ZyXEL Communications 1050 CLI Reference Manual (ZLD-based)

ZyWALL (ZLD)
CLI Reference Guide
Version 2.00
7/2007
Edition 1
DEFAULT LOGIN
LAN Port: 1
IP Address: http://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.com



Summary of Contents for ZyXEL Communications 1050

  • Page 3 • Web Configurator Online Help: embedded web help with descriptions of individual screens and supplementary information. • ZyXEL Web Site. • ZyWALL (ZLD) CLI Reference Guide: see this guide for how to access and use the CLI (Command Line Interface) and to learn about the CLI user and privilege modes.
  • Page 4 Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you! The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
  • Page 5: Document Conventions

    Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 6 Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Server Switch Computer Notebook computer Firewall Telephone Router ZyWALL (ZLD) CLI Reference Guide...
  • Page 7: Safety Warnings

    For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. •...
  • Page 9: Table Of Contents

    Introduction ... 11 Command Line Interface ... 13 User and Privilege Modes ... 29 Status ... 33 Registration ... 37 Network ... 45 Interfaces ... 47 Trunks ... 65 Route ... 69 Routing Protocol ... 75 Zones ... 79 DDNS ... 83 Virtual Servers ...
  • Page 10 Contents Overview Certificates ... 195 ISP Accounts ... 201 SSL Application ... 203 System ... 205 System ... 207 System Remote Management ...211 Maintenance and Index ... 225 File Manager ... 227 Logs ... 245 Reports and Reboot ... 251 Session Timeout ...
  • Page 11: Introduction

    Introduction Command Line Interface (13) User and Privilege Modes (29) Registration (37)
  • Page 13: Command Line Interface

    Chapter 1: Command Line Interface. This chapter describes how to access and use the CLI (Command Line Interface). 1.1 Overview If you have problems with your ZyWALL, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the ZyWALL and possibly render it unusable.
  • Page 14: Console Port

    Chapter 1 Command Line Interface The ZyWALL might force you to log out of your session if the reauthentication time, lease time, or idle timeout is reached. See the sections on user settings for more information about these timers. 1.2.1 Console Port The default settings for the console port are as follows. Table 1 Managing the ZyWALL: Console Port SETTING VALUE...
  • Page 15: Web Configurator Console

    Figure 2 Login Screen Welcome to ZyWALL 1050 Username: Enter the user name and password at the prompts. The default login username is admin and password is 1234. The username and password are case-sensitive. 1.2.2 Web Configurator Console Before you can access the CLI through the web configurator, make sure your computer supports the Java Runtime Environment.
  • Page 16 Chapter 1 Command Line Interface Figure 3 Web Console: Security Warnings Finally, the User Name screen appears. Figure 4 Web Console: User Name 5 Enter the user name you want to use to log in to the console. The console begins to connect to the ZyWALL.
  • Page 17 Figure 5 Web Console: Connecting Then, the Password screen appears. Figure 6 Web Console: Password 6 Enter the password for the user name you specified earlier, and click OK. If you enter the password incorrectly, you get an error message, and you may have to close the console window and open it again.
  • Page 18: How To Find Commands In This Guide

    Chapter 1 Command Line Interface 1 If your computer is connected to the ZyWALL over the Internet, skip to the next step. Make sure your computer IP address and the ZyWALL IP address are on the same subnet. 2 In Windows, click Start (usually in the bottom left corner) and Run. Then type and the ZyWALL’s IP address.
  • Page 19: How Commands Are Explained

    • Commands in Order of Appearance lists the commands in the order that they appear in this guide. • List of Commands (Alphabetical) lists the commands in alphabetical order. If you are looking at the CLI Reference Guide electronically, you might have additional options (for example, bookmarks or Find...) as well.
  • Page 20: Changing The Password

    Chapter 1 Command Line Interface For example, look at the following command to create a TCP/UDP service object. service-object object-name {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>} 1 Enter service-object. 2 Enter the name of the object where you see object-name. 3 Enter tcp or udp. 4 Finally, do one of the following: enter eq followed by a single port number, or enter range followed by the first and last port numbers of the range.
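The notation above is mechanical enough to check a typed command against it. The Python below is an added example, not code from the guide or from ZyXEL: it parses a syntax line written in the guide's notation (keywords, a placeholder, {a | b} choices, <lo..hi> integer ranges) and reports whether a command line is a complete, valid instance of it. The placeholder list and the object-name rule are assumptions, because the printed guide marks placeholders by italics and gives no naming rule for service objects; the syntax line itself is the service-object line from this page.

```python
import re

# The notation the guide uses in its command lines: plain words are keywords
# typed exactly; a placeholder such as object-name takes a value you supply;
# {a | b} means choose one; <1..65535> means an integer in that inclusive range.
# The example line is the service-object command from page 20 of the guide.
SYNTAX = ("service-object object-name {tcp | udp} "
          "{eq <1..65535> | range <1..65535> <1..65535>}")

# Placeholders are italic in the printed guide; plain text loses that, so they
# are listed explicitly. The name rule (letter or underscore first, then up to
# 30 letters, digits, underscores or dashes) is an ASSUMPTION modelled on the
# trunk-name rule in Table 28; the guide does not state one for service objects.
PLACEHOLDERS = {"object-name": re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,30}$")}
RANGE_RE = re.compile(r"^<(\d+)\.\.(\d+)>$")


def split_top_level(text, sep):
    """Split text on sep wherever sep appears outside {...} braces."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "{") - (ch == "}")
        if ch == sep and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]


def tokenize(syntax):
    """Top-level tokens of a syntax line; a {...} group stays one token."""
    return split_top_level(syntax, " ")


def alternatives(group):
    """The choices inside a {a | b | ...} group."""
    return split_top_level(group[1:-1], "|")


def matches(tokens, words):
    """True if words is exactly one of the command lines tokens describes."""
    if not tokens:
        return not words                      # trailing input is rejected
    tok, rest = tokens[0], tokens[1:]
    if tok.startswith("{") and tok.endswith("}"):
        # Expand the chosen alternative in place and keep matching.
        return any(matches(tokenize(alt) + rest, words) for alt in alternatives(tok))
    if not words:
        return False                          # partial command: the CLI rejects it
    word, more = words[0], words[1:]
    rng = RANGE_RE.match(tok)
    if rng:
        lo, hi = int(rng.group(1)), int(rng.group(2))
        return word.isdigit() and lo <= int(word) <= hi and matches(rest, more)
    if tok in PLACEHOLDERS:
        return bool(PLACEHOLDERS[tok].match(word)) and matches(rest, more)
    return word == tok and matches(rest, more)


def validate(command, syntax=SYNTAX):
    """Check one command line (a string) against a syntax line."""
    return matches(tokenize(syntax), command.split())


if __name__ == "__main__":
    for cmd in ("service-object web tcp eq 80",
                "service-object dns udp range 53 53",
                "service-object web tcp",            # incomplete
                "service-object web tcp eq 70000"):  # port out of range
        print(f"{cmd!r:45} valid={validate(cmd)}")
```

Because matches() succeeds only when the syntax and the typed words run out together, an incomplete line such as "service-object web tcp" is rejected, which is the behaviour section 1.6.3 describes for the CLI itself, and a port outside 1..65535 fails the range check the guide's <1..65535> notation expresses.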
  • Page 21: Shortcuts And Help

    (See Chapter 23 on page 171.) These users can log in, look at (but not run) the available commands in User mode, and log out. Limited-Admin users can look at the configuration in the web configurator and CLI, and they can run basic diagnostics in the CLI. Admin users can configure the ZyWALL in the web configurator or CLI.
  • Page 22: Entering Partial Commands

    Chapter 1 Command Line Interface Figure 11 Help: Sub-command Information Example
    Router(config)# ip telnet server ?
    <cr>
    access-group
    port
    Router(config)# ip telnet server
    Figure 12 Help: Required User Input Example
    Router(config)# ip telnet server port ?
    <1..65535>
    Router(config)# ip telnet server port
    1.6.3 Entering Partial Commands The CLI does not accept partial or incomplete commands.
  • Page 23: Erase Current Command

    1.6.7 Erase Current Command Press [CTRL]+U to erase whatever you have currently typed at the prompt (before pressing [ENTER]). 1.7 Input Values You can use the ? or [TAB] to get more information about the next input value that is required for a command.
  • Page 24: Chapter 1 Command Line Interface

    Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES domain name Used in content filtering Used in ip dns server 0-247 Used in domainname, ip dhcp pool, and ip domain 0-254 email 1-63 e-mail 1-64...
  • Page 25 Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES password: less than 15 1-15 chars password: less than 8 chars password Used in user and ip ddns 1-63 Used in e-mail log profile SMTP authentication 1-63 Used in device HA synchronization 1-63 Used in registration 6-20...
  • Page 26: Ethernet Interfaces

    1.8 Ethernet Interfaces When you need to specify an Ethernet interface, remember that the number of interfaces available depends on the ZyWALL model. For example, the ZyWALL 1050 has 5 Ethernet interfaces and the ZyWALL USG 300 has 7. 1.9 Saving Configuration Changes Use the command to save the current configuration to the ZyWALL.
  • Page 27: Logging Out

    1.10 Logging Out Enter the exit or end command in configure mode to go to privilege mode. Enter the exit command in user mode or privilege mode to log out of the CLI.
  • Page 29: User And Privilege Modes

    ‘user mode’. All commands can be run in ‘privilege mode’. The htm and psm commands are for ZyXEL’s internal manufacturing process. Table 4 User (U) and Privilege (P) Mode Commands COMMAND...
  • Page 30 enable: Goes from user mode to privilege mode. exit: Goes to a previous mode or logs out. htm: Goes to htm (hardware test module) mode. Note: These commands are for ZyXEL's internal manufacturing process. interface: Dials or disconnects an interface. no packet-trace (U/P): Turns off packet tracing.
  • Page 31: Debug Commands

    2.1.1 Debug Commands Debug commands marked with an asterisk (*) are not available when the debug flag is on and are for service personnel use only. The debug commands follow a syntax that is Linux-based, so if there is a Linux equivalent, it is displayed in this chapter for your reference. Table 5 Debug Commands COMMAND SYNTAX debug app...
  • Page 32 Chapter 2 User and Privilege Modes Table 5 Debug Commands (continued) COMMAND SYNTAX debug system iptables list chain {forward|prerouting|postrouting|input|output|pre_id} debug system iptables list table {nat|filter|mangle|vpn|zymark|vpnid|cfilter} debug system lsmod (*) debug system ps debug system show conntrack Shows system sessions list debug system show cpu status debug system show ksyms (*) Shows kernel symbols...
  • Page 33: Status

    Chapter 3: Status. This chapter explains some commands you can use to display information about the ZyWALL’s current operational state. You must use the configure terminal command before you can use these commands. Table 6 Status Show Commands COMMAND DESCRIPTION Displays the CPU utilization.
  • Page 34 Chapter 3 Status Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size, and serial number.
    Router(config)# show fan-speed
    FAN1(F00)(rpm): limit(hi)=6500, limit(lo)=1400, max=6650, min=6642, avg=6644
    FAN2(F01)(rpm): limit(hi)=6500, limit(lo)=1400, max=6809, min=6783, avg=6795
    FAN3(F02)(rpm): limit(hi)=6500, limit(lo)=1400, max=6683, min=6666, avg=6674
    FAN4(F03)(rpm): limit(hi)=6500, limit(lo)=1400, max=6633, min=6617, avg=6627
    Router(config)# show mac
    MAC address: 00:13:49:82:18:28-2c...
  • Page 35 Here is an example of the command that displays the open ports. Router(config)# show socket open Proto Local_Address =========================================================================== 172.23.37.240:22 127.0.0.1:64002 0.0.0.0:520 0.0.0.0:138 0.0.0.0:138 0.0.0.0:138 0.0.0.0:138 0.0.0.0:138 0.0.0.0:138 0.0.0.0:138 0.0.0.0:32779 192.168.1.1:4500 1.1.1.1:4500 10.0.0.8:4500 172.23.37.205:4500 172.23.37.240:4500 127.0.0.1:4500 127.0.0.1:63000 127.0.0.1:63001 127.0.0.1:63002 0.0.0.0:161 127.0.0.1:63009 192.168.1.1:1701 1.1.1.1:1701...
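The show socket open listing above is the quickest way to see which ports the ZyWALL itself is listening on, and a reviewer wants to know which of those are reachable from somewhere other than the LAN or loopback. The Python below is an added example, not part of the guide or of ZyXEL's software: it parses a listing in that layout and reports listeners bound to a wildcard address or to an address outside a trusted network. The sample text is constructed from the addresses shown above (its Proto column is assumed, since the page shows only the addresses), and the trusted network and the port-to-service names are assumptions.

```python
import ipaddress

# Constructed sample in the layout of `show socket open`. The addresses are
# the ones printed on page 35; the Proto values are ASSUMED.
SAMPLE = """\
Proto Local_Address
===========================================================================
tcp   172.23.37.240:22
tcp   127.0.0.1:64002
udp   0.0.0.0:520
udp   0.0.0.0:138
udp   0.0.0.0:32779
udp   192.168.1.1:4500
udp   127.0.0.1:4500
tcp   127.0.0.1:63000
udp   0.0.0.0:161
udp   192.168.1.1:1701
"""

# Standard IANA port names for the services seen in the listing (ASSUMED labels,
# not taken from the guide).
MANAGEMENT_PORTS = {
    22: "ssh", 161: "snmp", 520: "rip", 4500: "ipsec-nat-t",
    1701: "l2tp", 138: "netbios-dgm",
}


def parse_sockets(text):
    """Return (proto, address, port) tuples from a `show socket open` listing.

    The header line and the ===== rule are skipped; any other line that does not
    look like '<proto> <addr>:<port>' is ignored rather than guessed at."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or ":" not in parts[1] or parts[0] not in ("tcp", "udp"):
            continue
        proto, local = parts
        addr, _, port = local.rpartition(":")
        sockets.append((proto, addr, int(port)))
    return sockets


def audit(text, trusted_nets=("192.168.1.0/24",)):
    """Return listeners reachable from outside the trusted networks.

    Loopback sockets are skipped (local processes only). A 0.0.0.0 wildcard
    is reachable on every interface, so it is always reported. A socket bound
    to an address inside a trusted network is treated as LAN-only; anything
    else (here the 172.23.37.240 interface) is reported. The trusted network
    is an ASSUMPTION for this example."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for proto, addr, port in parse_sockets(text):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            continue
        if ip.is_unspecified or not any(ip in net for net in trusted):
            findings.append((proto, addr, port, MANAGEMENT_PORTS.get(port, "unknown")))
    return findings


if __name__ == "__main__":
    for proto, addr, port, name in audit(SAMPLE):
        print(f"{proto} {addr}:{port} ({name}) is reachable beyond the trusted LAN")
```

On the sample, SSH bound to the 172.23.37.240 interface and RIP, NetBIOS datagram, SNMP and an unnamed UDP port bound to 0.0.0.0 are reported; the IPSec NAT-T and L2TP sockets bound to 192.168.1.1 are not, because they sit inside the trusted network. Whether a reported listener is actually a problem then depends on the zone and firewall rules in front of it, which this listing alone does not show.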
  • Page 36 Here are examples of the commands that display the system uptime and model, firmware, and build information.
    Router(config)# show system uptime
    system uptime: 13 days, 21:01:17
    Router(config)# show version
    ZyXEL Communications Corp.
    model            : ZyWALL 1050
    firmware version : 2.00(XL.0)b3
    BM version       : 1.08
    build date       : 2007-03-30 17:42:56
  • Page 37: Registration

    This chapter shows you how to register the ZyWALL and activate the IDP/AppPatrol, anti-virus, and content filtering services using commands. 4.1 myZyXEL.com overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
  • Page 38: Registration Commands

    Application patrol conveniently manages the use of various applications on the network. After the service is activated, the ZyWALL can download the up-to-date signature files from the update server (http://myupdate.zywall.zyxel.com). • SSL VPN tunnels provide secure network access to remote users. You can purchase and enter a license key to have the ZyWALL use more SSL VPN tunnels.
  • Page 39: Command Examples

    Table 8 Command Summary: Registration (continued) COMMAND service-register checkexpire; service-register service-type standard license-key key_value; service-register service-type trial service {all|content-filter|idp|av}; show device-register status; show service-register status {all|content-filter|idp|sslvpn|av}. 4.2.1 Command Examples The following commands allow you to register your device with an existing account or create a new account and register the device at one time, and activate a trial service subscription.
  • Page 40: Country Code

    Chapter 4 Registration 4.3 Country Code The following table displays the number for each country. Table 9 Country Codes COUNTRY CODE COUNTRY NAME Afghanistan Algeria Andorra Anguilla Antigua & Barbuda Armenia Ascension Island Austria Bahamas Bangladesh Belarus Belize Bermuda Bolivia Botswana Brazil Brunei Darussalam...
  • Page 41 Table 9 Country Codes (continued) COUNTRY CODE COUNTRY NAME Faroe Islands Finland France (Metropolitan) French Polynesia Gabon Georgia Ghana Great Britain Greenland Guadeloupe Guatemala Guinea Guyana Heard and McDonald Islands Honduras Hungary India Ireland Italy Japan Jordan Kenya Korea, Republic of Kyrgyzstan Latvia Lesotho...
  • Page 42 Chapter 4 Registration Table 9 Country Codes (continued) COUNTRY CODE COUNTRY NAME Namibia Nepal Netherlands Antilles New Zealand Niger Niue Northern Mariana Islands Not Determined Pakistan Panama Paraguay Philippines Poland Puerto Rico Reunion Island Russian Federation Saint Kitts and Nevis Saint Vincent and the Grenadines Sao Tome and Principe Senegal...
  • Page 43 Table 9 Country Codes (continued) COUNTRY CODE COUNTRY NAME Uruguay Vanuatu Vietnam Virgin Islands (USA) Western Sahara Yemen Zambia ZyWALL (ZLD) CLI Reference Guide Chapter 4 Registration COUNTRY CODE COUNTRY NAME Uzbekistan Venezuela Virgin Islands (British) Wallis And Futuna Islands Western Samoa Yugoslavia Zimbabwe...
  • Page 45: Network

    Network Interfaces (47) Trunks (65) Route (69) Routing Protocol (75) Zones (79) DDNS (83) Virtual Servers (85) HTTP Redirect (87) ALG (89)
  • Page 47: Interfaces

    Chapter 5: Interfaces. This chapter shows you how to use interface-related commands. 5.1 Interface Overview In general, an interface has the following characteristics. • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. •...
  • Page 48: Relationships Between Interfaces

    Chapter 5 Interfaces • The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the DIAL BACKUP port (labeled AUX on some models).
  • Page 49 Table 11 Relationships Between Different Types of Interfaces (continued) INTERFACE bridge interface PPPoE/PPTP interface virtual interface (virtual Ethernet interface) (virtual VLAN interface) (virtual bridge interface) trunk * - You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge.
  • Page 50: Basic Interface Properties And Ip Address Commands

    Chapter 5 Interfaces 5.2.1 Basic Interface Properties and IP Address Commands This table lists basic properties and IP address commands. Table 13 interface Commands: Basic Properties and IP Address Assignment COMMAND show interface {ethernet | vlan | bridge | ppp | auxiliary} status show interface {interface_name | ethernet | vlan | bridge | ppp | virtual ethernet |...
  • Page 51: Dhcp Setting Commands

    5.2.2 Interface Parameter Commands This table lists the commands for interface parameters (summarized in Table 14). Table 14 interface Commands: Interface Parameters COMMAND interface interface_name [no] upstream <0..1048576> [no] downstream <0..1048576> [no] mtu <576..1500> traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} bandwidth <0..1048576> priority <1..7> [maximize-bandwidth-usage];...
  • Page 52 Chapter 5 Interfaces Table 15 interface Commands: DHCP Settings (continued) COMMAND [no] ip dhcp pool profile_name show [no] host ip [no] hardware-address mac_address [no] client-identifier mac_address [no] client-name host_name DESCRIPTION Creates a DHCP pool if necessary and enters sub- command mode. You can use the DHCP pool to create a static entry or to set up a range of IP addresses to assign dynamically.
  • Page 53 Table 15 interface Commands: DHCP Settings (continued) COMMAND network IP/<1..32> network ip mask no network [no] default-router ip [no] domain-name domain_name [no] starting-address ip pool-size <1..65535> [no] first-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} [no] second-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd- dns} [no] third-dns-server {ip | interface_name...
  • Page 54 Displays information about DHCP bindings for the specified IP address or for all IP addresses. Removes the DHCP bindings for the specified IP address or for all IP addresses. Example DHCP pool sub-commands:
    network 192.168.1.0 /24
    domain-name zyxel.com.tw
    first-dns-server 172.23.5.1
    second-dns-server ge1 1st-dns
    third-dns-server 172.23.5.2
    default-router 192.168.1.1
    lease 0 1 30
    starting-address 192.168.1.10 pool-size 30...
  • Page 55 Table 16 interface Commands: Ping Check (continued) COMMAND [no] ping-check activate; ping-check {domain_name | ip | default-gateway}; ping-check {domain_name | ip | default-gateway} period <5..30>; ping-check {domain_name | ip | default-gateway} timeout <1..10>; ping-check {domain_name | ip | default-gateway} fail-tolerance <1..10>...
  • Page 56 Chapter 5 Interfaces Table 18 interface Commands: RIP Settings (continued) COMMAND [no] ip rip v2-broadcast show rip {global | interface {all | interface_name}} 5.2.5.2 OSPF Commands This table lists the commands for OSPF settings. Table 19 interface Commands: OSPF Settings COMMAND router ospf [no] network interface_name area ip...
  • Page 57 Table 19 interface Commands: OSPF Settings (continued) COMMAND [no] ip ospf hello-interval <1..65535> [no] ip ospf dead-interval <1..65535> [no] ip ospf retransmit-interval <1..65535> 5.2.6 Basic Interface Setting Commands This section identifies commands that support port grouping. In CLI, representative interfaces are called representative ports. Table 20 Basic Interface Setting Commands COMMAND show port-grouping...
  • Page 58 Chapter 5 Interfaces 5.2.6.1 Port Grouping Command Examples The following commands add physical port 5 to representative interface ge1.
    Router# configure terminal
    Router(config)# show port-grouping
    No. Representative Name
    =========================================================
    Router(config)# port-grouping ge1
    Router(config-port-grouping)# port 5
    Router(config-port-grouping)# exit
    Router(config)# show port-grouping
    No.
  • Page 59: Bridge Commands

    This table lists the VLAN interface commands. Table 22 interface Commands: VLAN Interfaces COMMAND interface interface_name [no] port interface_name [no] vlan-id <1..4094> show port vlanid 5.2.7.1 VLAN Interface Command Examples The following commands show you how to set up VLAN vlan100 with the following parameters: VLAN ID 100, interface ge1, IP 1.2.3.4, subnet 255.255.255.0, MTU 598, gateway 2.2.2.2, description “I am vlan100”, upstream bandwidth 345, and downstream bandwidth 123.
  • Page 60 Chapter 5 Interfaces This table lists the bridge interface commands. Table 24 interface Commands: Bridge Interfaces COMMAND interface interface_name [no] join interface_name show bridge available member 5.2.8.1 Bridge Interface Command Examples The following commands show you how to set up a bridge interface named br0 with the following parameters: member ge1, IP 1.2.3.4, subnet 255.255.255.0, MTU 598, gateway 2.2.2.2, upstream bandwidth 345, downstream bandwidth 123, and description “I am br0”.
  • Page 61 Table 26 interface Commands: PPPoE/PPTP Interfaces (continued) COMMAND interface interface_name [no] connectivity {nail-up | dial-on- demand} [no] account profile_name [no] bind interface_name [no] local-address ip [no] remote-address ip 5.2.9.1 PPPoE/PPTP Interface Command Examples The following commands show you how to configure PPPoE/PPTP interface ppp0 with the following characteristics: base interface ge1, ISP account Hinet, local address 1.1.1.1, remote address 2.2.2.2, MTU 1200, upstream bandwidth 345, downstream bandwidth 123, description “I am ppp0”, and dialed only when used.
  • Page 62 Chapter 5 Interfaces 5.2.10 Auxiliary Interface Commands The first table below lists the auxiliary interface commands; the second lists the values you can input with these commands. Table 27 interface Commands: Auxiliary Interface COMMAND interface dial aux interface disconnect aux interface aux [no] phone-number phone [no] dialing-type {tone | pulse} [no] port-speed {9600 | 19200 | 38400 | 57600 | 115200}...
  • Page 63 5.2.10.1 Auxiliary Interface Command Examples The following commands show you how to set up the auxiliary interface aux with the following parameters: phone-number 0340508888, tone dialing, port speed 115200, initial- string ATZ, timeout 10 seconds, retry count 2, retry interval 100 seconds, username kk, password kk@u2online, chap-pap authentication, and description “I am aux interface”.
  • Page 65: Trunks

    Chapter 6: Trunks. This chapter shows you how to configure trunks on your ZyWALL. 6.1 Trunks Overview You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface’s connection goes down, the ZyWALL sends traffic through another member of the trunk.
  • Page 66: Trunk Commands Input Values

    Chapter 6 Trunks 6.3 Trunk Commands Input Values The following table explains the values you can input with the commands. Table 28 interface-group Command Input Values LABEL DESCRIPTION A descriptive name for the trunk. Use up to 31 characters (a-zA-Z0-9_-). The name group_name cannot start with a number.
  • Page 67: Trunk Command Examples

    6.5 Trunk Command Examples The following example creates a weighted round robin trunk for Ethernet interfaces ge1 and ge2. The ZyWALL sends twice as much traffic through ge1 as through ge2.
    Router# configure terminal
    Router(config)# interface-group wrr-example
    Router(if-group)# mode trunk
    Router(if-group)# algorithm wrr
    Router(if-group)# interface 1 ge1 weight 2
    Router(if-group)# interface 2 ge2 weight 1
    Router(if-group)# exit...
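As an added illustration (not from the guide or from ZyXEL's code), the Python below models how a weighted round robin trunk spreads traffic using the weights from the example above, and what happens to that split when one member's link goes down, which is the failover behaviour the chapter overview describes. The scheduling algorithm (smooth weighted round robin) and the member names are assumptions; the guide states only the 2:1 outcome.

```python
from collections import Counter


class WrrTrunk:
    """Smooth weighted round robin over the members of a trunk.

    Built to mirror the wrr-example trunk (ge1 weight 2, ge2 weight 1): over
    every three packets ge1 is chosen twice and ge2 once, interleaved rather
    than in bursts. A member whose link is down is skipped, so its share
    moves to the remaining members. The algorithm (Nginx-style smooth WRR)
    is an ASSUMPTION; the guide does not document how the ZyWALL schedules
    its wrr trunks."""

    def __init__(self, members):
        self.members = list(members)            # [(name, weight)] in trunk order
        self.current = {name: 0 for name, _ in self.members}
        self.down = set()

    def set_link(self, name, up):
        """Mark a member's link up or down; stale credit is discarded."""
        if up:
            self.down.discard(name)
        else:
            self.down.add(name)
        self.current[name] = 0

    def next_interface(self):
        """Pick the member that carries the next packet."""
        up = [(n, w) for n, w in self.members if n not in self.down]
        if not up:
            raise RuntimeError("all trunk members are down")
        total = sum(w for _, w in up)
        for n, w in up:
            self.current[n] += w                # everyone earns its weight
        chosen = max(up, key=lambda m: self.current[m[0]])[0]
        self.current[chosen] -= total           # the winner pays the round
        return chosen


def distribute(trunk, packets):
    """Send `packets` through the trunk and count how many each member got."""
    return Counter(trunk.next_interface() for _ in range(packets))


if __name__ == "__main__":
    trunk = WrrTrunk([("ge1", 2), ("ge2", 1)])
    print("both links up:", dict(distribute(trunk, 30)))
    trunk.set_link("ge2", False)
    print("ge2 down:     ", dict(distribute(trunk, 30)))
```

With both links up, 30 packets split 20 to ge1 and 10 to ge2; after ge2 is marked down every packet goes through ge1, which is the reliability point the overview makes, at the cost of the load sharing.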
  • Page 69: Route

    Chapter 7: Route. This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL. 7.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
  • Page 70 Chapter 7 Route The following table describes the commands available for policy route. You must use the configure terminal command before you can use these commands. Table 31 Command Summary: Policy Route COMMAND [no] bwm activate policy {<1..5000>|append <1..5000>|insert <1..5000>} [no] bandwidth <1..1048576> priority <1..1024> [maximize-bandwidth-usage] [no] deactivate [no] description description [no] destination {address_object|any} [no] interface interface_name...
  • Page 71 Table 31 Command Summary: Policy Route (continued) COMMAND trigger delete <1..8> trigger insert <1..8> incoming service_name trigger service_name trigger move <1..8> to <1..8> [no] tunnel tunnel_name [no] user user_name policy default-route policy delete <1..5000> policy flush policy move <1..5000> to <1..5000> show policy-route [1..5000] show bwm activation show bwm-usage <...
  • Page 72: Policy Route Command Example

    Chapter 7 Route 7.2.1 Policy Route Command Example The following commands set a policy that routes the packets (with the source IP address TW_SUBNET and any destination IP address) through the interface ge1 to the next-hop router GW_1. This route uses the IP address of the outgoing interface as the matched packets’ source IP address.
  • Page 73: Static Route Commands

    Figure 14 Example of Static Routing Topology 7.4 Static Route Commands The following table describes the commands available for static route. You must use the configure terminal command before you can use these commands. Table 32 Command Summary: Static Route COMMAND [no] ip route {w.x.y.z} {w.x.y.z} {interface|w.x.y.z} <0..127>...
  • Page 75: Routing Protocol

    Chapter 8: Routing Protocol. This chapter describes how to set up RIP and OSPF routing protocols for the ZyWALL. 8.1 Routing Protocol Overview Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL then stores this routing information in the routing table, which it uses when it makes routing decisions.
  • Page 76: Rip Commands

    Chapter 8 Routing Protocol 8.2.1 RIP Commands This table lists the commands for RIP. Table 35 router Commands: RIP COMMAND router rip [no] network interface_name [no] redistribute {static | ospf} redistribute {static | ospf} metric <0..16> [no] version <1..2> [no] passive-interface interface_name [no] authentication mode {md5 | text} [no] authentication string authkey authentication key <1..255>...
  • Page 77: Ospf Area Commands

    Table 36 router Commands: General OSPF Configuration (continued) COMMAND [no] passive-interface interface_name [no] router-id IP 8.2.3 OSPF Area Commands This table lists the commands for OSPF areas. Table 37 router Commands: OSPF Areas COMMAND router ospf [no] network interface area IP [no] area IP [{stub | nssa}] [no] area IP authentication [no] area IP authentication message-digest Enables MD5 authentication in the specified area.
  • Page 78: Learned Routing Information Commands

    Chapter 8 Routing Protocol Table 38 router Commands: Virtual Links in OSPF Areas (continued) COMMAND [no] area IP virtual-link IP authentication message-digest [no] area IP virtual-link IP authentication authentication-key authkey [no] area IP virtual-link IP authentication message-digest-key <1..255> md5 authkey [no] area IP virtual-link IP authentication same-as-area [no] area IP virtual-link IP...
  • Page 79: Zones

    Chapter 9: Zones. Set up zones to configure network security and network policies in the ZyWALL. 9.1 Zones Overview A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management. Zones cannot overlap.
  • Page 80: Zone Commands Summary

    Chapter 9 Zones 9.2 Zone Commands Summary The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands. Table 40 Input Values for Zone Commands LABEL DESCRIPTION profile_name: The name of a zone, or the name of a VPN tunnel. You may use 1-31 alphanumeric characters or underscores (_); the first character cannot be a number.
  • Page 81: Zone Command Examples

    9.2.1 Zone Command Examples The following commands add Ethernet interfaces ge1 and ge2 to zone A and block intra-zone traffic.
    Router# configure terminal
    Router(config)# zone A
    Router(zone)# interface ge1
    Router(zone)# interface ge2
    Router(zone)# block
    Router(zone)# exit
    Router(config)# show zone
    No. Name
    ===========================================================================
    Router(config)# show zone A
    blocking intra-zone traffic: yes...
  • Page 83: Ddns

    Chapter 10: DDNS. This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL. 10.1 DDNS Overview DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address.
  • Page 84: Ddns Commands Summary

    Chapter 10 DDNS 10.2 DDNS Commands Summary The following table describes the values required for many DDNS commands. Other values are discussed with the corresponding commands. Table 42 Input Values for DDNS Commands LABEL DESCRIPTION profile_name: The name of the DDNS profile. You may use 1-31 alphanumeric characters or underscores (_). This value is case-sensitive.
  • Page 85: Virtual Servers

    Chapter 11: Virtual Servers. This chapter describes how to set up, manage, and remove virtual servers. 11.1 Virtual Server Overview Virtual server is also known as port forwarding or port translation. Virtual servers are computers on a private network behind the ZyWALL that you want to make available outside the private network.
  • Page 86: Virtual Server Command Examples

    Chapter 11 Virtual Servers Table 45 ip virtual-server Commands (continued) COMMAND ip virtual-server profile_name interface interface_name original-ip {any | IP | address_object} map-to IP map-type port protocol {any | tcp | udp} original-port <1..65535> mapped-port <1..65535> [deactivate] ip virtual-server profile_name interface interface_name original-ip {any | IP | address_object} map-to IP map-type ports protocol {any | tcp | udp} original-port-begin...
  • Page 87: Http Redirect

    Chapter 12: HTTP Redirect. This chapter shows you how to configure HTTP redirection on your ZyWALL. 12.1 HTTP Redirect Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. 12.1.1 Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
  • Page 88: Http Redirect Command Examples

    Chapter 12 HTTP Redirect The following table describes the commands available for HTTP redirection. You must use the configure terminal command before you can use these commands. Table 47 Command Summary: HTTP Redirect COMMAND ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535> ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535>...
  • Page 89: Alg

    Chapter 13: ALG. This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. 13.1 ALG Introduction The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL’s NAT.
  • Page 90: Alg Commands

    Chapter 13 ALG 13.2 ALG Commands The following table lists the ALG commands. You must enter configuration mode before you can use these commands. Table 48 alg Commands COMMAND [no] alg sip [(signal-port <1025..65535>) | (signal-extra-port <1025..65535>) | (media-timeout <1..86400>) | (signal-timeout <1..86400>)] [no] alg <h323 | ftp>...
  • Page 91: Firewall And Vpn

    Firewall and VPN Firewall (93) IPSec VPN (99) SSL VPN (107) L2TP VPN (111)
  • Page 93: Firewall

    Chapter 14: Firewall. This chapter introduces the ZyWALL’s firewall and shows you how to configure your ZyWALL’s firewall. 14.1 Firewall Overview The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 94: Firewall Commands

    Chapter 14 Firewall Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the schedule, user name (user’s login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them).
  • Page 95 Table 50 Command Summary: Firewall (continued) COMMAND [no] description description [no] destinationip address_object exit [no] from zone_object [no] log [alert] [no] schedule schedule_object [no] service service_name [no] sourceip address_object [no] sourceport {tcp|udp} {eq <1..65535>|range <1..65535> <1..65535>} [no] to {zone_object|ZyWALL} [no] user user_name firewall zone_object {zone_object|ZyWALL} <1..5000>...
  • Page 96 Chapter 14 Firewall Table 50 Command Summary: Firewall (continued) COMMAND firewall zone_object {zone_object|ZyWALL} delete <1..5000> firewall zone_object {zone_object|ZyWALL} flush firewall zone_object {zone_object|ZyWALL} insert <1..5000> firewall zone_object {zone_object|ZyWALL} move <1..5000> to <1..5000> [no] firewall activate firewall append firewall delete <1..5000> firewall flush firewall insert <1..5000>...
  • Page 97: Firewall Command Examples

    14.2.1 Firewall Command Examples The following example shows you how to add a firewall rule to allow a MyService connection from the WAN zone to the IP addresses Dest_1 in the LAN zone. • Enter configuration command mode. • Create an IP address object. •...
  • Page 98 Chapter 14 Firewall The following command displays the firewall rule(s) (including the default firewall rule) that apply to the packet direction from WAN to LAN. The firewall rule numbers in the menu are the firewall rules’ priority numbers in the global rule list. Router# configure terminal Router(config)# show firewall WAN LAN firewall rule: 3...
  • Page 99: Ipsec Vpn

    CHAPTER This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. 15.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing.
  • Page 100: Ipsec Vpn Commands Summary

    Chapter 15 IPSec VPN Figure 18 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
  • Page 101: Ike Sa Commands

    Table 51 Input Values for IPSec VPN Commands (continued) LABEL distinguished_name sort_order The following sections list the IPSec VPN commands. 15.2.1 IKE SA Commands This table lists the commands for IKE SAs (VPN gateways). Table 52 isakmp Commands: IKE SAs COMMAND show isakmp keepalive show isakmp policy [policy_name]...
  • Page 102 Chapter 15 IPSec VPN Table 52 isakmp Commands: IKE SAs (continued) COMMAND peer-ip {ip | domain_name} [ip | domain_name] authentication {pre-share | rsa-sig} keystring pre_shared_key certificate certificate-name local-id type {ip ip | fqdn domain_name | mail e_mail | dn distinguished_name} peer-id type {any | ip ip | fqdn domain_name | mail e_mail | dn distinguished_name}...
  • Page 103 Table 53 crypto map Commands: IPSec SAs (continued) COMMAND crypto map map_name activate deactivate ipsec-isakmp policy_name encapsulation {tunnel | transport} transform-set esp_crypto_algo [esp_crypto_algo [esp_crypto_algo]] transform-set {ah-md5 | ah-sha} [{ah-md5 | ah-sha} [{ah-md5 | ah-sha}]] set security-association lifetime seconds <180..3000000> set pfs {group1 | group2 | group5 | none} local-policy address_name remote-policy address_name [no] policy-enforcement...
  • Page 104 Chapter 15 IPSec VPN Table 53 crypto map Commands: IPSec SAs (continued) COMMAND [no] in-snat activate in-snat source address_name destination address_name snat address_name [no] in-dnat activate in-dnat delete <1..10> in-dnat move <1..10> to <1..10> in-dnat append protocol {all | tcp | udp} original-ip address_name <0..65535>...
  • Page 105: Vpn Concentrator Commands

    15.2.3 IPSec SA Commands (for Manual Keys) This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys). Table 54 crypto map Commands: IPSec SAs (Manual Keys) COMMAND crypto map map_name set session-key {ah <256..4095> auth_key | esp <256..4095>...
  • Page 106: Sa Monitor Commands

    Chapter 15 IPSec VPN Table 55 vpn-concentrator Commands: VPN Concentrator (continued) COMMAND [no] crypto map_name vpn-concentrator rename profile_name profile_name 15.2.5 SA Monitor Commands This table lists the commands for the SA monitor. Table 56 sa Commands: SA Monitor COMMAND show sa monitor [{begin <1..000>} | {end <1..000>} | {rsort sort_order} | {crypto-map regexp} |...
  • Page 107: Ssl Vpn

    CHAPTER This chapter shows you how to set up secure SSL VPN access for remote user login. 16.1 SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks: • limit user access to specific applications or files on the network. •...
  • Page 108 Chapter 16 SSL VPN Table 57 Input Values for SSL VPN Commands (continued) LABEL application_object user_name The following sections list the SSL VPN commands. 16.2.1 SSL VPN Commands This table lists the commands for SSL VPN. You must use the configure terminal command to enter the configuration mode before you can use these commands.
  • Page 109 Table 58 SSL VPN Commands COMMAND show workspace application show workspace cifs 16.2.2 SSL Command Examples Here is an example SSL VPN configuration. Router(config)# interface ge2 Router(config-if-ge)# ip address 10.1.1.254 255.255.255.0 Router(config-if-ge)# exit Router(config)# interface ge3 Router(config-if-ge)# ip address 172.23.10.254 Router(config-if-ge)# exit Router(config)# address-object IP-POOL 192.168.100.1-192.168.100.10 Router(config)# address-object DNS1 172.23.5.1...
  • Page 111: L2Tp Vpn

    CHAPTER This chapter explains how to set up and maintain L2TP VPNs in the ZyWALL. 17.1 L2TP VPN Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or VPN client software.
  • Page 112: Using The Default L2Tp Vpn Connection

    Chapter 17 L2TP VPN • Not be a manual key VPN connection. • Use Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. 17.2.1 Using the Default L2TP VPN Connection Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN.
  • Page 113 17.4 L2TP VPN Commands The following table describes the values required for some L2TP VPN commands. Other values are discussed with the corresponding commands. Table 59 Input Values for L2TP VPN Commands LABEL DESCRIPTION The name of an IP address (group) object. You may use 1-31 alphanumeric address_object characters, underscores( number.
  • Page 114: L2Tp Vpn Example

    Chapter 17 L2TP VPN Table 60 L2TP VPN Commands COMMAND [no] l2tp-over-ipsec keepalive-timer <1..180> [no] l2tp-over-ipsec first-dns-server {ip | interface_name} {1st-dns|2nd-dns|3rd-dns}| {ppp_interface|aux}{1st-dns|2nd-dns}} [no] l2tp-over-ipsec second-dns-server {ip | interface_name} {1st-dns|2nd-dns|3rd-dns}| {ppp_interface|aux}{1st-dns|2nd-dns}} [no] l2tp-over-ipsec first-wins-server ip [no] l2tp-over-ipsec second-wins-server ip no l2tp-over-ipsec session...
  • Page 115: Configuring The Default L2Tp Vpn Gateway Example

    • The VPN rule allows the remote user to access the LAN_SUBNET which covers the 192.168.1.1/24 subnet. 17.5.1 Configuring the Default L2TP VPN Gateway Example The following commands configure the Default_L2TP_VPN_GW entry. • Configure the My Address setting. This example uses interface ge3 with static IP address 172.23.37.205.
  • Page 116: Configuring The Policy Route For L2Tp Example

    Chapter 17 L2TP VPN • Enable the connection. Router(config)# l2tp-over-ipsec crypto Default_L2TP_VPN_Connection Router(config)# l2tp-over-ipsec pool L2TP_POOL Router(config)# l2tp-over-ipsec authentication default Router(config)# l2tp-over-ipsec user L2TP-test Router(config)# l2tp-over-ipsec activate Router(config)# show l2tp-over-ipsec L2TP over IPSec: activate crypto address pool authentication user keepalive timer first dns server second dns server : aux 1st-dns first wins server :...
  • Page 117 • Enable the policy route. Router(config)# policy 3 Router(policy-route)# source LAN_SUBNET Router(policy-route)# destination L2TP_POOL Router(policy-route)# service any Router(policy-route)# next-hop tunnel Default_L2TP_VPN_Connection Router(policy-route)# no deactivate Router(policy-route)# exit Router(config)# show policy-route 3 index: 3 active: yes description: WIZ_VPN user: any schedule: none interface: ge1 tunnel: none sslvpn: none source: PC_SUBNET...
  • Page 119: Application Patrol & Anti-X

    Application Patrol & Anti-X Application Patrol (121) Anti-Virus (129) IDP Commands (137) Content Filtering (155)
  • Page 121: Application Patrol

    CHAPTER This chapter describes how to set up application patrol for the ZyWALL. 18.1 Application Patrol Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, http and ftp) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RSTP) applications.
  • Page 122 Chapter 18 Application Patrol 18.2 Application Patrol Commands Summary The following table describes the values required for many application patrol commands. Other values are discussed with the corresponding commands. Table 61 Input Values for Application Patrol Commands LABEL protocol_name zone_name schedule_name The following sections list the application patrol commands.
  • Page 123 18.2.2 Rule Commands for Pre-defined Applications This table lists the commands for rules in each pre-defined application. Table 63 app Commands: Rules in Pre-Defined Applications COMMAND app protocol_name rule insert <1..64> app protocol_name rule append app protocol_name rule <1..64> app protocol_name rule default [no] activate [no] port <0..65535>...
  • Page 124 Chapter 18 Application Patrol 18.2.3 Other Application Commands This table lists the commands for other applications in application patrol. Table 64 app Commands: Other Applications COMMAND app other {forward | drop | reject} [no] app other log [alert] 18.2.4 Rule Commands for Other Applications This table lists the commands for rules in other applications.
  • Page 125 Table 65 app Commands: Rules in Other Applications (continued) COMMAND show no app other <1..64> app other move <1..64> to <1..64> 18.2.5 General Commands for Application Patrol You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it. See This table lists the general commands for application patrol.
  • Page 126 Chapter 18 Application Patrol Table 66 app Commands: Pre-Defined Applications (continued) COMMAND show app protocol_name rule <1..64> statistics Displays the rule statistics of this application. show app protocol_name rule default show app protocol_name rule default statistics Displays the default rule statistics of this show app protocol_name rule all show app protocol_name rule all statistics show app other config...
  • Page 127 Router# configure terminal Router(config)# show app http rule all index: default activate: yes port: 0 schedule: none user: any from zone: any to zone: any source address: any destination address: any access: forward action login: na action message: na action audio: na action video: na action file-transfer: na bandwidth excess-usage: no...
  • Page 128 Chapter 18 Application Patrol Router# configure terminal Router(config)# show app other rule all index: 1 activate: yes port: 5963 schedule: none user: any from zone: any to zone: any source address: any destination address: any protocol: tcp access: forward bandwidth excess-usage: no bandwidth priority: 1 bandwidth inbound: 0 bandwidth outbound: 0...
  • Page 129: Anti-Virus

    CHAPTER This chapter introduces and shows you how to configure the anti-virus scanner. 19.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself.
  • Page 130 Chapter 19 Anti-Virus 19.2.1 General Anti-virus Commands The following table describes general anti-virus commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. You must register for the anti-virus service before you can use it (see 19 on page 129).
  • Page 131 Table 69 Commands for Zone to Zone Anti-Virus Rules (continued) COMMAND [no] log [alert] [no] from zone_object [no] to zone_object [no] scan {http | ftp | imap4 | smtp | pop3} [no] infected-action {destroy | send-win-msg} [no] bypass {white-list | black-list} [no] file-decompression [unsupported destroy]...
  • Page 132 Chapter 19 Anti-Virus 19.2.2.1 Zone to Zone Anti-virus Rule Example This example shows how to configure (and display) a WAN to LAN antivirus rule to scan HTTP traffic and destroy infected files. The white and black lists are ignored and zipped files are decompressed.
  • Page 133 Table 70 Commands for Anti-virus White and Black Lists (continued) COMMAND [no] anti-virus black-list activate [no] anti-virus black-list file-pattern av_file_pattern {activate|deactivate} anti-virus black-list replace old_av_file_pattern new_av_file_pattern {activate|deactivate} 19.2.3.1 White and Black Lists Example This example shows how to enable the white list and configure an active white list entry for files with a .exe extension.
  • Page 134 Chapter 19 Anti-Virus 19.2.4 Signature Search Anti-virus Command The following table describes the command for searching for signatures. You must use the configure terminal command. Table 71 Command for Anti-virus Signature Search COMMAND anti-virus search signature {all | category category | id id | name name | severity severity [{from id to id}] 19.2.4.1 Signature Search Example This example shows how to search for anti-virus signatures with MSN in the name.
  • Page 135 19.3.1 Update Signature Examples These examples show how to enable/disable automatic anti-virus downloading, schedule updates, display the schedule, display the update status, show the (new) updated signature version number, show the total number of signatures and show the date/time the signatures were created.
  • Page 136 Chapter 19 Anti-Virus 19.4.1 Anti-virus Statistics Example This example shows how to collect and display anti-virus statistics. It also shows how to sort the display by the most common destination IP addresses. Router(config)# anti-virus statistics collect Router(config)# show anti-virus statistics collect collect statistics: yes Router(config)# show anti-virus statistics summary file scanned...
  • Page 137: Idp Commands

    CHAPTER This chapter introduces IDP-related commands. 20.1 Overview Commands mostly mirror web configurator features. It is recommended you use the web configurator for IDP features such as searching for web signatures, creating/editing an IDP profile or creating/editing a custom signature. Some web configurator terms may differ from the command-line equivalent.
  • Page 138 Chapter 20 IDP Commands This table shows the IDP signature, anomaly, and system-protect activation commands. Table 75 IDP Activation COMMAND [no] idp {signature | anomaly | ... DESCRIPTION Enables IDP signatures, anomaly detection, and/or system-protect. IDP signature use requires IDP service registration. If you don’t have a standard license, you can register for a once-off trial one.
  • Page 139 20.3.1.1 Example of Global Profile Commands In this example we rename an IDP signature profile from “old_profile” to “new_profile”, delete the “bye_profile” and show all base profiles available. Router# configure terminal Router(config)# idp rename signature old_profile new_profile Router(config)# no idp signature bye_profile Router(config)# show idp signature base profile Base Profile Name ==============================================================...
  • Page 140 Chapter 20 IDP Commands 20.3.2.1 Example of IDP Zone to Zone Rule Commands The following example creates IDP zone to zone rule one. The rule applies the LAN_IDP profile to all traffic going to the LAN zone. Router# configure terminal Router(config)# idp signature rule 1 Router(config-idp-signature-1)# Router(config-idp-signature-1)# exit...
  • Page 141 20.3.4 Editing/Creating Anomaly Profiles Use these commands to create a new anomaly profile or edit an existing one. It is recommended you use the web configurator to create/edit profiles. If you do not specify a base profile, the default base profile is none. You CANNOT change the base profile later! Table 79 Editing/Creating Anomaly Profiles COMMAND...
  • Page 142 Chapter 20 IDP Commands Table 79 Editing/Creating Anomaly Profiles (continued) COMMAND [no] scan-detection open-port {activate | log [alert] | block} flood-detection block-period <1..3600> [no] flood-detection {tcp-flood | udp-flood | ip-flood | icmp-flood} {activate | log [alert] | block} [no] http-inspection {http-xxx} activate http-inspection {http-xxx} log [alert] no http-inspection {http-xxx} log [no] http-inspection {http-xxx} action {drop...
  • Page 143 Table 79 Editing/Creating Anomaly Profiles (continued) COMMAND [no] icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} activate icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} log [alert] no icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} log icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} action {drop | reject-sender | reject-receiver | reject-both}} no icmp-decoder {truncated-header |...
  • Page 144 Chapter 20 IDP Commands Table 79 Editing/Creating Anomaly Profiles (continued) COMMAND show idp anomaly profile http-inspection {ascii-encoding | u-encoding | bare-byte-unicode-encoding | base36-encoding | utf-8-encoding | iis-unicode-codepoint-encoding | multi-slash-encoding | iis-backslash-evasion | self-directory-traversal | directory-traversal | apache-whitespace | non-rfc-http-delimiter | non-rfc-defined-char | oversize-request-uri-directory | oversize-chunk-encoding | webroot-...
  • Page 145 20.3.5 Editing System Protect Use these commands to edit the system protect profiles. Table 80 Editing System Protect Profiles COMMAND idp system-protect [no] signature sid activate signature sid log [alert] no signature sid log signature sid action {drop | reject-sender | reject-receiver | reject-both} no signature SID action show idp system-protect all details...
  • Page 146 Chapter 20 IDP Commands Table 81 Signature Search Command COMMAND show idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log-alert} action action_mask show idp search system-protect my_profile name quoted_string sid SID severity severity_mask...
  • Page 147 The following table displays the command line service and action equivalent values. If you want to combine services in a search, then add their respective numbers together. For example, to search for signatures for DNS, Finger and FTP services, then type “7” as the service parameter.
  • Page 148 Chapter 20 IDP Commands You must use the web configurator to import a custom signature file. Table 84 Custom Signatures COMMAND idp customize signature quoted_string idp customize signature edit quoted_string no idp customize signature custom_sid show idp signatures custom-signature custom_sid {details | contents | non-contents} show idp signatures custom-signature all details Displays all custom signatures’...
  • Page 149 This example shows you how to edit a custom signature. Router(config)# idp customize signature edit "alert tcp any any <> any any (msg : \"test edit\"; sid: 9000000 ; sid: 9000000 message: test edit policy type: severity: platform: all: no Win95/98: no WinNT: no WinXP/2000: no...
  • Page 150 Chapter 20 IDP Commands This example shows you how to display custom signature contents. Router(config)# show idp signatures custom-signature 9000000 contents sid: 9000000 Router(config)# show idp signatures custom-signature 9000000 non-contents sid: 9000000 ack: dport: 0 dsize: dsize_rel: flow_direction: flow_state: flow_stream: fragbits_reserve: fragbits_dontfrag: fragbits_morefrag:...
  • Page 151 This example shows you how to display all details of a custom signature. Router(config)# show idp signatures custom-signature all details sid: 9000000 message: test edit policy type: severity: platform: all: no Win95/98: no WinNT: no WinXP/2000: no Linux: no FreeBSD: no Solaris: no SGI: no other-Unix: no...
  • Page 152 Chapter 20 IDP Commands Table 85 Update Signatures COMMAND show idp {signature | system-protect} update show idp {signature | system-protect} update status show idp {signature | system-protect} signatures {version | date | number} 20.5.1 Update Signature Examples These examples show how to enable/disable automatic IDP downloading, schedule updates, display the schedule, display the update status, show the (new) updated signature version number, show the total number of signatures and show the date/time the signatures were created.
  • Page 153 Table 86 Commands for IDP Statistics (continued) COMMAND show idp statistics collect show idp statistics ranking {signature-name | source | destination} 20.6.1 IDP Statistics Example This example shows how to collect and display IDP statistics. It also shows how to sort the display by the most common signature name, source IP address, or destination IP address.
  • Page 155: Content Filtering

    CHAPTER This chapter covers how to use the content filtering feature to control web access. 21.1 Content Filtering Overview Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites. It can also block access to specific categories of web site content. You can create different content filtering policies for different addresses, schedules, users or groups and content filtering profiles.
  • Page 156: Content Filtering Reports

    Chapter 21 Content Filtering Figure 22 Content Filtering Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site. 2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache.
  • Page 157 “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, etc. Use up to 63 case-insensitive characters (0-9a-z-). You can enter a single IP address in dotted decimal notation like 192.168.2.5. You can enter a subnet by entering an IP address in dotted decimal notation followed by a slash and the bit number of the subnet mask of an IP address.
  • Page 158 Chapter 21 Content Filtering Table 87 Content Filter Command Input Values (continued) LABEL rating_server query_timeout The following table lists the content filtering web category names. Table 88 Content Filtering Web Category Names CATEGORY NAME Adult/Mature Content Sex Education Nudity Illegal/Questionable Violence/Hate/Racism Abortion Phishing...
  • Page 159: General Content Filter Commands

    21.6 General Content Filter Commands The following table lists the commands that you can use for general content filter configuration such as enabling content filtering, viewing and ordering your list of content filtering policies, creating a denial of access message or specifying a redirect URL and checking your external web filtering service registration status.
  • Page 160: Content Filter Filtering Profile Commands

    Chapter 21 Content Filtering 21.7 Content Filter Filtering Profile Commands The following table lists the commands that you can use to configure a content filtering policy. A content filtering policy defines which content filter profile should be applied, when it should be applied, and to whose web access it should be applied.
  • Page 161 Table 90 content-filter Filtering Profile Commands Summary (continued) COMMAND [no] content-filter profile filtering_profile url match {block | log | block_log} [no] content-filter profile filtering_profile url offline {block | log | block_log} [no] content-filter profile filtering_profile url unrate {block | log | block_log} [no] content-filter profile filtering_profile url url-server [no] content-filter service-timeout...
  • Page 162: Content Filtering Commands Example

    Chapter 21 Content Filtering 21.9 Content Filtering Commands Example The following example shows how to limit the web access for a sales group. 1 First, create a sales address object. This example uses a subnet that covers IP addresses 172.21.3.1 to 172.21.3.254. 2 Then create a schedule for all day.
  • Page 163: Chapter 21 Content Filtering

    Use this command to display the settings of the profile. Router(config)# show content-filter profile sales_CF_PROFILE service active : yes url match : block: no, log: url unrate : block: no, log: service offline: block: no, log: category settings: Adult/Mature Content Sex Education Nudity Illegal/Questionable...
  • Page 165: Device Ha & Objects

    Device HA & Objects Device HA (167) User/Group (171) Addresses (177) Services (181) Schedules (185) AAA Server (187) Authentication Objects (193) Certificates (195) ISP Accounts (201) SSL Application (203)
  • Page 167: Device Ha

    CHAPTER Use device HA and Virtual Router Redundancy Protocol (VRRP) to increase network reliability. 22.1 Device HA Overview This section provides an overview of VRRP, VRRP groups, and synchronization. 22.1.1 Virtual Router Redundancy Protocol (VRRP) Overview Every computer on a network may send packets to a default gateway, which can become a single point of failure.
  • Page 168 Chapter 22 Device HA 22.2 Device HA Commands Summary The following table identifies the values required for many device HA commands. Other values are discussed with the corresponding commands. Table 92 Input Values for device-ha Commands LABEL vrrp_group_name The following sections list the device HA commands. 22.2.1 VRRP Group Commands This table lists the commands for VRRP groups.
  • Page 169 Table 93 device-ha Commands: VRRP Groups (continued) COMMAND [no] description description [no] activate 22.2.2 Synchronization Commands This table lists the commands for synchronization. You can synchronize with other ZyWALLs of the same model that are running the same firmware version. Table 94 device-ha Commands: Synchronization COMMAND show device-ha sync...
  • Page 170 Chapter 22 Device HA 22.2.3 Link Monitoring Commands This table lists the commands for link monitoring. Link monitoring has the master ZyWALL shut down all of its VRRP interfaces if one of its VRRP interface links goes down. This way the backup ZyWALL takes over all of the master ZyWALL’s functions.
  • Page 171: User/Group

    CHAPTER This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
  • Page 172: User Commands

    Chapter 23 User/Group 23.2 User/Group Commands Summary The following table identifies the values required for many user/group commands. Other input values are discussed with the corresponding commands. Table 97 username/groupname Command Input Values LABEL username groupname The following sections list the user/group commands. 23.2.1 User Commands The first table lists the commands for users.
  • Page 173: User Group Commands

    23.2.2 User Group Commands This table lists the commands for groups. Table 99 username/groupname Commands Summary: Groups COMMAND show groupname [groupname] [no] groupname groupname [no] description description [no] groupname groupname [no] user username show groupname rename groupname groupname 23.2.3 User Setting Commands This table lists the commands for user settings, except for forcing user authentication.
  • Page 174 Chapter 23 User/Group Table 100 username/groupname Commands Summary: Settings (continued) COMMAND show users simultaneous-logon-settings [no] users simultaneous-logon {administration | access} enforce [no] users simultaneous-logon {administration | access} limit <1..1024> show users update-lease-settings [no] users update-lease automation show users idle-detection-settings [no] users idle-detection [no] users idle-detection timeout <1..60>...
  • Page 175: Additional User Commands

    Table 101 username/groupname Commands Summary: Forcing User Authentication (continued) COMMAND force-auth policy insert <1..1024> [no] activate [no] description description [no] destination {address_object | group_name} [no] force [no] schedule schedule_name [no] source {address_object | group_name} show force-auth policy delete <1..1024> force-auth policy flush force-auth policy move <1..1024>...
  • Page 176 Chapter 23 User/Group 23.2.5.1 Additional User Command Examples The following commands display the users that are currently logged in to the ZyWALL and force the logout of all logins from a specific IP address. Router# configure terminal Router(config)# show users all Name Session Time ===========================================================================...
  • Page 177: Addresses

    CHAPTER This chapter describes how to set up addresses and address groups for the ZyWALL. 24.1 Address Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. Address objects and address groups are used in dynamic routes, firewall rules, application patrol, content filtering, and VPN connection policies.
  • Page 178: Address Object Commands

    Chapter 24 Addresses 24.2.1 Address Object Commands This table lists the commands for address objects. Table 104 address-object Commands: Address Objects COMMAND show address-object [object_name] address-object object_name {ip | ip_range | ip_subnet} no address-object object_name address-object rename object_name object_name 24.2.1.1 Address Object Command Examples The following commands create the three types of address objects and then delete one.
  • Page 179 Table 105 object-group Commands: Address Groups (continued) COMMAND [no] object-group group_name [no] description description object-group address rename group_name group_name 24.2.2.1 Address Group Command Examples The following commands create three address objects A0, A1, and A2 and add A1 and A2 to address group RD.
  • Page 181: Services

    CHAPTER Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 25.1 Services Overview See the appendices in the web configurator’s User Guide for a list of commonly-used services. 25.2 Services Commands Summary The following table describes the values required for many service object and service group commands.
  • Page 182: Service Group Commands

    Chapter 25 Services Table 107 service-object Commands: Service Objects (continued) COMMAND service-object object_name icmp icmp_value service-object object_name protocol <1..255> service-object rename object_name object_name 25.2.1.1 Service Object Command Examples The following commands create four services, display them, and then remove one of them. Router# configure terminal Router(config)# service-object TELNET tcp eq 23 Router(config)# service-object FTP tcp range 20 21...
  • Page 183 Table 108 object-group Commands: Service Groups (continued) COMMAND [no] object-group group_name [no] description description object-group service rename group_name group_name 25.2.2.1 Service Group Command Examples The following commands create service ICMP_ECHO, create service group SG1, and add ICMP_ECHO to SG1. Router# configure terminal Router(config)# service-object ICMP_ECHO icmp echo Router(config)# object-group service SG1 Router(group-service)# service-object ICMP_ECHO...
  • Page 185: Schedules

    CHAPTER Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. 26.1 Schedule Overview The ZyWALL supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat.
  • Page 186: Schedule Command Examples

    Chapter 26 Schedules The following table lists the schedule commands. Table 110 schedule Commands COMMAND show schedule-object no schedule-object object_name schedule-object object_name date time date time schedule-object object_name time time [day] [day] [day] [day] [day] [day] [day] 26.2.1 Schedule Command Examples The following commands create recurring schedule SCHEDULE1 and one-time schedule SCHEDULE2 and then delete SCHEDULE1.
  • Page 187: Aaa Server

    CHAPTER This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers. 27.1 AAA Server Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication servers the ZyWALL supports.
  • Page 188 Chapter 27 AAA Server 27.2.1 ad-server Commands The following table lists the ad-server commands. Table 111 ad-server Commands COMMAND show ad-server [no] ad-server basedn basedn [no] ad-server binddn binddn [no] ad-server cn-identifier uid Sets the unique common name (cn) to identify a record. [no] ad-server host ad_server [no] ad-server password password Sets the bind password.
  • Page 189 Table 112 ldap-server Commands (continued) COMMAND [no] ldap-server search-time-limit time [no] ldap-server ssl 27.2.3 radius-server Commands The following table lists the radius-server commands. Table 113 radius-server Commands COMMAND show radius-server [no] radius-server host radius_server auth-port auth_port [no] radius-server key secret [no] radius-server timeout time 27.2.4 radius-server Command Example The following example sets the secret key and timeout period of the default RADIUS server...
  • Page 190: Aaa Group Server Ad Commands

    Chapter 27 AAA Server 27.2.5 aaa group server ad Commands The following table lists the commands for a group of AD servers. Table 114 aaa group server ad Commands COMMAND clear aaa group server ad [group-name] show aaa group server ad group-name [no] aaa group server ad group-name...
  • Page 191: Aaa Group Server Ldap Commands

    27.2.6 aaa group server ldap Commands The following table lists the commands for a group of LDAP servers. Table 115 aaa group server ldap Commands COMMAND clear aaa group server ldap [group-name] show aaa group server ldap group-name [no] aaa group server ldap group-name aaa group server ldap rename group-name group-name...
  • Page 192: Aaa Group Server Radius Commands

    Chapter 27 AAA Server 27.2.7 aaa group server radius Commands The following table lists the commands for a group of RADIUS servers. Table 116 aaa group server radius Commands COMMAND clear aaa group server radius group-name show aaa group server radius group-name [no] aaa group server radius group-name aaa group server radius rename...
  • Page 193: Authentication Objects

    CHAPTER Authentication Objects This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database. 28.1 Authentication Objects Overview After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the ZyWALL uses to authenticate users (using VPN or managing through HTTP/HTTPS).
  • Page 194: Aaa Authentication Command Example

    Chapter 28 Authentication Objects Table 117 aaa authentication Commands (continued) COMMAND [no] aaa authentication {profile-name} aaa authentication profile-name [no] member1 [member2] [member3] 28.2.1 aaa authentication Command Example The following example creates an authentication profile to authenticate users using the LDAP server group and then the local user database.
    Router# configure terminal
    Router(config)# aaa authentication LDAPuser group ldap local
    Router(config)# show aaa authentication LDAPuser...
  • Page 195: Certificates

    CHAPTER This chapter explains how to use certificates. 29.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key.
  • Page 196: Certificates Commands Summary

    Chapter 29 Certificates Table 118 Certificates Commands Input Values (continued) LABEL organizational_unit organization country key_length password ca_name 29.4 Certificates Commands Summary The following table lists the commands that you can use to display and manage the ZyWALL’s summary list of certificates and certification requests. You can also create certificates or certification requests.
  • Page 197 Table 119 ca Commands Summary (continued) COMMAND ca generate pkcs10 name certificate_name cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa|dsa} key-len key_length ca generate pkcs12 name name password password Generates a PKCS#12 certificate. ca generate x509 name certificate_name cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o...
  • Page 198 Chapter 29 Certificates Table 119 ca Commands Summary (continued) COMMAND ocsp url url [id name password password] [deactivate] no ca category {local|remote} certificate_name Deletes the specified local (my certificates) or no ca validation name show ca category {local|remote} name certificate_name certpath show ca category {local|remote} [name certificate_name format {text|pem}] show ca validation name name...
  • Page 199: Certificates Commands Examples

    29.5 Certificates Commands Examples The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512 bit key. Then it displays the list of local certificates. Finally it deletes the pkcs12request certification request.
    Router# configure terminal
    Router(config)# ca generate x509 name test_x509 cn-type ip cn 10.0.0.58 key-type rsa key-len 512...
  • Page 201: Isp Accounts

    CHAPTER Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. 30.1 ISP Accounts Overview An ISP account is a profile of settings for Internet access using PPPoE or PPTP. 30.2 ISP Account Commands Summary The following table describes the values required for many ISP account commands.
  • Page 202 Chapter 30 ISP Accounts Table 121 account Commands (continued) COMMAND [no] compression {on | off} [no] idle <0..360> [no] service-name {ip | hostname | service_name} [no] server ip [no] encryption {nomppe | mppe-40 | mppe-128} [no] connection-id connection_id DESCRIPTION Turns compression on or off for the specified ISP account.
  • Page 203: Ssl Application

    CHAPTER This chapter describes how to configure SSL application objects for use in SSL VPN. 31.1 SSL Application Overview Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network.
  • Page 204: Ssl Application Command Examples

    Chapter 31 SSL Application Table 122 SSL Application Object Commands COMMAND server-type file-sharing share-path folder no server-type [no] webpage-encrypt 31.1.2 SSL Application Command Examples The following commands create and display a server-type SSL application object named ZW5 for a web server at IP address 192.168.1.12.
    Router(config)# sslvpn application ZW5
    Router(sslvpn application)# server-type web-server url http://192.168.1.12
    Router(sslvpn application)# exit...
  • Page 205: System

    System: System (207), System Remote Management (211)
  • Page 207: System

    CHAPTER This chapter provides information on the system screens. 32.1 System Overview The system screens can help you configure general ZyWALL information, the system time and the console port connection speed for a terminal emulation program. The screens also allow you to configure DNS settings and determine which services/protocols can access which ZyWALL zones (if any) from which computers.
  • Page 208 Chapter 32 System 32.3.1 Date/Time Commands The following table describes the commands available for date and time setup. You must use the configure terminal command to enter configuration mode before you can use these commands. Table 124 Command Summary: Date/Time COMMAND clock date yyyy-mm-dd time hh:mm:ss [no] clock daylight-saving [no] clock saving-interval begin {apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep} {1|2|3|4|last} {fri|mon|sat|sun|thu|tue|wed} hh:mm end...
  • Page 209: Console Port Speed

    32.4 Console Port Speed This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program. The following table describes the console port commands. You must enter configuration mode before you can use these commands.
  • Page 210: Dns Command Example

    Chapter 32 System Table 127 Command Summary: DNS (continued) COMMAND [no] ip dns server mx-record domain_name {w.x.y.z|fqdn} ip dns server rule {<1..32>|append|insert <1..32>} access-group {ALL|address_object} zone {ALL|address_object} action {accept|deny} ip dns server rule move <1..32> to <1..32> [no] ip dns server zone-forwarder {<1..32>|append|insert <1..32>} {domain_name|*} {interface interface_name |user-defined w.x.y.z} [private]...
  • Page 211: System Remote Management

    CHAPTER System Remote Management This chapter shows you how to determine which services/protocols can access which ZyWALL zones (if any) from which computers. To allow the ZyWALL to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-ZyWALL rule that blocks that traffic.
  • Page 212 Chapter 33 System Remote Management 33.2 HTTP/HTTPS Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 128 Input Values for General HTTP/HTTPS Commands LABEL address_object zone_object The following table describes the commands available for HTTP/HTTPS.
  • Page 213 Table 129 Command Summary: HTTP/HTTPS (continued) COMMAND ip http secure-server table {admin|user} rule {<1..32>|append|insert <1..32>} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny} ip http secure-server table {admin|user} rule move <1..32> to <1..32> [no] ip http server ip http server table {admin|user} rule {<1..32>|append|insert <1..32>} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}...
  • Page 214: Ssh Implementation On The Zywall

    Chapter 33 System Remote Management 33.3 SSH Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. 33.3.1 SSH Implementation on the ZyWALL Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour and Blowfish).
  • Page 215: Ssh Command Examples

    Table 130 Command Summary: SSH (continued) COMMAND [no] ip ssh server v1 no ip ssh server rule <1..32> show ip ssh server status 33.3.4 SSH Command Examples This command sets a service control rule that allows the computers with IP addresses matching the specified address object to access the specified zone using the SSH service.
  • Page 216: Telnet Commands Examples

    Chapter 33 System Remote Management Table 131 Command Summary: Telnet (continued) COMMAND ip telnet server rule {<1..32>|append|insert <1..32>} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny} ip telnet server rule move <1..32> to <1..32> no ip telnet server rule <1..32> show ip telnet server status 33.5.1 Telnet Commands Examples This command sets a service control rule that allows the computers with IP addresses matching the specified address object to access the specified zone using the Telnet service.
  • Page 217: Ftp Commands

    33.6.1 FTP Commands The following table describes the commands available for FTP. You must use the configure terminal command to enter configuration mode before you can use these commands. Table 132 Command Summary: FTP COMMAND [no] ip ftp server [no] ip ftp server cert certificate_name [no] ip ftp server port <1..65535>...
  • Page 218: Supported Mibs

    33.7.1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The ZyWALL also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
  • Page 219: Snmp Commands

    33.7.3 SNMP Commands The following table describes the commands available for SNMP. You must use the configure terminal command to enter configuration mode before you can use these commands. Table 134 Command Summary: SNMP COMMAND [no] snmp-server [no] snmp-server community community_string {ro|rw} [no] snmp-server contact description [no] snmp-server enable {informs|traps} [no] snmp-server host {w.x.y.z} [community_string] [no] snmp-server location description...
  • Page 220: Snmp Commands Examples

    Chapter 33 System Remote Management 33.7.4 SNMP Commands Examples The following command sets a service control rule that allows the computers with IP addresses matching the specified address object to access the specified zone using the SNMP service.
    Router# configure terminal
    Router(config)# snmp-server rule 11 access-group Example zone WAN action accept
    The following command sets the password (secret) for read-write (...
  • Page 221: Dtr Signal

    33.9.2 DTR Signal The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH.
  • Page 222: Vantage Cnm

    Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not make any configuration changes directly on the ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator.
  • Page 223: Language Commands

    33.10.1.1 Vantage CNM Command Examples The following example turns on Vantage CNM management and sets the ZyWALL to register with a server at https://1.2.3.4/vantage/TR069.
    Router# configure terminal
    Router(config)# cnm-agent activate
    Router(config)# cnm-agent manager https://1.2.3.4/vantage/TR069
    Router(config)# show cnm-agent configuration
    Activate: YES
    ACS URL: https://1.2.3.4/vantage/TR069
    Keepalive: ENABLE
    Keepalive Interval: 60...
  • Page 225: Maintenance And Index

    Maintenance and Index: File Manager (227), Logs (245), Reports and Reboot (251), Diagnostics (255), Maintenance Tools (257), Command Index (327)
  • Page 227: File Manager

    CHAPTER This chapter covers how to work with the ZyWALL’s firmware, certificates, configuration files, custom IDP signatures, packet trace results, shell scripts and temporary files. 34.1 File Directories The ZyWALL stores files in the following directories. Table 138 FTP File Transfer Notes DIRECTORY FILE TYPE Firmware (upload only)
  • Page 228: Comments In Configuration Files Or Shell Scripts

    Chapter 34 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. Figure 23 Configuration File / Shell Script: Example
    # enter configuration mode
    configure terminal
    # change administrator password
    username admin password 4321 user-type admin
    # configure ge3...
  • Page 229: Errors In Configuration Files Or Shell Scripts

    “exit” or “!” must follow sub commands if it is to make the ZyWALL exit sub command mode. Line 3 in the following example exits sub command mode.
    interface ge1
    ip address dhcp
    Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
    interface ge1
    # this interface is a DHCP client
    Lines 1 and 2 are comments.
  • Page 230: Configuration File Flow At Restart

    Chapter 34 File Manager • When you change the configuration, the ZyWALL creates a startup-config.conf file of the current configuration. • The ZyWALL checks the startup-config.conf file for errors when it restarts. If there is an error in the startup-config.conf file, the ZyWALL copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file.
  • Page 231: File Manager Commands Summary

    34.4 File Manager Commands Summary The following table lists the commands that you can use for file management. Table 141 File Manager Commands Summary COMMAND apply /conf/file_name.conf copy {/cert | /conf | /idp | /packet_trace | /script | /tmp}/file_name-a.conf {/cert | /conf | /idp | /packet_trace | /script | /tmp}/file_name-b.conf copy running-config startup-config...
  • Page 232: Ftp File Transfer

    Chapter 34 File Manager 34.5 File Manager Command Example This example saves a backup of the current configuration before applying a shell script file.
    Router(config)# copy running-config /conf/backup.conf
    Router(config)# run /script/vpn_setup.zysh
    34.6 FTP File Transfer You can use FTP to transfer files to and from the ZyWALL for advanced maintenance and support.
  • Page 233: Command Line Ftp File Download

    Figure 24 FTP Configuration File Upload Example
    C:\>ftp 192.168.1.1
    Connected to 192.168.1.1.
    220 FTP Server (ZyWALL) [192.168.1.1]
    User (192.168.1.1:(none)): admin
    331 Password required for admin.
    Password:
    230 User admin logged in.
    ftp> cd conf
    250 CWD command successful
    ftp> bin
    200 Type set to I
    ftp>...
  • Page 234 Chapter 34 File Manager Figure 25 FTP Configuration File Download Example
    C:\>ftp 192.168.1.1
    Connected to 192.168.1.1.
    220 FTP Server (ZyWALL) [192.168.1.1]
    User (192.168.1.1:(none)): admin
    331 Password required for admin.
    Password:
    230 User admin logged in.
    ftp> bin
    200 Type set to I
    ftp>...
  • Page 235: Notification Of A Damaged Recovery Image Or Firmware

    34.8 Notification of a Damaged Recovery Image or Firmware The ZyWALL’s recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the ZyWALL notifies you of a damaged recovery image or firmware file. Use this section if your device has stopped responding for an extended period of time and you cannot access or ping it.
  • Page 236: Restoring The Recovery Image

    34.9 Restoring the Recovery Image This procedure requires the ZyWALL’s recovery image. Download the firmware package from www.zyxel.com and unzip it. The recovery image uses a .ri extension, for example, "1.01(XL.0)C0.ri". Do the following after you have obtained the recovery image file.
  • Page 237 Figure 31 atuk Command for Restoring the Recovery Image 4 Enter Y and wait for the “Starting XMODEM upload” message before activating XMODEM upload on your terminal. Figure 32 Starting Xmodem Upload 5 This is an example Xmodem configuration upload using HyperTerminal. Click Transfer, then Send File to display the following screen.
  • Page 238: Restoring The Firmware

    34.10 Restoring the Firmware This procedure requires the ZyWALL’s firmware. Download the firmware package from www.zyxel.com and unzip it. The firmware file uses a .bin extension, for example, "1.01(XL.0)C0.bin". Do the following after you have obtained the firmware file. This section is not for normal firmware uploads. You only need to use this section if you need to recover the firmware.
  • Page 239 8 After the transfer is complete, “Firmware received” or “ZLD-current received” displays. Wait (up to four minutes) while the ZyWALL recovers the firmware. Figure 38 Firmware Received and Recovery Started 9 The console session displays “done” when the firmware recovery is complete. Then the ZyWALL automatically restarts.
  • Page 240 Chapter 34 File Manager Figure 40 Restart Complete 34.11 Restoring the Default System Database The default system database stores information such as the default anti-virus or IDP signatures. The ZyWALL can still operate if the default system database is damaged or missing, but related features (like anti-virus or IDP) may not function properly.
  • Page 241 Figure 43 Default System Database Missing Log: Anti-virus This procedure requires the ZyWALL’s default system database file. Download the firmware package from www.zyxel.com and unzip it. The default system database file uses a .db extension, for example, "1.01(XL.0)C0.db". Do the following after you have obtained the default system database file.
  • Page 242 Chapter 34 File Manager 34.11.1 Using the atkz -u Debug Command You only need to use the atkz -u command if the default system database is damaged. 1 Restart the ZyWALL. 2 When “Press any key to enter debug mode within 3 seconds.” displays, press a key to enter debug mode.
  • Page 243 8 Set the transfer mode to binary (type bin). 9 Transfer the firmware file from your computer to the ZyWALL. Type put followed by the path and name of the firmware file. This example uses put e:\ftproot\ZLD FW\1.01(XL.0)C0.db. Figure 47 FTP Default System Database Transfer Command 10 Wait for the file transfer to complete.
  • Page 244 Chapter 34 File Manager Figure 50 Startup Complete
  • Page 245: Logs

    CHAPTER This chapter provides information about the ZyWALL’s logs. When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User’s Guide for the maximum number of system log messages in the ZyWALL.
  • Page 246: System Log Commands

    Chapter 35 Logs 35.1.2 System Log Commands This table lists the commands for the system log settings. Table 144 logging Commands: System Log Settings COMMAND show logging status system-log logging system-log category module_name {disable | level normal | level all} [no] logging system-log suppression interval <10..600>...
  • Page 247: Debug Log Commands

    35.1.3 Debug Log Commands This table lists the commands for the debug log settings. Table 145 logging Commands: Debug Log Settings COMMAND show logging debug status show logging debug entries [priority pri] [category module_name] [srcip ip] [dstip ip] [service service_name] [begin <1..512> end <1..512>] [keyword keyword] show logging debug entries field field [begin <1..1024>...
  • Page 248 Chapter 35 Logs Table 147 logging Commands: E-mail Profile Settings (continued) COMMAND [no] logging mail <1..2> address {ip | hostname} logging mail <1..2> sending_now [no] logging mail <1..2> authentication [no] logging mail <1..2> authentication username username password password [no] logging mail <1..2> {send-log-to | send-alerts-to} e_mail [no] logging mail <1..2>...
  • Page 249: Console Port Logging Commands

    35.1.4.1 E-mail Profile Command Examples The following commands set up e-mail log 1.
    Router# configure terminal
    Router(config)# logging mail 1 address mail.zyxel.com.tw
    Router(config)# logging mail 1 subject AAA
    Router(config)# logging mail 1 authentication username lachang.li password XXXXXX
    Router(config)# logging mail 1 send-log-to lachang.li@zyxel.com.tw
    Router(config)# logging mail 1 send-alerts-to lachang.li@zyxel.com.tw...
  • Page 251: Reports And Reboot

    CHAPTER This chapter provides information about the report associated commands and how to restart the ZyWALL using commands. 36.1 Report Commands Summary The following sections list the report and session commands. 36.1.1 Report Commands This table lists the commands for reports. Table 149 report Commands COMMAND [no] report...
  • Page 252: Report Command Examples

    Chapter 36 Reports and Reboot 36.1.2 Report Command Examples The following commands start collecting data, display the traffic reports, and stop collecting data.
    Router# configure terminal
    Router(config)# show report ge1 ip
    No. IP Address
    ===================================================================
    192.168.1.4 192.168.1.4
    Router(config)# show report ge1 service
    No.
  • Page 253: Session Timeout

    CHAPTER Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands. Table 151 Session Timeout Commands COMMAND session timeout {udp-connect <1..300> | udp-deliver <1..300>...
  • Page 255: Diagnostics

    CHAPTER This chapter covers how to use the diagnostics feature. 38.1 Diagnostics The diagnostics feature provides an easy way for you to generate a file containing the ZyWALL’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
  • Page 257: Maintenance Tools

    CHAPTER Use the maintenance tool commands to check the conditions of other devices through the ZyWALL. The maintenance tools can help you to troubleshoot network problems. Here are the maintenance tool commands that you can use in privilege mode. Table 153 Maintenance Tools Commands in Privilege Mode COMMAND packet-trace [interface interface_name] [ip-...
  • Page 258
    07:26:53.752774 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
    07:26:54.762887 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
    8 packets received by filter
    0 packets dropped by kernel
    Router# traceroute www.zyxel.com
    traceroute to www.zyxel.com (203.160.232.7), 30 hops max, 38 byte packets
    172.23.37.254 172.23.6.253 172.23.6.1 * * * 3.049 ms...
  • Page 259 Here are the maintenance tool commands that you can use in configure mode. Table 154 Maintenance Tools Commands in Configuration Mode COMMAND show arp-table arp IP mac_address no arp ip The following example creates an ARP table entry for IP address 192.168.1.10 and MAC address 01:02:03:04:05:06.
  • Page 261: Watchdog Timer

    CHAPTER This chapter provides information about the ZyWALL’s watchdog timers. 40.1 Hardware Watchdog Timer The hardware watchdog has the system restart if the hardware fails. The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings. Table 155 hardware-watchdog-timer Commands COMMAND [no] hardware-watchdog-timer <4..37>...
  • Page 262: Application Watchdog

    Chapter 40 Watchdog Timer Table 156 software-watchdog-timer Commands (continued) COMMAND show software-watchdog-timer status show software-watchdog-timer log 40.3 Application Watchdog The application watchdog has the system restart a process that fails. These are the commands. Use the watchdog mode to be able to use these commands. Table 157 app-watchdog Commands COMMAND DESCRIPTION...
  • Page 263: Application Watchdog Commands Example

    40.3.1 Application Watchdog Commands Example The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring.
    Router# configure terminal
    Router(config)# show app-watch-dog config
    Application Watch Dog Setting:
    activate: yes
    alert: yes
    console print: always
    retry count: 3
    interval: 60
    mem threshold: 80% ~ 90%...
  • Page 265 List of Commands (Alphabetical) This section lists the commands and sub-commands in alphabetical order. The commands and sub-commands all appear at the same level. [no] aaa authentication {profile-name} ... 194 [no] aaa group server ad group-name ... 190 [no] aaa group server ldap group-name ... 191 [no] aaa group server radius group-name ...
  • Page 266 List of Commands (Alphabetical) [no] app-watch-dog interval <5..60> ... 262 [no] app-watch-dog mem-threshold min threshold_min max threshold_max ... 262 [no] app-watch-dog retry-count <1..5> ... 262 [no] area IP [{stub | nssa}] ... 77 [no] area IP authentication ... 77 [no] area IP authentication authentication-key authkey ... 77 [no] area IP authentication message-digest ...
  • Page 267 [no] content-filter profile filtering_profile custom keyword keyword ... 160 [no] content-filter profile filtering_profile custom proxy ... 160 [no] content-filter profile filtering_profile custom trust trust_hosts ... 160 [no] content-filter profile filtering_profile custom trust-allow-features ... 160 [no] content-filter profile filtering_profile custom trust-only ... 160 [no] content-filter profile filtering_profile custom ...
  • Page 268 List of Commands (Alphabetical) [no] from zone_name ... 124 [no] from zone_object ... 131 [no] from zone_object ... 95 [no] from-zone zone_profile ... 139 [no] groupname groupname ... 173 [no] groupname groupname ... 173 [no] ha-iface interface_name ... 84 [no] hardware-address mac_address ... 52 [no] hardware-watchdog-timer <4..37>...
  • Page 269 [no] ip ospf hello-interval <1..65535> ... 57 [no] ip ospf priority <0..255> ... 56 [no] ip ospf retransmit-interval <1..65535> ... 57 [no] ip rip {send | receive} version <1..2> ... 55 [no] ip rip v2-broadcast ... 56 [no] ip route {w.x.y.z} {w.x.y.z} {interface|w.x.y.z} <0..127> ... 73 [no] ip ssh server ...
  • Page 270 List of Commands (Alphabetical) [no] mute ... 221 [no] mx {ip | domain_name} ... 84 [no] nail-up ... 103 [no] natt ... 101 [no] negotiation auto ... 57 [no] netbios-broadcast ... 103 [no] network interface area IP ... 77 [no] network interface_name ... 55 [no] network interface_name ...
  • Page 271 List of Commands (Alphabetical) [no] schedule profile_name ... 123 [no] schedule profile_name ... 124 [no] schedule schedule_name ... 175 [no] schedule schedule_object ... 70 [no] schedule schedule_object ... 95 [no] second-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} ... 53 [no] second-wins-server ip ...
  • Page 272 List of Commands (Alphabetical) [no] third-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} ... 53 [no] to {zone_object|ZyWALL} ... 95 [no] to zone_name ... 123 [no] to zone_name ... 124 [no] to zone_object ... 131 [no] to-zone zone_profile ... 139 [no] trigger <1..8>...
  • Page 273: Apply /Conf/File_Name.conf

    anti-virus rule insert <1..32> ... 130 anti-virus rule move <1..32> to <1..32> ... 131 anti-virus rule <1..32> ... 130 anti-virus search signature {all | category category | id id | name name | severity severity [{from id to id}] anti-virus statistics flush ...
  • Page 274: Copy Running-Config Startup-Config

    List of Commands (Alphabetical) clear aaa group server ad [group-name] ... 190 clear aaa group server ldap [group-name] ... 191 clear aaa group server radius group-name ... 192 clear ip dhcp binding {ip | *} ... 54 clear logging debug buffer ... 247 clear logging system-log buffer ...
  • Page 275 debug system iptables list table {nat|filter|mangle|vpn|zymark|vpnid|cfilter} ... 32 debug system lsmod (*) ... 32 debug system ps ... 32 debug system show conntrack ... 32 debug system show cpu status ... 32 debug system show ksyms (*) ... 32 debug system show slabinfo ... 32 debug system tc {class|filter|qdisc} list ...
  • Page 276 List of Commands (Alphabetical) icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} log [alert] ... 143 idp {signature | system-protect} update daily <0..23> ... 151 idp {signature | system-protect} update hourly ... 151 idp {signature | system-protect} update signatures ... 151 idp {signature | system-protect} update weekly {sun | mon | tue | wed | thu | fri | sat} <0..23>...
  • Page 277 ip http secure-server table {admin|user} rule move <1..32> to <1..32> ... 213 ip http server table {admin|user} rule {<1..32>|append|insert <1..32>} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny} ip http server table {admin|user} rule move <1..32> to <1..32> ... 213 ip http-redirect activate description ... 88 ip http-redirect deactivate description ...
  • Page 278 List of Commands (Alphabetical) move <1..8> to <1..8> ... 66 network ip mask ... 53 network IP/<1..32> ... 53 no address-object object_name ... 178 no app other <1..64> ... 125 no app protocol_name rule <1..64> ... 123 no area IP virtual-link IP message-digest-key <1..255> ... 78 no arp ip ...
  • Page 279: rename {/cert | /conf | /idp | /packet_trace

    packet-trace [interface interface_name] [ip-proto {<0..255> | protocol_name | any}] [src-host {ip | hostname | any}] [dst-host {ip | hostname | any}] [port {<1..65535> | any}] [file] [duration <1..3600>] [extension-filter filter_extension] peer-id type {any | ip ip | fqdn domain_name | mail e_mail | dn distinguished_name} peer-ip {ip | domain_name} [ip | domain_name] ...
  • Page 280 List of Commands (Alphabetical) setenv-startup stop-on-error off ... 231 show ... 123 show ... 125 show ... 173 show ... 175 show ... 30 show ... 52 show [all] ... 131 show aaa authentication {group-name|default} ... 193 show aaa group server ad group-name ... 190 show aaa group server ldap group-name ...
  • Page 281 show clock time ... 208 show cnm-agent configuration ... 222 show conn [user username] [service service-name] [source ip] [destination ip] [begin <1..128000>] [end <1..128000>] show conn status ... 252 show connlimit max-per-host ... 96 show console ... 209 show content-filter policy ... 159 show content-filter profile [filtering_profile] ...
  • Page 282 List of Commands (Alphabetical) tered-protocol-sweep} details show idp anomaly profile scan-detection {tcp-portscan | tcp-decoy-portscan | tcp-portsweep | tcp-distributed-portscan | tcp-filtered-portscan | tcp-filtered-decoy-portscan | tcp-filtered-distributed-portscan | tcp-filtered-portsweep} details show idp anomaly profile scan-detection {udp-portscan | udp-decoy-portscan | udp-portsweep | udp-distributed-portscan | udp-filtered-portscan | udp-filtered-decoy-portscan | ...
  • Page 283 show lockout-users ... 175 show logging debug entries [priority pri] [category module_name] [srcip ip] [dstip ip] [service service_name] [begin <1..512> end <1..512>] [keyword keyword] show logging debug entries field field [begin <1..1024> end <1..1024>] ... 247 show logging debug status ... 247 show logging entries [priority PRI] [category module_name] [srcip IP] [dstip IP] [service service_name] [begin <1..512>...
  • Page 284 List of Commands (Alphabetical) show workspace cifs ... 109 show zone [profile_name] ... 80 shutdown ... 30 signature sid action {drop | reject-sender | reject-receiver | reject-both} ... 140 signature sid action {drop | reject-sender | reject-receiver | reject-both} ... 145 signature sid log [alert] ...
