ZyXEL Communications ZYWALL USG CLI Reference Manual

Zld-based
ZyWALL (ZLD)
CLI Reference Guide
Version 2.11
6/2009
Edition 2
DEFAULT LOGIN
User Name admin
Password
1234
www.zyxel.com


Summary of Contents for ZyXEL Communications ZYWALL USG CLI

  • Page 1 ZyWALL (ZLD) CLI Reference Guide Version 2.11 6/2009 Edition 2 DEFAULT LOGIN User Name admin Password 1234 www.zyxel.com...
  • Page 3 See your User’s Guide for a list of supported features and details about feature implementation. Please refer to www.zyxel.com or your product’s CD for product specific User Guides and product certifications. How To Use This Guide...
  • Page 4 Document Conventions Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 5 Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ZyWALL (ZLD) CLI Reference Guide...
  • Page 6 Document Conventions ZyWALL (ZLD) CLI Reference Guide...
  • Page 7: Table Of Contents

    Contents Overview: Introduction (9), Command Line Interface (11), User and Privilege Modes (27), Status (31), Registration (35), Network (43), Interfaces (45), Trunks (75), Route (81), Routing Protocol (87), Zones (91), DDNS ...
  • Page 8: Table Of Contents

    Contents Overview: Objects (209), User/Group (211), Addresses (219), Services (223), Schedules (227), AAA Server (229), Authentication Objects (235), Certificates (237), ISP Accounts (243), SSL Application (247), System (249), System (251), System Remote Management ...
  • Page 9: Introduction

    Introduction Command Line Interface (11) User and Privilege Modes (27) Registration (35)
  • Page 11: Command Line Interface

    Chapter 1 Command Line Interface This chapter describes how to access and use the CLI (Command Line Interface). 1.1 Overview If you have problems with your ZyWALL, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the ZyWALL and possibly render it unusable.
  • Page 12 Chapter 1 Command Line Interface The ZyWALL might force you to log out of your session if reauthentication time, lease time, or idle timeout is reached. See Chapter 24 on page 211 for more information about these settings. 1.2.1 Console Port The default settings for the console port are as follows.
  • Page 13 Chapter 1 Command Line Interface Enter the user name and password at the prompts. The default login username is admin and password is 1234. The username and password are case-sensitive. 1.2.2 Web Configurator Console Before you can access the CLI through the web configurator, make sure your computer supports the Java Runtime Environment.
  • Page 14 Chapter 1 Command Line Interface Figure 4 Web Console: User Name 5 Enter the user name you want to use to log in to the console. The console begins to connect to the ZyWALL. The default login username is admin. It is case-sensitive. Figure 5 Web Console: Connecting Then, the Password screen appears.
  • Page 15 Chapter 1 Command Line Interface Figure 7 Web Console 7 To use most commands in this User’s Guide, enter configure terminal. The prompt should change to Router(config)# 1.2.3 Telnet Use the following steps to Telnet into your ZyWALL. 1 If your computer is connected to the ZyWALL over the Internet, skip to the next step. Make sure your computer IP address and the ZyWALL IP address are on the same subnet.
  • Page 16 Chapter 1 Command Line Interface Figure 8 SSH Login Example C:\>ssh2 admin@192.168.1.1 Host key not found from database. Key fingerprint: xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex You can get a public key's fingerprint by running % ssh-keygen -F publickey.pub on the keyfile. Are you sure you want to continue connecting (yes/no)? yes Host key saved to C:/Documents and Settings/user/Application Data/SSH/ hostkeys/ ey_22_192.168.1.1.pub...
  • Page 17 Chapter 1 Command Line Interface 1.4.3 Command Summary This section lists the commands for the feature in one or more tables. 1.4.4 Command Examples (Optional) This section contains any examples for the commands in this feature. 1.4.5 Command Syntax The following conventions are used in this User’s Guide. •...
  • Page 18 Chapter 1 Command Line Interface Table 2 CLI Modes (continued) USER / PRIVILEGE / CONFIGURATION / SUB-COMMAND. What Limited-Admin users can do: user mode: look at system information (like Status screen); privilege mode: look at system information (like Status screen); configuration mode: unable to access; sub-command mode: unable to access; •...
  • Page 19 Chapter 1 Command Line Interface Figure 9 Help: Available Commands Example 1 Router> ? apply clear configure copy delete ------------------[Snip]-------------------- setenv show traceroute write Router> Figure 10 Help: Available Command Example 2 Router> show ? account address-object ------------------[Snip]-------------------- username users version vrrp zone...
  • Page 20 Chapter 1 Command Line Interface 1.6.3 Entering Partial Commands The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the ZyWALL automatically display the full command. For example, if you enter and press , the full command of config...
  • Page 21 Chapter 1 Command Line Interface 1.7 Input Values You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen.
  • Page 22 Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES / LEGAL VALUES. domain name: used in content filtering: lower-case letters, numbers, or .-; used in ip dns server: 0-247 characters, alphanumeric or .- (first character: alphanumeric or -); used in domainname, ip dhcp pool, and ip domain: 0-254 characters, alphanumeric or ._-...
  • Page 23 Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES / LEGAL VALUES. password (less than 15 chars): 1-15 characters, alphanumeric or `~!@#$%^&*()_\-+={}|\;:'<,>./; password (less than 8 chars): alphanumeric or ;/?:@&=+$\.-_!~*'()%,#$; password, used in user and ip ddns: 1-63 characters, alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./; used in e-mail log profile SMTP authentication...
  • Page 24 Chapter 1 Command Line Interface Table 3 Input-Value Formats for Strings in CLI Commands (continued) # VALUES / LEGAL VALUES. Used in content filtering redirect: starts with “http://” or “https://”, followed by alphanumeric or ;/?:@&=+$\.-_!~*'()%, characters; may contain one pound sign (#). Used in other content filtering commands: “http://”+ alphanumeric or ;/?:@&=+$\.-_!~*'()%,...
  • Page 25 Chapter 1 Command Line Interface Always save the changes before you log out after each management session. All unsaved changes will be lost after the system restarts. 1.10 Logging Out Enter the exit or end command in configure mode to go to privilege mode. Enter the exit command in user mode or privilege mode to log out of the CLI.
  • Page 27: User And Privilege Modes

    ‘user mode’. All commands can be run in ‘privilege mode’. The htm and psm commands are for ZyXEL’s internal manufacturing process. Table 4 User (U) and Privilege (P) Mode Commands COMMAND...
  • Page 28 enable: Goes from user mode to privilege mode. exit: Goes to a previous mode or logs out. htm: Goes to htm (hardware test module) mode. Note: These commands are for ZyXEL’s internal manufacturing process. interface: Dials or disconnects an interface. no packet-trace (U/P): Turns off packet tracing.
  • Page 29: Debug Commands

    Chapter 2 User and Privilege Modes 2.1.1 Debug Commands Debug commands marked with an asterisk (*) are not available when the debug flag is on and are for service personnel use only. The debug commands follow a syntax that is Linux-based, so if there is a Linux equivalent, it is displayed in this chapter for your reference.
  • Page 30 Chapter 2 User and Privilege Modes Table 5 Debug Commands (continued) COMMAND SYNTAX / DESCRIPTION / LINUX COMMAND EQUIVALENT. debug system ip route get ip_addr: Shows IP routing to the specified IP address (Linux equivalent: > ip route ...). debug system ip route show: Shows IP routing information. debug system ip route show table {default|local|main|num}: Shows IP routing tables...
  • Page 31: Status

    Chapter 3 Status This chapter explains some commands you can use to display information about the ZyWALL’s current operational state. You must use the configure terminal command before you can use these commands. Table 6 Status Show Commands COMMAND DESCRIPTION Displays details about the ZyWALL’s startup state.
  • Page 32 Chapter 3 Status Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size, and serial number. Router(config)# show fan-speed FAN1(F00)(rpm): limit(hi)=6500, limit(lo)=1400, max=6650, min=6642, avg=6644 FAN2(F01)(rpm): limit(hi)=6500, limit(lo)=1400, max=6809, min=6783, avg=6795 FAN3(F02)(rpm): limit(hi)=6500, limit(lo)=1400, max=6683, min=6666, avg=6674 FAN4(F03)(rpm): limit(hi)=6500, limit(lo)=1400, max=6633, min=6617, avg=6627 Router(config)# show mac MAC address: 28:61:32:89:37:61-28:61:32:89:37:67...
  • Page 33 Chapter 3 Status Here is an example of the command that displays the open ports. Router(config)# show socket open Proto Local_Address Foreign_Address State =========================================================================== 172.23.37.240:22 172.23.37.10:1179 ESTABLISHED 127.0.0.1:64002 0.0.0.0:0 0.0.0.0:520 0.0.0.0:0 0.0.0.0:138 0.0.0.0:0 0.0.0.0:138 0.0.0.0:0 0.0.0.0:138 0.0.0.0:0 0.0.0.0:138 0.0.0.0:0 0.0.0.0:138 0.0.0.0:0 0.0.0.0:138 0.0.0.0:0...
  • Page 34 Here are examples of the commands that display the system uptime and model, firmware, and build information. Router(config)# show system uptime system uptime: 13 days, 21:01:17 Router(config)# show version ZyXEL Communications Corp. model : ZyWALL 1050 firmware version: 2.00(XL.0)b3 BM version : 1.08...
  • Page 35: Registration

    AppPatrol, anti-virus, content filtering, and SSL VPN services using commands. 4.1 myZyXEL.com overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
  • Page 36 PIN number (license key) in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. If you were already using an iCard anti-virus subscription, any remaining time on your earlier subscription is automatically added to the new subscription.
  • Page 37 service-register service-type trial service all {kav|zav}: Activates all of the trial service subscriptions, including Kaspersky or ZyXEL anti-virus. service-register service-type trial service av {kav|zav}: Activates a Kaspersky or ZyXEL anti-virus trial service subscription. Changes from one anti-virus engine to the other.
  • Page 38 Chapter 4 Registration The following command displays the account information and whether the device is registered. Router# configure terminal Router(config)# show device-register status username : alexctsui password : 123456 device register status : yes expiration self check : no The following command displays the service registration status and type and how many days remain before the service expires.
  • Page 39 Chapter 4 Registration Table 9 Country Codes (continued) COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo, Democratic Republic of the...
  • Page 40 Chapter 4 Registration Table 9 Country Codes (continued) COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, Republic of Kuwait Kyrgyzstan Lao People’s Democratic Republic Latvia Lebanon Lesotho Liberia Liechtenstein Lithuania Luxembourg Macau Macedonia (Former Yugoslav Republic) Madagascar Malawi...
  • Page 41 Chapter 4 Registration Table 9 Country Codes (continued) COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME Senegal Seychelles Sierra Leone Singapore Slovak Republic Slovenia Solomon Islands Somalia South Africa South Georgia and the South Sandwich Islands Spain Sri Lanka St Pierre and Miquelon St.
  • Page 43: Network

    Network Interfaces (45) Trunks (75) Route (81) Routing Protocol (87) Zones (91) DDNS (95) Virtual Servers (99) HTTP Redirect (103) ALG (107)
  • Page 45: Interfaces

    Chapter 5 Interfaces This chapter shows you how to use interface-related commands. 5.1 Interface Overview In general, an interface has the following characteristics. • An interface is a logical entity through which (layer-3) packets pass. • An interface is bound to a physical port or another interface. •...
  • Page 46 Chapter 5 Interfaces • Virtual interfaces (IP alias) provide additional routing information in the ZyWALL. There are three types: virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces. • The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out.
  • Page 47 Chapter 5 Interfaces Table 11 Ethernet, VLAN, Bridge, PPP, and Virtual Interface Characteristics (ZyWALL USG 100 and 200 Models) (continued) CHARACTERISTICS ETHERNET ETHERNET ETHERNET VLAN BRIDGE PPP VIRTUAL DHCP client Routing metric Interface Parameters Bandwidth restrictions Packet size (MTU) Data size (MSS) DHCP DHCP server DHCP relay...
  • Page 48 Chapter 5 Interfaces ** - Cellular interfaces can be added to the WAN zone or no zone. 5.1.2 Relationships Between Interfaces In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports (or port groups). The relationships between interfaces are explained in the following table.
  • Page 49 Chapter 5 Interfaces 5.2 Interface Commands Summary The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 14 Input Values for General Interface Commands LABEL DESCRIPTION interface_name The name of the interface. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
  • Page 50 Chapter 5 Interfaces Table 15 interface Commands: Basic Properties and IP Address Assignment (continued) COMMAND DESCRIPTION [no] shutdown: Deactivates the specified interface. The no command activates it. [no] description description: Specifies the description for the specified interface. The no command clears the description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up...
  • Page 51: Interface Commands: Dhcp Settings

    Chapter 5 Interfaces Table 16 interface Commands: Interface Parameters (continued) COMMAND DESCRIPTION traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} bandwidth <0..1048576> priority <1..7> [maximize-...: Applies traffic priority when the interface sends TCP-ACK traffic, traffic for querying the content filter, traffic for resolving domain names, or encrypted traffic for an IPSec or SSL VPN tunnel.
  • Page 52 Chapter 5 Interfaces Table 17 interface Commands: DHCP Settings (continued) COMMAND DESCRIPTION [no] host ip: Specifies the static IP address the ZyWALL should assign. Use this command, along with hardware-address, to create a static DHCP entry. Note: The IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool.
  • Page 53 Chapter 5 Interfaces Table 17 interface Commands: DHCP Settings (continued) COMMAND DESCRIPTION [no] starting-address ip pool-size <1..65535>: Sets the IP start address and maximum pool size of the specified DHCP pool. The final pool size is limited by the subnet mask. Note: You must specify the network first, and the start address...
  • Page 54 5.2.3.1 DHCP Setting Command Examples The following example uses these commands to configure DHCP pool DHCP_TEST. Router# configure terminal Router(config)# ip dhcp pool DHCP_TEST Router(config-ip-dhcp-pool)# network 192.168.1.0 /24 Router(config-ip-dhcp-pool)# domain-name zyxel.com.tw Router(config-ip-dhcp-pool)# first-dns-server 172.23.5.1 Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns Router(config-ip-dhcp-pool)# third-dns-server 172.23.5.2 Router(config-ip-dhcp-pool)# default-router 192.168.1.1...
  • Page 55: Connectivity Check Commands

    Chapter 5 Interfaces 5.2.4 Connectivity Check (Ping-check) Commands Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the ZyWALL stops routing to the gateway.
  • Page 56 Chapter 5 Interfaces 5.2.4.1 Connectivity Check Command Example The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2. Router# configure terminal Router(config)# interface wan1 Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080 Router(config-if-wan1)# exit Router(config)# show ping-check...
  • Page 57 Chapter 5 Interfaces 5.2.5.2 RIP Commands This table lists the commands for RIP settings. Table 21 interface Commands: RIP Settings COMMAND DESCRIPTION router rip: Enters sub-command mode. [no] network interface_name: Enables RIP for the specified interface. The no command disables RIP for the specified interface. [no] passive-interface interface_name: Sets the RIP direction of the specified interface to in-only.
  • Page 58 Chapter 5 Interfaces Table 22 interface Commands: OSPF Settings (continued) COMMAND DESCRIPTION ip ospf authentication same-as-area: Makes OSPF authentication in the specified interface follow the settings in the corresponding area. [no] ip ospf authentication-key password: Sets the simple text password for OSPF text authentication in the specified interface.
  • Page 59 Chapter 5 Interfaces In CLI, representative interfaces are also called representative ports. Table 23 Basic Interface Setting Commands COMMAND DESCRIPTION show port-grouping: Displays which physical ports are assigned to each representative interface. port-grouping representative_interface port: Adds the specified physical port to the specified representative interface.
  • Page 60 Chapter 5 Interfaces 5.2.6.1 Port Grouping Command Examples The following commands add physical port 5 to representative interface ge1. Router# configure terminal Router(config)# show port-grouping No. Representative Name Port1 Port2 Port3 Port4 Port5 ========================================================= Router(config)# port-grouping ge1 Router(config-port-grouping)# port 5 Router(config-port-grouping)# exit Router(config)# show port-grouping No.
  • Page 61 Chapter 5 Interfaces This table lists the VLAN interface commands. Table 25 interface Commands: VLAN Interfaces COMMAND DESCRIPTION interface interface_name: Creates the specified interface if necessary and enters sub-command mode. [no] port interface_name: Specifies the Ethernet interface on which the VLAN interface runs.
  • Page 62 Chapter 5 Interfaces This table lists the bridge interface commands. Table 27 interface Commands: Bridge Interfaces COMMAND DESCRIPTION interface interface_name: Creates the specified interface if necessary and enters sub-command mode. [no] join interface_name: Adds the specified Ethernet interface or VLAN interface to the specified bridge.
  • Page 63 Chapter 5 Interfaces Table 29 interface Commands: PPPoE/PPTP Interfaces (continued) COMMAND DESCRIPTION interface interface_name: Creates the specified interface if necessary and enters sub-command mode. [no] connectivity {nail-up | dial-on-demand}: Specifies whether the specified PPPoE/PPTP interface is always connected (nail-up) or connected only when used (dial-on-demand).
  • Page 64 Chapter 5 Interfaces The following commands show you how to connect and disconnect ppp0. Router# interface dial ppp0 Router# interface disconnect ppp0 5.2.10 Auxiliary Interface Commands The first table below lists the auxiliary interface commands, and the second table explains the values you can input with these commands.
  • Page 65 Chapter 5 Interfaces Table 30 interface Commands: Auxiliary Interface (continued) COMMAND DESCRIPTION [no] description description: Specifies the description for the auxiliary interface. The no command clears the description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. Activates the auxiliary interface.
  • Page 66 Chapter 5 Interfaces 5.2.11.1 Virtual Interface Command Examples The following commands set up a virtual interface on top of Ethernet interface ge1. The virtual interface is named ge1:1 with the following parameters: IP 1.2.3.4, subnet 255.255.255.0, gateway 4.6.7.8, upstream bandwidth 345, downstream bandwidth 123, and description “I am vir interface”.
  • Page 67 Chapter 5 Interfaces Table 31 Cellular Interface Commands (continued) COMMAND DESCRIPTION [no] band {auto|wcdma|gsm}: Sets (or clears) the cellular band that the cellular interface uses. auto has the ZyWALL always use the fastest network that is in range. gsm has this interface only use a 2.5G or 2.75G network (respectively).
  • Page 68 Chapter 5 Interfaces 5.4.1 Cellular Interface Command Examples This example shows the configuration of a cellular interface named cellular2 for use with a Sierra Wireless AC850 3G card. It uses only a 3G (or 3.5G) connection, PIN code 1234, an MTU of 1200 bytes, a description of "This is cellular2”...
  • Page 69 Chapter 5 Interfaces Table 32 WLAN General Commands (continued) COMMAND DESCRIPTION [no] ctsrts <256..2346>: Sets the Clear To Send/Request To Send threshold. CTS/RTS reduces data collisions caused by wireless clients that are associated with the same AP but out of range of one another.
  • Page 70 Chapter 5 Interfaces Table 33 WLAN Interface Commands (continued) COMMAND DESCRIPTION ssid ssid: Sets the SSID (Service Set IDentity). This identifies the Service Set with which a wireless station is associated. Wireless stations associating to the ZyWALL must have the same SSID. ssid: Use up to 32 printable 7-bit ASCII characters as a name for the wireless LAN.
  • Page 71 Chapter 5 Interfaces Table 33 WLAN Interface Commands (continued) COMMAND DESCRIPTION security external auth ip port <1..65535>: Sets the IP address and port number of an external authentication (RADIUS) server. group-key <30..30000>: Sets the WPA2 group key update timer. This is the interval in...
  • Page 72 Chapter 5 Interfaces Table 33 WLAN Interface Commands (continued) COMMAND DESCRIPTION [no] ping-check: See Section 5.2.4 on page 55 for the interface ping check commands. traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} bandwidth...: Applies traffic priority when the interface sends TCP-ACK traffic, traffic for querying the content filter, traffic for resolving domain names, or encrypted traffic for an IPSec or SSL VPN...
  • Page 73 Chapter 5 Interfaces 5.5.3.1 WLAN MAC Filter Commands Example This example creates a MAC filter entry for MAC address 01:02:03:04:05:06 and sets the ZyWALL to allow wireless access from that entry’s MAC address only. Router(config)# wlan mac-filter 01:02:03:04:05:06 description example Router(config)# wlan mac-filter associate allow Router(config)# wlan mac-filter activate Router(config)# show wlan mac-filter status...
  • Page 75: Trunks

    Chapter 6 Trunks This chapter shows you how to configure trunks on your ZyWALL. 6.1 Trunks Overview You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface’s connection goes down, the ZyWALL sends traffic through another member of the trunk.
  • Page 76 Chapter 6 Trunks 6.3 Trunk Commands Input Values The following table explains the values you can input with the interface-group commands. Table 35 interface-group Command Input Values LABEL DESCRIPTION group_name: A descriptive name for the trunk. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number.
  • Page 77 Chapter 6 Trunks 6.5 Trunk Command Examples The following example creates a weighted round robin trunk for Ethernet interfaces ge1 and ge2. The ZyWALL sends twice as much traffic through ge1. Router# configure terminal Router(config)# interface-group wrr-example Router(if-group)# mode trunk Router(if-group)# algorithm wrr Router(if-group)# interface 1 ge1 weight 2 Router(if-group)# interface 2 ge2 weight 1...
  • Page 78 Chapter 6 Trunks 6.6 Link Sticking You can have the ZyWALL send each local computer’s traffic through a single WAN interface for a specified period of time. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file. If the user’s subsequent sessions came from a different WAN IP address, the file server would deny the request.
  • Page 79 Chapter 6 Trunks 6.7 Link Sticking Commands Summary The following table lists the ip load-balancing link-sticking commands for link sticking. (The link sticking commands have the prefix ip load-balancing because they affect the ZyWALL’s load balancing behavior.) You must use the configure command to enter the configuration mode before you can use these commands.
  • Page 81: Route

    Chapter 7 Route This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL. 7.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet.
  • Page 82 Chapter 7 Route Table 38 Input Values for General Policy Route Commands (continued) LABEL DESCRIPTION schedule_object: The name of the schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 83 Chapter 7 Route Table 39 Command Summary: Policy Route (continued) COMMAND DESCRIPTION [no] source {address_object|any}: Sets the source IP address that the matched packets must have. The no command resets the source IP address to the default (any means all IP addresses). [no] sslvpn tunnel_name: Sets the incoming interface to an SSL VPN tunnel.
  • Page 84 Chapter 7 Route 7.2.1 Policy Route Command Example The following commands set a policy that routes the packets (with the source IP address TW_SUBNET and any destination IP address) through the interface ge1 to the next-hop router GW_1. This route uses the IP address of the outgoing interface as the matched packets’ source IP address.
  • Page 85 Chapter 7 Route Figure 15 Example of Static Routing Topology 7.4 Static Route Commands The following table describes the commands available for static route. You must use the configure terminal command to enter the configuration mode before you can use these commands.
  • Page 87: Routing Protocol

    Chapter 8 Routing Protocol This chapter describes how to set up RIP and OSPF routing protocols for the ZyWALL. 8.1 Routing Protocol Overview Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL then stores this routing information in the routing table, which it uses when it makes routing decisions.
  • Page 88 Chapter 8 Routing Protocol 8.2.1 RIP Commands This table lists the commands for RIP. Table 43 router Commands: RIP COMMAND DESCRIPTION router rip: Enters sub-command mode. [no] network interface_name: Enables RIP on the specified Ethernet interface. The no command disables RIP on the specified interface.
  • Page 89 Chapter 8 Routing Protocol Table 44 router Commands: General OSPF Configuration (continued) COMMAND DESCRIPTION [no] passive-interface interface_name: Sets the direction to “In-Only” for the specified interface. The no command sets the direction to “BiDir”. [no] router-id IP: Sets the 32-bit ID (in IP address format) of the ZyWALL.
  • Page 90 Chapter 8 Routing Protocol Table 46 router Commands: Virtual Links in OSPF Areas (continued) COMMAND DESCRIPTION [no] area IP virtual-link IP authentication message-digest: Enables MD5 authentication in the specified virtual link. The no command disables authentication in the specified virtual link. [no] area IP virtual-link IP ...: Sets the password for text authentication in the specified virtual link.
  • Page 91: Zones

    Chapter 9 Zones Set up zones to configure network security and network policies in the ZyWALL. 9.1 Zones Overview A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management.
  • Page 92 Chapter 9 Zones 9.2 Zone Commands Summary The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands. Table 48 Input Values for Zone Commands LABEL DESCRIPTION profile_name: The name of a zone, or the name of a VPN tunnel. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-).
  • Page 93 Chapter 9 Zones 9.2.1 Zone Command Examples The following commands add Ethernet interfaces ge1 and ge2 to zone A and block intra-zone traffic. Router# configure terminal Router(config)# zone A Router(zone)# interface ge1 Router(zone)# interface ge2 Router(zone)# block Router(zone)# exit Router(config)# show zone No.
  • Page 95: Ddns

    Chapter 10 DDNS This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL. 10.1 DDNS Overview DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address.
  • Page 96 Chapter 10 DDNS 10.2 DDNS Commands Summary The following table describes the values required for many DDNS commands. Other values are discussed with the corresponding commands. Table 51 Input Values for DDNS Commands LABEL DESCRIPTION profile_name: The name of the DDNS profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 97 Chapter 10 DDNS Table 52 ip ddns Commands (continued) COMMAND DESCRIPTION [no] wan-iface interface_name: Sets the WAN interface in the specified DDNS profile. The no command clears it. [no] backup-iface interface_name: Sets the backup WAN interface in the specified DDNS profile. The no command clears it.
  • Page 99: Virtual Servers

    CHAPTER 11 Virtual Servers This chapter describes how to set up, manage, and remove virtual servers. 11.1 Virtual Server Overview Virtual server is also known as port forwarding or port translation. Virtual servers are computers on a private network behind the ZyWALL that you want to make available outside the private network.
  • Page 100 Chapter 11 Virtual Servers Table 54 ip virtual-server Commands (continued) COMMAND DESCRIPTION ip virtual-server profile_name interface interface_name original-ip {any | ip | address_object} [netmask subnet_mask] map-to …: Creates or modifies the specified virtual server and maps the specified destination IP address (for all destination ports) to the specified destination address object or IP address.
  • Page 101 Chapter 11 Virtual Servers The following command shows information about all the virtual servers in the ZyWALL. Router(config)# show ip virtual-server virtual server: WAN-LAN_H323 active: yes NAT-loopback active: yes interface: wan1 original IP: 10.0.0.8, netmask: 255.255.255.255, mapped IP: 192.168.1.56 mapping type: port, protocol type: tcp original service: none, mapped service: none original start port: 1720, original end port: none mapped start port: 1720, mapped end port: none...
  • Page 103: Http Redirect

    CHAPTER 12 HTTP Redirect This chapter shows you how to configure HTTP redirection on your ZyWALL. 12.1 HTTP Redirect Overview HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. 12.1.1 Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
  • Page 104 Chapter 12 HTTP Redirect 12.2 HTTP Redirect Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 55 Input Values for HTTP Redirect Commands LABEL DESCRIPTION description: The name to identify the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 105 Chapter 12 HTTP Redirect 12.2.1 HTTP Redirect Command Examples The following commands create an HTTP redirect rule, disable it and display the settings. Router# configure terminal Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80 Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80 deactivate Router(config)# show ip http-redirect Name...
  • Page 107 CHAPTER 13 ALG This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. 13.1 ALG Introduction The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL’s NAT.
  • Page 108 Chapter 13 ALG 13.2 ALG Commands The following table lists the commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 57 alg Commands COMMAND DESCRIPTION [no] alg sip [(signal-port <1025..65535>) | (signal-extra-…: Turns on or configures the ALG. Use signal-port with a listening port number (1025...
  • Page 109: Firewall

    Firewall Firewall (111)
  • Page 111 CHAPTER 14 Firewall This chapter introduces the ZyWALL’s firewall and shows you how to configure your ZyWALL’s firewall. 14.1 Firewall Overview The ZyWALL’s firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
  • Page 112 Chapter 14 Firewall Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the schedule, user name (user’s login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them).
  • Page 113 Chapter 14 Firewall Table 59 Command Summary: Firewall (continued) COMMAND DESCRIPTION action <allow|deny|reject>: Sets the action the ZyWALL takes when packets match this rule. [no] activate: Enables a firewall rule. The no command disables the firewall rule. [no] description description: Sets a descriptive name (up to 60 printable ASCII characters) for a firewall rule.
  • Page 114 Chapter 14 Firewall Table 59 Command Summary: Firewall (continued) COMMAND DESCRIPTION firewall zone_object {zone_object|ZyWALL} delete <1..5000>: Removes a direction specific through-ZyWALL rule or to-ZyWALL rule. <1..5000>: the index number in a direction specific firewall rule list. firewall zone_object {zone_object|ZyWALL} flush: Removes all direction specific through-ZyWALL rules or to-ZyWALL rules.
  • Page 115 Chapter 14 Firewall • Set the destination IP address(es). • Set the service to which this rule applies. • Set the action the ZyWALL is to take on packets which match this rule. Router# configure terminal Router(config)# service-object MyService tcp eq 1234 Router(config)# address-object Dest_1 10.0.0.10-10.0.0.15 Router(config)# firewall insert 3 Router(firewall)# from WAN...
  • Page 116 Chapter 14 Firewall 14.3 Session Limit Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 60 Input Values for General Session Limit Commands LABEL DESCRIPTION rule_number: The priority number of a session limit rule, 1 - 1000. The name of the IP address (group) object.
  • Page 117 Chapter 14 Firewall Table 61 Command Summary: Session Limit (continued) COMMAND DESCRIPTION show session-limit: Shows the session-limit configuration. show session-limit begin rule_number end rule_number: Shows the settings for a range of session-limit rules. show session-limit rule_number: Shows the session-limit rule’s settings. Shows the general session-limit settings.
  • Page 119 IPSec VPN (121) SSL VPN (129) L2TP VPN (133)
  • Page 121: Ipsec Vpn

    CHAPTER 15 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. 15.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing.
  • Page 122 Chapter 15 IPSec VPN Figure 19 VPN: IKE SA and IPSec SA In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
  • Page 123 Chapter 15 IPSec VPN Table 62 Input Values for IPSec VPN Commands (continued) LABEL DESCRIPTION distinguished_name: A domain name. You can use up to 511 alphanumeric characters, spaces, or .@=,_- characters. sort_order: Sort the list of currently connected SAs by one of the following classifications.
  • Page 124 Chapter 15 IPSec VPN Table 63 isakmp Commands: IKE SAs (continued) COMMAND DESCRIPTION peer-ip {ip | domain_name} [ip | domain_name]: Sets the remote gateway address(es) to the specified IP address(es) or domain name(s). authentication {pre-share | rsa-sig}: Specifies whether to use a pre-shared key or a certificate for authentication.
  • Page 125 Chapter 15 IPSec VPN Table 64 crypto Commands: IPSec SAs (continued) COMMAND DESCRIPTION [no] crypto map map_name: Creates the specified IPSec SA if necessary and enters sub-command mode. The no command deletes the specified IPSec SA. crypto map rename map_name map_name: Renames the specified IPSec SA (first map_name) to the specified name (second map_name).
  • Page 126 Chapter 15 IPSec VPN Table 64 crypto Commands: IPSec SAs (continued) COMMAND DESCRIPTION [no] policy-enforcement: Drops traffic whose source and destination IP addresses do not match the local and remote policy. This makes the IPSec SA more secure. The no command allows traffic whose source and destination IP addresses do not match the local and remote policy.
  • Page 127 Chapter 15 IPSec VPN 15.2.3 IPSec SA Commands (for Manual Keys) This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys). Table 65 crypto map Commands: IPSec SAs (Manual Keys) COMMAND DESCRIPTION crypto map map_name set session-key {ah <256..4095>...: Sets the active protocol, SPI (<256..4095>), ...
  • Page 128 Chapter 15 IPSec VPN Table 66 vpn-concentrator Commands: VPN Concentrator (continued) COMMAND DESCRIPTION [no] crypto map_name: Adds the specified IPSec SA to the specified VPN concentrator. The no command removes the specified IPSec SA from the specified VPN concentrator. vpn-concentrator rename profile_name profile_name: Renames the specified VPN concentrator (first profile_name) to the specified name (second profile_name...
  • Page 129 CHAPTER 16 SSL VPN This chapter shows you how to set up secure SSL VPN access for remote user login. 16.1 SSL Access Policy An SSL access policy allows the ZyWALL to perform the following tasks: •...
  • Page 130 Chapter 16 SSL VPN Table 68 Input Values for SSL VPN Commands (continued) LABEL DESCRIPTION application_object: The name of an SSL application object. You may use up to 31 characters (“0-9”, “a-z”, “A-Z”, “-” and “_”). No spaces are allowed. The name of a user (group).
  • Page 131 Chapter 16 SSL VPN Table 69 SSL VPN Commands COMMAND DESCRIPTION show workspace application: Displays the SSLVPN resources available to each user when logged into SSLVPN. show workspace cifs: Displays the shared folders available to each user when logged into SSLVPN.
  • Page 133: L2Tp Vpn

    CHAPTER 17 L2TP VPN This chapter explains how to set up and maintain L2TP VPNs in the ZyWALL. 17.1 L2TP VPN Overview L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’...
  • Page 134 Chapter 17 L2TP VPN • Not be a manual key VPN connection. • Use Pre-Shared Key authentication. • Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address. 17.2.1 Using the Default L2TP VPN Connection Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN.
  • Page 135 Chapter 17 L2TP VPN 17.4 L2TP VPN Commands The following table describes the values required for some L2TP VPN commands. Other values are discussed with the corresponding commands. Table 70 Input Values for L2TP VPN Commands LABEL DESCRIPTION address_object: The name of an IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a...
  • Page 136 Chapter 17 L2TP VPN Table 71 L2TP VPN Commands COMMAND DESCRIPTION l2tp-over-ipsec authentication aaa authentication profile_name: Specifies how the ZyWALL authenticates a remote user before allowing access to the L2TP VPN tunnel. The authentication method has the ZyWALL check a user’s user name and password against the ZyWALL’s local database, a remote LDAP, RADIUS, or Active Directory server, or more than one of these.
  • Page 137 Chapter 17 L2TP VPN Figure 22 L2TP VPN Example 172.23.37.205 L2TP_POOL: 192.168.10.10~192.168.10.20 LAN_SUBNET: 192.168.1.1/24 • The ZyWALL has a static IP address of 172.23.37.205 for the ge3 interface. • The remote user has a dynamic public IP address and connects through the Internet. •...
  • Page 138 Chapter 17 L2TP VPN • For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0. It is named L2TP_HOST in this example. Router(config)# crypto map Default_L2TP_VPN_Connection Router(config-crypto Default_L2TP_VPN_Connection)# policy-enforcement Router(config-crypto Default_L2TP_VPN_Connection)# local-policy L2TP_IFACE Router(config-crypto Default_L2TP_VPN_Connection)# remote-policy L2TP_HOST Router(config-crypto Default_L2TP_VPN_Connection)# activate Router(config-crypto Default_L2TP_VPN_Connection)# exit...
  • Page 139 Chapter 17 L2TP VPN • Enable the policy route. Router(config)# policy 3 Router(policy-route)# source LAN_SUBNET Router(policy-route)# destination L2TP_POOL Router(policy-route)# service any Router(policy-route)# next-hop tunnel Default_L2TP_VPN_Connection Router(policy-route)# no deactivate Router(policy-route)# exit Router(config)# show policy-route 3 index: 3 active: yes description: WIZ_VPN user: any schedule: none interface: ge1 tunnel: none...
  • Page 141: Application Patrol

    Application Patrol Application Patrol (143)
  • Page 143 CHAPTER 18 Application Patrol This chapter describes how to set up application patrol for the ZyWALL. 18.1 Application Patrol Overview Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, http and ftp) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications.
  • Page 144 Chapter 18 Application Patrol 18.2 Application Patrol Commands Summary The following table describes the values required for many application patrol commands. Other values are discussed with the corresponding commands. Table 72 Input Values for Application Patrol Commands LABEL DESCRIPTION protocol_name: The name of a pre-defined application. These are listed by category. smtp pop3...
  • Page 145 Chapter 18 Application Patrol Table 73 app Commands: Pre-Defined Applications (continued) COMMAND DESCRIPTION [no] app protocol_name defaultport <1..65535>: For port-based applications. Adds the specified port to the list of ports used to identify the specified application. This port number can only be included in one application’s list.
  • Page 146 Chapter 18 Application Patrol Table 74 app Commands: Rules in Pre-Defined Applications (continued) COMMAND DESCRIPTION show: Displays the rule’s configuration. no app protocol_name rule rule_number: Deletes the specified rule. app protocol_name rule move rule_number to …: Moves the specified rule (first index) to the specified location.
  • Page 147 Chapter 18 Application Patrol Table 76 app Commands: Rules in Other Applications (continued) COMMAND DESCRIPTION bandwidth {inbound|outbound} <0..1048576>: Limits inbound or outbound bandwidth, in kilobits per second. 0 disables bandwidth management for traffic matching this rule. [no] bandwidth excess-usage: Enables maximize bandwidth usage to let the traffic matching this policy “borrow”...
  • Page 148 Chapter 18 Application Patrol Table 77 app Commands: Pre-Defined Applications (continued) COMMAND DESCRIPTION show app all defaultport: Displays the default port settings for all applications. show app all statistics: Displays statistics for all applications. show app {general|im|p2p|stream}: Displays protocols by category. show app im support action: Displays the supported actions of each Instant Messenger application.
  • Page 149 Chapter 18 Application Patrol Router# configure terminal Router(config)# show app http config application: http active: yes mode: portless default access: forward bandwidth graph: yes Router# configure terminal Router(config)# show app http defaultport Port =========================================================================== Router# configure terminal Router(config)# show app http rule all index: default activate: yes port: 0...
  • Page 150 Chapter 18 Application Patrol Router# configure terminal Router(config)# show app other rule all index: 1 activate: yes port: 5963 schedule: none user: any from zone: any to zone: any source address: any destination address: any protocol: tcp access: forward bandwidth excess-usage: no bandwidth priority: 1 bandwidth inbound: 0 bandwidth outbound: 0...
  • Page 151: Anti-X

    Anti-X Anti-Virus (153) IDP Commands (161) Content Filtering (179) Anti-Spam (189)
  • Page 153: Anti-Virus

    CHAPTER 19 Anti-Virus This chapter introduces and shows you how to configure the anti-virus scanner. 19.1 Anti-Virus Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself.
  • Page 154 Chapter 19 Anti-Virus 19.2.1 General Anti-virus Commands The following table describes general anti-virus commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. You must register for the anti-virus service before you can use it (see Chapter 4 on page 35).
  • Page 155 Chapter 19 Anti-Virus Table 80 Commands for Zone to Zone Anti-Virus Rules (continued) COMMAND DESCRIPTION anti-virus rule <1..32>: Enters the anti-virus sub-command mode to edit the specified direction specific rule. [no] activate: Turns a direction specific anti-virus rule on or off. [no] log [alert]: Sets the ZyWALL to create a log (and optionally an alert) when packets match this rule and are found to be virus-...
  • Page 156 Chapter 19 Anti-Virus 19.2.2.1 Zone to Zone Anti-virus Rule Example This example shows how to configure (and display) a WAN to LAN antivirus rule to scan HTTP traffic and destroy infected files. The white and black lists are ignored and zipped files are decompressed.
  • Page 157 Chapter 19 Anti-Virus Table 81 Commands for Anti-virus White and Black Lists (continued) COMMAND DESCRIPTION [no] anti-virus black-list activate: Turns on the black list to log and delete files with names that match the black list patterns. [no] anti-virus black-list file-pattern …: Adds or removes a black list file pattern. Turns a file pattern on or off.
  • Page 158 Chapter 19 Anti-Virus 19.2.4 Signature Search Anti-virus Command The following table describes the command for searching for signatures. You must use the configure terminal command to enter the configuration mode before you can use this command. Table 82 Command for Anti-virus Signature Search COMMAND DESCRIPTION Search for signatures by their ID, name, severity, or...
  • Page 159 Chapter 19 Anti-Virus 19.3.1 Update Signature Examples These examples show how to enable/disable automatic anti-virus downloading, schedule updates, display the schedule, display the update status, show the (new) updated signature version number, show the total number of signatures and show the date/time the signatures were created.
  • Page 160 Chapter 19 Anti-Virus 19.4.1 Anti-virus Statistics Example This example shows how to collect and display anti-virus statistics. It also shows how to sort the display by the most common destination IP addresses. Router(config)# anti-virus statistics collect Router(config)# show anti-virus statistics collect collect statistics: yes Router(config)# show anti-virus statistics summary file scanned...
  • Page 161: Idp Commands

    CHAPTER 20 IDP Commands This chapter introduces IDP-related commands. 20.1 Overview Commands mostly mirror web configurator features. It is recommended you use the web configurator for IDP features such as searching for web signatures, creating/editing an IDP profile or creating/editing a custom signature.
  • Page 162 Chapter 20 IDP Commands This table shows the IDP signature, anomaly, and system-protect activation commands. Table 86 IDP Activation COMMAND DESCRIPTION [no] idp use {signature | anomaly | …: Enables IDP signatures, anomaly detection, and/or system-protect. IDP signatures require IDP service registration. If you don’t have a standard license, you can register for a once-off trial one.
  • Page 163 Chapter 20 IDP Commands Table 87 Global Profile Commands COMMAND DESCRIPTION show idp signature base profile {all|none|wan|lan|dmz} settings: Lists the specified signature base profile’s settings. Use |more to display the settings page by page. show idp profiles: Displays all IDP signature profiles. 20.3.1.1 Example of Global Profile Commands In this example we rename an IDP signature profile from “old_profile”...
  • Page 164 Chapter 20 IDP Commands 20.3.2.1 Example of IDP Zone to Zone Rule Commands The following example creates IDP zone to zone rule one. The rule applies the LAN_IDP profile to all traffic going to the LAN zone. Router# configure terminal Router(config)# idp signature rule 1 Router(config-idp-signature-1)# Router(config-idp-signature-1)# exit...
  • Page 165 Chapter 20 IDP Commands 20.3.4 Editing/Creating Anomaly Profiles Use these commands to create a new anomaly profile or edit an existing one. It is recommended you use the web configurator to create/edit profiles. If you do not specify a base profile, the default base profile is none.
  • Page 166 Chapter 20 IDP Commands Table 90 Editing/Creating Anomaly Profiles (continued) COMMAND DESCRIPTION [no] scan-detection open-port {activate | log [alert] | block}: Activates or deactivates open port scan detection options. Also sets open port scan-detection logs or alerts and blocking. The no command deactivates open port scan detection, its logs, alerts or blocking.
  • Page 167 Chapter 20 IDP Commands Table 90 Editing/Creating Anomaly Profiles (continued) COMMAND DESCRIPTION [no] icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} activate: Activates or deactivates icmp decoder options. icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} log [alert]: Sets icmp decoder log or alert options. Deactivates icmp decoder log options.
  • Page 168 Chapter 20 IDP Commands Table 90 Editing/Creating Anomaly Profiles (continued) COMMAND DESCRIPTION show idp anomaly profile http-inspection {ascii-encoding | u-encoding | bare-byte-unicode-encoding | base36-encoding | utf-8-encoding | iis-unicode-codepoint-encoding | multi-slash-encoding | iis-backslash-evasion | self-directory-traversal | directory-traversal | apache-whitespace | non-rfc-http-delimiter | non-...: Shows http-inspection settings for the specified IDP profile.
  • Page 169 Chapter 20 IDP Commands 20.3.5 Editing System Protect Use these commands to edit the system protect profiles. Table 91 Editing System Protect Profiles COMMAND DESCRIPTION idp system-protect: Configures the system protect profile. Enters sub-command mode. All the following commands relate to the new profile. Use exit to quit sub-command mode.
  • Page 170 Chapter 20 IDP Commands Table 92 Signature Search Command COMMAND DESCRIPTION show idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask: Searches for signature(s) in a profile by the parameters specified. The quoted string is any text within the signature name in quotes, for example, [idp search LAN_IDP name "WORM"...
  • Page 171 Chapter 20 IDP Commands The following table displays the command line service and action equivalent values. If you want to combine services in a search, then add their respective numbers together. For example, to search for signatures for DNS, Finger and FTP services, then type “7” as the service parameter.
  • Page 172 Chapter 20 IDP Commands You must use the web configurator to import a custom signature file. Table 95 Custom Signatures COMMAND DESCRIPTION idp customize signature quoted_string: Creates a new custom signature. The quoted string is the signature command string enclosed in quotes.
  • Page 173 Chapter 20 IDP Commands This example shows you how to edit a custom signature. Router(config)# idp customize signature edit "alert tcp any any <> any any (msg : \"test edit\"; sid: 9000000 ; )" sid: 9000000 message: test edit policy type: severity: platform: all: no...
  • Page 174 Chapter 20 IDP Commands This example shows you how to display custom signature contents. Router(config)# show idp signatures custom-signature 9000000 contents sid: 9000000 Router(config)# show idp signatures custom-signature 9000000 non-contents sid: 9000000 ack: dport: 0 dsize: dsize_rel: flow_direction: flow_state: flow_stream: fragbits_reserve: fragbits_dontfrag: fragbits_morefrag:...
  • Page 175 Chapter 20 IDP Commands This example shows you how to display all details of a custom signature. Router(config)# show idp signatures custom-signature all details sid: 9000000 message: test edit policy type: severity: platform: all: no Win95/98: no WinNT: no WinXP/2000: no Linux: no FreeBSD: no Solaris: no...
  • Page 176 Chapter 20 IDP Commands Table 96 Update Signatures COMMAND DESCRIPTION show idp {signature | system-protect} update: Displays signature update schedule. show idp {signature | system-protect} update status: Displays signature update status. show idp {signature | system-protect} signatures {version | date | number}: Displays signature information. 20.5.1 Update Signature Examples These examples show how to enable/disable automatic IDP downloading, schedule updates, display the schedule, display the update status, show the (new) updated signature version...
  • Page 177 Chapter 20 IDP Commands Table 97 Commands for IDP Statistics (continued) COMMAND DESCRIPTION show idp statistics collect: Displays whether the collection of IDP statistics is turned on or off. show idp statistics ranking {signature-…: Query and sort the IDP statistics entries by signature name, source IP address, or destination IP address.
  • Page 179: Content Filtering

    CHAPTER 21 Content Filtering This chapter covers how to use the content filtering feature to control web access. 21.1 Content Filtering Overview Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites.
  • Page 180 Chapter 21 Content Filtering Figure 23 Content Filtering Lookup Procedure 1 A computer behind the ZyWALL tries to access a web site. 2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site’s category will be in the ZyWALL’s cache.
  • Page 181 “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, etc. Use up to 63 case-insensitive characters (0-9a-z-). You can enter a single IP address in dotted decimal notation like 192.168.2.5. You can enter a subnet by entering an IP address in dotted decimal notation followed by a slash and the bit number of the subnet mask of an IP address.
  • Page 182 Chapter 21 Content Filtering Table 98 Content Filter Command Input Values (continued) LABEL DESCRIPTION rating_server: The hostname or IP address of the rating server. query_timeout: The value specifies the maximum querying time when rating a URL in zysh. <1..60> seconds. The following table lists the content filtering web category names.
  • Page 183 Chapter 21 Content Filtering 21.6 General Content Filter Commands The following table lists the commands that you can use for general content filter configuration such as enabling content filtering, viewing and ordering your list of content filtering policies, creating a denial of access message or specifying a redirect URL and checking your external web filtering service registration status.
  • Page 184 Chapter 21 Content Filtering Table 100 content-filter General Commands (continued) COMMAND DESCRIPTION show content-filter settings: Displays the general content filtering settings. show content-filter url-cache: Displays the contents of the content filtering URL cache before discarding it. 21.7 Content Filter Filtering Profile Commands The following table lists the commands that you can use to configure a content filtering policy.
  • Page 185 Chapter 21 Content Filtering Table 101 content-filter Filtering Profile Commands Summary (continued) COMMAND DESCRIPTION [no] content-filter profile filtering_profile custom trust-only: Sets a content filtering profile to only allow access to web sites that are on the trusted list. The no command has the profile allow access to web sites that are not on the trusted list.
  • Page 186 Chapter 21 Content Filtering Use the configure terminal command to enter the configuration mode to be able to use these commands. See Table 98 on page 180 for details about the values you can input with these commands. Table 102 content-filter cache Cache Commands COMMAND DESCRIPTION Sets how long the ZyWALL is to keep an entry in...
  • Page 187 Chapter 21 Content Filtering 1 First, create a sales address object. This example uses a subnet that covers IP addresses 172.21.3.1 to 172.21.3.254. 2 Then create a schedule for all day. 3 Create a filtering profile for the group. 4 You can use the following commands to block sales from accessing adult and pornography websites.
  • Page 188 Chapter 21 Content Filtering Use this command to display the settings of the profile. Router(config)# show content-filter profile sales_CF_PROFILE service active : yes url match : block: no, log: url unrate : block: no, log: service offline: block: no, log: category settings: Adult/Mature Content no, Pornography...
  • Page 189: Anti-Spam

    CHAPTER 22 Anti-Spam This chapter introduces and shows you how to configure the anti-spam scanner. 22.1 Anti-Spam Overview The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.
  • Page 190 Chapter 22 Anti-Spam 22.2.1.1 Activate/Deactivate Anti-Spam Example This example shows how to activate and deactivate anti-spam on the ZyWALL. Router# configure terminal Router(config)# anti-spam activate Router(config)# show anti-spam activation anti-spam activation: yes Router(config)# no anti-spam activate Router(config)# show anti-spam activation anti-spam activation: no Router(config)# 22.2.2 Zone to Zone Anti-spam Rules...
  • Page 191 Chapter 22 Anti-Spam 22.2.2.1 Zone to Zone Anti-spam Rule Example This example shows how to configure (and display) a WAN to DMZ anti-spam rule to scan POP3 and SMTP traffic. SMTP spam is forwarded. POP3 spam is marked with a spam tag. The ZyWALL logs the event when an e-mail matches the DNSBL (see Section 22.2.4 on page for more on DNSBL).
  • Page 192 Chapter 22 Anti-Spam Table 107 Input Values for White and Black list Anti-Spam Commands (continued) LABEL DESCRIPTION rule_number: The index number of an anti-spam white or black list entry. 1 - X where X is the highest number of entries the ZyWALL model supports. See the ZyWALL’s User’s Guide for details.
  • Page 193 Chapter 22 Anti-Spam Table 108 Commands for Anti-spam White and Black Lists (continued) COMMAND DESCRIPTION show anti-spam black-list [status]: Displays the current anti-spam black list. Use status to show the activation status only. show anti-spam tag black-list: Shows the configured anti-spam black list tag. 22.2.3.1 White and Black Lists Example This example shows how to configure and enable white list entries for e-mails with...
  • Page 194 Chapter 22 Anti-Spam The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 109 Input Values for DNSBL Commands LABEL DESCRIPTION dnsbl_domain: A domain that is maintaining a DNSBL. You may use 0-254 alphanumeric characters, or dashes (-).
  • Page 195 Chapter 22 Anti-Spam Table 110 DNSBL Commands COMMAND DESCRIPTION show anti-spam tag {dnsbl | dnsbl-timeout}: dnsbl displays the anti-spam tag for e-mails that have a sender or relay IP address in the header that matches a blacklist maintained by a DNSBL domain. dnsbl-timeout displays the message or label to add to the mail subject of e-mails that the ZyWALL forwards if queries to the DNSBL domains time out.
  • Page 196 Chapter 22 Anti-Spam
Router(config)# anti-spam dnsbl domain DNSBL-example.com activate
Router(config)# show anti-spam dnsbl domain
Status Domain
===========================================================================
DNSBL-example.com
Router(config)# anti-spam dnsbl activate
Router(config)# show anti-spam dnsbl status
anti-spam dnsbl status: yes
Router(config)# anti-spam dnsbl query-timeout pop3 forward-with-tag
Router(config)# show anti-spam dnsbl query-timeout pop3
dnsbl query timeout action: forward-with-tag
Router(config)# anti-spam dnsbl max-query-ip 4...
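The DNSBL lookup that the commands above configure, shown as an added example (illustrative code, not ZyXEL's implementation). It assumes the conventional DNSBL query form of RFC 5782 (the sender IP's octets reversed under the list's domain, an answer in 127.0.0.0/8 meaning "listed"), models the max-query-ip and query-timeout settings from the example, and takes an injectable resolver so the demo runs offline against a constructed zone; dnsbl-example.com, slow-example.com and the listed address 1.2.3.4 are made up.

```python
"""DNSBL check of the kind the anti-spam scanner performs (added example,
not ZyXEL code).  Convention per RFC 5782: reverse the sender IP's octets,
look the name up under the DNSBL domain, treat an A record in 127.0.0.0/8
as "listed" and NXDOMAIN as "not listed"."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a query name to its A record, or None for NXDOMAIN, and
# raises socket.timeout / TimeoutError when the query times out.
Resolver = Callable[[str], Optional[str]]
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, dnsbl_domain: str) -> str:
    """1.2.3.4 + dnsbl-example.com -> 4.3.2.1.dnsbl-example.com"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + dnsbl_domain.rstrip(".")


def system_resolver(name: str) -> Optional[str]:
    """Resolver backed by the OS stub resolver (for real use, not the demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_mail(header_ips: Iterable[str], dnsbl_domains: Iterable[str],
               resolver: Resolver, max_query_ip: int = 4,
               timeout_action: str = "forward-with-tag") -> Dict[str, Optional[str]]:
    """Check the sender/relay IPs found in a mail header against each DNSBL.

    header_ips is assumed to be in the order the scanner examines them; only
    the first max_query_ip entries are considered (the 'max-query-ip'
    setting).  Non-global addresses (RFC 1918, loopback, link-local) are
    skipped: they cannot be meaningfully listed and querying them would leak
    internal addressing to the DNSBL operator.  The returned 'tag' mirrors
    'show anti-spam tag {dnsbl | dnsbl-timeout}'; timeout_action mirrors the
    'dnsbl query-timeout' setting.
    """
    domains = list(dnsbl_domains)
    for ip in list(header_ips)[:max_query_ip]:
        if ipaddress.IPv4Address(ip).is_private:
            continue
        for domain in domains:
            try:
                answer = resolver(dnsbl_query_name(ip, domain))
            except (socket.timeout, TimeoutError):
                return {"verdict": "timeout", "ip": ip, "domain": domain,
                        "tag": "dnsbl-timeout", "action": timeout_action}
            if answer is not None and ipaddress.IPv4Address(answer) in LISTED_NET:
                return {"verdict": "listed", "ip": ip, "domain": domain,
                        "tag": "dnsbl", "action": "tag"}
    return {"verdict": "clean", "ip": None, "domain": None, "tag": None, "action": "forward"}


# ---- constructed offline data for the demo (not a real DNSBL) ----
FAKE_ZONE = {"4.3.2.1.dnsbl-example.com": "127.0.0.2"}   # lists 1.2.3.4


def fake_resolver(name: str) -> Optional[str]:
    if name.endswith(".slow-example.com"):           # simulated unreachable DNSBL
        raise socket.timeout("query timed out")
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for ips in (["1.2.3.4"], ["5.6.7.8"], ["10.0.0.1", "1.2.3.4"]):
        print(ips, check_mail(ips, ["dnsbl-example.com"], fake_resolver))
    print(check_mail(["1.2.3.4"], ["slow-example.com"], fake_resolver))
```

Swap fake_resolver for system_resolver to query a real list; the timeout branch is what the forward-with-tag setting above handles, so mail is still delivered, only tagged, when the DNSBL is unreachable.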
  • Page 197 Chapter 22 Anti-Spam Table 111 Commands for Anti-spam Statistics (continued) COMMAND DESCRIPTION show anti-spam statistics collect: Displays whether the collection of anti-spam statistics is turned on or off. show anti-spam statistics ranking: Query and sort the anti-spam statistics entries by source IP address or mail address.
  • Page 199: Device HA

    Device HA (201)
  • Page 201 CHAPTER 23 Device HA Use device HA to increase network reliability. Device HA lets a backup ZyWALL (B) automatically take over if a master ZyWALL (A) fails. Figure 24 Device HA Backup Taking Over for the Master 23.1 Device HA Overview Active-Passive Mode and Legacy Mode •...
  • Page 202 Chapter 23 Device HA Only ZyWALLs of the same model and firmware version can synchronize. Otherwise you must manually configure the master ZyWALL’s settings on the backup (by editing copies of the configuration files in a text editor for example). 23.1.1 Before You Begin •...
  • Page 203 Chapter 23 Device HA Monitored Interfaces in Active-Passive Mode Device HA You can select which interfaces device HA monitors. If a monitored interface on the ZyWALL loses its connection, device HA has the backup ZyWALL take over. Enable monitoring for the same interfaces on the master and backup ZyWALLs. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL.
  • Page 204 Chapter 23 Device HA Table 114 device-ha ap-mode Commands (continued) COMMAND DESCRIPTION [no] device-ha ap-mode authentication {string key | ah-md5 key}: Sets the authentication method the virtual router uses. Every interface in a virtual router must use the same authentication method and password. The no command disables authentication. A string key is carried in cleartext in the VRRP advertisements, so anyone on the shared segment can read it; prefer ah-md5 where both ZyWALLs support it.
  • Page 205 Chapter 23 Device HA Table 114 device-ha ap-mode Commands (continued) COMMAND DESCRIPTION show device-ha ap-mode master sync: Displays the master ZyWALL’s synchronization settings. show device-ha ap-mode backup sync: Displays the backup ZyWALL’s synchronization settings. show device-ha ap-mode backup sync status: Displays the backup ZyWALL’s current synchronization status.
  • Page 206 Chapter 23 Device HA 23.6 Legacy Mode (VRRP) Device HA Commands The following table identifies the values required for many device-ha commands. Other input values are discussed with the corresponding commands. Table 115 Input Values for device-ha Commands LABEL DESCRIPTION The name of the VRRP group.
  • Page 207 Chapter 23 Device HA Table 116 device-ha Commands: VRRP Groups (continued) COMMAND DESCRIPTION [no] description description: Specifies the description for the specified VRRP group. The no command clears the description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
  • Page 208 Chapter 23 Device HA 23.6.3 Link Monitoring Commands This table lists the commands for link monitoring. Link monitoring has the master ZyWALL shut down all of its VRRP interfaces if one of its VRRP interface links goes down. This way the backup ZyWALL takes over all of the master ZyWALL’s functions.
  • Page 209: Objects

    VIII Objects User/Group (211) Addresses (219) Services (223) Schedules (227) AAA Server (229) Authentication Objects (235) Certificates (237) ISP Accounts (243) SSL Application (247)
  • Page 211: User/Group

    CHAPTER 24 User/Group This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
  • Page 212 Chapter 24 User/Group 24.2 User/Group Commands Summary The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands. Table 120 username/groupname Command Input Values LABEL DESCRIPTION username: The name of the user (account). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
  • Page 213 Chapter 24 User/Group Table 121 username/groupname Commands Summary: Users (continued) COMMAND DESCRIPTION username username [no] logon-lease-time <0..1440>: Sets the lease time for the specified user. Set it to zero to set unlimited lease time. The no command sets the lease time to five minutes (regardless of the current default setting for new users).
  • Page 214 Chapter 24 User/Group Table 123 username/groupname Commands Summary: Settings (continued) COMMAND DESCRIPTION users default-setting [no] user-type <admin|ext-user|guest|limited-admin|user>: Sets the default user type for each new user. The no command sets the default user type to user. show users retry-settings: Displays the current retry limit settings for users. Enables the retry limit for users.
  • Page 215 Chapter 24 User/Group 24.2.4 Force User Authentication Commands This table lists the commands for forcing user authentication. Table 124 username/groupname Commands Summary: Forcing User Authentication COMMAND DESCRIPTION force-auth policy <1..1024>: Creates the specified condition for forcing user authentication, if necessary, and enters sub-command mode.
  • Page 216 Chapter 24 User/Group 24.2.5 Additional User Commands This table lists additional commands for users. Table 125 username/groupname Commands Summary: Additional COMMAND DESCRIPTION show users {username | all | current}: Displays information about the users logged onto the system. show lockout-users: Displays users who are currently locked out. Unlocks the specified IP address.
  • Page 217 Chapter 24 User/Group The following commands display the users that are currently locked out and then unlock the user who is displayed.
Router# configure terminal
Router(config)# show lockout-users
Username Tried From Lockout Time Remaining
===========================================================================
From Failed Login Attempt Record Expired Timer
===========================================================================
172.23.23.60
Router(config)# unlock lockout-users 172.23.23.60...
  • Page 219: Addresses

    CHAPTER 25 Addresses This chapter describes how to set up addresses and address groups for the ZyWALL. 25.1 Address Overview Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
  • Page 220 Chapter 25 Addresses The following sections list the address object and address group commands. 25.2.1 Address Object Commands This table lists the commands for address objects. Table 127 address-object Commands: Address Objects COMMAND DESCRIPTION show address-object [object_name]: Displays information about the specified address or all the addresses.
  • Page 221 Chapter 25 Addresses 25.2.2 Address Group Commands This table lists the commands for address groups. Table 128 object-group Commands: Address Groups COMMAND DESCRIPTION show object-group address [group_name]: Displays information about the specified address group or about all address groups. [no] object-group address group_name: Creates the specified address group if necessary and enters sub-command mode.
  • Page 223: Services

    CHAPTER 26 Services Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. 26.1 Services Overview See the appendices in the web configurator’s User Guide for a list of commonly-used services. 26.2 Services Commands Summary The following table describes the values required for many service object and service group commands.
  • Page 224 Chapter 26 Services Table 130 service-object Commands: Service Objects (continued) COMMAND DESCRIPTION service-object object_name icmp icmp_value: Creates the specified ICMP message using the specified parameters. icmp_value: <0..255> | alternate-address | conversion-error | echo | echo-reply | information-reply | information-request | mask-reply | mask-request | mobile-redirect | parameter-problem | redirect | router-advertisement | router-solicitation | source-quench | time-exceeded | timestamp-reply |...
  • Page 225 Chapter 26 Services Table 131 object-group Commands: Service Groups (continued) COMMAND DESCRIPTION [no] object-group group_name: Adds the specified service group (second group_name) to the specified service group (first group_name). The no command removes the specified service group from the specified service group.
  • Page 227: Schedules

    CHAPTER 27 Schedules Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering. 27.1 Schedule Overview The ZyWALL supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat.
  • Page 228 Chapter 27 Schedules The following table lists the schedule commands. Table 133 schedule Commands COMMAND DESCRIPTION show schedule-object: Displays information about the schedules in the ZyWALL. no schedule-object object_name: Deletes the schedule object. schedule-object object_name date time date time: Creates or updates a one-time schedule. date: yyyy-mm-dd date format;...
  • Page 229: Aaa Server

    CHAPTER 28 AAA Server This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers. 28.1 AAA Server Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network.
  • Page 230 Chapter 28 AAA Server 28.2.1 ad-server Commands The following table lists the ad-server commands you use to set the default AD server. Table 134 ad-server Commands COMMAND DESCRIPTION show ad-server: Displays current AD server settings. [no] ad-server basedn basedn: Sets a base distinguished name (DN) for the default AD server. A base DN identifies an AD directory.
  • Page 231 Chapter 28 AAA Server Table 135 ldap-server Commands (continued) COMMAND DESCRIPTION [no] ldap-server search-time-limit time: Sets the search timeout period (in seconds). Enter a number between 1 and 300. The no command clears this setting. [no] ldap-server ssl: Enables the ZyWALL to establish a secure connection to the LDAP server. Without it, the bind DN and password travel to the LDAP server in cleartext.
  • Page 232 Chapter 28 AAA Server 28.2.5 aaa group server ad Commands The following table lists the aaa group server ad commands you use to configure a group of AD servers. Table 137 aaa group server ad Commands COMMAND DESCRIPTION clear aaa group server ad [group-name]: Deletes all AD server groups or the specified AD server group.
  • Page 233 Chapter 28 AAA Server 28.2.6 aaa group server ldap Commands The following table lists the aaa group server ldap commands you use to configure a group of LDAP servers. Table 138 aaa group server ldap Commands COMMAND DESCRIPTION clear aaa group server ldap: Deletes all LDAP server groups or the specified LDAP server group.
  • Page 234 Chapter 28 AAA Server 28.2.7 aaa group server radius Commands The following table lists the aaa group server radius commands you use to configure a group of RADIUS servers. Table 139 aaa group server radius Commands COMMAND DESCRIPTION clear aaa group server radius: Deletes all RADIUS server groups or the specified RADIUS server group.
  • Page 235: Authentication Objects

    CHAPTER 29 Authentication Objects This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database. 29.1 Authentication Objects Overview After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the ZyWALL uses to authenticate users (using VPN or managing through HTTP/HTTPS).
  • Page 236 Chapter 29 Authentication Objects Table 140 aaa authentication Commands (continued) COMMAND DESCRIPTION [no] aaa authentication {profile-name}: Sets a descriptive name for the authentication profile. The no command deletes a profile. aaa authentication: Sets the profile to use the authentication method(s) in the order specified.
  • Page 237: Certificates

    CHAPTER 30 Certificates This chapter explains how to use certificates. 30.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key.
  • Page 238 Chapter 30 Certificates Table 141 Certificates Commands Input Values (continued) LABEL DESCRIPTION organizational_unit: Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. Identify the company or group to which the certificate owner belongs.
  • Page 239 Chapter 30 Certificates Table 142 ca Commands Summary (continued) COMMAND DESCRIPTION ca generate pkcs10 name certificate_name cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa|dsa} key-len key_length: Generates a PKCS#10 certification request. ca generate pkcs12 name name password password: Generates a PKCS#12 file, which bundles the certificate with its private key; the password protects the private key.
  • Page 240 Chapter 30 Certificates Table 142 ca Commands Summary (continued) COMMAND DESCRIPTION ocsp url url [id name password password] [deactivate]: Sets the validation configuration for the specified remote (trusted) certificate where the directory server uses OCSP. url: Type the protocol, IP address and pathname of the OCSP server.
  • Page 241 Chapter 30 Certificates 30.5 Certificates Commands Examples The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512 bit key. The 512-bit size is for illustration only: RSA keys that short can be factored with modest resources, so generate keys of at least 2048 bits for any certificate you rely on. Then it displays the list of local certificates.
  • Page 243: Isp Accounts

    CHAPTER 31 ISP Accounts Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. 31.1 ISP Accounts Overview An ISP account is a profile of settings for Internet access using PPPoE or PPTP. 31.1.1 PPPoE and PPTP Account Commands The following table lists the PPPoE and PPTP ISP account commands.
  • Page 244 Chapter 31 ISP Accounts Table 143 PPPoE and PPTP ISP Account Commands (continued) COMMAND DESCRIPTION [no] service-name {ip | hostname | service_name}: Sets the service name for the specified PPPoE ISP account. The no command clears the service name. hostname: You may use up to 63 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
  • Page 245 Chapter 31 ISP Accounts Table 144 Cellular Account Commands (continued) COMMAND DESCRIPTION [no] password password: Sets the password for the specified ISP account. The no command clears the password. password: Use up to 63 printable ASCII characters. Spaces are not allowed. [no] authentication {none | pap | chap}: Sets the authentication for the cellular account. The no command sets the authentication to none. PAP sends the password to the peer in cleartext; use chap unless the ISP requires pap.
  • Page 247: Ssl Application

    CHAPTER 32 SSL Application This chapter describes how to configure SSL application objects for use in SSL VPN. 32.1 SSL Application Overview Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network.
  • Page 248 Chapter 32 SSL Application Table 145 SSL Application Object Commands COMMAND DESCRIPTION server-type file-sharing share-path share-path: Specifies the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access.
  • Page 249: System

    System (251) System Remote Management (257)
  • Page 251: System

    CHAPTER 33 System This chapter provides information on the commands that correspond to what you can configure in the system screens. 33.1 System Overview Use these commands to configure general ZyWALL information, the system time and the console port connection speed for a terminal emulation program.
  • Page 252 Chapter 33 System Figure 26 Access Page Customization 1. Logo 2. Banner 3. Banner Floor 4. Title 5. Message (color of all text) 6. Note Message 7. Window Background You can specify colors in one of the following ways: • color-rgb: Enter red, green, and blue values in parentheses, separated by commas. For example, use “rgb(0,0,0)”...
  • Page 253 Chapter 33 System Table 146 Command Summary: Customization (continued) COMMAND DESCRIPTION login-page title title: Sets the title for the top of the login screen. Use up to 64 printable ASCII characters. Spaces are allowed. login-page window-color {color-rgb | color-name | color-number}: Sets the color of the login page’s window border. Sets the color of the logo banner across the top of the login...
  • Page 254 Chapter 33 System 33.4.1 Date/Time Commands The following table describes the commands available for date and time setup. You must use the configure terminal command to enter configuration mode before you can use these commands. Table 148 Command Summary: Date/Time COMMAND DESCRIPTION Sets the new date in year, month and day format...
  • Page 255 Chapter 33 System 33.5 Console Port Speed This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program. The following table describes the console port commands. You must use the configure terminal command to enter configuration mode before you can use these commands.
  • Page 256 Chapter 33 System The following table describes the commands available for DNS. You must use the configure terminal command to enter configuration mode before you can use these commands. Table 151 Command Summary: DNS COMMAND DESCRIPTION [no] ip dns server a-record fqdn w.x.y.z: Sets an A record that specifies the mapping of a fully qualified domain name (FQDN) to an IP address.
  • Page 257: System Remote Management

    CHAPTER 34 System Remote Management This chapter shows you how to determine which services/protocols can access which ZyWALL zones (if any) from which computers. To allow the ZyWALL to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-ZyWALL rule to block that traffic.
  • Page 258 Chapter 34 System Remote Management 34.2 Common System Command Input Values The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 152 Input Values for General System Commands LABEL DESCRIPTION The name of the IP address (group) object.
  • Page 259 Chapter 34 System Remote Management Table 153 Command Summary: HTTP/HTTPS (continued) COMMAND DESCRIPTION [no] ip http secure-server cert certificate_name: Specifies a certificate used by the HTTPS server. The no command resets the certificate used by the HTTPS server to the factory default (default). certificate_name: The name of the certificate.
  • Page 260 Chapter 34 System Remote Management 34.3.1 HTTP/HTTPS Command Examples The following example adds a service control rule that allows administrators on computers whose IP addresses match the Marketing address object to reach the ZyWALL from the WAN zone using the HTTP service. HTTP carries the administrator login in cleartext, so for management from the WAN use HTTPS instead.
Router# configure terminal
Router(config)# ip http server table admin rule append access-group Marketing zone WAN action accept...
  • Page 261 Chapter 34 System Remote Management 34.4.3 SSH Commands The following table describes the commands available for SSH. You must use the configure terminal command to enter configuration mode before you can use these commands. Table 154 Command Summary: SSH COMMAND DESCRIPTION Allows SSH access to the ZyWALL CLI.
  • Page 262 Chapter 34 System Remote Management This command sets a certificate (Default) to be used to identify the ZyWALL.
Router# configure terminal
Router(config)# ip ssh server cert Default
34.5 Telnet You can configure your ZyWALL for remote Telnet access. Telnet sends the login and the entire session in cleartext; prefer SSH, and if Telnet must stay enabled, restrict it to a trusted zone with a service control rule. 34.6 Telnet Commands The following table describes the commands available for Telnet.
  • Page 263 Chapter 34 System Remote Management 34.6.1 Telnet Commands Examples This command sets a service control rule that allows the computers with the IP addresses matching the specified address object to access the specified zone using the Telnet service.
Router# configure terminal
Router(config)# ip telnet server rule 11 access-group RD zone LAN action ->...
  • Page 264 Chapter 34 System Remote Management Table 156 Command Summary: FTP (continued) COMMAND DESCRIPTION ip ftp server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}: Sets a service control rule for FTP service. address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the...
  • Page 265 34.8.1 Supported MIBs The ZyWALL supports MIB II as defined in RFC 1213 and RFC 1215. The ZyWALL also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
  • Page 266 Chapter 34 System Remote Management Table 158 Command Summary: SNMP (continued) COMMAND DESCRIPTION [no] snmp-server port <1..65535>: Sets the SNMP service port number. The no command resets the SNMP service port number to the factory default ( snmp-server rule {rule_number|append|insert rule_number} access-group {ALL|address_object}: Sets a service control rule for SNMP service. address_object: The name of the IP address...
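The service control tables for HTTP/HTTPS, Telnet, FTP and SNMP in this chapter all have the same shape: numbered rules with an access-group (address object or ALL), a zone (zone object or ALL) and accept or deny, added with append or insert rule_number. Rule order decides who can reach the ZyWALL, and an insert at the wrong position silently shadows everything below it. The following added example (illustrative code, not ZyXEL's) evaluates such a table first-match and reports shadowed rules. It assumes first-match evaluation in index order and makes the no-match default an explicit parameter because this guide does not state it; the Marketing and RD objects reuse names from the examples above, but their addresses and the rules are constructed.

```python
"""First-match evaluation of a service control rule table (added example,
not ZyXEL code).  Assumes rules are checked in index order and the first
match wins; the action taken when no rule matches is a parameter."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    access_group: str   # address object name, or "ALL"
    zone: str           # zone object name, or "ALL"
    action: str         # "accept" or "deny"


@dataclass
class ServiceControlTable:
    # address object name -> list of CIDRs (a single host is a /32)
    address_objects: Dict[str, List[str]]
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "accept"   # assumption; set it to match your device

    def append(self, rule: Rule) -> None:
        self.rules.append(rule)

    def insert(self, rule_number: int, rule: Rule) -> None:
        """CLI-style 1-based insert: the new rule takes rule_number, later ones shift down."""
        self.rules.insert(rule_number - 1, rule)

    def _matches_group(self, ip: str, group: str) -> bool:
        if group == "ALL":
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(cidr, strict=False)
                   for cidr in self.address_objects.get(group, []))

    def evaluate(self, src_ip: str, zone: str) -> Tuple[str, Optional[int]]:
        """Return (action, matching rule number); None means the default applied."""
        for number, rule in enumerate(self.rules, start=1):
            if self._matches_group(src_ip, rule.access_group) and rule.zone in ("ALL", zone):
                return rule.action, number
        return self.default_action, None

    def shadowed_rules(self) -> List[int]:
        """Rule numbers that can never match because an earlier rule is at least
        as broad.  Coverage is judged by object name (same name or ALL), not by
        comparing the address ranges behind different objects."""
        shadowed = []
        for j, later in enumerate(self.rules, start=1):
            for earlier in self.rules[:j - 1]:
                if earlier.access_group in ("ALL", later.access_group) and \
                        earlier.zone in ("ALL", later.zone):
                    shadowed.append(j)
                    break
        return shadowed


def build_example_table() -> ServiceControlTable:
    """Constructed table: Marketing hosts may manage from the WAN, anyone else on the WAN is denied."""
    table = ServiceControlTable(address_objects={
        "Marketing": ["203.0.113.0/24"],       # constructed addresses
        "RD": ["198.51.100.10/32"],
    })
    table.append(Rule("Marketing", "WAN", "accept"))
    table.append(Rule("ALL", "WAN", "deny"))
    return table


if __name__ == "__main__":
    table = build_example_table()
    print(table.evaluate("203.0.113.5", "WAN"), table.evaluate("198.51.100.99", "WAN"))
    table.insert(1, Rule("ALL", "ALL", "deny"))   # careless insert at the top
    print(table.evaluate("203.0.113.5", "WAN"), "shadowed:", table.shadowed_rules())
```

Run shadowed_rules after every insert: a deny with access-group ALL and zone ALL at position 1 locks every administrator out of that service, which the evaluation in the demo shows.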
  • Page 267 Chapter 34 System Remote Management 34.9 ICMP Filter The ip icmp-filter commands are obsolete. See Chapter 14 on page 111 to configure firewall rules for ICMP traffic going to the ZyWALL to discard or reject ICMP packets destined for the ZyWALL. 34.10 Dial-in Management Connect an external serial modem to the DIAL BACKUP port (or AUX port depending on your model) to provide a remote management connection in case the ZyWALL’s other WAN...
  • Page 268 Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator.
  • Page 269 Chapter 34 System Remote Management 34.11.1 Vantage CNM Commands The following table describes the commands available for Vantage CNM. You must use the configure terminal command to enter configuration mode before you can use these commands. Table 160 Command Summary: Vantage CNM COMMAND DESCRIPTION Sets up the URL of the Vantage server that the ZyWALL registers with.
  • Page 270 Chapter 34 System Remote Management 34.12 Language Commands Use the language commands to display what language the web configurator is using or change it. You must use the configure terminal command to enter configuration mode before you can use these commands. Table 161 Command Summary: Language COMMAND DESCRIPTION...
  • Page 271: Maintenance

    Maintenance File Manager (273) Logs (291) Reports and Reboot (297) Diagnostics (305) Maintenance Tools (307)
  • Page 273: File Manager

    CHAPTER 35 File Manager This chapter covers how to work with the ZyWALL’s firmware, certificates, configuration files, custom IDP signatures, packet trace results, shell scripts and temporary files. 35.1 File Directories The ZyWALL stores files in the following directories. Table 162 FTP File Transfer Notes FILE NAME DIRECTORY FILE TYPE...
  • Page 274 Chapter 35 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. Figure 27 Configuration File / Shell Script: Example
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3...
  • Page 275 Chapter 35 File Manager “exit” or “!” must follow sub commands if it is to make the ZyWALL exit sub command mode. Line 3 in the following example exits sub command mode. interface ge1 ip address dhcp Lines 1 and 3 in the following example are comments and line 4 exits sub command mode. interface ge1 # this interface is a DHCP client Lines 1 and 2 are comments.
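A check for the script rules just described, as an added example (illustrative code, not ZyXEL's): it strips comment lines, verifies that every sub-command block is closed with exit or !, and warns about the cleartext password that a script like Figure 27 carries, since anything in /script can be fetched over FTP. Which commands enter sub-command mode is taken from the ones this guide marks as doing so (interface, object-group, force-auth policy); that list is an assumption and not exhaustive. The sample scripts are constructed from the fragments on this page.

```python
"""Lint a ZySH shell script or configuration file before running it with
'run' or 'apply' (added example, not ZyXEL code).  Rules checked are the
ones this page states: '#' lines are comments; a sub-command block must be
closed with 'exit' or '!'."""
import re
from dataclasses import dataclass, field
from typing import List, Sequence

# Assumed, not exhaustive: commands this guide says enter sub-command mode.
SUBMODE_PREFIXES: Sequence[str] = ("interface ", "object-group ", "force-auth policy ")
CONFIG_MODE = "configure terminal"
# Scripts live in /script and are readable over FTP by admin accounts, so a
# literal password inside one deserves a warning.
PASSWORD_RE = re.compile(r"\bpassword\s+\S+")


@dataclass
class LintResult:
    commands: List[str] = field(default_factory=list)   # comment/blank lines removed
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def lint_script(text: str, submode_prefixes: Sequence[str] = SUBMODE_PREFIXES) -> LintResult:
    """Walk the script keeping a mode stack: configure terminal, then sub-command blocks."""
    result = LintResult()
    stack: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        result.commands.append(line)
        if line in ("exit", "!"):
            if stack:
                stack.pop()
            else:
                result.errors.append(f"line {lineno}: '{line}' with nothing to exit")
            continue
        if line == CONFIG_MODE:
            stack.append(line)
            continue
        if PASSWORD_RE.search(line):
            result.warnings.append(f"line {lineno}: cleartext password in script")
        if line.startswith(tuple(submode_prefixes)):
            if stack and stack[-1] != CONFIG_MODE:
                result.errors.append(
                    f"line {lineno}: '{line}' opened while '{stack[-1]}' is still open; "
                    "add 'exit' or '!' first")
            elif not stack:
                result.warnings.append(f"line {lineno}: '{line}' used outside '{CONFIG_MODE}'")
            stack.append(line)
    for mode in stack:
        if mode != CONFIG_MODE:
            result.errors.append(f"end of script: '{mode}' block not closed with 'exit' or '!'")
    return result


# Constructed scripts assembled from the fragments shown on this page.
SAMPLE_OK = """\
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3
interface ge3
ip address dhcp
exit
"""

SAMPLE_BAD = """\
configure terminal
interface ge1
ip address dhcp
interface ge2
ip address dhcp
"""

if __name__ == "__main__":
    for name, script in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        res = lint_script(script)
        print(name, "errors:", res.errors, "warnings:", res.warnings)
```

The second script is the mistake the page warns about: the ge2 block starts while ge1 is still open and neither is closed, so the device would apply the remaining lines in the wrong context.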
  • Page 276 Chapter 35 File Manager • When you change the configuration, the ZyWALL creates a startup-config.conf file of the current configuration. • The ZyWALL checks the startup-config.conf file for errors when it restarts. If there is an error in the startup-config.conf file, the ZyWALL copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file.
  • Page 277 Chapter 35 File Manager 35.4 File Manager Commands Summary The following table lists the commands that you can use for file management. Table 165 File Manager Commands Summary COMMAND DESCRIPTION apply /conf/file_name.conf: Has the ZyWALL use a specific configuration file. You must still use the write command to save your...
  • Page 278 Chapter 35 File Manager 35.5 File Manager Command Example This example saves a back up of the current configuration before applying a shell script file.
Router(config)# copy running-config /conf/backup.conf
Router(config)# run /script/vpn_setup.zysh
35.6 FTP File Transfer You can use FTP to transfer files to and from the ZyWALL for advanced maintenance and support. FTP carries the administrator password and the transferred files (including configuration files with credentials in them) in cleartext, so restrict it to a trusted management zone with the FTP service control rules.
  • Page 279 Chapter 35 File Manager Figure 28 FTP Configuration File Upload Example
C:\>ftp 192.168.1.1
Connected to 192.168.1.1.
220 FTP Server (ZyWALL) [192.168.1.1]
User (192.168.1.1:(none)): admin
331 Password required for admin.
Password:
230 User admin logged in.
ftp> cd conf
250 CWD command successful
ftp>...
  • Page 280 Chapter 35 File Manager Figure 29 FTP Configuration File Download Example
C:\>ftp 192.168.1.1
Connected to 192.168.1.1.
220 FTP Server (ZyWALL) [192.168.1.1]
User (192.168.1.1:(none)): admin
331 Password required for admin.
Password:
230 User admin logged in.
ftp> bin
200 Type set to I
ftp>...
  • Page 281 Chapter 35 File Manager 35.8 Notification of a Damaged Recovery Image or Firmware The ZyWALL’s recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the ZyWALL notifies you of a damaged recovery image or firmware file.
  • Page 282 35.9 Restoring the Recovery Image This procedure requires the ZyWALL’s recovery image. Download the firmware package from www.zyxel.com and unzip it. The recovery image uses a .ri extension, for example, "1.01(XL.0)C0.ri". Do the following after you have obtained the recovery image file.
  • Page 283 Chapter 35 File Manager Figure 35 atuk Command for Restoring the Recovery Image 4 Enter Y and wait for the “Starting XMODEM upload” message before activating XMODEM upload on your terminal. Figure 36 Starting Xmodem Upload 5 This is an example Xmodem configuration upload using HyperTerminal. Click Transfer, then Send File to display the following screen.
  • Page 284 35.10 Restoring the Firmware This procedure requires the ZyWALL’s firmware. Download the firmware package from www.zyxel.com and unzip it. The firmware file uses a .bin extension, for example, "1.01(XL.0)C0.bin". Do the following after you have obtained the firmware file. This section is not for normal firmware uploads. You only need to use this section if you need to recover the firmware.
  • Page 285 Chapter 35 File Manager 8 After the transfer is complete, “Firmware received” or “ZLD-current received” displays. Wait (up to four minutes) while the ZyWALL recovers the firmware. Figure 42 Firmware Received and Recovery Started 9 The console session displays “done” when the firmware recovery is complete. Then the ZyWALL automatically restarts.
  • Page 286 Chapter 35 File Manager Figure 44 Restart Complete 35.11 Restoring the Default System Database The default system database stores information such as the default anti-virus or IDP signatures. The ZyWALL can still operate if the default system database is damaged or missing, but related features (like anti-virus or IDP) may not function properly.
  • Page 287 Figure 47 Default System Database Missing Log: Anti-virus This procedure requires the ZyWALL’s default system database file. Download the firmware package from www.zyxel.com and unzip it. The default system database file uses a .db extension, for example, "1.01(XL.0)C0.db". Do the following after you have obtained the default system database file.
  • Page 288 Chapter 35 File Manager 35.11.1 Using the atkz -u Debug Command You only need to use the atkz -u command if the default system database is damaged. 1 Restart the ZyWALL. 2 When “Press any key to enter debug mode within 3 seconds.” displays, press a key to enter debug mode.
  • Page 289 Chapter 35 File Manager 8 Set the transfer mode to binary (type bin). 9 Transfer the default system database file from your computer to the ZyWALL. Type put followed by the path and name of the file. This example uses put e:\ftproot\ZLD FW \1.01(XL.0)C0.db.
  • Page 290 Chapter 35 File Manager Figure 54 Startup Complete
  • Page 291: Logs

    CHAPTER 36 Logs This chapter provides information about the ZyWALL’s logs. When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User’s Guide for the maximum number of system log messages in the ZyWALL.
  • Page 292 Chapter 36 Logs 36.1.2 System Log Commands This table lists the commands for the system log settings. Table 168 logging Commands: System Log Settings COMMAND DESCRIPTION show logging status system-log: Displays the current settings for the system log. logging system-log category module_name {disable | level normal | level all}: Specifies what kind of information, if any, is logged in the system log and debugging log for the...
  • Page 293 | local_3 | local_4 | local_5 | local_6 | local_7} [no] logging syslog <1..4> format {cef | vrpt}: Sets the format of the log information. cef: Common Event Format, syslog-compatible format. vrpt: ZyXEL’s Vantage Report, syslog-compatible format.
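Parsing the CEF output that the format cef setting above produces, as an added example (illustrative code, not ZyXEL's). It implements the CEF framing rules: seven pipe-separated header fields (version, vendor, product, device version, signature ID, name, severity) followed by key=value extensions, with | and \ escaped in the header and = and \ escaped in extension values. The syslog lines it parses are constructed to exercise the format; the signature IDs, message texts and extension keys are invented and do not reproduce real ZyWALL log content. The failed-login tally at the end is the same condition the users retry-settings lockout (Chapter 24) acts on, seen from the syslog side.

```python
"""CEF (Common Event Format) record parser plus a small detection over the
parsed events (added example, not ZyXEL code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

HEADER_FIELDS = 7
_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")   # whitespace that starts the next key=
_ESCAPES = {"\\\\": "\\", "\\|": "|", "\\=": "=", "\\n": "\n", "\\r": "\r"}


def _unescape(text: str) -> str:
    """Resolve CEF escape pairs; unknown pairs are left untouched."""
    return re.sub(r"\\.", lambda m: _ESCAPES.get(m.group(0), m.group(0)), text)


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: Dict[str, str]


def _split_header(body: str):
    """Split the first seven fields on unescaped '|'; return (fields, remainder)."""
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):        # keep the escape pair for _unescape
            current.append(body[i:i + 2])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
            if len(fields) == HEADER_FIELDS:
                return fields, body[i:]
            continue
        current.append(ch)
        i += 1
    raise ValueError("truncated CEF header")


def parse_cef(line: str) -> CefEvent:
    """Accept a bare CEF record or a syslog line (PRI, timestamp, host) carrying one."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    header, ext = _split_header(line[start + len("CEF:"):])
    fields = [_unescape(f) for f in header]
    extension: Dict[str, str] = {}
    for token in _EXT_SPLIT.split(ext.strip()):
        if token:
            key, _, value = token.partition("=")
            extension[key] = _unescape(value)
    return CefEvent(*fields, extension)


def failed_logins_by_source(events: Iterable[CefEvent], signature_id: str,
                            threshold: int) -> Dict[str, int]:
    """Sources with at least `threshold` events carrying the given signature ID."""
    counts = Counter(e.extension.get("src", "?") for e in events if e.signature_id == signature_id)
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed syslog lines in CEF format (signature IDs and texts are invented).
SAMPLE_LINES = [
    "<14>Jun  1 10:00:01 zywall CEF:0|ZyXEL|ZyWALL|2.11|LOGIN_FAIL|Admin login failed|5|src=172.23.23.60 suser=admin msg=bad password",
    "<14>Jun  1 10:00:03 zywall CEF:0|ZyXEL|ZyWALL|2.11|LOGIN_FAIL|Admin login failed|5|src=172.23.23.60 suser=admin msg=bad password",
    "<14>Jun  1 10:00:05 zywall CEF:0|ZyXEL|ZyWALL|2.11|LOGIN_FAIL|Admin login failed|5|src=172.23.23.60 suser=admin msg=bad password",
    "<14>Jun  1 10:00:07 zywall CEF:0|ZyXEL|ZyWALL|2.11|LOGIN_OK|Admin login|3|src=192.168.1.4 suser=admin",
    "<14>Jun  1 10:00:09 zywall CEF:0|ZyXEL|ZyWALL|2.11|RULE_HIT|Rule a\\|b matched|1|src=10.0.0.9 msg=path\\=/conf act=deny",
]

if __name__ == "__main__":
    parsed = [parse_cef(line) for line in SAMPLE_LINES]
    for event in parsed:
        print(event.signature_id, event.name, event.extension)
    print("repeat failures:", failed_logins_by_source(parsed, "LOGIN_FAIL", 3))
```

The last sample line is the one that breaks naive split("|") and split("=") parsers: the rule name contains an escaped pipe and the msg value an escaped equals sign, both of which the scanner above handles.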
  • Page 294 Chapter 36 Logs This table lists the commands for setting how often to send information to the VRPT (ZyXEL’s Vantage Report) server. Table 171 logging Commands: VRPT Settings COMMAND DESCRIPTION vrpt send device information interval <15..3600>: Sets the interval (in seconds) for how often the ZyWALL sends a device information log to the...
  • Page 295 | mon | tue | wed | thu | fri | sat 36.1.4.1 E-mail Profile Command Examples The following commands set up e-mail log 1. Router# configure terminal Router(config)# logging mail 1 address mail.zyxel.com.tw Router(config)# logging mail 1 subject AAA Router(config)# logging mail 1 authentication username lachang.li password XXXXXX Router(config)# logging mail 1 send-log-to lachang.li@zyxel.com.tw...
  • Page 296 Chapter 36 Logs Table 173 logging Commands: Console Port Settings (continued) COMMAND DESCRIPTION logging console category module_name level {alert | crit | debug | emerg | error | info | ...: Controls whether or not debugging information for the specified priority is displayed in the console log, if logging for this category is enabled.
  • Page 297: Reports And Reboot

    Reports and Reboot This chapter provides information about the report-associated commands and how to restart the ZyWALL using commands. It also covers the daily report e-mail feature. 37.1 Report Commands Summary The following sections list the report and session commands. 37.1.1 Report Commands This table lists the commands for reports.
  • Page 298 Chapter 37 Reports and Reboot 37.1.2 Report Command Examples The following commands start collecting data, display the traffic reports, and stop collecting data. Router# configure terminal Router(config)# show report ge1 ip No. IP Address User Amount Direction =================================================================== 192.168.1.4 admin 1273(bytes) Outgoing 192.168.1.4...
  • Page 299 Chapter 37 Reports and Reboot Use these commands to have the ZyWALL e-mail you system statistics every day. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 177 Email Daily Report Commands COMMAND DESCRIPTION Turns daily e-mail reports on or off.
  • Page 300 Chapter 37 Reports and Reboot Table 177 Email Daily Report Commands (continued) COMMAND DESCRIPTION daily-report [no] item traffic-report: Determines whether or not network traffic statistics are included in the report e-mails. daily-report schedule hour <0..23>...: Sets the time for sending out the report e-mails.
  • Page 301 Chapter 37 Reports and Reboot This displays the email daily report settings and has the ZyWALL send the report now. Router(config)# show daily-report status email daily report status ========================= activate: yes scheduled time: 13:57 reset counter: no smtp address: example-SMTP-mail-server.com smtp auth: yes smtp username: 12345 smtp password: pass12345...
  • Page 302 Chapter 37 Reports and Reboot
  • Page 303: Session Timeout

    Session Timeout Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands. Table 178 Session Timeout Commands COMMAND DESCRIPTION session timeout {udp-connect <1..300>...: Sets the timeout for UDP sessions to connect or...
  • Page 304 Chapter 38 Session Timeout
  • Page 305: Diagnostics

    Diagnostics This chapter covers how to use the diagnostics feature. 39.1 Diagnostics The diagnostics feature provides an easy way for you to generate a file containing the ZyWALL’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
  • Page 306 Chapter 39 Diagnostics
  • Page 307: Maintenance Tools

    Maintenance Tools Use the maintenance tool commands to check the conditions of other devices through the ZyWALL. The maintenance tools can help you to troubleshoot network problems. Here are the maintenance tool commands that you can use in privilege mode. Table 180 Maintenance Tools Commands in Privilege Mode COMMAND DESCRIPTION...
  • Page 308 07:26:53.752774 192.168.105.133 > 192.168.105.40: icmp: echo request (DF) 07:26:54.762887 192.168.105.133 > 192.168.105.40: icmp: echo request (DF) 8 packets received by filter 0 packets dropped by kernel Router# traceroute www.zyxel.com traceroute to www.zyxel.com (203.160.232.7), 30 hops max, 38 byte packets 172.23.37.254 3.049 ms 1.947 ms 1.979 ms 172.23.6.253...
  • Page 309: Maintenance Tools Commands In Configuration Mode

    Chapter 40 Maintenance Tools Here are the maintenance tool commands that you can use in configure mode. Table 181 Maintenance Tools Commands in Configuration Mode COMMAND DESCRIPTION show arp-table: Displays the current Address Resolution Protocol table. arp IP mac_address: Edits or creates an ARP table entry. Removes an ARP table entry.
  • Page 310 Chapter 40 Maintenance Tools
  • Page 311: Watchdog Timer

    Watchdog Timer This chapter provides information about the ZyWALL’s watchdog timers. 41.1 Hardware Watchdog Timer The hardware watchdog has the system restart if the hardware fails. The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.
  • Page 312 Chapter 41 Watchdog Timer Table 183 software-watchdog-timer Commands (continued) COMMAND DESCRIPTION show software-watchdog-timer status: Displays the settings of the software watchdog timer. show software-watchdog-timer log: Displays a log of when the software watchdog timer took effect. 41.3 Application Watchdog The application watchdog has the system restart a process that fails. These are the app- commands. Use the command to enter the configuration...
  • Page 313 Chapter 41 Watchdog Timer 41.3.1 Application Watchdog Commands Example The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring. Router# configure terminal Router(config)# show app-watch-dog config Application Watch Dog Setting: activate: yes alert: yes console print: always retry count: 3...
  • Page 314 Chapter 41 Watchdog Timer
  • Page 315: Command List

    Command List List of Commands (Alphabetical) (317)
  • Page 317: List Of Commands (Alphabetical)

    List of Commands (Alphabetical) This section lists the commands and sub-commands in alphabetical order. Commands and sub-commands appear at the same level. [no] aaa authentication {profile-name} .......... 236 [no] aaa group server ad group-name ..........232 [no] aaa group server ldap group-name ...........
  • Page 318 List of Commands (Alphabetical) [no] anti-spam white-list [rule_number] subject subject {activate|deactivate} ... 192 [no] anti-spam white-list activate ..........192 [no] anti-virus activate ............154 [no] anti-virus black-list activate ..........157 [no] anti-virus black-list file-pattern av_file_pattern {activate|deactivate} ... 157 [no] anti-virus eicar activate ..........154 [no] anti-virus skip-unknown-file-type activate .........
  • Page 319 List of Commands (Alphabetical) [no] bwm activate ..............82 [no] bypass {white-list | black-list | dnsbl} ........190 [no] bypass {white-list | black-list} ........... 155 [no] client-identifier mac_address ..........52 [no] client-name host_name ............52 [no] clock daylight-saving ............254 [no] clock saving-interval begin {apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep} {1|2|3|4|last} {fri|mon|sat|sun|thu|tue|wed} hh:mm end {apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep} {1|2|3|4|last}...
  • Page 320 List of Commands (Alphabetical) [no] default-router ip ............52 [no] description description ............ 113 [no] description description ............ 116 [no] description description ............ 130 [no] description description ............ 207 [no] description description ............ 213 [no] description description ............ 215 [no] description description ............ 221 [no] description description ............
  • Page 321 List of Commands (Alphabetical) [no] from zone_object ............155 [no] from-zone zone_object ............190 [no] from-zone zone_profile ............. 163 [no] groupname groupname ............213 [no] groupname groupname ............213 [no] ha-iface interface_name ............. 97 [no] hardware-address mac_address ..........52 [no] hardware-watchdog-timer <4..37> ..........311 [no] hide ................
  • Page 322 List of Commands (Alphabetical) [no] ip http secure-server auth-client .......... 258 [no] ip http secure-server cert certificate_name ........ 259 [no] ip http secure-server force-redirect ........259 [no] ip http server ............. 259 [no] ip load-balancing link-sticking activate ........79 [no] ip load-balancing link-sticking timeout timeout ......79 [no] ip ospf ..............
  • Page 323 List of Commands (Alphabetical) [no] logging mail <1..2> address {ip | hostname} ........ 294 [no] logging mail <1..2> authentication ......... 294 [no] logging mail <1..2> authentication username username password password ..294 [no] logging mail <1..2> category module_name level {alert | all} ....295 [no] logging mail <1..2>...
  • Page 324 List of Commands (Alphabetical) [no] port interface_name ............61 [no] port <0..65535> ............145 [no] port <0..65535> ............146 [no] port-speed {9600 | 19200 | 38400 | 57600 | 115200} ......268 [no] port-speed {9600 | 19200 | 38400 | 57600 | 115200} ......64 [no] preempt ..............
  • Page 325 List of Commands (Alphabetical) [no] service-object object_name ..........224 [no] service-type {dyndns | dyndns_static | dyndns_custom | dynu-basic | dynu-premium | no-ip | peanut-hull | 3322-dyn | 3322-static} ......96 [no] session-limit activate ............. 116 [no] shutdown ..............50 [no] shutdown ..............65 [no] shutdown ..............
  • Page 326 List of Commands (Alphabetical) [no] users lockout-period <1..65535> ..........214 [no] users retry-count <1..99> ..........214 [no] users retry-limit ............214 [no] users simultaneous-logon {administration | access} enforce ....214 [no] users simultaneous-logon {administration | access} limit <1..1024> ..214 [no] users update-lease automation ..........
  • Page 327 List of Commands (Alphabetical) anti-virus rule delete <1..32> ..........155 anti-virus rule insert <1..32> ..........154 anti-virus rule move <1..32> to <1..32> ......... 155 anti-virus rule <1..32> ............155 anti-virus search signature {all | category category | id id | name name | severity severity [{from id to id}] ..........
  • Page 328 List of Commands (Alphabetical) channel <wireless_channel | auto> ..........68 clear ................27 clear aaa authentication profile-name ........... 235 clear aaa group server ad [group-name] .......... 232 clear aaa group server ldap [group-name] ........233 clear aaa group server radius group-name ........234 clear ip dhcp binding {ip | *} ...........
  • Page 329 List of Commands (Alphabetical) daily-report reset-counter-now ..........300 daily-report schedule hour <0..23> minute <00..59> ......300 daily-report send-now ............300 daily-report smtp-address {ip | hostname} ........299 daily-report smtp-auth username username password password ...... 299 deactivate ..............123 deactivate ..............125 debug (*) ................
  • Page 330 List of Commands (Alphabetical) device-ha ap-mode role {master|backup} .......... 203 device-ha link-monitoring activate ..........208 device-ha mode {active-passive | legacy} ........202 device-ha stop-stub-interface activate .......... 208 device-register checkuser user_name ..........37 device-register username user_name password password [e-mail user@domainname country- code country_code] ............
  • Page 331 List of Commands (Alphabetical) idp {signature | system-protect} update signatures ......175 idp {signature | system-protect} update weekly {sun | mon | tue | wed | thu | fri | sat} <0..23> ..............175 idp {signature| anomaly } rule { append | <1..32> | insert <1..32> } .... 163 idp {signature| anomaly } rule { delete <1..32>...
  • Page 332 List of Commands (Alphabetical) ip http secure-server table {admin|user} rule move rule_number to rule_number ... 259 ip http server table {admin|user} rule {rule_number|append|insert rule_number} access- group {ALL|address_object} zone {ALL|zone_object} action {accept|deny} ... 259 ip http server table {admin|user} rule move rule_number to rule_number ..259 ip http-redirect activate description ...........
  • Page 333 List of Commands (Alphabetical) logging mail <1..2> schedule weekly day day hour <0..23> minute <0..59> ..295 logging mail <1..2> sending_now ..........294 logging system-log category module_name {disable | level normal | level all} ..292 login-page background-color {color-rgb | color-name | color-number} ..... 252 login-page message-color {color-rgb | color-name | color-number} ....
  • Page 334 List of Commands (Alphabetical) no server-type ..............248 no service-object object_name ........... 223 no signature sid action ............164 no signature SID action ............169 no signature sid log ............164 no signature sid log ............169 no snmp-server rule rule_number ..........266 no sslvpn policy profile_name ...........
  • Page 335 List of Commands (Alphabetical) router ospf ..............57 router ospf ..............88 router ospf ..............89 router ospf ..............89 router rip ............... 57 router rip ............... 88 run ................28 run /script/file_name.zysh ............277 scan-detection block-period <1..3600> ........... 165 scan-detection sensitivity {low | medium | high} ........
  • Page 336 List of Commands (Alphabetical) show ................146 show ................147 show ................190 show ................213 show ................215 show ................28 show ................51 show [all] ..............155 show aaa authentication {group-name|default} ........235 show aaa group server ad group-name ..........232 show aaa group server ldap group-name ...........
  • Page 337 List of Commands (Alphabetical) show app protocol_name rule all ..........148 show app protocol_name rule all statistics ........148 show app protocol_name rule default ..........148 show app protocol_name rule default statistics ........148 show app protocol_name rule rule_number ......... 148 show app protocol_name rule rule_number statistics ......
  • Page 338 List of Commands (Alphabetical) show dial-in ..............268 show disk ................ 31 show extension-slot .............. 31 show fan-speed ..............31 show firewall ..............114 show firewall rule_number ............114 show firewall status ............114 show firewall zone_object {zone_object|ZyWALL} ........114 show firewall zone_object {zone_object|ZyWALL} rule_number ......
  • Page 339 List of Commands (Alphabetical) show idp search system-protect my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log-alert} action action_mask .............. 170 show idp signature all details ..........162 show idp signature base profile {all|none|wan|lan|dmz} settings ....
  • Page 340 List of Commands (Alphabetical) show logo settings .............. 253 show mac ................. 31 show mem status ..............31 show ntp server ..............254 show object-group address [group_name] .......... 221 show object-group service group_name ..........224 show ospf area IP virtual-link ........... 89 show page-customization ............
  • Page 341 List of Commands (Alphabetical) show wlan mac-filter status ............72 show workspace application ............131 show workspace cifs ............. 131 show zone [profile_name] ............92 shutdown ................. 28 signature sid action {drop | reject-sender | reject-receiver | reject-both} ..164 signature sid action {drop | reject-sender | reject-receiver | reject-both} ..
  • Page 342 List of Commands (Alphabetical) vrpt send system status interval <15..3600> ........294 wlan mac-filter associate <allow | deny> ......... 72 wlan slot_name ..............68 write ................277 write ................28 zone profile_name ..............92