execute vpn certificate ca list.
get user peer This example shows how to display the settings for the peer branch_office. get user peer branch_office This example shows how to display the configuration for all the peers. show user peer This example shows how to display the configuration for the peer branch_office. show user peer...
get user peergrp [<name_str>] show user peergrp [<name_str>] peergrp command keywords and variables Keywords & Variables Description member <name_str> [<name_str> [<name_str> [<name_str>... Enter the names of peers to add to the peer group. Separate names by spaces. To add or remove names from the group you must re-...
11.6 radius Use this command to add or edit the information used for RADIUS authentication. The default port for RADIUS traffic is 1812. If your RADIUS server is using a different port you can change the default RADIUS port. See config system global, and set “radius_port <port_integer>”.
get user radius This example shows how to display the settings for the RADIUS server RAD1. get user radius RAD1 This example shows how to display the configuration for all the RADIUS servers. show user radius This example shows how to display the configuration for the RADIUS server RAD1. show user radius RAD1 Command History Related Commands...
Use this command to add IPSec phase 2 configurations (IPSec VPN tunnels) to a VPN concentrator. The VPN concentrator collects hub-and-spoke tunnels into a group. The concentrator allows VPN traffic to pass from one tunnel to the other through the freeGuard 100. The freeGuard 100 functions as a concentrator, or hub, in a hub-and-spoke network.
Use this command to configure manual key IPSec VPN tunnels. Configure a manual key tunnel to create an IPSec VPN tunnel between the freeGuard 100 and a remote IPSec VPN client or gateway that is also using manual key. A manual key VPN tunnel consists of a name for the tunnel, the IP address of the VPN gateway or client at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel.
when you configure the tunnel, no negotiation is required for the VPN tunnel to start. However, the VPN gateway or client that connects to this tunnel must use the same encryption and authentication algorithms and must have the same encryption and authentication keys.
encryption {3des | aes128 | aes192 | aes256 | des | null} Select an encryption algorithm from the list. Make sure you use the same algorithm at both ends of the tunnel. enckey <encryption-key_hex> If encryption is des, enter a 16 digit (8 byte)...
Use this command to add or edit IPSec phase 1 configurations. When you add a phase 1 configuration, you define how the freeGuard 100 and a remote VPN peer (gateway or client) authenticate themselves to each other as part of establishing an IPSec VPN tunnel.
2, and 5. When using aggressive mode, DH groups cannot be negotiated. • If both VPN peers have static IP addresses and use aggressive mode, select a single DH group. The setting on the freeGuard 100 must be identical to the setting Default No default.
DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer. The dpd-idle clean up range is 100 to 28800 and must be greater than the dpd-idle worry setting. dpd-idleworry The DPD short idle setting when dpd is set to enable.
ID to authenticate itself to the remote VPN peer. If you add a local ID, the freeGuard 100 sends it as if it is a domain name. If you do not add a local...
• Enter dialup to authenticate dialup VPN clients that use unique peer IDs. In this case, you must create a group of dialup users for authentication purposes. Use the usrgrp keyword to set the user group name.
| pap} Select disable to disable XAuth. Select client to configure the freeGuard 100 to act as an XAuth client. Use the authuser keyword to add the XAuth user name and password. Select mixed, pap, or chap to configure the freeGuard 100 as an XAuth server.
12.4 ipsec phase2 Use this command to add or edit an IPSec VPN phase 2 configuration. The freeGuard 100 uses the phase 2 configuration to create and maintain an IPSec VPN tunnel with a remote VPN peer (the VPN gateway or client). The phase 2 configuration consists of a name for the VPN tunnel, the name or names of already configured phase 1 remote gateways, the proposal settings (encryption and authentication algorithms) and DH group used for phase 2.
enable} If the tunnel will service remote dialup clients that broadcast a DHCP request when connecting to the tunnel, enable dhcpipsec. The freeGuard 100 can relay the request to an external DHCP server. dhgrp {1 | 2 | 5} Select the Diffie-Hellman group to propose for Phase 2 of the IPSec VPN connection.
dstport <port_integer> Enter the port number that the remote VPN peer uses to transport traffic related to the specified service (see protocol). The dstport range is 1 to 65535. To specify all ports, type 0.
