Summary of Contents for ZyXEL Communications ZYWALL - CLI
Page 1
ZyWALL (ZLD) CLI Reference Guide, Version 2.20, 2.21, 2/2011, Edition 3. DEFAULT LOGIN: User Name admin, Password 1234. www.zyxel.com...
Page 3
See your User’s Guide for a list of supported features and details about feature implementation. Please refer to www.zyxel.com or your product’s CD for product specific User Guides and product certifications. How To Use This Guide...
Page 4
Document Conventions. Warnings and Notes: These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Page 5
Icons Used in Figures: Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. Icons: ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone, Switch, Router.
Chapter 1 Command Line Interface. This chapter describes how to access and use the CLI (Command Line Interface). 1.1 Overview If you have problems with your ZyWALL, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the ZyWALL and possibly render it unusable.
Page 12
The ZyWALL might force you to log out of your session if the reauthentication time, lease time, or idle timeout is reached. See Chapter 25 on page 237 for more information about these settings. 1.2.1 Console Port The default settings for the console port are as follows.
Page 13
Enter the user name and password at the prompts. The default login username is admin and password is 1234. The username and password are case-sensitive. 1.2.2 Web Configurator Console Before you can access the CLI through the web configurator, make sure your computer supports the Java Runtime Environment.
Page 14
Figure 4 Web Console: User Name. 5 Enter the user name you want to use to log in to the console. The console begins to connect to the ZyWALL. The default login username is admin. It is case-sensitive. Figure 5 Web Console: Connecting. Then, the Password screen appears.
Page 15
Figure 7 Web Console. 7 To use most commands in this User’s Guide, enter configure terminal. The prompt should change to Router(config)#. 1.2.3 Telnet Use the following steps to Telnet into your ZyWALL. 1 If your computer is connected to the ZyWALL over the Internet, skip to the next step. Make sure your computer IP address and the ZyWALL IP address are on the same subnet.
Page 16
Figure 8 SSH Login Example
C:\>ssh2 admin@192.168.1.1
Host key not found from database.
Key fingerprint:
xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to C:/Documents and Settings/user/Application Data/SSH/hostkeys/ ey_22_192.168.1.1.pub...
Page 17
1.4.3 Command Summary This section lists the commands for the feature in one or more tables. 1.4.4 Command Examples (Optional) This section contains any examples for the commands in this feature. 1.4.5 Command Syntax The following conventions are used in this User’s Guide.
Page 18
Table 2 CLI Modes (continued). Row: What Limited-Admin users can do. USER: Look at system information (like Status screen). PRIVILEGE: Look at system information (like Status screen). CONFIGURATION: Unable to access. SUB-COMMAND: Unable to access...
Page 19
Figure 9 Help: Available Commands Example 1
Router> ?
<cr>
apply
atse
clear
configure
------------------[Snip]--------------------
shutdown
telnet
test
traceroute
write
Router>
Figure 10 Help: Available Command Example 2
Router> show ?
<wlan ap interface>
access-page
account
ad-server
address-object...
Page 20
1.6.3 Entering Partial Commands The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the ZyWALL automatically display the full command. For example, if you enter part of a command and press [TAB], the full command of config...
Page 21
1.7 Input Values You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen.
Page 22
Table 3 Input-Value Formats for Strings in CLI Commands (continued). Columns: # VALUES, LEGAL VALUES.
domain name, used in content filtering: lower-case letters, numbers, or .-
domain name, used in ip dns server: 0-247 characters; alphanumeric or .-; first character: alphanumeric or -
domain name, used in domainname, ip dhcp pool, and ip domain: 0-254 characters; alphanumeric or ._-...
Page 23
Table 3 Input-Value Formats for Strings in CLI Commands (continued). Columns: # VALUES, LEGAL VALUES.
password: less than 15 chars: 1-15 characters; alphanumeric or `~!@#$%^&*()_\-+={}|\;:'<,>./
password: less than 8 chars: alphanumeric or ;/?:@&=+$\.-_!~*'()%,#$
password, used in user and ip ddns: 1-63 characters; alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./
password, used in e-mail log profile SMTP authentication: ...
Page 24
Table 3 Input-Value Formats for Strings in CLI Commands (continued). Columns: # VALUES, LEGAL VALUES.
Used in content filtering redirect: “http://”+ or “https://”+ alphanumeric or ;/?:@&=+$\.-_!~*'()%, ; starts with “http://” or “https://”; may contain one pound sign (#)
Used in other content filtering commands: “http://”+ alphanumeric or ;/?:@&=+$\.-_!~*'()%,...
Page 25
Always save the changes before you log out after each management session. All unsaved changes will be lost after the system restarts. 1.10 Logging Out Enter the exit or end command in configure mode to go to privilege mode. Enter the exit command in user mode or privilege mode to log out of the CLI.
‘user mode’. All commands can be run in ‘privilege mode’. The htm and psm commands are for ZyXEL’s internal manufacturing process. Table 4 User (U) and Privilege (P) Mode Commands COMMAND...
Page 28
Goes to htm (hardware test module) mode for testing hardware components. You may need to use the htm commands if your customer support engineer asks you to during troubleshooting. Note: These commands are for ZyXEL’s internal manufacturing process. Dials or disconnects an interface.
Page 29
Debug commands marked with an asterisk (*) are not available when the debug flag is on and are for ZyXEL service personnel use only. The debug commands follow a syntax that is Linux-based, so if there is a Linux equivalent, it is displayed in this chapter for your reference.
Page 30
Chapter 2 User and Privilege Modes Table 5 Debug Commands (continued). Columns: COMMAND SYNTAX, DESCRIPTION, LINUX COMMAND EQUIVALENT.
debug no myzyxel server (*): Set the myZyXEL.com registration/update server to the official site.
debug policy-route (*): Policy route debug command.
debug reset content-filter profiling: Content Filtering debug commands.
Service registration debug command...
Chapter 3 Object Reference. This chapter describes how to use object reference commands. 3.1 Object Reference Commands The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
Page 32
Table 6 show reference Commands (continued). Columns: COMMAND, DESCRIPTION.
show reference object isakmp policy [isakmp_name]: Displays which configuration settings reference the specified VPN gateway object.
show reference object sslvpn policy [profile]: Displays which configuration settings reference the specified SSL VPN object.
show reference object zone...
Chapter 4 Status. This chapter explains some commands you can use to display information about the ZyWALL’s current operational state. Table 7 Status Show Commands. Columns: COMMAND, DESCRIPTION.
show boot status: Displays details about the ZyWALL’s startup state.
Displays whether the console and auxiliary ports are on or off.
Page 34
Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size, and serial number.
Router(config)# show fan-speed
FAN1(F00)(rpm): limit(hi)=6500, limit(lo)=1400, max=6650, min=6642, avg=6644
FAN2(F01)(rpm): limit(hi)=6500, limit(lo)=1400, max=6809, min=6783, avg=6795
FAN3(F02)(rpm): limit(hi)=6500, limit(lo)=1400, max=6683, min=6666, avg=6674
FAN4(F03)(rpm): limit(hi)=6500, limit(lo)=1400, max=6633, min=6617, avg=6627
Router(config)# show mac
MAC address: 28:61:32:89:37:61-28:61:32:89:37:67...
Page 35
Here is an example of the command that displays the open ports.
Router(config)# show socket open
Proto Local_Address Foreign_Address State
===========================================================================
172.23.37.240:22 172.23.37.10:1179 ESTABLISHED
127.0.0.1:64002 0.0.0.0:0
0.0.0.0:520 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0...
Page 36
Here are examples of the commands that display the system uptime and model, firmware, and build information.
Router> show system uptime
system uptime: 04:18:00
Router> show version
ZyXEL Communications Corp.
model : ZyWALL USG 100
firmware version: 2.20(AQQ.0)b3
BM version : 1.08...
AppPatrol, anti-virus, content filtering, and SSL VPN services using commands. 5.1 myZyXEL.com overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
Page 38
PIN number (license key) in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. If you were already using an iCard anti-virus subscription, any remaining time on your earlier subscription is automatically added to the new subscription.
Page 39
service-register service-type trial service all {kav|zav}: Activates all of the trial service subscriptions, including Kaspersky or ZyXEL anti-virus.
service-register service-type trial service av {kav|zav}: Activates a Kaspersky or ZyXEL anti-virus trial service subscription.
Changes from one anti-virus engine to the other.
Page 40
Chapter 5 Registration 5.2.1 Command Examples The following commands allow you to register your device with an existing account or create a new account and register the device at one time, and activate a trial service subscription.
Router# configure terminal
Router(config)# device-register username alexctsui password 123456
Router(config)# service-register service-type trial service content-filter
The following command displays the account information and whether the device is...
Page 41
5.3 Country Code The following table displays the number for each country. Table 10 Country Codes. Columns: COUNTRY CODE, COUNTRY NAME. Afghanistan, Albania, Algeria, American Samoa, Andorra, Angola, Anguilla, Antarctica, Antigua & Barbuda, Argentina, Armenia, Aruba, Ascension Island...
Page 42
Table 10 Country Codes (continued). Columns: COUNTRY CODE, COUNTRY NAME. Faroe Islands, Fiji, Finland, France, France (Metropolitan), French Guiana, French Polynesia, French Southern Territories, Gabon, Gambia, Georgia, Germany, Ghana, Gibraltar, Great Britain, Greece, Greenland, Grenada, Guadeloupe, Guam...
Page 43
Table 10 Country Codes (continued). Columns: COUNTRY CODE, COUNTRY NAME. Namibia, Nauru, Nepal, Netherlands, Netherlands Antilles, New Caledonia, New Zealand, Nicaragua, Niger, Nigeria, Niue, Norfolk Island, Northern Mariana Islands, Norway, Not Determined, Oman, Pakistan, Palau, Panama, Papua New Guinea...
Page 44
Table 10 Country Codes (continued). Columns: COUNTRY CODE, COUNTRY NAME. Uruguay, Uzbekistan, Vanuatu, Venezuela, Vietnam, Virgin Islands (British), Virgin Islands (USA), Wallis And Futuna Islands, Western Sahara, Western Samoa, Yemen, Yugoslavia, Zambia, Zimbabwe.
Page 47
Chapter 6 Interfaces. This chapter shows you how to use interface-related commands. 6.1 Interface Overview In general, an interface has the following characteristics. • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface.
Page 48
• Virtual interfaces (IP alias) provide additional routing information in the ZyWALL. There are three types: virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces. • The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out.
Page 50
** - Cellular interfaces can be added to the WAN zone or no zone. 6.1.2 Relationships Between Interfaces In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports (or port groups). The relationships between interfaces are explained in the following table.
Page 51
6.2 Interface General Commands Summary The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 15 Input Values for General Interface Commands. Columns: LABEL, DESCRIPTION. interface_name: The name of the interface. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
Page 52
Table 16 interface General Commands: Basic Properties and IP Address Assignment (continued). Columns: COMMAND, DESCRIPTION. [no] description description: Specifies the description for the specified interface. The no command clears the description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
Page 53
Table 16 interface General Commands: Basic Properties and IP Address Assignment (continued). Columns: COMMAND, DESCRIPTION. interface reset {interface_name|virtual_interface_name|all}: Resets the interface statistics TxPkts (transmitted packets) and RxPkts (received packets) counts to 0. You can use the show interface summary all status command to see the interface statistics.
Page 54
This example shows how to modify the name of interface ge4 to “VIP”. First you have to check the interface system name (ge4 in this example) on the ZyWALL. Then change the name and display the result. Router>...
Page 55
This example shows how to restart an interface. You can check all interface names on the ZyWALL. Then use either the system name or user-defined name of an interface (ge4 or Customer in this example) to restart it. Router>...
Page 56
Table 17 interface Commands: DHCP Settings (continued). Columns: COMMAND, DESCRIPTION. [no] host ip: Specifies the static IP address the ZyWALL should assign. Use this command, along with hardware-address, to create a static DHCP entry. Note: The IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool.
Page 57
Table 17 interface Commands: DHCP Settings (continued). Columns: COMMAND, DESCRIPTION. [no] starting-address ip pool-size <1..65535>: Sets the IP start address and maximum pool size of the specified DHCP pool. The final pool size is limited by the subnet mask. Note: You must specify the network first, and the start address...
Page 58
6.2.2.1 DHCP Setting Command Examples The following example uses these commands to configure DHCP pool DHCP_TEST.
Router# configure terminal
Router(config)# ip dhcp pool DHCP_TEST
Router(config-ip-dhcp-pool)# network 192.168.1.0 /24
Router(config-ip-dhcp-pool)# domain-name zyxel.com
Router(config-ip-dhcp-pool)# first-dns-server 10.1.5.1
Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns
Router(config-ip-dhcp-pool)# third-dns-server 10.1.5.2
Router(config-ip-dhcp-pool)# default-router 192.168.1.1...
Page 60
Table 19 interface Commands: RIP Settings (continued). Columns: COMMAND, DESCRIPTION. [no] ip rip {send | receive} version <1..2>: Sets the send or receive version to the specified version number. The no command sets the send or receive version to the current global setting for RIP.
Page 61
Table 20 interface Commands: OSPF Settings (continued). Columns: COMMAND, DESCRIPTION. ip ospf message-digest-key <1..255> md5 password: Sets the ID and password for OSPF MD5 authentication in the specified interface. password: 1-16 alphanumeric characters or underscores. no ip ospf message-digest-key: Clears the ID and password for OSPF MD5 authentication in the specified interface.
Page 62
6.2.6 Connectivity Check (Ping-check) Commands Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the ZyWALL stops routing to the gateway.
Page 63
6.2.6.1 Connectivity Check Command Example The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2.
Router# configure terminal
Router(config)# interface wan1
Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080
Router(config-if-wan1)# exit
Router(config)# show ping-check...
Page 64
Table 23 interface Commands: MAC Setting (continued). Columns: COMMAND, DESCRIPTION. type {internal|external|general}: Sets which type of network you will connect this interface to. The ZyWALL automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces; for example, LAN to WAN traffic.
Page 65
Table 24 Basic Interface Setting Commands (continued). Columns: COMMAND, DESCRIPTION. [no] negotiation auto: Sets the port to use auto-negotiation to determine the port speed and duplex. The no command turns off auto-negotiation. [no] speed <100,10>: Sets the Ethernet port’s connection speed in Mbps...
Page 66
6.4 Virtual Interface Specific Commands Virtual interfaces use many of the general interface commands discussed at the beginning of Section 6.2 on page 51. There are no additional commands for virtual interfaces. 6.4.1 Virtual Interface Command Examples The following commands set up a virtual interface on top of Ethernet interface ge1.
Page 67
Table 26 interface Commands: PPPoE/PPTP Interfaces (continued). Columns: COMMAND, DESCRIPTION. [no] bind interface_name: Specifies the base interface for the PPPoE/PPTP interface. The no command removes the base interface. [no] connectivity {nail-up | dial-on-demand}: Specifies whether the specified PPPoE/PPTP interface is always connected (nail-up) or connected only when used (dial-on-demand).
Page 68
The following commands show you how to connect and disconnect ppp0.
Router# interface dial ppp0
Router# interface disconnect ppp0
6.6 Cellular Interface Specific Commands Use a 3G (Third Generation) cellular device with the ZyWALL for wireless broadband Internet access.
Page 69
Table 27 Cellular Interface Commands (continued). Columns: COMMAND, DESCRIPTION. [no] budget data active {download-upload|download|upload} <1..100000>: Sets how much downstream and/or upstream data (in megabytes) can be transmitted via the 3G connection within one month. download: set a limit on the downstream traffic (from the ISP to the ZyWALL).
Page 70
Table 27 Cellular Interface Commands (continued). Columns: COMMAND, DESCRIPTION. no budget log-percentage [recursive]: Sets the ZyWALL to not create a log when the set percentage of time budget or data limit is exceeded. You can configure the percentage using the budget percentage command. You can also specify recursive to have the ZyWALL only create a log one time when the set percentage of time budget or data limit is exceeded.
Page 71
6.6.1 Cellular Status The following table describes the different kinds of cellular connection status on the ZyWALL. Table 28 Cellular Status. Columns: STATUS, DESCRIPTION. No device: No 3G device is connected to the ZyWALL. No service: No 3G network is available in the area; you cannot connect to the Internet. Limited service: Returned by the service provider in cases where the SIM card is expired, the user failed to pay for the service and so on;...
Page 72
Table 28 Cellular Status. Columns: STATUS, DESCRIPTION. PPP fail: The ZyWALL failed to create a PPP connection for the cellular interface. Need auth-password: You need to enter the password for the 3G card in the cellular edit screen. Device ready: The ZyWALL successfully applied all of your configuration and you can use the 3G connection.
Page 73
This example shows the 3G connection profile settings for interface cellular2 on the ZyWALL. You have to dial *99***1# to use profile 1, but authentication is not required. Dial *99***2# to use profile 2, and authentication is required.
Router(config)# show interface cellular2 device profile
profile: 1
apn: internet...
Page 74
Table 29 USB Storage General Commands (continued). Columns: COMMAND, DESCRIPTION. usb-storage flushThreshold <1..100>: Configures the maximum storage space (in percentage) for storing system logs on the connected USB storage device. [no] diag-info copy usb-storage: Sets to have the ZyWALL save or stop saving the current system diagnostics information to the connected USB storage device.
Page 75
6.8.1 WLAN General Commands Use these commands to configure global settings that apply to all of the wireless LAN interfaces you create on the WLAN card. Table 31 WLAN General Commands. Columns: COMMAND, DESCRIPTION. wlan slot_name: Specifies the slot the WLAN card is installed in and enters sub-command mode.
Page 76
6.8.1.1 WLAN General Commands Example This example sets wireless slot 1 to use the IEEE 802.11b and IEEE 802.11g bands, channel 5, super mode, 50 % output power, and enables it.
Router(config)# wlan slot1
Router(config-wlan-slot)# band bg
Router(config-wlan-slot)# channel 5
Router(config-wlan-slot)# super
Router(config-wlan-slot)# output-power 50%...
Page 77
Table 32 WLAN Interface Commands (continued). Columns: COMMAND, DESCRIPTION. reauth <30..30000>: Sets the WPA2 reauthentication timer. This is the interval at which wireless stations have to resend usernames and passwords in order to stay connected. If a RADIUS server authenticates wireless stations, the reauthentication timer on the RADIUS server has priority.
Page 78
Table 32 WLAN Interface Commands (continued). Columns: COMMAND, DESCRIPTION. [no] security dot1x acct ip port <1..65535>: Sets the IP address and port number of an external accounting server. [no] security dot1x auth ip port: Sets the IP address and port number of an external authentication (RADIUS) server.
Page 79
6.8.3 WLAN MAC Filter Commands Use these commands to give specific wireless clients exclusive access to the ZyWALL (allow association) or block specific devices from accessing the ZyWALL (deny association) based on the devices’ MAC addresses. Table 33 WLAN General Commands. Columns: COMMAND, DESCRIPTION. Specifies the MAC address (in XX:XX:XX:XX:XX:XX format)
Page 80
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 34 Input Values for VLAN Interface Commands. Columns: LABEL, DESCRIPTION. interface_name: VLAN interface: vlanx, x = 0 - 4094. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your...
Page 81
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 36 Input Values for Bridge Interface Commands. Columns: LABEL, DESCRIPTION. interface_name: The name of the interface. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
Page 82
6.11 Auxiliary Interface Specific Commands The first table below lists the auxiliary interface commands, and the second table explains the values you can input with these commands. Table 38 interface Commands: Auxiliary Interface. Columns: COMMAND, DESCRIPTION. interface dial aux / interface disconnect aux: Dials or disconnects the auxiliary interface. Enters sub-command mode.
Page 83
6.11.1 Auxiliary Interface Command Examples The following commands show you how to set up the auxiliary interface aux with the following parameters: phone-number 0340508888, tone dialing, port speed 115200, initial-string ATZ, timeout 10 seconds, retry count 2, retry interval 100 seconds, username kk, password kk@u2online, chap-pap authentication, and description “I am aux interface”.
Page 85
Chapter 7 Trunks. This chapter shows you how to configure trunks on your ZyWALL. 7.1 Trunks Overview You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface’s connection goes down, the ZyWALL sends traffic through another member of the trunk.
Page 86
7.3 Trunk Commands Input Values The following table explains the values you can input with the interface-group commands. Table 39 interface-group Command Input Values. Columns: LABEL, DESCRIPTION. group-name: A descriptive name for the trunk. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number.
Page 87
Table 40 interface-group Commands Summary (continued). Columns: COMMAND, DESCRIPTION. loadbalancing-index outbound|inbound|total: Use this command only if you use least load first or spill-over as the trunk’s load balancing algorithm. Set either outbound, inbound, or outbound and inbound traffic (total) as the traffic to which the ZyWALL will apply the specified algorithm.
Page 88
The following example creates a least load first trunk for Ethernet interface ge3 and VLAN 5, which will only apply to outgoing traffic through the trunk. The ZyWALL sends new session traffic through the least utilized of these interfaces.
Router# configure terminal
Router(config)# interface-group llf-example
Router(if-group)# mode trunk...
Page 89
7.6 Link Sticking You can have the ZyWALL send each local computer’s traffic through a single WAN interface for a specified period of time. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file. If the user’s subsequent sessions came from a different WAN IP address, the file server would deny the request.
Page 90
7.7 Link Sticking Commands Summary The following table lists the ip load-balancing link-sticking commands for link sticking. (The link sticking commands have the prefix ip load-balancing because they affect the ZyWALL’s load balancing behavior.) You must use the configure command to enter the configuration mode before you can use these commands.
Page 91
Chapter 8 Route. This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL. 8.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
Page 92
Table 42 Input Values for General Policy Route Commands (continued). Columns: LABEL, DESCRIPTION. schedule_object: The name of the schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Page 93
Table 43 Command Summary: Policy Route (continued). Columns: COMMAND, DESCRIPTION. [no] dscp {any | <0..63>}: Sets a custom DSCP code point (0~63). This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker.
Page 94
Table 43 Command Summary: Policy Route (continued). Columns: COMMAND, DESCRIPTION. [no] sslvpn tunnel_name: Sets the incoming interface to an SSL VPN tunnel. The no command removes the SSL VPN tunnel through which the incoming packets are received. [no] trigger <1..8>: Sets a port triggering rule. The no command...
Page 95
Table 43 Command Summary: Policy Route (continued). Columns: COMMAND, DESCRIPTION.
show policy-route begin <1..200> end <1..200>: Displays the specified range of policy route settings.
show policy-route controll-ipsec-dynamic-rules: Displays whether the ZyWALL checks policy routes first before IPSec dynamic rules.
show policy-route override-direct-route: Displays whether or not the ZyWALL forwards packets that match a policy route according to...
Page 96
8.2.2 Policy Route Command Example The following commands create two address objects (TW_SUBNET and GW_1) and insert a policy that routes the packets (with the source IP address TW_SUBNET and any destination IP address) through the interface ge1 to the next-hop router GW_1. This route uses the IP address of the outgoing interface as the matched packets’...
Page 97
Figure 15 Example of Static Routing Topology. 8.4 Static Route Commands The following table describes the commands available for static routes. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Page 99
Chapter 9 Routing Protocol. This chapter describes how to set up RIP and OSPF routing protocols for the ZyWALL. 9.1 Routing Protocol Overview Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL then stores this routing information in the routing table, which it uses when it makes routing decisions.
Page 100
9.2.1 RIP Commands This table lists the commands for RIP. Table 48 router Commands: RIP. Columns: COMMAND, DESCRIPTION. router rip: Enters sub-command mode. [no] network interface_name: Enables RIP on the specified Ethernet interface. The no command disables RIP on the specified interface.
Page 101
Table 49 router Commands: General OSPF Configuration (continued). Columns: COMMAND, DESCRIPTION. [no] passive-interface interface_name: Sets the direction to “In-Only” for the specified interface. The no command sets the direction to “BiDir”. [no] router-id IP: Sets the 32-bit ID (in IP address format) of the ZyWALL.
Page 102
Table 51 router Commands: Virtual Links in OSPF Areas (continued). Columns: COMMAND, DESCRIPTION. [no] area IP virtual-link IP authentication message-digest: Enables MD5 authentication in the specified virtual link. The no command disables authentication in the specified virtual link. [no] area IP virtual-link IP: Sets the password for text authentication in the specified virtual link.
Page 103
Chapter 10 Zones. Set up zones to configure network security and network policies in the ZyWALL. 10.1 Zones Overview A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management.
Page 104
Chapter 10 Zones 10.2 Zone Commands Summary The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands. Table 53 Input Values for Zone Commands LABEL DESCRIPTION The name of a zone, or the name of a VPN tunnel. profile_name For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-).
Page 105
Chapter 10 Zones 10.2.1 Zone Command Examples The following commands add Ethernet interfaces ge1 and ge2 to zone A and block intra-zone traffic. Router# configure terminal Router(config)# zone A Router(zone)# interface ge1 Router(zone)# interface ge2 Router(zone)# block Router(zone)# exit Router(config)# show zone No.
Page 107
CHAPTER DDNS This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL. 11.1 DDNS Overview DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address.
Page 108
Chapter 11 DDNS 11.2 DDNS Commands Summary The following table describes the values required for many DDNS commands. Other values are discussed with the corresponding commands. Table 56 Input Values for DDNS Commands LABEL DESCRIPTION The name of the DDNS profile. You may use 1-31 alphanumeric characters, profile_name underscores( ), or dashes (-), but the first character cannot be a number.
Page 109
Chapter 11 DDNS Table 57 ip ddns Commands (continued) COMMAND DESCRIPTION Sets the WAN interface in the specified DDNS [no] wan-iface interface_name profile. The no command clears it. Sets the backup WAN interface in the specified [no] backup-iface interface_name DDNS profile. The no command clears it.
Page 111
CHAPTER Virtual Servers This chapter describes how to set up, manage, and remove virtual servers. Virtual server commands configure NAT. 12.1 Virtual Server Overview Virtual server is also known as port forwarding or port translation. Virtual servers are computers on a private network behind the ZyWALL that you want to make available outside the private network.
Page 112
Chapter 12 Virtual Servers The following table lists the virtual server commands. Table 59 ip virtual-server Commands COMMAND DESCRIPTION Displays information about the specified virtual show ip virtual-server [profile_name] server or about all the virtual servers. Deletes the specified virtual server. no ip virtual-server profile_name Creates or modifies the specified virtual server and ip virtual-server profile_name interface...
Page 113
Chapter 12 Virtual Servers Table 59 ip virtual-server Commands (continued) COMMAND DESCRIPTION Creates or modifies the specified virtual server and ip virtual-server profile_name interface maps the specified (destination IP address, interface_name original-ip {any | IP | protocol, and range of destination ports) to address_object} map-to {address_object | ip} specified (destination IP address and range of map-type...
Page 114
Chapter 12 Virtual Servers 12.2.1 Virtual Server Command Examples The following command creates virtual server WAN-LAN_H323 on the wan1 interface that maps IP address 10.0.0.8 to 192.168.1.56 for TCP protocol traffic on port 1720. It also adds a NAT loopback entry. Router# configure terminal Router(config)# ip virtual-server WAN-LAN_H323 interface wan1 original-ip 10.0.0.8 map-to 192.168.1.56 map-type port protocol tcp original-port 1720...
Page 115
Chapter 12 Virtual Servers Create two address objects. One is named DMZ_HTTP for the HTTP server’s private IP address of 192.168.3.7. The other one is named ge2_HTTP for the ge2 (wan1) public IP address of 1.1.1.2. Router# configure terminal Router(config)# address-object DMZ_HTTP 192.168.3.7 Router(config)# address-object ge2_HTTP 1.1.1.2 Router(config)# 2 Configure NAT...
Page 117
CHAPTER HTTP Redirect This chapter shows you how to configure HTTP redirection on your ZyWALL. 13.1 HTTP Redirect Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. 13.1.1 Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
Page 118
Chapter 13 HTTP Redirect 13.2 HTTP Redirect Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 60 Input Values for HTTP Redirect Commands LABEL DESCRIPTION The name to identify the rule. You may use 1-31 alphanumeric characters, description underscores( ), or dashes (-), but the first character cannot be a number.
Page 119
Chapter 13 HTTP Redirect 13.2.1 HTTP Redirect Command Examples The following commands create an HTTP redirect rule, disable it and display the settings. Router# configure terminal Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80 Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80 deactivate Router(config)# show ip http-redirect Name...
Page 121
CHAPTER ALG This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. 14.1 ALG Introduction The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL’s NAT.
Page 122
Chapter 14 ALG 14.2 ALG Commands The following table lists the commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 62 alg Commands COMMAND DESCRIPTION Turns on or configures the ALG. [no] alg sip [inactivity-timeout | signal-port <1025..65535>...
Page 123
Chapter 14 ALG 14.3 ALG Commands Example The following example turns on pass through for SIP and turns it off for H.323. Router# configure terminal Router(config)# alg sip Router(config)# no alg h323 ZyWALL (ZLD) CLI Reference Guide...
CHAPTER Firewall This chapter introduces the ZyWALL’s firewall and shows you how to configure your ZyWALL’s firewall. 15.1 Firewall Overview The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
Page 128
Chapter 15 Firewall Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the schedule, user name (user’s login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them).
Page 129
Chapter 15 Firewall Table 64 Command Summary: Firewall (continued) COMMAND DESCRIPTION Enters the firewall sub-command mode to set firewall zone_object {zone_object|ZyWALL} a direction specific through-ZyWALL rule or rule_number to-ZyWALL rule. See Table 65 on page 130 for the sub-commands. Enters the firewall sub-command mode to add firewall zone_object {zone_object|ZyWALL} append a direction specific through-ZyWALL rule or to-ZyWALL rule to the end of the global rule...
Page 130
Chapter 15 Firewall 15.2.1 Firewall Sub-Commands The following table describes the sub-commands for several firewall commands. Table 65 firewall Sub-commands COMMAND DESCRIPTION Sets the action the ZyWALL takes when packets action {allow|deny|reject} match this rule. Enables a firewall rule. The no command disables [no] activate the firewall rule.
Page 131
Chapter 15 Firewall 15.2.2 Firewall Command Examples The following example shows you how to add a firewall rule to allow a MyService connection from the WAN zone to the IP addresses Dest_1 in the LAN zone. • Enter configuration command mode. •...
Page 132
Chapter 15 Firewall The following command displays the firewall rule(s) (including the default firewall rule) that applies to the packet direction from WAN to LAN. The firewall rule numbers in the menu are the firewall rules’ priority numbers in the global rule list. Router# configure terminal Router(config)# show firewall WAN LAN firewall rule: 3...
Page 133
Chapter 15 Firewall The following table describes the session-limit commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 67 Command Summary: Session Limit COMMAND DESCRIPTION Turns the session-limit feature on or off. [no] session-limit activate Sets the default number of concurrent NAT/ session-limit limit <0..8192>...
CHAPTER IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. 16.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing.
Page 138
Chapter 16 IPSec VPN Figure 20 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
Page 139
Chapter 16 IPSec VPN Table 68 Input Values for IPSec VPN Commands (continued) LABEL DESCRIPTION A domain name. You can use up to 511 alphanumeric, characters, spaces, distinguished_name or .@=,_- characters. Sort the list of currently connected SAs by one of the following sort_order classifications.
Page 140
Chapter 16 IPSec VPN Table 69 isakmp Commands: IKE SAs (continued) COMMAND DESCRIPTION Sets the encryption and authentication algorithms transform-set isakmp-algo [isakmp_algo for each proposal. [isakmp_algo]] ISAKMP_ALGO: {des-md5 | des-sha | 3des-md5 | 3des-sha | aes128-md5 | aes128-sha | aes192- md5 | aes192-sha | aes256-md5 | aes256-sha} Sets the IKE SA life time to the specified value.
Page 141
Chapter 16 IPSec VPN 16.2.2 IPSec SA Commands (except Manual Keys) This table lists the commands for IPSec SAs, excluding manual keys (VPN connections using VPN gateways). Table 70 crypto Commands: IPSec SAs COMMAND DESCRIPTION Fragment packets larger than the MTU (Maximum [no] crypto ignore-df-bit Transmission Unit) that have the “don’t”...
Page 142
Chapter 16 IPSec VPN Table 70 crypto Commands: IPSec SAs (continued) COMMAND DESCRIPTION Select the scenario that best describes your scenario {site-to-site-static|site-to- intended VPN connection. site-dynamic|remote-access-server|remote- Site-to-site: The remote IPSec router has a access-client} static IP address or a domain name. This ZyWALL can initiate the VPN tunnel.
Page 143
Chapter 16 IPSec VPN Table 70 crypto Commands: IPSec SAs (continued) COMMAND DESCRIPTION Configures in-bound traffic SNAT in the IPSec SA. in-snat source address_name destination address_name snat address_name Enables in-bound traffic DNAT in the IPSec SA. [no] in-dnat activate The no command disables in-bound traffic DNAT in the IPSec SA.
Page 144
Chapter 16 IPSec VPN 16.2.3 IPSec SA Commands (for Manual Keys) This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys). Table 71 crypto map Commands: IPSec SAs (Manual Keys) COMMAND DESCRIPTION crypto map map_name Sets the active protocol, SPI (<256..4095>), set session-key {ah <256..4095>...
Page 145
Chapter 16 IPSec VPN Table 72 vpn-concentrator Commands: VPN Concentrator (continued) COMMAND DESCRIPTION Adds the specified IPSec SA to the specified VPN [no] crypto map_name concentrator. The no command removes the specified IPSec SA from the specified VPN concentrator. Renames the specified VPN concentrator (first vpn-concentrator rename profile_name profile_name) to the specified name (second profile_name...
Page 147
CHAPTER SSL VPN This chapter shows you how to set up secure SSL VPN access for remote user login. 17.1 SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks: •...
Page 148
Chapter 17 SSL VPN Table 74 Input Values for SSL VPN Commands (continued) LABEL DESCRIPTION The name of a user (group). You may use 1-31 alphanumeric characters, user_name underscores( ), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Page 149
Chapter 17 SSL VPN Table 75 SSL VPN Commands COMMAND DESCRIPTION Moves the first specified endpoint security object to the second eps move <1..8> to <1..8> specified endpoint security object’s position. Sets whether to have the ZyWALL repeat the endpoint security [no] eps periodical-check check at a regular interval configured using the next command.The activate...
Page 150
Chapter 17 SSL VPN 1 First of all, configure 10.1.1.254/24 for the IP address of interface ge2 which is an external interface for public SSL VPN to access. Configure 172.16.10.254/24 for the IP address of interface ge3 which is an internal network. Router(config)# interface ge2 Router(config-if-ge)# ip address 10.1.1.254 255.255.255.0 Router(config-if-ge)# exit...
Page 151
Chapter 17 SSL VPN 5 Create an SSL VPN rule named SSL_VPN_TEST. Enable it and apply objects you just created. Router(config)# sslvpn policy SSL_VPN_TEST Router(policy SSL_VPN_TEST)# activate Router(policy SSL_VPN_TEST)# user tester Router(policy SSL_VPN_TEST)# network-extension activate Router(policy SSL_VPN_TEST)# network-extension ip-pool IP-POOL Router(policy SSL_VPN_TEST)# network-extension 1st-dns DNS1 Router(policy SSL_VPN_TEST)# network-extension 2nd-dns DNS2 Router(policy SSL_VPN_TEST)# network-extension network NETWORK1...
CHAPTER L2TP VPN This chapter explains how to set up and maintain L2TP VPNs in the ZyWALL. 18.1 L2TP VPN Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’...
Page 154
Chapter 18 L2TP VPN • Not be a manual key VPN connection. • Use Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. 18.2.1 Using the Default L2TP VPN Connection Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN.
Page 155
Chapter 18 L2TP VPN 18.4 L2TP VPN Commands The following table describes the values required for some L2TP VPN commands. Other values are discussed with the corresponding commands. Table 76 Input Values for L2TP VPN Commands LABEL DESCRIPTION The name of an IP address (group) object. You may use 1-31 alphanumeric address_object characters, underscores( ), or dashes (-), but the first character cannot be a...
Page 156
Chapter 18 L2TP VPN Table 77 L2TP VPN Commands COMMAND DESCRIPTION Specifies how the ZyWALL authenticates a remote user before allowing l2tp-over-ipsec access to the L2TP VPN tunnel. authentication aaa The authentication method has the ZyWALL check a user’s user name and authentication profile_name password against the ZyWALL’s local database, a remote LDAP, RADIUS, an Active Directory server, or more than one of these.
Page 157
Chapter 18 L2TP VPN Figure 23 L2TP VPN Example 172.23.37.205 L2TP_POOL: 192.168.10.10~192.168.10.20 LAN_SUBNET: 192.168.1.1/24 • The ZyWALL has a static IP address of 172.23.37.205 for the ge3 interface. • The remote user has a dynamic public IP address and connects through the Internet. •...
Page 158
Chapter 18 L2TP VPN • For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0. It is named L2TP_HOST in this example. Router(config)# crypto map Default_L2TP_VPN_Connection Router(config-crypto Default_L2TP_VPN_Connection)# policy-enforcement Router(config-crypto Default_L2TP_VPN_Connection)# local-policy L2TP_IFACE Router(config-crypto Default_L2TP_VPN_Connection)# remote-policy L2TP_HOST Router(config-crypto Default_L2TP_VPN_Connection)# activate Router(config-crypto Default_L2TP_VPN_Connection)# exit...
Page 159
Chapter 18 L2TP VPN • Enable the policy route. Router(config)# policy 3 Router(policy-route)# source LAN_SUBNET Router(policy-route)# destination L2TP_POOL Router(policy-route)# service any Router(policy-route)# next-hop tunnel Default_L2TP_VPN_Connection Router(policy-route)# no deactivate Router(policy-route)# exit Router(config)# show policy-route 3 index: 3 active: yes description: WIZ_VPN user: any schedule: none interface: ge1 tunnel: none...
CHAPTER Application Patrol This chapter describes how to set up application patrol for the ZyWALL. 19.1 Application Patrol Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, http and ftp) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications.
Page 164
Chapter 19 Application Patrol 19.2 Application Patrol Commands Summary The following table describes the values required for many application patrol commands. Other values are discussed with the corresponding commands. Table 78 Input Values for Application Patrol Commands LABEL DESCRIPTION The name of a pre-defined application. These are listed by category. protocol_name smtp pop3...
Page 165
Chapter 19 Application Patrol Table 79 app Commands: Pre-Defined Applications (continued) COMMAND DESCRIPTION Specifies how the ZyWALL identifies this app protocol_name mode {portless | portbase} application. Creates log entries (and alerts) for the specified [no] app protocol_name log [alert] application. The no command does not create any log entries.
Page 166
Chapter 19 Application Patrol Table 81 app protocol rule Sub-commands (continued) COMMAND DESCRIPTION This is how the ZyWALL handles the DSCP value [no] inbound-dscp-mark {<0..63> | class of the outgoing packets to a connection’s initiator {default | dscp_class}} that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value.
Page 167
Chapter 19 Application Patrol 19.2.3.1 Exception Rule Sub-commands The following table describes the sub-commands for several application patrol exception rule commands. Note that not all rule commands use all the sub-commands listed here. Table 83 app patrol exception rule Sub-commands COMMAND DESCRIPTION Specifies the action when traffic matches the rule.
Page 168
Chapter 19 Application Patrol 19.2.4 Other Application Commands This table lists the commands for other applications in application patrol. Table 84 app Commands: Other Applications COMMAND DESCRIPTION Specifies the default action for other applications. app other {del | forward | drop | reject} Creates log entries (and alerts) for other [no] app other log [alert] applications.
Page 169
Chapter 19 Application Patrol Table 86 app patrol other rule Sub-commands (continued) COMMAND DESCRIPTION Blocks use of a specific feature. [no] action-block {login|message|audio|video|file-transfer} Limits inbound or outbound bandwidth, in kilobits bandwidth {inbound|outbound} <0..1048576> per second. 0 disables bandwidth management for traffic matching this rule.
Page 170
Chapter 19 Application Patrol Table 87 app Commands: Pre-Defined Applications (continued) COMMAND DESCRIPTION Sets traffic for unidentified applications to display [no] app other protocol_name bandwidth-graph on the bandwidth statistics graph. The no command sets it not to display on the bandwidth statistics graph. Globally enables bandwidth management.
Page 171
Chapter 19 Application Patrol Table 87 app Commands: Pre-Defined Applications (continued) COMMAND DESCRIPTION Displays whether or not the option to maximize the show app highest sip bandwidth priority throughput of SIP traffic is enabled. Displays whether or not the global setting for show bwm activation bandwidth management on the ZyWALL is enabled.
Page 172
Chapter 19 Application Patrol Router# configure terminal Router(config)# show app http rule all index: default activate: yes port: 0 schedule: none user: any from zone: any to zone: any source address: any destination address: any access: forward action login: na action message: na action audio: na action video: na...
Page 173
Chapter 19 Application Patrol Router# configure terminal Router(config)# show app other rule all index: 1 activate: yes port: 5963 schedule: none user: any from zone: any to zone: any source address: any destination address: any protocol: tcp access: forward DSCP inbound marking: preserve DSCP outbound marking: preserve bandwidth excess-usage: no bandwidth priority: 1...
CHAPTER Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. 20.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself.
Page 178
Chapter 20 Anti-Virus 20.2.1 General Anti-virus Commands The following table describes general anti-virus commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. You must register for the anti-virus service before you can use it (see Chapter 5 on page 37).
Page 179
Chapter 20 Anti-Virus Table 90 Commands for Zone to Zone Anti-Virus Rules (continued) COMMAND DESCRIPTION Enters the anti-virus sub-command mode to edit the anti-virus rule <1..32> specified direction specific rule. Turns a direction specific anti-virus rule on or off. [no] activate Sets the ZyWALL to create a log (and optionally an alert) [no] log [alert] when packets match this rule and are found to be virus-...
Page 180
Chapter 20 Anti-Virus 20.2.2.1 Zone to Zone Anti-virus Rule Example This example shows how to configure (and display) a WAN to LAN antivirus rule to scan HTTP traffic and destroy infected files. The white and black lists are ignored and zipped files are decompressed.
Page 181
Chapter 20 Anti-Virus Table 91 Commands for Anti-virus White and Black Lists (continued) COMMAND DESCRIPTION Turn on the black list to log and delete files with names that [no] anti-virus black-list activate match the black list patterns. Adds or removes a black list file pattern. Turns a file pattern [no] anti-virus black-list file-pattern on or off.
Page 182
Chapter 20 Anti-Virus 20.2.4 Signature Search Anti-virus Command The following table describes the command for searching for signatures. You must use the configure terminal command to enter the configuration mode before you can use this command. Table 92 Command for Anti-virus Signature Search COMMAND DESCRIPTION Search for signatures by their ID, name, severity, or...
Page 183
Chapter 20 Anti-Virus 20.3.1 Update Signature Examples These examples show how to enable/disable automatic anti-virus downloading, schedule updates, display the schedule, display the update status, show the (new) updated signature version number, show the total number of signatures and show the date/time the signatures were created.
Page 184
Chapter 20 Anti-Virus 20.4.1 Anti-virus Statistics Example This example shows how to collect and display anti-virus statistics. It also shows how to sort the display by the most common destination IP addresses. Router(config)# anti-virus statistics collect Router(config)# show anti-virus statistics collect collect statistics: yes Router(config)# show anti-virus statistics summary file scanned...
CHAPTER IDP Commands This chapter introduces IDP-related commands. 21.1 Overview Commands mostly mirror web configurator features. It is recommended you use the web configurator for IDP features such as searching for web signatures, creating/editing an IDP profile or creating/editing a custom signature.
Page 186
Chapter 21 IDP Commands This table shows the IDP signature, anomaly, and system-protect activation commands. Table 96 IDP Activation COMMAND DESCRIPTION Enables IDP signatures, anomaly detection, and/or system-protect. IDP signatures [no] idp use requires IDP service registration. If you don’t have a standard license, you can {signature | anomaly | register for a once-off trial one.
Page 187
Chapter 21 IDP Commands Table 97 Global Profile Commands COMMAND DESCRIPTION Lists the specified signature base profile’s settings. Use |more to display show idp signature base the settings page by page. profile {all|none|wan|lan|dmz} settings Displays all IDP signature profiles. show idp profiles 21.3.1.1 Example of Global Profile Commands In this example we rename an IDP signature profile from “old_profile”...
Page 188
Chapter 21 IDP Commands 21.3.2.1 Example of IDP Zone to Zone Rule Commands The following example creates IDP zone to zone rule one. The rule applies the LAN_IDP profile to all traffic going to the LAN zone. Router# configure terminal Router(config)# idp signature rule 1 Router(config-idp-signature-1)# Router(config-idp-signature-1)# exit...
Page 189
Chapter 21 IDP Commands 21.3.4 Editing/Creating Anomaly Profiles Use these commands to create a new anomaly profile or edit an existing one. It is recommended you use the web configurator to create/edit profiles. If you do not specify a base profile, the default base profile is none.
Page 190
Chapter 21 IDP Commands Table 100 Editing/Creating Anomaly Profiles (continued) COMMAND DESCRIPTION Activates or deactivates open port scan [no] scan-detection open-port {activate | log detection options. Also sets open port scan- [alert] | block} detection logs or alerts and blocking. The no command deactivates open port scan detection, its logs, alerts or blocking.
Page 193
Chapter 21 IDP Commands 21.3.5 Editing System Protect Use these commands to edit the system protect profiles. Table 101 Editing System Protect Profiles COMMAND DESCRIPTION Configure the system protect profile. Enters idp system-protect sub-command mode. All the following commands relate to the new profile. Use exit to quit sub-command mode.
Page 194
Chapter 21 IDP Commands Table 102 Signature Search Command COMMAND DESCRIPTION Searches for signature(s) in a profile by the show idp search signature my_profile name parameters specified. The quoted string is any quoted_string sid SID severity severity_mask text within the signature name in quotes, for platform platform_mask policytype policytype_mask example, [idp search LAN_IDP name "WORM"...
Page 195
Chapter 21 IDP Commands The following table displays the command line service and action equivalent values. If you want to combine services in a search, then add their respective numbers together. For example, to search for signatures for DNS, Finger and FTP services, then type “7” as the service parameter.
Page 196
Chapter 21 IDP Commands You must use the web configurator to import a custom signature file. Table 105 Custom Signatures COMMAND DESCRIPTION Create a new custom signature. The quoted idp customize signature quoted_string string is the signature command string enclosed in quotes.
Page 197
Chapter 21 IDP Commands This example shows you how to edit a custom signature. Router(config)# idp customize signature edit "alert tcp any any <> any any (msg : \"test edit\"; sid: 9000000 ; )" sid: 9000000 message: test edit policy type: severity: platform: all: no...
Page 198
Chapter 21 IDP Commands This example shows you how to display custom signature contents. Router(config)# show idp signatures custom-signature 9000000 contents sid: 9000000 Router(config)# show idp signatures custom-signature 9000000 non-contents sid: 9000000 ack: dport: 0 dsize: dsize_rel: flow_direction: flow_state: flow_stream: fragbits_reserve: fragbits_dontfrag: fragbits_morefrag:...
Page 199
Chapter 21 IDP Commands This example shows you how to display all details of a custom signature. Router(config)# show idp signatures custom-signature all details sid: 9000000 message: test edit policy type: severity: platform: all: no Win95/98: no WinNT: no WinXP/2000: no Linux: no FreeBSD: no Solaris: no...
Page 200
Chapter 21 IDP Commands Table 106 Update Signatures COMMAND DESCRIPTION Displays signature update schedule. show idp {signature | system-protect} update Displays signature update status. show idp {signature | system-protect} update status Displays signature information show idp {signature | system-protect} signatures {version | date | number} 21.5.1 Update Signature Examples These examples show how to enable/disable automatic IDP downloading, schedule updates, display the schedule, display the update status, show the (new) updated signature version...
Page 201
Chapter 21 IDP Commands Table 107 Commands for IDP Statistics (continued) COMMAND DESCRIPTION Displays whether the collection of IDP statistics is turned show idp statistics collect on or off. Query and sort the IDP statistics entries by signature show idp statistics ranking {signature- name, source IP address, or destination IP address.
CHAPTER Content Filtering This chapter covers how to use the content filtering feature to control web access. 22.1 Content Filtering Overview Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites.
Page 204
Chapter 22 Content Filtering Figure 24 Content Filtering Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site. 2 The ZyWALL looks up the web site in its . If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s .
Page 205
“http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, etc. Use up to 63 case-insensitive characters (0-9a-z-). You can enter a single IP address in dotted decimal notation like 192.168.2.5. You can enter a subnet by entering an IP address in dotted decimal notation followed by a slash and the bit number of the subnet mask of an IP address.
Page 206
Chapter 22 Content Filtering Table 108 Content Filter Command Input Values (continued) LABEL DESCRIPTION The hostname or IP address of the rating server. rating_server The value specifies the maximum querying time when rating a URL in zysh. query_timeout <1..60> seconds. The following table lists the content filtering web category names.
Page 207
Chapter 22 Content Filtering Table 109 Content Filtering Web Category Names CATEGORY NAME CATEGORY NAME Web Applications Suspicious Alternative Sexuality/Lifestyles LGBT Non-viewable Content Servers Placeholders Open/Mixed Content Potentially Unwanted Software Greeting Cards Audio/Video Clips Media Sharing Radio/Audio Streams TV/Video Streams Internet Telephony Online Meetings Newsgroups/Forums...
Page 208
Chapter 22 Content Filtering Table 110 content-filter General Commands (continued) COMMAND DESCRIPTION Sets how long to keep records of sessions for content-filter passed warning timeout which the ZyWALL has given the user a warning <1..1440> before allowing access. Sets a content filtering policy. The no command [no] content-filter policy policy_number removes it.
Page 209
Chapter 22 Content Filtering Table 111 content-filter Filtering Profile Commands Summary (continued) COMMAND DESCRIPTION Adds a web site to a content filtering profile’s [no] content-filter profile filtering_profile forbidden list. The no command removes a web custom forbid forbid_hosts site from the forbidden list. Sets a content filtering profile to block Java.
Page 210
Chapter 22 Content Filtering Table 111 content-filter Filtering Profile Commands Summary (continued) COMMAND DESCRIPTION Tests whether or not a web site is saved in the content-filter url- test url ZyWALL’s database of restricted web pages. Tests whether or not a web site is saved in the content-filter url-server test url [server external content filter server’s database of rating_server] [timeout query_timeout]...
Page 211
Chapter 22 Content Filtering 22.9.1 Content Filtering Statistics Example This example shows how to collect and display content filtering statistics. Router(config)# content-filter statistics collect Router(config)# show content-filter statistics summary total web pages inspected web pages warned by category service : 0 web pages blocked by category service: 0 web pages blocked by custom service restricted web features...
Page 213
Chapter 22 Content Filtering
Use this command to display the settings of the profile.
Router(config)# show content-filter profile sales_CF_PROFILE
service active : yes
url match unsafe: block: no, warn: yes, log:
url match other : block: yes, warn: no, log:
url unrate : block: no, warn: yes, log:...
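The profile output above lists a block/warn pair for each rating class, and the general commands earlier in the chapter add a custom forbidden list and a "passed warning timeout" that remembers sessions the user has already been warned about. The following Python model is an added example, not ZyXEL code; it assumes (as the ZyWALL's real ordering is not stated here) that the custom lists are consulted before the category rating, and it uses seconds rather than the CLI's 1..1440 range for the warning timeout. The profile values are copied from the sales_CF_PROFILE output; the host names and client address are constructed.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class RatingAction:
    """block/warn flags for one rating class, as printed by show content-filter profile."""
    block: bool
    warn: bool


@dataclass
class Profile:
    name: str
    actions: Dict[str, RatingAction]                    # keys: unsafe, other, unrated
    forbid_hosts: Set[str] = field(default_factory=set)  # custom forbid list
    trust_hosts: Set[str] = field(default_factory=set)   # hypothetical custom trust list


class ContentFilter:
    """Decides block / warn / pass for a request and remembers warned sessions."""

    def __init__(self, profile: Profile, passed_warning_timeout: int):
        self.profile = profile
        self.timeout = passed_warning_timeout            # seconds in this model
        self._warned: Dict[Tuple[str, str], float] = {}  # (client, host) -> time warned

    def decide(self, client: str, host: str, rating: Optional[str], now: float) -> str:
        # 1. Custom lists win over category ratings (assumed ordering).
        if host in self.profile.trust_hosts:
            return "pass"
        if host in self.profile.forbid_hosts:
            return "block"
        # 2. The rating class selects the configured action; no rating means "unrated".
        action = self.profile.actions["unrated" if rating is None else rating]
        if action.block:
            return "block"
        if action.warn:
            key = (client, host)
            warned_at = self._warned.get(key)
            if warned_at is not None and now - warned_at <= self.timeout:
                return "pass"      # the user already accepted the warning for this site
            self._warned[key] = now
            return "warn"
        return "pass"


# Values taken from the sales_CF_PROFILE output above; the forbidden host is constructed.
SALES = Profile(
    name="sales_CF_PROFILE",
    actions={
        "unsafe": RatingAction(block=False, warn=True),
        "other": RatingAction(block=True, warn=False),
        "unrated": RatingAction(block=False, warn=True),
    },
    forbid_hosts={"bad.example"},
)


def demo():
    """Walk one client through the decision paths; returns the list of verdicts."""
    cf = ContentFilter(SALES, passed_warning_timeout=600)
    client = "10.0.0.5"
    return [
        cf.decide(client, "bad.example", "other", 0),       # forbid list -> block
        cf.decide(client, "risky.example", "unsafe", 0),    # first visit -> warn
        cf.decide(client, "risky.example", "unsafe", 60),   # within timeout -> pass
        cf.decide(client, "risky.example", "unsafe", 700),  # record expired -> warn again
        cf.decide(client, "news.example", "other", 0),      # "other" is set to block
        cf.decide(client, "new.example", None, 0),          # unrated -> warn
    ]


if __name__ == "__main__":
    print(demo())
```

The point of the warning cache is the security trade-off behind the passed warning timeout: a long timeout means one accepted warning lets the same client reach the site for hours without further prompts, so keep it short for the "unsafe" class.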
H A P T E R Anti-Spam This chapter introduces and shows you how to configure the anti-spam scanner. 23.1 Anti-Spam Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
Page 216
Chapter 23 Anti-Spam
23.2.1.1 Activate/Deactivate Anti-Spam Example
This example shows how to activate and deactivate anti-spam on the ZyWALL.
Router# configure terminal
Router(config)# anti-spam activate
Router(config)# show anti-spam activation
anti-spam activation: yes
Router(config)# no anti-spam activate
Router(config)# show anti-spam activation
anti-spam activation: no
Router(config)#
23.2.2 Zone to Zone Anti-spam Rules...
Page 217
Chapter 23 Anti-Spam 23.2.2.1 Zone to Zone Anti-spam Rule Example This example shows how to configure (and display) a WAN to DMZ anti-spam rule to scan POP3 and SMTP traffic. SMTP spam is forwarded. POP3 spam is marked with a spam tag. The ZyWALL logs the event when an e-mail matches the DNSBL (see Section 23.2.4 on page for more on DNSBL).
Page 218
Chapter 23 Anti-Spam
Table 117 Input Values for White and Black list Anti-Spam Commands (continued)
rule_number
    The index number of an anti-spam white or black list entry. 1 - X where X is the highest number of entries the ZyWALL model supports. See the ZyWALL's User's Guide for details.
Page 219
Chapter 23 Anti-Spam
Table 118 Commands for Anti-spam White and Black Lists (continued)
show anti-spam black-list [status]
    Displays the current anti-spam black list. Use status to show the activation status only.
show anti-spam tag black-list
    Shows the configured anti-spam black list tag.
23.2.3.1 White and Black Lists Example
This example shows how to configure and enable white list entries for e-mails with...
Page 220
Chapter 23 Anti-Spam
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 119 Input Values for DNSBL Commands
dnsbl_domain
    A domain that is maintaining a DNSBL. You may use 0-254 alphanumeric characters, or dashes (-).
Page 221
Chapter 23 Anti-Spam
Table 120 DNSBL Commands
show anti-spam tag {dnsbl | dnsbl-timeout}
    dnsbl displays the anti-spam tag for e-mails that have a sender or relay IP address in the header that matches a blacklist maintained by a DNSBL domain. dnsbl-timeout displays the message or label to add to the mail subject of e-mails that the ZyWALL forwards if queries to the DNSBL domains time out.
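The DNSBL check described in this chapter has three outcomes (listed, query timed out, clean), each of which maps to a different tag on the forwarded mail. The following Python code is an added example and not ZyXEL code: it pulls the relay addresses out of the Received: headers, builds the reversed-octet DNSBL query name, and tags the subject. The resolver is a constructed stand-in so the example runs offline; the message headers, DNSBL domains and tag strings are constructed too. Treating any 127.0.0.0/8 answer as a listing is standard DNSBL practice, and applying the timeout tag only when no domain returned a listing is this example's assumption, not a documented ZyWALL behaviour.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple


class DnsblTimeout(Exception):
    """Raised by the resolver when a DNSBL query does not answer in time."""


def relay_ips(headers: str) -> List[str]:
    """IPv4 addresses in square brackets from each Received: header, topmost first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)   # join folded header lines
    ips = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
            if match:
                ips.append(match.group(1))
    return ips


def dnsbl_name(ip: str, dnsbl_domain: str) -> str:
    """192.0.2.10 on bl.example -> 10.2.0.192.bl.example (IPv4 only)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + dnsbl_domain


LISTED = ipaddress.IPv4Network("127.0.0.0/8")


def check_mail(subject: str, headers: str, dnsbl_domains: List[str],
               resolve: Callable[[str], List[str]], tags: Dict[str, str]) -> Tuple[str, str]:
    """Return (tagged_subject, verdict) where verdict is listed, timeout or clean.

    resolve(name) returns the A records for name ([] when the name does not exist)
    or raises DnsblTimeout. tags holds the strings shown by 'show anti-spam tag'.
    """
    timed_out = False
    for ip in relay_ips(headers):
        for domain in dnsbl_domains:
            try:
                answers = resolve(dnsbl_name(ip, domain))
            except DnsblTimeout:
                timed_out = True
                continue
            if any(ipaddress.IPv4Address(a) in LISTED for a in answers):
                return f"{tags['dnsbl']} {subject}", "listed"
    if timed_out:
        return f"{tags['dnsbl-timeout']} {subject}", "timeout"
    return subject, "clean"


# ---- constructed test data: a fake zone and a resolver that never touches the network ----
FAKE_ZONE = {"10.2.0.192.bl.example": ["127.0.0.2"]}   # 192.0.2.10 is listed on bl.example


def fake_resolve(name: str) -> List[str]:
    if name.endswith(".slow.example"):       # this DNSBL never answers
        raise DnsblTimeout(name)
    return FAKE_ZONE.get(name, [])


TAGS = {"dnsbl": "[Spam]", "dnsbl-timeout": "[DNSBL timeout]"}

SAMPLE_HEADERS = (
    "Received: from mx.corp.example (mx.corp.example [10.0.0.25])\n"
    "\tby zywall.corp.example; Tue, 1 Feb 2011 10:00:00 +0000\n"
    "Received: from relay.spammer.example (unknown [192.0.2.10])\n"
    "\tby mx.corp.example; Tue, 1 Feb 2011 09:59:58 +0000\n"
    "From: someone@spammer.example\n"
    "Subject: hello\n"
)

if __name__ == "__main__":
    print(check_mail("hello", SAMPLE_HEADERS, ["bl.example"], fake_resolve, TAGS))
    print(check_mail("hello", SAMPLE_HEADERS, ["slow.example"], fake_resolve, TAGS))
```

In production the resolver should skip private and loopback relay addresses (querying a DNSBL for 10.0.0.25 only leaks internal topology) and should be the DNS server configured on the ZyWALL, since the verdict is only as trustworthy as the path to that server.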
Page 223
Chapter 23 Anti-Spam
Table 121 Commands for Anti-spam Statistics (continued)
show anti-spam statistics collect
    Displays whether the collection of anti-spam statistics is turned on or off.
show anti-spam statistics ranking
    Queries and sorts the anti-spam statistics entries by source IP address or mail address.
H A P T E R Device HA Use device HA to increase network reliability. Device HA lets a backup ZyWALL (B) automatically take over if a master ZyWALL (A) fails. Figure 25 Device HA Backup Taking Over for the Master 24.1 Device HA Overview Active-Passive Mode and Legacy Mode •...
Page 228
Chapter 24 Device HA Only ZyWALLs of the same model and firmware version can synchronize. Otherwise you must manually configure the master ZyWALL’s settings on the backup (by editing copies of the configuration files in a text editor for example). 24.1.1 Before You Begin •...
Page 229
Chapter 24 Device HA Monitored Interfaces in Active-Passive Mode Device HA You can select which interfaces device HA monitors. If a monitored interface on the ZyWALL loses its connection, device HA has the backup ZyWALL take over. Enable monitoring for the same interfaces on the master and backup ZyWALLs. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL.
Page 230
Chapter 24 Device HA
Table 124 device-ha ap-mode Commands (continued)
device-ha ap-mode priority <1..254>
    Sets the backup ZyWALL's priority. The backup ZyWALL with the highest value takes over the role of the master ZyWALL if the master ZyWALL becomes unavailable. The priority must be between 1 and 254.
Page 231
Chapter 24 Device HA
Table 124 device-ha ap-mode Commands (continued)
device-ha ap-mode backup sync now
    Synchronizes now.
show device-ha ap-mode interfaces
    Displays the device HA AP mode interface settings and status.
show device-ha ap-mode next-sync-time
    Displays the next time and date (in hh:mm yyyy-mm-dd format) the ZyWALL will synchronize with the master.
Page 232
Chapter 24 Device HA VRRP Group Overview In the ZyWALL, you should create a VRRP group to add one of its interfaces to a virtual router. You can add any Ethernet interface, VLAN interface, or virtual interface (created on top of Ethernet interfaces or VLAN interfaces) with a static IP address. You can only enable one VRRP group for each interface, and you can only have one active VRRP group for each virtual router.
Page 233
Chapter 24 Device HA
Table 126 device-ha Commands: VRRP Groups (continued)
[no] authentication {string password | ah-md5 password}
    Specifies the authentication method and password for the specified VRRP group. The no command means that the specified VRRP group does not use authentication. The string method is VRRP's simple text password: it is carried unencrypted in every advertisement on the shared segment, so anyone who can sniff that segment can read it and inject their own advertisements. Prefer ah-md5 where both ZyWALLs support it.
Page 234
Chapter 24 Device HA
Table 127 device-ha Commands: Synchronization (continued)
[no] device-ha sync interval <5..1440>
    Specifies the number of minutes between each synchronization if the ZyWALL automatically synchronizes with the specified ZyWALL router. The no command resets the interval to five minutes.
H A P T E R User/Group This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
Page 238
Chapter 25 User/Group
25.2 User/Group Commands Summary
The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands.
Table 130 username/groupname Command Input Values
username
    The name of the user (account). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Page 239
Chapter 25 User/Group
Table 131 username/groupname Commands Summary: Users (continued)
username username [no] logon-lease-time <0..1440>
    Sets the lease time for the specified user. Set it to zero to set unlimited lease time. The no command sets the lease time to five minutes (regardless of the current default setting for new users).
Page 240
Chapter 25 User/Group
Table 133 username/groupname Commands Summary: Settings (continued)
users default-setting [no] user-type <admin|ext-user|guest|limited-admin|user>
    Sets the default user type for each new user. The no command sets the default user type to user.
show users retry-settings
    Displays the current retry limit settings for users.
(command not shown)
    Enables the retry limit for users.
Page 241
Chapter 25 User/Group
25.2.4 Force User Authentication Commands
This table lists the commands for forcing user authentication.
Table 134 username/groupname Commands Summary: Forcing User Authentication
[no] force-auth activate
    Enables forced user authentication, which makes users log in to the ZyWALL before the ZyWALL routes traffic for them.
Page 242
Chapter 25 User/Group
25.2.4.1 force-auth Sub-commands
The following table describes the sub-commands for several force-auth policy commands. Note that not all rule commands use all the sub-commands listed here.
Table 135 force-auth policy Sub-commands
[no] activate
    Activates the specified condition. The no command deactivates the specified condition.
Page 243
Chapter 25 User/Group
Table 135 force-auth policy Sub-commands (continued)
[no] schedule schedule_name
    Sets the time criteria for the specified condition. The no command removes the time criteria, making the condition effective all the time.
[no] source {address_object | group_name}
    Sets the source criteria for the specified condition. The no command removes the source criteria, making the condition effective for all sources.
Page 244
Chapter 25 User/Group
25.2.5.1 Additional User Command Examples
The following commands display the users that are currently logged in to the ZyWALL and force the logout of all logins from a specific IP address.
Router# configure terminal
Router(config)# show users all
Name Type From...
H A P T E R Addresses This chapter describes how to set up addresses and address groups for the ZyWALL. 26.1 Address Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
Page 246
Chapter 26 Addresses
The following sections list the address object and address group commands.
26.2.1 Address Object Commands
This table lists the commands for address objects.
Table 138 address-object Commands: Address Objects
show address-object [object_name]
    Displays information about the specified address or all the addresses.
Page 247
Chapter 26 Addresses
26.2.2 Address Group Commands
This table lists the commands for address groups.
Table 139 object-group Commands: Address Groups
show object-group address [group_name]
    Displays information about the specified address group or about all address groups.
[no] object-group address group_name
    Creates the specified address group if necessary and enters sub-command mode.
H A P T E R Services Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 27.1 Services Overview See the appendices in the web configurator’s User Guide for a list of commonly-used services. 27.2 Services Commands Summary The following table describes the values required for many service object and service group commands.
Page 251
Chapter 27 Services
Table 142 object-group Commands: Service Groups (continued)
[no] object-group group_name
    Adds the specified service group (second group_name) to the specified service group (first group_name). The no command removes the specified service group from the specified service group.
H A P T E R Schedules Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. 28.1 Schedule Overview The ZyWALL supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat.
Page 254
Chapter 28 Schedules
The following table lists the schedule commands.
Table 144 schedule Commands
show schedule-object
    Displays information about the schedules in the ZyWALL.
no schedule-object object_name
    Deletes the schedule object.
schedule-object object_name date time date time
    Creates or updates a one-time schedule. date: yyyy-mm-dd date format;...
H A P T E R AAA Server This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers. 29.1 AAA Server Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network.
Page 256
Chapter 29 AAA Server
29.2.1 ad-server Commands
The following table lists the ad-server commands you use to set the default AD server.
Table 145 ad-server Commands
show ad-server
    Displays the default AD server settings.
[no] ad-server basedn basedn
    Sets a base distinguished name (DN) for the default AD server. A base DN identifies an AD directory.
Page 257
Chapter 29 AAA Server
Table 146 ldap-server Commands (continued)
[no] ldap-server port port_no
    Sets the LDAP port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
[no] ldap-server search-time-limit
    Sets the search timeout period (in seconds). Enter a number between 1 and 300.
Page 258
Chapter 29 AAA Server
29.2.5 aaa group server ad Commands
The following table lists the aaa group server ad commands you use to configure a group of AD servers.
Table 148 aaa group server ad Commands
clear aaa group server ad [group-name]
    Deletes all AD server groups or the specified AD server group.
Page 259
Chapter 29 AAA Server
Table 148 aaa group server ad Commands (continued)
[no] server port port_no
    Sets the AD port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
[no] server search-time-limit
    Sets the search timeout period (in seconds). Enter a number between 1 and 300.
Page 260
Chapter 29 AAA Server
Table 149 aaa group server ldap Commands (continued)
[no] server group-attribute group-attribute
    Sets the name of the attribute that the ZyWALL is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs.
Page 261
Chapter 29 AAA Server
Table 150 aaa group server radius Commands (continued)
[no] server group-attribute <1-255>
    Sets the value of an attribute that the ZyWALL uses to determine to which group a user belongs. This attribute's value is called a group identifier. You can add ext-group-user user objects to identify groups based on different group identifier values.
H A P T E R Authentication Objects This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database. 30.1 Authentication Objects Overview After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the ZyWALL uses to authenticate users (using VPN or managing through HTTP/HTTPS).
Page 264
Chapter 30 Authentication Objects
Table 151 aaa authentication Commands (continued)
[no] aaa authentication default member1 [member2] [member3] [member4]
    Sets the default profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius, or local.
    Note: You must specify at least one member for each profile.
Page 265
• Login-name-attribute: sAMAccountName
The result shows that the account exists on the AD server. Otherwise, the ZyWALL responds with an error. Note that a simple bind on port 389 without TLS sends the bind-dn password across the network in clear text, so use a low-privilege bind account for these lookups.
Router> test aaa server ad host 172.16.50.1 port 389 base-dn DC=ZyXEL,DC=com bind-dn zyxel\engineerABC password abcdefg login-name-attribute sAMAccountName account userABC
dn:: Q049MTIzNzco546L5aOr56uRKSxPVT1XaXRoTWFpbCxEQz1aeVhFTCxEQz1jb20=...
H A P T E R Certificates This chapter explains how to use the Certificates. 31.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key.
Page 268
Chapter 31 Certificates
Table 153 Certificates Commands Input Values (continued)
organizational_unit
    Identifies the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
organization
    Identifies the company or group to which the certificate owner belongs.
Page 269
Chapter 31 Certificates
Table 154 ca Commands Summary (continued)
ca generate pkcs10 name certificate_name cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa|dsa} key-len key_length
    Generates a PKCS#10 certification request.
ca generate pkcs12 name name password password
    Generates a PKCS#12 certificate.
Page 270
Chapter 31 Certificates
Table 154 ca Commands Summary (continued)
ocsp url url [id name password password] [deactivate]
    Sets the validation configuration for the specified remote (trusted) certificate where the directory server uses OCSP. url: Type the protocol, IP address and pathname of the OCSP server.
Page 271
Chapter 31 Certificates
31.5 Certificates Commands Examples
The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512 bit key. Then it displays the list of local certificates. A 512-bit RSA key is far too short for anything but a throwaway lab test: keys of that size have been publicly factored, so use a 2048-bit key for certificates that protect real VPN or HTTPS access.
H A P T E R ISP Accounts Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/ PPTP interfaces. 32.1 ISP Accounts Overview An ISP account is a profile of settings for Internet access using PPPoE or PPTP. 32.1.1 PPPoE and PPTP Account Commands The following table lists the PPPoE and PPTP ISP account commands.
Page 274
Chapter 32 ISP Accounts
Table 155 PPPoE and PPTP ISP Account Commands (continued)
[no] service-name {ip | hostname | service_name}
    Sets the service name for the specified PPPoE ISP account. The no command clears the service name. hostname: You may use up to 63 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
Page 275
Chapter 32 ISP Accounts
Table 156 Cellular Account Commands (continued)
[no] password password
    Sets the password for the specified ISP account. The no command clears the password. password: Use up to 63 printable ASCII characters. Spaces are not allowed.
[no] authentication {none | pap | chap}
    Sets the authentication for the cellular account. The no command sets the authentication to none.
H A P T E R SSL Application This chapter describes how to configure SSL application objects for use in SSL VPN. 33.1 SSL Application Overview Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network.
Page 278
Chapter 33 SSL Application
Table 157 SSL Application Object Commands
server-type file-sharing share-path share-path
    Specifies the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access.
Page 279
Chapter 33 SSL Application
33.1.2 SSL Application Command Examples
The following commands create and display a server-type SSL application object named ZW5 for a web server at IP address 192.168.1.12.
Router(config)# sslvpn application ZW5
Router(sslvpn application)# server-type web-server url http://192.168.1.12
Router(sslvpn application)# exit
Router(config)# show sslvpn application
SSL Application: ZW5...
H A P T E R Endpoint Security This chapter describes how to configure endpoint security objects for use in authentication policy and SSL VPN. 34.1 Endpoint Security Overview Use Endpoint Security (EPS), also known as endpoint control, to make sure users’ computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel.
Page 282
Chapter 34 Endpoint Security Requirements User computers must have Sun’s Java (Java Runtime Environment or ‘JRE’) installed and enabled with a minimum version of 1.4. 34.1.1 Endpoint Security Commands Summary The following table describes the values required for many endpoint security object commands.
Page 283
Chapter 34 Endpoint Security
Table 159 Endpoint Security Object Commands
[no] personal-firewall personal_firewall_software_name detect-auto-protection
    Sets a permitted personal firewall. If you want to enter multiple personal firewalls, use this command for each of them. Use the list signature personal-firewall command to view the available personal firewall software package options.
Page 284
Chapter 34 Endpoint Security
Table 159 Endpoint Security Object Commands
os-type {windows | linux | mac-osx | others}
    Selects the type of operating system the user's computer must be using. Use the windows-version command to configure the checking items according to the set operating system. If you set this to mac-osx, there are no other checking items.
Page 285
Chapter 34 Endpoint Security
Table 159 Endpoint Security Object Commands
show eps signature {anti-virus | personal-firewall | status}
    Displays all the anti-virus software packages, personal firewall software packages or EPS signature information respectively. The status command displays the EPS signature version, release date and the total number of software packages for which the ZyWALL's endpoint security can check.
Page 286
Chapter 34 Endpoint Security
Then he also needs to check the personal firewall software name defined on the ZyWALL. Copy and paste the name of output item 11 for the setting later.
Router(config)# show eps signature personal-firewall
Name Detection
=========================================================================
Kaspersky_Internet_Security_v2009
Kaspersky_Internet_Security_v2010...
Page 287
Chapter 34 Endpoint Security
Then he leaves the sub-command mode and uses the show command to view the EPS object settings.
Router(eps EPS-Example)# exit
Router(config)# show eps profile
name: EPS-Example
description:
os type: windows
windows version: windows-xp
matching criteria: all
anti-virus activation: yes
anti-virus: 1
name: Kaspersky_Anti-Virus_v2010...
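The EPS object shown above combines an OS type, a Windows version, permitted anti-virus and personal firewall packages and a matching criteria of all or any. The following Python evaluator is an added example, not ZyXEL code, of how such a profile is checked against what the client-side check reports. It treats the OS type as a gate that must match before the other items are counted, and it gives mac-osx no further items, as Table 159 states; both the report format and the two sample reports are constructed. The package names are the ones printed by show eps signature on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class EpsProfile:
    name: str
    os_type: str                       # windows | linux | mac-osx | others
    windows_version: str = ""          # e.g. windows-xp; checked only when os_type is windows
    matching_criteria: str = "all"     # all: every item must pass; any: one passing item suffices
    anti_virus: List[str] = field(default_factory=list)         # permitted AV package names
    personal_firewall: List[str] = field(default_factory=list)  # permitted firewall package names
    detect_auto_protection: bool = True  # also require the package's real-time protection to be on


@dataclass
class EndpointReport:
    """What the client-side check reports back (constructed shape, not the ZyWALL's format)."""
    os_type: str
    windows_version: str = ""
    anti_virus: Dict[str, bool] = field(default_factory=dict)         # package -> auto-protection on
    personal_firewall: Dict[str, bool] = field(default_factory=dict)


def _software_ok(permitted: List[str], installed: Dict[str, bool], need_auto_protection: bool) -> bool:
    """True when at least one permitted package is installed (and protecting, if required)."""
    return any(name in installed and (installed[name] or not need_auto_protection)
               for name in permitted)


def check_endpoint(profile: EpsProfile, report: EndpointReport) -> Tuple[bool, List[str]]:
    """Returns (compliant, names of the checking items that failed)."""
    if report.os_type != profile.os_type:
        return False, ["os-type"]
    if profile.os_type == "mac-osx":        # no further checking items for mac-osx
        return True, []
    items = []
    if profile.os_type == "windows" and profile.windows_version:
        items.append(("windows-version", report.windows_version == profile.windows_version))
    if profile.anti_virus:
        items.append(("anti-virus", _software_ok(
            profile.anti_virus, report.anti_virus, profile.detect_auto_protection)))
    if profile.personal_firewall:
        items.append(("personal-firewall", _software_ok(
            profile.personal_firewall, report.personal_firewall, profile.detect_auto_protection)))
    if not items:
        return True, []
    verdicts = [ok for _, ok in items]
    compliant = all(verdicts) if profile.matching_criteria == "all" else any(verdicts)
    return compliant, [name for name, ok in items if not ok]


# The EPS-Example object from this chapter, plus a copy with matching criteria "any".
EPS_EXAMPLE = EpsProfile(
    name="EPS-Example", os_type="windows", windows_version="windows-xp",
    matching_criteria="all",
    anti_virus=["Kaspersky_Anti-Virus_v2010"],
    personal_firewall=["Kaspersky_Internet_Security_v2010"],
)
EPS_ANY = EpsProfile(**{**EPS_EXAMPLE.__dict__, "matching_criteria": "any"})

# Constructed client reports.
XP_OK = EndpointReport("windows", "windows-xp",
                       {"Kaspersky_Anti-Virus_v2010": True},
                       {"Kaspersky_Internet_Security_v2010": True})
XP_AV_OFF = EndpointReport("windows", "windows-xp",
                           {"Kaspersky_Anti-Virus_v2010": False},
                           {"Kaspersky_Internet_Security_v2010": True})
WIN7_OK = EndpointReport("windows", "windows-7",
                         {"Kaspersky_Anti-Virus_v2010": True},
                         {"Kaspersky_Internet_Security_v2010": True})
LINUX = EndpointReport("linux")


def demo() -> List[Tuple[bool, List[str]]]:
    return [
        check_endpoint(EPS_EXAMPLE, XP_OK),
        check_endpoint(EPS_EXAMPLE, XP_AV_OFF),
        check_endpoint(EPS_EXAMPLE, WIN7_OK),
        check_endpoint(EPS_ANY, WIN7_OK),
        check_endpoint(EPS_EXAMPLE, LINUX),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Whatever the evaluator decides, the input is self-reported by a Java applet running on the user's computer, so a hostile client can feed it whatever the profile wants to hear. EPS is a hygiene control for well-behaved machines, not a substitute for authenticating the user and limiting what the tunnel can reach.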
H A P T E R System This chapter provides information on the commands that correspond to what you can configure in the system screens. 35.1 System Overview Use these commands to configure general ZyWALL information, the system time and the console port connection speed for a terminal emulation program.
Page 292
Chapter 35 System
Figure 27 Access Page Customization (labels: Logo, Title, Message (color of all text), Note Message (last line of text), Window Background)
You can specify colors in one of the following ways:
• color-rgb: Enter red, green, and blue values in parenthesis and separate by commas. For example, use "rgb(0,0,0)"...
Page 293
Chapter 35 System
Table 160 Command Summary: Customization (continued)
[no] login-page message-text message
    Sets a note to display at the bottom of the login screen. Use up to 64 printable ASCII characters. Spaces are allowed.
login-page title title
    Sets the title for the top of the login screen. Use up to 64 printable ASCII characters.
Page 294
Chapter 35 System
35.4.1 Date/Time Commands
The following table describes the commands available for date and time setup. You must use the configure terminal command to enter configuration mode before you can use these commands.
Table 162 Command Summary: Date/Time
(command not shown)
    Sets the new date in year, month and day format...
Page 295
DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
Page 296
Chapter 35 System
35.6.2 DNS Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 164 Input Values for General DNS Commands
address_object
    The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a...
Page 297
{domain_zone_name|*} interface interface_name
    ...by the specified DNS server(s). domain_zone_name: This is a domain zone, not a host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. For example, whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query...
H A P T E R System Remote Management This chapter shows you how to determine which services/protocols can access which ZyWALL zones (if any) from which computers. To allow the ZyWALL to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-ZyWALL rule to block that traffic.
Page 300
Chapter 36 System Remote Management 36.2 Common System Command Input Values The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 166 Input Values for General System Commands LABEL DESCRIPTION The name of the IP address (group) object.
Page 301
Chapter 36 System Remote Management
Table 167 Command Summary: HTTP/HTTPS (continued)
[no] ip http secure-server cert certificate_name
    Specifies a certificate used by the HTTPS server. The no command resets the certificate used by the HTTPS server to the factory default (default). certificate_name: The name of the certificate.
Page 302
Chapter 36 System Remote Management
36.3.1 HTTP/HTTPS Command Examples
The following example adds a service control rule that allows an administrator on a computer whose IP address matches the Marketing address object to access the WAN zone using the HTTP service.
Router# configure terminal
Router(config)# ip http server table admin rule append access-group Marketing zone WAN action accept
Page 303
Chapter 36 System Remote Management
36.4.3 SSH Commands
The following table describes the commands available for SSH. You must use the configure terminal command to enter configuration mode before you can use these commands.
Table 168 Command Summary: SSH
(command not shown)
    Allows SSH access to the ZyWALL CLI.
Page 304
Chapter 36 System Remote Management
This command sets a certificate (Default) to be used to identify the ZyWALL.
Router# configure terminal
Router(config)# ip ssh server cert Default
36.5 Telnet
You can configure your ZyWALL for remote Telnet access. Telnet carries the login and every subsequent command in clear text, so restrict it to trusted management zones or leave it disabled in favour of SSH.
36.6 Telnet Commands
The following table describes the commands available for Telnet.
Page 305
Chapter 36 System Remote Management
36.6.1 Telnet Commands Examples
This command sets a service control rule that allows the computers with IP addresses matching the specified address object to access the specified zone using the Telnet service.
Router# configure terminal
Router(config)# ip telnet server rule 11 access-group RD zone LAN action ->...
Page 306
Chapter 36 System Remote Management
Table 170 Command Summary: FTP (continued)
ip ftp server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}
    Sets a service control rule for FTP service. address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the...
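The HTTP, Telnet and FTP service control rules above share one grammar: a position (rule_number, append, or insert rule_number), an access-group that is ALL or an address object, a zone that is ALL or a zone object, and an accept or deny action. The following Python model is an added example, not ZyXEL code, of how such an ordered table behaves. It assumes first-match evaluation, that "rule N" overwrites an existing rule N or appends when N is one past the end, and that a request matching no rule gets a configurable default; the address objects, zone names and client addresses are constructed, and the name check implements the 1-31 character rule quoted in the table.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# address_object / zone_object names: 1-31 alphanumerics, underscores or dashes, first char not a digit.
NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")


def name_ok(name: str) -> bool:
    return bool(NAME_RE.match(name))


@dataclass
class Rule:
    access_group: str   # "ALL" or an address (group) object name
    zone: str           # "ALL" or a zone name
    action: str         # "accept" or "deny"


Position = Union[int, str, Tuple[str, int]]


class ServiceControl:
    """Ordered service control rule table for one service (HTTP, Telnet, FTP, SNMP, ...)."""

    def __init__(self, address_objects: Dict[str, List[str]], default_action: str = "accept"):
        self.objects = {name: [ipaddress.ip_network(n) for n in nets]
                        for name, nets in address_objects.items()}
        self.rules: List[Rule] = []
        self.default_action = default_action   # applied when no rule matches (assumption)

    def rule(self, position: Position, access_group: str, zone: str, action: str) -> None:
        """position mirrors the CLI: an int N (rule N), "append", or ("insert", N)."""
        for name in (access_group, zone):
            if name != "ALL" and not name_ok(name):
                raise ValueError(f"invalid object name {name!r}")
        if access_group != "ALL" and access_group not in self.objects:
            raise ValueError(f"unknown address object {access_group!r}")
        if action not in ("accept", "deny"):
            raise ValueError("action must be accept or deny")
        new = Rule(access_group, zone, action)
        if position == "append":
            self.rules.append(new)
        elif isinstance(position, tuple) and position[0] == "insert":
            self.rules.insert(position[1] - 1, new)   # the old rule N becomes rule N+1
        elif isinstance(position, int) and 1 <= position <= len(self.rules) + 1:
            if position == len(self.rules) + 1:
                self.rules.append(new)
            else:
                self.rules[position - 1] = new        # rule N overwrites rule N (assumption)
        else:
            raise ValueError(f"bad rule position {position!r}")

    def evaluate(self, src_ip: str, zone: str) -> Tuple[str, int]:
        """First matching rule wins; returns (action, rule_number) with 0 meaning the default."""
        ip = ipaddress.ip_address(src_ip)
        for number, r in enumerate(self.rules, start=1):
            if r.zone not in ("ALL", zone):
                continue
            if r.access_group != "ALL" and not any(ip in net for net in self.objects[r.access_group]):
                continue
            return r.action, number
        return self.default_action, 0


def demo():
    """Rebuild the HTTP example from this chapter and show how an inserted rule shadows it."""
    sc = ServiceControl({"Marketing": ["10.1.1.0/24"], "RD": ["10.2.0.0/16"]})
    sc.rule("append", "Marketing", "WAN", "accept")   # like the HTTP example above
    sc.rule("append", "ALL", "WAN", "deny")           # everyone else coming from WAN is refused
    before = [sc.evaluate("10.1.1.5", "WAN"),
              sc.evaluate("10.9.9.9", "WAN"),
              sc.evaluate("10.2.3.4", "LAN")]         # no WAN rule applies: default action
    sc.rule(("insert", 1), "ALL", "ALL", "deny")      # a blanket deny inserted first wins for everyone
    after = sc.evaluate("10.1.1.5", "WAN")
    return before, after


if __name__ == "__main__":
    print(demo())
```

The third lookup in demo() is the case that bites in practice: a table that only mentions WAN says nothing about LAN, so management access from LAN falls through to the default. Finish every service's table with an explicit ALL/ALL deny rather than relying on that default.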
Page 307
36.8.1 Supported MIBs The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The ZyWALL also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
Page 308
Chapter 36 System Remote Management
Table 172 Command Summary: SNMP (continued)
[no] snmp-server port <1..65535>
    Sets the SNMP service port number. The no command resets the SNMP service port number to the factory default.
snmp-server rule {rule_number|append|insert rule_number} access-group {ALL|address_object}
    Sets a service control rule for SNMP service. address_object: The name of the IP address...
Page 309
Chapter 36 System Remote Management 36.9 ICMP Filter The ip icmp-filter commands are obsolete. See Chapter 15 on page 127 to configure firewall rules for ICMP traffic going to the ZyWALL to discard or reject ICMP packets destined for the ZyWALL. Configure the ICMP filter to help keep the ZyWALL hidden from probing attempts.
Page 310
Chapter 36 System Remote Management 36.10.3 Response Strings The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the serial modem. The response strings have not been standardized; please consult the documentation of your serial modem to find the correct tags. 36.10.4 Dial-in Management Commands The following table describes the commands available for dial-in management.
Page 311
Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator.
Page 312
Chapter 36 System Remote Management
Table 175 Command Summary: Vantage CNM
[no] cnm-agent password <TR-069 password>
    Configures the password the ZyWALL presents when the ACS server authenticates it using HTTP digest authentication. The no command removes the password used for the ACS server authentication request.
cnm-agent server-type
    Configures the server type of the management server as either a Vantage CNM server or a TR069 ACS server.
H A P T E R File Manager This chapter covers how to work with the ZyWALL’s firmware, certificates, configuration files, custom IDP signatures, packet trace results, shell scripts and temporary files. 37.1 File Directories The ZyWALL stores files in the following directories. Table 177 FTP File Transfer Notes FILE NAME DIRECTORY FILE TYPE...
Page 316
Chapter 37 File Manager
These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
Figure 28 Configuration File / Shell Script: Example
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3...
Page 317
Chapter 37 File Manager
"exit" or "!" must follow sub commands if it is to make the ZyWALL exit sub command mode. Line 3 in the following example exits sub command mode.
interface ge1
ip address dhcp
Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
interface ge1
# this interface is a DHCP client
Lines 1 and 2 are comments.
Page 318
Chapter 37 File Manager • When you change the configuration, the ZyWALL creates a startup-config.conf file of the current configuration. • The ZyWALL checks the startup-config.conf file for errors when it restarts. If there is an error in the startup-config.conf file, the ZyWALL copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file.
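The script syntax just described (comments with #, sub-command modes left with exit or !) and the startup behaviour (a broken startup-config.conf is copied to startup-config-bad.conf and lastgood.conf is tried) are easy to get wrong by hand, since a missing exit silently feeds the following commands to the wrong mode. The following Python checker is an added example, not ZyXEL code: it validates the mode nesting of a script and models the boot-time fallback. The set of commands that enter a sub-command mode is taken from the prompts shown on this page (interface, sslvpn application, eps) and is not complete; the fallback to system-default.conf after lastgood.conf, the sample scripts and the ip address syntax in them are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Commands that enter a sub-command mode; taken from prompts seen on this page. Extend as needed.
SUBMODE_PREFIXES = ("interface ", "sslvpn application ", "eps profile ")


def validate_script(text: str) -> List[str]:
    """Return the problems found in a ZLD configuration file / shell script.

    Modelled rules: '#' starts a comment, 'exit' or '!' leaves the current mode, and a
    sub-command mode that is never closed swallows the commands that follow it.
    """
    problems: List[str] = []
    in_config = False
    submode: Optional[Tuple[int, str]] = None   # (line number, command) while in sub-command mode
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                # blank line or comment
        if line in ("exit", "!"):
            if submode is not None:
                submode = None
            elif in_config:
                in_config = False
            else:
                problems.append(f"line {number}: exit with no mode to leave")
            continue
        if line == "configure terminal":
            in_config = True
            continue
        if line.startswith(SUBMODE_PREFIXES):
            if submode is not None:
                problems.append(
                    f"line {number}: '{line}' entered while '{submode[1]}' "
                    f"(line {submode[0]}) has not been closed with exit or !")
            submode = (number, line)
    if submode is not None:
        problems.append(f"line {submode[0]}: '{submode[1]}' not closed with exit or !")
    return problems


def boot_select(files: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Model of the startup behaviour described above.

    A startup-config.conf that fails validation is copied to startup-config-bad.conf and
    lastgood.conf is used instead; falling back to system-default.conf after that is an
    assumption. Returns (chosen file name, resulting file set).
    """
    files = dict(files)
    startup = files.get("startup-config.conf")
    if startup is not None and not validate_script(startup):
        return "startup-config.conf", files
    if startup is not None:
        files["startup-config-bad.conf"] = startup
    lastgood = files.get("lastgood.conf")
    if lastgood is not None and not validate_script(lastgood):
        return "lastgood.conf", files
    return "system-default.conf", files


# Constructed sample scripts (the first follows the shape of Figure 28).
GOOD_SCRIPT = """# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3
interface ge3
ip address 10.0.0.1 255.255.255.0
exit
write
"""

BAD_SCRIPT = """configure terminal
interface ge3
ip address 10.0.0.1 255.255.255.0
interface ge2
ip address dhcp
!
"""

if __name__ == "__main__":
    print(validate_script(GOOD_SCRIPT))
    print(validate_script(BAD_SCRIPT))
    print(boot_select({"startup-config.conf": BAD_SCRIPT, "lastgood.conf": GOOD_SCRIPT})[0])
```

Note that a configuration file carries credentials in the clear (the Figure 28 example sets the admin password inline), so the startup-config-bad.conf copy and any lastgood.conf left on the device deserve the same handling as the live configuration.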
Page 319
Chapter 37 File Manager
37.4 File Manager Commands Summary
The following table lists the commands that you can use for file management.
Table 180 File Manager Commands Summary
apply /conf/file_name.conf [ignore-error]
    Has the ZyWALL use a specific configuration file. You must still use the write command to save your...
Page 320
Chapter 37 File Manager
Table 180 File Manager Commands Summary (continued)
run /script/file_name.zysh
    Has the ZyWALL execute a specific shell script file. You must still use the write command to save your configuration changes to the flash ("non-volatile" or "long term") memory.
Page 321
Chapter 37 File Manager The firmware update can take up to five minutes. Do not turn off or reset the ZyWALL while the firmware update is in progress! If you lose power during the firmware upload, you may need to refer to Section 37.8 on page 323 to recover the firmware.
Page 322
37.6.4 Command Line FTP Configuration File Download Example
The following example gets a configuration file named today.conf from the ZyWALL and saves it on the computer as current.conf. FTP sends both the login and the file in clear text, so do this only over a management network you trust.
Figure 30 FTP Configuration File Download Example
C:\>ftp 192.168.1.1
Connected to 192.168.1.1.
Page 323
37.8 Notification of a Damaged Recovery Image or Firmware
The ZyWALL's recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the ZyWALL notifies you of a damaged recovery image or firmware file.
Page 324
37.9 Restoring the Recovery Image This procedure requires the ZyWALL’s recovery image. Download the firmware package from www.zyxel.com and unzip it. The recovery image uses a .ri extension, for example, "1.01(XL.0)C0.ri". Do the following after you have obtained the recovery image file.
Page 325
Figure 36 atuk Command for Restoring the Recovery Image
4 Enter Y and wait for the "Starting XMODEM upload" message before activating XMODEM upload on your terminal.
Figure 37 Starting Xmodem Upload
5 This is an example Xmodem upload of the recovery image using HyperTerminal. Click Transfer, then Send File to display the following screen.
Page 326
37.10 Restoring the Firmware This procedure requires the ZyWALL’s firmware. Download the firmware package from www.zyxel.com and unzip it. The firmware file uses a .bin extension, for example, "1.01(XL.0)C0.bin". Do the following after you have obtained the firmware file. This section is not for normal firmware uploads. You only need to use this section if you need to recover the firmware.
Page 327
8 After the transfer is complete, "Firmware received" or "ZLD-current received" displays. Wait (up to four minutes) while the ZyWALL recovers the firmware.
Figure 43 Firmware Received and Recovery Started
9 The console session displays "done" when the firmware recovery is complete. Then the ZyWALL automatically restarts.
Page 328
Figure 45 Restart Complete
37.11 Restoring the Default System Database
The default system database stores information such as the default anti-virus or IDP signatures. The ZyWALL can still operate if the default system database is damaged or missing, but related features (like anti-virus or IDP) may not function properly.
Page 329
Figure 48 Default System Database Missing Log: Anti-virus This procedure requires the ZyWALL’s default system database file. Download the firmware package from www.zyxel.com and unzip it. The default system database file uses a .db extension, for example, "1.01(XL.0)C0.db". Do the following after you have obtained the default system database file.
Page 330
37.11.1 Using the atkz -u Debug Command
You only need to use the atkz -u command if the default system database is damaged.
1 Restart the ZyWALL.
2 When "Press any key to enter debug mode within 3 seconds." displays, press a key to enter debug mode.
Page 331
8 Set the transfer mode to binary (type bin).
9 Transfer the default system database file from your computer to the ZyWALL. Type put followed by the path and name of the file. This example uses put e:\ftproot\ZLD FW\1.01(XL.0)C0.db.
Chapter 38 Logs
This chapter provides information about the ZyWALL's logs. When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User's Guide for the maximum number of system log messages in the ZyWALL.
Page 334
38.1.2 System Log Commands
This table lists the commands for the system log settings.
Table 183 logging Commands: System Log Settings
show logging status system-log
    Displays the current settings for the system log.
logging system-log category module_name {disable | level normal | level all}...
    Specifies what kind of information, if any, is logged in the system log and debugging log for the...
Page 335
... | local_3 | local_4 | local_5 | local_6 | local_7}
[no] logging syslog <1..4> format {cef | vrpt}
    Sets the format of the log information. cef: Common Event Format, syslog-compatible format. vrpt: ZyXEL's Vantage Report, syslog-compatible format.
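Selecting the cef format matters on the receiving side: a collector can split the record into fixed fields instead of matching free text. The following parser is an added example for this page, not code from the guide, and it makes no claim about the exact vendor, product or extension fields the ZyWALL emits; it implements the published CEF layout (CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension, with | and \ escaped in the header and = and \ escaped in extension values) and then counts source addresses of events at or above a severity. The sample lines are constructed for the example.

```python
"""Parse syslog lines in Common Event Format (CEF) and count event sources.

Added example for this page; it is not code from the ZyWALL guide and makes
no claim about the exact vendor, product or extension fields the ZyWALL
emits.  CEF, the format selected by `logging syslog <1..4> format cef`, is
the ArcSight standard:
  CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
In the header, '|' and '\\' are escaped as '\\|' and '\\\\'; in extension
values, '=' and '\\' are escaped as '\\=' and '\\\\'.  SAMPLE lines are
constructed for this example.
"""
import re
from collections import Counter

# Constructed sample lines (illustrative field values, not real device output).
SAMPLE = ("<134>Jan  9 13:57:02 zywall CEF:0|ZyXEL|ZyWALL|2.20|access-control|"
          "Firewall block|5|src=192.168.1.4 dst=203.0.113.7 spt=51515 dpt=23 "
          "proto=TCP msg=Match default rule, DROP act=block")
SAMPLE_ESCAPED = r"CEF:0|Vendor|Product|1.0|100|Pipe \| in name|3|msg=key\=value act=allow"

# One header field (with escapes) followed by its terminating '|'.
_HEADER_FIELD = re.compile(r"((?:\\.|[^|\\])*)\|")
# key=value pairs; a value runs until the next ' key=' or end of line, so
# values may contain spaces (msg=...) but a literal '=' must be escaped.
_EXT_PAIR = re.compile(r"([A-Za-z0-9_.\-]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.\-]+=|\s*$)")


def _unescape(s, table):
    """Replace the backslash escapes listed in table; leave other backslashes alone."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in table:
            out.append(table[s[i + 1]])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_cef(line):
    """Return the CEF record in a syslog line as a dict; ValueError if absent."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    rest = line[start + 4:]
    fields, pos = [], 0
    for _ in range(7):
        m = _HEADER_FIELD.match(rest, pos)
        if m is None:
            raise ValueError("CEF header has fewer than 7 fields")
        fields.append(_unescape(m.group(1), {"|": "|", "\\": "\\"}))
        pos = m.end()
    version, vendor, product, dev_version, sig_id, name, severity = fields
    ext_table = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
    extension = {k: _unescape(v, ext_table) for k, v in _EXT_PAIR.findall(rest[pos:])}
    return {
        "version": version, "vendor": vendor, "product": product,
        "device_version": dev_version, "signature_id": sig_id, "name": name,
        "severity": int(severity) if severity.isdigit() else severity,
        "extension": extension,
    }


def sources_at_or_above(lines, min_severity=5):
    """Count 'src' across CEF records whose numeric severity >= min_severity.

    Lines without a CEF record (plain syslog) are skipped rather than aborting
    the run, because a collector sees mixed traffic.
    """
    counts = Counter()
    for line in lines:
        try:
            rec = parse_cef(line)
        except ValueError:
            continue
        sev = rec["severity"]
        src = rec["extension"].get("src")
        if isinstance(sev, int) and sev >= min_severity and src:
            counts[src] += 1
    return counts


if __name__ == "__main__":
    print(parse_cef(SAMPLE))
    print(sources_at_or_above([SAMPLE, SAMPLE_ESCAPED, "<134>Jan  9 13:57:03 zywall plain text"]))
```

The escape handling is the part worth keeping: a rule name containing a pipe, or a message containing an equals sign, breaks a naive split on | and = and silently shifts every later field.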
Page 336
This table lists the commands for setting how often to send information to the VRPT (ZyXEL's Vantage Report) server.
Table 186 logging Commands: VRPT Settings
vrpt send device information interval <15..3600>...
    Sets the interval (in seconds) for how often the ZyWALL sends a device information log to the...
Page 337
... | mon | tue | wed | thu | fri | sat
38.1.4.1 E-mail Profile Command Examples
The following commands set up e-mail log 1.
Router# configure terminal
Router(config)# logging mail 1 address mail.zyxel.com.tw
Router(config)# logging mail 1 subject AAA
Router(config)# logging mail 1 authentication username lachang.li password XXXXXX
Router(config)# logging mail 1 send-log-to lachang.li@zyxel.com.tw...
Page 338
Table 188 logging Commands: Console Port Settings (continued)
logging console category module_name level {alert | crit | debug | emerg | error | info | ...
    Controls whether or not debugging information for the specified priority is displayed in the console log, if logging for this category is enabled.
Chapter 39 Reports and Reboot
This chapter provides information about the report associated commands and how to restart the ZyWALL using commands. It also covers the daily report e-mail feature.
39.1 Report Commands Summary
The following sections list the report and session commands.
39.1.1 Report Commands
This table lists the commands for reports.
Page 340
39.1.2 Report Command Examples
The following commands start collecting data, display the traffic reports, and stop collecting data.
Router# configure terminal
Router(config)# show report ge1 ip
No. IP Address User Amount Direction
===================================================================
192.168.1.4 admin 1273(bytes) Outgoing
192.168.1.4...
Page 341
39.2 Email Daily Report Commands
The following table identifies the values used in some of these commands. Other input values are discussed with the corresponding commands.
Table 191 Input Values for Email Daily Report Commands
LABEL / DESCRIPTION
... An e-mail address.
Page 342
Table 192 Email Daily Report Commands (continued)
daily-report [no] item session-usage
    Determines whether or not session usage statistics are included in the report e-mails.
daily-report [no] item port-usage
    Determines whether or not port usage statistics are included in the report e-mails.
Page 343
This displays the email daily report settings and has the ZyWALL send the report now. Note that the output shows the SMTP password in clear text, so redact it before pasting the output into a ticket or a shared log.
Router(config)# show daily-report status
email daily report status
=========================
activate: yes
scheduled time: 13:57
reset counter: no
smtp address: example-SMTP-mail-server.com
smtp auth: yes
smtp username: 12345
smtp password: pass12345...
Chapter 40 Session Timeout
Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands.
Table 193 Session Timeout Commands
session timeout {udp-connect <1..300>...
    Sets the timeout for UDP sessions to connect or...
Chapter 41 Diagnostics
This chapter covers how to use the diagnostics feature.
41.1 Diagnostics
The diagnostics feature provides an easy way for you to generate a file containing the ZyWALL's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. Because the file includes the configuration, review it for sensitive material such as credentials before sending it outside your organization.
Chapter 42 Packet Flow Explore
This chapter covers how to use the packet flow explore feature.
42.1 Packet Flow Explore
Use this to get a clear picture on how the ZyWALL determines where to forward a packet and how to change the source IP address of the packet according to your current settings.
Page 350
Table 195 Packet Flow Explore Commands (continued)
show system snat nat-1-1
    Displays activated NAT rules which use SNAT.
show system snat nat-loopback
    Displays activated NAT rules which use SNAT with NAT loopback enabled.
show system route default-wan-trunk
    Displays the default WAN trunk settings.
Page 351
The following example shows all activated dynamic VPN rules.
Router> show system route dynamic-vpn
Source Destination VPN Tunnel
===========================================================================
The following example shows the default WAN trunk's settings.
Router> show system route default-wan-trunk
Source Destination Trunk
===========================================================================
trunk_ex...
Page 352
The following example shows all activated policy routes which use SNAT and enable NAT loopback.
Router> show system snat nat-loopback
Note: Loopback SNAT will be only applied only when the initiator is located at the network which the server locates at
VS Name Source Destination...
Chapter 43 Maintenance Tools
Use the maintenance tool commands to check the conditions of other devices through the ZyWALL. The maintenance tools can help you to troubleshoot network problems. Here are maintenance tool commands that you can use in privilege mode.
Table 196 Maintenance Tools Commands in Privilege Mode
COMMAND / DESCRIPTION...
Page 354
Table 196 Maintenance Tools Commands in Privilege Mode (continued)
duration <0..300>
    Sets a time limit in seconds for the capture. The ZyWALL stops the capture and generates the capture file when either this period of time has passed or the file reaches the size specified using the files-size command below.
Page 355
Table 196 Maintenance Tools Commands in Privilege Mode (continued)
show packet-capture status
    Displays whether a packet capture is ongoing.
show packet-capture config
    Displays current packet capture settings.
43.0.1 Command Examples
Some packet-trace command examples are shown below.
Router# packet-trace duration 3
tcpdump: listening on eth0
19:24:43.239798 192.168.1.10 >...
Page 356
Router# traceroute www.zyxel.com
traceroute to www.zyxel.com (203.160.232.7), 30 hops max, 38 byte packets
172.23.37.254 3.049 ms 1.947 ms 1.979 ms
172.23.6.253 2.983 ms 2.961 ms 2.980 ms
172.23.6.1 5.991 ms 5.968 ms 6.984 ms
* * *
Here are maintenance tool commands that you can use in configure mode.
Page 357
Then configure the following settings to capture packets going through the ZyWALL's WAN1 interface only (this means you have to remove LAN2 and WAN2 from the iface list).
• IP address: any
• Host IP: any
• ...
Page 358
You can use FTP to download a capture file. Open and study it using a packet analyzer tool (for example, Ethereal or Wireshark).
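When a packet analyzer is not at hand, the capture file can be read directly: the classic libpcap format is a 24-byte global header followed by a 16-byte record header per packet. The following script is an added example for this page, not code from the guide or from ZyXEL. It assumes the downloaded capture is in classic pcap format with an Ethernet link type (pcapng is rejected), summarizes packets per IPv4 flow, and stops cleanly at a truncated last record, which is what a capture cut off by the duration or file-size limit looks like. The capture bytes it reads are constructed inside the script so that it runs offline.

```python
"""Summarize the IPv4 flows in a packet-capture file without Wireshark.

Added example, not from the ZyWALL guide.  It reads the classic libpcap
format directly: a 24-byte global header, then a 16-byte record header per
packet.  Assumptions: the capture is classic pcap (not pcapng) with an
Ethernet link type.  The capture bytes below are constructed in this script
(Ethernet/IPv4/TCP and UDP frames); replace them with the file you download
over FTP.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def _ipv4_frame(src, dst, proto, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (constructed test data)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4


def build_pcap(frames):
    """Serialize frames into a little-endian classic pcap file (constructed input)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1300000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield (timestamp, frame_bytes) per record; handles both byte orders."""
    if len(data) < 24:
        raise ValueError("file too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        if pos + incl_len > len(data):
            break  # truncated final record, e.g. capture stopped by the duration limit
        yield ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]
        pos += incl_len


def flow_key(frame):
    """Return (src, dst, proto, sport, dport) for an IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(ip) < ihl + 4:
        return (src, dst, proto, None, None)
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (src, dst, proto, sport, dport)


def summarize(data):
    """Count packets per flow, the first thing an analyst checks in a capture."""
    counts = Counter()
    for _ts, frame in iter_packets(data):
        key = flow_key(frame)
        if key is not None:
            counts[key] += 1
    return counts


# Constructed capture: two TCP packets to one server and one DNS query.
SAMPLE_PCAP = build_pcap([
    _ipv4_frame("192.168.1.10", "203.0.113.7", IPPROTO_TCP, 40000, 443),
    _ipv4_frame("192.168.1.10", "203.0.113.7", IPPROTO_TCP, 40000, 443),
    _ipv4_frame("192.168.1.10", "192.168.1.1", IPPROTO_UDP, 53000, 53, b"\x00" * 12),
])

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_PCAP).most_common():
        print(n, key)
```

To use it on a real download, read the file with open(path, "rb").read() and pass the bytes to summarize(); a capture that ends in a truncated record is summarized up to that record instead of failing.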
Chapter 44 Watchdog Timer
This chapter provides information about the ZyWALL's watchdog timers.
44.1 Hardware Watchdog Timer
The hardware watchdog has the system restart if the hardware fails. The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.
Page 360
Table 199 software-watchdog-timer Commands (continued)
show software-watchdog-timer status
    Displays the settings of the software watchdog timer.
show software-watchdog-timer log
    Displays a log of when the software watchdog timer took effect.
44.3 Application Watchdog
The application watchdog has the system restart a process that fails. These are the app-watch-dog commands. Use the configure terminal command to enter the configuration...
Page 361
44.3.1 Application Watchdog Commands Example
The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring.
Router# configure terminal
Router(config)# show app-watch-dog config
Application Watch Dog Setting:
activate: yes
alert: yes
console print: always
retry count: 3...
List of Commands (Alphabetical)
This section lists the commands and sub-commands in alphabetical order. Commands and sub-commands appear at the same level.
[no] {anti-virus | personal-firewall} activate ........282
[no] aaa authentication default member1 [member2] [member3] [member4] ... 264
[no] aaa authentication profile-name ..........
Page 374
[no] server ip ..............274
[no] server key secret ............261
[no] server password password ........... 258
[no] server password password ........... 260
[no] server port port_no ............259
[no] server port port_no ............260
[no] server search-time-limit time ..........259
[no] server search-time-limit time ..........
Page 375
[no] usb-storage activate ............73
[no] user user_name ............. 130
[no] user user_name ............. 133
[no] user user_name ............. 149
[no] user username .............. 166
[no] user username .............. 167
[no] user username .............. 168
[no] user username .............. 239
[no] user username ..............
Page 381
idp search system-protect my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log-alert} action action_mask ..193
idp signature newpro [base {all | lan | wan | dmz | none}] ...... 188
idp statistics flush ............
Page 382
ip http-redirect activate description ........... 118
ip http-redirect deactivate description ......... 118
ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535>
ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535> deactivate ..............
Page 383
... | notice | warn} ............338
logging mail <1..2> schedule daily hour <0..23> minute <0..59> ....337
logging mail <1..2> schedule weekly day day hour <0..23> minute <0..59> ..337
logging mail <1..2> sending_now ..........336
logging system-log category module_name {disable | level normal | level all} ..
Page 384
no network ............... 56
no packet-trace ..............28
no port <1..x> ..............64
no sa spi spi ..............145
no sa tunnel-name map_name ............145
no scan-detection sensitivity ........... 189
no schedule-object object_name ..........254
no security {none | wep | wpa | wpa-wpa2 | wpa2} ......... 78
no server-type ..............
Page 385
port <1..65535> ending-port <1..65535>] ........278
port <1..65535> ending-port <1..65535>] [program-path program-path] .... 278
port-grouping representative_interface port <1..x> ....... 64
psm ................28
qos {none | wmm} ..............75
reauth <30..30000> ............... 77
reboot ................28
redistribute {static | ospf} metric <0..16>...
Page 386
service-register service-type trial service all {kav|zav} ......39
service-register service-type trial service av {kav|zav} ......39
session timeout {udp-connect <1..300> | udp-deliver <1..300> | icmp <1..300>} ... 345
session timeout session {tcp-established | tcp-synrecv | tcp-close | tcp-finwait | tcp-synsent | tcp-closewait | tcp-lastack | tcp-timewait} <1..300>...
Page 387
show anti-virus update ............182
show anti-virus update status ........... 182
show app {general|im|p2p|stream} ..........170
show app all ..............170
show app all defaultport ............170
show app all statistics ............170
show app config ..............170
show app highest sip bandwidth priority .........
Page 388
show content-filter url- ............208
show content-filter url- ............210
show corefile copy usb-storage ........... 74
show cpu status ..............33
show crypto map [map_name] ............141
show daily-report status ............341
show ddns [profile_name] ............108
show device-ha ap-mode backup sync ..........
Page 389
show idp anomaly profile http-inspection all details ......191
show idp anomaly profile icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} details ........192
show idp anomaly profile icmp-decoder all details ....... 192
show idp anomaly profile scan-detection [all details] ......191
show idp anomaly profile scan-detection {icmp-sweep | icmp-filtered-sweep | open-port} details ..............
Page 390
show interface ppp user-define ........... 67
show interface send statistics interval .......... 51
show interface summary all ............51
show interface summary all status ..........51
show interface-group {system-default|user-define|group-name} ..... 86
show interface-name .............. 53
show ip dhcp binding [ip] ............57
show ip dhcp pool [profile_name] ..........
Page 391
show policy-route controll-ipsec-dynamic-rules ........95
show policy-route override-direct-route .......... 95
show policy-route rule_count ............. 95
show policy-route underlayer-rules ..........95
show port setting ..............65
show port status ..............65
show port vlanid ..............80
show port-grouping ............... 64
show radius-server ..............
Page 392
show ssl-vpn network-extension local-ip ......... 148
show sslvpn policy [profile_name] ..........148
show system default-interface-group ..........87
show system default-snat ............87
show system route default-wan-trunk ..........349
show system route dynamic-vpn ........... 349
show system route nat-1-1 ............349
show system route policy-route ..........
Page 393
tcp-decoder {tcp-xxx} log [alert] ..........190
telnet ................28
test aaa ................. 28
test aaa {server|secure-server} {ad|ldap} host {hostname|ipv4-address} [host {hostname|ipv4-address}] port <1..65535> base-dn base-dn-string [bind-dn bind-dn-string password password] login-name-attribute attribute [alternative-login-name-attribute attribute] account account-name ........
Page 394