ZyXEL Communications ZYWALL - CLI Reference Manual

Zld based


ZyWALL (ZLD)
CLI Reference Guide
Version 2.20, 2.21
2/2011
Edition 3
DEFAULT LOGIN
User Name admin
Password
1234
www.zyxel.com



Summary of Contents for ZyXEL Communications ZYWALL - CLI

  • Page 1 ZyWALL (ZLD) CLI Reference Guide Version 2.20, 2.21 2/2011 Edition 3 DEFAULT LOGIN User Name admin Password 1234 www.zyxel.com...
  • Page 3 See your User’s Guide for a list of supported features and details about feature implementation. Please refer to www.zyxel.com or your product’s CD for product specific User Guides and product certifications. How To Use This Guide...
  • Page 4 Document Conventions Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 5 Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ZyWALL (ZLD) CLI Reference Guide...
  • Page 7: Table Of Contents

    Contents Overview Contents Overview Introduction ..........................9 Command Line Interface ......................11 User and Privilege Modes ......................27 Object Reference ........................31 Status ............................33 Registration ..........................37 Network ........................... 45 Interfaces ........................... 47 Trunks ............................85 Route ............................91 Routing Protocol ........................99 Zones ............................
  • Page 8 Contents Overview Objects ..........................235 User/Group ..........................237 Addresses ..........................245 Services ........................... 249 Schedules ..........................253 AAA Server ..........................255 Authentication Objects ......................263 Certificates ..........................267 ISP Accounts ........................... 273 SSL Application ........................277 Endpoint Security ........................281 System ..........................
  • Page 9: Introduction

    Introduction Command Line Interface (11) User and Privilege Modes (27) Object Reference (31) Status (33) Registration (37)
  • Page 11: Command Line Interface

    CHAPTER Command Line Interface This chapter describes how to access and use the CLI (Command Line Interface). 1.1 Overview If you have problems with your ZyWALL, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the ZyWALL and possibly render it unusable.
  • Page 12 Chapter 1 Command Line Interface The ZyWALL might force you to log out of your session if reauthentication time, lease time, or idle timeout is reached. See Chapter 25 on page 237 more information about these settings. 1.2.1 Console Port The default settings for the console port are as follows.
  • Page 13 Chapter 1 Command Line Interface Enter the user name and password at the prompts. The default login username is admin and password is 1234. The username and password are case-sensitive. 1.2.2 Web Configurator Console Before you can access the CLI through the web configurator, make sure your computer supports the Java Runtime Environment.
  • Page 14 Chapter 1 Command Line Interface Figure 4 Web Console: User Name 5 Enter the user name you want to use to log in to the console. The console begins to connect to the ZyWALL. The default login username is admin. It is case-sensitive. Figure 5 Web Console: Connecting Then, the Password screen appears.
  • Page 15 Chapter 1 Command Line Interface Figure 7 Web Console 7 To use most commands in this User’s Guide, enter configure terminal. The prompt should change to Router(config)# 1.2.3 Telnet Use the following steps to Telnet into your ZyWALL. 1 If your computer is connected to the ZyWALL over the Internet, skip to the next step. Make sure your computer IP address and the ZyWALL IP address are on the same subnet.
  • Page 16 Chapter 1 Command Line Interface Figure 8 SSH Login Example C:\>ssh2 admin@192.168.1.1 Host key not found from database. Key fingerprint: xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex You can get a public key's fingerprint by running % ssh-keygen -F publickey.pub on the keyfile. Are you sure you want to continue connecting (yes/no)? yes Host key saved to C:/Documents and Settings/user/Application Data/SSH/ hostkeys/ ey_22_192.168.1.1.pub...
  • Page 17 Chapter 1 Command Line Interface 1.4.3 Command Summary This section lists the commands for the feature in one or more tables. 1.4.4 Command Examples (Optional) This section contains any examples for the commands in this feature. 1.4.5 Command Syntax The following conventions are used in this User’s Guide. •...
  • Page 18 Chapter 1 Command Line Interface Table 2 CLI Modes (continued) USER PRIVILEGE CONFIGURATION SUB-COMMAND What Limited- • Look at system • Look at system Unable to access Unable to access information (like information (like Admin users can Status screen) Status screen) •...
  • Page 19 Chapter 1 Command Line Interface Figure 9 Help: Available Commands Example 1 Router> ? <cr> apply atse clear configure ------------------[Snip]-------------------- shutdown telnet test traceroute write Router> Figure 10 Help: Available Command Example 2 Router> show ? <wlan ap interface> access-page account ad-server address-object...
  • Page 20 Chapter 1 Command Line Interface 1.6.3 Entering Partial Commands The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the ZyWALL automatically display the full command. For example, if you enter and press , the full command of config...
  • Page 21 Chapter 1 Command Line Interface 1.7 Input Values You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen.
  • Page 22 Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES LEGAL VALUES domain name: Used in content filtering: lower-case letters, numbers, or .- ; Used in ip dns server: 0-247 alphanumeric or .- (first character: alphanumeric or -); Used in domainname, ip dhcp pool, and ip domain: 0-254 alphanumeric or ._-...
  • Page 23 Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES LEGAL VALUES password (less than 15 chars): 1-15 alphanumeric or `~!@#$%^&*()_\-+={}|\;:'<,>./ ; password (less than 8 chars): alphanumeric or ;/?:@&=+$\.-_!~*'()%,#$ ; password (Used in user and ip ddns): 1-63 alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./ ; Used in e-mail log profile SMTP authentication...
  • Page 24 Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES LEGAL VALUES Used in content filtering redirect “http://”+ alphanumeric or ;/?:@&=+$\.-_!~*'()%, “https://”+ starts with “http://” or “https://” may contain one pound sign (#) Used in other content filtering commands “http://”+ alphanumeric or ;/?:@&=+$\.-_!~*'()%,...
  • Page 25 Chapter 1 Command Line Interface Always save the changes before you log out after each management session. All unsaved changes will be lost after the system restarts. 1.10 Logging Out Enter the exit or end command in configure mode to go to privilege mode. Enter the exit command in user mode or privilege mode to log out of the CLI.
  • Page 27: User And Privilege Modes

    ‘user mode’. All commands can be run in ‘privilege mode’. The htm and psm commands are for ZyXEL’s internal manufacturing process. Table 4 User (U) and Privilege (P) Mode Commands COMMAND...
  • Page 28 Goes to htm (hardware test module) mode for testing hardware components. You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting. Note: These commands are for ZyXEL’s internal manufacturing process. Dials or disconnects an interface.
  • Page 29 Debug commands marked with an asterisk (*) are not available when the debug flag is on and are for ZyXEL service personnel use only. The debug commands follow a syntax that is Linux-based, so if there is a Linux equivalent, it is displayed in this chapter for your reference.
  • Page 30 Chapter 2 User and Privilege Modes Table 5 Debug Commands (continued) COMMAND SYNTAX DESCRIPTION LINUX COMMAND EQUIVALENT debug no myzyxel server (*) Set the myZyXEL.com registration/ update server to the official site Policy route debug command debug policy-route (*) Content Filtering debug commands debug reset content-filter profiling Service registration debug command...
  • Page 31: Object Reference

    CHAPTER Object Reference This chapter describes how to use object reference commands. 3.1 Object Reference Commands The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
  • Page 32 Chapter 3 Object Reference Table 6 show reference Commands (continued) COMMAND DESCRIPTION show reference object isakmp policy [isakmp_name]: Displays which configuration settings reference the specified VPN gateway object. show reference object sslvpn policy [profile]: Displays which configuration settings reference the specified SSL VPN object. show reference object zone: Displays which configuration settings reference the...
  • Page 33: Status

    CHAPTER Status This chapter explains some commands you can use to display information about the ZyWALL’s current operational state. Table 7 Status Show Commands COMMAND DESCRIPTION show boot status: Displays details about the ZyWALL’s startup state. Displays whether the console and auxiliary ports are on or off.
  • Page 34 Chapter 4 Status Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size, and serial number. Router(config)# show fan-speed FAN1(F00)(rpm): limit(hi)=6500, limit(lo)=1400, max=6650, min=6642, avg=6644 FAN2(F01)(rpm): limit(hi)=6500, limit(lo)=1400, max=6809, min=6783, avg=6795 FAN3(F02)(rpm): limit(hi)=6500, limit(lo)=1400, max=6683, min=6666, avg=6674 FAN4(F03)(rpm): limit(hi)=6500, limit(lo)=1400, max=6633, min=6617, avg=6627 Router(config)# show mac MAC address: 28:61:32:89:37:61-28:61:32:89:37:67...
  • Page 35 Chapter 4 Status Here is an example of the command that displays the open ports. Router(config)# show socket open Proto Local_Address Foreign_Address State =========================================================================== 172.23.37.240:22 172.23.37.10:1179 ESTABLISHED 127.0.0.1:64002 0.0.0.0:0 0.0.0.0:520 0.0.0.0:0 0.0.0.0:138 0.0.0.0:0 0.0.0.0:138 0.0.0.0:0 0.0.0.0:138 0.0.0.0:0 0.0.0.0:138 0.0.0.0:0 0.0.0.0:138 0.0.0.0:0 0.0.0.0:138 0.0.0.0:0...
  • Page 36 Here are examples of the commands that display the system uptime and model, firmware, and build information. Router> show system uptime system uptime: 04:18:00 Router> show version ZyXEL Communications Corp. model : ZyWALL USG 100 firmware version: 2.20(AQQ.0)b3 BM version : 1.08...
  • Page 37: Registration

    AppPatrol, anti-virus, content filtering, and SSL VPN services using commands. 5.1 myZyXEL.com overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
  • Page 38 PIN number (license key) in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. If you were already using an iCard anti-virus subscription, any remaining time on your earlier subscription is automatically added to the new subscription.
  • Page 39 service-register service-type trial service all {kav|zav}: Activates all of the trial service subscriptions, including Kaspersky or ZyXEL anti-virus. service-register service-type trial service av {kav|zav}: Activates a Kaspersky or ZyXEL anti-virus trial service subscription. Changes from one anti-virus engine to the other.
  • Page 40 Chapter 5 Registration 5.2.1 Command Examples The following commands allow you to register your device with an existing account or create a new account and register the device at one time, and activate a trial service subscription. Router# configure terminal Router(config)# device-register username alexctsui password 123456 Router(config)# service-register service-type trial service content-filter The following command displays the account information and whether the device is...
  • Page 41 Chapter 5 Registration 5.3 Country Code The following table displays the number for each country. Table 10 Country Codes COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME Afghanistan Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua & Barbuda Argentina Armenia Aruba Ascension Island...
  • Page 42 Chapter 5 Registration Table 10 Country Codes (continued) COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME Faroe Islands Fiji Finland France France (Metropolitan) French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Great Britain Greece Greenland Grenada Guadeloupe Guam...
  • Page 43 Chapter 5 Registration Table 10 Country Codes (continued) COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Not Determined Oman Pakistan Palau Panama Papua New Guinea...
  • Page 44 Chapter 5 Registration Table 10 Country Codes (continued) COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME Uruguay Uzbekistan Vanuatu Venezuela Vietnam Virgin Islands (British) Virgin Islands (USA) Wallis And Futuna Islands Western Sahara Western Samoa Yemen Yugoslavia Zambia Zimbabwe ZyWALL (ZLD) CLI Reference Guide...
  • Page 45: Route

    Network Interfaces (47) Trunks (85) Route (91) Routing Protocol (99) Zones (103) DDNS (107) Virtual Servers (111) HTTP Redirect (117) ALG (121)
  • Page 47 CHAPTER Interfaces This chapter shows you how to use interface-related commands. 6.1 Interface Overview In general, an interface has the following characteristics. • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. •...
  • Page 48 Chapter 6 Interfaces • Virtual interfaces (IP alias) provide additional routing information in the ZyWALL. There are three types: virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces. • The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out.
  • Page 49 Chapter 6 Interfaces Table 12 Ethernet, VLAN, Bridge, PPP, and Virtual Interface Characteristics (ZyWALL USG 100 and 200 Models) (continued) CHARACTERISTICS ETHERNET ETHERNET ETHERNET VLAN BRIDGE PPP VIRTUAL DHCP client Routing metric Interface Parameters Bandwidth restrictions Packet size (MTU) Data size (MSS) DHCP DHCP server DHCP relay...
  • Page 50 Chapter 6 Interfaces ** - Cellular interfaces can be added to the WAN zone or no zone. 6.1.2 Relationships Between Interfaces In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports (or port groups). The relationships between interfaces are explained in the following table.
  • Page 51 Chapter 6 Interfaces 6.2 Interface General Commands Summary The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 15 Input Values for General Interface Commands LABEL DESCRIPTION interface_name The name of the interface. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
  • Page 52 Chapter 6 Interfaces Table 16 interface General Commands: Basic Properties and IP Address Assignment (continued) COMMAND DESCRIPTION [no] description description: Specifies the description for the specified interface. The no command clears the description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
  • Page 53 Chapter 6 Interfaces Table 16 interface General Commands: Basic Properties and IP Address Assignment (continued) COMMAND DESCRIPTION interface reset {interface_name|virtual_interface_name|all}: Resets the interface statistics TxPkts (transmitted packets) and RxPkts (received packets) counts to 0. You can use the show interface summary all status command to see the interface statistics.
  • Page 54 Chapter 6 Interfaces This example shows how to modify the name of interface ge4 to “VIP”. First you have to check the interface system name (ge4 in this example) on the ZyWALL. Then change the name and display the result. Router>...
  • Page 55 Chapter 6 Interfaces This example shows how to restart an interface. You can check all interface names on the ZyWALL. Then use either the system name or user-defined name of an interface (ge4 or Customer in this example) to restart it. Router>...
  • Page 56 Chapter 6 Interfaces Table 17 interface Commands: DHCP Settings (continued) COMMAND DESCRIPTION [no] host ip: Specifies the static IP address the ZyWALL should assign. Use this command, along with hardware-address, to create a static DHCP entry. Note: The IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool.
  • Page 57 Chapter 6 Interfaces Table 17 interface Commands: DHCP Settings (continued) COMMAND DESCRIPTION [no] starting-address ip pool-size <1..65535>: Sets the IP start address and maximum pool size of the specified DHCP pool. The final pool size is limited by the subnet mask. Note: You must specify the network first, and the start address...
  • Page 58 6.2.2.1 DHCP Setting Command Examples The following example uses these commands to configure DHCP pool DHCP_TEST. Router# configure terminal Router(config)# ip dhcp pool DHCP_TEST Router(config-ip-dhcp-pool)# network 192.168.1.0 /24 Router(config-ip-dhcp-pool)# domain-name zyxel.com Router(config-ip-dhcp-pool)# first-dns-server 10.1.5.1 Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns Router(config-ip-dhcp-pool)# third-dns-server 10.1.5.2 Router(config-ip-dhcp-pool)# default-router 192.168.1.1...
  • Page 59 Chapter 6 Interfaces Table 18 Examples for Different Interface Parameters ETHERNET VIRTUAL INTERFACE PPPOE/PPTP Router(config)# interface cellular1 Router(config)# interface wlan-1-1 Router(config)# interface vlan1 Router(config-if-cellular)# Router(config-if-wlan)# Router(config-if-vlan)# account block-intra description band description downstream budget downstream exit connectivity exit description group-key device hide downstream idle...
  • Page 60 Chapter 6 Interfaces Table 19 interface Commands: RIP Settings (continued) COMMAND DESCRIPTION [no] ip rip {send | receive} version <1..2>: Sets the send or receive version to the specified version number. The no command sets the send or receive version to the current global setting for RIP.
  • Page 61 Chapter 6 Interfaces Table 20 interface Commands: OSPF Settings (continued) COMMAND DESCRIPTION ip ospf message-digest-key <1..255> md5 password: Sets the ID and password for OSPF MD5 authentication in the specified interface. password: 1-16 alphanumeric characters or underscores. no ip ospf message-digest-key: Clears the ID and password for OSPF MD5 authentication in the specified interface.
  • Page 62 Chapter 6 Interfaces 6.2.6 Connectivity Check (Ping-check) Commands Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the ZyWALL stops routing to the gateway.
  • Page 63 Chapter 6 Interfaces 6.2.6.1 Connectivity Check Command Example The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2. Router# configure terminal Router(config)# interface wan1 Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080 Router(config-if-wan1)# exit Router(config)# show ping-check...
  • Page 64 Chapter 6 Interfaces Table 23 interface Commands: MAC Setting (continued) COMMAND DESCRIPTION type {internal|external|general}: Sets which type of network you will connect this interface to. The ZyWALL automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces; for example LAN to WAN traffic.
  • Page 65 Chapter 6 Interfaces Table 24 Basic Interface Setting Commands (continued) COMMAND DESCRIPTION [no] negotiation auto: Sets the port to use auto-negotiation to determine the port speed and duplex. The no command turns off auto-negotiation. [no] speed <100,10>: Sets the Ethernet port’s connection speed in Mbps....
  • Page 66 Chapter 6 Interfaces 6.4 Virtual Interface Specific Commands Virtual interfaces use many of the general interface commands discussed at the beginning of Section 6.2 on page 51. There are no additional commands for virtual interfaces. 6.4.1 Virtual Interface Command Examples The following commands set up a virtual interface on top of Ethernet interface ge1.
  • Page 67 Chapter 6 Interfaces Table 26 interface Commands: PPPoE/PPTP Interfaces (continued) COMMAND DESCRIPTION [no] bind interface_name: Specifies the base interface for the PPPoE/PPTP interface. The no command removes the base interface. [no] connectivity {nail-up | dial-on-demand}: Specifies whether the specified PPPoE/PPTP interface is always connected (nail-up) or connected only when used (dial-on-demand).
  • Page 68 Chapter 6 Interfaces The following commands show you how to connect and disconnect ppp0. Router# interface dial ppp0 Router# interface disconnect ppp0 6.6 Cellular Interface Specific Commands Use a 3G (Third Generation) cellular device with the ZyWALL for wireless broadband Internet access.
  • Page 69 Chapter 6 Interfaces Table 27 Cellular Interface Commands (continued) COMMAND DESCRIPTION [no] budget data active {download-upload|download|upload} <1..100000>: Sets how much downstream and/or upstream data (in Mega bytes) can be transmitted via the 3G connection within one month. download: set a limit on the downstream traffic (from the ISP to the ZyWALL).
  • Page 70 Chapter 6 Interfaces Table 27 Cellular Interface Commands (continued) COMMAND DESCRIPTION no budget log-percentage [recursive]: Sets the ZyWALL to not create a log when the set percentage of time budget or data limit is exceeded. You can configure the percentage using the budget percentage command. You can also specify recursive to have the ZyWALL only create a log one time when the set percentage of time budget or data limit is exceeded.
  • Page 71 Chapter 6 Interfaces 6.6.1 Cellular Status The following table describes the different kinds of cellular connection status on the ZyWALL. Table 28 Cellular Status STATUS DESCRIPTION No device no 3G device is connected to the ZyWALL. No service no 3G network is available in the area; you cannot connect to the Internet. Limited service returned by the service provider in cases where the SIM card is expired, the user failed to pay for the service and so on;...
  • Page 72 Chapter 6 Interfaces Table 28 Cellular Status STATUS DESCRIPTION PPP fail The ZyWALL failed to create a PPP connection for the cellular interface. Need auth-password You need to enter the password for the 3G card in the cellular edit screen. Device ready The ZyWALL successfully applied all of your configuration and you can use the 3G connection.
  • Page 73 Chapter 6 Interfaces This example shows the 3G connection profile settings for interface cellular2 on the ZyWALL. You have to dial *99***1# to use profile 1, but authentication is not required. Dial *99***2# to use profile 2 and authentication is required. Router(config)# show interface cellular2 device profile profile: 1 apn: internet...
  • Page 74 Chapter 6 Interfaces Table 29 USB Storage General Commands (continued) COMMAND DESCRIPTION logging usb-storage flushThreshold <1..100>: Configures the maximum storage space (in percentage) for storing system logs on the connected USB storage device. [no] diag-info copy usb-storage: Sets to have the ZyWALL save or stop saving the current system diagnostics information to the connected USB storage device.
  • Page 75 Chapter 6 Interfaces 6.8.1 WLAN General Commands Use these commands to configure global settings that apply to all of the wireless LAN interfaces you create on the WLAN card. Table 31 WLAN General Commands COMMAND DESCRIPTION wlan slot_name: Specifies the slot the WLAN card is installed in and enters sub-command mode.
  • Page 76 Chapter 6 Interfaces 6.8.1.1 WLAN General Commands Example This example sets wireless slot 1 to use the IEEE 802.11b and IEEE 802.11g bands, channel 5, super mode, 50 % output power, and enables it. Router(config)# wlan slot1 Router(config-wlan-slot)# band bg Router(config-wlan-slot)# channel 5 Router(config-wlan-slot)# super Router(config-wlan-slot)# output-power 50%...
  • Page 77 Chapter 6 Interfaces Table 32 WLAN Interface Commands (continued) COMMAND DESCRIPTION reauth <30..30000>: Sets the WPA2 reauthentication timer. This is at what interval wireless stations have to resend usernames and passwords in order to stay connected. If a RADIUS server authenticates wireless stations, the reauthentication timer on the RADIUS server has priority.
  • Page 78 Chapter 6 Interfaces Table 32 WLAN Interface Commands (continued) COMMAND DESCRIPTION [no] security dot1x acct ip port <1..65535>: Sets the IP address and port number of an external accounting server. [no] security dot1x auth ip port: Sets the IP address and port number of an external authentication (RADIUS) server.
  • Page 79 Chapter 6 Interfaces 6.8.3 WLAN MAC Filter Commands Use these commands to give specific wireless clients exclusive access to the ZyWALL (allow association) or block specific devices from accessing the ZyWALL (deny association) based on the devices’ MAC addresses. Table 33 WLAN General Commands COMMAND DESCRIPTION Specifies the MAC address (in XX:XX:XX:XX:XX:XX format)
  • Page 80 Chapter 6 Interfaces The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 34 Input Values for VLAN Interface Commands LABEL DESCRIPTION interface_name: VLAN interface: vlanx, x = 0 - 4094. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your...
  • Page 81 Chapter 6 Interfaces The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 36 Input Values for Bridge Interface Commands LABEL DESCRIPTION interface_name: The name of the interface. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
  • Page 82 Chapter 6 Interfaces 6.11 Auxiliary Interface Specific Commands The first table below lists the auxiliary interface commands, and the second table explains the values you can input with these commands. Table 38 interface Commands: Auxiliary Interface COMMAND DESCRIPTION interface dial aux / interface disconnect aux: Dials or disconnects the auxiliary interface. Enters sub-command mode.
  • Page 83 Chapter 6 Interfaces 6.11.1 Auxiliary Interface Command Examples The following commands show you how to set up the auxiliary interface aux with the following parameters: phone-number 0340508888, tone dialing, port speed 115200, initial-string ATZ, timeout 10 seconds, retry count 2, retry interval 100 seconds, username kk, password kk@u2online, chap-pap authentication, and description “I am aux interface”.
  • Page 85 CHAPTER Trunks This chapter shows you how to configure trunks on your ZyWALL. 7.1 Trunks Overview You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface’s connection goes down, the ZyWALL sends traffic through another member of the trunk.
  • Page 86 Chapter 7 Trunks 7.3 Trunk Commands Input Values The following table explains the values you can input with the interface-group commands. Table 39 interface-group Command Input Values LABEL DESCRIPTION group-name: A descriptive name for the trunk. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number.
  • Page 87 Chapter 7 Trunks Table 40 interface-group Commands Summary (continued) COMMAND DESCRIPTION loadbalancing-index outbound|inbound|total: Use this command only if you use least load first or spill-over as the trunk’s load balancing algorithm. Set either outbound, inbound or outbound and inbound traffic (total) to which the ZyWALL will apply the specified algorithm.
  • Page 88 Chapter 7 Trunks The following example creates a least load first trunk for Ethernet interface ge3 and VLAN 5, which will only apply to outgoing traffic through the trunk. The ZyWALL sends new session traffic through the least utilized of these interfaces. Router# configure terminal Router(config)# interface-group llf-example Router(if-group)# mode trunk...
  • Page 89 Chapter 7 Trunks 7.6 Link Sticking You can have the ZyWALL send each local computer’s traffic through a single WAN interface for a specified period of time. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file. If the user’s subsequent sessions came from a different WAN IP address, the file server would deny the request.
  • Page 90 Chapter 7 Trunks 7.7 Link Sticking Commands Summary The following table lists the ip load-balancing link-sticking commands for link sticking. (The link sticking commands have the prefix ip load-balancing because they affect the ZyWALL’s load balancing behavior.) You must use the configure command to enter the configuration mode before you can use these commands.
  • Page 91 H A P T E R Route This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL. 8.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
  • Page 92 Chapter 8 Route Table 42 Input Values for General Policy Route Commands (continued) LABEL DESCRIPTION schedule_object The name of the schedule. You may use 1-31 alphanumeric characters, underscores( ), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 93 Chapter 8 Route Table 43 Command Summary: Policy Route (continued) COMMAND DESCRIPTION Sets a custom DSCP code point (0~63). This is [no] dscp {any | <0..63>} the DSCP value of incoming packets to which this policy route applies. any means all DSCP value or no DSCP marker.
  • Page 94 Chapter 8 Route Table 43 Command Summary: Policy Route (continued) COMMAND DESCRIPTION [no] sslvpn tunnel_name Sets the incoming interface to an SSL VPN tunnel. The no command removes the SSL VPN tunnel through which the incoming packets are received. [no] trigger <1..8>... Sets a port triggering rule. The no command...
  • Page 95 Chapter 8 Route Table 43 Command Summary: Policy Route (continued) COMMAND DESCRIPTION show policy-route begin <1..200> end <1..200> Displays the specified range of policy route settings. show policy-route controll-ipsec-dynamic-rules Displays whether the ZyWALL checks policy routes first before IPSec dynamic rules. show policy-route override-direct-route Displays whether or not the ZyWALL forwards packets that match a policy route according to...
  • Page 96 Chapter 8 Route 8.2.2 Policy Route Command Example The following commands create two address objects (TW_SUBNET and GW_1) and insert a policy that routes the packets (with the source IP address TW_SUBNET and any destination IP address) through the interface ge1 to the next-hop router GW_1. This route uses the IP address of the outgoing interface as the matched packets’...
  • Page 97 Chapter 8 Route Figure 15 Example of Static Routing Topology 8.4 Static Route Commands The following table describes the commands available for static routes. You must use the configure terminal command to enter configuration mode before you can use these commands.
  • Page 98 Chapter 8 Route ZyWALL (ZLD) CLI Reference Guide...
  • Page 99 Chapter 9 Routing Protocol This chapter describes how to set up RIP and OSPF routing protocols for the ZyWALL. 9.1 Routing Protocol Overview Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL then stores this routing information in the routing table, which it uses when it makes routing decisions.
  • Page 100 Chapter 9 Routing Protocol 9.2.1 RIP Commands This table lists the commands for RIP. Table 48 router Commands: RIP COMMAND DESCRIPTION router rip Enters sub-command mode. [no] network interface_name Enables RIP on the specified Ethernet interface. The no command disables RIP on the specified interface.
  • Page 101 Chapter 9 Routing Protocol Table 49 router Commands: General OSPF Configuration (continued) COMMAND DESCRIPTION [no] passive-interface interface_name Sets the direction to “In-Only” for the specified interface. The no command sets the direction to “BiDir”. [no] router-id IP Sets the 32-bit ID (in IP address format) of the ZyWALL.
  • Page 102 Chapter 9 Routing Protocol Table 51 router Commands: Virtual Links in OSPF Areas (continued) COMMAND DESCRIPTION [no] area IP virtual-link IP authentication message-digest Enables MD5 authentication in the specified virtual link. The no command disables authentication in the specified virtual link. [no] area IP virtual-link IP... Sets the password for text authentication in the specified virtual link.
  • Page 103 Chapter 10 Zones Set up zones to configure network security and network policies in the ZyWALL. 10.1 Zones Overview A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management.
  • Page 104 Chapter 10 Zones 10.2 Zone Commands Summary The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands. Table 53 Input Values for Zone Commands LABEL DESCRIPTION profile_name The name of a zone, or the name of a VPN tunnel. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-).
  • Page 105 Chapter 10 Zones 10.2.1 Zone Command Examples The following commands add Ethernet interfaces ge1 and ge2 to zone A and block intra-zone traffic. Router# configure terminal Router(config)# zone A Router(zone)# interface ge1 Router(zone)# interface ge2 Router(zone)# block Router(zone)# exit Router(config)# show zone No.
  • Page 106 Chapter 10 Zones ZyWALL (ZLD) CLI Reference Guide...
  • Page 107 Chapter 11 DDNS This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL. 11.1 DDNS Overview DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address.
  • Page 108 Chapter 11 DDNS 11.2 DDNS Commands Summary The following table describes the values required for many DDNS commands. Other values are discussed with the corresponding commands. Table 56 Input Values for DDNS Commands LABEL DESCRIPTION profile_name The name of the DDNS profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 109 Chapter 11 DDNS Table 57 ip ddns Commands (continued) COMMAND DESCRIPTION [no] wan-iface interface_name Sets the WAN interface in the specified DDNS profile. The no command clears it. [no] backup-iface interface_name Sets the backup WAN interface in the specified DDNS profile. The no command clears it.
  • Page 110 Chapter 11 DDNS ZyWALL (ZLD) CLI Reference Guide...
  • Page 111 Chapter 12 Virtual Servers This chapter describes how to set up, manage, and remove virtual servers. Virtual server commands configure NAT. 12.1 Virtual Server Overview Virtual server is also known as port forwarding or port translation. Virtual servers are computers on a private network behind the ZyWALL that you want to make available outside the private network.
  • Page 112 Chapter 12 Virtual Servers The following table lists the virtual server commands. Table 59 ip virtual-server Commands COMMAND DESCRIPTION show ip virtual-server [profile_name] Displays information about the specified virtual server or about all the virtual servers. no ip virtual-server profile_name Deletes the specified virtual server. ip virtual-server profile_name interface... Creates or modifies the specified virtual server and...
  • Page 113 Chapter 12 Virtual Servers Table 59 ip virtual-server Commands (continued) COMMAND DESCRIPTION ip virtual-server profile_name interface interface_name original-ip {any | IP | address_object} map-to {address_object | ip} map-type... Creates or modifies the specified virtual server and maps the specified (destination IP address, protocol, and range of destination ports) to the specified (destination IP address and range of...
  • Page 114 Chapter 12 Virtual Servers 12.2.1 Virtual Server Command Examples The following command creates virtual server WAN-LAN_H323 on the wan1 interface that maps IP address 10.0.0.8 to 192.168.1.56 for TCP protocol traffic on port 1720. It also adds a NAT loopback entry. Router# configure terminal Router(config)# ip virtual-server WAN-LAN_H323 interface wan1 original-ip 10.0.0.8 map-to 192.168.1.56 map-type port protocol tcp original-port 1720...
  • Page 115 Chapter 12 Virtual Servers Create two address objects. One is named DMZ_HTTP for the HTTP server’s private IP address of 192.168.3.7. The other one is named ge2_HTTP for the ge2 (wan1) public IP address of 1.1.1.2. Router# configure terminal Router(config)# address-object DMZ_HTTP 192.168.3.7 Router(config)# address-object ge2_HTTP 1.1.1.2 Router(config)# 2 Configure NAT...
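As an added example (not code from the guide), the destination translation a virtual server performs, modelled in Python for map-type port (one port to one port) and for a port range mapped to an equally sized range, together with a check for entries that can never match because an earlier entry on the same interface already claims their whole original range. The first entry mirrors the WAN-LAN_H323 example above; the range entry, its name, and the shadowed duplicate are constructed.

```python
"""Destination NAT as performed by virtual servers (added example, not from the
guide). Models map-type "port" (one original port to one mapped port) and a
"ports"-style range (a range of original ports to an equally sized range of
mapped ports) for traffic arriving on a WAN interface, and reports entries
that an earlier entry completely shadows."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class VirtualServer:
    name: str
    interface: str                   # interface the original packet arrives on
    original_ip: str                 # public destination address, or "any"
    map_to: str                      # private address the packet is rewritten to
    protocol: str                    # "tcp", "udp" or "any"
    original_ports: Tuple[int, int]  # inclusive (begin, end) of destination ports
    mapped_ports: Tuple[int, int]    # inclusive (begin, end) after translation

    def __post_init__(self):
        o_begin, o_end = self.original_ports
        m_begin, m_end = self.mapped_ports
        if o_end - o_begin != m_end - m_begin:
            raise ValueError(f"{self.name}: original and mapped ranges differ in size")
        for port in (o_begin, o_end, m_begin, m_end):
            if not 1 <= port <= 65535:
                raise ValueError(f"{self.name}: port {port} out of range")

    def covers(self, interface: str, dst_ip: str, protocol: str, dport: int) -> bool:
        """True when this entry applies to a packet with these destination fields."""
        return (self.interface == interface
                and self.original_ip in (ANY, dst_ip)
                and self.protocol in (ANY, protocol)
                and self.original_ports[0] <= dport <= self.original_ports[1])


def port_forward(name, interface, original_ip, map_to, protocol, original_port, mapped_port):
    """map-type port: a single destination port mapped to a single port."""
    return VirtualServer(name, interface, original_ip, map_to, protocol,
                         (original_port, original_port), (mapped_port, mapped_port))


def translate(servers: List[VirtualServer], interface: str, dst_ip: str,
              protocol: str, dport: int) -> Optional[Tuple[str, str, int]]:
    """Return (entry name, new destination IP, new destination port) from the
    first matching virtual server, or None when no entry applies."""
    for vs in servers:
        if vs.covers(interface, dst_ip, protocol, dport):
            offset = dport - vs.original_ports[0]
            return vs.name, vs.map_to, vs.mapped_ports[0] + offset
    return None


def shadowed(servers: List[VirtualServer]) -> List[str]:
    """Names of entries whose whole original range is claimed by earlier entries,
    so they can never be the first match."""
    result = []
    for i, vs in enumerate(servers):
        lo, hi = vs.original_ports
        protos = ["tcp", "udp"] if vs.protocol == ANY else [vs.protocol]
        fully_covered = all(
            any(e.covers(vs.interface, vs.original_ip, proto, port) for e in servers[:i])
            for proto in protos for port in range(lo, hi + 1))
        if fully_covered:
            result.append(vs.name)
    return result


# Constructed table: the H.323 entry follows the guide's example, the web range
# and its duplicate are made up to show range mapping and shadowing.
SERVERS = [
    port_forward("WAN-LAN_H323", "wan1", "10.0.0.8", "192.168.1.56", "tcp", 1720, 1720),
    VirtualServer("WAN-DMZ_WEB", "wan1", "10.0.0.8", "192.168.3.7", "tcp", (8000, 8009), (80, 89)),
    port_forward("WAN-DMZ_WEB_DUP", "wan1", "10.0.0.8", "192.168.3.8", "tcp", 8003, 8080),
]

if __name__ == "__main__":
    print(translate(SERVERS, "wan1", "10.0.0.8", "tcp", 1720))   # H.323 to 192.168.1.56
    print(translate(SERVERS, "wan1", "10.0.0.8", "tcp", 8003))   # range entry, port 83
    print(translate(SERVERS, "wan1", "10.0.0.8", "udp", 1720))   # no UDP entry: None
    print("shadowed:", shadowed(SERVERS))
```

The shadowing check is the one worth running before adding an entry: because only the first matching virtual server applies, a later entry for the same public address, protocol and port silently never forwards anything.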
  • Page 116 Chapter 12 Virtual Servers ZyWALL (ZLD) CLI Reference Guide...
  • Page 117 Chapter 13 HTTP Redirect This chapter shows you how to configure HTTP redirection on your ZyWALL. 13.1 HTTP Redirect Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. 13.1.1 Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
  • Page 118 Chapter 13 HTTP Redirect 13.2 HTTP Redirect Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 60 Input Values for HTTP Redirect Commands LABEL DESCRIPTION description The name to identify the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 119 Chapter 13 HTTP Redirect 13.2.1 HTTP Redirect Command Examples The following commands create an HTTP redirect rule, disable it and display the settings. Router# configure terminal Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80 Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80 deactivate Router(config)# show ip http-redirect Name...
  • Page 120 Chapter 13 HTTP Redirect ZyWALL (ZLD) CLI Reference Guide...
  • Page 121 Chapter 14 ALG This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. 14.1 ALG Introduction The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un- friendly applications (such as SIP) to operate properly through the ZyWALL’s NAT.
  • Page 122 Chapter 14 ALG 14.2 ALG Commands The following table lists the commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 62 alg Commands COMMAND DESCRIPTION [no] alg sip [inactivity-timeout | signal-port <1025..65535>... Turns on or configures the ALG.
  • Page 123 Chapter 14 ALG 14.3 ALG Commands Example The following example turns on pass through for SIP and turns it off for H.323. Router# configure terminal Router(config)# alg sip Router(config)# no alg h323 ZyWALL (ZLD) CLI Reference Guide...
  • Page 124 Chapter 14 ALG ZyWALL (ZLD) CLI Reference Guide...
  • Page 125 Firewall (127)
  • Page 127 Chapter 15 Firewall This chapter introduces the ZyWALL’s firewall and shows you how to configure your ZyWALL’s firewall. 15.1 Firewall Overview The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 128 Chapter 15 Firewall Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the schedule, user name (user’s login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them).
  • Page 129 Chapter 15 Firewall Table 64 Command Summary: Firewall (continued) COMMAND DESCRIPTION firewall zone_object {zone_object|ZyWALL} rule_number Enters the firewall sub-command mode to set a direction specific through-ZyWALL rule or to-ZyWALL rule. See Table 65 on page 130 for the sub-commands. firewall zone_object {zone_object|ZyWALL} append Enters the firewall sub-command mode to add a direction specific through-ZyWALL rule or to-ZyWALL rule to the end of the global rule...
  • Page 130 Chapter 15 Firewall 15.2.1 Firewall Sub-Commands The following table describes the sub-commands for several firewall commands. Table 65 firewall Sub-commands COMMAND DESCRIPTION action {allow|deny|reject} Sets the action the ZyWALL takes when packets match this rule. [no] activate Enables a firewall rule. The no command disables the firewall rule.
  • Page 131 Chapter 15 Firewall 15.2.2 Firewall Command Examples The following example shows you how to add a firewall rule to allow a MyService connection from the WAN zone to the address object Dest_1 in the LAN zone. • Enter configuration command mode. •...
  • Page 132 Chapter 15 Firewall The following command displays the firewall rule(s) (including the default firewall rule) that applies to the packet direction from WAN to LAN. The firewall rule numbers in the menu are the firewall rules’ priority numbers in the global rule list. Router# configure terminal Router(config)# show firewall WAN LAN firewall rule: 3...
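As an added example (not code from the guide), the first-match evaluation the chapter describes, modelled in Python: a packet is checked against the rules for its zone pair in priority order on zone, schedule, user, source address, destination address and service; the first match decides, and the zone pair's default action applies when nothing matches. The rule set is built around the MyService and Dest_1 example above; the port MyService stands for (TCP 8080), the Dest_1 address, the other two rules and the default action are assumptions.

```python
"""Model of the ZyWALL's first-match firewall evaluation (added example, not
from the guide). A rule matches when the packet's zone pair, schedule, user,
source address, destination address and service all match; rules are tried
in priority order and the first match decides, otherwise the default action
for that zone pair applies."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Service:
    protocol: str          # "tcp", "udp", "icmp" or "any"
    first_port: int = 0    # destination port range, ignored for icmp and any
    last_port: int = 65535

    def matches(self, protocol: str, dport: int) -> bool:
        if self.protocol == ANY:
            return True
        if self.protocol != protocol:
            return False
        if self.protocol == "icmp":
            return True
        return self.first_port <= dport <= self.last_port


@dataclass
class Rule:
    number: int                    # priority in the global rule list
    from_zone: str
    to_zone: str                   # a zone name or "ZyWALL" for to-ZyWALL rules
    action: str                    # allow | deny | reject
    service: Service = Service(ANY)
    source: Optional[str] = None   # CIDR of the source address object, None = any
    destination: Optional[str] = None
    user: Optional[str] = None     # login name the session belongs to, None = any
    active: bool = True
    schedule_active: bool = True   # outcome of the rule's schedule check


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    protocol: str
    dport: int = 0
    user: Optional[str] = None


def _addr_match(obj: Optional[str], addr: str) -> bool:
    return obj is None or ip_address(addr) in ip_network(obj, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not rule.active or not rule.schedule_active:
        return False
    if rule.from_zone not in (ANY, pkt.from_zone):
        return False
    if rule.to_zone not in (ANY, pkt.to_zone):
        return False
    if rule.user is not None and rule.user != pkt.user:
        return False
    return (_addr_match(rule.source, pkt.src)
            and _addr_match(rule.destination, pkt.dst)
            and rule.service.matches(pkt.protocol, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet,
             default_action: str = "deny") -> Tuple[Optional[int], str]:
    """Return (number of the first matching rule or None, resulting action)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    return None, default_action


# Constructed rule set modelled on the chapter's example: rule 3 allows the
# (assumed) MyService port from the WAN zone to the Dest_1 host in the LAN.
MY_SERVICE = Service("tcp", 8080, 8080)   # assumed definition of MyService
DEST_1 = "192.168.1.56/32"                 # assumed address of Dest_1
RULES = [
    Rule(1, "LAN", "WAN", "allow"),
    Rule(2, "LAN", "ZyWALL", "allow"),
    Rule(3, "WAN", "LAN", "allow", MY_SERVICE, destination=DEST_1),
]

if __name__ == "__main__":
    print(evaluate(RULES, Packet("WAN", "LAN", "203.0.113.5", "192.168.1.56", "tcp", 8080)))
    print(evaluate(RULES, Packet("WAN", "LAN", "203.0.113.5", "192.168.1.57", "tcp", 8080)))
```

The priority numbers shown by show firewall are what the sort key stands for: a broad allow placed above a narrower deny shadows it, so checking a proposed rule against sample packets like these before appending it is cheaper than finding the hole in the logs later.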
  • Page 133 Chapter 15 Firewall The following table describes the session-limit commands. You must use the configure terminal command to enter configuration mode before you can use these commands. Table 67 Command Summary: Session Limit COMMAND DESCRIPTION [no] session-limit activate Turns the session-limit feature on or off. session-limit limit <0..8192>... Sets the default number of concurrent NAT/...
  • Page 134 Chapter 15 Firewall ZyWALL (ZLD) CLI Reference Guide...
  • Page 135 IPSec VPN (137) SSL VPN (147) L2TP VPN (153)
  • Page 137 Chapter 16 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. 16.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing.
  • Page 138 Chapter 16 IPSec VPN Figure 20 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
  • Page 139 Chapter 16 IPSec VPN Table 68 Input Values for IPSec VPN Commands (continued) LABEL DESCRIPTION distinguished_name A domain name. You can use up to 511 alphanumeric characters, spaces, or .@=,_- characters. sort_order Sort the list of currently connected SAs by one of the following classifications.
  • Page 140 Chapter 16 IPSec VPN Table 69 isakmp Commands: IKE SAs (continued) COMMAND DESCRIPTION transform-set isakmp-algo [isakmp_algo [isakmp_algo]] Sets the encryption and authentication algorithms for each proposal. ISAKMP_ALGO: {des-md5 | des-sha | 3des-md5 | 3des-sha | aes128-md5 | aes128-sha | aes192-md5 | aes192-sha | aes256-md5 | aes256-sha} Sets the IKE SA life time to the specified value.
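The transform-set isakmp-algo list is what the remote peer chooses from, so a weak suite in the second or third position still lets the IKE SA negotiate down to it. As an added example (not code from the guide), a small Python linter for that line that accepts exactly the ISAKMP_ALGO set of Table 69 and flags DES, 3DES and MD5 in any position. The weakness notes are the editor's assessment, not text from the guide, and the isakmp policy lines in the sample fragment are constructed context that the linter does not parse.

```python
"""Lint the IKE (phase 1) proposal list of a VPN gateway (added example, not
from the guide). The peer may accept any proposal in the list, so one weak
entry anywhere in the list is enough to let the SA negotiate down to it."""
import re
from typing import Dict, List, Tuple

# Suites accepted by transform-set isakmp-algo, as listed in Table 69.
ISAKMP_ALGOS = {
    "des-md5", "des-sha", "3des-md5", "3des-sha",
    "aes128-md5", "aes128-sha", "aes192-md5", "aes192-sha",
    "aes256-md5", "aes256-sha",
}

# Weakness notes are the editor's own assessment, not text from the guide.
WEAK_CIPHERS = {
    "des": "DES has a 56-bit key and is brute-forceable",
    "3des": "3DES is deprecated (64-bit block size, Sweet32)",
}
WEAK_HASHES = {
    "md5": "HMAC-MD5 is deprecated for IKE integrity",
}

_LINE = re.compile(r"^\s*transform-set\s+isakmp-algo\s+(.+?)\s*$")


def parse_transform_set(line: str) -> List[str]:
    """Return the one to three proposals of a transform-set isakmp-algo line."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a transform-set isakmp-algo line: {line!r}")
    proposals = m.group(1).split()
    if not 1 <= len(proposals) <= 3:
        raise ValueError("between one and three proposals are allowed")
    for proposal in proposals:
        if proposal not in ISAKMP_ALGOS:
            raise ValueError(f"unknown ISAKMP_ALGO {proposal!r}")
    return proposals


def weaknesses(proposal: str) -> List[str]:
    """Weakness notes for one cipher-hash suite such as '3des-md5'."""
    cipher, hash_name = proposal.split("-")
    notes = []
    if cipher in WEAK_CIPHERS:
        notes.append(WEAK_CIPHERS[cipher])
    if hash_name in WEAK_HASHES:
        notes.append(WEAK_HASHES[hash_name])
    return notes


def lint_transform_set(line: str) -> dict:
    """Proposals, (proposal, note) findings, and whether every proposal is strong."""
    proposals = parse_transform_set(line)
    findings: List[Tuple[str, str]] = [(p, note) for p in proposals for note in weaknesses(p)]
    return {"proposals": proposals, "findings": findings, "strong": not findings}


def lint_config(text: str) -> Dict[int, dict]:
    """Lint every transform-set isakmp-algo line in a block of CLI config, keyed by line number."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if "transform-set isakmp-algo" in line:
            results[lineno] = lint_transform_set(line)
    return results


# Constructed configuration fragment: the second gateway looks fine at the
# top of its list but still offers 3des-md5 as a fallback proposal.
SAMPLE_CONFIG = """\
isakmp policy gw_good
transform-set isakmp-algo aes256-sha aes128-sha
isakmp policy gw_downgradable
transform-set isakmp-algo aes256-sha 3des-md5
"""

if __name__ == "__main__":
    for lineno, result in lint_config(SAMPLE_CONFIG).items():
        status = "ok" if result["strong"] else "WEAK"
        print(f"line {lineno}: {status} {result['proposals']}")
        for proposal, note in result["findings"]:
            print(f"  {proposal}: {note}")
```

Run it over a saved configuration before a peer does the downgrade for you; the only clean result is a list in which every proposal is an AES/SHA suite.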
  • Page 141 Chapter 16 IPSec VPN 16.2.2 IPSec SA Commands (except Manual Keys) This table lists the commands for IPSec SAs, excluding manual keys (VPN connections using VPN gateways). Table 70 crypto Commands: IPSec SAs COMMAND DESCRIPTION [no] crypto ignore-df-bit Fragment packets larger than the MTU (Maximum Transmission Unit) that have the “don’t”...
  • Page 142 Chapter 16 IPSec VPN Table 70 crypto Commands: IPSec SAs (continued) COMMAND DESCRIPTION scenario {site-to-site-static|site-to-site-dynamic|remote-access-server|remote-access-client} Select the scenario that best describes your intended VPN connection. Site-to-site: The remote IPSec router has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel.
  • Page 143 Chapter 16 IPSec VPN Table 70 crypto Commands: IPSec SAs (continued) COMMAND DESCRIPTION in-snat source address_name destination address_name snat address_name Configures in-bound traffic SNAT in the IPSec SA. [no] in-dnat activate Enables in-bound traffic DNAT in the IPSec SA. The no command disables in-bound traffic DNAT in the IPSec SA.
  • Page 144 Chapter 16 IPSec VPN 16.2.3 IPSec SA Commands (for Manual Keys) This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys). Table 71 crypto map Commands: IPSec SAs (Manual Keys) COMMAND DESCRIPTION crypto map map_name set session-key {ah <256..4095>... Sets the active protocol, SPI (<256..4095>),...
  • Page 145 Chapter 16 IPSec VPN Table 72 vpn-concentrator Commands: VPN Concentrator (continued) COMMAND DESCRIPTION [no] crypto map_name Adds the specified IPSec SA to the specified VPN concentrator. The no command removes the specified IPSec SA from the specified VPN concentrator. vpn-concentrator rename profile_name profile_name Renames the specified VPN concentrator (first profile_name) to the specified name (second profile_name...
  • Page 146 Chapter 16 IPSec VPN ZyWALL (ZLD) CLI Reference Guide...
  • Page 147 Chapter 17 SSL VPN This chapter shows you how to set up secure SSL VPN access for remote user login. 17.1 SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks: •...
  • Page 148 Chapter 17 SSL VPN Table 74 Input Values for SSL VPN Commands (continued) LABEL DESCRIPTION user_name The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 149 Chapter 17 SSL VPN Table 75 SSL VPN Commands COMMAND DESCRIPTION eps move <1..8> to <1..8> Moves the first specified endpoint security object to the second specified endpoint security object’s position. [no] eps periodical-check activate Sets whether to have the ZyWALL repeat the endpoint security check at a regular interval configured using the next command...
  • Page 150 Chapter 17 SSL VPN 1 First of all, configure 10.1.1.254/24 for the IP address of interface ge2 which is an external interface for public SSL VPN to access. Configure 172.16.10.254/24 for the IP address of interface ge3 which is an internal network. Router(config)# interface ge2 Router(config-if-ge)# ip address 10.1.1.254 255.255.255.0 Router(config-if-ge)# exit...
  • Page 151 Chapter 17 SSL VPN 5 Create an SSL VPN rule named SSL_VPN_TEST. Enable it and apply objects you just created. Router(config)# sslvpn policy SSL_VPN_TEST Router(policy SSL_VPN_TEST)# activate Router(policy SSL_VPN_TEST)# user tester Router(policy SSL_VPN_TEST)# network-extension activate Router(policy SSL_VPN_TEST)# network-extension ip-pool IP-POOL Router(policy SSL_VPN_TEST)# network-extension 1st-dns DNS1 Router(policy SSL_VPN_TEST)# network-extension 2nd-dns DNS2 Router(policy SSL_VPN_TEST)# network-extension network NETWORK1...
  • Page 152 Chapter 17 SSL VPN ZyWALL (ZLD) CLI Reference Guide...
  • Page 153 Chapter 18 L2TP VPN This chapter explains how to set up and maintain L2TP VPNs in the ZyWALL. 18.1 L2TP VPN Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’...
  • Page 154 Chapter 18 L2TP VPN • Not be a manual key VPN connection. • Use Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. 18.2.1 Using the Default L2TP VPN Connection Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN.
  • Page 155 Chapter 18 L2TP VPN 18.4 L2TP VPN Commands The following table describes the values required for some L2TP VPN commands. Other values are discussed with the corresponding commands. Table 76 Input Values for L2TP VPN Commands LABEL DESCRIPTION address_object The name of an IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a...
  • Page 156 Chapter 18 L2TP VPN Table 77 L2TP VPN Commands COMMAND DESCRIPTION l2tp-over-ipsec authentication aaa authentication profile_name Specifies how the ZyWALL authenticates a remote user before allowing access to the L2TP VPN tunnel. The aaa authentication method has the ZyWALL check a user’s user name and password against the ZyWALL’s local database, a remote LDAP, RADIUS or Active Directory server, or more than one of these.
  • Page 157 Chapter 18 L2TP VPN Figure 23 L2TP VPN Example 172.23.37.205 L2TP_POOL: 192.168.10.10~192.168.10.20 LAN_SUBNET: 192.168.1.1/24 • The ZyWALL has a static IP address of 172.23.37.205 for the ge3 interface. • The remote user has a dynamic public IP address and connects through the Internet. •...
  • Page 158 Chapter 18 L2TP VPN • For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0. It is named L2TP_HOST in this example. Router(config)# crypto map Default_L2TP_VPN_Connection Router(config-crypto Default_L2TP_VPN_Connection)# policy-enforcement Router(config-crypto Default_L2TP_VPN_Connection)# local-policy L2TP_IFACE Router(config-crypto Default_L2TP_VPN_Connection)# remote-policy L2TP_HOST Router(config-crypto Default_L2TP_VPN_Connection)# activate Router(config-crypto Default_L2TP_VPN_Connection)# exit...
  • Page 159 Chapter 18 L2TP VPN • Enable the policy route. Router(config)# policy 3 Router(policy-route)# source LAN_SUBNET Router(policy-route)# destination L2TP_POOL Router(policy-route)# service any Router(policy-route)# next-hop tunnel Default_L2TP_VPN_Connection Router(policy-route)# no deactivate Router(policy-route)# exit Router(config)# show policy-route 3 index: 3 active: yes description: WIZ_VPN user: any schedule: none interface: ge1 tunnel: none...
  • Page 160 Chapter 18 L2TP VPN ZyWALL (ZLD) CLI Reference Guide...
  • Page 161 Application Patrol (163)
  • Page 163 Chapter 19 Application Patrol This chapter describes how to set up application patrol for the ZyWALL. 19.1 Application Patrol Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, http and ftp) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications.
  • Page 164 Chapter 19 Application Patrol 19.2 Application Patrol Commands Summary The following table describes the values required for many application patrol commands. Other values are discussed with the corresponding commands. Table 78 Input Values for Application Patrol Commands LABEL DESCRIPTION protocol_name The name of a pre-defined application. These are listed by category. smtp pop3...
  • Page 165 Chapter 19 Application Patrol Table 79 app Commands: Pre-Defined Applications (continued) COMMAND DESCRIPTION app protocol_name mode {portless | portbase} Specifies how the ZyWALL identifies this application. [no] app protocol_name log [alert] Creates log entries (and alerts) for the specified application. The no command does not create any log entries.
  • Page 166 Chapter 19 Application Patrol Table 81 app protocol rule Sub-commands (continued) COMMAND DESCRIPTION [no] inbound-dscp-mark {<0..63> | class {default | dscp_class}} This is how the ZyWALL handles the DSCP value of the outgoing packets to a connection’s initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value.
  • Page 167 Chapter 19 Application Patrol 19.2.3.1 Exception Rule Sub-commands The following table describes the sub-commands for several application patrol exception rule commands. Note that not all rule commands use all the sub-commands listed here. Table 83 app patrol exception rule Sub-commands COMMAND DESCRIPTION Specifies the action when traffic matches the rule.
  • Page 168 Chapter 19 Application Patrol 19.2.4 Other Application Commands This table lists the commands for other applications in application patrol. Table 84 app Commands: Other Applications COMMAND DESCRIPTION app other {del | forward | drop | reject} Specifies the default action for other applications. [no] app other log [alert] Creates log entries (and alerts) for other applications.
  • Page 169 Chapter 19 Application Patrol Table 86 app patrol other rule Sub-commands (continued) COMMAND DESCRIPTION [no] action-block {login|message|audio|video|file-transfer} Blocks use of a specific feature. bandwidth {inbound|outbound} <0..1048576> Limits inbound or outbound bandwidth, in kilobits per second. 0 disables bandwidth management for traffic matching this rule.
  • Page 170 Chapter 19 Application Patrol Table 87 app Commands: Pre-Defined Applications (continued) COMMAND DESCRIPTION [no] app other protocol_name bandwidth-graph Sets traffic for unidentified applications to display on the bandwidth statistics graph. The no command sets it not to display on the bandwidth statistics graph. Globally enables bandwidth management.
  • Page 171 Chapter 19 Application Patrol Table 87 app Commands: Pre-Defined Applications (continued) COMMAND DESCRIPTION show app highest sip bandwidth priority Displays whether or not the option to maximize the throughput of SIP traffic is enabled. show bwm activation Displays whether or not the global setting for bandwidth management on the ZyWALL is enabled.
  • Page 172 Chapter 19 Application Patrol Router# configure terminal Router(config)# show app http rule all index: default activate: yes port: 0 schedule: none user: any from zone: any to zone: any source address: any destination address: any access: forward action login: na action message: na action audio: na action video: na...
  • Page 173 Chapter 19 Application Patrol Router# configure terminal Router(config)# show app other rule all index: 1 activate: yes port: 5963 schedule: none user: any from zone: any to zone: any source address: any destination address: any protocol: tcp access: forward DSCP inbound marking: preserve DSCP outbound marking: preserve bandwidth excess-usage: no bandwidth priority: 1...
  • Page 174 Chapter 19 Application Patrol ZyWALL (ZLD) CLI Reference Guide...
  • Page 175 Anti-Virus (177) IDP Commands (185) Content Filtering (203) Anti-Spam (215)
  • Page 177 Chapter 20 Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. 20.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself.
  • Page 178 Chapter 20 Anti-Virus 20.2.1 General Anti-virus Commands The following table describes general anti-virus commands. You must use the configure terminal command to enter configuration mode before you can use these commands. You must register for the anti-virus service before you can use it (see Chapter 5 on page 37).
  • Page 179 Chapter 20 Anti-Virus Table 90 Commands for Zone to Zone Anti-Virus Rules (continued) COMMAND DESCRIPTION anti-virus rule <1..32> Enters the anti-virus sub-command mode to edit the specified direction specific rule. [no] activate Turns a direction specific anti-virus rule on or off. [no] log [alert] Sets the ZyWALL to create a log (and optionally an alert) when packets match this rule and are found to be virus-...
  • Page 180 Chapter 20 Anti-Virus 20.2.2.1 Zone to Zone Anti-virus Rule Example This example shows how to configure (and display) a WAN to LAN antivirus rule to scan HTTP traffic and destroy infected files. The white and black lists are ignored and zipped files are decompressed.
  • Page 181 Chapter 20 Anti-Virus Table 91 Commands for Anti-virus White and Black Lists (continued) COMMAND DESCRIPTION [no] anti-virus black-list activate Turn on the black list to log and delete files with names that match the black list patterns. [no] anti-virus black-list file-pattern... Adds or removes a black list file pattern. Turns a file pattern on or off.
  • Page 182 Chapter 20 Anti-Virus 20.2.4 Signature Search Anti-virus Command The following table describes the command for searching for signatures. You must use the configure terminal command to enter configuration mode before you can use this command. Table 92 Command for Anti-virus Signature Search COMMAND DESCRIPTION Search for signatures by their ID, name, severity, or...
  • Page 183 Chapter 20 Anti-Virus 20.3.1 Update Signature Examples These examples show how to enable/disable automatic anti-virus downloading, schedule updates, display the schedule, display the update status, show the (new) updated signature version number, show the total number of signatures and show the date/time the signatures were created.
  • Page 184 Chapter 20 Anti-Virus 20.4.1 Anti-virus Statistics Example This example shows how to collect and display anti-virus statistics. It also shows how to sort the display by the most common destination IP addresses. Router(config)# anti-virus statistics collect Router(config)# show anti-virus statistics collect collect statistics: yes Router(config)# show anti-virus statistics summary file scanned...
  • Page 185 Chapter 21 IDP Commands This chapter introduces IDP-related commands. 21.1 Overview Commands mostly mirror web configurator features. It is recommended you use the web configurator for IDP features such as searching for web signatures, creating/editing an IDP profile or creating/editing a custom signature.
  • Page 186 Chapter 21 IDP Commands This table shows the IDP signature, anomaly, and system-protect activation commands. Table 96 IDP Activation COMMAND DESCRIPTION [no] idp use {signature | anomaly |... Enables IDP signatures, anomaly detection, and/or system-protect. IDP signatures require IDP service registration. If you don’t have a standard license, you can register for a once-off trial one.
  • Page 187 Chapter 21 IDP Commands Table 97 Global Profile Commands COMMAND DESCRIPTION show idp signature base profile {all|none|wan|lan|dmz} settings Lists the specified signature base profile’s settings. Use |more to display the settings page by page. show idp profiles Displays all IDP signature profiles. 21.3.1.1 Example of Global Profile Commands In this example we rename an IDP signature profile from “old_profile”...
  • Page 188 Chapter 21 IDP Commands 21.3.2.1 Example of IDP Zone to Zone Rule Commands The following example creates IDP zone to zone rule one. The rule applies the LAN_IDP profile to all traffic going to the LAN zone. Router# configure terminal Router(config)# idp signature rule 1 Router(config-idp-signature-1)# Router(config-idp-signature-1)# exit...
  • Page 189 Chapter 21 IDP Commands 21.3.4 Editing/Creating Anomaly Profiles Use these commands to create a new anomaly profile or edit an existing one. It is recommended you use the web configurator to create/edit profiles. If you do not specify a base profile, the default base profile is none.
  • Page 190 Chapter 21 IDP Commands Table 100 Editing/Creating Anomaly Profiles (continued) COMMAND DESCRIPTION [no] scan-detection open-port {activate | log [alert] | block} Activates or deactivates open port scan detection options. Also sets open port scan-detection logs or alerts and blocking. The no command deactivates open port scan detection, its logs, alerts or blocking.
  • Page 191 Chapter 21 IDP Commands Table 100 Editing/Creating Anomaly Profiles (continued) COMMAND DESCRIPTION [no] icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} activate Activates or deactivates icmp decoder options. icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} log [alert] Sets icmp decoder log or alert options. The no form deactivates icmp decoder log options.
  • Page 192 Chapter 21 IDP Commands Table 100 Editing/Creating Anomaly Profiles (continued) COMMAND DESCRIPTION show idp anomaly profile http-inspection {ascii-encoding | u-encoding | bare-byte-unicode-encoding | base36-encoding | utf-8-encoding | iis-unicode-codepoint-encoding | multi-slash-encoding | iis-backslash-evasion | self-directory-traversal | directory-traversal | apache-whitespace | non-rfc-http-delimiter | non-... Shows http-inspection settings for the specified IDP profile.
  • Page 193 Chapter 21 IDP Commands 21.3.5 Editing System Protect Use these commands to edit the system protect profiles. Table 101 Editing System Protect Profiles COMMAND DESCRIPTION Configure the system protect profile. Enters idp system-protect sub-command mode. All the following commands relate to the new profile. Use exit to quit sub-command mode.
  • Page 194 Chapter 21 IDP Commands Table 102 Signature Search Command COMMAND DESCRIPTION show idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask... Searches for signature(s) in a profile by the parameters specified. The quoted string is any text within the signature name in quotes, for example, [idp search LAN_IDP name "WORM"...
  • Page 195 Chapter 21 IDP Commands The following table displays the command line service and action equivalent values. If you want to combine services in a search, then add their respective numbers together. For example, to search for signatures for DNS, Finger and FTP services, then type “7” as the service parameter.
  • Page 196 Chapter 21 IDP Commands You must use the web configurator to import a custom signature file. Table 105 Custom Signatures
    - idp customize signature quoted_string: Creates a new custom signature. The quoted string is the signature command string enclosed in quotes.
  • Page 197 Chapter 21 IDP Commands This example shows you how to edit a custom signature. Router(config)# idp customize signature edit "alert tcp any any <> any any (msg : \"test edit\"; sid: 9000000 ; )" sid: 9000000 message: test edit policy type: severity: platform: all: no...
  • Page 198 Chapter 21 IDP Commands This example shows you how to display custom signature contents. Router(config)# show idp signatures custom-signature 9000000 contents sid: 9000000 Router(config)# show idp signatures custom-signature 9000000 non-contents sid: 9000000 ack: dport: 0 dsize: dsize_rel: flow_direction: flow_state: flow_stream: fragbits_reserve: fragbits_dontfrag: fragbits_morefrag:...
  • Page 199 Chapter 21 IDP Commands This example shows you how to display all details of a custom signature. Router(config)# show idp signatures custom-signature all details sid: 9000000 message: test edit policy type: severity: platform: all: no Win95/98: no WinNT: no WinXP/2000: no Linux: no FreeBSD: no Solaris: no...
  • Page 200 Chapter 21 IDP Commands Table 106 Update Signatures
    - show idp {signature | system-protect} update: Displays the signature update schedule.
    - show idp {signature | system-protect} update status: Displays the signature update status.
    - show idp {signature | system-protect} signatures {version | date | number}: Displays signature information.
    21.5.1 Update Signature Examples These examples show how to enable/disable automatic IDP downloading, schedule updates, display the schedule, display the update status, show the (new) updated signature version...
  • Page 201 Chapter 21 IDP Commands Table 107 Commands for IDP Statistics (continued)
    - show idp statistics collect: Displays whether the collection of IDP statistics is turned on or off.
    - show idp statistics ranking {signature-: Queries and sorts the IDP statistics entries by signature name, source IP address, or destination IP address.
  • Page 202 Chapter 21 IDP Commands ZyWALL (ZLD) CLI Reference Guide...
  • Page 203: Content Filtering

    Chapter 22 Content Filtering This chapter covers how to use the content filtering feature to control web access. 22.1 Content Filtering Overview Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites.
  • Page 204 Chapter 22 Content Filtering Figure 24 Content Filtering Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site. 2 The ZyWALL looks up the web site in its . If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s .
  • Page 205 “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, etc. Use up to 63 case-insensitive characters (0-9a-z-). You can enter a single IP address in dotted decimal notation like 192.168.2.5. You can enter a subnet by entering an IP address in dotted decimal notation followed by a slash and the bit number of the subnet mask of an IP address.
  • Page 206 Chapter 22 Content Filtering Table 108 Content Filter Command Input Values (continued)
    - rating_server: The hostname or IP address of the rating server.
    - query_timeout: <1..60> seconds. Specifies the maximum querying time when rating a URL in zysh.
    The following table lists the content filtering web category names.
  • Page 207 Chapter 22 Content Filtering Table 109 Content Filtering Web Category Names CATEGORY NAME CATEGORY NAME Web Applications Suspicious Alternative Sexuality/Lifestyles LGBT Non-viewable Content Servers Placeholders Open/Mixed Content Potentially Unwanted Software Greeting Cards Audio/Video Clips Media Sharing Radio/Audio Streams TV/Video Streams Internet Telephony Online Meetings Newsgroups/Forums...
  • Page 208 Chapter 22 Content Filtering Table 110 content-filter General Commands (continued)
    - content-filter passed warning timeout <1..1440>: Sets how long to keep records of sessions for which the ZyWALL has given the user a warning before allowing access.
    - [no] content-filter policy policy_number: Sets a content filtering policy. The no command removes it.
  • Page 209 Chapter 22 Content Filtering Table 111 content-filter Filtering Profile Commands Summary (continued)
    - [no] content-filter profile filtering_profile custom forbid forbid_hosts: Adds a web site to a content filtering profile’s forbidden list. The no command removes a web site from the forbidden list.
    - Sets a content filtering profile to block Java.
  • Page 210 Chapter 22 Content Filtering Table 111 content-filter Filtering Profile Commands Summary (continued)
    - content-filter url-test url: Tests whether or not a web site is saved in the ZyWALL’s database of restricted web pages.
    - content-filter url-server test url [server rating_server] [timeout query_timeout]: Tests whether or not a web site is saved in the external content filter server’s database of...
  • Page 211 Chapter 22 Content Filtering 22.9.1 Content Filtering Statistics Example This example shows how to collect and display content filtering statistics. Router(config)# content-filter statistics collect Router(config)# show content-filter statistics summary total web pages inspected web pages warned by category service : 0 web pages blocked by category service: 0 web pages blocked by custom service restricted web features...
  • Page 212 Chapter 22 Content Filtering 7 Activate the customization. Router# configure terminal Router(config)# address-object sales 172.21.3.0/24 Router(config)# schedule-object all_day 00:00 23:59 Router(config)# content-filter profile sales_CF_PROFILE Router(config)# content-filter profile sales_CF_PROFILE url category adult-mature- content Router(config)# content-filter profile sales_CF_PROFILE url category pornography Router(config)# content-filter profile sales_CF_PROFILE url url-server Router(config)# content-filter profile sales_CF_PROFILE custom java Router(config)# content-filter profile sales_CF_PROFILE custom activex Router(config)# content-filter profile sales_CF_PROFILE custom proxy...
  • Page 213 Chapter 22 Content Filtering Use this command to display the settings of the profile. Router(config)# show content-filter profile sales_CF_PROFILE service active : yes url match unsafe: block: no, warn: yes, log: url match other : block: yes, warn: no, log: url unrate : block: no, warn: yes, log:...
  • Page 215: Anti-Spam

    Chapter 23 Anti-Spam This chapter introduces and shows you how to configure the anti-spam scanner. 23.1 Anti-Spam Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
  • Page 216 Chapter 23 Anti-Spam 23.2.1.1 Activate/Deactivate Anti-Spam Example This example shows how to activate and deactivate anti-spam on the ZyWALL. Router# configure terminal Router(config)# anti-spam activate Router(config)# show anti-spam activation anti-spam activation: yes Router(config)# no anti-spam activate Router(config)# show anti-spam activation anti-spam activation: no Router(config)# 23.2.2 Zone to Zone Anti-spam Rules...
  • Page 217 Chapter 23 Anti-Spam 23.2.2.1 Zone to Zone Anti-spam Rule Example This example shows how to configure (and display) a WAN to DMZ anti-spam rule to scan POP3 and SMTP traffic. SMTP spam is forwarded. POP3 spam is marked with a spam tag. The ZyWALL logs the event when an e-mail matches the DNSBL (see Section 23.2.4 on page for more on DNSBL).
  • Page 218 Chapter 23 Anti-Spam Table 117 Input Values for White and Black list Anti-Spam Commands (continued)
    - rule_number: The index number of an anti-spam white or black list entry. 1 - X where X is the highest number of entries the ZyWALL model supports. See the ZyWALL’s User’s Guide for details.
  • Page 219 Chapter 23 Anti-Spam Table 118 Commands for Anti-spam White and Black Lists (continued)
    - show anti-spam black-list [status]: Displays the current anti-spam black list. Use status to show the activation status only.
    - show anti-spam tag black-list: Shows the configured anti-spam black list tag.
    23.2.3.1 White and Black Lists Example This example shows how to configure and enable white list entries for e-mails with...
  • Page 220 Chapter 23 Anti-Spam The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 119 Input Values for DNSBL Commands
    - dnsbl_domain: A domain that is maintaining a DNSBL. You may use 0-254 alphanumeric characters, or dashes (-).
  • Page 221 Chapter 23 Anti-Spam Table 120 DNSBL Commands
    - show anti-spam tag {dnsbl | dnsbl-timeout}: dnsbl displays the anti-spam tag for e-mails that have a sender or relay IP address in the header that matches a blacklist maintained by a DNSBL domain. dnsbl-timeout displays the message or label to add to the mail subject of e-mails that the ZyWALL forwards if queries to the DNSBL domains time out.
  • Page 222 Chapter 23 Anti-Spam Router(config)# anti-spam dnsbl domain DNSBL-example.com activate Router(config)# show anti-spam dnsbl domain Status Domain =========================================================================== DNSBL-example.com Router(config)# anti-spam dnsbl activate Router(config)# show anti-spam dnsbl status anti-spam dnsbl status: yes Router(config)# anti-spam dnsbl query-timeout pop3 forward-with-tag Router(config)# show anti-spam dnsbl query-timeout pop3 dnsbl query timeout action: forward-with-tag Router(config)# anti-spam dnsbl max-query-ip 4...
  • Page 223 Chapter 23 Anti-Spam Table 121 Commands for Anti-spam Statistics (continued)
    - show anti-spam statistics collect: Displays whether the collection of anti-spam statistics is turned on or off.
    - show anti-spam statistics ranking: Queries and sorts the anti-spam statistics entries by source IP address or mail address.
  • Page 225: Device HA

    Device HA: Device HA (227)
  • Page 227: Device HA

    Chapter 24 Device HA Use device HA to increase network reliability. Device HA lets a backup ZyWALL (B) automatically take over if a master ZyWALL (A) fails. Figure 25 Device HA Backup Taking Over for the Master 24.1 Device HA Overview Active-Passive Mode and Legacy Mode •...
  • Page 228 Chapter 24 Device HA Only ZyWALLs of the same model and firmware version can synchronize. Otherwise you must manually configure the master ZyWALL’s settings on the backup (by editing copies of the configuration files in a text editor for example). 24.1.1 Before You Begin •...
  • Page 229 Chapter 24 Device HA Monitored Interfaces in Active-Passive Mode Device HA You can select which interfaces device HA monitors. If a monitored interface on the ZyWALL loses its connection, device HA has the backup ZyWALL take over. Enable monitoring for the same interfaces on the master and backup ZyWALLs. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL.
  • Page 230 Chapter 24 Device HA Table 124 device-ha ap-mode Commands (continued)
    - device-ha ap-mode priority <1..254>: Sets the backup ZyWALL’s priority. The backup ZyWALL with the highest value takes over the role of the master ZyWALL if the master ZyWALL becomes unavailable. The priority must be between 1 and 254.
  • Page 231 Chapter 24 Device HA Table 124 device-ha ap-mode Commands (continued)
    - device-ha ap-mode backup sync now: Synchronizes now.
    - show device-ha ap-mode interfaces: Displays the device HA AP mode interface settings and status.
    - show device-ha ap-mode next-sync-time: Displays the next time and date (in hh:mm yyyy-mm-dd format) the ZyWALL will synchronize with the master.
  • Page 232 Chapter 24 Device HA VRRP Group Overview In the ZyWALL, you should create a VRRP group to add one of its interfaces to a virtual router. You can add any Ethernet interface, VLAN interface, or virtual interface (created on top of Ethernet interfaces or VLAN interfaces) with a static IP address. You can only enable one VRRP group for each interface, and you can only have one active VRRP group for each virtual router.
  • Page 233 Chapter 24 Device HA Table 126 device-ha Commands: VRRP Groups (continued)
    - [no] authentication {string password | ah-md5 password}: Specifies the authentication method and password for the specified VRRP group. The no command means that the specified VRRP group does not use authentication.
  • Page 234 Chapter 24 Device HA Table 127 device-ha Commands: Synchronization (continued)
    - [no] device-ha sync interval <5..1440>: Specifies the number of minutes between each synchronization if the ZyWALL automatically synchronizes with the specified ZyWALL router. The no command resets the interval to five minutes.
  • Page 235: Objects

    VIII Objects: User/Group (237), Addresses (245), Services (249), Schedules (253), AAA Server (255), Authentication Objects (263), Certificates (267), ISP Accounts (273), SSL Application (277), Endpoint Security (281)
  • Page 237: User/Group

    Chapter 25 User/Group This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
  • Page 238 Chapter 25 User/Group 25.2 User/Group Commands Summary The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands. Table 130 username/groupname Command Input Values
    - username: The name of the user (account). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 239 Chapter 25 User/Group Table 131 username/groupname Commands Summary: Users (continued)
    - username username [no] logon-lease-time <0..1440>: Sets the lease time for the specified user. Set it to zero to set unlimited lease time. The no command sets the lease time to five minutes (regardless of the current default setting for new users).
  • Page 240 Chapter 25 User/Group Table 133 username/groupname Commands Summary: Settings (continued)
    - users default-setting [no] user-type <admin|ext-user|guest|limited-admin|user>: Sets the default user type for each new user. The no command sets the default user type to user.
    - show users retry-settings: Displays the current retry limit settings for users.
    - Enables the retry limit for users.
  • Page 241 Chapter 25 User/Group 25.2.4 Force User Authentication Commands This table lists the commands for forcing user authentication. Table 134 username/groupname Commands Summary: Forcing User Authentication
    - [no] force-auth activate: Enables force user authentication, which forces users to log in to the ZyWALL before the ZyWALL routes traffic for them.
  • Page 242 Chapter 25 User/Group 25.2.4.1 force-auth Sub-commands The following table describes the sub-commands for several force-auth policy commands. Note that not all rule commands use all the sub-commands listed here. Table 135 force-auth policy Sub-commands
    - [no] activate: Activates the specified condition. The no command deactivates the specified condition.
  • Page 243 Chapter 25 User/Group Table 135 force-auth policy Sub-commands (continued)
    - [no] schedule schedule_name: Sets the time criteria for the specified condition. The no command removes the time criteria, making the condition effective all the time.
    - [no] source {address_object | group_name}: Sets the source criteria for the specified condition. The no command removes the source criteria, making the condition effective for all sources.
  • Page 244 Chapter 25 User/Group 25.2.5.1 Additional User Command Examples The following commands display the users that are currently logged in to the ZyWALL and force the logout of all logins from a specific IP address. Router# configure terminal Router(config)# show users all Name Type From...
  • Page 245: Addresses

    Chapter 26 Addresses This chapter describes how to set up addresses and address groups for the ZyWALL. 26.1 Address Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
  • Page 246 Chapter 26 Addresses The following sections list the address object and address group commands. 26.2.1 Address Object Commands This table lists the commands for address objects. Table 138 address-object Commands: Address Objects
    - show address-object [object_name]: Displays information about the specified address or all the addresses.
  • Page 247 Chapter 26 Addresses 26.2.2 Address Group Commands This table lists the commands for address groups. Table 139 object-group Commands: Address Groups
    - show object-group address [group_name]: Displays information about the specified address group or about all address groups.
    - [no] object-group address group_name: Creates the specified address group if necessary and enters sub-command mode.
  • Page 249: Services

    Chapter 27 Services Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 27.1 Services Overview See the appendices in the web configurator’s User Guide for a list of commonly-used services. 27.2 Services Commands Summary The following table describes the values required for many service object and service group commands.
  • Page 250 Chapter 27 Services Table 141 service-object Commands: Service Objects (continued)
    - service-object object_name icmp icmp_value: Creates the specified ICMP message using the specified parameters. icmp_value: <0..255> | alternate-address | conversion-error | echo | echo-reply | information-reply | information-request | mask-reply | mask-request | mobile-redirect | parameter-problem | redirect | router-advertisement | router-solicitation | source-quench | time-exceeded | timestamp-reply |...
  • Page 251 Chapter 27 Services Table 142 object-group Commands: Service Groups (continued)
    - [no] object-group group_name: Adds the specified service group (second group_name) to the specified service group (first group_name). The no command removes the specified service group from the specified service group.
  • Page 253: Schedules

    Chapter 28 Schedules Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. 28.1 Schedule Overview The ZyWALL supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat.
  • Page 254 Chapter 28 Schedules The following table lists the schedule commands. Table 144 schedule Commands
    - show schedule-object: Displays information about the schedules in the ZyWALL.
    - no schedule-object object_name: Deletes the schedule object.
    - schedule-object object_name date time date time: Creates or updates a one-time schedule. date: yyyy-mm-dd date format;...
  • Page 255: AAA Server

    Chapter 29 AAA Server This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers. 29.1 AAA Server Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network.
  • Page 256 Chapter 29 AAA Server 29.2.1 ad-server Commands The following table lists the ad-server commands you use to set the default AD server. Table 145 ad-server Commands
    - show ad-server: Displays the default AD server settings.
    - [no] ad-server basedn basedn: Sets a base distinguished name (DN) for the default AD server. A base DN identifies an AD directory.
  • Page 257 Chapter 29 AAA Server Table 146 ldap-server Commands (continued)
    - [no] ldap-server port port_no: Sets the LDAP port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
    - [no] ldap-server search-time-: Sets the search timeout period (in seconds). Enter a number between 1 and 300.
  • Page 258 Chapter 29 AAA Server 29.2.5 aaa group server ad Commands The following table lists the aaa group server ad commands you use to configure a group of AD servers. Table 148 aaa group server ad Commands
    - clear aaa group server ad [group-: Deletes all AD server groups or the specified AD server group.
  • Page 259 Chapter 29 AAA Server Table 148 aaa group server ad Commands (continued)
    - [no] server port port_no: Sets the AD port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
    - [no] server search-time-limit: Sets the search timeout period (in seconds). Enter a number between 1 and 300.
  • Page 260 Chapter 29 AAA Server Table 149 aaa group server ldap Commands (continued)
    - [no] server group-attribute group-attribute: Sets the name of the attribute that the ZyWALL is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs.
  • Page 261 Chapter 29 AAA Server Table 150 aaa group server radius Commands (continued)
    - [no] server group-attribute <1-255>: Sets the value of the attribute that the ZyWALL uses to determine to which group a user belongs. This attribute’s value is called a group identifier. You can add ext-group-user user objects to identify groups based on different group identifier values.
  • Page 263: Authentication Objects

    Chapter 30 Authentication Objects This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database. 30.1 Authentication Objects Overview After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the ZyWALL uses to authenticate users (using VPN or managing through HTTP/HTTPS).
  • Page 264 Chapter 30 Authentication Objects Table 151 aaa authentication Commands (continued)
    - [no] aaa authentication default member1 [member2] [member3] [member4]: Sets the default profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius, or local. Note: You must specify at least one member for each profile.
  • Page 265 • Login-name-attribute: sAMAccountName The result shows the account exists on the AD server. Otherwise, the ZyWALL responds with an error. Router> test aaa server ad host 172.16.50.1 port 389 base-dn DC=ZyXEL,DC=com bind-dn zyxel\engineerABC password abcdefg login-name-attribute sAMAccountName account userABC dn:: Q049MTIzNzco546L5aOr56uRKSxPVT1XaXRoTWFpbCxEQz1aeVhFTCxEQz1jb20=...
  • Page 267: Certificates

    Chapter 31 Certificates This chapter explains how to use certificates. 31.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key.
  • Page 268 Chapter 31 Certificates Table 153 Certificates Commands Input Values (continued)
    - organizational_unit: Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
    - Identify the company or group to which the certificate owner belongs.
  • Page 269 Chapter 31 Certificates Table 154 ca Commands Summary (continued)
    - ca generate pkcs10 name certificate_name cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa|dsa} key-len key_length: Generates a PKCS#10 certification request.
    - ca generate pkcs12 name name password password: Generates a PKCS#12 certificate.
  • Page 270 Chapter 31 Certificates Table 154 ca Commands Summary (continued)
    - ocsp url url [id name password password] [deactivate]: Sets the validation configuration for the specified remote (trusted) certificate where the directory server uses OCSP. url: Type the protocol, IP address and pathname of the OCSP server.
  • Page 271 Chapter 31 Certificates 31.5 Certificates Commands Examples The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512-bit key. Then it displays the list of local certificates.
  • Page 273: ISP Accounts

    Chapter 32 ISP Accounts Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. 32.1 ISP Accounts Overview An ISP account is a profile of settings for Internet access using PPPoE or PPTP. 32.1.1 PPPoE and PPTP Account Commands The following table lists the PPPoE and PPTP ISP account commands.
  • Page 274 Chapter 32 ISP Accounts Table 155 PPPoE and PPTP ISP Account Commands (continued)
    - [no] service-name {ip | hostname | service_name}: Sets the service name for the specified PPPoE ISP account. The no command clears the service name. hostname: You may use up to 63 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
  • Page 275 Chapter 32 ISP Accounts Table 156 Cellular Account Commands (continued)
    - [no] password password: Sets the password for the specified ISP account. The no command clears the password. password: Use up to 63 printable ASCII characters. Spaces are not allowed.
    - [no] authentication {none | pap | chap}: Sets the authentication for the cellular account. The no command sets the authentication to none.
  • Page 277: SSL Application

    Chapter 33 SSL Application This chapter describes how to configure SSL application objects for use in SSL VPN. 33.1 SSL Application Overview Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network.
  • Page 278 Chapter 33 SSL Application Table 157 SSL Application Object Commands
    - server-type file-sharing share-path share-path: Specifies the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access.
  • Page 279 Chapter 33 SSL Application 33.1.2 SSL Application Command Examples The following commands create and display a server-type SSL application object named ZW5 for a web server at IP address 192.168.1.12. Router(config)# sslvpn application ZW5 Router(sslvpn application)# server-type web-server url http://192.168.1.12 Router(sslvpn application)# exit Router(config)# show sslvpn application SSL Application: ZW5...
  • Page 281: Endpoint Security

    Chapter 34 Endpoint Security This chapter describes how to configure endpoint security objects for use in authentication policy and SSL VPN. 34.1 Endpoint Security Overview Use Endpoint Security (EPS), also known as endpoint control, to make sure users’ computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel.
  • Page 282 Chapter 34 Endpoint Security Requirements User computers must have Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a minimum version of 1.4. 34.1.1 Endpoint Security Commands Summary The following table describes the values required for many endpoint security object commands.
  • Page 283 Chapter 34 Endpoint Security Table 159 Endpoint Security Object Commands
    - [no] personal-firewall personal_firewall_software_name detect-auto-protection: Sets a permitted personal firewall. If you want to enter multiple personal firewalls, use this command for each of them. Use the list signature personal-firewall command to view the available personal firewall software package options.
  • Page 284 Chapter 34 Endpoint Security Table 159 Endpoint Security Object Commands
    - os-type {windows | linux | mac-osx | others}: Select the type of operating system the user’s computer must be using. Use the windows-version command to configure the checking items according to the set operating system. If you set this to mac-osx, there are no other checking items.
  • Page 285 Chapter 34 Endpoint Security Table 159 Endpoint Security Object Commands
    - show eps signature {anti-virus | personal-firewall | status}: Displays all the anti-virus software packages, personal firewall software packages or EPS signature information respectively. The status command displays the EPS signature version, release date and the total number of software packages for which the ZyWALL’s endpoint security can check.
  • Page 286 Chapter 34 Endpoint Security Then he also needs to check the personal firewall software name defined on the ZyWALL. Copy and paste the name of the output item 11 for the setting later. Router(config)# show eps signature personal-firewall Name Detection ========================================================================= Kaspersky_Internet_Security_v2009 Kaspersky_Internet_Security_v2010...
  • Page 287 Chapter 34 Endpoint Security Then he leaves the sub-command mode and uses the show command to view the EPS object settings. Router(eps EPS-Example)# exit Router(config)# show eps profile name: EPS-Example description: os type: windows windows version: windows-xp matching criteria: all anti-virus activation: yes anti-virus: 1 name: Kaspersky_Anti-Virus_v2010...
  • Page 289: System

    System: System (291), System Remote Management (299)
  • Page 291: System

    Chapter 35 System This chapter provides information on the commands that correspond to what you can configure in the system screens. 35.1 System Overview Use these commands to configure general ZyWALL information, the system time and the console port connection speed for a terminal emulation program.
  • Page 292 Chapter 35 System Figure 27 Access Page Customization Logo Title Message (color of all text) Note Message (last line of text) Window Background You can specify colors in one of the following ways: • color-rgb: Enter red, green, and blue values in parentheses, separated by commas. For example, use “rgb(0,0,0)”...
  • Page 293 Chapter 35 System Table 160 Command Summary: Customization (continued) COMMAND DESCRIPTION Sets a note to display at the bottom of the login screen. Use up to [no] login-page message-text % 64 printable ASCII characters. Spaces are allowed. message Sets the title for the top of the login screen. Use up to 64 login-page title title printable ASCII characters.
  • Page 294 Chapter 35 System 35.4.1 Date/Time Commands The following table describes the commands available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 162 Command Summary: Date/Time COMMAND DESCRIPTION Sets the new date in year, month and day format...
  • Page 295 DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
  • Page 296 Chapter 35 System 35.6.2 DNS Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 164 Input Values for General DNS Commands. address_object - The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a...
  • Page 297 {domain_zone_name|*} interface interface_name - ... by the specified DNS server(s). domain_zone_name: This is a domain zone, not a host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. So whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query...
  • Page 299: System Remote Management

    CHAPTER 36 System Remote Management. This chapter shows you how to determine which services/protocols can access which ZyWALL zones (if any) from which computers. To allow the ZyWALL to be accessed from a specified computer using a service, make sure you do not have a service control rule or a to-ZyWALL firewall rule that blocks that traffic.
  • Page 300 Chapter 36 System Remote Management 36.2 Common System Command Input Values The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 166 Input Values for General System Commands LABEL DESCRIPTION The name of the IP address (group) object.
  • Page 301 Chapter 36 System Remote Management Table 167 Command Summary: HTTP/HTTPS (continued). [no] ip http secure-server cert certificate_name - Specifies a certificate used by the HTTPS server. The no command resets the certificate used by the HTTPS server to the factory default. certificate_name: The name of the certificate.
  • Page 302 Chapter 36 System Remote Management 36.3.1 HTTP/HTTPS Command Examples The following example adds a service control rule that allows an administrator on a computer whose IP address matches the Marketing address object to reach the ZyWALL through the WAN zone using the HTTP service. Note that this opens plain HTTP administration from the WAN, which carries the login in clear text; for management from an untrusted zone prefer HTTPS (ip http secure-server). Router# configure terminal Router(config)# ip http server table admin rule append access-group Marketing zone WAN action accept...
  • Page 303 Chapter 36 System Remote Management 36.4.3 SSH Commands The following table describes the commands available for SSH. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 168 Command Summary: SSH COMMAND DESCRIPTION Allows SSH access to the ZyWALL CLI.
  • Page 304 Chapter 36 System Remote Management This command sets a certificate (Default) to be used to identify the ZyWALL. Router# configure terminal Router(config)# ip ssh server cert Default 36.5 Telnet You can configure your ZyWALL for remote Telnet access. 36.6 Telnet Commands The following table describes the commands available for Telnet.
  • Page 305 Chapter 36 System Remote Management 36.6.1 Telnet Commands Examples This command sets a service control rule that allows the computers whose IP addresses match the specified address object to access the specified zone using the Telnet service. Telnet sends the login and session in clear text; where possible use SSH (Section 36.4) instead. Router# configure terminal Router(config)# ip telnet server rule 11 access-group RD zone LAN action ->...
  • Page 306 Chapter 36 System Remote Management Table 170 Command Summary: FTP (continued). ip ftp server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny} - Sets a service control rule for FTP service. address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the...
  • Page 307 36.8.1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The ZyWALL also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
  • Page 308 Chapter 36 System Remote Management Table 172 Command Summary: SNMP (continued). [no] snmp-server port <1..65535> - Sets the SNMP service port number. The no command resets the SNMP service port number to the factory default. snmp-server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} - Sets a service control rule for SNMP service. address_object: The name of the IP address...
  • Page 309 Chapter 36 System Remote Management 36.9 ICMP Filter The ip icmp-filter commands are obsolete. See Chapter 15 on page 127 to configure firewall rules that discard or reject ICMP packets destined for the ZyWALL. Filtering ICMP traffic sent to the ZyWALL this way helps keep it hidden from probing attempts.
  • Page 310 Chapter 36 System Remote Management 36.10.3 Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the serial modem. The response strings have not been standardized; please consult the documentation of your serial modem to find the correct tags. 36.10.4 Dial-in Management Commands The following table describes the commands available for dial-in management.
  • Page 311 Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator.
  • Page 312 Chapter 36 System Remote Management Table 175 Command Summary: Vantage CNM. [no] cnm-agent password <TR-069 password> - Configures the password that the ACS server uses to authenticate the ZyWALL with HTTP digest authentication. The no command removes the password used for the ACS server's authentication request. cnm-agent server-type ... - Configures the server type of the management server as either a Vantage CNM server or a TR-069 ACS server.
  • Page 313: Maintenance

    Maintenance: File Manager (315), Logs (333), Reports and Reboot (339), Diagnostics (347), Packet Flow Explore (349), Maintenance Tools (353)
  • Page 315: File Manager

    CHAPTER 37 File Manager. This chapter covers how to work with the ZyWALL’s firmware, certificates, configuration files, custom IDP signatures, packet trace results, shell scripts and temporary files. 37.1 File Directories The ZyWALL stores files in the following directories. Table 177 FTP File Transfer Notes FILE NAME DIRECTORY FILE TYPE...
  • Page 316 Chapter 37 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. Figure 28 Configuration File / Shell Script: Example
        # enter configuration mode
        configure terminal
        # change administrator password
        username admin password 4321 user-type admin
        # configure ge3
        ...
  • Page 317 Chapter 37 File Manager “exit” or “!” must follow sub-commands to make the ZyWALL exit sub-command mode. Line 3 in the following example exits sub-command mode: interface ge1 / ip address dhcp. Lines 1 and 3 in the next example are comments and line 4 exits sub-command mode: interface ge1 / # this interface is a DHCP client. Lines 1 and 2 are comments.
  • Page 318 Chapter 37 File Manager • When you change the configuration, the ZyWALL creates a startup-config.conf file of the current configuration. • The ZyWALL checks the startup-config.conf file for errors when it restarts. If there is an error in the startup-config.conf file, the ZyWALL copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file.
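The syntax rules above (comments start with "#", a block command such as interface <name> enters sub-command mode, and "exit" or "!" leaves it) are easy to get wrong in a hand-written .conf or .zysh file, and a broken startup-config.conf is what makes the ZyWALL fall back to lastgood.conf at boot. The following added example (not ZyXEL code) is a small pre-flight linter to run on a script before apply or run. It assumes that interface <name> is the only block command (extend SUBMODE_PREFIXES for other firmware-specific block commands) and that blocks do not nest; the credential pattern matches the username ... password ... form shown in the Figure 28 example, and the sample script below is constructed for the example.

```python
"""Static checks for ZyWALL-style .conf / .zysh command scripts (added example, not ZyXEL code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: only these prefixes open a sub-command mode (the chapter shows 'interface <name>').
SUBMODE_PREFIXES: Tuple[str, ...] = ("interface ",)
EXIT_WORDS = {"exit", "!"}           # either word leaves sub-command mode (Section 37.2)
# 'username <name> password <secret> ...' as in the chapter's Figure 28 example.
CREDENTIAL_RE = re.compile(r"^(?P<pre>username\s+\S+\s+password\s+)(?P<secret>\S+)(?P<post>.*)$")

@dataclass
class Finding:
    line: int      # 1-based line number in the script
    kind: str      # "syntax" or "security"
    message: str

def lint_script(text: str, submode_prefixes=SUBMODE_PREFIXES) -> List[Finding]:
    """Return syntax problems (unterminated sub-command mode) and plaintext credentials."""
    findings: List[Finding] = []
    open_block = None                 # (line_no, command) of the sub-command mode currently open
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                  # blank or comment line
        if line in EXIT_WORDS:
            open_block = None         # at top level 'exit' just leaves configuration mode
            continue
        if CREDENTIAL_RE.match(line):
            findings.append(Finding(no, "security",
                "plaintext password in script; anyone who can read or FTP this file learns it"))
        if any(line.startswith(p) for p in submode_prefixes):
            if open_block is not None:
                findings.append(Finding(no, "syntax",
                    f"'{line}' entered while '{open_block[1]}' (line {open_block[0]}) is still open; "
                    "add 'exit' or '!' first"))
            open_block = (no, line)
    if open_block is not None:
        findings.append(Finding(open_block[0], "syntax",
            f"'{open_block[1]}' enters sub-command mode but the script ends without 'exit' or '!'; "
            "every later command would run inside that mode"))
    return findings

def redact_credentials(text: str) -> str:
    """Replace password values so a script can be shared or archived safely."""
    out = []
    for raw in text.splitlines():
        m = CREDENTIAL_RE.match(raw.strip())
        if m:
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(indent + m.group("pre") + "<REDACTED>" + m.group("post"))
        else:
            out.append(raw)
    return "\n".join(out)

# Constructed sample modelled on Figure 28: sets the admin password and forgets to leave interface mode.
EXAMPLE_SCRIPT = """# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge1 as a DHCP client
interface ge1
ip address dhcp
write
"""

if __name__ == "__main__":
    for f in lint_script(EXAMPLE_SCRIPT):
        print(f"line {f.line} [{f.kind}]: {f.message}")
    print(redact_credentials(EXAMPLE_SCRIPT))
```

Run it over the file before uploading; a clean result does not prove the commands are valid for your firmware, only that the block structure is sound and no secret is left in the text.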
  • Page 319 Chapter 37 File Manager 37.4 File Manager Commands Summary The following table lists the commands that you can use for file management. Table 180 File Manager Commands Summary. apply /conf/file_name.conf [ignore-error] - Has the ZyWALL use a specific configuration file. You must still use the write command to save your...
  • Page 320 Chapter 37 File Manager Table 180 File Manager Commands Summary (continued). run /script/file_name.zysh - Has the ZyWALL execute a specific shell script file. You must still use the write command to save your configuration changes to the flash (“non-volatile” or “long term”) memory.
  • Page 321 Chapter 37 File Manager The firmware update can take up to five minutes. Do not turn off or reset the ZyWALL while the firmware update is in progress! If you lose power during the firmware upload, you may need to refer to Section 37.8 on page 323 to recover the firmware.
  • Page 322 Chapter 37 File Manager 37.6.4 Command Line FTP Configuration File Download Example The following example gets a configuration file named today.conf from the ZyWALL and saves it on the computer as current.conf. Note that FTP carries the login and the file in clear text, and a configuration file contains the administrator credentials (compare the username admin password line in the Figure 28 example), so transfer it only over a trusted network and restrict the FTP service control rules to administrator addresses. Figure 30 FTP Configuration File Download Example C:\>ftp 192.168.1.1 Connected to 192.168.1.1.
  • Page 323 Chapter 37 File Manager 37.8 Notification of a Damaged Recovery Image or Firmware The ZyWALL’s recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the ZyWALL notifies you of a damaged recovery image or firmware file.
  • Page 324 37.9 Restoring the Recovery Image This procedure requires the ZyWALL’s recovery image. Download the firmware package from www.zyxel.com and unzip it. The recovery image uses a .ri extension, for example, "1.01(XL.0)C0.ri". Do the following after you have obtained the recovery image file.
  • Page 325 Chapter 37 File Manager Figure 36 atuk Command for Restoring the Recovery Image 4 Enter Y and wait for the “Starting XMODEM upload” message before activating XMODEM upload on your terminal. Figure 37 Starting Xmodem Upload 5 This is an example Xmodem configuration upload using HyperTerminal. Click Transfer, then Send File to display the following screen.
  • Page 326 37.10 Restoring the Firmware This procedure requires the ZyWALL’s firmware. Download the firmware package from www.zyxel.com and unzip it. The firmware file uses a .bin extension, for example, "1.01(XL.0)C0.bin". Do the following after you have obtained the firmware file. This section is not for normal firmware uploads. You only need to use this section if you need to recover the firmware.
  • Page 327 Chapter 37 File Manager 8 After the transfer is complete, “Firmware received” or “ZLD-current received” displays. Wait (up to four minutes) while the ZyWALL recovers the firmware. Figure 43 Firmware Received and Recovery Started 9 The console session displays “done” when the firmware recovery is complete. Then the ZyWALL automatically restarts.
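Sections 37.9 and 37.10 have the terminal program push the .ri or .bin file to the debug console with XMODEM. The added example below (not ZyXEL code) shows what that "Send File" puts on the serial line and how the receiving side checks each 128-byte block, so a scripted recovery can verify the transfer block by block instead of trusting the "Firmware received" message alone. The manual does not say which XMODEM variant the bootloader negotiates (8-bit checksum or CRC-16 requested with 'C'), so both are implemented and selected by a parameter; the image bytes are a constructed blob whose tail looks like XMODEM padding on purpose, to show the edge case that a receiver cannot strip padding without knowing the true file length.

```python
"""XMODEM framing and verification for console firmware transfers (added example, not ZyXEL code)."""
from typing import List

SOH, EOT, ACK, NAK, CAN = 0x01, 0x04, 0x06, 0x15, 0x18
CRC_REQUEST = ord("C")   # receiver sends 'C' instead of NAK to ask for CRC-16 blocks
BLOCK_SIZE = 128
PAD = 0x1A               # the last block is padded with SUB (Ctrl-Z)

def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def build_frames(image: bytes, use_crc: bool) -> List[bytes]:
    """Sender side: SOH, block number, its complement, 128 payload bytes, checksum or CRC."""
    frames = []
    for i in range(0, len(image), BLOCK_SIZE):
        payload = image[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, bytes([PAD]))
        blk = (i // BLOCK_SIZE + 1) & 0xFF          # block numbers start at 1 and wrap at 255
        frame = bytes([SOH, blk, 0xFF - blk]) + payload
        if use_crc:
            frame += crc16_xmodem(payload).to_bytes(2, "big")
        else:
            frame += bytes([sum(payload) & 0xFF])
        frames.append(frame)
    return frames

def check_frame(frame: bytes, expected_blk: int, use_crc: bool) -> bytes:
    """Receiver side: validate one frame and return its payload, or raise ValueError (the receiver would NAK)."""
    trailer = 2 if use_crc else 1
    if len(frame) != 3 + BLOCK_SIZE + trailer or frame[0] != SOH:
        raise ValueError("bad frame length or start byte")
    blk, blk_inv = frame[1], frame[2]
    if blk_inv != 0xFF - blk:
        raise ValueError("block number and its complement disagree")
    if blk != expected_blk & 0xFF:
        raise ValueError(f"expected block {expected_blk & 0xFF}, got {blk}")
    payload = frame[3:3 + BLOCK_SIZE]
    if use_crc:
        ok = int.from_bytes(frame[-2:], "big") == crc16_xmodem(payload)
    else:
        ok = frame[-1] == sum(payload) & 0xFF
    if not ok:
        raise ValueError("checksum/CRC mismatch")
    return payload

def receive(frames: List[bytes], image_len: int, use_crc: bool) -> bytes:
    """Reassemble the image. image_len is required: trailing 0x1A bytes could be data or padding."""
    out = bytearray()
    for n, f in enumerate(frames, start=1):
        out += check_frame(f, n, use_crc)
    return bytes(out[:image_len])

# Constructed 515-byte sample; it ends in 0x1A 0x1A 0x00 to exercise the padding edge case.
SAMPLE_IMAGE = bytes(range(256)) * 2 + b"\x1a\x1a\x00"

def roundtrip(use_crc: bool) -> bool:
    frames = build_frames(SAMPLE_IMAGE, use_crc)
    return receive(frames, len(SAMPLE_IMAGE), use_crc) == SAMPLE_IMAGE

if __name__ == "__main__":
    print("checksum mode ok:", roundtrip(False), " crc mode ok:", roundtrip(True))
```

The per-block check only catches line noise; it says nothing about whether the file is the firmware ZyXEL published. Check the downloaded package against the vendor-provided hash before starting a recovery, because once the bootloader has accepted the blocks it writes whatever it received.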
  • Page 328 Chapter 37 File Manager Figure 45 Restart Complete 37.11 Restoring the Default System Database The default system database stores information such as the default anti-virus or IDP signatures. The ZyWALL can still operate if the default system database is damaged or missing, but related features (like anti-virus or IDP) may not function properly.
  • Page 329 Figure 48 Default System Database Missing Log: Anti-virus This procedure requires the ZyWALL’s default system database file. Download the firmware package from www.zyxel.com and unzip it. The default system database file uses a .db extension, for example, "1.01(XL.0)C0.db". Do the following after you have obtained the default system database file.
  • Page 330 Chapter 37 File Manager 37.11.1 Using the atkz -u Debug Command You only need to use the atkz -u command if the default system database is damaged. 1 Restart the ZyWALL. 2 When “Press any key to enter debug mode within 3 seconds.” displays, press a key to enter debug mode.
  • Page 331 Chapter 37 File Manager 8 Set the transfer mode to binary (type bin). 9 Transfer the default system database file from your computer to the ZyWALL. Type put followed by the path and name of the file. This example uses put e:\ftproot\ZLD FW \1.01(XL.0)C0.db.
  • Page 333: Logs

    CHAPTER 38 Logs. This chapter provides information about the ZyWALL’s logs. When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User’s Guide for the maximum number of system log messages in the ZyWALL.
  • Page 334 Chapter 38 Logs 38.1.2 System Log Commands This table lists the commands for the system log settings. Table 183 logging Commands: System Log Settings. show logging status system-log - Displays the current settings for the system log. logging system-log category module_name {disable | level normal | level all} - Specifies what kind of information, if any, is logged in the system log and debugging log for the...
  • Page 335 | local_3 | local_4 | local_5 | local_6 | local_7} [no] logging syslog <1..4> format {cef | vrpt} - Sets the format of the log information. cef: Common Event Format, syslog-compatible format. vrpt: ZyXEL’s Vantage Report, syslog-compatible format.
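With logging syslog <n> format cef the ZyWALL ships its logs in ArcSight Common Event Format, which a collector must parse correctly before any detection logic runs on it. The added example below (not ZyXEL code) is a CEF parser that handles the general format: seven pipe-delimited header fields in which "|" and "\" are escaped, then key=value extensions in which "=" and "\" are escaped and values may contain spaces. The sample lines, the field values and the extension keys in them are constructed for the example and are not claimed to match what the ZyWALL actually emits; the severity filter at the end is the kind of first triage a SOC would apply to the feed.

```python
"""Parse syslog lines in Common Event Format (CEF) (added example, not ZyXEL code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

_HEADER_FIELDS = 7
_SEVERITY_WORDS = {"low": 3, "medium": 6, "high": 8, "very-high": 10}

@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: Dict[str, str] = field(default_factory=dict)

    def severity_score(self) -> int:
        """CEF allows 0-10 or Low/Medium/High/Very-High; normalise to 0-10."""
        s = self.severity.strip()
        return int(s) if s.isdigit() else _SEVERITY_WORDS[s.lower()]

def _split_header(body: str):
    """Split the 7 header fields on unescaped '|'; return (fields, remaining extension text)."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < _HEADER_FIELDS:
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # '\|' and '\\' are the header escapes
            buf.append(body[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(c); i += 1
    if len(fields) == _HEADER_FIELDS - 1:     # no trailing '|' and no extension
        fields.append("".join(buf))
    if len(fields) != _HEADER_FIELDS:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, body[i:]

def _unescape(raw: str) -> str:
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append({"n": "\n", "r": "\r"}.get(raw[i + 1], raw[i + 1])); i += 2; continue
        out.append(raw[i]); i += 1
    return "".join(out)

def _parse_extension(ext: str) -> Dict[str, str]:
    """key=value pairs; a key is the non-space run before an unescaped '=', a value runs to the next key."""
    ext = ext.strip()
    result: Dict[str, str] = {}
    if not ext:
        return result
    eq_positions, i = [], 0
    while i < len(ext):
        if ext[i] == "\\":
            i += 2; continue                    # skip escaped character (covers '\=')
        if ext[i] == "=":
            eq_positions.append(i)
        i += 1
    key_starts = []
    for p in eq_positions:
        s = p
        while s > 0 and not ext[s - 1].isspace():
            s -= 1
        key_starts.append(s)
    for n, (s, p) in enumerate(zip(key_starts, eq_positions)):
        key = ext[s:p]
        if not key:
            raise ValueError(f"'=' without a key at offset {p}")
        end = key_starts[n + 1] if n + 1 < len(eq_positions) else len(ext)
        result[key] = _unescape(ext[p + 1:end].rstrip())
    return result

def parse_cef(line: str) -> CefEvent:
    """Accept a raw syslog line (PRI/timestamp/host prefix allowed) and parse from 'CEF:' onwards."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker (is 'format cef' set on this syslog target?)")
    header, ext = _split_header(line[start:])
    return CefEvent(header[0][len("CEF:"):], *header[1:], extension=_parse_extension(ext))

def events_at_least(lines: Iterable[str], minimum: int) -> List[CefEvent]:
    """Triage helper: keep events with severity >= minimum, skipping lines that are not CEF."""
    out: List[CefEvent] = []
    for ln in lines:
        try:
            ev = parse_cef(ln)
        except ValueError:
            continue
        if ev.severity_score() >= minimum:
            out.append(ev)
    return out

# Constructed sample feed; values and extension keys are illustrative, not real ZyWALL output.
SAMPLE_LINES = [
    r"<134>Feb  8 10:15:32 zywall CEF:0|ZyXEL|ZyWALL|2.20|ADMIN-LOGIN|Administrator login failed|7|src=203.0.113.5 suser=admin msg=Failed login\=bad password act=deny",
    r"CEF:0|Vendor\|Inc|Fire\\Wall|1.0|100|Pipe in name \| test|Low|cs1Label=note cs1=hello world outcome=ok",
    r"<134>Feb  8 10:15:33 zywall a plain text line that is not CEF",
]

if __name__ == "__main__":
    for ev in events_at_least(SAMPLE_LINES, 7):
        print(ev.signature_id, ev.severity_score(), ev.extension)
```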
  • Page 336 Chapter 38 Logs This table lists the commands for setting how often to send information to the VRPT (ZyXEL’s Vantage Report) server. Table 186 logging Commands: VRPT Settings. vrpt send device information interval <15..3600> - Sets the interval (in seconds) for how often the ZyWALL sends a device information log to the...
  • Page 337 | mon | tue | wed | thu | fri | sat 38.1.4.1 E-mail Profile Command Examples The following commands set up e-mail log 1. Router# configure terminal Router(config)# logging mail 1 address mail.zyxel.com.tw Router(config)# logging mail 1 subject AAA Router(config)# logging mail 1 authentication username lachang.li password XXXXXX Router(config)# logging mail 1 send-log-to lachang.li@zyxel.com.tw...
  • Page 338 Chapter 38 Logs Table 188 logging Commands: Console Port Settings (continued). logging console category module_name level {alert | crit | debug | emerg | error | info | ... - Controls whether or not debugging information for the specified priority is displayed in the console log, if logging for this category is enabled.
  • Page 339: Reports And Reboot

    CHAPTER 39 Reports and Reboot. This chapter provides information about the report associated commands and how to restart the ZyWALL using commands. It also covers the daily report e-mail feature. 39.1 Report Commands Summary The following sections list the report and session commands. 39.1.1 Report Commands This table lists the commands for reports.
  • Page 340 Chapter 39 Reports and Reboot 39.1.2 Report Command Examples The following commands start collecting data, display the traffic reports, and stop collecting data. Router# configure terminal Router(config)# show report ge1 ip No. IP Address User Amount Direction =================================================================== 192.168.1.4 admin 1273(bytes) Outgoing 192.168.1.4...
  • Page 341 Chapter 39 Reports and Reboot 39.2 Email Daily Report Commands The following table identifies the values used in some of these commands. Other input values are discussed with the corresponding commands. Table 191 Input Values for Email Daily Report Commands LABEL DESCRIPTION An e-mail address.
  • Page 342 Chapter 39 Reports and Reboot Table 192 Email Daily Report Commands (continued). daily-report [no] item session-usage - Determines whether or not session usage statistics are included in the report e-mails. daily-report [no] item port-usage - Determines whether or not port usage statistics are included in the report e-mails.
  • Page 343 Chapter 39 Reports and Reboot This displays the email daily report settings and has the ZyWALL send the report now. Note that the output shows the SMTP password in clear text, so treat captured CLI output as sensitive and redact it before sharing it. Router(config)# show daily-report status email daily report status ========================= activate: yes scheduled time: 13:57 reset counter: no smtp address: example-SMTP-mail-server.com smtp auth: yes smtp username: 12345 smtp password: pass12345...
  • Page 345: Session Timeout

    CHAPTER 40 Session Timeout. Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands. Table 193 Session Timeout Commands. session timeout {udp-connect <1..300>... - Sets the timeout for UDP sessions to connect or...
  • Page 347: Diagnostics

    CHAPTER 41 Diagnostics. This chapter covers how to use the diagnostics feature. 41.1 Diagnostics The diagnostics feature provides an easy way for you to generate a file containing the ZyWALL’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
  • Page 349: Packet Flow Explore

    CHAPTER 42 Packet Flow Explore. This chapter covers how to use the packet flow explore feature. 42.1 Packet Flow Explore Use this to get a clear picture of how the ZyWALL determines where to forward a packet and how it changes the source IP address of the packet according to your current settings.
  • Page 350 Chapter 42 Packet Flow Explore Table 195 Packet Flow Explore Commands (continued). show system snat nat-1-1 - Displays activated NAT rules which use SNAT. show system snat nat-loopback - Displays activated NAT rules which use SNAT with NAT loopback enabled. Displays the default WAN trunk settings.
  • Page 351 Chapter 42 Packet Flow Explore The following example shows all activated dynamic VPN rules. Router> show system route dynamic-vpn Source Destination VPN Tunnel =========================================================================== The following example shows the default WAN trunk’s settings. Router> show system route default-wan-trunk Source Destination Trunk =========================================================================== trunk_ex...
  • Page 352 Chapter 42 Packet Flow Explore The following example shows all activated policy routes which use SNAT and enable NAT loopback. Router> show system snat nat-loopback Note: Loopback SNAT will be only applied only when the initiator is located at the network which the server locates at VS Name Source Destination...
  • Page 353: Maintenance Tools

    CHAPTER 43 Maintenance Tools. Use the maintenance tool commands to check the conditions of other devices through the ZyWALL. The maintenance tools can help you to troubleshoot network problems. Here are maintenance tool commands that you can use in privilege mode. Table 196 Maintenance Tools Commands in Privilege Mode COMMAND DESCRIPTION...
  • Page 354 Chapter 43 Maintenance Tools Table 196 Maintenance Tools Commands in Privilege Mode (continued). duration <0..300> - Sets a time limit in seconds for the capture. The ZyWALL stops the capture and generates the capture file when either this period of time has passed or the file reaches the size specified using the files-size command below.
  • Page 355 Chapter 43 Maintenance Tools Table 196 Maintenance Tools Commands in Privilege Mode (continued). show packet-capture status - Displays whether a packet capture is ongoing. show packet-capture config - Displays current packet capture settings. 43.0.1 Command Examples Some packet-trace command examples are shown below. Router# packet-trace duration 3 tcpdump: listening on eth0 19:24:43.239798 192.168.1.10 >...
  • Page 356 Chapter 43 Maintenance Tools Router# traceroute www.zyxel.com traceroute to www.zyxel.com (203.160.232.7), 30 hops max, 38 byte packets 172.23.37.254 3.049 ms 1.947 ms 1.979 ms 172.23.6.253 2.983 ms 2.961 ms 2.980 ms 172.23.6.1 5.991 ms 5.968 ms 6.984 ms * * * Here are maintenance tool commands that you can use in configure mode.
  • Page 357 Chapter 43 Maintenance Tools Then configure the following settings to capture packets going through the ZyWALL’s WAN1 interface only (this means you have to remove LAN2 and WAN2 from the iface list). • IP address: any • Host IP: any •...
  • Page 358 Chapter 43 Maintenance Tools You can use FTP to download a capture file. Open and study it using a packet analyzer tool (for example, Ethereal or Wireshark).
  • Page 359: Watchdog Timer

    CHAPTER 44 Watchdog Timer. This chapter provides information about the ZyWALL’s watchdog timers. 44.1 Hardware Watchdog Timer The hardware watchdog has the system restart if the hardware fails. The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.
  • Page 360 Chapter 44 Watchdog Timer Table 199 software-watchdog-timer Commands (continued). show software-watchdog-timer status - Displays the settings of the software watchdog timer. show software-watchdog-timer log - Displays a log of when the software watchdog timer took effect. 44.3 Application Watchdog The application watchdog has the system restart a process that fails. These are the app-watch-dog commands. Use the configure terminal command to enter the configuration...
  • Page 361 Chapter 44 Watchdog Timer 44.3.1 Application Watchdog Commands Example The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring. Router# configure terminal Router(config)# show app-watch-dog config Application Watch Dog Setting: activate: yes alert: yes console print: always retry count: 3...
  • Page 363: Command List

    Command List: List of Commands (Alphabetical) (365)
  • Page 365: List Of Commands (Alphabetical)

    List of Commands (Alphabetical). This section lists the commands and sub-commands in alphabetical order. Commands and sub-commands appear at the same level. [no] {anti-virus | personal-firewall} activate ........282 [no] aaa authentication default member1 [member2] [member3] [member4] ... 264 [no] aaa authentication profile-name ..........
  • Page 366 List of Commands (Alphabetical) tivate|deactivate} ............218 [no] anti-spam black-list [rule_number] subject subject {activate|deactivate} ... 218 [no] anti-spam black-list activate ..........218 [no] anti-spam dnsbl activate ........... 220 [no] anti-spam statistics collect ..........222 [no] anti-spam white-list [rule_number] e-mail email {activate|deactivate} ..218 [no] anti-spam white-list [rule_number] ip-address ip subnet_mask {activate|deactivate} [no] anti-spam white-list [rule_number] mail-header mail-header mail-header-value {ac- tivate|deactivate}...
  • Page 367 List of Commands (Alphabetical) [no] authentication {force | required} .......... 242 [no] authentication {none | pap | chap} ......... 275 [no] authentication {string password | ah-md5 password} ......233 [no] authentication mode {md5 | text} ........... 100 [no] authentication string authkey ..........100 [no] auto-destination ............
  • Page 368 List of Commands (Alphabetical) [no] content-filter profile filtering_profile custom forbid forbid_hosts ..209 [no] content-filter profile filtering_profile custom java ....... 209 [no] content-filter profile filtering_profile custom keyword keyword .... 209 [no] content-filter profile filtering_profile custom proxy ...... 209 [no] content-filter profile filtering_profile custom trust trust_hosts ..209 [no] content-filter profile filtering_profile custom trust-allow-features ..
  • Page 369 List of Commands (Alphabetical) [no] device-ha ap-mode master sync authentication password password ..... 230 [no] device-ha ap-mode preempt ..........229 [no] device-ha sync authentication password password ......233 [no] device-ha sync auto ............233 [no] device-ha sync from {hostname | ip} ........233 [no] device-ha sync interval <5..1440>...
  • Page 370 List of Commands (Alphabetical) [no] hide ................ 76 [no] host hostname .............. 108 [no] host ip ..............56 [no] hostname hostname ............293 [no] http-inspection {http-xxx} action {drop | reject-sender | reject-receiver | reject- both}} ..............190 [no] http-inspection {http-xxx} activate ........190 [no] icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address- header} activate ............
  • Page 371 List of Commands (Alphabetical) [no] ip ospf dead-interval <1..65535> ..........61 [no] ip ospf hello-interval <1..65535> ........... 61 [no] ip ospf priority <0..255> ........... 60 [no] ip ospf retransmit-interval <1..65535> ........61 [no] ip rip {send | receive} version <1..2> ........60 [no] ip rip v2-broadcast ............
  • Page 372 List of Commands (Alphabetical) [no] logging syslog <1..4> facility {local_1 | local_2 | local_3 | local_4 | local_5 | local_6 | local_7} ............335 [no] logging syslog <1..4> format {cef | vrpt} ........335 [no] logging system-log suppression ..........334 [no] logging system-log suppression interval <10..600>...
  • Page 373 List of Commands (Alphabetical) [no] policy override-direct-route activate ........94 [no] policy-enforcement ............142 [no] port interface_name ............80 [no] port <0..65535> ............168 [no] port-speed {9600 | 19200 | 38400 | 57600 | 115200} ......310 [no] port-speed {9600 | 19200 | 38400 | 57600 | 115200} ......82 [no] preempt ..............
  • Page 374 List of Commands (Alphabetical) [no] server ip ..............274 [no] server key secret ............261 [no] server password password ........... 258 [no] server password password ........... 260 [no] server port port_no ............259 [no] server port port_no ............260 [no] server search-time-limit time ..........259 [no] server search-time-limit time ..........
  • Page 375 List of Commands (Alphabetical) [no] usb-storage activate ............73 [no] user user_name ............. 130 [no] user user_name ............. 133 [no] user user_name ............. 149 [no] user username .............. 166 [no] user username .............. 167 [no] user username .............. 168 [no] user username .............. 239 [no] user username ..............
  • Page 376 List of Commands (Alphabetical) algorithm {wrr|llf|spill-over} ........... 86 anti-spam dnsbl [1..5] domain dnsbl_domain {activate|deactivate} ....220 anti-spam dnsbl ip-check-order {forward | backward} ......220 anti-spam dnsbl max-query-ip [1..5] ..........220 anti-spam dnsbl query-timeout pop3 {forward | forward-with-tag} ....220 anti-spam dnsbl query-timeout smtp {drop | forward | forward-with-tag} ..220 anti-spam dnsbl query-timeout time [1..10] ........
  • Page 377 List of Commands (Alphabetical) arp IP mac_address .............. 356 atse ................27 authentication {pre-share | rsa-sig} ..........139 authentication key <1..255> key-string authkey ........100 band <b | g | bg> ..............75 bandwidth {inbound | outbound} <0..1048576> ........167 bandwidth {inbound|outbound} <0..1048576>...
  • Page 378 List of Commands (Alphabetical) content-filter policy policy_number shutdown ........208 content-filter statistics flush ..........210 content-filter url- test url ............ 208 content-filter url- test url ............ 210 content-filter url-server test url [ server rating_server ] [ timeout query_timeout ] content-filter url-server test url [server rating_server] [timeout query_timeout] 210 content-filter zsb port <1..65535>...
  • Page 379 List of Commands (Alphabetical) debug gui (*) ..............29 debug gui (*) ..............29 debug hardware (*) ............... 29 debug idp ................ 29 debug idp-av ..............29 debug interface ..............29 debug interface ifconfig [interface] ..........29 debug interface-group ............29 debug ip dns ..............
  • Page 380 List of Commands (Alphabetical) exit ................75 exit ................86 fall-back-check-interval <60..86400> ..........139 files-size <1..10000> ............354 file-suffix <profile_name> ............354 firewall append ..............129 firewall default-rule action {allow | deny | reject} { no log | log [alert] } ... 129 firewall delete rule_number .............
  • Page 381 List of Commands (Alphabetical) idp search system-protect my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log-alert} action action_mask ..193 idp signature newpro [base {all | lan | wan | dmz | none}] ...... 188 idp statistics flush ............
  • Page 382 List of Commands (Alphabetical) ip http-redirect activate description ........... 118 ip http-redirect deactivate description ......... 118 ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535> ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535> de- activate ..............
  • Page 383 List of Commands (Alphabetical) | notice | warn} ............338 logging mail <1..2> schedule daily hour <0..23> minute <0..59> ....337 logging mail <1..2> schedule weekly day day hour <0..23> minute <0..59> ..337 logging mail <1..2> sending_now ..........336 logging system-log category module_name {disable | level normal | level all} ..
  • Page 384 List of Commands (Alphabetical) no network ............... 56 no packet-trace ..............28 no port <1..x> ..............64 no sa spi spi ..............145 no sa tunnel-name map_name ............145 no scan-detection sensitivity ........... 189 no schedule-object object_name ..........254 no security {none | wep | wpa | wpa-wpa2 | wpa2} ......... 78 no server-type ..............
  • Page 385 List of Commands (Alphabetical) port <1..65535> ending-port <1..65535>] ........278 port <1..65535> ending-port <1..65535>] [program-path program-path] .... 278 port-grouping representative_interface port <1..x> ....... 64 psm ................28 qos [none | wmm} ..............75 reauth <30..30000> ............... 77 reboot ................28 redistribute {static | ospf} metric <0..16>...
  • Page 386 List of Commands (Alphabetical) service-register service-type trial service all {kav|zav} ......39 service-register service-type trial service av {kav|zav} ......39 session timeout {udp-connect <1..300> | udp-deliver <1..300> | icmp <1..300>} ... 345 session timeout session {tcp-established | tcp-synrecv | tcp-close | tcp-finwait | tcp- synsent | tcp-closewait | tcp-lastack | tcp-timewait} <1..300>...
  • Page 387 List of Commands (Alphabetical) show anti-virus update ............182 show anti-virus update status ........... 182 show app {general|im|p2p|stream} ..........170 show app all ..............170 show app all defaultport ............170 show app all statistics ............170 show app config ..............170 show app highest sip bandwidth priority .........
  • Page 388 List of Commands (Alphabetical) show content-filter url- ............208 show content-filter url- ............210 show corefile copy usb-storage ........... 74 show cpu status ..............33 show crypto map [map_name] ............141 show daily-report status ............341 show ddns [profile_name] ............108 show device-ha ap-mode backup sync ..........
  • Page 389 List of Commands (Alphabetical) show idp anomaly profile http-inspection all details ......191 show idp anomaly profile icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} details ........192 show idp anomaly profile icmp-decoder all details ....... 192 show idp anomaly profile scan-detection [all details] ......191 show idp anomaly profile scan-detection {icmp-sweep | icmp-filtered-sweep | open-port} details ..............
  • Page 390 List of Commands (Alphabetical) show interface ppp user-define ........... 67 show interface send statistics interval .......... 51 show interface summary all ............51 show interface summary all status ..........51 show interface-group {system-default|user-define|group-name} ..... 86 show interface-name .............. 53 show ip dhcp binding [ip] ............57 show ip dhcp pool [profile_name] ..........
  • Page 391 List of Commands (Alphabetical) show policy-route controll-ipsec-dynamic-rules ........95 show policy-route override-direct-route .......... 95 show policy-route rule_count ............. 95 show policy-route underlayer-rules ..........95 show port setting ..............65 show port status ..............65 show port vlanid ..............80 show port-grouping ............... 64 show radius-server ..............
  • Page 392 List of Commands (Alphabetical) show ssl-vpn network-extension local-ip ......... 148 show sslvpn policy [profile_name] ..........148 show system default-interface-group ..........87 show system default-snat ............87 show system route default-wan-trunk ..........349 show system route dynamic-vpn ........... 349 show system route nat-1-1 ............349 show system route policy-route ..........
  • Page 393 List of Commands (Alphabetical) tcp-decoder {tcp-xxx} log [alert] ..........190 telnet ................28 test aaa ................. 28 test aaa {server|secure-server} {ad|ldap} host {hostname|ipv4-address} [host {hostname|ipv4-address}] port <1..65535> base-dn base-dn-string [bind-dn bind-dn-string password password] login-name-attribute attribute [alternative-login-name-attribute attribute] account account-name ........

Table of Contents