IPSec packet to see if it has been received before. If packets arrive out of sequence, the freeGuard 100 discards them. You can configure the freeGuard 100 to send an alert email when it detects a replay packet. See “config alert email”. selector { policy |...
local VPN peer. You must create the firewall address using the config firewall address command before you can select it here. For more information, see “config firewall address”. srcport <port_integer> Enter the port number that the local VPN peer uses to transport traffic related to the specified service (see protocol).
Each IPSec VIP entry is identified by an integer. An entry identifies the name of the freeGuard 100 interface to the destination network, and the IP address of a destination host on the destination network. Specify a VIP address for every host that needs to be accessed on the other side of the tunnel—you can define a...
The following commands add IPSec VIP entries for two remote hosts that can be accessed by a freeGuard 100 through an IPSec VPN tunnel on the external interface of the freeGuard 100. Similar commands must be entered on the freeGuard 100 at the other end of the IPSec VPN tunnel.
config vpn ipsec vip
edit 1
set ip 192.168.12.1...
L2TP clients must authenticate with the freeGuard 100 when an L2TP session starts. To support L2TP authentication on the freeGuard 100, you must define the L2TP users who need access and then add them to a user group. For more information, see “config user group”, “config user ldap”, “config user local”...
get vpn l2tp show vpn l2tp l2tp command keywords and variables Keywords & Variables Description eip <address_ipv4> The ending IP address of the L2TP address range. sip <address_ipv4> The starting IP address of the L2TP address range.
Related Commands config user group config firewall policy 12.7 pinggen Use this command to generate periodic traffic on one or two VPN tunnels. The ping generator generates traffic in an IPSec VPN tunnel to keep the tunnel connection open at times when no traffic is being generated inside the tunnel.
PPTP clients must authenticate with the freeGuard 100 when a PPTP session starts. To support PPTP authentication on the freeGuard 100, you must define the PPTP users who need access and then add them to a user group. For more information, see “config user group”, “config user ldap”, “config user local”...
“config user local” and “config user radius”. Example This example shows how to enable PPTP and set the PPTP address range for the first time using a starting address of 192.168.1.100, an ending address of 192.168.1.130 and an existing group of PPTP Default 0.0.0.0 0.0.0.0...
users named PPTP_users:
config vpn pptp
set sip 192.168.1.100
set eip 192.168.1.130
set status enable
set usrgrp PPTP_users
This example shows how to display the settings for the vpn pptp command. get vpn pptp This example shows how to display the configuration for the vpn pptp command.
If you enter a single word, the freeGuard 100 blocks all Web pages that contain that word. You can add phrases by enclosing the phrase in ‘single quotes’. If you enter a phrase, the freeGuard 100 blocks all Web pages containing any word in the phrase.
get webfilter bword [<word_str>] show webfilter bword [<word_str>] bword command keywords and variables Keywords & Variables Description language {french | japanese | korean |... Enter the language character set used for the banned word or phrase. Choose from French,...
Web pages into a wide variety of categories that users can allow, block, or monitor. Categories are also organized into broader groups to make configuration fast and easy. The freeGuard 100 accesses the nearest freeGuard server to determine the category of a requested web page and then follows the firewall policy configured for that user or interface.
URL is accessed. The cache is configured to use 6% of the freeGuard 100 RAM. When the cache is full, the least recently accessed URL is deleted. cache_ttl <ttl_integer>...
13.3 script Use this command to configure the freeGuard 100 to block Java applets, cookies, ActiveX controls, or scripts from Web pages. Note: Blocking any of these items may prevent some Web pages from functioning and displaying correctly.
100 blocks Web pages matching any specified URLs and displays a replacement message instead. You can configure the freeGuard 100 to block all pages on a website by adding the top-level URL or IP address. You can also block individual pages on a website by including the full path and filename of the web page to block.
www.finance.badsite.com, and so on. Command syntax pattern config webfilter urlblock edit <url_str> set <keyword> <variable> config webfilter urlblock edit <url_str> unset <keyword> config webfilter urlblock delete <url_str> get webfilter urlblock [<url_str>] show webfilter urlblock [<url_str>] urlblock command keywords and variables Keywords &...
This example shows how to display the settings for the URL www.badsite.com. get webfilter urlblock www.badsite.com This example shows how to display the configuration for the entire URL block list. show webfilter urlblock If the show command returns you to the prompt, there are no URLs in the list.
