Page 2
IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE.

This is a Reference Guide for a series of products intended for people who want to configure the Zyxel Device via the Command Line Interface (CLI).

Note: The version number on the cover page refers to the latest firmware version supported by the Zyxel Device.
Page 4
Logs ... 564
Reports and Reboot ... 571
Diagnostics and Remote Assistance ... 577
Session Timeout ... 580
Packet Flow Explore ... 581
Maintenance Tools ... 585
Miscellaneous ... 596
Managed AP Commands ... 603
ZyWALL Series CLI Reference Guide
Page 5
1.6.5 Command History ... 36
1.6.6 Navigation ... 36
1.6.7 Erase Current Command ... 36
1.6.8 The no Commands ... 36
1.7 Input Values ... 36
1.8 Ethernet Interfaces ... 41
1.9 Saving Configuration Changes ... 41
Page 6
6.2 AP Management Value ... 58
6.3 General AP Management Commands ... 59
6.3.1 AP Management Commands Example ... 64
6.4 Remote AP ... 66
6.4.1 Remote AP Notes ... 68
6.4.2 Remote AP Commands ... 68
Page 7
11.2 Wireless Health Commands ... 104
11.2.1 Wireless Health Radio and Station Settings ... 106
11.2.2 Wireless Health Radio and Station Actions ... 107
11.2.3 Wireless Health Command Examples ... 107
Chapter 12 Wireless Frame Capture ... 109
Page 8
16.2.7 OSPF Commands ... 137
16.2.8 Connectivity Check (Ping-check) Commands ... 138
16.3 Ethernet Interface Specific Commands ... 139
16.3.1 MAC Address Setting Commands ... 140
16.3.2 Port Grouping Commands ... 140
16.4 Virtual Interface Specific Commands ... 142
Page 23
73.2 Accessing the AP CLI ... 603
73.3 CAPWAP Client Commands ... 603
73.3.1 CAPWAP Client Commands Example ... 604
73.4 DNS Server Commands ... 606
73.4.1 DNS Server Commands Example ... 606
73.4.2 DNS Server Commands and DHCP ... 606
Page 24
Table of Contents
List of Commands (Alphabetical) ... 608
Page 27
Note: The Zyxel Device might force you to log out of your session if the re-authentication time, lease time, or idle timeout is reached. See Chapter 49 on page 440 for more information about these settings.
Page 28
Note: Before you can access the CLI through the web configurator, make sure your computer supports the Java Runtime Environment. You will be prompted to download and install the Java plug-in if it is not already installed.
Page 29
Figure 4 Web Console: User Name

Enter the user name you want to use to log in to the console. The console begins to connect to the Zyxel Device.

Note: The default login username is admin. It is case-sensitive.
Page 30
If you enter the password correctly, the console screen appears.

Figure 7 Web Console

To use most commands in this User's Guide, enter configure terminal. The prompt should change to Router(config)#.

1.2.3 Telnet

Use the following steps to Telnet into your Zyxel Device.
Page 31
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to C:/Documents and Settings/user/Application Data/SSH/hostkeys/ ey_22_192.168.1.1.pub
host key for 192.168.1.1, accepted by user Tue Aug 09 2005 07:38:28
admin's password:
Authentication successful.
Page 32
• Required fields that have multiple choices are enclosed in curly brackets {}
• A range of numbers is enclosed in angle brackets <>
• Optional fields are enclosed in square brackets []
• The | symbol means OR.
Page 33
After you log into the Zyxel Device, you will see this prompt in User mode:

Router>

Type enable and you will see this prompt in Privilege mode:

Router#

Type configure terminal and you will see this prompt in Configuration mode:

Router(config)#
Page 34
1.6.1 List of Available Commands

A list of valid commands can be found by typing ? or [TAB] at the command prompt. To view a list of available commands within a command group, enter <command> ? or <command> [TAB].
Page 35
1.6.3 Entering Partial Commands

The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the Zyxel Device automatically display the full command.
Page 36
You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may
Page 37
file name (continued): _-. ; first character: letter
description
    Used in keyword criteria for log entries: 1-64 alphanumeric, spaces, or '()+,/:=?;!*#@$_%-.
    Used in other commands: 1-61 alphanumeric, spaces, or '()+,/:=?;!*#@$_%-
distinguished name
    1-511 alphanumeric, spaces, or .@=,_-
Page 38
(previous row, continued): ".conf" at the end
import shell script
    1-26 + ".zysh"; alphanumeric or ;`~!@#$%^&()_+[]{}',.=- ; add ".zysh" at the end
initial string
    1-64 alphanumeric, spaces, or '()+,/:=!*#@$_%-.&
isp account password
    0-63 alphanumeric or `~!@#$%^&*()_\-+={}|\;:'<,>./
isp account username
    0-30 alphanumeric or -_@$./
Page 39
(previous row, continued): -
protocol name
    0-30 alphanumeric or _- ; first character: letters or _-
quoted string less than 127 chars
    1-255 alphanumeric, spaces, or ;/?:@&=+$\.-_!~*'()%,
quoted string less than 63 chars
    1-63 alphanumeric, spaces, or ;/?:@&=+$\.-_!~*'()%
Page 40
(previous row, continued): 1-15 alphanumeric or _- ; less than 15 chars; week-day sequence, i.e. 1=first, 2=second
xauth method
    1-31 alphanumeric or _-
xauth password
    1-31 alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-
mac address
    0-12 (even hexadecimal number); for example: aa, aabbcc, aabbccddeeff
Page 41
Note: This procedure removes the current configuration. Note that there is a space after apply in the command.

Figure 14 Resetting the Zyxel Device

Router> apply /conf/system-default.conf
Page 42
configure
    Use 'configure terminal' to enter configuration mode.
copy
    Copies configuration files.
debug (*)
    For support personnel only! The device needs to have the debug flag enabled.
delete
    Deletes configuration files.
details
    Performs diagnostic commands.
Page 43
Zyxel Device restarts.

Subsequent chapters in this guide describe the configuration commands. User/privilege mode commands that are also configuration commands (for example, 'show') are described in more detail in the related configuration command chapter.
Page 45
(previous command syntax, continued): [profile-name]
show reference object sslvpn application [object_name]
    Displays which configuration settings reference the specified SSL VPN application object.
show reference object crypto map [crypto_name]
    Displays which configuration settings reference the specified VPN connection object.
Page 46
This example shows how to check which configuration is using an address object named LAN1_SUBNET. From the command output, firewall rule 3 named LAN1-to-USG-2000 is using the address object.

Router(config)# show reference object address LAN1_SUBNET
LAN1_SUBNET References:
Category Rule Priority Rule Name Description
===========================================================================
Security Policy Control LAN1-to-USG-2000
Router(config)#
Page 47
(command syntax, continued): usage} {24G | 5G | all} timer
    ... the AP's MAC address.
    timer: a period of time (from 1 to 24 hours) over which the station number is recorded or the traffic flow occurred.
Page 48
You need the MAC address and serial number if you want to pass the Zyxel Device management to Nebula.

Router(config)# show mac
MAC address: 28:61:32:89:37:61-28:61:32:89:37:67
Router(config)# show mem status
memory usage: 39%
Router(config)# show ram-size
ram size: 510MB
Router(config)# show serial-number
serial number: XXXXXXXXXXXXX
Page 51
show security-service status
    Displays whether the security service, such as content filtering or sandboxing, is enabled on the Zyxel Device.
threat-website dashboard statistics flush
    Clears the URL Threat Filter statistics on the dashboard.
content-filter dashboard statistics flush
    Clears the content-filter statistics on the dashboard.
Page 52
system protection signature update signature
    Use this command to update the system protection signatures to the latest version. Make sure the Zyxel Device can access the Cloud Helper Server when you want to update the signatures.
Page 53
Application patrol conveniently manages the use of various applications on the network. After the service is activated, the Zyxel Device can download the up-to-date signature files from the update server.
Page 54
(command syntax, continued): days | after-180-days | after-30-days | every-time | never}
    ... Web Configurator. The screen shows the security services which are not registered or disabled on the Zyxel Device.
show device-register status
    Displays whether the device is registered and account information.
Page 55
The following command displays the account information and whether the device is registered.

Router# configure terminal
Router(config)# show device-register status
username : example
password : 123456
device register status : yes
expiration self check : no
Page 56
The following command displays the FaaS license and network essentials service status.

Router# configure terminal
Router(config)# show device-subscription status
type status: yes
license state: activate
Router(config)# show service-register status network-essentials
Service Status Type Count Expiration Grace Purchasable Activatable
===============================================================================
Network Essentials Activated Standard
Page 57
In the figure below, the repeater (Z) is connected to the root AP (X) using a WiFi connection. X is connected to a wired network. The monitor repeater (Y) is also connected to X using a WiFi connection. Y is monitoring the WiFi network.
Page 58
NWA5560-N supports up to 2 radio slots.)
profile_name
    The wireless LAN radio profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Page 59
(command syntax, continued): } zymesh-profile_name
    ... ZyMesh profile to the radio. See Section 6.1.1 on page 57 for more information on different modes. See also Section 9.6 on page 98 for more information about ZyMesh.
Page 60
[no] override slot_name {output-power | radio-setting | ssid-setting}
    Sets the Zyxel Device to overwrite the AP's output power, radio or SSID profile settings for the specified radio. Use the no command to not overwrite the specified settings.
Page 61
capwap station kick sta_mac
    Forcibly disconnects the specified station from the network.
show capwap ap {all | ap_mac}
    Displays information of all managed APs (all) or information of the AP with the specified MAC address (ap_mac).
Page 62
(previous description, continued): ... AP, in minutes,
show capwap ap wait-list
    Displays a list of connected but as-of-yet unmanaged APs. This is known as the 'wait list'.
show capwap manual-add
    Displays the current manual add option.
Page 63
{lan_port | vlan_interface | all | ethernet | uplink | vlan}
    You can also set this to display settings for a specified port, a specified VLAN, all physical Ethernet ports, the uplink port or all VLANs on the AP.
Page 65
LED Status: N/A
Suppress Mode Status: Enable
Locator LED Status: N/A
Locator LED Time: 0
Locator LED Time Lease: 0
Power Mode: Full
Antenna Switch SW-Control: N/A
Antenna Switch Radio 1: N/A
Antenna Switch Radio 2: N/A
Page 66
This allows you to set up VPN-enabled WiFi APs in remote locations, such as in a branch office or at home. Clients connected to these APs can securely access your network through the VPN tunnel.
Page 67
Chapter 6 AP Management

Figure 16 Remote AP: Secure Tunnel SSID

Figure 17 Remote AP: Local Bridge SSID
Page 68
(previous description, continued): Traffic is tagged with the VLAN ID defined by vlan_id.
no rap slot_name ssid-profile <1..6>
    Removes the SSID profile from the AP.
show sa monitor [ap-description desc] rap
    Displays the current IPSec SA for each Remote AP.
Page 69
(previous description, continued): The interface of the RAP IPSec tunnel on the AP is assigned an IP address from this pool.
show vpn-policy-pool
    Displays the start and end IPv4 address for the Remote AP VPN pool.
Page 70
[no] slot_name zymesh-profile zymesh_profile_name
    ... (in repeater mode) uses to connect to a root AP or repeater. Use the no command to remove the specified profile.
ap-group-profile ap_group_profile_name
    Sets the AP group to which the built-in AP belongs.
Page 71
    Use the no command to not overwrite the specified settings.
sysname system_name
    Sets a name to identify the AP on a network. This is usually the AP's fully qualified domain name. Use the no command to remove the specified setting.
exit
    Exits sub-command mode.
Page 72
(previous command syntax, continued): ap-group-member
[no] member local-ap ap_group_wlan_name
    Specifies the SSID of the built-in AP to which you want to apply the specified AP group profile and add to the group. Use the no command to remove the built-in AP from this group.
Page 73
(command syntax, continued): | wac6503d-s | wac6553d-e} ap_lan_port activate pvid <1..4094>
    Use the no command to remove the specified port and VLAN settings.
    ap_lan_port: the Ethernet LAN port on the managed AP, such as lan1 or lan2.
Page 74
[slot1 | slot2] kickInterval <1..255>
    ... kickout interval in seconds. While load balancing is enabled, the AP periodically disconnects stations at intervals equal to this setting. This occurs until the load balancing threshold is no longer exceeded.
Page 75
show ap-group-profile {all | ap_group_profile_name}
    Displays the settings of the AP group profile(s).
    all: Displays all profiles.
    ap_group_profile_name: Displays the specified profile.
show ap-group-profile ap_group_profile_name load-balancing config
    Displays the load balancing configuration of the specified AP group profile.
Page 76
Router(config)# show ap-group-profile GP1 load-balancing config
AP Group Profile:GP1
load balancing config:
Activate: yes
Kickout: no
Mode: station
Max-sta: 1
Traffic-level: high
Alpha: 5
Beta: 10
Sigma: 60
Timeout: 20
LIInterval: 10
KickoutInterval: 20
Router(config)#
Page 77
No. Name Active VID Member
===========================================================================
vlan0 lan1,lan2,lan3
Router(config)# show ap-group-profile default lan-provision interface vlan0 model nwa5301-nj
active: yes
interface name: vlan0
VID: 1
member: lan1&lan2&lan3
lan1_tag: untag
lan2_tag: untag
lan3_tag: untag
Router(config)#
Page 78
AP group. It also shows whether the lan1 port is enabled and what the port's VLAN ID is.

Router(config)# show ap-group-profile default lan-provision interface ethernet model nwa5301-nj
No. Name Active PVID
===========================================================================
uplink
lan1
lan2
lan3
Router(config)# show ap-group-profile default lan-provision interface lan1 model nwa5301-nj
Name Active PVID
===========================================================================
lan1
Router(config)#
Page 79
wireless_channel_5g
    Sets the 5 GHz channel used by this radio profile. The channel range is 36 ~ 165.
    Note: Your choice of channel may be restricted by regional regulations.
wlan_htcw
    Sets the HT channel width. Select either 20, 20/40 or 20/40/80.
Page 80
    The default is 36.
5g-multicast-speed wlan_5g_basic_speed
    When you disable multicast to unicast, use this command to set the data rate { 6.0 | 9.0 | … } in Mbps for 5 GHz multicast traffic.
Page 81
    ... A-MPDU except in environments that are prone to high error rates. By default this is enabled.
limit-amsdu <2290..4096>
    Sets the maximum frame size to be aggregated using MPDU. The default is 4096.
Page 82
Be sure to select the correct/same country for both radios on an AP and all connected APs, in order to prevent roaming failure and interference to other systems.
country_code: 2-letter country codes, such as TW, DE, or FR.
Page 83
dcs schedule <hh:mm> {mon|tue|wed|thu|fri|sat|sun}
    Sets what time of day (in 24-hour format) the AP starts to use DCS on the specified day(s) of the week.
Page 84
    ... WiFi clients. The country code tells clients where the AP is located.
    Note: Run this command if WiFi clients are unable to connect to the AP because of an incompatible country code.
max-sw-retries <0..10>
Page 85
[no] ssid-profile wlan_interface_index ssid_profile
    Assigns an SSID profile to this radio profile. Requires an existing SSID profile. Use the no parameter to disable it.
subframe-ampdu <2..64>
Page 86
    ... <1~10000> packets per second.
exit
    Exits configuration mode for this profile.
no storm-control ethernet ap mac_address
    Disables Ethernet broadcast and multicast storm control, and removes all Ethernet storm control settings for the specified
Page 87
[no] 5g-scan-channel wireless_channel_5g
    ... frequency range. Use the no parameter to disable it.
scan-dwell <100..1000>
    Sets the duration in milliseconds that the device using this profile scans each channel.
exit
    Exits configuration mode for this profile.
Page 89
wlan-ssid-profile rename ssid_profile_name1 ssid_profile_name2
    Gives an existing SSID profile (ssid_profile_name1) a new name (ssid_profile_name2).
[no] wlan-ssid-profile ssid_profile_name
    Enters configuration mode for the specified SSID profile. Use the no parameter to remove the specified profile.
Page 90
In this mode, all of the wireless station's traffic is routed through the associated AP's gateway and tagged with the VLAN ID set by the vlan-id command. This is the default data forwarding mode.
Page 91
vlan-id <1..4094>
    Applies to each SSID profile that uses localbridge. If the VLAN ID is equal to the AP's native VLAN ID then traffic originating from the SSID is not tagged. The default VLAN ID is 1.
exit
    Exits configuration mode for this profile.
Page 92
wlan-security-profile rename security_profile_name1 security_profile_name2
    Gives an existing security profile (security_profile_name1) a new name (security_profile_name2).
[no] wlan-security-profile security_profile_name
    Enters configuration mode for the specified security profile. Use the no parameter to remove the specified profile.
Page 93
    The default is 300.
[no] internal-eap-proxy activate
    Allows the Zyxel Device to act as a proxy server and forward the authentication packets to the connected RADIUS server. Use the no parameter to disable it.
Page 94
no server-auth <1..2>
    Clears the server authentication setting.
[no] transition-mode
    Enables backward compatibility when used with WPA3 or Enhanced Open security mode. WPA3 falls back to WPA2, while Enhanced Open falls back to open (none).
Page 95
The following example creates a security profile with the name 'SECURITY01'.

Router(config)# wlan-security-profile SECURITY01
Router(config-security-profile)# mode wpa2
Router(config-security-profile)# wpa-encrypt aes
Router(config-security-profile)# wpa-psk 12345678
Router(config-security-profile)# idle 3600
Router(config-security-profile)# reauth 1800
Router(config-security-profile)# group-key 1800
Router(config-security-profile)# exit
Router(config)#
Page 96
Router(config-wlan-security GuestSecurity)# mode wpa2
Router(config-wlan-security GuestSecurity)# wpa-psk guest123
Router(config-wlan-security GuestSecurity)# exit
Router(config)#

Enter the Guest SSID profile sub-command mode. Apply the GuestSecurity security profile to this SSID.

Router(config)# wlan-ssid-profile Guest
Router(config-wlan-ssid Guest)# security GuestSecurity
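As an added example (not code from the guide or from Zyxel), the following Python audit reads security and SSID profiles written in the command style of the two examples above, parses each sub-command block up to its exit, and reports settings a defender would question: a non-WPA2/WPA3 mode, a short or single-class pre-shared key, a WPA3 profile with transition-mode (fallback to WPA2, as described in the command summary), and an SSID that references a security profile that does not exist. The mode keywords other than wpa2 (none, wpa3), the 12-character minimum and the exported-configuration input format are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the ZyWALL CLI command style shown on this page.
# Assumption: an exported configuration or a console transcript lists the
# same commands one per line, with sub-command mode blocks ending in "exit".
SAMPLE_CONFIG = """\
wlan-security-profile SECURITY01
  mode wpa2
  wpa-encrypt aes
  wpa-psk 12345678
  idle 3600
  reauth 1800
  group-key 1800
  exit
wlan-security-profile GuestSecurity
  mode wpa2
  wpa-psk guest123
  exit
wlan-security-profile Legacy
  mode none
  exit
wlan-security-profile Strong
  mode wpa3
  wpa-encrypt aes
  wpa-psk Tr0ub4dor-and-3-more-words
  transition-mode
  exit
wlan-ssid-profile Guest
  security GuestSecurity
  exit
wlan-ssid-profile Corp
  security Strong
  exit
wlan-ssid-profile Orphan
  security DoesNotExist
  exit
"""

MIN_PSK_LEN = 12  # assumption: a local policy value; the CLI itself accepts shorter keys

def parse_profiles(text: str) -> Tuple[Dict[str, Dict[str, str]], Dict[str, str]]:
    """Return (security profile name -> settings, SSID profile name -> security profile name)."""
    security: Dict[str, Dict[str, str]] = {}
    ssid_to_sec: Dict[str, str] = {}
    current = None  # (block kind, profile name) while inside a sub-command block
    for raw in text.splitlines():
        # Tolerate a console transcript: drop a leading "Router(config...)# " prompt.
        line = re.sub(r"^Router\([^)]*\)#\s*", "", raw.strip())
        if not line:
            continue
        m = re.match(r"^(wlan-security-profile|wlan-ssid-profile)\s+(\S+)$", line)
        if m:
            current = (m.group(1), m.group(2))
            if m.group(1) == "wlan-security-profile":
                security.setdefault(m.group(2), {})
            continue
        if line == "exit":
            current = None
            continue
        if current is None:
            continue  # top-level command we do not model
        kind, name = current
        key, _, value = line.partition(" ")  # keyword-only commands get value ""
        if kind == "wlan-security-profile":
            security[name][key] = value
        elif kind == "wlan-ssid-profile" and key == "security":
            ssid_to_sec[name] = value
    return security, ssid_to_sec

def audit(text: str) -> List[str]:
    """Return one human-readable finding per questionable setting."""
    security, ssid_to_sec = parse_profiles(text)
    findings: List[str] = []
    for name, s in security.items():
        mode = s.get("mode", "none")
        if mode not in ("wpa2", "wpa3"):
            findings.append(f"{name}: mode '{mode}' is not WPA2/WPA3")
        if s.get("wpa-encrypt", "aes") != "aes":
            findings.append(f"{name}: wpa-encrypt '{s['wpa-encrypt']}' is weaker than aes")
        psk = s.get("wpa-psk")
        if mode in ("wpa2", "wpa3") and psk is not None:
            if len(psk) < MIN_PSK_LEN:
                findings.append(f"{name}: wpa-psk shorter than {MIN_PSK_LEN} characters")
            if psk.isdigit() or psk.isalpha():
                findings.append(f"{name}: wpa-psk uses a single character class")
        if mode == "wpa3" and "transition-mode" in s:
            findings.append(f"{name}: transition-mode allows fallback to WPA2")
    for ssid, sec in ssid_to_sec.items():
        if sec not in security:
            findings.append(f"SSID {ssid}: references missing security profile '{sec}'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The same parser accepts the prompt-prefixed transcript form of the examples above, so a pasted console session can be audited without reformatting.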
Page 97
9.5.1 MAC Filter Profile Example

The following example creates a MAC filter profile with the name 'MACFILTER01'.

Router(config)# wlan-macfilter-profile MACFILTER01
Router(config-macfilter-profile)# filter-action deny
Router(config-macfilter-profile)# 01:02:03:04:05:06 description MAC01
Router(config-macfilter-profile)# 01:02:03:04:05:07 description MAC02
Router(config-macfilter-profile)# 01:02:03:04:05:08 description MAC03
Router(config-macfilter-profile)# exit
Router(config)#
Page 98
Table 29 Input Values for General ZyMesh Profile Commands
LABEL DESCRIPTION
zymesh_profile_name
    The ZyMesh profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Page 99
exit
    Exits configuration mode for this profile.
zymesh provision-group ac_mac
    Enters the ZyMesh Provision Group MAC address of the primary AP controller in your network to use this Zyxel Device to replace the primary AP controller.
Page 100
Table 32 Command Summary: Rogue AP Detection
COMMAND DESCRIPTION
rogue-ap detection
    Enters sub-command mode for rogue AP detection.
[no] activate
    Activates rogue AP detection. Use the no parameter to deactivate rogue AP detection.
Page 101
Router(config)# rogue-ap detection
Router(config-detection)# rogue-ap 00:13:49:11:11:11 rogue
Router(config-detection)# friendly-ap 00:13:49:11:11:22 friendly
Router(config-detection)# no rogue-ap 00:13:49:11:11:11
Router(config-detection)# exit

This example displays the rogue AP detection list.

Router(config)# show rogue-ap detection list
rogue description contain
===========================================================================
00:13:49:18:15:5A
Page 102
APs). This means if we add a MAC address of a device to the containment list, then every AP on the network will respect it.

Note: Containing a rogue AP means broadcasting unviable login data at it, preventing legitimate wireless clients from connecting to it. This is a kind of Denial of Service attack.
Page 103
10.4.1 Rogue AP Containment Example

This example contains the device associated with MAC address 00:13:49:11:11:12 then displays the containment list for confirmation.

Router(config)# rogue-ap containment
Router(config-containment)# activate
Router(config-containment)# contain 00:13:49:11:11:12
Router(config-containment)# exit
Router(config)# show rogue-ap containment list
=====================================================================
00:13:49:11:11:12
Page 104
(previous row, continued): ... 10 alert {2.4G | 5G | all}; ... the most times.
show sta-info top 10 alert {2.4G | 5G | all}
    Displays how many times the client is in a poor state of wireless health.
Page 105
sta: Configure wireless health settings for the wireless clients which are connected to the supported APs in Zyxel Device networks. See Section 11.2.1 on page 106 for more information on station settings commands.
Page 106
... Device will steer the wireless clients to an AP with a strong signal if the AP the clients are connected to has to try 10 times before it can send out packets successfully.
data-collect-interval: Configure the time period over which the client wireless health state is recorded.
Page 107
Table 39 Wireless Health Action Aggressiveness Comparison
AGGRESSIVENESS LEVEL | TRAFFIC LEVEL | CHANGE CHANNEL BANDWIDTH/DCS
(level) | Little traffic |
(level) | Medium traffic |
(level) | Heavy traffic |
High | Little traffic |
High | Medium traffic |
High | Heavy traffic |
(The action column values of this table are not recoverable from this extraction.)
Page 108
The example below shows you how to accomplish this task.

Router> configure terminal
Router(config)# wireless-health-action aggressiveness high standard
Router(config)# wireless-health-action aggressiveness low
Router(config)# exit
Router# show wireless-health-action
radio-24g: none
radio-5g: none
station: none
aggressiveness: low
Page 109
file_name
    The file name prefix for each captured file. The default prefix is monitor while the default file name is monitor.dump. You can use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This string is case-sensitive.
Page 110
12.2.2 Remote Packet Capture

Remote packet capture allows you to capture network traffic going through an AP, and output the captured packets to a packet analyzer (also known as a network or protocol analyzer) such as Wireshark.
Page 111
DESCRIPTION
show capwap ap all lite2
    Lists all connected APs, and shows whether they support packet capture and remote packet capture.
show remote-capture status
    Shows whether remote capture is currently running on the Zyxel Device.
Page 112
Table 43 Command Summary: DCS
COMMAND DESCRIPTION
dcs now {ap_mac | profile_name}
    Sets the managed AP to scan for and select an available channel immediately.
Page 113
    ... APs three times.
auto-healing healing-threshold
    Sets a minimum signal strength. A managed AP is added to the neighbor lists only when the signal strength of the AP is stronger than the specified threshold.
Page 114
... AP increase their output power.

Router(config)# auto-healing activate
Router(config)# auto-healing power-threshold -70
Router(config)# show auto-healing config
auto-healing activate: yes
auto-healing interval: 10
auto-healing power threshold: -70 dBm
auto-healing healing threshold: -85 dBm
auto-healing margin: 0
Router(config)#
Page 115
15.2.1 LED Suppression Commands Example

The following example activates LED suppression mode on the AP with the MAC address 00:a0:c5:01:23:45 and displays the settings.

Router(config)# led_suppress 00:a0:c5:01:23:45 enable
Router(config)# show led_suppress 00:a0:c5:01:23:45 status
Suppress Mode Status : Enable
Router(config)#
Page 116
... 00:a0:c5:01:23:45, sets how long the locator LED stays blinking, and also displays the settings.

Router(config)# led_locator 00:a0:c5:01:23:45 blink-timer 5
Router(config)# led_locator 00:a0:c5:01:23:45 on
Router(config)# show led_locator 00:a0:c5:01:23:45 status
Locator LED Status : ON
Locator LED Time : 5
Router(config)#
Page 117
• VPN Tunnel Interface (VTI) encrypts or decrypts IPv4 traffic from or to the interface according to the IP routing table.
• Link Aggregation Group (LAG) interfaces combine multiple physical Ethernet interfaces into a single logical interface, thus increasing uplink bandwidth and availability in the event a link goes down.
Page 118
(Interface characteristics table; only the column headings and row labels survive in this extraction.)
Columns: ... | VLAN | BRIDGE | VIRTUAL
Name*: wan1, wan2, lan1, ext-wlan, dmz / vlanx / pppx
Rows: Configurable Zone; IP Address Assignment (Static IP address, DHCP client, Routing metric); Interface Parameters (Bandwidth restrictions, Packet size (MTU), Data size (MSS)); DHCP
Page 119
* For WLAN interfaces, the first number identifies the slot and the second number identifies the individual interface.
** Cellular interfaces can be added to the WAN zone or no zone.
Page 120
You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPPoE/PPTP interface on top of it.
Page 121
(command syntax, continued): {interface_name | all}
    ... IPv6 interfaces.
show ipv6 static address interface
    Displays the static IPv6 addresses configured on the specified IPv6 interface.
show ipv6 nd ra status config_interface
    Displays the specified IPv6 interface's IPv6 router advertisement configuration.
Page 122
[no] mtu <576..1500>
    Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The Zyxel Device divides larger packets into smaller fragments. The no command resets the MTU to 1500.
Page 123
(command syntax, continued): <3..1350>
    ... interval.
nd ra max-rtr-interval <4..1800>
    Sets the maximum IPv6 router advertisement transmission interval.
nd ra reachable-time <0..3600000>
    Sets the amount of time a remote IPv6 node is considered reachable after a reachability confirmation event.
Page 124
dhcp6-lease-object dhcp6_profile
    For a DHCPv6 server interface, specify the profile of DHCPv6 lease settings to offer to DHCPv6 clients.
dhcp6-request-object dhcp6_profile
    For a DHCPv6 client interface, specify the profile of DHCPv6 request settings that determine what additional information to get from the DHCPv6 server.
Page 125
dhcp6 rapid-commit
    Has the Zyxel Device use the full four-step DHCPv6 message exchange process.
    Note: Make sure you also disable this option in the DHCPv6 clients.
dhcp6-lease-object dhcp6_profile
    Removes the specified profile of DHCPv6 lease settings to offer to DHCPv6 clients.
Page 126
interface-rename old_user_defined_name new_user_defined_name
    Modifies the user-defined name of a PPP or an Ethernet interface.

16.2.1.1 Basic Interface Properties Command Examples

The following commands make Ethernet interface ge1 a DHCP client.

Router# configure terminal
Router(config)# interface ge1
Router(config-if)# ip address dhcp
Router(config-if)# exit
Page 127
This example also shows how to change the user-defined name from Partner to Customer using the "interface-name" command.

Router(config)# interface-rename VIP Partner
Router(config)# show interface-name
System Name User Defined Name
===========================================================================
Partner
Router(config)#
Router(config)# interface-name ge4 Customer
Router(config)# show interface-name
System Name User Defined Name
===========================================================================
Customer
Page 128
- enable on the interface which connects to a router running IGMP that is closer to the multicast server
igmp version <1..3>
    Sets the IGMP version to be used on this Zyxel Device interface.
Page 129
Zyxel Device will answer ARP requests coming from the WAN only if they contain 192.168.1.5 as the target IP address. The no command disables the proxy ARP target IP address, IP address range or IP address subnet on this interface.
Page 130
    Use this to show the specified interface and to which devices it has assigned static IP addresses.
show ip dhcp dhcp-options
    Shows the DHCP extended option settings.
show ip dhcp pool [profile_name]
    Shows information about the specified DHCP pool or about all DHCP pools.
Page 131
[no] client-name host_name
    Specifies the host name that appears in the DHCP client list. The no command clears this field.
    host_name: You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Page 132
[no] third-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | ZyWALL}
    Sets the third DNS server to the specified IP address, the specified interface’s first, second, or third DNS server, or the Zyxel Device itself. The no command resets the setting to its default value.
Page 133
show ip dhcp binding [ip]
    Displays information about DHCP bindings for the specified IP address or for all IP addresses.
clear ip dhcp binding {ip |
    Removes the DHCP bindings for the specified IP address or for all IP addresses.
Page 134
IP address to provide to the SIP clients.

Router# configure terminal
Router(config)# ip dhcp DHCP_TEST
Router(config-ip-dhcp-)# dhcp-option 120 sip ip 192.168.1.20
Router(config-ip-dhcp-)# exit

16.2.4.3 CSV File Example

The following example shows how to configure a csv file.
Page 136
Chapter 19 on page 179 for more information about routing protocols.
[no] ip rip v2-broadcast
    Enables RIP-2 packets using subnet broadcasting. The no command uses multicasting.
show rip {global | interface {all | interface_name}}
    Displays RIP settings.
Page 137
[no] ip ospf retransmit-interval <1..65535>
    Sets the number of seconds the Zyxel Device waits for an acknowledgment in response to a link state advertisement before it re-sends the advertisement. Link state advertisements (LSA) are used to share the link state and routing information between routers.
Page 138
TCP connectivity check.
probe-condition: if you ping two IP addresses or domain names, determines whether the check fails only if both addresses fail to respond (any) or if at least one fails to respond (all).
Page 139
When you configure the WAN or the LAN IPv4 networks, please note that they must not conflict with each other. The Zyxel Device will not automatically change the LAN IPv4 subnet if the WAN IPv4 address conflicts with the LAN IPv4 networks you configure.
Page 140
Note: In CLI, representative interfaces are also called representative ports.

Table 63 Basic Interface Setting Commands
COMMAND DESCRIPTION
show port-grouping
    Displays which physical ports are assigned to each representative interface.
port status Port<1..x>
    Enters a sub-command mode to configure the specified port’s settings.
Page 142
Zyxel Device model supports.
profile_name
    The name of the ISP account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Page 143
DHCPv6 message exchange process.
[no] ipv6 dhcp6 address-request
    Gets this interface’s IPv6 address from the DHCPv6 server. The no command has the Zyxel Device not get this interface’s IPv6 address from the DHCPv6 server.
Page 144
The following commands show you how to connect and disconnect ppp0.

Router# interface dial ppp0
Router# interface disconnect ppp0

16.6 Cellular Interface Specific Commands

Use a 3G (Third Generation) cellular device with the Zyxel Device for wireless broadband Internet access.
Page 145
[no] budget time active <1..672>
    Sets the amount of time (in hours) that the 3G connection can be used within one month. If you change the value, the Zyxel Device resets the statistics. Use the no command to disable time budget control.
Page 146
<1..65535>] exceeded. You can configure the percentage using the budget percentage command. You can also set how often (from 1 to 65535 minutes) to send the log or alert.
Page 147
SIM card is expired, the user failed to pay for the service and so on; you cannot connect to the Internet.
Device detected
    Displays when you connect a 3G device.
Page 148
Need auth-password
    You need to enter the password for the 3G card in the cellular edit screen.
Device ready
    The Zyxel Device successfully applied all of your configuration and you can use the 3G connection.
Page 149
USB 1
service provider: Chunghwa Telecom
cellular system: WCDMA
signal strength: -95 dBm
signal quality: Poor
device type: WCDMA
device manufacturer: Huawei
device model: E220/E270/E800A
device firmware: 076.11.07.106
device IMEI/ESN: 351827019784694
SIM card IMSI: 466923100565274
Page 150
tunnel destination ipv4
    Configures the outer destination IP address of the tunneled IPv4 packets.
ip address ipv4 ipv4
    Sets the inner source IP of packets sent through the tunnel interface.
tunnel mode ip gre
    Sets this interface to use GRE tunnel mode.
Page 151
traffic-prioritize {tcp-ack|content-filter|dns} priority-code <0..7> deactivate
    Turns off traffic priority settings for when the interface sends the specified type of traffic.
exit
    Leaves the sub-command mode.
show interface tunnel_iface
    Displays the specified tunnel’s settings.
show interface tunnel status
    Displays the status of the tunnel interfaces.
Page 152
<percentage|megabyte>
    Device send a warning message when the remaining USB storage space is less than the set value.
usb-storage mount
    Mounts the connected USB storage device.
usb-storage umount
    Unmounts the connected USB storage device.
Page 153
Insert the USB stick into the Zyxel Device. The firmware uploads to the standby system space. The SYS LED blinks when the Zyxel Device automatically reboots, making the upgraded firmware in standby become the running firmware.
Page 154
usb-storage warn <10..99> percentage
    Sets a warning to display when available USB storage falls below the specified percentage.
usb-storage warn <100..9999> megabyte
    Sets a warning to display when available USB storage falls below the specified number of megabytes.
Page 155
Ethernet interface: For some Zyxel Device models, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your Zyxel Device model. For other Zyxel Device models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
Page 156
For other Zyxel Device models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
VLAN interface: vlanx, x = 0 - 4094
bridge interface: brx, x = 0 - N, where N depends on the number of bridge interfaces your Zyxel Device model supports.
Page 157
Note: At the time of writing, up to 4 ports can be grouped into a LAG and up to 4 LAGs can be configured on a Zyxel Device.
Page 158
• mii monitoring monitors the state of the local interface; it can’t tell if the link can transmit or receive packets.
• none means no link monitoring is done.
Page 159
show lag available slaves
    Displays the available slaves that could be added to a LAG.
show interface lag
    Displays interface details for all LAG interfaces.
show interface lagx
    Displays interface details for LAG x.
Page 161
Ethernet interface: For some Zyxel Device models use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your Zyxel Device model. For other Zyxel Device models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
VLAN interface: vlanx, x = 0 - 4094
Page 162
DR or BDR. The no command sets the priority to 1.
ip ospf cost <1..65535>
    Sets the cost (between 1 and 65,535) to route packets through this interface. The no command sets the priority to 10.
Page 163
WAN interface is down or disabled, the Zyxel Device will discard the outgoing VPN traffic instead of forwarding it through another active WAN interface.
Note: The command takes effect after you restart the Zyxel Device.
Page 164
IP address: 1.1.1.1
netmask: 255.255.255.0
upstream: 10000
downstream: 10000
metric: 5
Router(config)#
Router(config)# crypto map test
Router(config-crypto test)# scenario vpn-tunnel-interface
Router(config-crypto test)# exit
Router(config)# binding interface vti0 crypto-map test
Router(config)#
Page 165
Suppose ISP A has better connections to Europe while ISP B has better connections to Australia. You could use policy routing and trunks to send traffic for your European branch offices primarily through ISP A and traffic for your Australian branch offices primarily through ISP B.
Page 166
interface {num|append|insert num} interface-name [weight <1..10>|limit <1..2097152>|passive]
    This subcommand adds an interface to a trunk. Sets the interface’s number. It also sets the interface’s weight and spillover limit or sets it to be passive.
Page 167
The Zyxel Device sends new session traffic through the least utilized of these interfaces.

Router# configure terminal
Router(config)# interface-group llf-example
Router(if-group)# mode trunk
Router(if-group)# algorithm llf
Router(if-group)# interface 1 ge3
Router(if-group)# interface 2 vlan5
Router(if-group)# loadbalancing-index outbound
Router(if-group)# exit
Router(config)#
Page 168
1000 kbps. The Zyxel Device sends anything over 1000 kbps through ge3.

Router# configure terminal
Router(config)# interface-group spill-example
Router(if-group)# mode trunk
Router(if-group)# algorithm spill-over
Router(if-group)# interface 1 ge1 limit 1000
Router(if-group)# interface 2 ge3 limit 1000
Router(if-group)# loadbalancing-index total
Router(if-group)# exit
Router(config)#
Page 169
If clients are connected to LAN1 on the Zyxel Device, then you need to create two policy routes with SNAT enabled:
• Client_Route - Incoming interface: LAN1, SNAT: 6.6.6.6.
• Device_Route - Incoming interface: ZyWALL, SNAT: 6.6.6.7.
Page 170
prefix
    The IPv6 prefix length, 0 - 128.
gatewayv6
    The IPv6 address of the specified gateway.
ipv6_addr
    An IPv6 address.
ipv6_global_addre
    An IPv6 address excluding the link-local address (fe80::).
ipv6_link_local
    An fe80:: IPv6 address.
Page 171
Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 175 for more details. dscp_class can also be set to cs0 through cs7.
Page 172
[no] tunnel tunnel_name
    The no command removes the IPSec VPN tunnel through which the incoming packets are received.
[no] user user_name
    Sets the user name. The no command resets the user name to the default (any). any means all users.
Page 173
IP address to the default (any). any means all IP addresses.
[no] srcport {profile_name|any}
    Sets the source port that the matched packets must have. The no command resets the source port to the default (any). any means all ports.
Page 174
show policy-route controll-virtual-server-rules
    Displays whether or not policy routes have priority over NAT virtual server rules (1-1 SNAT).
Page 175
18.2.2 Policy Route Command Example

The following commands create two address objects (TW_SUBNET and GW_1) and insert a policy that routes the packets (with the source IP address TW_SUBNET and any destination IP address) through the
Page 176
R1 (via gateway R2). The static routes are for you to tell the Zyxel Device about the networks beyond the network connected to the Zyxel Device directly.
Page 177
NAT virtual server rules. Use the no command to give NAT virtual server rules priority over static routes.
show ip route control-virtual-server-rules
    Displays whether or not static routes have priority over NAT virtual server rules (1-1 SNAT).
Page 178
2001:12::12 2002:22:22:34:: Fe80::1:2

The following command deletes a specific static IPv6 route.

Router(config)# no ip6 route 2002:22:22:34::/64 2001:12::12

The following command deletes all static IPv6 routes with the same prefix.

Router(config)# no ip6 route 2002:22:22:34::/64
Page 179
    The 32-bit name of the area or virtual link in IP address format.
authkey
    The password for text or MD5 authentication. You may use alphanumeric characters or underscores (_).
    text password: 1-8 characters long
    MD5 password: 1-16 characters long

The following sections list the routing protocol commands.
Page 180
[no] passive-interface interface_name
    The no command sets the direction to “BiDir”.
[no] router-id IP
    Sets the 32-bit ID (in IP address format) of the Zyxel Device. The no command resets it to “default”, or the highest available IP address.
Page 181
[no] area IP virtual-link IP authentication-key authkey
    Sets the password for text authentication in the specified virtual link. The no command clears the password.
[no] area IP virtual-link IP encrypted-authentication-key <ciphertext>
    Sets the ciphertext for text encryption in the specified virtual link. The no command clears the ciphertext.
Page 182
The Zyxel Device supports eBGP (exterior Border Gateway Protocol) to route IPv4 traffic between routers in different Autonomous Systems (AS). An AS number is a number from 1 to 4294967295 that identifies an autonomous system. 4200000000 – 4294967294 are private AS numbers.
Page 183
System Default Allow From DMZ To ZyWALL
Default_Allow_v6_WAN_To_ZyWALL Common System Default Allow IPv6 Form WAN To ZyWALL
Default_Allow_v6_DMZ_To_ZyWALL Common System Default Allow IPv6 From DMZ to ZyWALL DHCPv6 Common
Default_Allow_v6_any_to_ZyWALL System Default Allow IPv6 From any To ZyWALL
Router(config)#
Page 184
Zyxel Device from attempting BGP connections to external peers on indirectly connected networks.
[no] maximum-paths <1..255>
    Sets the maximum number of paths allowed to a peer BGP router in a neighboring AS. The no command clears the maximum paths.
Page 185
[summary | route | mem]
show ip bgp neighbor ipv4 [advertised-routes | prefix-counts | routes]
    Displays route information to the specified peer BGP router.
show ip route bgp
    Displays IP Address/Netmask, gateway, interface, metric, flags and persist information.
Page 186
Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface, and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run.

Figure 19 Example: Zones
Page 187
IPSec VPN tunnel from the specified zone. profile_name
[no] sslvpn profile_name
    Adds the specified SSL VPN tunnel to the specified zone. The no command removes the specified SSL VPN tunnel from the specified zone.
Page 188
The following commands add Ethernet interfaces ge1 and ge2 to zone A.

Router# configure terminal
Router(config)# zone A
Router(zone)# interface ge1
Router(zone)# interface ge2
Router(zone)# exit
Router(config)# show zone
No. Name Member
===========================================================================
ge1,ge2
Router(config)# show zone A
No. Type Member
===========================================================================
interface
interface
Page 189
Note: Record your DDNS account’s user name, password, and domain name to use to configure the Zyxel Device. After you configure the Zyxel Device, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly.
Page 190
[no] custom ip
    Sets the static IP address in the specified DDNS profile. The no command clears it.
[no] backup-custom ip
    Sets the static IP address for the backup interface in the specified DDNS profile. The no command clears it.
Page 191
The following example sets up a DDNS profile where the interface is wan1 and uses HTTP.

Router# configure terminal
Router(config)# ip ddns profile bbb
# activate
# service-type user-custom
# username yjyeh001 password xxxxxx
# host yjye007.dyndns.org
# wan-iface wan1
# url /nic/update?
# ddns-server members.dyndns.org
# additional-ddns-options --dyndns_system dyndns@dyndns.org
Page 192
profile_name
    The name of the virtual server. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

The following table lists the virtual server commands.
Page 193
[deactivate] | nat-1-1-map [deactivate] | deactivate]
    This makes computers on a private network behind the Zyxel Device available to a public network outside the Zyxel Device (like the Internet). The deactivate command disables the virtual server rule.
Page 194
10.0.0.8 to 192.168.1.56 for TCP protocol traffic on port 1720. It also adds a NAT loopback entry.

Router# configure terminal
Router(config)# ip virtual-server WAN-LAN_H323 interface wan1 original-ip 10.0.0.8 map-to 192.168.1.56 map-type port protocol tcp original-port 1720 mapped-port 1720 nat-loopback
Router(config)#
Page 195
You need a NAT rule to send HTTP traffic coming to IP address 1.1.1.2 on ge2 (wan1) to the HTTP server’s private IP address of 192.168.3.7. Use the following settings:
• This NAT rule is for any HTTP traffic coming in on ge2 (wan1) to IP address 1.1.1.2.
Page 196
To resolve this, you set up three identical web servers on the DMZ behind the Zyxel Device (Figure 21 on page 197). The Zyxel Device then distributes incoming requests between the three servers. Clients only see one virtual web server with IP address 1.1.1.2.
Page 197
You create a virtual server load balancing rule using IP address 10.0.1.100 and port 25, and add two SMTP servers from LAN 2 to the rule. Now clients on LAN 1 can access the virtual server’s SMTP service by connecting to 10.0.1.100 port 25. Clients see a single mail server.
Page 198
Chapter 22 Virtual Servers

Figure 22 Virtual Server on LAN

22.3.3 Virtual Server Load Balancing Process

The following gives an overview of how the Virtual Server Load Balancing process works.
Page 199
Note: One real server can belong to multiple load-balancing rules.
Note: You can only add one interface, IP address, and port to each load balancing rule.
Note: Virtual servers and real servers only support IPv4.
Page 201
192.168.100.100, or you can enter the name of an IPv4 interface object.
service
    The name of a service object, for example SMTP. For details on creating service objects, see Chapter 53 on page 468.
Page 202
When enabled, the Zyxel Device periodically sends a request to each real server. This request ensures that the server is available, and optionally ensures that a specific service on the server is running.
Page 203
health dns query fqdn
    Sets the fully qualified domain name (FQDN) to send to the real server when health check type is set to DNS.
no ip virtual-server load-balancer name
    Deletes the load balancing rule.
ip virtual-server load-balancer rename old_name new_name
    Renames the load balancing rule.
Page 204
show ip virtual-server load-balancer statistics name
    Displays statistics about how many requests and how much data each load balancing rule has processed.
show ip virtual-server load-balance statistics rate name
    Displays statistics about the average input and output speed for each load balancing rule.
Page 205
= the number of the bridge interface, y = 1 - 4
PPPoE/PPTP interface: pppx, x = 0 - N, where N depends on the number of PPPoE/PPTP interfaces your Zyxel Device model supports.
Page 206
Router# configure terminal
Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80
Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80 deactivate
Router(config)# show ip http-redirect
Name Interface Proxy Server Port Active
===========================================================================
example1 10.10.2.3
Page 207
24.2 SMTP Redirect

SMTP redirect forwards the authenticated client’s SMTP message to an SMTP server that handles all outgoing e-mail messages. The Zyxel Device forwards SMTP traffic using TCP port 25.
Page 208
[no] name profile_name
    The no command restores the name to default.
[no] port <1..65535>
    Sets the service port for the Redirect rule. The no command restores the http-redirect port to 80, and the smtp-redirect port to 25.
Page 209
redirect-service insert <1..20>
    Inserts a new Redirect rule at the specified location and enters sub-command mode.
redirect-service move <1..20> to <1..20>
    Moves a Redirect rule to the specified location.
show redirect-service <1..20>
    Displays details of the specified Redirect rule.
Page 210
80
id: 2
redirect service rule: 4
active: yes
name: test
service: smtp-redirect
user: admin
incoming interface: ge4
source address: any
server: 1.1.1.1
port: 11111
id: 3
Router(config)#
Page 211
VoIP traffic based on the firewall rules. You do not need to use a TURN (Traversal Using Relay NAT) server for VoIP devices behind the Zyxel Device when you enable the SIP ALG.
Page 212
H.323 or FTP data payload. The no command turns off the H.323 or FTP ALG or removes the settings that you specify.
show alg <sip | h323 | ftp>
    Displays the specified ALG’s configuration.
Page 213
Chapter 25 ALG

25.3 ALG Commands Example

The following example turns on pass through for SIP and turns it off for H.323.

Router# configure terminal
Router(config)# alg sip
Router(config)# no alg h323
Page 214
WAN interface. If the other WAN interface also does not work, the Zyxel Device drops outgoing packets from UPnP-enabled or NAT-PMP-enabled applications.
[no] listen-interface interface_name
    Enables UPnP and/or NAT-PMP on an internal interface. The no command disables UPnP and/or NAT-PMP on the interface.
Page 215
Router(config-upnp)# listen-interface lan1
Router(config-upnp)# listen-interface lan2
Router(config-upnp)# exit
Router(config)# show ip upnp status
upnp active: yes
nat-pmp active: yes
bypass-firewall active: no
link-sticking outgoing: all
Router(config)# show ip upnp listen-interface
interface
===============================================================================
lan1
lan2
Router(config)#
Page 216
Router(config)# no ip upnp port-mapping port 5566 type tcp
Router(config)# show ip upnp port-mapping
No: 0
Remote Host: (null)
Client Type: upnp
External Port: 1122
Protocol: tcp
Internal Port: 1122
Internal Client: 172.16.1.2
Description: test1
Router(config)#
Page 217
show ip ip-mac-binding status all
    Displays the current IP/MAC bindings for all interfaces.
show ip ip-mac-binding exempt
    Shows the current IP/MAC binding exempt list.
ip ip-mac-binding clear-drop-count interface_name
    Resets the packet drop counter for the specified interface.
Page 218
The following example enables IP/MAC binding on the LAN1 interface and displays the interface’s IP/MAC binding status.

Router# configure terminal
Router(config)# ip ip-mac-binding lan1 activate
Router(config)# show ip ip-mac-binding lan1
Name: lan1
Status: Enable
Log: No
Binding Count: 0
Drop Count: 0
Router(config)#
Page 219
AP are in the Vlan1. The IP address of the network printer (C) is added to the white list. The connected AP then cannot communicate with the PC (D), but can access the network printer (C), server (B), wireless client (A) and the Internet.

Figure 24 Layer-2 Isolation Application
Page 220
28.2.1 Layer 2 Isolation White List Sub-Commands

The following table describes the sub-commands for l2-isolation white-list commands.

Table 111 l2-isolation white-list Sub-commands
COMMAND DESCRIPTION
[no] activate
    Enables the rule. The no command disables the rule.
Page 221
Router(white-list)# ip-address 172.17.0.66
Router(white-list)# exit
Router(config)# show l2-isolation interface
===============================================================================
lan2
Router(config)# show l2-isolation activation
Layer2 Isolation Status: yes
Router(config)# show l2-isolation white-list
layer2 isolation white list rule: 1
active: yes
ip address: 172.17.0.66
description:
Router(config)#
Page 222
Telnet session from within the LAN zone and the Zyxel Device allows the response. However, the Zyxel Device blocks incoming Telnet traffic initiated from the WAN zone and destined for the LAN zone.

Figure 25 Default Directional Policy Example
Page 223
    Displays if only SSL VPN clients from specified regions are allowed to access the Zyxel Device.
show secure-policy backup status
    Displays if backing up of secure policies when changes are made is configured on the Zyxel Device.
Page 224
firewall icsa {icmp-destroy-session} {enable | disable}
    During ICSA certification a connection automatically terminates immediately once ICMP unreachable or ICMP TTL expired is received. Use this command to turn off this behavior.
Page 225
IPv6 firewall.
secure-policy6 append
    Enters the IPv6 secure policy sub-command mode to add a global firewall rule to the end of the global rule list. See Table 114 on page for the sub-commands.
Page 226
The following table describes the sub-commands for several secure-policy and secure-policy6 commands.

Table 114 firewall Sub-commands
COMMAND DESCRIPTION
action {allow|deny|reject}
    Sets the action the Zyxel Device takes when packets match this rule.
[no] activate
    Enables a secure policy rule. The no command disables the rule.
Page 227
Subcommands cannot be used with secure-policy6.
secure-policy <profile name>
    Creates a secure policy rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Page 228
By default, security services such as anti-malware, URL threat filter, and DNS filter support multiple profiles in the CLI but only a single profile in the Web Configurator. To enable multiple profiles in the Web Configurator, you need to change the Zyxel Device’s display mode.
Page 229
• Enter the secure policy sub-command mode to add a secure policy rule.
• Set the direction of travel of packets to which the rule applies.
• Set the destination IP address(es).
• Set the service to which this rule applies.
Page 231
The following commands activate secure-policy backup, display its status and then show where to find the configuration files. Filenames beginning with autoback are automatic configuration files created when new firmware is uploaded. backup-2017-12-13-13-34-49.conf is the name of the
Page 232
Check the Security Policy status. Make sure the Zyxel Device Security Policy is activated to keep your network safe.

Router# show secure-policy status
secure-policy status: yes
secure-policy asymmetrical route status: no
secure-policy default rule: deny, log
secure-policy tcp flag detect: yes

Enter the Default_Allow_WAN_To_ZyWALL service group sub-command mode.
Page 233
), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
user_name
    The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Page 234
[no] activate
    Enables the IPv6 session-limit rule. The no command disables the session limit rule.
[no] address6 address6_object
    Sets the IPv6 source IP address. The no command sets this to any, which means all IP addresses.
Page 235
They operate at OSI layer-2 and layer-3. Traffic anomaly policies may be updated when you upload new firmware.

Protocol Anomalies

Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes:
• TCP Decoder
• UDP Decoder
Page 236
idp rename anomaly <profile1> <profile2>
    Renames an ADP anomaly profile originally named profile1 to profile2.
no idp anomaly <profile3>
    Deletes an ADP profile named profile3.
show idp anomaly base profile
    Displays all anomaly detection base profiles.
Page 237
no scan-detection sensitivity
    Clears scan-detection sensitivity. The default sensitivity is medium.
scan-detection block-period <1..3600>
    Sets for how many seconds the ZyWALL / USG blocks all packets from being sent to the victim (destination) of a detected anomaly attack.
Page 239
show idp anomaly profile flood-detection {tcp-flood | udp-flood | icmp-flood | icmp-flood} details
    Shows flood-detection settings for the specified ADP profile.
show idp anomaly profile tcp-decoder all details
    Shows tcp-decoder settings for the specified ADP profile.
Page 240
obj | any} destination {dst-ipv4-obj | any} service {service_obj | any}
    Use any to match any source, destination, or service.
no idp anomaly white-list rule-name
    Deletes the specified ADP Flood Detection Whitelist entry.
Page 241
idp anomaly white-list rename rule-name new-rule-name
    Renames the specified ADP Flood Detection Whitelist entry.
show idp anomaly white-list {all | rule-name}
    Displays information about a single ADP Flood Detection Whitelist entry. all displays the whole whitelist.
Page 242
• View the location of managed devices on a map
• Receive notification for events and alarms, such as when a device goes down
• Graphically monitor individual devices and see related statistics
• Directly access a device for remote configuration
Page 243
• They must be able to use Simple Authentication and Security Layer (SASL) to authenticate with the XMPP Server. A Username and Password are used as the credentials for the SASL authentication procedure.
• They must be able to reestablish the connection to the XMPP Server if the connection is lost.
Page 244
myZyxel.
[no] cnm-agent cnm-id <ID>
    Enter the CNM ID exactly as on the Cloud CNM SecuManager license. The CNM ID can be from 0 to 80 characters long using these characters: [a-zA-Z0-9-][\.a-zA-Z0-9_-]. The no command removes the CNM ID.
Page 245
[no] cnm-agent trigger-inform <0..8640>
    The valid range for the interval is in 10-second multiples, where 0 means 0 to 10 seconds, 1 means 10 to 20 seconds, and so on. The no command removes the interval.
Page 246
The no command removes the XMPP account user name of the Cloud CNM SecuManager.
[no] cnm-agent encrypted-xmpp-password
    Enter the XMPP account encrypted password of the Cloud CNM SecuManager. The no command removes the XMPP account encrypted password of the Cloud CNM SecuManager.
Page 247
How often to upload is determined by the upload interval (default every 300 seconds) or upload file size (default is when the temporary log file reaches 10 MB). More frequent uploads provide better real-time log analysis, but use more bandwidth and CPU processing power.
Page 248
secu-reporter idp {activate|deactivate}
    The activate command has the Zyxel Device send IDP logs to SecuReporter for analysis and trend spotting.
secu-reporter interface-statistics {activate|deactivate}
    The activate command has the Zyxel Device send logs of interface statistics to SecuReporter for analysis and trend spotting.
Page 250
• Verification code length: 6 digits.
• Maximum verification code failed attempts: 3
• Backup code length: 8 digits
• Google authenticator is supported in device High Availability (HA) mode. The secret keys are synchronized between all Zyxel Devices.
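To make the parameters above concrete, here is an added example (not Zyxel code) of a TOTP verifier with the same shape: Google Authenticator codes are 6-digit TOTP values (RFC 6238, HMAC-SHA1, 30-second steps), and the verifier locks a user after 3 consecutive failed attempts. The base32 secret in the test is the RFC 6238 reference secret; the one-step drift window and the per-user failure counter are design choices of this example, not behaviour the page specifies for the Zyxel Device.

```python
"""6-digit TOTP verification with a 3-strike lock-out.
Added example, not Zyxel code. Parameters follow the page: 6 digits, 3 failures."""
import base64
import hashlib
import hmac
import struct
import time

CODE_DIGITS = 6          # verification code length from the page
MAX_FAILED_ATTEMPTS = 3  # maximum failed attempts from the page
TIME_STEP = 30           # Google Authenticator's default step (assumption)


def totp(secret_b32, unix_time, digits=CODE_DIGITS):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second time counter."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Verifier:
    """Tracks consecutive failures per user; locks at MAX_FAILED_ATTEMPTS."""

    def __init__(self, secrets):
        self.secrets = secrets   # user -> base32 secret (synchronised in HA mode)
        self.failures = {}       # user -> consecutive failed attempts

    def verify(self, user, code, now=None):
        """Return 'ok', 'bad' or 'locked'. Accepts one step of clock drift."""
        now = int(time.time()) if now is None else now
        if self.failures.get(user, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"
        for drift in (-TIME_STEP, 0, TIME_STEP):
            expected = totp(self.secrets[user], now + drift)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.failures[user] = 0
                return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "bad"
```

The lock-out is per user and is reset only by a successful code here; a production deployment would normally also expire it after a fixed time so that an attacker cannot keep a legitimate user locked out by guessing.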
Page 251
1. Web Authentication Portal - Username/password
2. Web Authentication Portal - Google Authenticator code
Yes (Active Directory SSO) | None needed (if user is using Windows)
Yes (Active Directory SSO) | None needed (if user is using Windows)
Page 252
[no] web-auth redirect-fqdn host_str
    Set the Fully-Qualified Domain Name (FQDN) of the Zyxel Device interface to which the clients connect. The no command removes the specified FQDN. host_str: the fully qualified domain name for the host.
Page 253
show web-auth method
    Displays whether a client is to authenticate with the Zyxel Device through the specifically designated web portal when web authentication is enabled.
show web-auth policy {<1..1024> | all}
    Displays details about the policies for forcing user authentication.
Page 254
[no] logout-ip ipv4_address
    Sets an IP address that users can use to terminate their sessions manually by entering the IP address in the address bar of the web browser. The no command removes the IP address.
Page 255
| default-web-portal | facebook-wifi}
    Note: If you set the authentication type to facebook-wifi, the destination address must be any.
    Note: You can configure the web-portal and user-agreement profile using the web-auth type profile commands.
Page 256
To successfully authenticate, Google Authentication must already be enabled on the user's account and configured on their mobile device. For details, see Section 56.4 on page 482.
show sso {agent | port | presharekey}
    Displays information about the specified condition.
Page 257
• SSO does not support IPv6 or RADIUS; you must use it in an IPv4 network environment with Windows AD (Active Directory) or LDAP (Lightweight Directory Access Protocol) authentication databases.
• You must enable Web Authentication to use SSO.
Page 258
show sso agent secondary
    Displays secondary agent IP and Port configurations.
show sso agent status
    Displays primary and secondary agent status.
show sso port
    Displays the ZySSO port configured.
show sso presharekey
    Shows the configured ZySSO presharekey.
Page 259
ZySSO presharekey: 12345678
Router#

31.3.4 Two-Factor Web Authentication Command Example

The following example shows how to enable web authentication with two-factor authentication for clients on LAN1, and then configure Google Authenticator for a user account.
Page 261
billing decimal-places <2>
    Sets the number of decimal places to be used for billing.
billing decimal-symbol {comma | dot}
    Sets the Zyxel Device to use a dot (.) or a comma (,) for the decimal point.
Page 262
show billing discount status
    Displays billing discount settings.
show billing profile [profile_name]
    Displays settings for all or the specified billing profile.
show billing status
    Displays the general billing settings, such as the accounting method or tax rate.
Page 263
This example sets the accounting method to time-to-finish and configures the idle timeout that elapses before the Zyxel Device disconnects a user.

Router# configure terminal
Router(config)# billing accounting-method time-to-finish
Router(config)# billing accumulation idle-detection timeout 30
Router(config)#
Page 264
A when it is selected as the button to assign the base charge.

Router# configure terminal
Router(config)# printer-manager button a billing_1hour
Router(config)# show billing discount default
rule      Conditions      Unit      Unit price
===============================================================================
default   when            >=        2,00
Router(config)#
Page 265
The message must be from 1 to 256 characters long and can contain spaces and the following characters ([0-9a-zA-Z '`()+,/:;=~!*#@$_%- \.\&\?\[\]\{\}\*\|\^\\\<\>\+\"]). The default message is "Sorry! We can't handle your payment transaction at this time."
Page 266
(0,0,255), or type a color_name such as red, or enter the hex color format (#00FF00).
show payment-service account-delivery
    Displays how the Zyxel Device provides dynamic guest account information after the user's online payment is done (onscreen or sms).
Page 267
payment-service provider paypal identity-token paypal_token
    Defines the PayPal ID token. paypal_token: Enter the ID token provided to you by PayPal after successfully applying for your PayPal account.
payment-service provider paypal no identity-token
    Removes the PayPal ID token.
Page 268
The no command removes the specified printer from the printer list.
printer-manager printer append
    Enters the printer-manager printer sub-command mode to add a printer to the end of the printer list. See Table 135 on page 263 for the sub-commands.
Page 269
This example adds a printer to the managed printer list and displays the printer settings.

Router# configure terminal
Router(config)# printer-manager printer 1
Router(printer-manager)# activate
Router(printer-manager)# description cafe
Router(printer-manager)# printer-ip 172.16.0.123
Router(printer-manager)# exit
Router(config)# show printer-manager printer
printer: 1
activate: yes
IPv4 address: 172.16.0.123
description: cafe
Router(config)#
Page 270
Internet. time_period
    time_period: x - y, where x and y depend on the Zyxel Device model. The no command resets the setting to its default value (30).
show free-time status
    Displays the free time settings.
Page 271
[no] ip ipnp activate
ip ipnp config
    Enters the IPnP sub-command mode to enable IPnP on specific internal interface(s).
[no] interface interface_name
    Enables IPnP on a specific internal interface. The no command disables IPnP for the specified interface.
Page 272
See Table 143 on page 273 for the rule sub-commands.
walled-garden rule append
    Creates a new walled garden URL entry at the end of the current list and enters sub-command mode. See Table 143 on page 273 for the sub-commands.
Page 273
[no] url url
    Sets the URL or IP address of the web site. Use "http://" followed by up to 262 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://www.example.com or http://172.16.1.35. The no command removes the web site address.
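The input rules scattered through these tables (the user_name rule on page 233, the CNM ID character set on page 244, and the walled-garden url rule just above) are easy to get wrong when scripting configuration pushes. The following added example (not Zyxel code) expresses the three rules as validators so that a provisioning script can reject a bad value before it reaches the CLI. Two readings are assumptions of this example: the CNM ID pattern [a-zA-Z0-9-][\.a-zA-Z0-9_-] is taken as "first character from the first class, remaining characters from the second class, 80 characters in total", and the walled-garden rule is taken to require at least one character after http://.

```python
"""Validators for three Zyxel CLI input values described on this page.
Added example, not Zyxel code; see the lead-in for the assumed readings."""
import re

# user_name: 1-31 alphanumerics, underscores or dashes; first char not a digit.
USER_NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")

# CNM ID: 0 to 80 characters, first from [a-zA-Z0-9-], rest from [.a-zA-Z0-9_-]
# (assumed reading of the page's pattern; the empty string is allowed by "0 to 80").
CNM_ID_RE = re.compile(r"^(?:[a-zA-Z0-9-][.a-zA-Z0-9_-]{0,79})?$")

# walled-garden url: "http://" then up to 262 characters from the listed set.
# The page's set is taken literally, so '-' is escaped rather than read as a range.
WALLED_GARDEN_URL_RE = re.compile(r"^http://[0-9a-zA-Z;/?:@&=+$.\-_!~*'()%]{1,262}$")


def is_valid_user_name(value):
    return bool(USER_NAME_RE.match(value))


def is_valid_cnm_id(value):
    return bool(CNM_ID_RE.match(value))


def is_valid_walled_garden_url(value):
    return bool(WALLED_GARDEN_URL_RE.match(value))


def check_config_values(values):
    """Validate a dict of {field: value} and return a list of error strings.
    Fields without a validator are reported as unknown rather than silently passed."""
    validators = {
        "user_name": is_valid_user_name,
        "cnm_id": is_valid_cnm_id,
        "walled_garden_url": is_valid_walled_garden_url,
    }
    errors = []
    for field, value in values.items():
        check = validators.get(field)
        if check is None:
            errors.append("%s: no validator defined" % field)
        elif not check(value):
            errors.append("%s: %r is not a valid value" % (field, value))
    return errors
```

Run check_config_values on the values a script is about to push; an empty result means every value satisfies the rules stated in the tables, and anything else names the field to fix.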
Page 275
This example shows how to set an advertisement rule and displays the rule settings.

Router# configure terminal
Router(config)# advertisement activate
Router(config)# advertisement name example url http://www.example.com
Router(config)# show advertisement
advertisement rule: 1
name: example
url: http://www.example.com
Router(config)#
Page 276
The second phase uses the IKE SA to securely establish an IPSec SA through which the Zyxel Device and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure.
Page 277
e_mail
    An e-mail address. You can use up to 63 alphanumeric characters, underscores (_), dashes (-), or @ characters.
distinguished_name
    A domain name. You can use up to 511 alphanumeric characters, spaces, or .@=,_- characters.
Page 278
Users will lose their VPN connection briefly while the Zyxel Device changes back to the primary connection. To use this, the peer device at the secondary address cannot be set to use a nailed-up VPN connection.
Page 279
domain_name | mail e_mail | dn distinguished_name}
    IP address, domain name, or e-mail address.
[no] twofa-auth
    Enables two-factor authentication. The no command disables two-factor authentication. See Section 56.4 on page 482 and Section 56.5 on page for more information on configuring two-factor authentication settings.
Page 280
The no command deletes the specified IPSec SA.
crypto map rename map_name map_name
    Renames the specified IPSec SA (first map_name) to the specified name (second map_name).
activate
deactivate
    Activates or deactivates the specified IPSec SA.
Page 281
set pfs {group1 | group2 | group5 | none}
    Enables Perfect Forward Secrecy group.
local-policy address_name
    Sets the address object for the local policy (local network).
remote-policy address_name
    Sets the address object for the remote policy (remote network).
Page 282
<0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535>
    IP address and port range (mapped-ip).
[no] configuration-payload-provide activate
    Enables configuration payload in server role. The no command disables it.
configuration-payload-provide address- {}
    Sets configuration payload address . The no command disables it.
Page 283
[no] mode-config {first-dns | second-dns}
    Specifies the DNS server IP address to assign to the remote users. The second-dns server's IP address is checked if first-dns is unavailable. The no command removes the setting.
Page 284
IP addresses responds. Set probe-condition to all if you want the check to pass only when both domain names or IP addresses respond.
Page 285
DES encryption key, the Zyxel Device only uses 12345678. The Zyxel Device still stores the longer key.
local-ip ip
    Sets the local gateway address to the specified IP address.
peer-ip ip
    Sets the remote gateway address to the specified IP address.
Page 286
exit
    Leaves sub-command mode.
vpn-configuration-provision rule {delete conf_index | move conf_index to conf_index}
    Deletes or moves the specified VPN configuration provisioning rule.
[no] vpn-configuration-provision activate
    Turns the VPN configuration provisioning service on or off.
Page 287
Types of VPN supported are:
• L2TP
• IKEv1 Cisco VPN
• IKEv2 (for iOS 9.3 and later)
The no command disables over-the-air VPN provisioning for mobile Apple (iOS) devices using a Safari browser.
Page 288
2-8 hexadecimal (0-9, A-F) characters
no sa tunnel-name map_name
    Deletes the specified IPSec SA.
show sa counter
    Displays the IPSec VPN tunnels that are currently established.
show vpn-counters
    Displays VPN traffic statistics.
Page 289
local-ip {ip {ip | domain_name} | interface interface_name}
    Sets the local gateway address to the specified IP address, domain name, or interface.
peer-ip {ip | domain_name} [ip | domain_name]
    Sets the remote gateway address(es) to the specified IP address(es) or domain name(s).
Page 290
activate
deactivate
    Activates or deactivates the specified IKEv2 SA.
authentication {pre-share | rsa-sig}
    Specifies whether to use a pre-shared key or a certificate for authentication.
certificate certificate-name
    Sets the certificate that can be used for authentication.
Page 291
It can be up to 31 characters long.
ikev2 policy rename policy_name policy_name
    Renames the specified IKEv2 SA (first policy_name) to the specified name (second policy_name).
[no] twofa-auth
    Enables two-factor authentication. The no command disables two-factor authentication.
Page 292
| esp-aes256-md5 | esp-aes256-sha | esp-aes256-sha256 | esp-aes256-sha512
transform-set crypto_algo_ah [crypto_algo_ah [crypto_algo_ah]]
    Sets the active protocol to AH and sets the encryption and authentication algorithms for each proposal. crypto_algo_ah: ah-md5 | ah-sha | ah-sha256 | ah-sha512
Page 293
configuration-payload-provide address- {}
    Sets configuration payload address . The no command disables it.
[no] configuration-payload-provide {first-dns IPv6|second-dns IPv6}
    Sets configuration payload address dns server. The no command disables it.
[no] narrowed
    Enables policy narrowed. The no command disables it.
Page 294
[no] crypto map_name
    concentrator. The no command removes the specified IPSec SA from the specified IPv6 VPN concentrator.
vpn-concentrator6 rename profile_name profile_name
    Renames the specified IPv6 VPN concentrator (first profile_name) to the specified name (second profile_name).
Page 295
Z", "-" and "_"). No spaces are allowed.
user_name
    The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Page 296
[no] network-extension traffic-enforcement
    Forces all SSL VPN client traffic to be sent through the SSL VPN tunnel. The no command disables this setting.
[no] network-extension netbios-broadcast
    Allows netbios broadcast packets to pass through the SSL VPN tunnel.
Page 297
Router(config)# address-object IP- 192.168.100.1-192.168.100.10
Router(config)# address-object DNS1 172.16.5.1
Router(config)# address-object DNS2 172.16.5.2
Router(config)# address-object NETWORK1 172.16.10.0/24

Create the SSL VPN user account named tester with password 1234.

Router(config)# username tester password 1234 user-type user
Page 298
: IP-
dns server 1: DNS1
dns server 2: DNS2
wins server 1: none
wins server 2: none
network: NETWORK1
reference count: 0
Page 299
You must configure an IPSec VPN connection for L2TP VPN to use (see Chapter 33 on page 276 for details). The IPSec VPN connection must:
• Be enabled.
• Use transport mode.
• Not be a manual key VPN connection.
• Use Pre-Shared Key authentication.
Page 300
Figure 29 Policy Route for L2TP VPN

35.4 WAN Policy Route

You must configure a policy route with SNAT to let VPN users send traffic out through the WAN interface, for example to the Internet.
Page 301
profile_name
    The name of an L2TP VPN account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following sections list the L2TP VPN commands.
Page 302
[no] l2tp-over-ipsec second-wins-server ip
    Specifies the second WINS server IP address to assign to the remote users. The no command removes the setting.
no l2tp-over-ipsec session tunnel-id <0..65535>
    Deletes the specified L2TP VPN tunnel.
Page 303
local-address w.x.y.z
    Specifies the IP address of this interface.
Interface disconnect
    Disconnects the L2TP tunnel on this interface.
Interface dial wan1_ppp
    Connects the L2TP tunnel on this interface.
show interface ppp
    Displays details of each PPP interface connection.
Page 304
• For the Local Policy, create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW. The address object in this example uses IP address 172.23.37.205 and is named L2TP_IFACE.
Page 305
(LAN_SUBNET in this example).
• Set the Destination Address to the IP address that the Zyxel Device assigns to the remote users (L2TP_ in this example).
• Set the next hop to be the Default_L2TP_VPN_Connection tunnel.
Page 306
• Check that the default zone VPN_To_WAN_SNAT exists.
• Add the L2TP VPN profile to the VPN_To_WAN_SNAT zone.

Router# show zone VPN_To_WAN_SNAT
No. Type Member
========================================================================
Router# configure terminal
Router(config)# zone VPN_To_WAN_SNAT
Router(zone)# crypto WIZ_VPN
Page 307
bwm default outbound priority <1..7>
    Specifies a number between 1 and 7 to set the priority for outgoing traffic that matches the default policy.
bwm delete <1..127>
    Removes a policy.
Page 308
default | wmm_be0 | wmm_be24 | wmm_bk16 | wmm_bk8 | wmm_vi32 | wmm_vi40 | wmm_vo48 | wmm_vo56}}
    DSCP value or no DSCP marker. The no command resets the DSCP code to the default (any).
Page 309
1 and 7 to set the priority for traffic that matches this policy. The smaller the number, the higher the priority. Outbound refers to the traffic the UAG sends out from a connection's initiator. The no command resets the outbound guarantee bandwidth to the default (0).
Page 310
The no command resets the bandwidth management type to the default (shared).
[no] user user_name
    Sets a user name or user group to which to apply the policy. The no command resets the user name to the default (any). any means all users.
Page 312
Dst: any
Service_Type: service-object
Service_Name: any
Inbound_Excess: no
Inbound_Prio: 3
Inbound: 800
Inbound_Ceiling: 0
Outbound_Excess: no
Outbound_Prio: 3
Outbound: 700
Outbound_Ceiling: 0
DSCP_Code: any
DSCP_Inbound: preserve
DSCP_Outbound: preserve
Log: no
Router(config-bwm append 6)# exit
Router(config)#
Page 313
<profile-name>
    ), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
description
    This is a description of the App Patrol Profile.
The following sections list the application patrol commands.
Page 314
show app profiles <profile-name> application category {category_id | all}
    Shows the description, application name, and object reference number associated with the named profile within a specific or all categories.
show app search-name <application_keyword>
    Searches for applications that contain the specified keyword.
Page 315
show security-service status
    Displays whether the security services are enabled on the Zyxel Device.

37.2.1.1 Application Patrol Command Examples

This command shows details of an application patrol profile created.

Router# show app profiles
APP-patrol: 1
profile name: app1
description:
application: ultrasurf_app
ref: 1
Page 316
0
APP-patrol: 2
profile name: test
description: this is a test
application:
ref: 0
APP-patrol: 3
profile name: john
description: this is a dummy profile
application:
ref: 0
Router(config)#
Page 317
The whole file name has to match if you do not use a question mark or asterisk. If you do not use a wildcard, the Zyxel Device checks up to the first 80 characters of a file name.
Page 318
no anti-virus mail-infect-ext activate
    Has the Zyxel Device not add a notification text file to an e-mail after identifying an infected file.
[no] security-service anti-virus activate
    Turns on anti-virus on the Zyxel Device. The no command disables anti-virus.
Page 319
[no] scan {http | ftp | imap4 | smtp | pop3}
    Sets the traffic protocols you want to scan for viruses.
show [all]
    Displays the details of the anti-virus rule you are configuring or all the rules.
exit
    Leaves the sub-command mode.
Page 320
anti-virus black-list {md5-hash md5-pattern | file-pattern file-pattern} {activate|deactivate}
    Adds an MD5 hash pattern or file pattern to the black list if it did not already exist, and then activates or deactivates the pattern.
Page 321
<1..256> {md5-hash md5-pattern | file-pattern file-pattern}
    The new pattern can be a file pattern or an MD5 hash pattern. <1..256>: The index number of the file pattern or MD5 hash pattern that you want to replace. file-pattern: The new file pattern. md5-pattern: The new MD5 hash pattern.
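The black-list semantics described on page 317 (question mark and asterisk wildcards, whole-name match otherwise, only the first 80 characters compared) and the two entry kinds in the commands above (file-pattern and md5-hash, each activated or deactivated) can be modelled in a few lines. The following added example (not Zyxel code) does so as a local checker that reports which entry a file hit; it is useful for testing a pattern set before loading it. Two details are assumptions of this example: matching is case-sensitive, and "checks up to the first 80 characters" is read as comparing the first 80 characters of both the pattern and the file name.

```python
"""Model of an anti-virus black list with file-pattern and md5-hash entries.
Added example, not Zyxel code; see the lead-in for assumptions."""
import hashlib
import re

NAME_PREFIX = 80   # characters compared when the pattern has no wildcard (from the page)


def md5_hex(data):
    """Hex MD5 of the file content, the form an md5-hash entry is compared against."""
    return hashlib.md5(data).hexdigest()


def pattern_to_regex(pattern):
    """Translate '*' (any run) and '?' (one character) into an anchored regex.
    All other characters are matched literally. Case-sensitive (assumption)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


class AvBlackList:
    def __init__(self):
        self.file_patterns = {}   # pattern -> active?
        self.md5_hashes = {}      # lowercase hex digest -> active?

    def add_file_pattern(self, pattern, active=True):
        self.file_patterns[pattern] = active

    def add_md5(self, digest, active=True):
        self.md5_hashes[digest.lower()] = active

    def file_name_matches(self, pattern, filename):
        if "*" in pattern or "?" in pattern:
            return bool(pattern_to_regex(pattern).match(filename))
        # No wildcard: whole name must match, but only the first 80 characters
        # take part in the comparison (assumed reading of the page).
        return filename[:NAME_PREFIX] == pattern[:NAME_PREFIX]

    def lookup(self, filename, data):
        """Return 'md5-hash:<digest>' or 'file-pattern:<pattern>' for the first
        active entry that matches, or None when the file is not black-listed."""
        digest = md5_hex(data)
        if self.md5_hashes.get(digest):
            return "md5-hash:" + digest
        for pattern, active in self.file_patterns.items():
            if active and self.file_name_matches(pattern, filename):
                return "file-pattern:" + pattern
        return None
```

The hash check runs first because it is content-based and cannot be dodged by renaming; the file-name patterns are the weaker control and only catch what their wildcards describe.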
Page 322
{all | name virus_name} [{from id to id}]

38.2.4.1 Signature Search Example

This example shows how to search for anti-virus signatures with MSN in the name.

Router(config)# anti-virus search signature name MSN
signature: 1
virus name: MSN
Page 323
Tue Apr 17 10:18:00 2007
last update time: 2007/04/07 10:41:01
Router(config)# show anti-virus signatures status
current version : 1.046
release date : 2007/04/06 10:41:29
signature number: 686000
SSII (signature) number: 6000
SSII(md5 checksum) number: 680000
Page 324
This example shows how to collect and display anti-virus statistics. It also shows how to sort the display by the most common destination IP addresses.

Router(config)# anti-virus statistics collect
Router(config)# show anti-virus statistics collect
collect statistics: yes
Router(config)# show anti-virus statistics summary
virus detected: 0
Router(config)# show anti-virus statistics ranking destination
Page 325
Ekahau T201 tag maintenance protocol and Ekahau RTLS Controller user interface.
8552 Ekahau Location Protocol
8553 Ekahau Maintenance Protocol
8554 Ekahau T301 firmware update.
8560 Ekahau Vision web interface
8562 Ekahau T301W firmware update.
8569 Ekahau TZSP Listener Port
Page 326
8569
Router#

The following command displays the commands run on the AP.

Router(config)# show rtls ekahau cli
rtls ekahau flush
rtls ekahau ip port 11111
rtls ekahau ip address 1.1.1.1
rtls ekahau activate
Router(config)#
Page 327
- Type "SOA"
...
The Zyxel Device replies with a DNS reply packet containing a fake IP address for type "A", and replies with a DNS reply packet with server failure code for remaining types.
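The reply behaviour just described (a fake A record for type "A" queries, SERVFAIL for every other type) is the classic DNS sinkhole, and it is worth seeing at the wire level because a SOC analyst reading packet captures needs to recognise it. The block below is an added example, not Zyxel code: it parses a DNS query, builds the two kinds of reply with the standard library only, and includes a reply parser so the result can be checked. The redirect address 192.0.2.1 is a constructed documentation address, not the page's default (the page says the default redirect is the DNS Threat Filter server); the TTL is an arbitrary choice.

```python
"""DNS sinkhole reply builder: fake A record for type A, SERVFAIL otherwise.
Added example, not Zyxel code. Uses RFC 1035 wire format via struct."""
import ipaddress
import struct

QTYPE_A = 1
QTYPE_SOA = 6
RCODE_SERVFAIL = 2
REDIRECT_IP = "192.0.2.1"   # constructed sample; the page's default is the filter server


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                          # compression pointer
            ptr = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qname, qtype, txid=0x1234):
    """A minimal recursive query, as a stub resolver would send it."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def build_filter_response(query, redirect_ip=REDIRECT_IP, ttl=60):
    """Reply to a black-listed name: fake A record for type A, SERVFAIL for the rest."""
    txid, flags, _, _, _, _ = struct.unpack(">HHHHHH", query[:12])
    _, off = decode_name(query, 12)
    qtype, _ = struct.unpack(">HH", query[off:off + 4])
    question = query[12:off + 4]
    base_flags = 0x8000 | (flags & 0x0100) | 0x0080   # QR=1, copy RD, RA=1
    if qtype == QTYPE_A:
        answer = (struct.pack(">H", 0xC00C)             # pointer to the question name
                  + struct.pack(">HHIH", QTYPE_A, 1, ttl, 4)
                  + ipaddress.IPv4Address(redirect_ip).packed)
        header = struct.pack(">HHHHHH", txid, base_flags, 1, 1, 0, 0)
        return header + question + answer
    header = struct.pack(">HHHHHH", txid, base_flags | RCODE_SERVFAIL, 1, 0, 0, 0)
    return header + question


def parse_response(resp):
    """Return {'id', 'rcode', 'answers'} with A-record addresses as strings."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(resp, off)
        off += 4
    answers = []
    for _ in range(ancount):
        _, off = decode_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A:
            answers.append(str(ipaddress.IPv4Address(rdata)))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}
```

In a capture, the tell-tale signs are the same: every black-listed name resolves to the one redirect address with a short TTL, and non-A lookups for those names come back as SERVFAIL rather than NXDOMAIN.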
Page 328
[no] ip-reputation log-all
    The Zyxel Device creates a log message each time an IPv4 address is scanned using IP reputation.
show ip-reputation status
    Displays the action and log settings for IP reputation.
show ip-reputation signatures date
    Displays the date and time the signature set was released.
Page 329
Note: In Firmware v4.55 or later, the phishing option does nothing and is only included for compatibility.
show ip-reputation webroot {incoming-category | outgoing-category}
    Displays whether each category of packet coming from the Internet or Internet and local networks is filtered.
Page 330
40.2.3 IP Reputation External Black List

The following table describes the commands for enabling and configuring an external database of black listed IP addresses. The Zyxel Device blocks incoming and outgoing packets from the addresses in
Page 331
ip-reputation ebl update daily <0..23>
    Sets the Zyxel Device to check for updates to the external black list once per day, at the specified hour. The time format is the 24 hour clock; for example, '23' means 11 PM.
Page 332
[no] threat-website forbid-list activate
    Enables or disables the URL Threat Filter black list.
show anti-botnet signatures date
    Displays the date and time the signature set was released.
show anti-botnet signatures number
    Displays the number of signatures in this set.
Page 333
| spam-urls | spyware-adware-keyloggers}
    • compromised, malware, botnets -> malicious-sites
threat-website {trust | forbid}
    Enters sub command mode, where you can add or remove web site entries in the white list (trust) or black list (forbid).
Page 334
Access to this website is not allowed.
• Browser Exploits
• Malicious Downloads
• Malicious Sites
• Phishing
• Spam URLs
• www.google.com
• www.yahoo.com
Configure the URL threat filter settings with the parameters given above.
Page 335
Table 182 URL Threat Filter Profile Commands
COMMAND DESCRIPTION
threat-website rename old_profile_name new_profile_name
    Renames the URL Threat Filter profile.
threat-website profile profile_name
    Creates the specified URL Threat Filter profile, if it does not already exist.
Page 336
Zyxel Device.
• Each entry consists of a URL, domain name, or domain name with wildcard *. For example:
  https://www.zyxel.com/products_services/smb.shtml?t=s
  www.zyxel.com
  *.zyxel.*
• The external black list file can contain a maximum of 50,000 entries.
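An external black list file in the format just described is easy to validate and test offline before it is published for the device to fetch. The following added example (not Zyxel code) loads such a file, enforces the 50,000-entry limit, and classifies a URL against the three entry kinds. The matching rules are this example's assumptions, since the page only gives the entry formats: a URL entry matches that exact URL, a domain entry matches that exact host, and * in a wildcard entry matches any run of characters including dots (so *.zyxel.* covers www.zyxel.com and shop.zyxel.com.tw but not zyxel.com itself). The list contents are constructed from the three examples above.

```python
"""Loader and matcher for a URL Threat Filter external black list file.
Added example, not Zyxel code; matching rules are assumptions (see lead-in)."""
import re
from urllib.parse import urlsplit

MAX_ENTRIES = 50000   # limit stated on the page

# Constructed sample file using the three entry forms shown on the page.
SAMPLE_EBL = """\
# comment lines and blank lines are ignored by this loader (assumption)
https://www.zyxel.com/products_services/smb.shtml?t=s
www.zyxel.com

*.zyxel.*
"""


def compile_wildcard(entry):
    """'*' matches any run of characters (dots included); everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in entry.split("*")) + "$")


class UrlBlackList:
    def __init__(self):
        self.urls = set()        # full-URL entries
        self.domains = set()     # exact host entries, lower-cased
        self.wildcards = []      # (entry, compiled regex)

    def load(self, text):
        """Parse the file; raise ValueError when the 50,000-entry limit is exceeded."""
        count = 0
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            count += 1
            if count > MAX_ENTRIES:
                raise ValueError("more than %d entries" % MAX_ENTRIES)
            if "://" in line:
                self.urls.add(line)
            elif "*" in line:
                self.wildcards.append((line, compile_wildcard(line.lower())))
            else:
                self.domains.add(line.lower())
        return count

    def lookup(self, url):
        """Return (kind, entry) for the first matching entry, or None."""
        if url in self.urls:
            return ("url", url)
        host = (urlsplit(url).hostname if "://" in url else url).lower()
        if host in self.domains:
            return ("domain", host)
        for entry, pattern in self.wildcards:
            if pattern.match(host):
                return ("wildcard", entry)
        return None
```

Checking order matters: the most specific entry (full URL) is reported first, then the exact host, then wildcards, so a report tells the operator which line of the file caused a block.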
Page 337
show threat-website ebl <profile name>
    Shows the specified URL Threat Filter external black list profile.
show threat-website ebl signature update
    Shows whether automatic external black list updates are enabled, and the schedule for the updates.
Page 338
{sun | mon | tue | wed | thu | fri | sat} <0..23>
show anti-botnet signature update
    Displays signature update schedule.
show anti-botnet update status
    Displays signature update status.
show security-service signature status
    Displays details about all current signature sets.
Page 339
anti-botnet statistics flush
    Clears the collected IP blocking statistics.
[no] threat-website statistics collect
    Turns the collection of URL Threat Filter URL blocking statistics on or off.
threat-website statistics flush
    Clears the collected URL blocking statistics.
Page 340
Alternatively, a peer-to-peer network approach is used. The infected computer scans and communicates with the peer devices in the same botnet to share commands or malware sent by the C&C server.
These are botnet sites including command-and-control (C&C) servers
Page 341
Adware programs typically display blinking advertisements or pop-up windows when you perform a certain action. Adware programs are often installed in exchange for another service, such as the right to use a program without paying for it.
Page 342
IP address. The default redirect IP is the IP address of the DNS Threat Filter server (dnsft.cloud.zyxel.com).
[no] black-list activate
    Enables or disables the DNS Threat Filter black list for this profile.
Page 343
show dns-filter dashboard statistics summary
    Displays the total number of Fully Qualified Domain Names (FQDNs) that the Zyxel Device has scanned, and the number of malicious FQDNs detected, as displayed on the Web Configurator dashboard.
Page 344
The no command sets the value you configure back to default.
defaultport port number
    The default port through which the DoH query packets are sent is 443. The default port through which the DoT query packets are sent is 853.
Page 345
Table 189 DNS Threat General Settings Example
ACTION WHEN DETECTING DNS OVER HTTPS/TLS PACKETS: drop/log

Configure the DNS threat filter general settings.

Router# configure terminal
Router(config)#
Router(config)# dns-filter secure-dns action drop
Router(config)# dns-filter secure-dns log
Page 346
suspicious {allow | destroy} {log | log-alert | no}
    This also sets the Zyxel Device to generate a log, log and alert or neither (no) when a suspicious file is detected.
sandbox mdb flush
    Removes sandboxing MDB files.
Page 347
show sandbox statistics dashboard summary
    Displays the collected sandboxing statistics that are currently displayed on the web GUI dashboard.
show sandbox status
    Displays the action and log settings for sandboxing.
show security-service status
    Displays whether the security services are enabled on the Zyxel Device.
Page 348
Router(config)#

This command sets the Zyxel Device to delete malicious files and generate a log when a malicious file is detected.

Router# configure terminal
Router(config)# sandbox malicious-action malicious destroy log
Router(config)#
Page 349
Rate Based Signatures

Rate based signatures are IDP signatures that allow the Zyxel Device to respond only when a certain number of malicious packets are identified within a specific time.

Figure 31 IDP Signatures Example
Page 350
COMMAND DESCRIPTION
[no] security-service ips activate
    Turns on IDP on the Zyxel Device. The no command disables IDP.
show security-service status
    Displays whether the security services such as IDP are enabled on the Zyxel Device.
Page 351
This example shows how to activate and deactivate signature-based IDP on the Zyxel Device.
Router# configure terminal
Router(config)# idp signature activate
Router(config)# show idp signature activation
idp signature activation: yes
Router(config)# no idp signature activate
Router(config)# show idp signature activation
idp signature activation: no
Page 352
show idp signature profiles    Displays the IDP profiles created.
show idp signature mode    Displays the IDP scan mode.
show idp engine version    Displays the IDP engine version.
show idp signature profile signature sid details    Displays the specified signature's details.
Page 353
IDP signatures identify traffic packets with suspicious, malicious patterns. The Zyxel Device can then respond instantaneously according to the action you define. If you do not want the Zyxel Device to respond instantaneously to each suspicious packet detected, use rate based signatures.
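The two passages above describe rate based signatures only in words: a match is acted on only once a threshold number of matching packets has been seen inside a time window. The following is an added example, not Zyxel code, that models that rule with a sliding window so the difference from a per-packet signature is visible. The per-source tracking, the reset after firing, and the sample event list are assumptions made for the illustration; the device's own counting algorithm is not documented on this page.

```python
"""Sliding-window model of a rate based IDP signature (added example, not
Zyxel code; threshold/window/per-source semantics are assumptions)."""
from collections import defaultdict, deque


class RateBasedSignature:
    """Fire only when `threshold` matches of one signature are seen from the
    same source within `window_seconds` (per-source tracking is an assumption)."""

    def __init__(self, sid, threshold, window_seconds, action="log"):
        self.sid = sid
        self.threshold = threshold
        self.window = window_seconds
        self.action = action
        self._hits = defaultdict(deque)  # src -> timestamps of recent matches

    def observe(self, src, ts):
        """Record one matching packet at time ts and return the action to
        take; "none" means the threshold was not reached inside the window."""
        q = self._hits[src]
        q.append(ts)
        # Discard matches that fell out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()  # start counting the next burst afresh
            return self.action
        return "none"


def run_events(sig, events):
    """Feed (src, ts) events through sig; return (src, ts, action) for each
    event that triggered the signature."""
    fired = []
    for src, ts in events:
        action = sig.observe(src, ts)
        if action != "none":
            fired.append((src, ts, action))
    return fired


# Constructed sample: 192.0.2.10 sends 5 matching packets within 3 seconds,
# 192.0.2.20 sends 5 matching packets spread over 60 seconds.
SAMPLE_EVENTS = [
    ("192.0.2.10", 100.0), ("192.0.2.20", 100.0),
    ("192.0.2.10", 100.5), ("192.0.2.20", 115.0),
    ("192.0.2.10", 101.0), ("192.0.2.20", 130.0),
    ("192.0.2.10", 102.0), ("192.0.2.20", 145.0),
    ("192.0.2.10", 103.0), ("192.0.2.20", 160.0),
]

if __name__ == "__main__":
    # threshold 5 in 10 seconds: only the burst from 192.0.2.10 triggers
    sig = RateBasedSignature(sid=12345, threshold=5, window_seconds=10, action="drop")
    for hit in run_events(sig, SAMPLE_EVENTS):
        print("sid", sig.sid, "triggered:", hit)
```

With a per-packet signature every one of the ten events would be acted on; with the rate rule only the fifth packet of the fast burst triggers, and the slow sender, whose packets never accumulate inside one window, is left alone.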
Page 356
Router(config)# idp search signature LAN_IDP name “ ” sid 12345 severity 1 platform 4 type 4 service 1 activate yes log log action 2
42.4 IDP Custom Signatures
Use these commands to create a new signature or edit an existing one.
Page 357
(msg: \"test\"; sid: 9000000 ; )"
sid: 9000000
message: test
class type:
severity:
platform:
    all: no
    Win95/98: no
    WinNT: no
    WinXP/2000: no
    Linux: no
    FreeBSD: no
    Solaris: no
    SGI: no
    other-Unix: no
    network-device: no
service:
outbreak: no
Page 358
Router(config)# show idp signatures custom-signature 9000000 details
sid: 9000000
message: test edit
class type:
severity:
platform:
    all: no
    Win95/98: no
    WinNT: no
    WinXP/2000: no
    Linux: no
    FreeBSD: no
    Solaris: no
    SGI: no
    other-Unix: no
    network-device: no
service:
outbreak: no
Page 360
| wed | thu | fri | sat} <0..23>
show idp signature update    Displays the signature update schedule.
show idp signature update status    Displays the signature update status.
show idp signature signatures {version | date | number}    Displays signature information.
Page 361
Table 201 Commands for IDP Statistics
COMMAND    DESCRIPTION
[no] idp statistics collect    Turns the collection of IDP statistics on or off.
idp statistics flush    Clears the collected statistics.
Page 362
| rate-based}    ... IP addresses (IPv4 or IPv6) from which the Zyxel Device has detected the most intrusion attempts.
destination(6): lists the most common destination IP addresses (IPv4 or IPv6) for detected intrusion attempts.
rate-based: lists the detected rate based signatures.
Page 363
192.168.1.34 occurence: 26
42.7 IDP White List
The Zyxel Device excludes incoming packets that match the signature(s) in the IDP white list. These packets are not intercepted and pass through uninspected.
Page 364
idp packet-capture default setting    Returns IDP packet capture settings to factory defaults. This command will:
• Enable IDP packet capture.
• Disable IDP packet capture select.
• Clear all selected signature SIDs.
Page 365
1
user select sig_id enable: 0
----------------------------------------------------------
current pkt count: 0
current sig count: 0
current session count: 0
current mem size: 0
current file size: 0
----------------------------------------------------------
user select sig id count: 0
Page 366
43.1.2 DNS Content Filter
The DNS Content Filter allows the Zyxel Device to block access to specific websites by inspecting DNS queries made by users on your network. If the website in the DNS query contains prohibited material,
Page 367
content-filter report server {ip_address | hostname}    Sets the URL of the web page to which to send users when their web access is blocked by content filtering. The no command clears the setting.
Page 369
message    The message to display when a web site is blocked. Use up to 255 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%,) in quotes. For example, “Access to this web page is not allowed. Please contact the network administrator.”
Page 370
content-filter url-cache clear url    Deletes the specified URL from the Zyxel Device’s local Web Content Filter cache.
Firmware v4.50 or earlier
content-filter url-server test commtouch    Enters the sub-command mode for testing URLs with the legacy external Web Content Filter.
Page 371
Name Indication (SNI) from a client request, check if it matches a category in the Web Content Filter and then take the appropriate action. The keyword match is for the domain name only. The no command disables the HTTPS Domain Filter.
Page 372
Use the command show logging entries [priority pri] to display the logs of the specified level.
content-filter profile filtering_profile custom-list forbid    Enters the sub-command mode for configuring the Web Content Filter profile’s list of forbidden hosts.
Page 373
match-unsafe {block | log | warn | pass}    Sets the action for attempted access to web pages that match the Web Content Filter profile’s selected legacy unsafe categories. Block access, log access, or allow access.
Page 374
log-all [commtouch-url]    The Zyxel Device creates a log message each time an IPv4 address is scanned by the Web Content Filter service. The commtouch-url option has no effect, and is only included for compatibility.
Page 375
content-filter https-domain-filter block-cache-ttl <1~60>    Sets how many seconds (1-60) to keep blocked HTTPS pages in the cache. The default value is 5.
content-filter https-domain-filter forward-cache-ttl <1~1440>    Sets how many minutes (1-1440) to keep forwarded HTTPS pages in the cache. The default value is 60.
Page 376
... Displays the settings of the specified Web Content Filter profile, including which categories it blocks.
Firmware v4.55 or later
show content-filter profile [filtering_profile]    Displays the settings of the specified Web Content Filter profile, including which categories it blocks.
Page 377
43.5.1 DNS Content Filter Commands
The following table lists the commands that you can use for general DNS content filter configuration. Use the configure terminal command to enter the configuration mode to be able to use these
Page 378
profile {all | profileName}    ... DNS Content Filter profile.
show dns-content-filter search FQDN    Runs a DNS query for the specified Fully Qualified Domain Name (FQDN) and returns the result according to the current DNS Content Filter rules.
Page 379
... DNS query packet.
log-alert    The Zyxel Device generates a log message and an alert when it detects a prohibited DNS query packet.
[no] white-list activate    Enables or disables the DNS Content Filter white list for this profile.
Page 380
Note: You must register for the external web filtering service before you can use it (see Chapter 5 on page 53).
You can also customize the filtering profile. The following commands block ActiveX, Java and proxy access. Append a Secure Policy with the content filter profile.
Page 381
Health Humor/Comics no, Discrimination Instant Messaging no, Stock Trading Internet Radio/TV no, Job Search : yes Information Security no, Dating/Social Networking Mobile Phone no, Media Downloads Malicious Sites : yes, Usenet News Nudity no, Non-Profit/Advocacy/NGO
Page 382
Hate & Intolerance    Sites that promote a supremacist political agenda, encouraging oppression of people or groups of people based on their race, religion, gender, age, disability, sexual orientation or nationality.
Page 383
... Sites of a particularly gruesome nature such as shocking depictions of blood or wounds, or cruel animal treatment.
Weapons    Sites that depict, sell, review or describe guns and weapons, including for sport.
Page 384
... Web pages that contain content or themes that are generally considered unsuitable for children.
Alcohol    Web pages that mainly sell, promote, or advocate the use of alcohol, such as beer, wine, and liquor. This category also includes cocktail recipes and home-brewing instructions.
Page 385
... Web pages for businesses that provide the content servers
• Web pages that allow users to browse photographs. See the Media Sharing category.
• URLs for servers that serve only advertisements. See the Web Ads category.
Page 386
This category can also be used as an exception to allow web pages that do not pose a risk to children, or to access sites that have a primary educational or recreational focus for children, but are in other categories such as Games, Humor/Comics, Recreation/Hobbies, or Entertainment.
Page 387
Web pages that provide content about historical facts. This category includes content suitable for higher education, but the Education category includes content for primary education. For example, a site with Holocaust photographs might be offensive, but have academic value.
Page 388
Internet Service Providers, and broadband and telecommunications companies that provide web services. This category includes web utilities such as statistics and access logs, and web graphics like clip art.
Page 389
Bulletin boards, chat rooms, search engines, or web mail sites that are monitored by an individual or group who has the authority to block messages or content considered inappropriate. This category does not include sites with posted rules against offensive content. See the Forum/Bulletin Boards category.
Page 390
... URLs for political parties, political campaigning, and opinions on various topics, including political debates.
Pornography    Web pages which provide materials intended to be sexually arousing or erotic. This category includes fetish pages, animation, cartoons, stories, and illegal pornography.
Page 391
Computer users who are concerned about security or privacy might want to be informed about this software, and in some cases, they might want to remove this software from their computers.
Page 392
Web pages that promote plagiarism or cheating by providing free or fee-based term papers, written essays, or exam answers. This category does not include sites that offer student help, discuss literature, films, or books, or other content that is often the subject of research papers.
Page 393
Although users can post any type of content, these forums tend to present less risk of containing offensive content. Sites that offer a variety of forums with themes, including technical and business content, are only in the categories of Forum/Bulletin Boards or Chat.
Page 394
Taser guns, weapons facilities, such as shooting ranges, and government or military oriented weapons. This category does not include political action groups, such as the NRA.
Page 395
... LAN to the Internet cannot access Facebook whether the traffic goes through the Zyxel Device or not.
Figure 33 Web Content Filter Example
Follow the steps below to block the Zyxel Device LAN users from accessing Facebook.
Create a web content filter profile named facebook_block.
Page 396
Facebook, Instagram, Twitter... The company wants to make sure any traffic going from the LAN to the Internet cannot access social networks whether the traffic goes through the Zyxel Device or not.
Page 397
Router# configure terminal
Router(config)# dns-content-filter profile SocialNetworks
You then enter sub-command mode for the SocialNetworks profile to configure the DNS content filter profile’s forbidden categories.
Sets the category to social-networking to block all social networks.
Page 398
Sets the action to redirect to redirect users that try to access FQDNs that are categorized as social networks.
Sets the log to log to generate a log for all traffic that matches criteria in the profile.
Exit sub-command mode.
Page 399
Router(secure-policy)# dns-cf-profile SocialNetworks
Router(secure-policy)# dns-cf-profile SocialNetworks log by-profile activate deactivate
Router(secure-policy)# dns-cf-profile SocialNetworks log by-profile activate
Router(secure-policy)# exit
Repeat step 7 and step 8 to apply the DNS content filter profile SocialNetworks to the security policy LAN2_Outgoing.
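The SocialNetworks walkthrough above, together with the earlier profile commands (forbidden categories, action, log, and the per-profile white list), describes a decision the device makes for each DNS query name. The block below is an added example that reproduces that decision in code so the order of the checks is explicit; it is not Zyxel code. The domain-to-category table stands in for the category service the device consults and is entirely constructed, the wildcard semantics of the white list (`fnmatch` style, so `*.example.com` also matches deeper sub-domains) is an assumption, and so are the sample query names.

```python
"""Model of a DNS content filter profile's per-query decision (added
example, not Zyxel code; category table and wildcard rules are assumptions)."""
from fnmatch import fnmatchcase

# Constructed stand-in for the cloud category lookup. Categories are assumed.
CATEGORY_DB = {
    "facebook.com": "social-networking",
    "instagram.com": "social-networking",
    "twitter.com": "social-networking",
    "example.org": "business",
}


def lookup_category(fqdn):
    """Walk up the label chain so sub-domains inherit the parent's category;
    names with no entry are reported as "unknown"."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = CATEGORY_DB.get(".".join(labels[i:]))
        if cat:
            return cat
    return "unknown"


class DnsContentFilterProfile:
    """forbidden_categories: categories to act on; action/log: what the
    profile does on a match; white_list: patterns that bypass the filter
    when white_list_active is True."""

    def __init__(self, name, forbidden_categories, action="redirect",
                 log="log", white_list=(), white_list_active=True):
        self.name = name
        self.forbidden = set(forbidden_categories)
        self.action = action
        self.log = log
        self.white_list = tuple(p.lower() for p in white_list)
        self.white_list_active = white_list_active

    def evaluate(self, fqdn):
        """Return (action, log, reason) for one queried name. The white list
        is consulted before the category lookup, so a listed name is never
        redirected even if its category is forbidden."""
        fqdn = fqdn.lower().rstrip(".")
        if self.white_list_active and any(fnmatchcase(fqdn, p) for p in self.white_list):
            return ("pass", "no", "white-list")
        cat = lookup_category(fqdn)
        if cat in self.forbidden:
            return (self.action, self.log, cat)
        return ("pass", "no", cat)


def run_queries(profile, queries):
    """Evaluate a list of query names; returns {fqdn: (action, log, reason)}."""
    return {q: profile.evaluate(q) for q in queries}


if __name__ == "__main__":
    # Mirrors the walkthrough: block social networks, redirect and log,
    # but let one developer host through via the white list (assumed).
    profile = DnsContentFilterProfile(
        "SocialNetworks", {"social-networking"}, action="redirect", log="log",
        white_list=("developers.facebook.com",))
    sample = ["www.facebook.com", "developers.facebook.com",
              "www.example.org", "zyxel.com"]          # constructed names
    for fqdn, verdict in run_queries(profile, sample).items():
        print(f"{fqdn:28} -> {verdict}")
```

The ordering matters operationally: because the white list wins, a single over-broad wildcard entry silently disables the category block for everything it matches, so white-list entries deserve the same review as firewall exceptions.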
Page 400
anti-spam profile append    Enters the anti-spam sub-command mode to append a profile.
anti-spam profile insert rule_number    Enters the anti-spam sub-command mode to insert a profile.
anti-spam profile rule_number direction    Enters the anti-spam sub-command mode to edit the specified direction specific rule.
Page 401
[no] anti-spam mail-content activate    Sets whether or not to identify spam by content, such as malicious content.
[no] anti-spam mail-phishing activate    Sets whether or not to identify emails sent from suspicious websites known for phishing.
Page 402
[timeout]
anti-spam tag query-timeout [tag]    Specifies the label to add to the mail subject of e-mails the Zyxel Device tags and forwards when queries to the mail scan servers time out.
Page 403
show anti-spam tag query-timeout    Displays the label the Zyxel Device adds to the mail subject of e-mails that it tags and forwards when queries to the mail scan servers time out.
Page 404
This example shows how to configure (and display) a WAN to DMZ anti-spam profile to scan POP3 and SMTP traffic. SMTP spam is forwarded. POP3 spam is marked with a spam tag. The Zyxel Device logs the
Page 405
subject    A keyword in the content of the e-mail Subject headers. Use up to 63 ASCII characters. Spaces are not allowed, although you could substitute a question mark (?). See Section 44.2.2.2 on page 407 for more details.
Page 406
[status]    ... show the activation status only.
show anti-spam black-list [status]    Displays the current anti-spam black list. Use status to show the activation status only.
show anti-spam tag black-list    Shows the configured anti-spam black list tag.
Page 407
This section describes the commands for checking the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). You must use the configure terminal command to enter the configuration mode before you can use these commands.
Page 408
show anti-spam dnsbl ip-check-order    Displays the order in which anti-spam checks e-mail header IP addresses against the DNSBLs.
show anti-spam dnsbl query-timeout {smtp | pop3}    Displays how the Zyxel Device handles SMTP or POP3 mail if the queries to the DNSBL domains time out.
Page 409
... DNSBL.
• Sets the Zyxel Device to start DNSBL checking from the first IP address in the mail header.
• Sets the DNSBL tag to “DNSBL”.
• Sets the DNSBL timeout tag to “DNSBL-timeout”.
Page 410
[no] anti-spam statistics collect
anti-spam statistics flush    Clears the collected statistics.
show anti-spam statistics summary    Displays an overview of the collected statistics.
show anti-spam statistics collect    Displays whether the collection of anti-spam statistics is turned on or off.
Page 411
0
spam detected by mail content: 0
spam detected by dnsbl: 0
spam detected with virus: 0
total virus mails: 0
dnsbl timeout: 0
mail session forwarded: 0
mail session dropped: 0
Page 412
• Traffic from WiFi client C4 is isolated from the network through a quarantine VLAN. Quarantined traffic in a VLAN isolates traffic from other clients in the same subnet, and only broadcasts to other clients in that same VLAN.
Page 413
• Web Filtering (URL Threat Filtering), Anti-Malware (Anti-Virus) and IPS (IDP) signatures first identify malicious traffic and inform the CDR daemon. If these licenses have expired or are not active, then no checking for malicious traffic is done.
Page 414
• If you disable CDR or your CDR license expires, then all blocked and quarantined clients are released.
• If you restart the Zyxel Device or restart an AP connected to the Zyxel Device, blocked and quarantined clients are still blocked until the block or quarantine period expires.
Page 415
cdr block redirect <url>    Sets a URL in “http://domain” or “https://domain” format to an external notification page. The client is redirected here when a Block or Quarantine action is triggered. Make sure the external notification page is accessible from the Zyxel Device.
Page 416
email_address    ... CDR action was triggered.
cdr unblock ipv4 ip_address    Unblocks an IP address that is currently being blocked or quarantined. This removes the address from the CDR containment list.
Page 417
cdr signature update    Immediately downloads the latest CDR signatures.
[no] cdr update auto    Enables automatic CDR signature downloads, at the time and date set by the daily/hourly/weekly command. Use the no command to disable auto updates.
Page 418
An alert email is sent only once within the duration, for the first time the threshold is reached, not for every occurrence over the threshold.
Router(config)# cdr counter-reset activate
Page 419
... Device notification page.
Router(config)# cdr block message Your device is trying to access malicious websites, so you are temporarily blocked. Please contact the network admin.
Save the current configuration to the Zyxel Device.
Router(config)# write
Page 420
description    This is additional information about this SSL Inspection profile. You can enter up to 60 characters ("0-9", "a-z", "A-Z", "-" and "_").
cert_name    This is the name of a certificate.
The following sections list the commands.
Page 421
<536..1460>    If a packet’s size is greater than this value, then the Zyxel Device splits the packet into two or more packets. The default value is 1460.
show ssl-inspection status    Displays the current configuration of SSL inspection.
Page 422
SSL traffic from your Zyxel Device users. To ensure individual privacy and meet legal requirements, you can configure an exclusion list to exclude matching sessions to destination servers. This traffic is not intercepted and passes through the Zyxel Device uninspected.
Page 423
exclude-list address    ... DNS names.
show ssl-inspection exclude-list web-category    Displays the web categories that let SSL traffic destined for websites belonging to these categories pass through the Zyxel Device without being inspected.
Page 424
| tls1_1 | tls1_2 | tls1_3}
unsupported-suite action {pass | block} {no log | log [alert]}    Select to pass or block unsupported traffic, such as traffic using unsupported cipher suites, compression, or client authentication.
Page 425
ssl-inspection cert-update    Downloads the latest certificate set from myZyxel.com and updates it on the Zyxel Device.
show ssl-inspection default-cert version    Displays the default certificate update status.
Page 426
show ssl-inspection statistics summary    Shows SSL inspection statistics such as concurrent sessions, total ssl sessions, sessions inspected, decrypted Kbytes, encrypted Kbytes, sessions blocked, and sessions passed.
46.2.8 SSL Inspection Command Examples
These are some other example SSL Inspection usage commands.
Page 427
2014-06-20 05:47:37 to 2014-06-20 05:47:55
Router(config)# show ssl-inspection statistics summary
maximum concurrent sessions : 1000
concurrent sessions
total ssl sessions
sessions inspected
decrypted Kbytes
encrypted Kbytes
sessions blocked
sessions passed
Router(config)#
Page 428
address_name    The source or destination address of an IP packet. The address name can be any of the following:
• Address object name
• Address group object name
• FQDN object name
• Geo IP object name
For details on addresses, see Chapter 52 on page 460.
Page 429
no security-service ip-exception profile_name    Removes the specified IPv4 rule.
no security-service ip6-exception profile_name    Removes the specified IPv6 rule.
show security-service ip-exception    Displays all IPv4 rules.
show security-service ip6-exception    Displays all IPv6 rules.
Page 430
Note: Only Zyxel Devices of the same model and firmware version can synchronize. Otherwise you must manually configure the master Zyxel Device’s settings on the backup (by editing copies of the configuration files in a text editor for example).
Page 431
Failover Count
Failover delay    Best case 10~30 seconds to rebuild connections.    0~1 seconds.
Monitored Interfaces    Ethernet    Ethernet, VLAN, Bridge, LAG
Heartbeat monitor port    Dedicated interface. Note: Remove Ethernet, VLAN, Bridge, LAG configurations from this port first.
Page 432
... IP addresses.
• Each interface can also have a management IP address. You can connect to this IP address to manage the Zyxel Device regardless of whether it is the master or the backup.
Page 433
(+-/*= :; .! @$&%#~ ‘ \ () ).
[no] device-ha ap-mode interface_name manage-ip ip subnet_mask    Sets the management IP address for an interface.
[no] device-ha ap-mode interface_name activate    Has device HA monitor the status of an interface’s connection.
Page 434
... VRRP packets used to monitor if the master Zyxel Device goes down. interface_name: This is a bridge interface, for example, brx.
show device-ha mode    Displays whether this Zyxel Device is in active-passive mode.
Page 435
Licensing > Registration > Service in the active Zyxel Device. Make sure the passive Zyxel Device is offline, then enable Device HA in Device HA > General in the passive Zyxel Device.
Page 436
device-ha2 sync_from_active    Manually synchronizes the passive and active devices. Use this command on the passive device. This command is available in User or Privilege mode.
[no] device-ha2 disable-session-sync    Disables or enables (no) connection tracking session synchronization.
Page 437
... Zyxel Device serial number, Virtual MAC address and synchronization progress.
show device-ha2 passive device-status    Displays the passive Zyxel Device heartbeat link status, the passive Zyxel Device serial number, Virtual MAC address and synchronization progress.
Page 438
48.5.3 Device HA2 Command Example
This command shows whether Device HA2 is activated and related parameters. Srv-monitor shows if a monitored service daemon on the active Zyxel Device fails. Conn-chk monitor shows if there is
Page 439
Heartbeat Interval: 2
Heartbeat Fail Tolerence: 2
License-Sync: S122L23030003
Max Failover Count: 5
Current Failover Count: 0
Failover Reset Interval (days): 5
Failover Conn-chk Hold Time: 300
Virtual mac: B0B2DC69A5FE
AP-Image-Sync: no
Disable Session Sync: yes
Router(config)#
Page 440
LAN/VLAN/DMZ networks behind the Zyxel Device. Information from clients that are in different IP subnets in the LAN/VLAN/DMZ networks might not be collected correctly as traffic must pass through another router or a layer-3 switch to the Zyxel Device.
Page 441
Guest A has left for over a month and you’re sure he will not return in the near future. You can remove his device using this command. Please note that clients that are blocked cannot be removed. Make sure to unblock clients before you remove them.
Page 442
Table 245 Device Insight Profile Configuration Example
PROFILE NAME    DESCRIPTION    CATEGORY    OPERATING SYSTEM    APPLIED POLICY
MobilePhone    profile for mobile clients    mobile-phone-tablet    Windows, macOS, Linux, Android, Others    LAN2_To_LAN1
Page 443
Router(secure-policy)# device MobilePhone
The Zyxel Device will block clients if they match the settings you configure in the Device Insight profile and the security policy action is set to deny.
Router(secure-policy)# action deny
Router(secure-policy)# exit
Page 444
To remove a blocked client’s device from the Device Insight database, you need to unblock the client’s device first.
Router(config)# no device block mac 00:00:5e:00:53:af
% Set device unblock success
Router(config)# device remove mac 00:00:5e:00:53:af
Page 445
... External user account
ext-group-user    External group user account
Note: The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 56 on page 480 for more information about authentication methods.)
Page 446
(second username).
username username [no] description description    Sets the description for the specified user. The no command clears the description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
Page 447
| <FQDN> | <IPv6 Address> | <W.X.Y.X>}    ... accessible only if the user is in the LAN of this Zyxel Device, and there are no other Zyxel gateways in between.
pwd-expiry expiration send-now    Sends a password expiration e-mail immediately.
Page 448
users default-setting [no] logon-lease-time <0..1440>    Sets the default lease time (in minutes) for each new user. Set it to zero to set an unlimited lease time. The no command sets the default lease time to five.
Page 449
The no command disables logging them out.
[no] users idle-detection timeout <1..60>    Sets the number of minutes of idle time before users are automatically logged out. The no command sets the idle-detection timeout to three minutes.
Page 450
You want to make the number of minutes unlimited so the admin account Max will not have to log in again after a certain time period.
Table 253 Create User Account Example
USER NAME    PASSWORD    USER TYPE
Max    1234    admin
Create an admin account using the parameters given above.
Page 451
... Zyxel Device, the Zyxel Device will check the WiFi client MAC address to see if it has been mapped to the MAC address user account. The no command deletes the mapping between the MAC address and the MAC role.
Page 452
• Modify the WLAN security profile named secureWLAN1 as follows:
    • Turn on MAC authentication
    • Use the authentication method named Auth1
    • Use colons to separate the two-character pairs within account MAC addresses
Page 453
{username | all | current}
show lockout-users    Displays users who are currently locked out.
unlock lockout-users {ip | console | ipv6_addr}    Unlocks the specified IP address.
users force-logout {username | ip | ipv6_addr}    Logs out the specified login.
Page 454
Chapter 50 User/Group
50.2.5.1 Additional User Command Examples
The following commands display the users that are currently logged in to the Zyxel Device and force
Page 456
Failed Login Attempt Record    Expired Timer
===========================================================================
172.16.1.5
Router(config)# unlock lockout-users 172.16.1.5
User from 172.16.1.5 is unlocked
Router(config)# show lockout-users
Username    Tried From    Lockout Time Remaining
===========================================================================
From    Failed Login Attempt Record    Expired Timer
===========================================================================
Page 457
[no] application <sid>    Write a valid signature ID for the object. The no command disables it.
no application-object <object>    Deletes the object with the specified name.
application-object rename <object> <object>    Renames the specified object with a new name.
Page 458
[no] object-group <object>    Creates an object group. The no command removes it.
no object-group application <object>    Deletes the object group with the specified name.
object-group application rename <object> <object>    Renames the specified object group with a new name.
Page 459
These are some example usage commands.
Router(config)# show object-group application
Name    Description    Member
===============================================================================
Router(config)# object-group application may
Router(group-application)# description rinse after use
Router(group-application)# exit
Router(config)# show object-group application
Name    Description    Member
===============================================================================
rinse after use tests
Router(config)#
Page 460
For some models, use gex, x = 1 ~ N, where N equals the highest numbered Ethernet interface for your Zyxel Device model. For other models, use a name such as wan1, wan2, opt, lan1, or dmz. The following sections list the address object and address group commands.
Page 461
<country code> all
geo-ip [no] geography <country_code> all address {ipv4 | ip6}    Use this command to configure the custom country-to-IP/continent-to-IP address mappings for a GEOGRAPHY object.
no address-object object_name    Deletes the specified address object.
Page 462
... Zyxel Device in order to update FQDN - IP cache entries.
fqdn-object sync-period <1..5>    Configures how often (1-5 seconds) the Zyxel Device should query the DNS server configured on the Zyxel Device to update FQDN - IP cache entries.
Page 464
show object-group {address | address6} [group_name]    Displays information about the specified address group or about all address groups.
[no] object-group address group_name    Creates the specified address group if necessary and enters sub-command mode. The no command deletes the specified address group.
Page 465
FQDN can be used in Security Policy, Policy Route, BWM and Web Authentication profiles as source and destination criteria. FQDN with a wildcard (for example, *.zyxel.com) can be used in these profiles as destination criteria only.
Page 466
show geo-ip country-list region code
    Shows the countries that belong to the continent.
show geo-ip region-code
    Shows the 2-letter abbreviation for each continent.
show geo-ip geography
    Shows customized country-to-IPv4-address mappings.
show geo-ip geography6
    Shows customized country-to-IPv6-address mappings.
Page 467
: 20150921
country current version : 20150921
Router# show geo-ip geography
Customize IPv4 to Geolocation:
Geolocation Type Address Note
===============================================================================
Router# show geo-ip geography6
Customize IPv6 to Geolocation:
Geolocation Type Address Note
===============================================================================
Router#
Page 468
[object_name]
    ... about all the services.
no service-object object_name
    Deletes the specified service.
service-object object_name {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>}
    Creates the specified TCP service or UDP service using the specified parameters.
Page 469
Router(config)# service-object MULTICAST protocol 2
Router(config)# show service-object
Object name Protocol Minmum port Maxmum port Ref.
=====================================================================
TELNET
ICMP_ECHO ICMP
MULTICAST
Router(config)# no service-object ICMP_ECHO
Router(config)# show service-object
Object name Protocol Minmum port Maxmum port Ref.
=====================================================================
TELNET
MULTICAST
Page 470
Router(config)# object-group service SG1
Router(group-service)# service-object ICMP_ECHO
Router(group-service)# exit
Router(config)# show service-object ICMP_ECHO
Object name Protocol Minmum port Maxmum port Ref.
===========================================================================
ICMP_ECHO ICMP
Router(config)# show object-group service SG1
Object/Group name Type Reference
===========================================================================
ICMP_ECHO Object 1
Page 471
time
    24-hour time, hours and minutes; <0..23>:<0..59>.
The following table lists the schedule commands.
Table 267 schedule Commands
COMMAND DESCRIPTION
show schedule-object
    Displays information about the schedules in the Zyxel Device.
no schedule-object object_name
    Deletes the schedule object.
Page 472
Object name Type Start/End Ref.
===========================================================================
SCHEDULE1 Recurring 11:00/12:00 ===MonTueWedThuFri=== 0
SCHEDULE2 Once 2006-07-29 11:00/2006-07-31 12:00 0
Router(config)# no schedule-object SCHEDULE1
Router(config)# show schedule-object
Object name Type Start/End Ref.
===========================================================================
SCHEDULE2 Once 2006-07-29 11:00/2006-07-31 12:00 0
Page 473
RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.
55.2 Authentication Server Command Summary
This section describes the commands for authentication server settings.
Page 474
[no] ldap-server host ldap_server
    Sets the LDAP server address. Enter the IP address (in dotted decimal notation) or the domain name. The no command clears this setting.
[no] ldap-server password password
    Sets the bind password. The no command clears this setting.
Page 476
[no] server password password
    Sets the bind password (up to 15 alphanumerical characters). The no command clears this setting.
[no] server port port_no
    Sets the AD port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
Page 477
“management”. The no command clears the setting.
[no] server host ldap_server
    Enter the IP address (in dotted decimal notation) or the domain name of an LDAP server to add to this group. The no command clears this setting.
Page 478
[no] server host radius_server
    Enter the IP address (in dotted decimal notation) or the domain name of a RADIUS server to add to this server group. The no command clears this setting.
Page 479
Router(group-server-radius)# server key 12345678
Router(group-server-radius)# server timeout 100
Router(group-server-radius)# exit
Router(config)# show aaa group server radius RADIUSGroup1
: 12345678
timeout : 100
description
group attribute : 11
Host Member Auth. Port
==========================================================================
192.168.1.100 1812
172.23.22.100 1812
Page 480
member [member2] [member3] [member4]
    member = group ad, group ldap, group radius, or local.
Note: You must specify at least one member for each profile. Each type of member can only be used once in a profile.
Page 481
test aaa {server|secure-server} {ad|ldap} host {hostname|ipv4-address} [host {hostname|ipv4-address}] port <1..65535> base-dn base-dn-string [bind-dn bind-dn-string password password] login-name-attribute attribute [alternative-login-name-attribute attribute] account account-name
    Tests whether a user account exists on the specified authentication server.
Page 482
Note: You can also configure two-factor authentication for non-VPN and non-admin users in web authentication. For details, see Section 31.1 on page 250.
Note: The admin two-factor authentication settings override the web authentication two-factor authentication settings if both are configured.
Page 483
Figure 37 SMS/Email Two-Factor Authentication VPN Access
A user runs a VPN client and enters their VPN user name and password. A VPN connection is created from the VPN client device to the Zyxel Device.
Page 484
• Email-to-SMS Provider Authentication failed and no SMS was sent. Check that SMS is enabled on the Zyxel Device and credentials are correct.
• Mail server authentication failed. Check if the mail server settings are correct on the Zyxel Device.
• The authorization timed out. Extend the Valid Time.
Page 485
Device requests the admin user’s Google Authenticator code. The admin user enters the code displayed in the Google Authenticator app. If the Google Authenticator code is correct, the admin user can log into the Zyxel Device.
Page 486
: a message edited using the default two-factor-auth message command or via the web configurator.
: a message file uploaded from your computer using the file two-factor-auth message command or via the web configurator.
Page 487
For example, if you change this to port 8008 and the link is using a.b.c.d, the VPN clients will see this link in their email or SMS to access the network behind the Zyxel Device: https://a.b.c.d:8008.
show two-factor-auth
    Displays current two-factor command settings for the VPN connection.
Page 488
@ character. For example, this is a valid email address: abc@example.com.
[no] two-factor-auth admin-access user username
    Uses this command and the admin user requires two-factor authentication for admin access. The no command means the admin user does not require two-factor authentication.
Page 489
Device if you are unable to access the Google Authenticator app.
show two-factor-auth admin-access
    Displays the default two-factor authentication method for new admin accounts.
56.5.4 Admin Access Two-Factor Command Examples
The following example shows how to set up two-factor authentication for an admin user.
Page 490
56.5.4.2 Admin Access Two-Factor Command Example: QR Code
Please note that you need to add the QR code key generated by the Zyxel Device (secret=XXXXXXXXXXX) manually to the Google Authenticator app after running show username <USERNAME> google-auth qrcode.
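The Google Authenticator code the admin enters is a time-based one-time password (RFC 6238) derived from the secret in that QR code key. The following Python block is an added example for readers of this guide, not Zyxel's code: it assumes a constructed base32 secret (the RFC 6238 reference seed, standing in for the secret=... value the Zyxel Device prints) and shows how the 6-digit code is derived from the secret and the current 30-second time step, and how a verifier checks it with a one-step clock-skew window.

```python
"""RFC 6238 TOTP, the algorithm Google Authenticator implements.

Added example, not Zyxel code. Shows how the QR-code secret the device
prints (secret=...) becomes the 6-digit code the admin types, and how a
verifier checks that code while tolerating a little clock skew.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the RFC 6238 reference seed "12345678901234567890"
# in base32, the encoding a Google Authenticator QR code carries.
# A real Zyxel Device prints its own secret; this value is a placeholder.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Return the TOTP code for the given Unix time (HMAC-SHA1, per RFC 6238)."""
    # Base32 is case-insensitive; pad to a multiple of 8 characters before decoding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // step                       # 30 s steps since the epoch
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter (RFC 4226)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept `code` if it matches the current step or one of `window` adjacent steps.

    A window of 1 tolerates ordinary clock skew between the phone and the
    device; a larger window multiplies the number of codes accepted at once.
    """
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + delta * step, step=step)
        # Constant-time comparison so timing does not reveal how many digits matched.
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    current = totp(SAMPLE_SECRET_B32, now)
    print("current code:", current)
    print("accepted:", verify_totp(SAMPLE_SECRET_B32, current, now))
```

Because the device and the app share nothing but this secret, the secret deserves the same handling as the admin password: the QR code output should not be left in terminal logs or screenshots, and the device's clock (see the time commands later in this guide) must be accurate or every code will fail the window check.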
Page 492
[no] ip address ip subnet_mask
    Sets the client’s IP address and subnet mask. The no command clears this setting.
[no] secret secret
    Sets a password as the key to be shared between the Zyxel Device and the client. The no command clears this setting.
Page 493
Router(config-trusted-client-AP-1)# ip address 10.10.1.2 255.255.255.0
Router(config-trusted-client-AP-1)# secret 12345678
Router(config-trusted-client-AP-1)# exit
Router(config)# show auth-server status
activation: yes
authentication method: default
certificate: default
Router(config)# show auth-server trusted-client AP-1
Client: AP-1
Activation: yes
Description:
IP: 10.10.1.2
Netmask: 255.255.255.0
Secret: VQEq907jWB8=
Router(config)#
Page 494
cn_email
    A common name e-mail address identifies the certificate’s owner. The e-mail address is for identification purposes only and can be any string. The e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.
Page 495
state
    Identifies the state, province, or region in which the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. You can add multiple words by enclosing them in double quotes, for example “New Mexico”.
Page 497
(usually a certification authority). You can use the following characters: a-zA-Z0-9;|`~!@#$%^&*()_+\{}':,./<>=-
ocsp {activate|deactivate}
    Has the Zyxel Device check (or not check) incoming certificates that are signed by this certificate against a directory server that uses OCSP (Online Certificate Status Protocol).
Page 498
Format determines..
show ca validation name name
    Displays the validation configuration for the specified remote (trusted) certificate.
show ca spaceusage
    Displays the storage space in use by certificates.
Page 499
IP
valid from: none
valid to: none
certificate: test_x509
type: SELF
subject: CN=10.0.0.58
issuer: CN=10.0.0.58
status: VALID
ID: 10.0.0.58
type: IP
valid from: 2006-05-29 10:26:08
valid to: 2009-05-28 10:26:08
Router(config)# no ca category local pkcs12request
Page 500
[no] authentication {chap-pap | chap | pap | mschap | mschap-v2}
    The no command sets the authentication to chap-pap.
[no] compression {yes | no}
    Turns compression on or off for the specified ISP account. The no command turns off compression.
Page 501
(_), dashes (-), periods (.), and /@\$
[no] password password
    Sets the password for the specified ISP account. The no command clears the password.
    password: Use up to 63 printable ASCII characters. Spaces are not allowed.
Page 502
[no] authentication {none | pap | chap}
    The no command sets the authentication to none.
[no] idle <0..360>
    Sets the idle timeout for the cellular account. Zero disables the idle timeout. The no command sets the idle timeout to zero.
Page 503
“remote” directory.
entry-point: optional. Specify the name of the directory or file on the local server as the home page or home directory on the user screen.
Page 504
If a link contains a file that is not within this domain, then SSL VPN users cannot access it.
no server-type
    Removes the type of service configuration for this SSL application.
[no] webpage-encrypt
    Turns on web encrypt to prevent users from saving the web content.
Page 506
show dhcp6 request-object [dhcp6_profile]
    Displays the specified DHCPv6 request object or all of them.
dhcp6-lease-object dhcp6_profile address ipv6_addr duid duid
    Creates or edits the specified DHCP lease object with the specified IPv6 address and DHCP Unique IDentifier (DUID).
Page 507
This example makes “test1” into a DHCPv6 address lease object for IPv6 addresses 2004::10 to 2004::40.
Router(config)# dhcp6-lease-object test1 address- 2004::10 2004::40
Router(config)# show dhcp6 lease-object
DHCP6 Lease Object: test1
Object Type: address-
Object Value: 2004::10
Ext Object Value: 2004::40
Bind Iface:
REFERENCE: 0
Page 508
This example creates a DHCPv6 prefix delegation request object named “pfx” and displays its settings.
Router(config)# dhcp6-request-object pfx prefix-delegation
Router(config)# show dhcp6 request-object
DHCP6 Request Object: pfx
Object Type: prefix-delegation
Object Value: 2089:3::/48
Bind Iface: ge2
REFERENCE: 1
Page 509
[no] dynamic-guest user_name
    Creates a dynamic guest account (billing-user) with the specified user name and enters the dynamic-guest sub-command mode to set the password and timeout settings. See Table 290 on page 510 for the sub-commands. The no command removes the specified dynamic-guest account.
Page 510
quota {total | upload | download} megabytes <0..1023>
    Sets how much downstream and/or upstream data in Megabytes can be transmitted through the external interface before the account expires. 0 means there is no data limit for the user account.
Page 511
Status Username Create Time Expiration Time Time Period Remaining Time Charge Payment Info Phone Num User Role
====================================================================================
Unused gn0ti7 2013-06-25 14:03 2013-06-26 14:00 1day 00:00:00 1day 00:00:00 eur 5,00 cash 0912345678 billing-users
Router(config)#
Page 512
The following figures identify the parts you can customize in the login and access pages.
Figure 39 Login Page Customization (labeled parts: Logo, Message, Title (color of all text), Background, Note Message (last line of text))
Page 513
login-page title title
    Sets the title for the top of the login screen. Use up to 64 printable ASCII characters. Spaces are allowed.
login-page title-color {color-rgb | color-name | color-number}
    Sets the title text color of the login page.
Page 514
For effective scheduling and logging, the Zyxel Device system time must be accurate. The Zyxel Device’s Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server.
Page 515
Zyxel Device will not automatically update the time-zone.
show myzyxel-service get-cloud-timezone
    Displays the time-zone, daylight savings time start-date, daylight savings time end-date and daylight savings time offset from the cloud server.
Page 516
Zyxel Device or a DNS server is disabled, they cannot forward DNS requests for resolution. A Domain Name Server (DNS) amplification attack is a kind of Distributed Denial of Service (DDoS) attack that uses publicly accessible open DNS servers to flood a victim with DNS response traffic. An
Page 517
[no] ip dns server mx-record domain_name {w.x.y.z|fqdn}
    ... handling the mail for a particular domain. The no command deletes an MX record.
ip dns server rule {<1..32>|append|insert <1..32>} access-group {ALL|address_object} zone {ALL|address_object} action {accept|deny}
    Sets a service control rule for DNS requests.
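The service control rule above is what keeps the Zyxel Device's DNS service from being the kind of open resolver the amplification passage describes. The following Python block is an added example, not Zyxel code: it models an ordered rule table of the form shown (index, append or insert; access-group; zone; action) and shows that a LAN-only accept rule followed by a deny-all rule refuses queries arriving from the WAN. It assumes top-down, first-match evaluation, that a request matching no rule falls through to a configurable default action (the page does not state the device's default), and uses constructed address objects (LAN_SUBNET, ADMIN_PC) and zone names (LAN1, WAN).

```python
"""Ordered DNS service-control rule table, modelled after the
`ip dns server rule ...` form.  Added example, not Zyxel code.

Assumptions (not stated on the page): rules are evaluated top-down and the
first match wins; an unmatched request gets `default_action`; setting an
existing index overwrites that rule, while insert pushes later rules down.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address objects: name -> networks (stand-in for the device's
# address-object definitions).
ADDRESS_OBJECTS = {
    "LAN_SUBNET": [ip_network("192.168.1.0/24")],
    "ADMIN_PC": [ip_network("192.168.1.10/32")],
}


@dataclass
class Rule:
    access_group: str  # "ALL" or an address object name
    zone: str          # "ALL" or the zone the query arrives from
    action: str        # "accept" or "deny"


class DnsRuleTable:
    def __init__(self, default_action="accept"):
        self.rules = []
        self.default_action = default_action

    def add(self, position, rule):
        """position: "append", ("insert", n) or an int n (1-based)."""
        if position == "append":
            self.rules.append(rule)
        elif isinstance(position, tuple) and position[0] == "insert":
            self.rules.insert(position[1] - 1, rule)      # later rules shift down
        else:
            idx = position - 1
            if idx < len(self.rules):
                self.rules[idx] = rule                     # overwrite that index
            else:
                self.rules.append(rule)
        return self

    def evaluate(self, src_ip, zone):
        """Return (action, matching rule number) for a query from src_ip via zone."""
        src = ip_address(src_ip)
        for number, rule in enumerate(self.rules, start=1):
            if rule.zone not in ("ALL", zone):
                continue
            if rule.access_group != "ALL" and not any(
                src in net for net in ADDRESS_OBJECTS[rule.access_group]
            ):
                continue
            return rule.action, number
        return self.default_action, None


def build_closed_resolver():
    """Accept DNS only from the LAN address object; deny everything else.

    The trailing deny-all rule is what matters: without it, a query from
    the WAN falls through to the default action and the resolver is open.
    """
    table = DnsRuleTable()
    table.add("append", Rule("LAN_SUBNET", "LAN1", "accept"))
    table.add("append", Rule("ALL", "ALL", "deny"))
    return table


if __name__ == "__main__":
    table = build_closed_resolver()
    print("LAN client:", table.evaluate("192.168.1.50", "LAN1"))
    print("Internet host:", table.evaluate("203.0.113.7", "WAN"))
```

The second assertion in the worked run is the one to keep in mind when auditing a device: list the rules in order and confirm a deny rule closes the table, because an accept-only table leaves every unmatched source to the default.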
Page 518
“www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain. Underscores are not allowed. Use "*." as a prefix in the FQDN for a wildcard domain name (for example, *.example.com).
Page 519
Address Object: any
Additional Info from Cache: allow
Recursion Query: allow
Router(config)#
63.7 Authentication Server Overview
The Zyxel Device can also work as a RADIUS server to exchange messages with other APs for user authentication and authorization.
Page 520
60 characters long.
show auth-server status
    Displays the Zyxel Device’s authentication server settings.
show auth-server trusted-client
    Displays all RADIUS client profile settings.
show auth-server trusted-client profile_name
    Displays the specified RADIUS client profile settings.
Page 521
[no] mail-subject append date-time
    Determines whether the sending date-time will be appended to the subject of the notification e-mails.
schedule hour <0..23> minute <00..59>
    Sets the time for sending out the notification e-mails.
show
    Displays mail server settings.
Page 522
[no] username e-mail
    Sets the user name for your ViaNett account.
sms-service provider-select {vianett|email-to-sms}
    vianett: Selects if you use ViaNett to help forward SMS messages.
    email-to-sms: Selects if you use another SMS gateway to help forward SMS messages.
Page 523
SMS messages.
code
show sms-service provider vianett
    Displays the ViaNett account information.
show sms-service provider email-to-sms
    Displays the settings of the SMS service provider you use.
Page 524
color {<rgb(0,0,255)> | <color name> | <#00FF00>}
    You can specify the color as an RGB value, a Hex value, or as a CSS color name.
show respmsg url-filter block-page
    Shows the current response message settings.
Page 525
63.11 ZON Overview
The Zyxel One Network (ZON) utility uses the Zyxel Discovery Protocol (ZDP) for discovering and configuring ZDP-aware Zyxel devices in the same broadcast domain as the computer on which ZON is installed.
Page 526
63.11.3 ZON Examples
This example enables LLDP discovery and displays whether LLDP discovery is enabled on the Zyxel Device.
Router(config)# zon lldp server
Router(config)# zon lldp server status
status: active
Router(config)#
Page 527
Table 304 Command Summary: Fast Forwarding
COMMAND DESCRIPTION
fast forwarding {activate | deactivate}
    Enables or disables fast forwarding on the Zyxel Device.
show fast forwarding status
    Displays whether fast forwarding is currently enabled.
Page 528
The management session does not time out when a statistics screen is polling. Each user is also forced to log in to the Zyxel Device for authentication again when the reauthentication time expires.
Page 529
[no] ip http secure-port <1..65535>
    The no command resets the HTTPS service port number to the factory default (443).
[no] ip http secure-server
    Enables HTTPS access to the Zyxel Device web configurator. The no command disables HTTPS access to the Zyxel Device web configurator.
Page 530
ip http skip-csrf-check
    Omits cross-site request forgery (CSRF) checking. CSRF exploits the trust that a site has in a user's browser to transmit unauthorized commands as if they are from a user that the website trusts.
Page 531
Router# configure terminal
Router(config)# ip http authentication
Example
The following example sets a certificate named MyCert used by the HTTPS server to authenticate itself to the SSL client.
Router# configure terminal
Router(config)# ip http secure-server cert MyCert
Page 532
For other Zyxel Device models, use pre-defined zone names like DMZ, LAN1, SSL VPN, IPSec VPN, OPT, and WAN.
ip ssh server rule move rule_number to rule_number
    Changes the index number of an SSH service control rule.
Page 533
[no] ip telnet server
    ... access to the Zyxel Device CLI.
[no] ip telnet server port <1..65535>
    Sets the Telnet service port number. The no command resets the Telnet service port number back to the factory default (23).
Page 534
Zone Address Action
========================================================================
Router(config)#
64.7 Configuring FTP
You can upload and download the Zyxel Device’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.
Page 535
This command sets a service control rule that allows the computers with the IP addresses matching the specified address object to access the specified zone using the FTP service.
Router# configure terminal
Router(config)# ip ftp server rule 4 access-group Sales zone WAN action accept
Page 536
This trap is sent when the Ethernet link is down.
linkUp 1.3.6.1.6.3.1.1.5.4
    This trap is sent when the Ethernet link is up.
authenticationFailure 1.3.6.1.6.3.1.1.5.5
    This trap is sent when an SNMP request comes from non-authenticated hosts.
Page 537
31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. For other Zyxel Device models, use pre-defined zone names like DMZ, LAN1, SSL VPN, IPSec VPN, OPT, and WAN.
Page 538
Router(config)# snmp-server community secret rw
The following command sets the IP address of the host that receives the SNMP notifications to 172.23.15.84 and the password (sent with each trap) to qwerty.
Router# configure terminal
Router(config)# snmp-server host 172.23.15.84 qwerty
Page 539
{accept|deny}
no ip icmp-filter rule <1..64>
    Deletes an ICMP filter rule.
ip icmp-filter rule move <1..64> to <1..64>
    Changes the index number of an ICMP filter rule.
show ip icmp-filter status
    Displays ICMP filter settings.
Page 540
Other settings do not change. You can edit configuration files or shell scripts in a text editor and upload them to the Zyxel Device. Configuration files use a .conf extension and shell scripts use a .zysh extension.
Page 541
Zyxel Device treat the line as a comment. Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the Zyxel Device exit sub command mode.
Page 542
This lets the Zyxel Device apply most of your configuration in the configuration file you just uploaded. You can refer to the logs for what to fix. Use apply/conf/file_name.conf ignore-error rollback, for example, apply/conf/ATPConfigFile.conf ignore-error rollback, to:
Page 543
Device generates a log and copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. If there isn’t a lastgood.conf configuration file or it also has an error, the Zyxel Device applies the system-default.conf configuration file.
Page 544
script | /tmp}/file_name-b.conf
    Specify the directory and file name of the file that you want to copy and the directory and file name to use for the duplicate. Always copy the file into the same directory.
Page 545
65.5 File Manager Dual Firmware Commands
The following table lists the commands that you can use for managing dual firmware. Firmware uploaded using FTP goes to the Running partition. Use the web configurator to upload firmware to the
Page 546
Welcome to USG110
Username: admin
Password:
Router> configure terminal
Router(config)# show version
Zyxel Communications Corp.
image number model firmware version build date boot status
===============================================================================
USG110 V4.11(AAPH.0)b3s1 2015-01-11 21:53:44 Standby
USG110 V4.11(AAPH.0) 2015-03-13 03:47:52 Running
Page 547
The following example transfers a configuration file named tomorrow.conf from the computer and saves it on the Zyxel Device as next.conf. When you upload a custom signature, the Zyxel Device appends it to the existing custom signatures stored in the “custom.rules” file.
Page 548
“get vpn_setup.zysh vpn.zysh” transfers the vpn_setup.zysh configuration file on the Zyxel Device to your computer and renames it “vpn.zysh.”
65.7.4 Command Line FTP Configuration File Download Example
The following example gets a configuration file named today.conf from the Zyxel Device and saves it on the computer as current.conf.
Page 549
cloud-helper check app
    Sends a query to the Cloud Helper Server to get the latest App Patrol signature information.
cloud-helper check app_incr
    Sends a query to the Cloud Helper Server to get the latest incremental App Patrol signature information.
Page 550
If you configure both weekly and daily commands, then the command that takes effect is the last one configured.
cloud-helper get app
    Downloads the latest App Patrol signatures from the Cloud Helper server to the Zyxel Device.
Page 551
Zyxel Device. <1..2>
[no] cloud-helper-notify activate
    Enables the Cloud Helper notifications service, which checks for new, app updates, and firmware updates. The no command disables the service and hides notifications.
Page 552
: Running
===============================================================================
Cloud status : NORMAL
firmware version : 4.20(AAPL.0)b5
firmware release : 2016-07-15T02:29:11Z
firmware md5 : 752ed3f2d8296e669ea2146c29523bda
firmware news file: YES
firmware note file: YES
firmware message file: NO
boot status : Standby
Router(config)#
Page 553
: Standby
Router(config)#
65.9 Zyxel Device File Usage at Startup
The Zyxel Device uses the following files at system startup.
Figure 44 Zyxel Device File Usage at Startup
1. Boot Module
2. Recovery Image
3. Firmware
Page 554
If the console session displays “Invalid Firmware”, or “Invalid Recovery Image”, or the console freezes at "Press any key to enter debug mode within 3 seconds" for more than one minute, go to Section 65.11 on page 555 to restore the recovery image.
Page 555
When “Press any key to enter debug mode within 3 seconds.” displays, press a key to enter debug mode.
Figure 48 Enter Debug Mode
Enter atuk to initialize the recovery process. If the screen displays “ERROR”, enter atur to initialize the recovery process.
Page 556
Browse to search for it. Choose the 1K Xmodem protocol. Then click Send. Wait for about three and a half minutes for the Xmodem upload to finish.
Figure 52 Recovery Image Upload Complete
Page 557
Transfer the firmware file from your computer to the Zyxel Device. Type put followed by the path and name of the firmware file. This example uses put e:\ftproot\ZLD FW \1.01(XL.0)C0.bin.
Figure 54 FTP Firmware Transfer Command
Wait for the file transfer to complete.
Page 558
Figure 57 Firmware Recovery Complete and Restart
10 The username prompt displays after the Zyxel Device starts up successfully. The firmware recovery process is now complete and the Zyxel Device is ready to use.
Page 559
If the default system database file is not valid, the Zyxel Device displays a warning message in your console session at startup or when reloading the anti-virus or IDP signatures. It also generates a log. Here are some examples. Use this section to restore the Zyxel Device’s default system database.
Page 560
This procedure requires the Zyxel Device’s default system database file. Download the firmware package from www.zyxel.com and unzip it. The default system database file uses a .db extension, for example, "1.01(XL.0)C0.db". Do the following after you have obtained the default system database file.
Page 561
192.168.1.1. Keep the console session connected in order to see when the default system database recovery finishes. Hit enter to log in anonymously. Set the transfer mode to binary (type bin).
Page 562
Figure 67 Default System Database Received and Recovery Complete
12 The username prompt displays after the Zyxel Device starts up successfully. The default system database recovery process is now complete and the Zyxel Device IDP and anti-virus features are ready to use again.
Page 564
To view a list of categories, run command show logging status system-log.
protocol
    The name of a protocol such as TCP, UDP, ICMP.
The following sections list the logging commands.
Page 565
logging usb-storage flushThreshold <1..100>
    Sets how many new log messages must be created on the Zyxel Device before the new messages are written to the USB storage device.
Page 566
[service service_name] [srciface interface_name] [dstiface interface_name] [protocol protocol] [begin <1..512> end <1..512>] [keyword keyword]
    You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 63 characters long. This searches the message, source, destination, and notes fields.
Page 567
VRPT server.
show vrpt send interface statistics interval
    Displays the interval (in seconds) for how often the Zyxel Device sends an interface statistics log to the VRPT server.
Page 568
[ ], double quotation marks (“), question marks (?), tabs or spaces. It can be up to 63 characters long.
[no] logging mail <1..2> port <1..65535>
    Sets the port number of the mail server for the specified e-mail profile.
Page 569
Table 327 logging Commands: Console Port Settings
COMMAND DESCRIPTION
show logging status console
    Displays the current settings for the console log. (This log is not discussed above.)
[no] logging console
    Enables the console log. The no command disables the console log.
Page 570
{alert | crit | debug | emerg | error | info | notice | warn}
    ... this category is enabled.
[no] logging console category module_name
    Enables logging for the specified category in the console log. The no command disables logging.
Page 571
show report [interface_name {ip | service | url}]
    Displays the traffic report for the specified interface and controls the format of the report. Formats are:
    ip - traffic by IP address and direction
    service - traffic by service and direction
    url - hits by URL
Page 572
show conn ip-traffic destination
    Displays information about traffic sessions sorted by the destination.
show conn ip-traffic source
    Displays information about traffic sessions sorted by the source.
show conn status
    Displays the number of active sessions.
Page 573
smtp-auth username username password password
    Sets the username and password for SMTP authentication.
no smtp-address
    Resets the SMTP mail server configuration.
no smtp-auth username
    Resets the authentication configuration.
[no] smtp-port <1..65535>
    Sets the SMTP port. The no command deletes the setting.
Page 574
    TLS for the daily report. The no command enables the default STARTTLS protocol.
exit
    Leaves the sub-command mode.

67.2.1 Email Daily Report Example
This example sets the following about sending a daily report e-mail:
Page 576
If you made changes in the CLI, you have to use the write command to save the configuration before you reboot. Otherwise, the changes are lost when you reboot. Use the reboot command to restart the device.
Page 577
diaginfo collect
    Collects information on Access Points managed by the AP controller (the Zyxel Device).
diaginfo delete /
    Deletes information collected on the AP controller (the Zyxel Device).
diaginfo delete /
    Deletes information collected on Access Points managed by the AP controller (the Zyxel Device).
Page 578
68.4 Remote Assistance
Use Remote Assistance commands to configure and schedule external access to the Zyxel Device for troubleshooting. You can also specify the port numbers the services must use to connect to the Zyxel Device.
Page 579
    DATE TIME date time
show remote-assistance
    Displays configured remote assistance settings including randomly generated user name / password, addresses, access ports and schedule.
show remote-assistance generate
    Displays randomly generated user name / password for remote assistance.
Page 581
show system snat nat-1-1
    Displays activated NAT rules which use SNAT.
show system snat nat-loopback
    Displays activated NAT rules which use SNAT with NAT loopback enabled.
show system snat default-snat
    Displays the default WAN trunk settings.
Page 582
The following example shows all activated dynamic VPN rules.
Router> show system route dynamic-vpn
Source                Destination           VPN Tunnel
===========================================================================

The following example shows the default WAN trunk’s settings.
Router> show system route default-wan-trunk
Source                Destination           Trunk
===========================================================================
                                            trunk_ex
Page 583
VS Name         Source          Destination     SNAT
===========================================================================

The following example shows all activated 1-to-1 NAT rules.
Router> show system snat nat-1-1
VS Name         Source          Destination     Outgoing        SNAT
===========================================================================
Page 584
The following example shows the default WAN trunk settings.
Router> show system snat default-snat
Incoming                Outgoing                SNAT
===========================================================================
Internal Interface      External Interface      Outgoing Interface IP
Internal Interfaces: lan1, hidden, lan2, dmz
External Interfaces: wan1, wan2, wan1_ppp, wan2_ppp
Router>
Page 585
0 means there is no time limit.
Page 586
    <1..4096>]
    computer.
    size: specifies the number of data bytes to be sent.
    count: stop after sending this number of ECHO_REQUEST packets.
    forever: keep sending ECHO_REQUEST packets until you use Ctrl+c to stop.
Page 587
    extension]
    Set source address to specified interface IPv4 address.
    interface_name: specifies a network interface to obtain the source IP address for outgoing probe packets.
    filter_extension: You can use 1-256 alphanumeric characters, spaces, or '()+,/:=?;!*#@$_%.- characters.
Page 589
Table 339 Maintenance Tools Commands in Configuration Mode
COMMAND    DESCRIPTION
show arp-table
    Displays the current Address Resolution Protocol table.
arp ip mac_address
    Edits or creates an ARP table entry.
no arp ip
    Removes an ARP table entry.
Page 590
• Duration: 150 seconds
• Save the captured packets to: USB storage device
• Ring Buffer: Enable

Check if there’s any packet capture running on the Zyxel Device.
Router(config)# show packet-capture status

Check the current packet capture settings.
Page 591
Manually stop the running packet capture when you have the information you need. Otherwise, with Ring Buffer enabled, the Zyxel Device will keep capturing and overwriting old captured files.
Router(config)# no packet-capture activate
Router(config)#

Check the current packet capture status and list all stored packet captures.
Page 592
Download the captured files in the web configurator at Maintenance > Diagnostics > Packet Capture > Files. Open and study them using a packet analyzer tool (for example, Ethereal or Wireshark).

71.2 Scheduled Reboot
For stability, you can restart the Zyxel Device periodically according to a user-defined schedule.
Page 593
schedule reboot monthly <time,hh:mm> <day,dd>
    Sets the device to restart once a month on the specified day, at the specified hour and minute. <day,dd> must be written as two digits. The valid range is 01–28.
Page 594
    <user@domainname>
    addresses.
conf-mail no {mail-to-1|mail-to-2|mail-to-3|mail-to-4|mail-to-5}
    Clears the receiving email address.
conf-mail attach password <attachment password>
    Adds an encryption password to the configuration file in the email. The password must consist of 1–31 ASCII characters.
Page 595
exit
    Exits subcommand mode.
[no] config-backup scheduler activate
    Enables or disables the automatic configuration file backup.
config-backup run
    Backs up the configuration file now.
show config-backup status
    Shows the scheduled configuration file backup settings.
Page 596
    timer <4..37>
    The no command turns the timer off.
show hardware-watchdog-timer status
    Displays the settings of the hardware watchdog timer.

72.2.2 Software Watchdog Timer
The software watchdog has the system restart if the core firmware fails.
Page 597
    max <1..100>
    The Zyxel Device stops sending alerts when the memory usage drops back below the minimum threshold (the first threshold you enter). The no command changes the setting back to the default.
Page 598
show app-watch-dog reboot-log
    Displays the application watchdog reboot log.

72.2.3.1 Application Watchdog Commands Example
The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring.
Page 599
Chapter 72 Miscellaneous
Page 600
[no] mem-conserve utm-bypass falling-threshold <1..4000>
    Sets the on threshold for UTM Features Bypass, in Megabytes (MB). When the available memory of the Zyxel Device is equal to this value, the Zyxel Device enables UTM Features Bypass mode.
Page 601
Figure 70 Conserve Memory: Example
Router# configure terminal
Router(config)# mem-conserve utm-bypass falling-threshold 5
Router(config)# mem-conserve utm-bypass rising-threshold 10
Router(config)# mem-conserve utm-bypass sustained-time 4

The following figure shows the result of these commands:
Figure 71 Conserve Memory Example
Page 602
[no] gui-visibility show-advanced fromlocal-snat
    > Network > Routing > Policy Route > Add/Edit Policy Route. The no command prevents this setting from being configured.
    Note: This command is available in ZLD firmware 5.0 and later.
show gui-visability status
    Displays the current GUI visibility settings.
Page 603
Use the CAPWAP client commands to configure the AP’s IP address and other related management interface settings. Do not use the original interface commands to configure the IP address and related settings on the AP, because the AP does not save interface command settings after rebooting.
Page 604
This example shows how to configure the AP’s management interface and how it connects to the AP controller (the Zyxel Device), and how to check the connection status. The following commands:
• Display how the AP finds the Zyxel Device
Page 605
AC IP: 192.168.1.1 192.168.1.2
Router(config)# exit
Router# show capwap ap info
AC-IP               192.168.1.1
Discovery type      Static AC IP
SM-State            RUN(8)
msg-buf-usage       0/10 (Usage/Max)
capwap-version      10118
Radio Number        1/4 (Usage/Max)
BSS Number          8/8 (Usage/Max)
IANA ID             037a
Description         AP-0013499999FF
Page 606
The AP in the example in Section 73.4.1 on page 606 uses a static IP address. If the AP uses DHCP instead, you do not need to configure the DNS server’s IP address on the AP when you configure DHCP
Page 607
Chapter 73 Managed AP Commands
option 6 on the DHCP server. For the example in Section 73.4.1 on page 606, you would just need to configure the management interface’s VLAN ID (capwap ap vlan vlan-id 3).
Page 615
[no] ip ftp server port <1..65535> ..........535
[no] ip ftp server tls-required ..........535
[no] ip gateway ip ............133
[no] ip helper-address ip ..............122
[no] ip http authentication auth_method .........529
[no] ip http content-security-policy ..........529
Page 639
..............................101
move <1..8> to <1..8> ............................167
mtu <576..1492> ..............................143
mtu <576..1492> ..............................147
multicast pps <1~10000> ............................86
multicast pps <1~10000> ............................87
myzyxel-service get-cloud-timezone ..........515
myzyxel-service set-timezone-according-cloud ........515
Page 640
[commtouch-url] unrate {log} ..375
no content-filter profile filtering_profile commtouch-url match {log} ...375
no content-filter profile filtering_profile commtouch-url match-unsafe {log} ..375
no content-filter profile filtering_profile commtouch-url offline {log} ..375
Page 641
..............288
no sa tunnel-name map_name ............288
no scan-detection sensitivity ..........................237
no schedule-object object_name ..........471
no security-service ip6-exception profile_name ........429
no security-service ip-exception profile_name ........429
no server-auth <1..2> ..............................94
Page 647
..........340
show anti-botnet status ............333
show anti-botnet update status ..........338
show anti-spam black-list [status] ..........406
show anti-spam dashboard statistics summary ........51
show anti-spam dnsbl domain .............408
Page 648
.............75
show ap-group-profile {all | ap_group_profile_name} ......75
show ap-group-profile ap_group_profile_name lan-provision interface {all | vlan | ethernet | ap_lan_port | vlan_interface} model {nwa5301-nj | wac6502d-e | wac6502d-s | wac6503d-s | wac6553d-e} ..............76
Page 649
{all | ap_mac} ............61
show capwap ap {all | ap_mac} ............62
show capwap ap {all | ap_mac} config ..........62
show capwap ap {all | ap_mac} config status ........62
Page 650
..........377
show content-filter statistics summary ..........377
show content-filter statistics summary ..........377
show corefile copy usb-storage ..........153
show country-code list ............63
show cpu all ..............47
show cpu average ..............577
Page 651
{white-list | black-list} .......378
show dns-content-filter dashboard statistics summary ......378
show dns-content-filter fake-dns-response-ttl ........379
show dns-content-filter profile {all | profileName} ......378
show dns-content-filter search FQDN ..........378
show dns-content-filter statistics collect ........380
Page 652
....239
show idp anomaly profile tcp-decoder {bad-tcp-flag | bad-tcp-l4-size | tcp-land} details ....240
show idp anomaly profile tcp-decoder all details ........239
show idp anomaly profile udp-decoder {bad-udp-l4-size | udp-land | udp-smurf} details ....240
Page 653
.........122
show interface summary all ............122
show interface summary all status ..........122
show interface tunnel status ............151
show interface tunnel_iface .............151
show interface vti ..............164
Page 654
.........121
show ipv6 neighbor-list ............588
show ipv6 static address interface ..........121
show ipv6 status ..............525
show isakmp keepalive ............278
show isakmp policy [policy_name] ..........278
Page 655
........267
show payment-service mobile-page-customization ........267
show payment-service mobile-profile-page settings .......267
show payment-service mobile-sms-page settings ........267
show payment-service mobile-success-page settings .......267
show payment-service page-customization .........267
show payment-service profile-page settings ........267
Page 656
[object_name] ........46
show reference object username [username] ........45
show reference object zone [object_name] .........46
show reference object-group aaa ad [group_name] ........46
show reference object-group aaa ldap [group_name] ........46
Page 657
..........226
show secure-policy6 filter from zone_object to zone_object srcip6 <ip-address> dstip6 <ip> service {any | tcp | udp | icmp | gre | esp | user-defined} port-number user user_name sch schedule_object ............225
Page 658
..............47
show software-watchdog-timer log ..........597
show software-watchdog-timer status ..........597
show ssl-inspection cert-list ...........425
show ssl-inspection cert-update status ..........426
show ssl-inspection default-cert update .........426
show ssl-inspection default-cert version ........425
Page 659
..........489
show usb-storage ..............152
show usb-storage space ............154
show usb-storage space ftp ............154
show usb-storage space tmp ............154
show usb-storage space usb ............154
show usb-storage update-firmware status .........154
Page 660
............187
show zone user-define ............187
show zymesh ap info ..............99
show zymesh link info {repeater-ap | root-ap} ........99
show zymesh provision-group ............99
show zymesh-profile {all | zymesh_profile_name} ........99