ZyXEL Communications ZyWall Reference Manual

ZyWALL (ZLD) Series
Security Firewalls
Versions: 3.10
Edition 2, 12/2013
Quick Start Guide
CLI Reference Guide
Default Login Details
LAN Port IP Address: http://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.com
Copyright © 2011 ZyXEL Communications Corporation
Copyright © 2013 ZyXEL Communications Corporation

Summary of Contents for ZyXEL Communications ZyWall

  • Page 2 Related Documentation • Quick Start Guide The Quick Start Guide shows how to connect the ZyWALL and access the Web Configurator wizards. (See the wizard real time help for information on configuring each screen.) It also contains a connection diagram and package contents list.
  • Page 3: Table Of Contents

    Authentication Objects ......................255 Certificates ..........................259 ISP Accounts ........................... 264 SSL Application ........................266 Endpoint Security ........................269 DHCPv6 Objects ........................276 System ............................. 279 System Remote Management ....................285 File Manager ..........................299
  • Page 4 Logs ............................317 Reports and Reboot ........................ 323 Session Timeout ........................329 Diagnostics ..........................331 Packet Flow Explore ........................ 333 Packet Flow Filter ........................337 Maintenance Tools ........................341 Watchdog Timer ........................347
  • Page 5: Table Of Contents

    1.6.6 Navigation ..........................27 1.6.7 Erase Current Command ......................27 1.6.8 The no Commands ........................27 1.7 Input Values ............................28 1.8 Ethernet Interfaces ..........................31 1.9 Saving Configuration Changes ......................31 1.10 Logging Out .............................32 Chapter 2 User and Privilege Modes ........................33
  • Page 6 3.1.1 Object Reference Command Example ..................40 Chapter 4 Status ..............................41 Chapter 5 Registration............................45 5.1 myZyXEL.com Overview ........................45 5.1.1 Subscription Services Available on the ZyWALL ..............45 5.2 Registration Commands ........................46 5.2.1 Command Examples .......................47 5.3 Country Code ............................48 Chapter 6 Interfaces.............................53 6.1 Interface Overview ..........................53...
  • Page 7 8.4 Static Route Commands .........................105 8.4.1 Static Route Commands Examples ..................106 Chapter 9 Routing Protocol..........................107 9.1 Routing Protocol Overview ......................107 9.2 Routing Protocol Commands Summary ..................107 9.2.1 RIP Commands ........................108 9.2.2 General OSPF Commands ....................108
  • Page 8 ALG ..............................127 14.1 ALG Introduction ...........................127 14.2 ALG Commands ..........................128 14.3 ALG Commands Example ......................129 Chapter 15 IP/MAC Binding..........................131 15.1 IP/MAC Binding Overview ......................131 15.2 IP/MAC Binding Commands ......................131 15.3 IP/MAC Binding Commands Example ..................132
  • Page 9 19.5.1 Configuring the Default L2TP VPN Gateway Example ............161 19.5.2 Configuring the Default L2TP VPN Connection Example ............161 19.5.3 Configuring the L2TP VPN Settings Example ..............161 19.5.4 Configuring the Policy Route for L2TP Example ..............162
  • Page 10 22.3.5 Editing System Protect ......................188 22.3.6 Signature Search .........................188 22.4 IDP Custom Signatures .........................191 22.4.1 Custom Signature Examples ....................192 22.5 Update IDP Signatures .........................195 22.5.1 Update Signature Examples ....................196 22.6 IDP Statistics ..........................196 22.6.1 IDP Statistics Example ......................197
  • Page 11 25.5 Legacy Mode (VRRP) Device HA ....................225 25.6 Legacy Mode (VRRP) Device HA Commands ................225 25.6.1 VRRP Group Commands ....................226 25.6.2 VRRP Synchronization Commands ..................226 25.6.3 Link Monitoring Commands ....................227 Chapter 26 User/Group ............................229 26.1 User Account Overview .........................229
  • Page 12 30.2.4 radius-server Command Example ..................251 30.2.5 aaa group server ad Commands ..................251 30.2.6 aaa group server ldap Commands ..................252 30.2.7 aaa group server radius Commands ...................253 30.2.8 aaa group server Command Example .................254 Chapter 31 Authentication Objects........................255
  • Page 13 Chapter 36 DHCPv6 Objects..........................276 36.1 DHCPv6 Object Commands Summary ..................276 36.1.1 DHCPv6 Object Commands ....................276 36.1.2 DHCPv6 Object Command Examples .................277 Chapter 37 System ...............................279 37.1 System Overview ..........................279 37.2 Customizing the WWW Login Page ....................279
  • Page 14 38.2 Common System Command Input Values ..................286 38.3 HTTP/HTTPS Commands ......................286 38.3.1 HTTP/HTTPS Command Examples ..................288 38.4 SSH ...............................288 38.4.1 SSH Implementation on the ZyWALL ..................288 38.4.2 Requirements for Using SSH ....................288 38.4.3 SSH Commands ........................289 38.4.4 SSH Command Examples ....................289 38.5 Telnet ............................290...
  • Page 15 39.6.2 Command Line FTP Configuration File Upload Example ............305 39.6.3 Command Line FTP File Download ..................305 39.6.4 Command Line FTP Configuration File Download Example ..........306 39.7 ZyWALL File Usage at Startup ......................306 39.8 Notification of a Damaged Recovery Image or Firmware .............307 39.9 Restoring the Recovery Image ......................308 39.10 Restoring the Firmware .......................310...
  • Page 16 46.1 Maintenance Command Examples ....................343 46.1.1 Packet Capture Command Example ...................344 Chapter 47 Watchdog Timer..........................347 47.1 Hardware Watchdog Timer ......................347 47.2 Software Watchdog Timer ......................347 47.3 Application Watchdog ........................348 47.3.1 Application Watchdog Commands Example ................348 List of Commands (Alphabetical)....................351
  • Page 17: Introduction

    Introduction...
  • Page 19: Command Line Interface

    When you configure the ZyWALL using either the CLI (Command Line Interface) or the web configurator, the settings are saved as a series of commands in a configuration file on the ZyWALL. You can store more than one configuration file on the ZyWALL. However, only one configuration file is used at a time.
  • Page 20: Console Port

    When you turn on your ZyWALL, it performs several internal tests as well as line initialization. You can view the initialization information using the console port. • Garbled text displays if your terminal emulation program’s speed is set lower than the ZyWALL’s.
  • Page 21 Chapter 1 Command Line Interface When you access the CLI using the web console, your computer establishes a SSH (Secure SHell) connection to the ZyWALL. Follow the steps below to access the web console. Log into the web configurator. Click the Console icon in the top-right corner of the web configurator screen.
  • Page 22 If you enter the password correctly, the console screen appears. Figure 7 Web Console. To use most commands in this User’s Guide, enter configure terminal. The prompt should change to Router(config)#
  • Page 23: Telnet

    Use the following steps to Telnet into your ZyWALL. If your computer is connected to the ZyWALL over the Internet, skip to the next step. Make sure your computer IP address and the ZyWALL IP address are on the same subnet.
  • Page 24: How Commands Are Explained

    Enter the name of the object where you see object-name. Enter , depending on the service object you want to create. Finally, do one of the following. • Enter exactly as it appears, followed by a number between 1 and 65535. ZyWALL (ZLD) CLI Reference Guide...
  • Page 25: Changing The Password

    Enter range exactly as it appears, followed by a number between 1 and 65535.
    1.4.6 Changing the Password It is highly recommended that you change the password for accessing the ZyWALL. See Section 26.2 on page 230 for the appropriate commands.
  • Page 26: Shortcuts And Help

    Figure 11 Help: Sub-command Information Example
    Router(config)# ip telnet server ?
    <cr>
    port
    rule
    Router(config)# ip telnet server
    Figure 12 Help: Required User Input Example
    Router(config)# ip telnet server port ?
    <1..65535>
    Router(config)# ip telnet server port
  • Page 27: Entering Partial Commands

    1.6.5 Command History The ZyWALL keeps a list of commands you have entered for the current CLI session. You can use any commands in the history again by pressing the up or down arrow key to scroll through...
  • Page 28: Input Values

    Router(config)# interface ge1
    Router(config-if-ge)# description <description>
    When you use the example above, note that ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz. The following table provides more information about input values like <description>...
  • Page 29 Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15.
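    The compression rule on page 29 (any run of zero groups may be replaced by a double colon, and the double colon may appear only once) is exactly what any code that stores or compares IPv6 addresses, such as an address-object or rule matcher, must normalize before it compares two spellings of the same address. The following Python is an added example written for this edit; it is not code from the ZyXEL manual or from the ZLD firmware, and the names expand_ipv6, compress_ipv6 and same_ipv6_address are this example's own. It implements the page's rule explicitly, rejects a second "::", and cross-checks its output against Python's standard ipaddress module.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(text: str) -> str:
    """Expand an IPv6 address to eight zero-padded 4-hex-digit groups.

    Implements the rule from the manual: "::" stands for one or more
    consecutive all-zero groups and may appear at most once.
    """
    if text.count("::") > 1:
        raise ValueError("a double colon may appear only once in an IPv6 address")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has exactly eight 16-bit groups")
    expanded = []
    for g in groups:
        if not 1 <= len(g) <= 4 or any(c not in HEX_DIGITS for c in g):
            raise ValueError(f"invalid hex group {g!r}")
        expanded.append(g.lower().zfill(4))
    return ":".join(expanded)


def compress_ipv6(text: str) -> str:
    """Canonical short form: leading zeros dropped, and the longest run of
    two or more zero groups (leftmost on a tie) replaced by "::"."""
    groups = [int(g, 16) for g in expand_ipv6(text).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:          # strictly greater keeps the leftmost run
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:                      # a single zero group is not compressed
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def same_ipv6_address(a: str, b: str) -> bool:
    """Compare two spellings by their expanded form, never by raw string."""
    return expand_ipv6(a) == expand_ipv6(b)


def matches_stdlib(text: str) -> bool:
    """Cross-check this example's canonical form against the ipaddress module."""
    return ipaddress.IPv6Address(text).compressed == compress_ipv6(text)


if __name__ == "__main__":
    # The four spellings given on page 29 for one address (constructed from the manual's text).
    spellings = [
        "2001:0db8::1a2f:0000:0000:0015",
        "2001:0db8:0000:0000:1a2f::0015",
        "2001:db8::1a2f:0:0:15",
        "2001:db8:0:0:1a2f::15",
    ]
    for s in spellings:
        print(f"{s:32} -> {expand_ipv6(s)}  ({compress_ipv6(s)})")
    print("all equal:", all(same_ipv6_address(spellings[0], s) for s in spellings))
```

    The point for a rule engine is the last function: matching on the raw string would treat the four spellings above as four different addresses, so a deny rule written one way would not match a packet logged another way; expanding first makes the comparison safe, and the "::"-twice check refuses inputs that cannot be parsed unambiguously.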
  • Page 30 -_ chars string: less than 63 1-63 alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./ chars string alphanumeric or -_@ subject 1-61 alphanumeric, spaces, or '()+,./:=?;!*#@$_%- system type hexadecimal timezone [-+]hh -12 through +12 (with or without “+”)
  • Page 31: Ethernet Interfaces

    1.8 Ethernet Interfaces How you specify an Ethernet interface depends on the ZyWALL model. • For the ZyWALL USG 300 and above, use gex, x = 1~N, where N equals the highest numbered Ethernet interface for your ZyWALL model. • The ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  • Page 32: Logging Out

    Chapter 1 Command Line Interface 1.10 Logging Out Enter the exit or end command in configure mode to go to privilege mode. Enter the exit command in user mode or privilege mode to log out of the CLI.
  • Page 33: User And Privilege Modes

    diag: Provided for support personnel to collect internal system information. It is not recommended that you use these. diag-info: Has the ZyWALL create a new diagnostic file. Lists files in a directory. Goes from privilege mode to user mode...
  • Page 34: Debug Commands

    traceroute6: Traces the route to the specified host name or IPv6 address. write: Saves the current configuration to the ZyWALL. All unsaved changes are lost after the ZyWALL restarts. Subsequent chapters in this guide describe the configuration commands. User/privilege mode commands that are also configuration commands (for example, ‘show’) are described in more detail...
  • Page 35 Category-based content filtering debug debug show content-filter server command Myzyxel.com debug commands debug show myzyxel server status Lists the ZyWALL‘s received cards debug show ipset Myzyxel.com debug commands debug show myzyxel server status SSL VPN debug commands debug sslvpn...
  • Page 36 Chapter 2 User and Privilege Modes. Table 5 Debug Commands (continued): COMMAND SYNTAX / DESCRIPTION / LINUX COMMAND EQUIVALENT. debug system ipv6: IPv6 debug commands. debug [cmdexec|corefile|ip|kernel|mac-id-rewrite|observer|switch|system|zyinetpkt|zysh-ipt-op]: ZLD internal debug commands. debug update server (*): Update server debug command.
  • Page 37: Reference

    Reference...
  • Page 39: Object Reference

    ... [crypto_name]
    show reference object isakmp policy [isakmp_name]: Displays which configuration settings reference the specified VPN gateway object.
    show reference object sslvpn policy [object_name]: Displays which configuration settings reference the specified SSL VPN object.
  • Page 40: Object Reference Command Example

    This example shows how to check which configuration is using an address object named LAN1_SUBNET. In the command output, firewall rule 3 named LAN1-to-USG-2000 is using the address object.
    Router(config)# show reference object address LAN1_SUBNET
    LAN1_SUBNET References:
    Category   Rule Priority   Rule Name          Description
    ===========================================================================
    Firewall                   LAN1-to-USG-2000
    Router(config)#
  • Page 41: Status

    show ram-size: Displays the size of the ZyWALL’s on-board RAM. show redundant-…: Displays the status of the ZyWALL’s power modules. The ZyWALL has two power modules. It can continue operating on a single power module if one fails.
  • Page 42 (listening sockets, continued)
    ... 0.0.0.0:0 LISTEN
    1.1.1.1:53 0.0.0.0:0 LISTEN
    172.23.37.205:53 0.0.0.0:0 LISTEN
    10.0.0.8:53 0.0.0.0:0 LISTEN
    172.23.37.240:53 0.0.0.0:0 LISTEN
    192.168.1.1:53 0.0.0.0:0 LISTEN
    127.0.0.1:53 0.0.0.0:0 LISTEN
    0.0.0.0:21 0.0.0.0:0 LISTEN
    0.0.0.0:22 0.0.0.0:0 LISTEN
    127.0.0.1:953 0.0.0.0:0 LISTEN
    0.0.0.0:443 0.0.0.0:0 LISTEN
    127.0.0.1:1723 0.0.0.0:0 LISTEN
  • Page 43 (sockets, continued)
    ... 0.0.0.0:0
    127.0.0.1:30000 0.0.0.0:0
    1.1.1.1:53 0.0.0.0:0
    172.23.37.205:53 0.0.0.0:0
    10.0.0.8:53 0.0.0.0:0
    172.23.37.240:53 0.0.0.0:0
    192.168.1.1:53 0.0.0.0:0
    127.0.0.1:53 0.0.0.0:0
    0.0.0.0:67 0.0.0.0:0
    127.0.0.1:63046 0.0.0.0:0
    127.0.0.1:65097 0.0.0.0:0
    0.0.0.0:65098 0.0.0.0:0
    192.168.1.1:500 0.0.0.0:0
    1.1.1.1:500 0.0.0.0:0
    10.0.0.8:500 0.0.0.0:0
    172.23.37.205:500 0.0.0.0:0
    172.23.37.240:500 0.0.0.0:0
    127.0.0.1:500 0.0.0.0:0
  • Page 44
    BM version : 1.08
    build date : 2009-11-21 01:18:06
    This example shows the current LED states on the ZyWALL. The SYS LED is on and green. The AUX and HDD LEDs are both off.
    Router> show led status
    sys: green...
  • Page 45: Registration

    Licensing > Registration screens. Alternatively, go to http://www.myZyXEL.com with the ZyWALL’s serial number and LAN MAC address to register it. Refer to the web site’s on-line help for details. Note: To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL.
  • Page 46: Registration Commands

    PIN number (license key) in the Registration > Service screen. The one-year ZyXEL engine anti-virus service subscription is automatically extended to 18 months. • The IDP and application patrol features use the IDP/AppPatrol signature files on the ZyWALL. IDP detects malicious or suspicious packets and responds immediately. Application patrol conveniently manages the use of various applications on the network.
  • Page 47: Command Examples

    show service-register status content-filter {bluecoat | commtouch}: Displays BlueCoat or Commtouch service license information.
    show service-register content-filter-engine: Displays which external web filtering service the ZyWALL is set to use for content filtering.
    service-register content-filter-engine {bluecoat | …: Sets whether the ZyWALL uses BlueCoat or Commtouch for content filtering.
  • Page 48: Country Code

    ... Not Licensed None
    SSLVPN Not Licensed None
    Content-Filter Not Licensed None
    The following command displays the seller details you have entered on the ZyWALL.
    Router# configure terminal
    Router(config)# show service-register reseller-info
    seller’s name: ABC
    seller’s e-mail: abc@example.com
    seller’s contact number: 12345678
    vat number:
    5.3 Country Code...
  • Page 49 Heard and McDonald Islands Holy See (City Vatican State) Honduras Hong Kong Hungary Iceland India Indonesia Ireland Isle of Man Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, Republic of Kuwait Kyrgyzstan Lao People’s Democratic Republic
  • Page 50 Saint Vincent and the Grenadines San Marino Sao Tome and Principe Saudi Arabia Senegal Seychelles Sierra Leone Singapore Slovak Republic Slovenia Solomon Islands Somalia South Africa South Georgia and the South Sandwich Islands Spain Sri Lanka
  • Page 51 US Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Venezuela Vietnam Virgin Islands (British) Virgin Islands (USA) Wallis And Futuna Islands Western Sahara Western Samoa Yemen Yugoslavia Zambia Zimbabwe
  • Page 53: Interfaces

    • Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Unlike port groups, bridge interfaces can take advantage of some security features in the ZyWALL. You can also assign an IP address and subnet mask to the bridge.
  • Page 54 Chapter 6 Interfaces • The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the DIAL BACKUP port (labeled AUX on some models).
  • Page 55 Chapter 6 Interfaces. Table 12 Ethernet, VLAN, Bridge, PPP, and Virtual Interface Characteristics (ZyWALL USG 200 and Below Models) (continued). Columns: CHARACTERISTICS, ETHERNET, ETHERNET, ETHERNET, VLAN, BRIDGE, VIRTUAL. Rows: Packet size (MTU), Data size (MSS), DHCP, DHCP server, DHCP relay, Connectivity Check. * Each name consists of 2-4 letters (interface type), followed by a number (x).
  • Page 56: Relationships Between Interfaces

    Chapter 6 Interfaces 6.1.2 Relationships Between Interfaces In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports (or port groups). The relationships between interfaces are explained in the following table.
  • Page 57: Interface General Commands Summary

    interface_name: The name of the interface. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model. ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  • Page 58 Table 16 interface General Commands: Basic Properties and IP Address Assignment (continued). show interface send statistics interval: Displays the interval for how often the ZyWALL refreshes the sent packet statistics for the interfaces. Displays basic information about the interfaces.
  • Page 59 nd ra retrans-timer <0..4294967295>: Sets the IPv6 router advertisement retransmission interval in milliseconds. ipv6 address dhcp6_profile: Has the ZyWALL obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network, such as the LAN or DMZ.
  • Page 60 Specify the ending part of the IPv6 network address plus a slash (/) and the prefix length. The ZyWALL appends it to the selected delegated prefix. The combined address is the network prefix for the network.
  • Page 61 DHCP6_PROFILE DHCP6_SUFFIX_64. dhcp6: Sets the interface’s DHCPv6 setting back to the default. dhcp6 address-request: Has the ZyWALL not get this interface’s IPv6 address from the DHCPv6 server. dhcp6 rapid-commit: Has the ZyWALL use the full four-step DHCPv6 message exchange process.
  • Page 62
    Router(config-if)# exit
    This example shows how to modify the name of interface ge4 to “VIP”. First you have to check the interface system name (ge4 in this example) on the ZyWALL. Then change the name and display the result.
    Router> show interface-name...
  • Page 63: Dhcp Setting Commands

    Chapter 6 Interfaces This example shows how to restart an interface. You can check all interface names on the ZyWALL. Then use either the system name or user-defined name of an interface (ge4 or Customer in this example) to restart it.
  • Page 64 Note: The IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool. When this command is used, the ZyWALL treats this DHCP pool like a static entry, regardless of the setting.
  • Page 65 [no] first-dns-server {ip | interface_name {1st-dns | 2nd-dns | …: Sets the first DNS server to the specified IP address, the specified interface’s first, second, or third DNS server, or the ZyWALL itself. The no command resets the setting to its default value.
  • Page 66 The following example configures the DHCP_TEST pool with a SIP server (code 120) extended DHCP option with one IP address to provide to the SIP clients.
    Router# configure terminal
    Router(config)# ip dhcp pool DHCP_TEST
    Router(config-ip-dhcp-pool)# dhcp-option 120 sip ip 192.168.1.20
    Router(config-ip-dhcp-pool)# exit
  • Page 67: Interface Parameter Command Examples

  • Page 68: Rip Commands

    DESCRIPTION. router ospf: Enters sub-command mode. [no] network interface_name area ip: Makes the specified interface part of the specified area. The no command removes the specified interface from the specified area, disabling OSPF in this interface.
  • Page 69 [no] ip ospf hello-interval <1..65535>: Sets the number of seconds between “hello” messages to peer routers. These messages let peer routers know the ZyWALL is available. The no command sets the number of seconds to 10. See ip ospf dead- for more information.
  • Page 70: Connectivity Check (Ping-Check) Commands

    ZyWALL stops routing to the gateway. The ZyWALL resumes routing to the gateway the first time the gateway passes the connectivity check.
  • Page 71: Ethernet Interface Specific Commands

    6.3.1 MAC Address Setting Commands This table lists the commands you can use to set the MAC address of an interface. On the ZyWALL USG 200 and below models, these commands only apply to a WAN or OPT interface.
  • Page 72: Port Grouping Commands

    Table 23 interface Commands: MAC Setting (continued). type {internal | external | general}: Sets which type of network you will connect this interface to. The ZyWALL automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces;...
  • Page 73: Virtual Interface Specific Commands

    57. There are no additional commands for virtual interfaces. 6.4.1 Virtual Interface Command Examples The following commands set up a virtual interface on top of Ethernet interface ge1. The virtual interface is named ge1:1 with the following parameters: IP 1.2.3.4, subnet 255.255.255.0,
  • Page 74: Pppoe/Pptp Specific Commands

    [no] remote-address ip: Specifies the IP address of the PPPoE/PPTP server. If the PPPoE/PPTP server is not available at this IP address, no connection is made. The no command lets the ZyWALL get the IP address of the PPPoE/PPTP server automatically when it establishes the connection.
  • Page 75: Pppoe/Pptp Interface Command Examples

    [no] ipv6 metric <0..15>: Sets the interface’s metric for IPv6 traffic. The no command clears it. [no] ipv6 address …: Has the ZyWALL obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network, such as the LAN or DMZ. The no command removes the...
  • Page 76: Cellular Interface Specific Commands

    2.5G or 2.75G network (respectively). If you only have a GSM network available to you, you may want to use this so the ZyWALL does not spend time looking for a WCDMA network.
  • Page 77 <1..65535>] (from 1 to 65535 minutes) to generate a log or an alert. no budget log [recursive]: Sets the ZyWALL to not create a log when the time or data limit is exceeded. Specify recursive to have the ZyWALL only create a log one time when the time or data limit is exceeded.
  • Page 78: Cellular Status

    You can also set how often (from 1 to 65535 minutes) to send the log or alert. no budget log-percentage: Sets the ZyWALL to not create a log when the set percentage of time budget or data limit is exceeded. You can configure the percentage using the budget percentage command.
  • Page 79 The ZyWALL failed to create a PPP connection for the cellular interface. Need auth-password: You need to enter the password for the 3G card in the cellular edit screen. Device ready: The ZyWALL successfully applied all of your configuration and you can use the 3G connection.
  • Page 80: Cellular Interface Command Examples

    This second example shows specifying a new PIN code of 4567.
    Router(config)# interface cellular2
    Router(config-if-cellular)# pin 4567
    Router(config-if-cellular)# exit
    This example shows the 3G and SIM card information for interface cellular2 on the ZyWALL.
    Router(config)# show interface cellular2 device status
    interface name: cellular2
    extension slot: USB 1...
  • Page 81: Tunnel Interface Specific Commands

    Chapter 6 Interfaces 6.7 Tunnel Interface Specific Commands The ZyWALL uses tunnel interfaces in Generic Routing Encapsulation (GRE), IPv6 in IPv4, and 6to4 tunnels. This section covers commands specific to tunnel interfaces. Tunnel interfaces also use many of the general interface commands discussed at the beginning of Section 6.2 on page...
  • Page 82: Tunnel Interface Command Examples

    [no] usb-storage activate: Enables or disables the connected USB storage service. usb-storage warn number …: Sets a number and the unit (percentage or megabyte) to have the ZyWALL send a warning message when the remaining USB storage space is less than the set value.
  • Page 83: Usb Storage General Commands Example

    Detail: none 6.9 WLAN Specific Commands You can install a compatible WLAN card to use the ZyWALL as an access point (AP) for a wireless network. The following table identifies the values required for several WLAN commands. Other input values are discussed with the corresponding commands.
  • Page 84: Wlan General Commands

    [no] super: Enables super mode (fast frame and packet bursting). role ap: Sets the ZyWALL to act as an AP (only the AP role is supported at the time of writing). output-power [100% | …: Sets the wireless output power. Reducing output power can help reduce interference with other nearby APs.
  • Page 85: Wlan Interface Commands

    [no] hide: Obscures the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning. idle <30..30000>: Sets the WPA2 idle timeout. The ZyWALL automatically disconnects a wireless station that has been inactive for this number of seconds. The wireless station needs to enter the username and password again before access to the wired network is allowed.
  • Page 86 DESCRIPTION. [no] mtu <576..2304>: Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The ZyWALL divides larger packets into smaller fragments. The no command resets the MTU to 1500. reauth <30..30000>: Sets the WPA2 reauthentication timer. This is at what interval wireless stations...
  • Page 87: Wlan Mac Filter Commands

    DESCRIPTION. [no] wlan mac-filter mac_address [description description]: Specifies the MAC address (in XX:XX:XX:XX:XX:XX format) of the wireless station that is to be allowed or denied access to the ZyWALL. The no command removes the entry. description: You can use alphanumeric and...
  • Page 88: Vlan Interface Specific Commands

    VLAN interface: vlanx, x = 0 - 4094. interface_name: Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  • Page 89: Vlan Interface Command Examples

    interface_name: The name of the interface. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  • Page 90: Bridge Interface Command Examples

    You can use up to 64 characters. Semicolons (;) and backslashes (\) are not allowed. [no] password password: Specifies the password of the auxiliary interface. The no command clears the password. password: You can use up to 63 printable ASCII characters. Spaces are not allowed.
  • Page 91: Auxiliary Interface Command Examples

    Router(config-if-aux)# password kk@u2online
    Router(config-if-aux)# authentication chap-pap
    Router(config-if-aux)# description I am aux interface
    Router(config-if-aux)# exit
    The following commands show how to dial, disconnect, and stop the auxiliary interface.
    Router# interface dial aux
    Router# interface disconnect aux
  • Page 93: Trunks

    You can also define multiple trunks for the same physical interfaces. This allows you to send specific traffic types through the interface that works best for that type of traffic, and if that interface’s connection goes down, the ZyWALL can still send its traffic through another interface.
  • Page 94: Trunk Commands Input Values

    Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
  • Page 95: Trunk Command Examples

    <1..8> to <1..8>. [no] interface {num|interface-name}: Removes an interface from the trunk. system default-interface-group group-name: Sets the ZyWALL to first attempt to use the specified WAN trunk. Enables or disables Source NAT (SNAT). When SNAT is enabled, the...
  • Page 96: Link Sticking

    LAN user A tries to download a file from server B on the Internet. The ZyWALL uses WAN1 to send the request to server B. However, remote server B is actually a redirect server. So server B sends a file list to LAN user A.
  • Page 97: Link Sticking Commands Summary

    File server C finds that the request comes from WAN2’s IP address instead of WAN1’s IP address and rejects the request. If link sticking had been configured, the ZyWALL would have still used WAN1 to send LAN user A’s request to file server C and the file server would have given the file to A.
  • Page 99: Route

    interface_name: The name of the interface. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and lower models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  • Page 100 [no] auto-destination: (...tunnel command) for this route, you can use this command to have the ZyWALL use the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of what you configure by using the destination command.
  • Page 101 See Assured Forwarding (AF) PHB for DiffServ on page for more details.
    dscp-marking <0..63>: Sets a DSCP value to have the ZyWALL apply that DSCP value to the route’s outgoing packets.
    dscp-marking class {default | ...: Sets how the ZyWALL handles the DSCP value of the outgoing packets that match this route.
  • Page 103 [no] user user_name: Sets the user name. The no command resets the user name to the default (any). any means all users.
    [no] policy controll-ipsec-dynamic-rules: Enables the ZyWALL to use policy routes to manually specify the destination addresses of dynamic IPSec rules. You must manually create and activate these policy routes.
  • Page 104: Assured Forwarding (Af) Phb For Diffserv

    DSCP code: any
    service: any
    nexthop type: Gateway
    nexthop: GW_1
    nexthop state: Not support
    auto destination: no
    bandwidth: 0
    bandwidth priority: 0
    maximize bandwidth usage: no
    SNAT: outgoing-interface
    DSCP marking: preserve
    amount of port trigger: 0
    Router(config)#
  • Page 105: Ip Static Route

    8.3 IP Static Route
    The ZyWALL has no knowledge of the networks beyond the network that is directly connected to the ZyWALL. For instance, the ZyWALL knows about network N2 in the following figure through gateway R1. However, the ZyWALL is unable to route a packet to network N3 because it doesn't know that there is a route through the same gateway R1 (via gateway R2).
  • Page 106: Static Route Commands Examples

    2002:22:22:34:: 2001:12::12 2002:22:22:34::
    The following command deletes a specific static IPv6 route.
    Router(config)# no ip6 route 2002:22:22:34::/64 2001:12::12
    The following command deletes all static IPv6 routes with the same prefix.
    Router(config)# no ip6 route 2002:22:22:34::/64
  • Page 107: Routing Protocol

    Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL then stores this routing information in the routing table, which it uses when it makes routing decisions. In turn, the ZyWALL can also provide routing information via routing protocols to other routers.
  • Page 108: Rip Commands

    [no] passive-interface interface_name: Sets the direction to “In-Only” for the specified interface. The no command sets the direction to “BiDir”.
    [no] router-id IP: Sets the 32-bit ID (in IP address format) of the ZyWALL. The no command resets it to “default”, or the highest available IP address.
  • Page 109: Ospf Area Commands

    area IP virtual-link IP message-digest-key <1..255> md5 authkey: Sets the MD5 ID and password for MD5 authentication in the specified virtual link.
    no area IP virtual-link IP message-digest-key <1..255>: Clears the MD5 ID in the specified virtual link.
  • Page 110: Learned Routing Information Commands

    9.2.6 show ip route Command Example
    The following example shows learned routing information on the ZyWALL.
    Router> show ip route
    Flags: A - Activated route, S - Static route, C - directly Connected
    O - OSPF derived, R - RIP derived, G - selected Gateway...
  • Page 111: Zones

    Set up zones to configure network security and network policies in the ZyWALL.
    10.1 Zones Overview
    A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management.
  • Page 112: Zone Commands Summary

    profile_name: The name of a zone, or the name of a VPN tunnel. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. About the pre-defined zones in the ZyWALL USG 200 and below models: •...
  • Page 113: Zone Command Examples

    Router(config)# zone A
    Router(zone)# interface ge1
    Router(zone)# interface ge2
    Router(zone)# block
    Router(zone)# exit
    Router(config)# show zone
    No. Name Block Member
    ===========================================================================
    ge1,ge2
    Router(config)# show zone A
    blocking intra-zone traffic: yes
    No. Type Member
    ===========================================================================
    interface
    interface
  • Page 115: Ddns

    Set up a dynamic DNS account with a supported DNS service provider to be able to use Dynamic DNS services with the ZyWALL. When registration is complete, the DNS service provider gives you a password or key. At the time of writing, the ZyWALL supports the following DNS service providers.
  • Page 116: Ddns Commands Summary

    You may use up to 254 alphanumeric characters, dashes (-), or periods (.), but the first character must be alphanumeric.
    [no] wan-iface interface_name: Sets the WAN interface in the specified DDNS profile. The no command clears it.
  • Page 117 [no] ha-iface interface_name: Sets the HA interface in the specified DDNS profile. The no command clears it.
    [no] backmx: Enables the backup mail exchanger. The no command disables it.
    [no] wildcard: Enables the wildcard feature. The no command disables it.
  • Page 119: Virtual Servers

    Many 1:1 NAT - If you have a range of private network servers that will initiate sessions to the outside clients and a range of public IP addresses, use many 1:1 NAT to have the ZyWALL translate the source IP address of each server’s outgoing traffic to the same one of the public IP addresses that the outside clients use to access the server.
  • Page 120 Using this command without nat-1-1-map means the NAT type is Virtual Server. This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet). The deactivate command disables the virtual server rule.
  • Page 121: Virtual Server Command Examples

    Router(config)# ip virtual-server WAN-LAN_H323 interface wan1 original-ip 10.0.0.8 map-to 192.168.1.56 map-type port protocol tcp original-port 1720 mapped-port 1720 nat-loopback
    Router(config)#
    The following command shows information about all the virtual servers in the ZyWALL.
    Router(config)# show ip virtual-server
    virtual server: WAN-LAN_H323
    active: yes...
  • Page 122: Tutorial - How To Allow Public Access To A Server

    Router(config)# firewall insert 1
    Router(firewall)# description To-VirtualServer-WWW
    Router(firewall)# from WAN
    Router(firewall)# to DMZ
    Router(firewall)# destinationip DMZ_HTTP
    Router(firewall)# service HTTP
    Router(firewall)# exit
    Router(config)# write
    Router(config)#
    Now the public can go to IP address 1.1.1.2 to access the HTTP server.
  • Page 123: Http Redirect

    HTTP Redirect
    This chapter shows you how to configure HTTP redirection on your ZyWALL.
    13.1 HTTP Redirect Overview
    HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server.
    13.1.1 Web Proxy Server
    A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
  • Page 124: Http Redirect Commands

    interface_name: The name of the interface. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and lower models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  • Page 125: Http Redirect Command Examples

    Router# configure terminal
    Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80
    Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80 deactivate
    Router(config)# show ip http-redirect
    Name Interface Proxy Server Port Active
    ===========================================================================
    example1 10.10.2.3
  • Page 127: Alg

    WAN to the LAN. The ZyWALL only needs to use the ALG feature for traffic that goes through the ZyWALL’s NAT. The firewall allows related sessions for VoIP applications that register with a server. The firewall allows or blocks peer to peer VoIP traffic based on the firewall rules.
  • Page 128: Alg Commands

    SIP signaling session to remain idle (without SIP packets) before dropping it. Use transformation to have the ZyWALL modify IP addresses and port numbers embedded in the SIP data payload. You do not need to use this if you have a SIP device or server that will modify IP addresses and port numbers embedded in the SIP data payload.
  • Page 129: Alg Commands Example

    14.3 ALG Commands Example
    The following example turns on pass through for SIP and turns it off for H.323.
    Router# configure terminal
    Router(config)# alg sip
    Router(config)# no alg h323
  • Page 131: Ip/Mac Binding

    IP address. The ZyWALL then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the ZyWALL. Suppose you configure access privileges for IP address 192.168.1.27 and use static DHCP to assign it to Tim’s computer’s MAC address of 12:34:56:78:90:AB.
  • Page 132: Ip/Mac Binding Commands Example

    The following example enables IP/MAC binding on the LAN1 interface and displays the interface’s IP/MAC binding status.
    Router# configure terminal
    Router(config)# ip ip-mac-binding lan1 activate
    Router(config)# show ip ip-mac-binding lan1
    Name: lan1
    Status: Enable
    Log: No
    Binding Count: 0
    Drop Count: 0
    Router(config)#
  • Page 133: Firewall

    For example, if you want to allow a specific user from any computer to access one zone by logging in to the ZyWALL, you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time.
  • Page 134: Firewall Commands

    ), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
    zone_object: The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive.
  • Page 135 [no] connlimit6 max-per-host <1..8192>: Sets the highest number of IPv6 sessions that the ZyWALL will permit a host to have at one time. The no command removes the setting.
    firewall6 rule_number: Enters the IPv6 firewall sub-command mode to set a firewall rule.
  • Page 136 show connlimit6 max-per-host: Displays the highest number of IPv6 sessions that the ZyWALL will permit a host to have at one time.
    show firewall6: Displays all IPv6 firewall settings.
    Displays an IPv6 firewall rule’s settings.
  • Page 137: Firewall Sub-Commands

    (any) meaning all interfaces or VPN tunnels.
    [no] log [alert]: Sets the ZyWALL to create a log (and optionally an alert) when packets match this rule. The no command sets the ZyWALL not to create a log or alert when packets match this rule.
  • Page 138: Firewall Command Examples

    Router(firewall)# service MyService
    Router(firewall)# action allow
    The following command displays the default IPv4 firewall rule that applies to the WAN to ZyWALL packet direction. The firewall rule number is the rule’s priority number in the global rule list.
    Router(config)# show firewall WAN ZyWALL...
  • Page 139: Session Limit Commands

    The following command displays the default IPv6 firewall rule that applies to the WAN to ZyWALL packet direction. The firewall rule number is the rule’s priority number in the global rule list.
    Router(config)# show firewall6 WAN ZyWALL...
  • Page 140 show session-limit6 begin rule_number end rule_number: Shows the settings for a range of IPv6 session-limit rules.
    show session-limit6 rule_number: Shows the IPv6 session-limit rule’s settings.
    show session-limit6 status: Shows the general IPv6 session-limit settings.
  • Page 141: Ipsec Vpn

    The following figure is one example of a VPN tunnel.
    Figure 19 VPN: Example
    The VPN tunnel connects the ZyWALL (X) and the remote IPSec router (Y). These routers then connect the local network (A) and remote network (B). A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use.
  • Page 142: Ipsec Vpn Commands Summary

    ...which the ZyWALL and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure.
    Figure 20 VPN: IKE SA and IPSec SA
    In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks.
  • Page 143: Ike Sa Commands

    [no] dpd: Enables Dead Peer Detection (DPD). The no command disables DPD.
    [no] fall-back: Set this to have the ZyWALL reconnect to the primary address when it becomes available again and stop using the secondary connection, if the connection to the primary address goes down and the ZyWALL changes to using the secondary connection.
  • Page 144: Ipsec Sa Commands (Except Manual Keys)

    [no] xauth type {server xauth_method | client name username password password}: Enables extended authentication and specifies whether the ZyWALL is the server or client. If the ZyWALL is the server, it also specifies the extended authentication method (aaa authentication profile_name);...
  • Page 145 Only the clients can initiate the VPN tunnel. remote-access-client: Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel. Sets the IPSec SA life time.
  • Page 146 in-dnat <1..10> protocol {all | tcp | udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535>: Creates or revises the specified rule and maps the specified IP address and port range (original-ip) to the specified IP address and port range (mapped-ip).
  • Page 147: Ipsec Sa Commands (For Manual Keys)

    For example, "0x0123456789ABCDEF" is in hexadecimal format; “0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must enter twice as many characters. The ZyWALL automatically ignores any characters above the minimum number of characters required by the algorithm. For example, if you enter...
  • Page 148: Vpn Configuration Provisioning Commands

    user username: Specifies a user or group of users allowed to use the ZyWALL IPSec VPN client to retrieve the associated VPN rule settings. A user may belong to a number of groups.
  • Page 149: Sa Monitor Commands

    VPN connection or policy name would still match. A VPN connection or policy name named “testacc” for example would not match. A * in the middle of a VPN connection or policy name has the ZyWALL check the beginning and end and ignore the middle. For example, with “abc*123”, any VPN connection or policy name starting with “abc”...
  • Page 151: Ssl Vpn

    This chapter shows you how to set up secure SSL VPN access for remote user login.
    18.1 SSL Access Policy
    An SSL access policy allows the ZyWALL to perform the following tasks: • limit user access to specific applications or files on the network.
  • Page 152: Ssl Vpn Commands

    show sslvpn policy [profile_name]: Displays the settings of the specified SSL VPN access policy.
    show ssl-vpn network-extension local-ip: Displays the IP address that the ZyWALL uses in setting up the SSL VPN.
    show sslvpn monitor: Displays a list of the users who are currently logged into the VPN SSL client portal.
  • Page 153: Setting An Ssl Vpn Rule Tutorial

    • The ZyWALL will assign two DNS server settings (172.16.1.1 and 172.16.1.2 defined in objects DNS1 and DNS2) to the computers which match the rule’s criteria. • The SSL VPN users are allowed to access the ZyWALL’s local network, 172.16.10.0/24 (defined in object “Network1”).
  • Page 154 Router(policy SSL_VPN_TEST)# network-extension activate
    Router(policy SSL_VPN_TEST)# network-extension ip-pool IP-POOL
    Router(policy SSL_VPN_TEST)# network-extension 1st-dns DNS1
    Router(policy SSL_VPN_TEST)# network-extension 2nd-dns DNS2
    Router(policy SSL_VPN_TEST)# network-extension network NETWORK1
    Router(policy SSL_VPN_TEST)# eps activate
    Router(policy SSL_VPN_TEST)# eps 1 EPS-1
    Router(policy SSL_VPN_TEST)# exit
  • Page 155 1: DNS1
    dns server 2: DNS2
    wins server 1: none
    wins server 2: none
    network: NETWORK1
    cache clean: no
    eps periodical check activation: no
    eps periodical check: 1
    eps activation: yes
    eps: EPS-1
    reference count: 0
  • Page 157: L2Tp Vpn

    L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or VPN client software.
  • Page 158: Using The Default L2Tp Vpn Connection

    • Set the policy route’s Source Address to the address object that you want to allow the remote users to access (LAN_SUBNET in the following figure). • Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users (L2TP_POOL in the following figure).
  • Page 159: L2Tp Vpn Commands

    interface_name: The name of the interface. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and lower models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  • Page 160: L2Tp Vpn Example

    [no] l2tp-over-ipsec user user_name: Specifies the user or user group that can use the L2TP VPN tunnel. If you do not configure this, any user with a valid account and password on the ZyWALL can log in. The no command removes the user name setting.
  • Page 161: Configuring The Default L2Tp Vpn Gateway Example

    • Configure an IP address pool for the range of 192.168.10.10 to 192.168.10.20. In this example it is already created and called L2TP_POOL. • This example uses the default authentication method (the ZyWALL’s local user data base). • Select a user or group of users that can use the tunnel. Here a user account named L2TP-test has been created.
  • Page 162: Configuring The Policy Route For L2Tp Example

    • Set the policy route’s Source Address to the address object that you want to allow the remote users to access (LAN_SUBNET in this example). • Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users (L2TP_POOL in this example).
  • Page 163: Application Patrol

    Note: The ZyWALL checks firewall rules before application patrol rules for traffic going through the ZyWALL. To use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL. Application patrol examines every TCP and UDP connection passing through the ZyWALL and identifies what application is using the connection.
  • Page 164: Pre-Defined Application Commands

    app protocol_name {forward | drop | reject}: Specifies what action the ZyWALL should take when it identifies this application.
    app protocol_name mode {portless | portbase}: Specifies how the ZyWALL identifies this application.
    [no] app protocol_name log [alert]: Creates log entries (and alerts) for the specified application. The no command does not create any log entries.
  • Page 165 {default | dscp_class}} Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to the class default to have the ZyWALL set the DSCP value to 0. Creates log entries (and alerts) for traffic that matches the rule.
  • Page 166: Exception Commands For Pre-Defined Applications

    {default | dscp_class}} Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to the class default to have the ZyWALL set the DSCP value to 0.
    [no] log [alert]: Creates log entries (and alerts) for traffic that matches the rule. The no command does not create any log entries.
  • Page 167: Other Application Commands

    {default | dscp_class}} Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to the class default to have the ZyWALL set the DSCP value to 0.
    port <0..65535>: Specifies the destination port. 0 means any...
  • Page 168: General Commands For Application Patrol

    {default | dscp_class}} Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to the class default to have the ZyWALL set the DSCP value to 0. Creates log entries (and alerts) for traffic that matches the rule.
  • Page 169 show app other rule all: Displays the configurations of all the rules for other applications.
    show app other rule all statistics: Displays all the rule statistics for other applications.
  • Page 170 SIP traffic is enabled.
    show bwm activation: Displays whether or not the global setting for bandwidth management on the ZyWALL is enabled.
    20.2.6.1 General Command Examples
    The following examples show the information that is displayed by some of the commands.
  • Page 171 DSCP inbound marking: preserve
    DSCP outbound marking: preserve
    bandwidth excess-usage: no
    bandwidth priority: 1
    bandwidth inbound: 0
    bandwidth outbound: 0
    log: no
  • Page 173: Anti-Virus

    A file named “test.zipa” for example would not match. A * in the middle of a pattern has the ZyWALL check the beginning and end of the file name and ignore the middle. For example, with “abc*.zip”, any file starting with “abc”...
  • Page 174: General Anti-Virus Commands

    show anti-virus skip-unknown-file-type activation: Displays whether or not anti-virus checks files for which the ZyWALL cannot identify a type.
    anti-virus mail-infect-ext activate: Has the ZyWALL add a notification text file to an e-mail after destroying a virus-infected e-mail attachment...
  • Page 175 [no] scan {http | ftp | imap4 | smtp | pop3}
    [no] infected-action {destroy | send-win-msg}: Sets the action to take when the ZyWALL detects a virus in a file. The file can be destroyed (filled with zeros from the point where the virus was found).
  • Page 176: White And Black Lists

    Table 94 Commands for Anti-virus White and Black Lists
    [no] anti-virus white-list activate: Turn on the white list to have the ZyWALL not perform the anti-virus check on files with names that match the white list patterns.
    Adds or removes a white list file pattern.
    Turns a file pattern on or off.
  • Page 177: Signature Search Anti-Virus Command

    This search is not case-sensitive. severity: type the severity level of the signatures you want to find (high, medium, or low).
  • Page 178: Update Anti-Virus Signatures

    | wed | thu | fri | sat} <0..23>
    show anti-virus update: Displays signature update schedule.
    show anti-virus update status: Displays signature update status.
    show anti-virus signatures status: Displays details about the current signature set.
  • Page 179: Update Signature Examples

    IP address, or virus name.
    {destination | source | virus-name}: virus-name: lists the most common viruses detected. source: lists the source IP addresses of the most virus-infected files. destination: lists the most common destination IP addresses for virus-infected files.
  • Page 180: Anti-Virus Statistics Example

    IP addresses.
    Router(config)# anti-virus statistics collect
    Router(config)# show anti-virus statistics collect
    collect statistics: yes
    Router(config)# show anti-virus statistics summary
    file scanned virus detected: 0
    Router(config)# show anti-virus statistics ranking destination
  • Page 181: Idp Commands

    Table 98 Input Values for IDP Commands
    zone_profile: The name of a zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive.
  • Page 182: Idp Profile Commands

    idp reload: Recovers the IDP signatures. You should only need to do this if instructed to do so by a support technician.
    22.2.1.1 Activate/Deactivate IDP Example
    This example shows how to activate and deactivate signature-based IDP on the ZyWALL.
    Router# configure terminal
    Router(config)# idp signature activate
    Router(config)# show idp signature activation...
  • Page 183: Idp Zone To Zone Rules

    <1..32> | move <1..32> to <1..32> }
    no idp {signature| anomaly } rule <1..32>: Removes an IDP profile to traffic direction entry.
    show idp {signature| anomaly } rules: Displays the IDP zone to zone rules.
  • Page 184: Editing/Creating Idp Signature Profiles

    Use these commands to create a new anomaly profile or edit an existing one. It is recommended you use the web configurator to create/edit profiles. If you do not specify a base profile, the default base profile is none.
  • Page 185 {low | medium | high}
    no scan-detection sensitivity: Clears scan-detection sensitivity. The default sensitivity is medium.
    scan-detection block-period <1..3600>: Sets for how many seconds the ZyWALL blocks all packets from being sent to the victim (destination) of a detected anomaly attack.
  • Page 186 {drop | reject-sender | reject-receiver | reject-both}}
    no icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} action: Deactivates icmp decoder actions.
    show idp anomaly profile scan-detection [all details]: Shows all scan-detection settings of the specified IDP profile.
  • Page 187 show idp anomaly profile icmp-decoder all details: Shows all icmp-decoder settings for the specified IDP profile.
    show idp anomaly profile icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} details: Shows specified icmp-decoder settings for the specified IDP profile.
  • Page 188: Editing System Protect

    no signature SID action: Deactivates an action for an IDP signature.
    show idp system-protect all details: Displays the system protect profile details.
    22.3.6 Signature Search
    Use this command to search for signatures in the named profile.
  • Page 189 “worm” within the signature name.
    22.3.6.1 Search Parameter Tables
    The following table displays the command line severity, platform and policy type equivalent values. If you want to combine platforms in a search, then add their respective numbers together. For
  • Page 190 1024 = ORACLE
    2048 = P2P
    4096 = POP2
    8192 = POP3
    16384 = RPC
    32768 = RSERVICES
    33554432 = WEB_IIS
    67108864 = WEB_MISC
    134217728 = WEB_PHP
    268435456 = MISC_BACKDOOR
    536870912 = MISC_DDOS
    1073741824 = MISC_EXPLOIT
  • Page 191: Idp Custom Signatures

    show idp signatures custom-signature custom_sid {details | contents | non-contents}: Displays custom signature information.
    show idp signatures custom-signature all details: Displays all custom signatures’ information.
    show idp signatures custom-signature number: Displays the total number of custom signatures.
  • Page 192: Custom Signature Examples

    \"test edit\"; sid: 9000000 ; )"
    sid: 9000000
    message: test edit
    policy type:
    severity:
    platform:
    all: no
    Win95/98: no
    WinNT: no
    WinXP/2000: no
    Linux: no
    FreeBSD: no
    Solaris: no
    SGI: no
    other-Unix: no
    network-device: no
    service:
    outbreak: no
  • Page 193 Router(config)# show idp signatures custom-signature 9000000 details
    sid: 9000000
    message: test edit
    policy type:
    severity:
    platform:
    all: no
    Win95/98: no
    WinNT: no
    WinXP/2000: no
    Linux: no
    FreeBSD: no
    Solaris: no
    SGI: no
    other-Unix: no
    network-device: no
    service:
    outbreak: no
  • Page 194 0
    tcp_flag_ack:
    tcp_flag_fin:
    tcp_flag_push:
    tcp_flag_r1:
    tcp_flag_r2:
    tcp_flag_rst:
    tcp_flag_syn:
    tcp_flag_urg:
    threshold_type:
    threshold_track:
    threshold_count:
    threshold_second:
    tos:
    tos_rel:
    transport: tcp
    ttl:
    ttl_rel:
    window:
    window_rel:
  • Page 195: Update Idp Signatures

    This example shows you how to display the number of custom signatures on the ZyWALL.
    Router(config)# show idp signatures custom-signature number
    signatures:
    22.5 Update IDP Signatures
    Use these commands to update new signatures. You must register for the IDP service before you can update IDP signatures, although you do not have to register in order to update system-protect signatures.
  • Page 196: Update Signature Examples

    {signature-name | source | destination} signature-name: lists the most commonly detected signatures. source: lists the source IP addresses from which the ZyWALL has detected the most intrusion attempts. destination: lists the most common destination IP addresses for detected intrusion attempts.
  • Page 197: Idp Statistics Example

    4
    Router(config)# show idp statistics ranking destination
    ranking: 1
    destination ip: 172.23.5.19
    occurence: 22
    ranking: 2
    destination ip: 172.23.5.1
    occurence: 4
    Router(config)# show idp statistics ranking source
    ranking: 1
    source ip: 192.168.1.34
    occurence: 26
  • Page 199: Content Filtering

    • Apply a content filtering profile that you have custom-tailored.
    23.3 External Web Filtering Service
    When you register for and enable the external web filtering service, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block and/or log access to web sites based on these categories.
  • Page 200: Content Filter Command Input Values

    policy_number: The number of the policy <0 - X> where X depends on the number of content filtering policies the ZyWALL model supports. See the CLI help for details.
    address: The name (up to 63 characters) of an existing address object or group to which the policy should be applied.
  • Page 201: General Content Filter Commands

    URL and checking your external web filtering service registration status. Use the configure terminal command to enter the configuration
  • Page 202 [no] content-filter block redirect redirect_url: Sets the URL to which a user is redirected when web access is blocked by content filtering. The no command clears the setting. [no] content-filter -timeout _timeout: Sets how long the ZyWALL keeps an entry in the content filtering URL cache before discarding it. The no command clears the setting.
  • Page 203: Content Filter Filtering Profile Commands

    (([*a-z0-9\-]){1,63}\.)+([*a-z0-9\-]){1,63} tld: top level domain. exit: Leaves the sub-command mode. show content-filter passed warning: Displays the ZyWALL’s record of sessions for which it has given the user a warning before allowing access. show content-filter policy: Displays the content filtering policies. Displays the general content filtering settings.
  • Page 204 no content-filter profile filtering_profile url match {log}: Has the ZyWALL not log attempted access to web pages that match the profile’s selected managed categories. no content-filter profile filtering_profile url offline {log}: Has the ZyWALL not log access to web pages if the external content filtering database is unavailable...
  • Page 205: Content Filter Url Cache Commands

    23.8 Content Filter URL Cache Commands The following table lists the commands that you can use to view and configure your ZyWALL’s URL caching. You can configure how long a categorized web site address remains in the URL cache, as well as view those web site addresses to which access has been allowed or blocked based on the responses from the external content filtering server.
  • Page 206: Content Filtering Statistics

    content-filter url-cache test: Enters the sub-command mode for testing whether or not a web site is saved in the ZyWALL’s database of restricted web pages. Tests whether or not a web site is saved in the ZyWALL’s database of restricted web pages. exit: Leaves the sub-command mode. 23.9 Content Filtering Statistics...
  • Page 207: Content Filtering Statistics Example

    Note: You must register for the external web filtering service before you can use it (see Chapter 5 on page 45). You can also customize the filtering profile. The following commands block ActiveX, Java and proxy access, append a content filter policy, and activate content filtering.
  • Page 208 Router(config)# content-filter profile sales_CF_PROFILE url url-server Router(config)# content-filter profile sales_CF_PROFILE custom java Router(config)# content-filter profile sales_CF_PROFILE custom activex Router(config)# content-filter profile sales_CF_PROFILE custom proxy Router(config)# content-filter profile sales_CF_PROFILE custom Router(config)# content-filter policy append all_day any RD RD_CF_PROFILE Router(config)# content-filter activate
  • Page 209 Potentially Unwanted Software no, Greeting Cards Audio/Video Clips no, Media Sharing Radio/Audio Streams no, TV/Video Streams Internet Telephony no, Online Meetings Newsgroups/Forums no, Art/Culture Entertainment no, Games Sports/Recreation no, Translation Alternative Spirituality/Belief : no, Society/Daily Living --------------------------------------SNIP!-----------------------------------------
  • Page 211: Anti-Spam

    ZyWALL model supports. See the ZyWALL’s User’s Guide for details. zone_object: The name of the zone. The ZyWALL USG 200 and lower models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT, and WAN.
  • Page 212: Zone To Zone Anti-Spam Rules

    [no] activate: Turns a direction-specific anti-spam rule on or off. [no] log [alert]: Sets the ZyWALL to create a log (and optionally an alert) when packets match this rule and are found to be spam. The no command sets the ZyWALL not to create a log or alert when packets match this rule.
  • Page 213 [timeout] anti-spam tag query-timeout [tag]: Specifies the label to add to the mail subject of e-mails the ZyWALL tags and forwards when queries to the mail scan servers time out.
  • Page 214: White And Black Lists

    This example shows how to configure (and display) a WAN to DMZ anti-spam rule to scan POP3 and SMTP traffic. SMTP spam is forwarded. POP3 spam is marked with a spam tag. The ZyWALL logs the event when an e-mail matches the DNSBL (see Section 24.2.4 on page 216...
  • Page 215 rule_number: The index number of an anti-spam white or black list entry, 1 - X where X is the highest number of entries the ZyWALL model supports. See the ZyWALL’s User’s Guide for details. subject: A keyword in the content of the e-mail Subject headers. Use up to 63 ASCII characters.
  • Page 216: Dnsbl Anti-Spam Commands

    • The ZyWALL checks the first header with the name you specified in the entry. So if the e-mail has more than one “Received” header, the ZyWALL checks the first one.
  • Page 217 show anti-spam dnsbl ip-check-order: Displays the order in which anti-spam checks e-mail header IP addresses against the DNSBLs. show anti-spam dnsbl query-timeout {smtp: Displays how the ZyWALL handles SMTP or POP3 mail if the queries to the DNSBL domains time out.
  • Page 218 • Turns DNSBL checking on. • Sets the ZyWALL to forward POP3 mail with a tag if the queries to the DNSBL domains time out. • Sets the ZyWALL to check up to 4 sender and relay server IP addresses in e-mail headers against the DNSBL.
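The DNSBL check described above (read the sender and relay addresses out of the e-mail headers, check only the first header of the chosen name unless told otherwise, query at most a few of them) is easy to get subtly wrong. The following is an added example, not ZyXEL code, that shows the mechanics: it extracts IPs from a constructed message's Received headers, builds the reversed-octet query name for a DNSBL zone, and looks each one up. The message, the zone name bl.example and the answers returned by constructed_lookup are all made up here so the example runs offline; a real deployment would replace constructed_lookup with a DNS A-record query.

```python
"""Check the relay IPs in an e-mail's Received headers against a DNSBL.

Added example; not ZyXEL code.  SAMPLE_MAIL, CONSTRUCTED_ZONE and the
answers served by constructed_lookup() are constructed test data.
"""
import ipaddress
import re
from email import message_from_string

# An IPv4 literal, optionally inside the [brackets] Received headers use.
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Addresses that no public DNSBL lists; they are skipped rather than queried.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed message: the outer relay (first Received header) is clean, the
# inner relay 198.51.100.22 is listed, and 192.168.1.34 is a private address.
SAMPLE_MAIL = (
    "Received: from mail.example.net (mail.example.net [203.0.113.7])\n"
    "\tby mx.example.com with ESMTP id abc123\n"
    "Received: from [192.168.1.34] (unknown [198.51.100.22])\n"
    "\tby mail.example.net with SMTP\n"
    "From: sender@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Constructed DNSBL data: a listed address answers with a 127.0.0.x record.
CONSTRUCTED_ZONE = "bl.example"
_LISTED = {"22.100.51.198." + CONSTRUCTED_ZONE: "127.0.0.2"}


def constructed_lookup(name):
    """Stand-in for a DNS A query: the answer, or None for NXDOMAIN."""
    return _LISTED.get(name)


def reverse_query_name(ip, zone):
    """DNSBL query name: the IPv4 octets in reverse order, then the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def header_ips(raw_message, header="Received", all_headers=False, limit=4):
    """Return up to `limit` public IPs from the named header(s), in order.

    By default only the first header with that name is read, which is the
    behaviour the manual describes; all_headers=True walks every one.
    """
    msg = message_from_string(raw_message)
    values = msg.get_all(header) or []
    if not all_headers:
        values = values[:1]
    found = []
    for value in values:
        for match in IP_RE.finditer(value):
            try:
                addr = ipaddress.IPv4Address(match.group(1))
            except ValueError:
                continue
            if any(addr in net for net in _NON_PUBLIC):
                continue
            if str(addr) not in found:
                found.append(str(addr))
            if len(found) >= limit:
                return found
    return found


def dnsbl_check(ips, zones, lookup):
    """Query each IP against each zone in order; return the first hit or None."""
    for ip in ips:
        for zone in zones:
            name = reverse_query_name(ip, zone)
            answer = lookup(name)
            if answer is not None:
                return {"ip": ip, "zone": zone, "query": name, "answer": answer}
    return None


if __name__ == "__main__":
    first_only = header_ips(SAMPLE_MAIL)
    print("first header:", first_only,
          dnsbl_check(first_only, [CONSTRUCTED_ZONE], constructed_lookup))
    every = header_ips(SAMPLE_MAIL, all_headers=True)
    print("all headers:", every,
          dnsbl_check(every, [CONSTRUCTED_ZONE], constructed_lookup))
```

Run as written, the first-header-only check comes back clean while the all-headers check finds the listed inner relay: that difference is exactly why the manual's note about which header is checked, and the ip-check-order setting, matter when you tune the rule.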
  • Page 219: Anti-Spam Statistics

    0 spam detected by mail content: 0 spam detected by dnsbl: 0 spam detected with virus: 0 total virus mails: 0 dnsbl timeout: 0 mail session forwarded: 0 mail session dropped: 0
  • Page 221: Device Ha

    You can configure a separate management IP address for each interface. You can use it to access the ZyWALL for management whether the ZyWALL is the master or a backup. The management IP address should be in the same subnet as the interface IP address.
  • Page 222: Before You Begin

    Virtual Router The master and backup ZyWALL form a single ‘virtual router’. Cluster ID You can have multiple ZyWALL virtual routers on your network. Use a different cluster ID to identify each virtual router. Monitored Interfaces in Active-Passive Mode Device HA You can select which interfaces device HA monitors.
  • Page 223: Active-Passive Mode Device Ha Commands

    interface_name: The name of the interface. This depends on the ZyWALL model. For the ZyWALL USG 300 and above, use gex, x = 1 ~ N, where N equals the highest numbered Ethernet interface for your ZyWALL model. For the ZyWALL USG 200 and below, use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  • Page 224 show device-ha ap-mode backup sync summary: Displays the backup ZyWALL’s synchronization settings. show device-ha ap-mode forwarding-port interface_name: If you apply Device HA on a bridge interface on a backup ZyWALL, you can use this command to see which port in the bridge interface is chosen to receive the VRRP packets used to monitor whether the master ZyWALL goes down.
  • Page 225: Active-Passive Mode Device Ha Command Example

    VRRP. VRRP Group Overview In the ZyWALL, you should create a VRRP group to add one of its interfaces to a virtual router. You can add any Ethernet interface, VLAN interface, or virtual interface (created on top of Ethernet interfaces or VLAN interfaces) with a static IP address.
  • Page 226: Vrrp Group Commands

    VRRP group. [no] activate 25.6.2 VRRP Synchronization Commands This table lists the commands for synchronization. You can synchronize with other ZyWALLs of the same model that are running the same firmware version. Table 129 device-ha Commands: Synchronization...
  • Page 227: Link Monitoring Commands

    [no] device-ha sync now 25.6.3 Link Monitoring Commands This table lists the commands for link monitoring. Link monitoring has the master ZyWALL shut down all of its VRRP interfaces if one of its VRRP interface links goes down. This way the backup ZyWALL takes over all of the master ZyWALL’s functions.
  • Page 229: User/Group

    This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
  • Page 230: User/Group Commands Summary

    DESCRIPTION show username [username]: Displays information about the specified user or about all users set up in the ZyWALL. username username nopassword user-type {admin |: Creates the specified user (if necessary), disables the password, and sets the user type for the specified user.
  • Page 231: User Group Commands

    COMMAND DESCRIPTION show groupname [groupname]: Displays information about the specified user group or about all user groups set up in the ZyWALL. [no] groupname groupname: Creates the specified user group if necessary and enters sub-command mode. The no command deletes the specified user group.
  • Page 232 Router# configure terminal Router(config)# show users simultaneous-logon-settings enable simultaneous logon limitation for administration account: yes maximum simultaneous logon per administration account enable simultaneous logon limitation for access account : yes maximum simultaneous logon per access account
  • Page 233: Force User Authentication Commands

    Users do not need to be authenticated. no log | log [alert]: Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or not (no log) for packets that match this default policy.
  • Page 234 <1..1440> ... the ZyWALL only performs the endpoint security check when users log in to the ZyWALL. [no] force: Forces users to log in to the ZyWALL if the specified condition is satisfied. The no command means that users do not have to log in to the ZyWALL.
  • Page 235: Additional User Commands

    {username | all | current} show lockout-users: Displays users who are currently locked out. unlock lockout-users {ip | console | ipv6_addr}: Unlocks the specified IP address (or the console). users force-logout {username | ip | ipv6_addr}: Logs out the specified login.
  • Page 236 Chapter 26 User/Group 26.2.5.1 Additional User Command Examples The following commands display the users that are currently logged in to the ZyWALL and force the logout of all logins from a specific IP address. Router# configure terminal Router(config)# show users all...
  • Page 237: Addresses

    For the USG 300 and above, use gex, x = 1 ~ N, where N equals the highest numbered Ethernet interface for your ZyWALL model. For the ZyWALL USG 200 and below, use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  • Page 238: Address Object Commands

    [no] address6-object object_name interface-gateway interface {slaac | static} {addr_index}: Creates the specified IPv6 address object based on the specified interface gateway object. Specify whether it is a SLAAC or static IPv6 address. The no command removes the specified address object.
  • Page 239 Router(config)# address-object A2 192.168.1.0/24 Router(config)# show address-object Object name Type Address Ref. ===================================================================== HOST 192.168.1.1 RANGE 192.168.1.1-192.168.1.20 SUBNET 192.168.1.0/24 Router(config)# no address-object A2 Router(config)# show address-object Object name Type Address Ref. ===================================================================== HOST 192.168.1.1 RANGE 192.168.1.1-192.168.1.20
  • Page 240: Address Group Commands

    [no] object-group group_name: Adds the specified address group (second group_name) to the specified address group (first group_name). The no command removes the specified address group from the specified address group.
  • Page 241 Router(config)# object-group address RD Router(group-address)# address-object A1 Router(group-address)# address-object A2 Router(group-address)# exit Router(config)# show object-group address Group name Reference Description =========================================================================== TW_TEAM Router(config)# show object-group address RD Object/Group name Type Reference =========================================================================== Object 1 Object 1
  • Page 243: Services

    [object_name] the services. no service-object object_name: Deletes the specified service. service-object object_name {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>}: Creates the specified TCP service or UDP service using the specified parameters.
  • Page 244: Service Group Commands

    [no] object-group service group_name: Creates the specified service group if necessary and enters sub-command mode. The no command removes the specified service group. [no] service-object object_name: Adds the specified service to the specified service group. The no command removes the specified service from the specified group.
  • Page 245 Router(config)# object-group service SG1 Router(group-service)# service-object ICMP_ECHO Router(group-service)# exit Router(config)# show service-object ICMP_ECHO Object name Protocol Minimum port Maximum port Ref. =========================================================================== ICMP_ECHO ICMP Router(config)# show object-group service SG1 Object/Group name Type Reference =========================================================================== ICMP_ECHO Object 1
  • Page 247: Schedules

    29.1 Schedule Overview The ZyWALL supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat. Note: Schedules are based on the current date and time in the ZyWALL.
  • Page 248: Schedule Command Examples

    Object name Type Start/End Ref. =========================================================================== SCHEDULE1 Recurring 11:00/12:00 ===MonTueWedThuFri=== 0 SCHEDULE2 Once 2006-07-29 11:00/2006-07-31 12:00 0 Router(config)# no schedule-object SCHEDULE1 Router(config)# show schedule-object Object name Type Start/End Ref. =========================================================================== SCHEDULE2 Once 2006-07-29 11:00/2006-07-31 12:00 0
  • Page 249: Aaa Server

    Chapter 30 AAA Server This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers. 30.1 AAA Server Overview You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the ZyWALL supports.
  • Page 250: Ldap-Server Commands

    Table 147 ad-server Commands (continued) COMMAND DESCRIPTION [no] ad-server binddn binddn: Sets the user name the ZyWALL uses to log into the default AD server. The no command clears this setting. Sets the unique common name (cn) to identify a record. The...
  • Page 251: Radius-Server Commands

    [no] radius-server key secret: Sets a password (up to 15 alphanumeric characters) as the key to be shared between the RADIUS server and the ZyWALL. The no command clears this setting. This shared secret is all that protects the User-Password attribute on the wire, so use the full length and a random value rather than a dictionary word. [no] radius-server timeout time: Sets the search timeout period (in seconds). Enter a number between 1 and 300.
  • Page 252: Aaa Group Server Ldap Commands

    [no] server basedn basedn: Sets the base DN to point to the AD directory on the AD server group. The no command clears this setting. [no] server binddn binddn: Sets the user name the ZyWALL uses to log into the AD server group. The no command clears this setting.
  • Page 253: Aaa Group Server Radius Commands

    [no] server basedn basedn: Sets the base DN to point to the LDAP directory on the LDAP server group. The no command clears this setting. [no] server binddn binddn: Sets the user name the ZyWALL uses to log into the LDAP server group. The no command clears this setting.
  • Page 254: Aaa Group Server Command Example

    [no] server description description: Sets the description, up to 60 printable ASCII characters. The no command clears the setting. [no] server group-attribute <1-255>: Sets the value of an attribute that the ZyWALL uses to determine to which group a user belongs. This attribute’s value is called a group identifier. You can add ext-group-user user objects to identify groups based on different group identifier values.
  • Page 255: Authentication Objects

    31.1 Authentication Objects Overview After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the ZyWALL uses to authenticate users (using VPN or managing through HTTP/HTTPS). 31.2 aaa authentication Commands...
  • Page 256: Aaa Authentication Command Example

    31.3.1 Test a User Account Command Example The following example shows how to test whether a user account named userABC exists on the AD authentication server which uses the following settings: • IP address: 172.16.50.1 • Port: 389 • Base-dn: DC=ZyXEL,DC=com
  • Page 257 • Password: abcdefg • Login-name-attribute: sAMAccountName The result shows the account exists on the AD server. Otherwise, the ZyWALL responds with an error. Note that the bind password is typed on the command line in the clear, and on plain port 389 it also crosses the network unencrypted unless the connection to the server uses TLS, so run this test from a console you trust and use a low-privilege bind account. Router> test aaa server ad host 172.16.50.1 port 389 base-dn DC=ZyXEL,DC=com bind-dn zyxel\engineerABC password abcdefg login-name-attribute sAMAccountName account...
  • Page 259: Certificates

    This chapter explains how to use the Certificates. 32.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
  • Page 260: Certificates Commands Summary

    32.4 Certificates Commands Summary The following table lists the commands that you can use to display and manage the ZyWALL’s summary list of certificates and certification requests. You can also create certificates or certification requests. Use the...
  • Page 261 389 is the default server port number for LDAP. The ZyWALL may need to authenticate itself in order to access the CRL directory server. Type the login name (up to 31 characters) from the entity maintaining the server (usually a certification authority).
  • Page 262 {text|pem}]: ... certificates) or the details of a specified certificate. show ca validation name name: Displays the validation configuration for the specified remote (trusted) certificate. show ca spaceusage: Displays the storage space in use by certificates.
  • Page 263: Certificates Commands Examples

    IP valid from: none valid to: none certificate: test_x509 type: SELF subject: CN=10.0.0.58 issuer: CN=10.0.0.58 status: VALID ID: 10.0.0.58 type: IP valid from: 2006-05-29 10:26:08 valid to: 2009-05-28 10:26:08 Router(config)# no ca category local pkcs12request
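The listing above is what you audit when you want to know whether the ZyWALL is still presenting a self-signed or long-expired certificate to VPN peers and administrators (test_x509 is self-signed, its subject and issuer being the same CN, and its validity ended in 2009). The following is an added example, not ZyXEL code, that parses a constructed copy of that output, laid out one field per line, and reports self-signed, expired, not-yet-valid and soon-to-expire entries. The second certificate, vpn_peer, is invented so that the "expires soon" path is exercised.

```python
"""Audit the certificates listed by `show ca` for weak or expired entries.

Added example; not ZyXEL code.  SAMPLE_SHOW_CA is constructed: test_x509
is the manual's sample certificate, vpn_peer is an invented second entry.
"""
from datetime import datetime

SAMPLE_SHOW_CA = """\
certificate: test_x509
type: SELF
subject: CN=10.0.0.58
issuer: CN=10.0.0.58
status: VALID
ID: 10.0.0.58
type: IP
valid from: 2006-05-29 10:26:08
valid to: 2009-05-28 10:26:08
certificate: vpn_peer
type: REMOTE
subject: CN=vpn.example.com
issuer: CN=Example Root CA
status: VALID
ID: vpn.example.com
type: DNS
valid from: 2012-12-20 00:00:00
valid to: 2013-12-20 00:00:00
"""


def parse_show_ca(text):
    """Split the listing into one dict per certificate.

    'type' appears twice per entry (certificate type, then the ID type);
    the second occurrence, which follows the ID line, is stored as 'id_type'.
    """
    certs, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "certificate":
            current = {"name": value}
            certs.append(current)
        elif current is None:
            continue
        elif key == "type" and "ID" in current:
            current["id_type"] = value
        else:
            current[key] = value
    return certs


def parse_time(value):
    """Parse the listing's timestamp format; 'none' (no validity) becomes None."""
    if value in ("", "none"):
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def audit(certs, now, warn_days=30):
    """Return (name, finding) pairs; `now` is a datetime or 'YYYY-MM-DD HH:MM:SS'."""
    if isinstance(now, str):
        now = parse_time(now)
    findings = []
    for cert in certs:
        name = cert["name"]
        # A certificate that issued itself proves nothing to a peer.
        if cert.get("subject") and cert.get("subject") == cert.get("issuer"):
            findings.append((name, "self-signed"))
        not_before = parse_time(cert.get("valid from", "none"))
        not_after = parse_time(cert.get("valid to", "none"))
        if not_before is None or not_after is None:
            findings.append((name, "no validity period"))
            continue
        if now < not_before:
            findings.append((name, "not yet valid"))
        if now > not_after:
            findings.append((name, "expired"))
        elif (not_after - now).days < warn_days:
            findings.append((name, "expires within %d days" % warn_days))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_show_ca(SAMPLE_SHOW_CA), datetime.now()):
        print("%s: %s" % (name, finding))
```

Because the ZyWALL evaluates validity against its own clock, compare the findings against the device's date and time (and its NTP configuration) before trusting either the listing's status column or this script's verdict.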
  • Page 264: Isp Accounts

    You may use up to 63 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period. service_name: You can use up to 63 alphanumeric characters, underscores (_), dashes (-), and the characters @$./
  • Page 265: Cellular Account Commands

    [no] authentication {none | pap | chap}: Sets the authentication method for the cellular account. The no command sets authentication to none. PAP sends the account password in the clear on the link, so use CHAP where the provider supports it. [no] idle <0..360>: Sets the idle timeout for the cellular account. Zero disables the idle timeout. The no command sets the idle timeout to zero.
  • Page 266: Ssl Application

    (Outlook Web Access) to allow users to access e-mails, contacts and calendars via a Microsoft Outlook-like interface using supported web browsers. The ZyWALL supports one OWA object. web-server: to allow access to the specified web site hosted on the local network.
  • Page 267 Specify the listening ports of the LAN computer(s) running remote desktop server software. The ZyWALL uses a port number from this range to send traffic to the LAN computer that is being remotely managed. program-path: specify an application to open when a remote user logs into the remote desktop application.
  • Page 268: Ssl Application Command Examples

    Router(config)# sslvpn application ZW5 Router(sslvpn application)# server-type web-server url http://192.168.1.12 Router(sslvpn application)# exit Router(config)# show sslvpn application SSL Application: ZW5 Server Type: web-server URL: http://192.168.1.12 Entry Point: Encrypted URL: ~aHR0cDovLzE5Mi4xNjguMS4xMi8=/ Web Page Encryption: yes Reference: 1
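The "Encrypted URL" in that output is not encrypted: strip the leading ~ and the trailing /, Base64-decode what is left, and the manual's own value gives back http://192.168.1.12/. The following is an added example, not ZyXEL code, that parses a constructed copy of the show output above and checks that round trip, so you can see exactly how much the token hides (the internal address is hidden only from a casual glance, not from anyone who can read the portal's links).

```python
"""Show that the SSL application 'Encrypted URL' is Base64, not encryption.

Added example; not ZyXEL code.  SAMPLE_OUTPUT is constructed from the
manual's ZW5 example; the ~...=/ wrapper is taken from that output.
"""
import base64

SAMPLE_OUTPUT = """\
SSL Application: ZW5
Server Type: web-server
URL: http://192.168.1.12
Entry Point:
Encrypted URL: ~aHR0cDovLzE5Mi4xNjguMS4xMi8=/
Web Page Encryption: yes
Reference: 1
"""


def parse_show_output(text):
    """Turn 'Field: value' lines into a dict (split on the first colon only)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def decode_encrypted_url(token):
    """Remove the ~ prefix and / suffix that wrap the value, then Base64-decode."""
    inner = token.strip().lstrip("~").rstrip("/")
    return base64.b64decode(inner, validate=True).decode("ascii")


def encode_url(url):
    """Reproduce the wrapper: ~<base64(url with a trailing slash)>/"""
    if not url.endswith("/"):
        url += "/"
    return "~" + base64.b64encode(url.encode("ascii")).decode("ascii") + "/"


def check(text):
    """Decode the token from one show block and say whether it matches the URL field."""
    fields = parse_show_output(text)
    decoded = decode_encrypted_url(fields["Encrypted URL"])
    return decoded, decoded.rstrip("/") == fields["URL"].rstrip("/")


if __name__ == "__main__":
    decoded, matches = check(SAMPLE_OUTPUT)
    print(decoded, "matches URL field" if matches else "does not match URL field")
```

Treat the token as an opaque identifier for the portal, not as a secret: access to the internal server must be controlled by the SSL VPN policy and the firewall, not by the obscurity of the link.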
  • Page 269: Endpoint Security

    This allows checking of computers with different OSs or security settings. When a client attempts to log in, the ZyWALL checks the client’s computer against the endpoint security objects one-by-one. The client’s computer must match one of the force authentication or SSL VPN policy’s endpoint security policies in order to gain access.
  • Page 270: Endpoint Security Commands Summary

    The user’s computer must have one of the listed anti-virus software packages to pass this checking item. For some anti-virus software the ZyWALL can also detect whether or not the anti-virus software is activated; in those cases it must also be activated.
  • Page 271 The user’s computer must have one of the listed personal firewalls to pass this checking item. For some personal firewalls the ZyWALL can also detect whether or not the firewall is activated; in those cases it must also be activated.
  • Page 272 <1..10>: ... installed. The user’s computer must have this service pack or higher. For example, “2” means service pack 2. The no command means to have the ZyWALL ignore the Windows service pack number. [no] windows-security-...: If you set windows as the operating system (using the os-type command), you can use this command to set a Windows security patch that the user’s computer must...
  • Page 273: Endpoint Security Object Command Example

    SSL VPN: • Operating system: Windows XP • Windows auto update: enabled • Windows service pack: 2 or above • Personal firewall: Windows firewall installed and enabled • Anti-Virus: Kaspersky Anti-Virus v2011 installed and enabled
  • Page 274 Avira_Antivir_Personal_v2010 Avira_Antivir_Premium_2009 Avira_Antivir_Premium_v10 Router(config)# Then he also needs to check the personal firewall software name defined on the ZyWALL. Copy and paste the name of the output item 4 for the setting later. Router(config)# show eps signature personal-firewall Name Detection...
  • Page 275 “Endpoint Security checking failed. Contact helpdesk at #7777 if you have any questions.” The following shows how to configure the error message. Router(config)# eps failure-messages "Endpoint Security checking failed. Contact helpdesk at #7777 if you have any questions." Router(config)#
  • Page 276: Dhcpv6 Objects

    For the USG 300 and above, use gex, x = 1 ~ N, where N equals the highest numbered Ethernet interface for your ZyWALL model. For the ZyWALL USG 200 and below, use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  • Page 277: Dhcpv6 Object Command Examples

    This example makes “test1” into a DHCPv6 address pool lease object for IPv6 addresses 2004::10 to 2004::40. Router(config)# dhcp6-lease-object test1 address-pool 2004::10 2004::40 Router(config)# show dhcp6 lease-object DHCP6 Lease Object: test1 Object Type: address-pool Object Value: 2004::10 Ext Object Value: 2004::40 Bind Iface: REFERENCE: 0
  • Page 278 This example creates a DHCPv6 prefix delegation request object named “pfx” and displays its settings. Router(config)# dhcp6-request-object pfx prefix-delegation Router(config)# show dhcp6 request-object DHCP6 Request Object: pfx Object Type: prefix-delegation Object Value: 2089:3::/48 Bind Iface: ge2 REFERENCE: 1
  • Page 279: System

    37.1 System Overview Use these commands to configure general ZyWALL information, the system time and the console port connection speed for a terminal emulation program. They also allow you to configure DNS settings and determine which services/protocols can access which ZyWALL zones (if any) from which computers.
  • Page 280 login-page title title: Sets the title for the top of the login screen. Use up to 64 printable ASCII characters. Spaces are allowed. login-page title-color {color-rgb | color-name | color-number}: Sets the title text color of the login page.
  • Page 281: Host Name Commands

    show logo settings: Lists the current logo background (banner) and floor (line below the banner) settings. show page-customization: Lists whether the ZyWALL is set to use custom login and access pages or the default ones. 37.3 Host Name Commands The following table describes the commands available for the hostname and domain name.
  • Page 282: Date/Time Commands

    37.5 Console Port Speed This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program. The following table describes the console port commands.
  • Page 283: Dns Overview

    interface_name: The name of the interface. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and lower models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  • Page 284: Dns Command Example

    DNS server through a VPN tunnel. Otherwise, use the interface command to set the interface through which the ZyWALL sends DNS queries to a DNS server. auto means the ZyWALL sends the DNS queries through whichever interface its routing rules select for that DNS server.
  • Page 285: System Remote Management

    The management session does not time out when a statistics screen is polling. Each user is also forced to log in to the ZyWALL for authentication again when the reauthentication time expires.
  • Page 286: Common System Command Input Values

    rule_number: The number of a service control rule, 1 - X where X is the highest number of rules the ZyWALL model supports. zone_object: The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive.
  • Page 287 ip http secure-server cipher-suite {cipher_algorithm} [cipher_algorithm] [cipher_algorithm] [cipher_algorithm]: Sets the encryption algorithms (up to four) that the ZyWALL uses for SSL in HTTPS connections and the sequence in which it uses them. The cipher_algorithm can be any of the following.
  • Page 288: Http/Https Command Examples

    38.4.1 SSH Implementation on the ZyWALL Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour, and Blowfish). SSH version 1 has well-known protocol weaknesses, so configure management clients to negotiate version 2 only and prefer AES over the other three ciphers. The SSH server is implemented on the ZyWALL for remote management on port 22 (by default).
  • Page 289: Ssh Commands

    SSH service. Router# configure terminal Router(config)# ip ssh server rule 2 access-group Marketing zone WAN action accept This command sets a certificate (Default) to be used to identify the ZyWALL. Router# configure terminal Router(config)# ip ssh server cert Default...
  • Page 290: Telnet

    This value is case-sensitive. {ALL|zone_object} action {accept|deny} zone_object: The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive.
  • Page 291: Configuring Ftp

    ======================================================================== Router(config)# 38.7 Configuring FTP You can upload and download the ZyWALL’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. FTP sends the login credentials and the transferred files unencrypted, so allow the FTP service only from trusted management addresses and zones. 38.7.1 FTP Commands The following table describes the commands available for FTP. You must use the configure terminal command to enter the configuration mode before you can use these commands.
  • Page 292: Ftp Commands Examples

    You can download the ZyWALL’s MIBs from www.zyxel.com. 38.8.2 SNMP Traps The ZyWALL will send traps to the SNMP manager when any one of the following events occurs: Table 175 SNMP Traps OBJECT LABEL...
  • Page 293: Snmp Commands

    (-), but the first character cannot be a number. This value is case-sensitive. zone_object: The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive.
  • Page 294: Icmp Filter

    Chapter 16 on page 133 to configure firewall rules for ICMP traffic going to the ZyWALL to discard or reject ICMP packets destined for the ZyWALL. Configure the ICMP filter to help keep the ZyWALL hidden from probing attempts. You can specify whether or not the ZyWALL is to respond to probing for unused ports.
  • Page 295: At Command Strings

    Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH.
  • Page 296: Vantage Cnm

    ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator.
  • Page 297: Language Commands

    {vantage | tr069}: ... or a TR069 ACS server. 38.11.1.1 Vantage CNM Command Examples The following example turns on Vantage CNM management and sets the ZyWALL to register with a server at https://1.2.3.4/vantage/TR069. Router# configure terminal Router(config)# cnm-agent activate Router(config)# cnm-agent manager https://1.2.3.4/vantage/TR069...
  • Page 298: Ipv6 Commands

    Table 181 Command Summary: IPv6 COMMAND DESCRIPTION [no] ipv6 activate: Enables or disables IPv6 support. show ipv6 status: Displays whether IPv6 support is enabled or disabled.
  • Page 299: File Manager

    Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change.
  • Page 300: Comments In Configuration Files Or Shell Scripts

    Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ZyWALL exit sub-command mode. Note: “exit” or “!” must follow the sub-commands if it is to make the ZyWALL exit sub-command mode.
  • Page 301: Errors In Configuration Files Or Shell Scripts

    The ZyWALL checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the ZyWALL finds an error, it stops applying the configuration file or shell script and generates a log.
  • Page 302: Configuration File Flow At Restart

    ZyWALL’s default settings. If there is a startup-config.conf, the ZyWALL checks it for errors and applies it. If there are no errors, the ZyWALL uses it and copies it to the lastgood.conf configuration file. If there is an error, the ZyWALL generates a log and copies the startup-config.conf configuration file to the startup-...
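Because the ZyWALL applies a file line by line and stops at the first error, a sub-command block that is never closed with exit or ! leaves every later command running in the wrong mode, and at boot that can mean falling back to lastgood.conf. The following is an added example, not ZyXEL code, of a pre-flight check you can run on a script before uploading it: it tracks sub-command blocks and, like the device, reports only the first problem together with its line number. SUBMODE_COMMANDS is an assumed, deliberately incomplete list of the block-opening commands that appear in this guide's examples, and both sample scripts are constructed; extend the list with the commands your own scripts use.

```python
"""Pre-flight check of a ZyWALL shell script's sub-command blocks.

Added example; not ZyXEL code.  SUBMODE_COMMANDS is an assumed, partial
list drawn from this guide's examples; SAMPLE_SCRIPT and CLEAN_SCRIPT are
constructed.  The script is assumed to be applied in configuration mode
and to use "exit" / "!" only to leave sub-command mode.
"""

SUBMODE_COMMANDS = (
    "object-group address",
    "object-group service",
    "sslvpn application",
    "content-filter url-cache test",
    "groupname",
)

# Constructed script: the sslvpn application block on line 8 is never closed.
SAMPLE_SCRIPT = """\
object-group address RD
address-object A1
address-object A2
exit
object-group service SG1
service-object ICMP_ECHO
!
sslvpn application ZW5
server-type web-server url http://192.168.1.12
content-filter activate
"""

# The same script with the missing "exit" added.
CLEAN_SCRIPT = SAMPLE_SCRIPT.replace(
    "content-filter activate\n", "exit\ncontent-filter activate\n")


def enters_submode(line):
    """True for a command that opens a sub-command block ("no ..." deletes instead)."""
    return any(line == prefix or line.startswith(prefix + " ")
               for prefix in SUBMODE_COMMANDS)


def lint(script):
    """Return [] if block structure is sound, else [(line_number, message)].

    Only the first problem is reported, because that is where the ZyWALL
    would stop applying the file.
    """
    open_at = None
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line in ("exit", "!"):
            if open_at is None:
                return [(lineno, "exit or ! with no open sub-command block")]
            open_at = None
        elif enters_submode(line):
            if open_at is not None:
                return [(lineno, "sub-command block opened while the block "
                                 "from line %d is still open" % open_at)]
            open_at = lineno
    if open_at is not None:
        return [(open_at, "sub-command block never closed with exit or !")]
    return []


if __name__ == "__main__":
    for name, text in (("SAMPLE_SCRIPT", SAMPLE_SCRIPT), ("CLEAN_SCRIPT", CLEAN_SCRIPT)):
        print(name, lint(text) or "ok")
```

This catches only structural mistakes; the device's own syntax check still runs on upload, so keep a known-good configuration on hand before applying a script that changes firewall or management access rules.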
  • Page 303: File Manager Commands Summary

    You can use the “apply /conf/system-default.conf” command to reset the ZyWALL to go back to its system defaults. copy {/cert | /conf | /idp | / ...: Saves a duplicate of a file on the ZyWALL from the source file name to the target file name.
  • Page 304: File Manager Command Examples

    Router(config)# schedule-run 1 aaa.zysh weekly 12:00 mon wed fri
    Router(config)#
    39.6 FTP File Transfer
    You can use FTP to transfer files to and from the ZyWALL for advanced maintenance and support.
    39.6.1 Command Line FTP File Upload
    Connect to the ZyWALL.
  • Page 305: Command Line Ftp Configuration File Upload Example

    “get vpn_setup.zysh vpn.zysh” transfers the vpn_setup.zysh configuration file on the ZyWALL to your computer and renames it “vpn.zysh”. When you upload a custom signature, the ZyWALL appends it to the existing custom signatures stored in the “custom.rules” file.
  • Page 306: Command Line Ftp Configuration File Download Example

    Chapter 39 File Manager
    39.6.4 Command Line FTP Configuration File Download Example
    The following example gets a configuration file named today.conf from the ZyWALL and saves it on the computer as current.conf.
    Figure 29 FTP Configuration File Download Example
    C:\>ftp 192.168.1.1
    Connected to 192.168.1.1.
  • Page 307: Notification Of A Damaged Recovery Image Or Firmware

    Use this section if your device has stopped responding for an extended period of time and you cannot access or ping it. Note that the ZyWALL does not respond while starting up. It takes less than five minutes to start up with the default configuration, but the start up time increases with the complexity of your configuration.
  • Page 308: Restoring The Recovery Image

    Figure 33 Firmware Damaged
    39.9 Restoring the Recovery Image
    This procedure requires the ZyWALL’s recovery image. Download the firmware package from www.zyxel.com and unzip it. The recovery image uses a .ri extension, for example, "1.01(XL.0)C0.ri". Do the following after you have obtained the recovery image file.
  • Page 309
    Browse to search for it. Choose the 1K Xmodem protocol. Then click Send. Wait for about three and a half minutes for the Xmodem upload to finish.
    Figure 38 Recovery Image Upload Complete
  • Page 310: Restoring The Firmware

    Enter atgo. The ZyWALL starts up. If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged and you need to use the procedure in Section 39.10 on page 310...
  • Page 311
    After the transfer is complete, “Firmware received” or “ZLD-current received” displays. Wait (up to four minutes) while the ZyWALL recovers the firmware.
    Figure 42 Firmware Received and Recovery Started
    The console session displays “done” when the firmware recovery is complete. Then the ZyWALL automatically restarts.
    Figure 43 Firmware Recovery Complete and Restart...
  • Page 312: Restoring The Default System Database

    39.11 Restoring the Default System Database
    The default system database stores information such as the default anti-virus or IDP signatures. The ZyWALL can still operate if the default system database is damaged or missing, but related features (like anti-virus or IDP) may not function properly.
  • Page 313
    If the default system database file is not valid, the ZyWALL displays a warning message in your console session at startup or when reloading the anti-virus or IDP signatures. It also generates a log. Here are some examples. Use this section to restore the ZyWALL’s default system database.
  • Page 314: Using The Atkz -U Debug Command

    The ZyWALL’s FTP server IP address for firmware recovery is 192.168.1.1, so set your computer to use a static IP address from 192.168.1.2 to 192.168.1.254. Use an FTP client on your computer to connect to the ZyWALL. For example, in the Windows command prompt, type ftp 192.168.1.1. Keep the console session connected in order to see when the default system database recovery finishes.
  • Page 315
    Hit enter to log in anonymously. Set the transfer mode to binary (type bin). Transfer the firmware file from your computer to the ZyWALL. Type put followed by the path and name of the firmware file. This example uses put e:\ftproot\ZLD FW \1.01(XL.0)C0.db.
  • Page 316
    12 The username prompt displays after the ZyWALL starts up successfully. The default system database recovery process is now complete and the ZyWALL IDP and anti-virus features are ready to use again.
    Figure 54 Startup Complete...
  • Page 317: Chapter 40 Logs

    interface_name: The name of the interface. Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and lower models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  • Page 318: Log Entries Commands

    [no] logging system-log suppression: Enables log consolidation in the system log. The no command disables log consolidation in the system log.
    [no] connectivity-check continuous-log: Has the ZyWALL generate a log for each connectivity check. The no command has the ZyWALL only log the first connectivity check.
  • Page 319: Debug Log Commands

    [no] logging debug suppression interval <10..600>: Sets the log consolidation interval for the debug log. The no command sets the interval to ten.
    clear logging debug buffer: Clears the debug log.
  • Page 320: E-Mail Profile Commands

    ... <15..3600>: ... a device information log to the VRPT server.
    vrpt send interface statistics interval <15..3600>: Sets the interval (in seconds) for how often the ZyWALL sends an interface statistics log to the VRPT server.
    vrpt send system status interval <15..3600>: Sets the interval (in seconds) for how often the ZyWALL sends...
  • Page 321
    You can use up to 63 alphanumeric characters, underscores (_), or dashes (-), and you must use the @ character.
    [no] logging mail <1..2> subject subject: Sets the subject line when the ZyWALL mails to the specified e-mail profile. The no command clears this field.
  • Page 322: Console Port Logging Commands

    ... | debug | emerg | error | info | notice | warn}: ... for this category is enabled.
    [no] logging console category module_name: Enables logging for the specified category in the console log. The no command disables logging.
  • Page 323: Chapter 41 Reports And Reboot

    [no] report: Begins data collection. The no command stops data collection.
    show report status: Displays whether or not the ZyWALL is collecting data and how long it has collected data.
    Clears the report for the specified interface or for all interfaces.
  • Page 324: Report Command Examples

    Table 196 Packet Size Statistics Commands
    [no] report packet size statistics: Enables or disables packet size statistics data collection.
    show report packet size statistics status: Shows whether packet size statistics data collection is enabled or disabled.
  • Page 325: Email Daily Report Commands

    (.), or dashes (-), and you must use the @ character. Use these commands to have the ZyWALL e-mail you system statistics every day. You must use the configure terminal command to enter the configuration mode before you can use these commands.
  • Page 326: Email Daily Report Example

    • Sets the sender as my-email@example.com.
    • Sets example-administrator@example.com as the first account to which to send the mail.
    • Has the ZyWALL not use the second and third mail-to options.
    • Sets my-email@example.com as the fourth mail-to option.
    • Has the ZyWALL not use the fifth mail-to option.
  • Page 327
    Chapter 41 Reports and Reboot
    • Has the ZyWALL provide username 12345 and password 12345 to the SMTP server for authentication.
    • Sets the ZyWALL to send the report at 1:57 PM.
    • Has the ZyWALL not reset the counters after sending the report.
  • Page 328: Reboot

    This displays the email daily report settings and has the ZyWALL send the report.
    Router(config)# show daily-report status
    email daily report status
    =========================
    activate: yes
    scheduled time: 13:57
    reset counter: no
    smtp address: example-SMTP-mail-server.com
    smtp port: 25...
  • Page 329: Chapter 42 Session Timeout

    Router(config)# session timeout udp-deliver 15
    Router(config)# session timeout icmp 15
    Router(config)# show session timeout udp
    UDP session connect timeout: 10 seconds
    UDP session deliver timeout: 15 seconds
    Router(config)# show session timeout icmp
    ICMP session timeout: 15 seconds
  • Page 331: Chapter 43 Diagnostics

    This chapter covers how to use the diagnostics feature.
    43.1 Diagnostics
    The diagnostics feature provides an easy way for you to generate a file containing the ZyWALL’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
  • Page 333: Chapter 44 Packet Flow Explore

    This chapter covers how to use the packet flow explore feature.
    44.1 Packet Flow Explore
    Use this to get a clear picture of how the ZyWALL determines where to forward a packet and how it changes the source IP address of the packet according to your current settings. This function provides a summary of all your routing and SNAT settings and helps troubleshoot related problems.
  • Page 334: Packet Flow Explore Commands Example

    The following example shows all activated dynamic VPN rules.
    Router> show system route dynamic-vpn
    Source Destination VPN Tunnel
    ===========================================================================
    The following example shows the default WAN trunk’s settings.
    Router> show system route default-wan-trunk
    Source Destination Trunk
    ===========================================================================
    trunk_ex
  • Page 335
    Note: Loopback SNAT will be only applied only when the initiator is located at the network which the server locates at
    VS Name Source Destination SNAT
    ===========================================================================
    The following example shows all activated 1-to-1 NAT rules.
    Router> show system snat nat-1-1
    VS Name Source Destination Outgoing SNAT
    ===========================================================================
  • Page 336
    The following example shows the default WAN trunk settings.
    Router> show system snat default-snat
    Incoming Outgoing SNAT
    ===========================================================================
    Internal Interface External Interface Outgoing Interface IP
    Internal Interfaces: lan1, hidden, lan2, dmz
    External Interfaces: wan1, wan2, wan1_ppp, wan2_ppp
    Router>
  • Page 337: Chapter 45 Packet Flow Filter

    For multi-core products the number ranges from 1 to the model’s limit. The following table lists the commands that you can use to have the ZyWALL display how the firewall and policy routes handle certain traffic. Use the configure terminal command to be able to use the commands that configure settings.
  • Page 338: Packet Flow Filter Commands Examples

    Router#
    This example displays whether or not the packet flow filter is activated and whether the ring buffer is enabled or disabled.
    Router> show packet-flow status
    Packet Flow Debugger Status:
    Activation: Yes
    Ring Buffer: Disabled
  • Page 339
    Src :192.168.30.33:138 Dst :192.168.30.255:138 Protocol: 17
    Feature Info: Matched 'Firewall' Rule #3
    #4 Tracking ID: 4
    Feature: Firewall (type:IPTables)
    Action: Drop
    Pkt Info: Src :172.23.6.248:0 Dst :192.168.30.112:0 Protocol: 1
    Feature Info: Matched 'Firewall' Rule #3
  • Page 340
    Chapter 45 Packet Flow Filter
    This example activates the packet flow ring buffer feature.
    Router> configure terminal
    Router(config)#packet-flow ring-buffer activate
    Router(config)#exit
    Router#
  • Page 341: Chapter 46 Maintenance Tools

    Chapter 46 Maintenance Tools
    Use the maintenance tool commands to check the conditions of other devices through the ZyWALL. The maintenance tools can help you to troubleshoot network problems. Here are maintenance tool commands that you can use in privilege mode.
  • Page 342
    files-size <1..10000>: Specify a maximum size limit in megabytes for the total combined size of all the capture files on the ZyWALL, including any existing capture files and any new capture files you generate. The ZyWALL stops the capture and generates the capture file when either the file reaches this size or the time period specified (using the duration command above) expires.
  • Page 343: Maintenance Command Examples

    Chapter 46 Maintenance Tools
    Table 204 Maintenance Tools Commands in Privilege Mode (continued)
    show ipv6 neighbor-list: Displays the ZyWALL’s IPv6 neighbors.
    show packet-capture config: Displays current packet capture settings.
    Here are maintenance tool commands that you can use in configuration mode.
  • Page 344: Packet Capture Command Example

    ... 0
    host-ip: any
    file-suffix: -packet-capture
    snaplen: 1500
    duration: 0
    file-size: 10
    split-size: 2
    ring-buffer: 0
    storage: 0
    Then configure the following settings to capture packets going through the ZyWALL’s WAN1 interface only.
  • Page 345
    Router(packet-capture)# duration 150
    Router(packet-capture)# storage usbstorage
    Router(packet-capture)# ring-buffer disable
    Router(packet-capture)# split-size 100
    Router(packet-capture)#
    Exit the sub-command mode and have the ZyWALL capture packets according to the settings you just configured.
    Router(packet-capture)# exit
    Router(config)# packet-capture activate
    Router(config)#
    Manually stop the running packet capturing.
  • Page 347: Chapter 47 Watchdog Timer

    Chapter 47 Watchdog Timer
    This chapter provides information about the ZyWALL’s watchdog timers.
    47.1 Hardware Watchdog Timer
    The hardware watchdog has the system restart if the hardware fails. The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.
  • Page 348: Application Watchdog

    [no] app-watch-dog retry-count <1..5>: ... failed. The no command changes the setting back to the default.
    [no] app-watch-dog alert: Has the ZyWALL send an alert to the user when the system is out of memory or disk space.
    Sets the percentage thresholds for sending a disk usage alert. The ZyWALL starts...
  • Page 351: List Of Commands (Alphabetical)

    [no] ad-server binddn binddn (p. 250)
    [no] ad-server cn-identifier uid (p. 250)
    [no] ad-server host ad_server (p. 250)
    [no] ad-server password password (p. 250)
    [no] ad-server password-encrypted password (p. 250)
    [no] ad-server port port_no (p. 250)
    [no] ad-server search-time-limit time (p. 250)
  • Page 352
    [no] app protocol_name log [alert] (p. 164)
    [no] application application_object (p. 152)
    [no] application forbidden-process process_name (p. 271)
    [no] application trusted-process process_name (p. 271)
    [no] app-watch-dog activate (p. 348)
    [no] app-watch-dog alert (p. 348)
    [no] app-watch-dog auto-recover (p. 348)
    [no] app-watch-dog console-print {always|once} (p. 348)
  • Page 353
    [no] cache-clean activate (p. 152)
    [no] case-sensitive (p. 251)
    [no] case-sensitive (p. 253)
    [no] case-sensitive (p. 254)
    [no] client-identifier mac_address (p. 64)
    [no] client-name host_name (p. 64)
    [no] clock daylight-saving (p. 282)
    [no] clock saving-interval begin {apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep} {1|2|3|4|last} {fri|mon|sat|sun|thu|tue|wed} hh:mm end {apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep} {1|2|3|4|last} ...
  • Page 354
    [no] default-router ip (p. 64)
    [no] description description (p. 100)
    [no] description description (p. 102)
    [no] description description (p. 137)
    [no] description description (p. 139)
    [no] description description (p. 140)
    [no] description description (p. 152)
    [no] description description (p. 226)
    [no] description description (p. 231)
  • Page 355
    [no] eps <1..8> eps_object_name (p. 234)
    [no] eps <1..8> eps_profile_name (p. 152)
    [no] eps activate (p. 152)
    [no] eps activate (p. 234)
    [no] eps failure-messages failure_messages (p. 270)
    [no] eps periodical-check <1..1440> (p. 153)
    [no] eps periodical-check <1..1440> (p. 234)
    [no] eps periodical-check activate (p. 152)
  • Page 356
    [no] firewall asymmetrical-route activate (p. 134)
    [no] firewall6 asymmetrical-route activate (p. 136)
    [no] first-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | ZyWALL} (p. 65)
    [no] first-wins-server ip (p. 65)
    [no] flood-detection {tcp-flood | udp-flood | ip-flood | icmp-flood} {activate | log [alert] | block} (p. 185)...
  • Page 357
    [no] ip-select {iface | auto | custom} (p. 116)
    [no] ip-select-backup {iface | auto | custom} (p. 116)
    [no] ipv6 activate (p. 298)
    [no] ipv6 address dhcp6_profile dhcp6_suffix_128 (p. 75)
    [no] ipv6 dhcp6 address-request (p. 75)
    [no] ipv6 dhcp6 rapid-commit (p. 75)
  • Page 358
    [no] logging mail <1..2> category module_name level {alert | all} (p. 321)
    [no] logging mail <1..2> port <1..65535> (p. 321)
    [no] logging mail <1..2> schedule {full | hourly} (p. 321)
    [no] logging mail <1..2> subject subject (p. 321)
    [no] logging syslog <1..4> (p. 320)
  • Page 359
    [no] outbound-dscp-mark {<0..63> | class {default | dscp_class}} (p. 165)
    [no] outbound-dscp-mark {<0..63> | class {default | dscp_class}} (p. 167)
    [no] outbound-dscp-mark {<0..63> | class {default | dscp_class}} (p. 168)
    [no] outonly-interface interface_name (p. 108)
    [no] outonly-interface interface_name (p. 68)
  • Page 360
    [no] schedule profile_name (p. 168)
    [no] schedule schedule_name (p. 234)
    [no] schedule schedule_object (p. 101)
    [no] schedule schedule_object (p. 102)
    [no] schedule schedule_object (p. 137)
    [no] second-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | ZyWALL} (p. 65)
    [no] second-wins-server ip (p. 65)
  • Page 361
    [no] snmp-server enable {informs|traps} (p. 293)
    [no] snmp-server host {w.x.y.z} [community_string] (p. 293)
    [no] snmp-server location description (p. 293)
    [no] snmp-server port <1..65535> (p. 293)
    [no] software-watchdog-timer <10..600> (p. 347)
    [no] source {address6_object|any} (p. 103)
    [no] source {address_object | group_name} (p. 234)
  • Page 362
    [no] system default-snat (p. 95)
    [no] tcp-decoder {tcp-xxx} action {drop | reject-sender | reject-receiver | reject-both}} (p. 186)
    [no] tcp-decoder {tcp-xxx} activate (p. 186)
    [no] third-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | ZyWALL} (p. 65)
    [no] to {zone_object|ZyWALL} (p. 138)
    [no] to zone_name (p. 165)...
  • Page 363
    ... [timeout] (p. 213)
    anti-spam rule append (p. 212)
    anti-spam rule delete rule_number (p. 212)
    anti-spam rule insert rule_number (p. 212)
    anti-spam rule move rule_number to rule_number (p. 212)
    anti-spam rule rule_number (p. 212)
    anti-spam statistics flush (p. 219)
  • Page 364
    ... <1..255> key-string authkey (p. 108)
    band <b | g | bg| bgn | gn> (p. 84)
    bandwidth {inbound | outbound} <0..1048576> (p. 166)
    bandwidth {inbound|outbound} <0..1048576> (p. 165)
    bandwidth {inbound|outbound} <0..1048576> (p. 168)
    bandwidth priority <1..7> (p. 165)
    bandwidth priority <1..7> (p. 166)
  • Page 365
    ... {block | log | warn | pass}
    content-filter profile filtering_profile commtouch-url unrate {block | log | warn | pass} (p. 205)
    content-filter profile filtering_profile custom-list forbid (p. 203)
    content-filter profile filtering_profile custom-list keyword (p. 204)
    content-filter profile filtering_profile custom-list trust (p. 204)
  • Page 366
    ... (p. 35)
    debug service-register (p. 35)
    debug service-register erase service as (p. 47)
    debug show content-filter server (p. 35)
    debug show ipset (p. 35)
    debug show myzyxel server status (p. 35)
    debug show myzyxel server status (p. 35)
    debug sslvpn (p. 35)
  • Page 367
    ... <0..300> (p. 341)
    enable (p. 33)
    enable (p. 59)
    enable (p. 60)
    encapsulation {tunnel | transport} (p. 145)
    eps insert <1..8> eps_object_name (p. 234)
    eps insert <1..8> eps_profile_name (p. 152)
    eps move <1..8> to <1..8> (p. 152)
    eps move <1..8> to <1..8> (p. 234)
  • Page 368
    ... {zone_object|ZyWALL} delete <1..5000> (p. 135)
    firewall zone_object {zone_object|ZyWALL} flush (p. 135)
    firewall zone_object {zone_object|ZyWALL} insert rule_number (p. 135)
    firewall zone_object {zone_object|ZyWALL} move rule_number to rule_number (p. 135)
    firewall zone_object {zone_object|ZyWALL} rule_number (p. 134)
    firewall6 append (p. 136)
    firewall6 default-rule action {allow | deny | reject} { no log | log [alert] } (p. 136)...
  • Page 369
    ... <1..10> to <1..10> (p. 146)
    in-snat source address_name destination address_name snat address_name (p. 146)
    interface (p. 34)
    interface {num|append|insert num} interface-name [weight <1..10>|limit <1..2097152>|passive]
    interface aux (p. 90)
    interface cellular budget-auto-save <5..1440> (p. 78)
    interface dial aux (p. 90)
  • Page 370
    ... {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny} (p. 290)
    ip telnet server rule move rule_number to rule_number (p. 290)
    ip virtual-server {activate | deactivate} profile_name (p. 121)
    ip virtual-server delete profile_name (p. 121)
    ip virtual-server flush (p. 121)
  • Page 371
    ... <all|normal> (p. 82)
    logging usb-storage flushThreshold <1..100> (p. 82)
    login-page background-color {color-rgb | color-name | color-number} (p. 280)
    login-page message-color {color-rgb | color-name | color-number} (p. 280)
    login-page title title (p. 280)
    login-page title-color {color-rgb | color-name | color-number} (p. 280)
  • Page 372
    ... {log} (p. 205)
    no content-filter profile filtering_profile commtouch-url offline {log} (p. 205)
    no content-filter profile filtering_profile commtouch-url unrate {log} (p. 205)
    no content-filter profile filtering_profile url match {log} (p. 204)
    no content-filter profile filtering_profile url match-unsafe {log} (p. 204)
  • Page 373
    ... {truncated-header | undersize-len | oversize-len} action (p. 186)
    no udp-decoder {truncated-header | undersize-len | oversize-len} log (p. 186)
    no use-defined-mac (p. 72)
    no user (p. 148)
    no username username (p. 230)
    nslookup (p. 34)
    ntp sync (p. 282)
    object-group address rename group_name group_name (p. 241)
  • Page 374
    ... (p. 145)
    rename (p. 34)
    rename {/cert | /conf | /idp | /packet_trace | /script | /tmp}/old-file_name {/cert | /conf | /idp | /packet_trace | /script | /tmp}/new-file_name (p. 303)
    rename /script/old-file_name /script/new-file_name (p. 303)
    renew (p. 34)
  • Page 375
    ... (p. 47)
    session timeout {udp-connect <1..300> | udp-deliver <1..300> | icmp <1..300>} (p. 329)
    session timeout session {tcp-established | tcp-synrecv | tcp-close | tcp-finwait | tcp-synsent | tcp-closewait | tcp-lastack | tcp-timewait} <1..300> (p. 329)
    session-limit append (p. 140)
  • Page 376
    ... (p. 213)
    show anti-spam mail-scan statistics (p. 219)
    show anti-spam mail-scan status (p. 213)
    show anti-spam rule [rule_number] (p. 212)
    show anti-spam statistics collect (p. 219)
    show anti-spam statistics ranking {source | mail-address} (p. 219)
    show anti-spam statistics summary (p. 219)
  • Page 377
    ... (p. 262)
    show ca category {local|remote} name certificate_name certpath (p. 262)
    show ca spaceusage (p. 262)
    show ca validation name name (p. 262)
    show clock date (p. 282)
    show clock status (p. 282)
    show clock time (p. 282)
    show cnm-agent configuration (p. 296)
  • Page 378
    ... {anti-virus | personal-firewall} (p. 272)
    show eps signature {anti-virus | personal-firewall | status} (p. 272)
    show eps warning-message {windows-auto-update | windows-security-patch | anti-virus | personal-firewall | windows-registry | process | file-path} (p. 272)
    show extension-slot (p. 41)
    show fan-speed (p. 41)
  • Page 379
    ... (p. 135)
    show firewall block_rules (p. 135)
    show firewall rule_number (p. 135)
    show firewall status (p. 135)
    show firewall zone_object {zone_object|ZyWALL} (p. 135)
    show firewall zone_object {zone_object|ZyWALL} rule_number (p. 135)
    show firewall6 (p. 136)
    show firewall6 any ZyWALL (p. 136)
    show firewall6 block_rules (p. 136)
    show firewall6 rule_number (p. 136)
    show firewall6 status (p. 136)...
  • Page 380
    ... (p. 333)
    show ip route-settings (p. 105)
    show ip ssh server status (p. 289)
    show ip telnet server status (p. 290)
    show ip virtual-server [profile_name] (p. 120)
    show ipv6 dhcp6 binding (p. 276)
    show ipv6 interface {interface_name | all} (p. 57)
  • Page 381
    ... (p. 103)
    show policy-route underlayer-rules (p. 103)
    show policy-route6 override-direct-route (p. 103)
    show port setting (p. 72)
    show port status (p. 72)
    show port vlan-id (p. 89)
    show port-grouping (p. 72)
    show radius-server (p. 251)
    show ram-size (p. 41)
    show redundant-power status (p. 41)
  • Page 382
    ... (p. 140)
    show session-limit6 rule_number (p. 140)
    show session-limit6 status (p. 140)
    show setenv-startup (p. 304)
    show snmp status (p. 293)
    show socket listen (p. 41)
    show socket open (p. 41)
    show software-watchdog-timer log (p. 347)
    show software-watchdog-timer status (p. 347)
  • Page 383
    ... (p. 325)
    snaplen <68..1512> (p. 342)
    snmp-server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny} (p. 293)
    snmp-server rule move rule_number to rule_number (p. 293)
    split-size <1..2048> (p. 342)
    ssid ssid (p. 87)
    sslvpn network-extension local-ip ip (p. 152)
  • Page 384
    ... [no] logon-time-setting <default | manual> (p. 230)
    username username nopassword user-type {admin | guest | limited-admin | user} (p. 230)
    username username password password user-type {admin | guest | limited-admin | user} (p. 230)
    username username user-type ext-group-user associated-aaa-server server_profile group-id id
  • Page 385
    ... <1..4> key (p. 87)
    windows-version {windows-2000 | windows-xp | windows-2003 | windows-2008 | windows-vista | windows-7 | windows-2008r2} (p. 272)
    wlan mac-filter associate <allow | deny> (p. 88)
    wlan slot_name (p. 84)
    write (p. 304)
    write (p. 34)
    zone profile_name (p. 112)

This manual is also suitable for:

Zywall zld series