[<url_str>] urlexm command keywords and variables Keywords & Variables status {disable | enable} Example Use the following commands to enable and add the Web page www.freedom9.com to the URL exempt list.
config webfilter urlexm
edit www.freedom9.com
set status enable
This example shows how to display the webfilter URL exempt list.
Use this command to block all URLs that match patterns you create using text and regular expressions (or wildcard characters). For example, badsite.* matches badsite.com, badsite.org, badsite.net and so on. The freeGuard 100 blocks Web pages that match any configured pattern and displays a replacement message instead.
This example shows how to enable and add the pattern badsite.* to the URL block list.
config webfilter urlpat
edit badsite.*
set status enable
This example shows how to display the webfilter URL pattern block list. get webfilter urlpat This example shows how to display the settings for the URL pattern www.badsite.*. get webfilter urlpat www.badsite.* This example shows how to display the configuration for the entire URL pattern block list.
The password required to open the configuration file. Example This example shows how to back up a system configuration file from the freeGuard 100 to a TFTP server. The name to give the configuration file on the TFTP server is fgt.cfg. The IP address of the TFTP server is 192.168.1.23.
Reset the freeGuard 100 configuration to factory default settings. Command syntax execute factoryreset Caution: This procedure deletes all changes that you have made to the freeGuard 100 configuration and reverts the system to its original configuration, including resetting interface addresses. Related Commands...
• Configuration changes made to the primary unit (normal system configuration, firewall configuration, VPN configuration and so on stored in the freeGuard 100 configuration file), • Antivirus engine and antivirus definition updates received by the primary unit from the FDN.
Example From the CLI on a subordinate unit, use the following commands to synchronize the antivirus and attack definitions on the subordinate freeGuard 100 with the primary unit after the FDN has pushed new definitions to the primary unit. execute ha synchronize avupd...
Related Commands config system modem execute modem dial 14.10 ping Send an ICMP echo request (ping) to test the network connection between the freeGuard 100 and another network device. Command syntax execute ping {<address_ipv4> | <host-name_str>} Example This example shows how to ping a host with the IP address 192.168.1.23.
Display the current ping-option settings. Example Use the following command to increase the number of pings sent. execute ping-options repeat-count 10 Use the following command to send all pings from the freeGuard 100 interface with IP address Default No default. auto...
Related commands execute ping execute ping6 execute traceroute 14.12 ping6 Send an ICMP echo request (ping) to test the network connection between the freeGuard 100 and an IPv6 capable network device. Command syntax execute ping6 {<address_ipv6> | <host-name_str>} Example This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.
The password required to be able to open the configuration file. Example This example shows how to upload a configuration file from a TFTP server to the freeGuard 100 and restart the freeGuard 100 with this configuration. The name of the configuration file on the TFTP server is backupconfig.
This example shows how to restart the RIP daemon with a grace period of 120 seconds. execute router restart-graceful 120 Related Commands get router info protocols get router info rip get router info routing_table config router rip 14.17 shutdown Shut down the freeGuard 100. Command syntax...
This example sets the system time to 15:31:03: execute time 15:31:03 14.19 traceroute Test the connection between the freeGuard 100 and another network device, and display information about the network hops between the device and the freeGuard 100. Command syntax execute traceroute {<address_ipv4>...
14.21 vpn certificate ca Use this command to import a CA certificate from a TFTP server to the freeGuard 100, or to download a CA certificate from the freeGuard 100 to a TFTP server. Before using this command you must obtain a CA certificate issued by a CA.
Export or import a local certificate and private key as a password protected PKCS12 file. When you back up a freeGuard 100 configuration that includes IPSec VPN tunnels using certificates, you must also back up the local certificate and private key in a password protected PKCS12 file. Before restoring the configuration, you must import the PKCS12 file and set the certificate name to the same as it was in the original configuration.
Use this command to generate a local certificate, to download a local certificate from the freeGuard 100 to a TFTP server, and to import a local certificate from a TFTP server to the freeGuard 100. Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants.
Use the following command to download the local certificate request generated in the above example from the freeGuard 100 to a TFTP server. The example uses the file name testcert for the downloaded file and the TFTP server address 192.168.21.54.
100 from a TFTP server with the address 192.168.21.54. execute vpn certificate local import branch_cert 192.168.21.54...
Certifications This equipment has been tested and found to comply with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference. (2) This device must accept any interference received, including interference that may cause undesired operation.