This is a Reference Guide for a series of products intended for people who want to configure ZLD-based ZyWALL / USGs via Command Line Interface (CLI). Some commands or command options in this guide may not be available in your product.
Table of Contents

Part I: Introduction
Chapter 1 Command Line Interface
  1.1 Overview
    1.1.1 The Configuration File
  1.2 Accessing the CLI
    1.2.1 Console Port
    1.2.2 Web Configurator Console
    1.2.3 Telnet
    1.2.4 SSH (Secure SHell)
  1.3 How to Find Commands in this Guide
...
  2.1 User And Privilege Modes
    2.1.1 Debug Commands
Part II: Reference
Chapter 3 Object Reference
  3.1 Object Reference Commands
    3.1.1 Object Reference Command Example
Chapter 4 Status
Chapter 5 Registration
  5.1 myZyXEL.com Overview
    5.1.1 Subscription Services Available on the ZyWALL / USG
...
  8.2 Rogue AP Detection Commands
    8.2.1 Rogue AP Detection Examples
  8.3 Rogue AP Containment Overview
  8.4 Rogue AP Containment Commands
    8.4.1 Rogue AP Containment Example
Chapter 9 Wireless Frame Capture
  9.1 Wireless Frame Capture Overview
  9.2 Wireless Frame Capture Commands
    9.2.1 Wireless Frame Capture Examples
Chapter 10
...
  13.3 Ethernet Interface Specific Commands
    13.3.1 MAC Address Setting Commands
    13.3.2 Port Grouping Commands
  13.4 Virtual Interface Specific Commands
    13.4.1 Virtual Interface Command Examples
  13.5 PPPoE/PPTP Specific Commands
    13.5.1 PPPoE/PPTP Interface Command Examples
  13.6 Cellular Interface Specific Commands
    13.6.1 Cellular Status
    13.6.2 Cellular Interface Command Examples
...
    16.2.3 OSPF Area Commands
    16.2.4 Virtual Link Commands
    16.2.5 Learned Routing Information Commands
    16.2.6 show ip route Command Example
Chapter 17 Zones
  17.1 Zones Overview
  17.2 Zone Commands Summary
    17.2.1 Zone Command Examples
Chapter 18 DDNS
  18.1 DDNS Overview
...
    39.2.1 User Commands
    39.2.2 User Group Commands
    39.2.3 User Setting Commands
    39.2.4 MAC Auth Commands
    39.2.5 Additional User Commands
Chapter 40 Application Object
  40.1 Application Object Commands Summary
    40.1.1 Application Object Commands
    40.1.2 Application Object Group Commands
Chapter 41 Addresses
...
    44.2.8 aaa group server Command Example
Chapter 45 Authentication Objects
  45.1 Authentication Objects Overview
  45.2 aaa authentication Commands
    45.2.1 aaa authentication Command Example
  45.3 test aaa Command
    45.3.1 Test a User Account Command Example
Chapter 46 Authentication Server
  46.1 Authentication Server Overview
...
  51.1 System Overview
  51.2 Customizing the WWW Login Page
  51.3 Host Name Commands
  51.4 Time and Date
    51.4.1 Date/Time Commands
  51.5 Console Port Speed
  51.6 DNS Overview
    51.6.1 Domain Zone Forwarder
    51.6.2 DNS Commands
    51.6.3 DNS Command Examples
  51.7 Authentication Server Overview
...
    52.8.4 SNMP Commands Examples
  52.9 ICMP Filter
Chapter 53 File Manager
  53.1 File Directories
  53.2 Configuration Files and Shell Scripts Overview
    53.2.1 Comments in Configuration Files or Shell Scripts
    53.2.2 Errors in Configuration Files or Shell Scripts
    53.2.3 ZyWALL / USG Configuration File Details
    53.2.4 Configuration File Flow at Restart
  53.3 File Manager Commands Input Values
...
Chapter 1 Command Line Interface

This chapter describes how to access and use the CLI (Command Line Interface).

1.1 Overview

If you have problems with your ZyWALL / USG, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the ZyWALL / USG and possibly render it unusable.
1.2.1 Console Port

The default settings for the console port are as follows.

Table 1 Managing the ZyWALL / USG: Console Port
SETTING | VALUE
Speed | 115200 bps
Data Bits |
Parity | None
Stop Bit |
Flow Control |

When you turn on your ZyWALL / USG, it performs several internal tests as well as line initialization.
When you access the CLI using the web console, your computer establishes an SSH (Secure SHell) connection to the ZyWALL / USG. Follow the steps below to access the web console.

1. Log into the web configurator.
2. Click the Console icon in the top-right corner of the web configurator screen.
Note: The default login username is admin. It is case-sensitive.

Figure 5 Web Console: Connecting

Then, the Password screen appears.

Figure 6 Web Console: Password

Enter the password for the user name you specified earlier, and click OK. If you enter the password incorrectly, you get an error message, and you may have to close the console window and open it again.
1.2.3 Telnet

Use the following steps to Telnet into your ZyWALL / USG.

1. If your computer is connected to the ZyWALL / USG over the Internet, skip to the next step. Make sure your computer IP address and the ZyWALL / USG IP address are on the same subnet.
2. In Windows, click Start (usually in the bottom left corner) and Run.
1.4 How Commands Are Explained

Each chapter explains the commands for one keyword. The chapters are divided into the following sections.

1.4.1 Background Information (Optional)

Note: See the User’s Guide for background information about most features.

This section provides background information about features that you cannot configure in the web configurator.
• Enter range exactly as it appears, followed by two numbers between 1 and 65535.

1.4.6 Changing the Password

It is highly recommended that you change the password for accessing the ZyWALL / USG. See Section 39.2 on page 270 for the appropriate commands.
1.6 Shortcuts and Help

1.6.1 List of Available Commands

A list of valid commands can be found by typing [TAB] at the command prompt. To view a list of available commands within a command group, enter <command>...
1.6.3 Entering Partial Commands

The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the ZyWALL / USG automatically display the full command. For example, if you enter and press...
1.7 Input Values

You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen.
Table 3 Input-Value Formats for Strings in CLI Commands (continued)

domain name
  Used in content filtering
    Legal values: lower-case letters, numbers, or .-
  Used in ip dns server
    # values: 0-247
    Legal values: alphanumeric or .-; first character: alphanumeric or -
  Used in domainname, ip dhcp pool, and ip domain
    # values: 0-254
    Legal values: alphanumeric or ._-...
Table 3 Input-Value Formats for Strings in CLI Commands (continued)

key length
  Legal values: 512, 768, 1024, 1536, 2048
license key
  Legal values: “S-” + 6 upper-case letters or numbers + “-” + 16 upper-case letters or numbers
mac address
  Legal values: aa:bb:cc:dd:ee:ff (hexadecimal)...
Table 3 Input-Value Formats for Strings in CLI Commands (continued)

  # values: 1-511
  Legal values: alphanumeric or '()+,/:.=?;!*#@$_%-
Used in content filtering redirect
  # values: “http://”+, “https://”+
  Legal values: alphanumeric or ;/?:@&=+$\.-_!~*'()%,
    starts with “http://” or “https://”
    may contain one pound sign (#)
Used in other content filtering commands
  # values: “http://”+
  Legal values: alphanumeric or ;/?:@&=+$\.-_!~*'()%,...
1.10 Logging Out

Enter the exit or end command in configure mode to go to privilege mode.

Enter the exit command in user mode or privilege mode to log out of the CLI.

ZyWALL / USG (ZLD) CLI Reference Guide
Chapter 2 User and Privilege Modes

This chapter describes how to use these two modes.

2.1 User And Privilege Modes

This is the mode you are in when you first log into the CLI. (Do not confuse ‘user mode’ with types of user accounts the ZyWALL / USG uses.
Table 4 User (U) and Privilege (P) Mode Commands (continued)
COMMAND | MODE | DESCRIPTION
interface | | Dials or disconnects an interface.
no packet-trace | U/P | Turns off packet tracing.
nslookup | | Resolves an IP address to a host name and vice-versa.
| | Performs a packet trace....
Table 5 Debug Commands (continued)
COMMAND SYNTAX | DESCRIPTION | LINUX COMMAND EQUIVALENT
debug ca (*) | Certificate debug commands |
debug content-filter | Content Filtering debug commands |
debug device-ha (*) | Device HA debug commands |
debug force-auth (*) | Authentication policy debug commands |
debug gui (*)... | GUI cgi related debug commands |
Chapter 3 Object Reference

This chapter describes how to use object reference commands.

3.1 Object Reference Commands

The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
Table 6 show reference Commands (continued)
COMMAND | DESCRIPTION
show reference object dhcp6-lease-object [object_name] | Displays which configuration settings reference the specified DHCPv6 lease object.
show reference object dhcp6-request-object [object_name] | Displays which configuration settings reference the specified DHCPv6 request object.
show reference object-group username... | Displays which configuration settings reference the specified user group
Chapter 4 Status

This chapter explains some commands you can use to display information about the ZyWALL / USG’s current operational state.

Table 7 Status Show Commands
COMMAND | DESCRIPTION
show boot status | Displays details about the ZyWALL / USG’s startup state.
| Displays whether the console is on or off....
Here are examples of the commands that display the CPU and disk utilization.

Router(config)# show cpu status
CPU utilization: 0 %
CPU utilization for 1 min: 0 %
CPU utilization for 5 min: 0 %
Router(config)# show disk <cr>...
Here is an example of the command that displays the listening ports.

Router(config)# show socket listen
Proto Local_Address Foreign_Address State
===========================================================================
0.0.0.0:2601 0.0.0.0:0 LISTEN
0.0.0.0:2602 0.0.0.0:0 LISTEN
127.0.0.1:10443 0.0.0.0:0 LISTEN
0.0.0.0:2604 0.0.0.0:0 LISTEN
0.0.0.0:80 0.0.0.0:0 LISTEN
127.0.0.1:8085 0.0.0.0:0 LISTEN
1.1.1.1:53...
Here is an example of the command that displays the open ports.

Router(config)# show socket open
Proto Local_Address Foreign_Address State
===========================================================================
172.23.37.240:22 172.23.37.10:1179 ESTABLISHED
127.0.0.1:64002 0.0.0.0:0
0.0.0.0:520 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0
0.0.0.0:138 0.0.0.0:0...
Here are examples of the commands that display the system uptime and model, firmware, and build information.

Router> show system uptime
system uptime: 04:18:00
Router> show version
ZyXEL Communications Corp.
model : ZyWALL USG 110
firmware version: 2.20(AQQ.0)b3
BM version : 1.08...
Chapter 5 Registration

This chapter introduces myzyxel.com and shows you how to register the ZyWALL / USG for IDP/AppPatrol, anti-virus, content filtering, and SSL VPN services using commands.

5.1 myZyXEL.com Overview

myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL / USG and manage subscription services available for the ZyWALL / USG.
• The content filter allows or blocks access to web sites. Subscribe to category-based content filtering to block access to categories of web sites based on content. Your ZyWALL / USG accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL / USG block, block and/or log access to web sites based on these categories.
5.2.1 Command Examples

The following command displays the account information and whether the device is registered.

Router# configure terminal
Router(config)# show device-register status
username : example
password : 123456
device register status : yes
expiration self check : no

The following command displays the service registration status and type and how many days remain before the service expires.
Chapter 6 AP Management

This chapter shows you how to configure wireless AP management options on your ZyWALL / USG.

6.1 AP Management Overview

The ZyWALL / USG allows you to remotely manage all of the Access Points (APs) on your network. You can manage a number of APs without having to configure them individually as the ZyWALL / USG automatically handles basic configuration for you.
The following table describes the commands available for AP management. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 10 Command Summary: AP Management
COMMAND | DESCRIPTION
| Adds the specified AP to the ZyWALL / USG for management.
6.2.1 AP Management Commands Example

The following example shows you how to add an AP to the management list, and then edit it.

Router# show capwap ap wait-list
index: 1
IP: 192.168.1.35, MAC: 00:11:11:11:11:FE
Model: NWA5160N, Description: AP-00:11:11:11:11:FE
index: 2
IP: 192.168.1.36, MAC: 00:19:CB:00:BB:03
Model: NWA5160N, Description: AP-00:19:CB:00:BB:03...
Chapter 7 Wireless LAN Profiles

This chapter shows you how to configure wireless LAN profiles on your ZyWALL / USG.

7.1 Wireless LAN Profiles Overview

The managed Access Points designed to work explicitly with your ZyWALL / USG do not have on-board configuration files, you must create “profiles”...
Table 11 Input Values for General Radio and Monitor Profile Commands (continued)
LABEL | DESCRIPTION
wlan_mcs_speed | Sets the HT MCS rate. The available rates are: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15.
Table 12 Command Summary: Radio Profile (continued)
COMMAND | DESCRIPTION
[no] dot11n-disable-coexistence | Fixes the channel bandwidth as 40 MHz. The no command has the AP automatically choose 40 MHz if all the clients support it or 20 MHz if some clients only support 20 MHz.
Table 12 Command Summary: Radio Profile (continued)
COMMAND | DESCRIPTION
[no] amsdu | Activates MPDU frame aggregation for this profile. Use the no parameter to disable it. Mac Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header.
Table 12 Command Summary: Radio Profile (continued)
COMMAND | DESCRIPTION
5g-support-speed {disable | wlan_5g_support_speed} | Disables or sets the 5 GHz support rate. The default is 6.0~54.0.
tx-mask chain_mask | Sets the outgoing chain mask rate.
rx-mask chain_mask | Sets the incoming chain mask rate.
| Activates HT protection for this profile.
It will also assign the SSID profile labeled ‘default’ in order to create WLAN VAP (wlan-1-1) functionality within the radio profile.

Router(config)# wlan-radio-profile RADIO01
Router(config-profile-radio)# activate
Router(config-profile-radio)# band 2.4G
Router(config-profile-radio)# 2g-channel 6
Router(config-profile-radio)# ch-width 20m
Router(config-profile-radio)# dtim-period 2
Router(config-profile-radio)# beacon-interval 100
Router(config-profile-radio)# ampdu...
Table 14 Command Summary: Monitor Profile (continued)
COMMAND | DESCRIPTION
[no] wlan-monitor-profile monitor_profile_name | Enters configuration mode for the specified monitor profile. Use the no parameter to remove the specified profile.
[no] activate | Makes this profile active or inactive. By default, this is enabled.
Table 15 Input Values for General SSID Profile Commands (continued)
LABEL | DESCRIPTION
securityprofile | Assigns an existing security profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Table 16 Command Summary: SSID Profile (continued)
COMMAND | DESCRIPTION
[no] block-intra | Enables intra-BSSID traffic blocking. Use the no parameter to disable it in this profile. By default this is disabled.
downlink-rate-limit data_rate | Sets the maximum incoming transmission data rate (either in mbps or kbps) on a per-station basis.
7.5 Security Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 17 Input Values for General Security Profile Commands
LABEL | DESCRIPTION
| The security profile name.
Table 18 Command Summary: Security Profile (continued)
COMMAND | DESCRIPTION
wpa-encrypt {tkip | aes | auto} | Sets the WPA/WPA2 encryption cipher type. auto: This automatically chooses the best available cipher based on the cipher in use by the wireless client that is attempting to make a connection.
7.6 MAC Filter Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 19 Input Values for General MAC Filter Profile Commands
LABEL | DESCRIPTION
| The MAC filter profile name.
Chapter 8 Rogue AP

This chapter shows you how to set up Rogue Access Point (AP) detection and containment.

8.1 Rogue AP Detection Overview

Rogue APs are wireless access points operating in a network’s coverage area that are not under the control of the network’s administrators, and can potentially open holes in the network security.
Table 22 Command Summary: Rogue AP Detection (continued)
COMMAND | DESCRIPTION
rogue-ap ap_mac description2 | Sets the device that owns the specified MAC address as a rogue AP. You can also assign a description to this entry on the rogue AP list.
This example shows the friendly AP detection list.

Router(config)# show rogue-ap detection list friendly
description
===========================================================================
11:11:11:11:11:11 third floor
00:13:49:11:22:33
00:13:49:00:00:05
00:13:49:00:00:01
00:0D:0B:CB:39:33 dept1

This example shows the combined rogue and friendly AP detection list.

Router(config)# show rogue-ap detection list all
role description
===========================================================================...
8.4 Rogue AP Containment Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 23 Input Values for Rogue AP Containment Commands
LABEL | DESCRIPTION
ap_mac | Specifies the MAC address (in XX:XX:XX:XX:XX:XX format) of the AP to be
Chapter 9 Wireless Frame Capture

This chapter shows you how to configure and use wireless frame capture on the ZyWALL / USG.

9.1 Wireless Frame Capture Overview

Troubleshooting wireless LAN issues has always been a challenge. Wireless sniffer tools like Ethereal can help capture and decode packets of information, which can then be analyzed for debugging.
The following table describes the commands available for wireless frame capture. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 26 Command Summary: Wireless Frame Capture
COMMAND | DESCRIPTION
| Enters sub-command mode for wireless frame capture.
Chapter 10 Dynamic Channel Selection

This chapter shows you how to configure and use dynamic channel selection on the ZyWALL / USG.

10.1 DCS Overview

Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by passively listening to the area around it and determining what channels are currently being broadcast on by other devices.
Table 28 Command Summary: DCS (continued)
COMMAND | DESCRIPTION
dcs client-aware {enable|disable} | When enabled, this ensures that an AP will not change channels as long as a client is connected to it. If disabled, the AP may change channels regardless of whether it has clients connected to it or not.
Chapter 11 Wireless Load Balancing

This chapter shows you how to configure wireless load balancing.

11.1 Wireless Load Balancing Overview

Wireless load balancing is the process whereby you limit the number of connections allowed on a wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it. Because there is a hard upper limit on the AP’s wireless bandwidth, this can be a crucial function in areas crowded with wireless users.
Table 29 Command Summary: Load Balancing (continued)
COMMAND | DESCRIPTION
load-balancing kickInterval <1..255> | Enables the kickout feature for load balancing and also sets the kickout interval in seconds. While load balancing is enabled, the AP periodically disconnects stations at intervals equal to this setting.
The following example shows you how to configure AP load balancing in "by traffic" mode. The traffic level is set to low, and "disassociate station" is enabled.

Router(config)# load-balancing mode traffic
Router(config)# load-balancing traffic level low
Router(config)# load-balancing kickout
Router(config)# show load-balancing config
load balancing config:...
Chapter 12 Auto-Healing

This chapter shows you how to configure auto-healing settings.

12.1 Auto-Healing Overview

Auto-healing allows you to extend the wireless service coverage area of the managed APs when one of the managed APs fails.

12.2 Auto-Healing Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 31 Command Summary: Auto-Healing (continued)
COMMAND | DESCRIPTION
auto-healing margin | Enters a number from 0 to 9. This value is used to calculate the power level (power-threshold + margin) to which the neighbor APs of the failed AP increase their output power in order to extend their wireless service coverage areas.
Chapter 13 Interfaces

This chapter shows you how to use interface-related commands.

13.1 Interface Overview

In general, an interface has the following characteristics.

• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
•...
Port groups, and trunks have a lot of characteristics that are specific to each type of interface. These characteristics are listed in the following tables and discussed in more detail farther on.

Table 32 Characteristics of Ethernet, VLAN, Bridge, PPPoE/PPTP, and Virtual Interface (for some ZyWALL / USG models)
CHARACTERISTICS | ETHERNET...
Table 33 Ethernet, VLAN, Bridge, PPP, and Virtual Interface Characteristics (For other ZyWALL / USG models) (continued)
CHARACTERISTICS | ETHERNET | ETHERNET | ETHERNET | VLAN | BRIDGE | VIRTUAL
DHCP relay |
Connectivity Check |

* - Each name consists of 2-4 letters (interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface.
13.1.2 Relationships Between Interfaces

In the ZyWALL / USG, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports (or port groups). The relationships between interfaces are explained in the following table.

Table 35 Relationships Between Different Types of Interfaces
INTERFACE | REQUIRED PORT / INTERFACE...
13.2 Interface General Commands Summary

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 36 Input Values for General Interface Commands
LABEL | DESCRIPTION
interface_name | The name of the interface. Ethernet interface: For some ZyWALL / USG models, use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL / USG model.
Table 37 interface General Commands: Basic Properties and IP Address Assignment (continued)
COMMAND | DESCRIPTION
show interface send statistics interval | Displays the interval for how often the ZyWALL / USG refreshes the sent packet statistics for the interfaces.
| Displays basic information about the interfaces.
Table 37 interface General Commands: Basic Properties and IP Address Assignment (continued)
COMMAND | DESCRIPTION
enable | Turns on the IPv6 interface.
nd ra accept | Sets the IPv6 interface to accept IPv6 neighbor discovery router advertisement messages.
nd ra advertise | Sets the IPv6 interface to send IPv6 neighbor discovery router advertisement messages.
Table 37 interface General Commands: Basic Properties and IP Address Assignment (continued)
COMMAND | DESCRIPTION
nd ra prefix-advertisement dhcp6_profile dhcp6_suffix_64 | Configures the network prefix to use a delegated prefix as the beginning part of the network prefix. dhcp6_profile: Specify the DHCPv6 request object to use for generating the network prefix for the network.
Table 37 interface General Commands: Basic Properties and IP Address Assignment (continued)
COMMAND | DESCRIPTION
nd ra hop-limit | Removes the maximum number of hops setting for router advertisements and all IPv6 packets originating from the interface.
nd ra min-rtr-interval | Removes the minimum IPv6 router advertisement transmission interval setting.
13.2.1.1 Basic Interface Properties Command Examples

The following commands make Ethernet interface ge1 a DHCP client.

Router# configure terminal
Router(config)# interface ge1
Router(config-if)# ip address dhcp
Router(config-if)# exit

This example shows how to modify the name of interface ge4 to “VIP”. First you have to check the interface system name (ge4 in this example) on the ZyWALL / USG.
This example shows how to restart an interface. You can check all interface names on the ZyWALL / USG. Then use either the system name or user-defined name of an interface (ge4 or Customer in this example) to restart it.

Router>...
13.2.2.1 IGMP Command Example

The following commands activate IGMP version 2 upstream on the lan1 interface.

Router> enable
Router#
Router# configure terminal
Router(config)# interface lan1
Router(config-if-lan1)# igmp
activate direction version
Router(config-if-lan1)# igmp activate
Router(config-if-lan1)# igmp direction
downstream upstream
Router(config-if-lan1)# igmp direction upstream
Router(config-if-lan1)# igmp version...
Table 39 interface Commands: DHCP Settings (continued)
COMMAND | DESCRIPTION
Use the following commands to create a static DHCP entry. If you do not use the host command, the commands that are not in this section have no effect, but you can still set them.
| Specifies the static IP address the ZyWALL / USG should assign.
Table 39 interface Commands: DHCP Settings (continued)
COMMAND | DESCRIPTION
[no] domain-name domain_name | Specifies the domain name assigned to DHCP clients. The no command clears this field.
[no] starting-address ip pool-size | Sets the IP start address and maximum pool size of the specified DHCP pool.
13.2.3.1 DHCP Setting Command Examples

The following example uses these commands to configure DHCP pool DHCP_TEST.

Router# configure terminal
Router(config)# ip dhcp pool DHCP_TEST
Router(config-ip-dhcp-pool)# network 192.168.1.0 /24
Router(config-ip-dhcp-pool)# domain-name zyxel.com
Router(config-ip-dhcp-pool)# first-dns-server 10.1.5.1
Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns
Router(config-ip-dhcp-pool)# third-dns-server 10.1.5.2
Router(config-ip-dhcp-pool)#...
13.2.4 Interface Parameter Command Examples

This table shows an example of each interface type’s sub-commands. The sub-commands vary for different interface types.

Table 40 Examples for Different Interface Parameters
ETHERNET | VIRTUAL INTERFACE | PPPOE/PPTP
Router(config)# interface wan1 | Router(config)# interface wan1:1 | Router(config)# interface wan1_ppp
Router(config-if-wan1)# | Router(config-if-vir)#...
Table 40 Examples for Different Interface Parameters
BRIDGE TUNNEL Router(config)# interface br0 downstream Router(config-if-brg)# exit description downstream ipv6 exit metric ipv6 join ping-check shutdown traffic-prioritize tunnel ping-check upstream shutdown traffic-prioritize type upstream

13.2.5 RIP Commands

This table lists the commands for RIP settings.

Table 41 interface Commands: RIP Settings
COMMAND | DESCRIPTION...
Table 42 interface Commands: OSPF Settings (continued)
COMMAND | DESCRIPTION
interface interface_name | Enters sub-command mode.
[no] ip ospf priority <0..255> | Sets the priority of the specified interface to the specified value. The no command sets the priority to 1.
| Sets the cost to route packets through the specified interface.
13.2.7 Connectivity Check (Ping-check) Commands
Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the ZyWALL / USG stops routing to the gateway.
13.2.7.1 Connectivity Check Command Example
The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2.
Router# configure terminal
Router(config)# interface wan1
Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080
Router(config-if-wan1)# exit
Router(config)# show ping-check...
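The failure-counting behaviour that section 13.2.7 describes, as an added Python example (not code from the guide and not ZyXEL's implementation). The class, function and parameter names are hypothetical, the outcome sequence is constructed, and restoring the gateway on the first successful check is an assumption the page does not state.

```python
"""Model of an interface connectivity check: period, timeout, failure tolerance."""
import socket
import time
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Tuple


def tcp_handshake_ok(host: str, port: int, timeout: float) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out: the attempt is a failure
        return False


@dataclass
class ConnectivityCheck:
    target: str
    port: int
    timeout: float = 5.0      # how long to wait before an attempt counts as failed
    fail_tolerance: int = 3   # consecutive failures required before the gateway is dropped
    probe: Callable[[str, int, float], bool] = tcp_handshake_ok
    consecutive_failures: int = 0
    gateway_usable: bool = True
    events: List[str] = field(default_factory=list)

    def check_once(self) -> bool:
        """Run one check and return whether the gateway should still be routed to."""
        if self.probe(self.target, self.port, self.timeout):
            if not self.gateway_usable:
                self.events.append("gateway restored")  # assumed recovery rule
            self.consecutive_failures = 0
            self.gateway_usable = True
        else:
            self.consecutive_failures += 1
            if self.gateway_usable and self.consecutive_failures >= self.fail_tolerance:
                self.gateway_usable = False
                self.events.append(
                    f"gateway down after {self.consecutive_failures} consecutive failures"
                )
        return self.gateway_usable


def monitor(check: ConnectivityCheck, rounds: int, period: float,
            sleep: Callable[[float], None] = time.sleep) -> List[bool]:
    """Run `rounds` checks, waiting `period` seconds between them (the check interval)."""
    states = []
    for i in range(rounds):
        states.append(check.check_once())
        if i < rounds - 1:
            sleep(period)
    return states


def scripted_probe(results: Iterable[bool]) -> Callable[[str, int, float], bool]:
    """Probe that replays constructed outcomes, so the model runs without a network."""
    it = iter(results)
    return lambda host, port, timeout: next(it)


def simulate(results: Iterable[bool], fail_tolerance: int) -> Tuple[List[bool], List[str]]:
    """Feed constructed probe outcomes through the check; return states and events."""
    results = list(results)
    check = ConnectivityCheck("1.1.1.2", 8080, timeout=1.0,
                              fail_tolerance=fail_tolerance,
                              probe=scripted_probe(results))
    return [check.check_once() for _ in results], check.events


if __name__ == "__main__":
    # Constructed outcomes: two isolated failures, then an outage of four checks.
    outcomes = [True, False, False, True, False, False, False, False, True]
    states, events = simulate(outcomes, fail_tolerance=3)
    for ok, usable in zip(outcomes, states):
        print(f"probe={'ok' if ok else 'fail':4}  route via gateway={usable}")
    print(events)
```

Two failures followed by a success do not take the gateway out of use because the counter resets; only an unbroken run that reaches the tolerance does.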
Table 45 interface Commands: MAC Setting (continued)
COMMAND DESCRIPTION
type {internal | external | general}
    Sets which type of network you will connect this interface. The ZyWALL / USG automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces;...
gateway 4.6.7.8, upstream bandwidth 345, downstream bandwidth 123, and description “I am vir interface”.
Router# configure terminal
Router(config)# interface ge1:1
Router(config-if-vir)# ip address 1.2.3.4 255.255.255.0
Router(config-if-vir)# ip gateway 4.6.7.8
Router(config-if-vir)# upstream 345
Router(config-if-vir)# downstream 123
Router(config-if-vir)# description I am vir interface
Router(config-if-vir)# exit
13.5 PPPoE/PPTP Specific Commands
This section covers commands that are specific to PPPoE/PPTP interfaces.
Table 48 interface Commands: PPPoE/PPTP Interfaces (continued)
COMMAND DESCRIPTION
[no] mss <536..1452>
    Specifies the maximum segment size (MSS) the interface can use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece.
2.2.2.2, MTU 1200, upstream bandwidth 345, downstream bandwidth 123, description “I am ppp0”, and dialed only when used.
Router# configure terminal
Router(config)# interface ppp0
Router(config-if-ppp)# account Hinet
Router(config-if-ppp)# bind ge1
Router(config-if-ppp)# local-address 1.1.1.1
Router(config-if-ppp)# remote-address 2.2.2.2
Router(config-if-ppp)# mtu 1200
Router(config-if-ppp)# upstream 345
Router(config-if-ppp)# downstream 123
Router(config-if-ppp)# connectivity dial-on-demand...
Page 106
Table 49 Interface Cellular Commands (continued)
COMMAND DESCRIPTION
[no] network-selection {auto|home}
    Home network is the network to which you are originally subscribed. Home has the 3G device connect only to the home network. If the home network is down, the ZyWALL / USG's 3G Internet connection is also unavailable.
Table 49 Interface Cellular Commands (continued)
COMMAND DESCRIPTION
budget percentage {ptime|pdata} <0..99>
    Sets a percentage (0~99) of time budget (ptime) or data (pdata) limit. When the specified limit is exceeded, the ZyWALL / USG takes the action configured using the budget {log-percentage|log-percentage-alert} command.
Page 108
Table 50 Cellular Status
STATUS DESCRIPTION
Limited service
    returned by the service provider in cases where the SIM card is expired, the user failed to pay for the service and so on; you cannot connect to the Internet.
Device detected
    displays when you connect a 3G device.
13.6.2 Cellular Interface Command Examples
This example shows the configuration of a cellular interface named cellular2 for use with a Sierra Wireless AC850 3G card. It uses only a 3G (or 3.5G) connection, PIN code 1234, an MTU of 1200 bytes, a description of “This is cellular2”...
13.7 Tunnel Interface Specific Commands
The ZyWALL / USG uses tunnel interfaces in Generic Routing Encapsulation (GRE), IPv6 in IPv4, and 6to4 tunnels. This section covers commands specific to tunnel interfaces. Tunnel interfaces also use many of the general interface commands discussed at the beginning of Section 13.2. Use these commands to add, edit, activate, deactivate, or delete tunnel interfaces.
13.7.1 Tunnel Interface Command Examples
This example creates a tunnel interface called tunnel0 that uses wan1 as the source, 168.168.168.168 as the destination, and 10.0.0.100 and 255.255.0.0 as the inner source IP.
Router> configure terminal
Router(config)# interface tunnel0
Router(config-if-tunnel)# tunnel source wan1
Router(config-if-tunnel)# tunnel destination 168.168.168.168
Router(config-if-tunnel)# ip address 10.0.0.100 255.255.0.0...
Table 52 USB Storage General Commands (continued)
COMMAND DESCRIPTION
[no] diag-info copy usb-storage
    Sets to have the ZyWALL / USG save or stop saving the current system diagnostics information to the connected USB storage device. You may need to send this file to customer support for troubleshooting.
This table lists the VLAN interface commands.
Table 54 interface Commands: VLAN Interfaces
COMMAND DESCRIPTION
interface interface_name
    Creates the specified interface if necessary and enters sub-command mode.
[no] port interface_name
    Specifies the Ethernet interface on which the VLAN interface runs. The no command clears the port.
This table lists the bridge interface commands.
Table 56 interface Commands: Bridge Interfaces
COMMAND DESCRIPTION
interface interface_name
    Creates the specified interface if necessary and enters sub-command mode.
[no] join interface_name
    Adds the specified Ethernet interface or VLAN interface to the specified bridge. The no command removes the specified interface from the specified bridge.
Chapter 14 Trunks
This chapter shows you how to configure trunks on your ZyWALL / USG.
14.1 Trunks Overview
You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface’s connection goes down, the ZyWALL / USG sends traffic through another member of the trunk.
14.3 Trunk Commands Input Values
The following table explains the values you can input with the interface-group commands.
Table 57 interface-group Command Input Values
LABEL DESCRIPTION
group-name
    A descriptive name for the trunk. ZyWALL / USG uses up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive.
Table 58 interface-group Commands Summary (continued)
COMMAND DESCRIPTION
loadbalancing-index <inbound|outbound|total>
    Use this command only if you use least load first or spill-over as the trunk’s load balancing algorithm. Set either inbound, outbound, or total (outbound and inbound) traffic to which the ZyWALL / USG will apply the specified algorithm.
Page 118
The following example creates a spill-over trunk for Ethernet interfaces ge1 and ge3, which will apply to both incoming and outgoing traffic through the trunk. The ZyWALL / USG sends traffic through ge1 until it hits the limit of 1000 kbps. The ZyWALL / USG sends anything over 1000 kbps through ge3.
Chapter 15 Route
This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL / USG.
15.1 Policy Route
Traditionally, routing is based on the destination address only and the ZyWALL / USG takes the shortest path to forward a packet.
Page 120
Table 59 Input Values for General Policy Route Commands (continued)
LABEL DESCRIPTION
interface_name
    The name of the interface.
    Ethernet interface: Some ZyWALL / USG models use gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your ZyWALL / USG model. Other ZyWALL / USG models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
Page 121
Table 60 Command Summary: Policy Route (continued)
COMMAND DESCRIPTION
[no] auto-destination
    When you set tunnel as the next-hop type (using the next-hop tunnel command) for this route, you can use this command to have the ZyWALL / USG use the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of what you configure by using the destination command.
Page 122
Table 60 Command Summary: Policy Route (continued)
COMMAND DESCRIPTION
[no] schedule schedule_object
    Sets the schedule. The no command removes the schedule setting to the default (none). none means any time.
[no] service {service_name|any}
    Sets the IP protocol. The no command resets service settings to the default (any). any means all services.
Page 123
Table 60 Command Summary: Policy Route (continued)
COMMAND DESCRIPTION
dscp-marking class {default | dscp_class}
    Sets how the ZyWALL / USG handles the DSCP value of the outgoing packets that match this route. Set this to default to have the ZyWALL / USG set the DSCP value of the packets to 0.
Table 60 Command Summary: Policy Route (continued)
COMMAND DESCRIPTION
[no] policy controll-virtual-server-rules activate
    Gives policy routes priority over NAT virtual server rules (1-1 SNAT). Use the no command to give NAT virtual server rules priority over policy routes.
[no] policy6 override-direct-route
    Has the ZyWALL / USG forward IPv6 packets that match a policy route according to the policy route instead of sending the packets to a...
the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets.
Table 61 Assured Forwarding (AF) Behavior Group
                          CLASS 1    CLASS 2    CLASS 3    CLASS 4
Low Drop Precedence       AF11 (10)  AF21 (18)  AF31 (26)  AF41 (34)
Medium Drop Precedence...
network N3 because it doesn't know that there is a route through the same gateway R1 (via gateway R2). The static routes are for you to tell the ZyWALL / USG about the networks beyond the network connected to the ZyWALL / USG directly.
Figure 14 Example of Static Routing Topology
15.4 Static Route Commands
The following table describes the commands available for static route.
15.4.1 Static Route Commands Examples
The following command sets a static route with IP address 10.10.10.0 and subnet mask 255.255.255.0 and with the next-hop interface ge1. Then use the show command to display the setting.
Router(config)# ip route 10.10.10.0 255.255.255.0 ge1
Router(config)#
Router(config)# show ip route-settings
Route...
Chapter 16 Routing Protocol
This chapter describes how to set up RIP and OSPF routing protocols for the ZyWALL / USG.
16.1 Routing Protocol Overview
Routing protocols give the ZyWALL / USG routing information about the network from other routers. The ZyWALL / USG then stores this routing information in the routing table, which it uses when it makes routing decisions.
16.2.1 RIP Commands
This table lists the commands for RIP.
Table 65 router Commands: RIP
COMMAND DESCRIPTION
router rip
    Enters sub-command mode.
[no] network interface_name
    Enables RIP on the specified Ethernet interface. The no command disables RIP on the specified interface.
[no] redistribute {static | ospf}
    Enables redistribution of routing information learned from the specified source.
16.2.3 OSPF Area Commands
This table lists the commands for OSPF areas.
Table 67 router Commands: OSPF Areas
COMMAND DESCRIPTION
router ospf
    Enters sub-command mode.
[no] network interface area IP
    Adds the specified interface to the specified area. The no command removes the specified interface from the specified area.
Table 68 router Commands: Virtual Links in OSPF Areas (continued)
COMMAND DESCRIPTION
Sets the MD5 ID in the specified virtual link area IP virtual-link IP message-digest-key <1..255> encrypted-authentication-key Clears the MD5 ID in the specified virtual link. no area IP virtual-link IP message-digest-key <1..255>...
Chapter 17 Zones
Set up zones to configure network security and network policies in the ZyWALL / USG.
17.1 Zones Overview
A zone is a group of interfaces and VPN tunnels. The ZyWALL / USG uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management. Zones cannot overlap.
17.2 Zone Commands Summary
The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands.
Table 70 Input Values for Zone Commands
LABEL DESCRIPTION
profile_name
    The name of a zone, or the name of a VPN tunnel. For some ZyWALL / USG models use up to 31 characters (a-zA-Z0-9_-).
17.2.1 Zone Command Examples
The following commands add Ethernet interfaces ge1 and ge2 to zone A.
Router# configure terminal
Router(config)# zone A
Router(zone)# interface ge1
Router(zone)# interface ge2
Router(zone)# exit
Router(config)# show zone
No. Name Member
===========================================================================
ge1,ge2
Router(config)# show zone A
No.
Chapter 18 DDNS
This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL / USG.
18.1 DDNS Overview
DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address.
18.2 DDNS Commands Summary
The following table describes the values required for many DDNS commands. Other values are discussed with the corresponding commands.
Table 73 Input Values for DDNS Commands
LABEL DESCRIPTION
profile_name
    The name of the DDNS profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Table 74 ip ddns Commands (continued)
COMMAND DESCRIPTION
[no] mx {ip | domain_name}
    Enables the mail exchanger and sets the fully-qualified domain name of the mail server to which mail from this domain name is forwarded. The no command disables the mail exchanger.
Chapter 19 Virtual Servers
This chapter describes how to set up, manage, and remove virtual servers. Virtual server commands configure NAT.
19.1 Virtual Server Overview
Virtual server is also known as port forwarding or port translation. Virtual servers are computers on a private network behind the ZyWALL / USG that you want to make available outside the private network.
Page 142
The following table lists the virtual server commands.
Table 76 ip virtual-server Commands
COMMAND DESCRIPTION
show ip virtual-server [profile_name]
    Displays information about the specified virtual server or about all the virtual servers.
no ip virtual-server profile_name
    Deletes the specified virtual server.
ip virtual-server profile_name...
    Creates or modifies the specified virtual server and maps the specified
Table 76 ip virtual-server Commands (continued)
COMMAND DESCRIPTION
ip virtual-server profile_name interface interface_name original-ip
    Creates or modifies the specified virtual server and maps the specified (destination IP address, protocol, and service object) to the specified (destination IP address and service object).
19.2.2 Tutorial - How to Allow Public Access to a Server
This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). You will use a public IP address of 1.1.1.2 on the ge2 (or wan1 on some models) interface and map it to the HTTP server’s private IP address of 192.168.3.7.
Chapter 20 HTTP Redirect
This chapter shows you how to configure HTTP redirection on your ZyWALL / USG.
20.1 HTTP Redirect Overview
HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ZyWALL / USG) to a web proxy server.
20.1.1 Web Proxy Server
A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services.
20.2 HTTP Redirect Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 77 Input Values for HTTP Redirect Commands
LABEL DESCRIPTION
description
    The name to identify the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
20.2.1 HTTP Redirect Command Examples
The following commands create an HTTP redirect rule, disable it and display the settings.
Router# configure terminal
Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80
Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80 deactivate
Router(config)# show ip http-redirect
Name...
Chapter 21 ALG
This chapter covers how to use the ZyWALL / USG’s ALG feature to allow certain applications to pass through the ZyWALL / USG.
21.1 ALG Introduction
The ZyWALL / USG can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the ZyWALL / USG’s NAT.
21.2 ALG Commands
The following table lists the commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 79 alg Commands
COMMAND DESCRIPTION
[no] alg sip [direct-media | direct-signalling |
    Turns on or configures the ALG. Use direct-media to set the ZyWALL / USG to allow SIP audio...
21.3 ALG Commands Example
The following example turns on pass through for SIP and turns it off for H.323.
Router# configure terminal
Router(config)# alg sip
Router(config)# no alg h323
ZyWALL / USG (ZLD) CLI Reference Guide...
Chapter 22 UPnP
22.1 UPnP and NAT-PMP Overview
The ZyWALL / USG supports both UPnP and NAT-PMP to permit networking devices to discover each other and connect seamlessly. Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
Table 80 ip upnp Commands (continued)
COMMAND DESCRIPTION
[no] nat-pmp activate
    Enables NAT-PMP on the ZyWALL / USG. The no command disables NAT-PMP on the ZyWALL / USG.
[no] upnp-igd activate
    Enables UPnP on the ZyWALL / USG. The no command disables UPnP on the ZyWALL / USG.
Page 155
The following example displays the ZyWALL / USG’s port mapping entries and removes the entry with the specified port number and protocol type.
Router# configure terminal
Router(config)# show ip upnp port-mapping
No: 0
Remote Host: (null)
Client Type: upnp
External Port: 1122
Protocol: tcp...
Chapter 23 IP/MAC Binding
23.1 IP/MAC Binding Overview
IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL / USG uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address.
23.3 IP/MAC Binding Commands Example
The following example enables IP/MAC binding on the LAN1 interface and displays the interface’s IP/MAC binding status.
Router# configure terminal
Router(config)# ip ip-mac-binding lan1 activate
Router(config)# show ip ip-mac-binding lan1
Name: lan1
Status: Enable
Log: No
Binding Count: 0...
Chapter 24 Layer 2 Isolation
24.1 Layer 2 Isolation Overview
Layer-2 isolation is used to prevent connected devices from communicating with each other in the ZyWALL / USG’s local network(s), on which layer-2 isolation is enabled, except the devices in the white list.
24.2 Layer 2 Isolation Commands
The following table lists the l2-isolation commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 82 l2-isolation Commands
COMMAND DESCRIPTION
l2-isolation
    Enters the layer 2 isolation sub-command mode to enable Layer-2 isolation...
Table 83 l2-isolation white-list Sub-commands (continued)
COMMAND DESCRIPTION
[no] description description
    Sets a descriptive name (up to 60 printable ASCII characters) for a rule. The no command removes the descriptive name from the rule.
[no] ip-address ip
    Sets an IPv4 address associated with this rule. The no command removes the IP address.
Chapter 25 Secure Policy
This chapter introduces the ZyWALL / USG’s secure policies and shows you how to configure them.
Note: In the guide Secure Policy commands may also be referred to as Firewall in general descriptions.
25.1 Secure Policy Overview
A secure policy is a template of security settings that can be applied to specific traffic at specific times.
25.2 Secure Policy Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 84 Input Values for Secure Policy Commands
LABEL DESCRIPTION
address_object
    The name of the IP address (or address group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character...
Page 165
Table 85 Command Summary: Secure Policy (continued)
COMMAND DESCRIPTION
secure-policy zone_object {zone_object|ZyWALL} delete <1..5000>
    Removes a direction specific through-ZyWALL rule or to-ZyWALL rule.
    <1..5000>: the index number in a direction specific secure policy rule list.
secure-policy zone_object {zone_object|ZyWALL} flush
    Removes all direction specific through-ZyWALL rule or to-ZyWALL rules.
Page 166
Table 85 Command Summary: Secure Policy (continued)
COMMAND DESCRIPTION
secure-policy6 zone_object {zone_object|ZyWALL} append
    Enters the IPv6 secure policy sub-command mode to add a direction specific through-ZyWALL rule or to-ZyWALL rule to the end of the global rule list. See Table 86 on page 167 for the sub-commands.
Table 85 Command Summary: Secure Policy (continued)
COMMAND DESCRIPTION
session-status-update alg {active|inactive}
    Enables or Disables ALG session updates
show session-status-update reply-time
    Displays idle session timeout
25.2.1 Secure Policy Sub-Commands
The following table describes the sub-commands for several secure-policy and secure-policy6 commands.
Page 168
Table 86 firewall Sub-commands (continued)
COMMAND DESCRIPTION
[no] sourceip6 address_object
    Sets the source IP address(es). The no command resets the source IP address(es) to the default (any). any means all IP addresses.
[no] sourceport {tcp|udp} {eq <1..65535>|range
    Sets the source port for a secure policy rule. The no command removes the source port from the rule.
Table 86 firewall Sub-commands (continued)
COMMAND DESCRIPTION
[no] ssl-profile <profile name> {[no log]|[log by-profile]} {activate | deactivate}
    Applies the (already-created) named anti-x profile to traffic that matches the secure-policy rule. Log by-profile generates a log for all traffic that matches criteria in the anti-x profile.
Page 170
The following command displays the default IPv4 secure policy rule that applies to the WAN to ZyWALL / USG packet direction. The secure policy rule number is the rule’s priority number in the global rule list.
Router(config)# show secure-policy WAN ZyWALL
secure-policy rule: 11
name: WAN_to_Device...
The following command displays the default IPv6 firewall rule that applies to the WAN to ZyWALL / USG packet direction. The firewall rule number is the rule’s priority number in the global rule list.
Router(config)# show secure-policy6 WAN ZyWALL
secure-policy rule: 1
name: Device_Default_Allow_Service
description:...
Page 172
Table 87 Input Values for General Session Limit Commands (continued)
LABEL DESCRIPTION
address6_object
    The name of the IPv6 address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Table 88 Command Summary: Session Limit (continued)
COMMAND DESCRIPTION
[no] address6 address6_object
    Sets the IPv6 source IP address. The no command sets this to any, which means all IP addresses.
[no] description description
    Sets a descriptive name (up to 64 printable ASCII characters) for a session-limit rule.
25.4.1 ADP Command Input Values
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 89 Input Values for ADP Commands
LABEL DESCRIPTION
zone_profile
    The name of a zone. For some ZyWALL / USG models, use up to 31 characters (a-zA-Z0-9_-).
Table 92 ADP Zone-to-Zone Rule Commands (continued)
LABEL DESCRIPTION
no bind
    Removes the ADP anomaly profile’s binding.
from-zone zone_profile
    Specifies the zone the traffic is coming from.
[no] activate
    Turns on the ADP anomaly profile to traffic direction binding. The no command turns it off.
Chapter 26 Web Authentication
26.1 Web Authentication Overview
Web authentication can intercept network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions.
Table 94 web-auth Commands (continued)
COMMAND DESCRIPTION
web-auth policy append
    Creates a new condition for forcing user authentication at the end of the current list and enters sub-command mode. See Table 95 on page 180 for the sub-commands.
web-auth policy insert <1..1024>...
    Creates a new condition for forcing user authentication at the specified
Table 95 web-auth policy Sub-commands (continued)
COMMAND DESCRIPTION
interface interface_name
    Sets an interface on which packets for the policy must be received.
[no] schedule schedule_name
    Sets the time criteria for the specified condition. The no command removes the time criteria, making the condition effective all the time.
26.3.2 SSO Show Commands
You don’t need to enter the configuration mode before you can use these commands. Use them to view the SSO configuration.
Table 97 SSO Show Commands
COMMAND DESCRIPTION
show sso agent
    Displays primary and secondary agent IP and Port configurations.
Displays primary agent IP and Port configurations.
Chapter 27 RTLS
27.1 RTLS Overview
Ekahau RTLS (Real Time Location Service) tracks battery-powered Wi-Fi tags attached to APs managed by the ZyWALL / USG to create maps, alerts, and reports. The Ekahau RTLS Controller is the centerpiece of the RTLS system. This server software runs on a Windows computer to track and locate Ekahau tags from Wi-Fi signal strength measurements.
27.1.1 RTLS Configuration Commands
Use these commands to configure RTLS on the ZyWALL / USG.
Table 99 RTLS Commands
COMMAND DESCRIPTION
[no] rtls ekahau activate
    Enables RTLS to use Wi-Fi to track the location of Ekahau Wi-Fi tags. The no command disables tracking.
Chapter 28 IPSec VPN
This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL / USG.
28.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing.
SA through which the ZyWALL / USG and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure.
Figure 20 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in network B.
Table 100 Input Values for IPSec VPN Commands (continued)
LABEL DESCRIPTION
sort_order
    Sort the list of currently connected SAs by one of the following classifications.
    algorithm encapsulation inbound name outbound policy timeout uptime
auth_method
    The name of the authentication profile.
The following sections list the IPSec VPN commands.
Table 101 isakmp Commands: IKE SAs (continued)
COMMAND DESCRIPTION
group1
group2
group5
group14
    Sets the DHx group to the specified group.
[no] natt
    Enables NAT traversal. The no command disables NAT traversal.
local-ip {ip {ip | domain_name} |
    Sets the local gateway address to the specified IP address, domain name, or interface.
Page 189
Table 102 crypto Commands: IPSec SAs (continued)
COMMAND DESCRIPTION
crypto map dial map_name
    Dials the specified IPSec SA manually. This command does not work for IPSec SAs using manual keys or for IPSec SAs where the remote gateway address is 0.0.0.0.
Page 190
Table 102 crypto Commands: IPSec SAs (continued)
COMMAND DESCRIPTION
[no] policy-enforcement
    Drops traffic whose source and destination IP addresses do not match the local and remote policy. This makes the IPSec SA more secure. The no command allows traffic whose source and destination IP addresses do not match the local and remote policy.
28.2.3 IPv4 IPSec SA Commands (for Manual Keys)
This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys).
Table 103 crypto map Commands: IPSec SAs (Manual Keys)
COMMAND DESCRIPTION
crypto map map_name
set session-key {ah <256..4095>...
    Sets the active protocol, SPI (<256..4095>), authentication key and
Table 104 vpn-concentrator Commands: VPN Concentrator (continued)
COMMAND DESCRIPTION
[no] crypto map_name
    Adds the specified IPSec SA to the specified VPN concentrator. The no command removes the specified IPSec SA from the specified VPN concentrator.
vpn-concentrator rename profile_name
    Renames the specified VPN concentrator (first profile_name) to the specified name (second profile_name).
28.2.6 SA Monitor Commands
This table lists the commands for the SA monitor.
Table 106 sa Commands: SA Monitor
COMMAND DESCRIPTION
show sa monitor [{begin
    Displays the current IPSec SAs and the status of each one. You can specify a range of SA entries to display.
Page 194
Table 107 sa Commands: IPv4 IKEv2 (continued)
COMMAND DESCRIPTION
[no] fall-back
    Set this to have the ZyWALL / USG reconnect to the primary address when it becomes available again and stop using the secondary connection, if the connection to the primary address goes down and the ZyWALL / USG changes to using the secondary connection.
28.2.8 IPv6 IKEv2 SA Commands
This table lists the commands for the IPv6 IKEv2 SA.
Table 108 sa Commands: IPv6 IKEv2
COMMAND DESCRIPTION
show ikev2 policy6 [policy_name]
    Shows the specified IKEv2 SA or all IKEv2 SAs.
Creates the specified IKEv2 SA if necessary and enters sub-command mode.
Table 108 sa Commands: IPv6 IKEv2 (continued)
COMMAND DESCRIPTION
[no] eap type {server auth_method user-id
    Enables extended authentication and specifies whether the ZyWALL / USG is the server or client. If the ZyWALL / USG is the server, it also specifies the AAA authentication method (aaa authentication profile_name);...
Table 109 crypto Commands: IPv6 IPSec SAs (continued)
COMMAND DESCRIPTION
scenario {site-to-site-static|site-to-site-dynamic|remote-access-server|remote-access-client}
    Select the scenario that best describes your intended VPN connection.
    Site-to-site: The remote IPSec router has a static IP address or a domain name. This ZyWALL / USG can initiate the VPN tunnel.
    site-to-site-dynamic: The remote IPSec router has a dynamic IP address.
Page 198
Chapter 28 IPSec VPN
Table 110 vpn-concentrator Commands: VPN Concentrator (continued)
COMMAND: [no] crypto map_name
DESCRIPTION: Adds the specified IPSec SA to the specified IPv6 VPN concentrator. The no command removes the specified IPSec SA from the specified IPv6 VPN concentrator.
COMMAND: vpn-concentrator6 rename profile_name profile_name
DESCRIPTION: Renames the specified IPv6 VPN concentrator (first profile_name) to the specified name (second profile_name).
Chapter 29 SSL VPN
This chapter shows you how to set up secure SSL VPN access for remote user login.
29.1 SSL Access Policy
An SSL access policy allows the ZyWALL / USG to perform the following tasks:
• limit user access to specific applications or files on the network.
•...
Chapter 29 SSL VPN
The following sections list the SSL VPN commands.
29.2.1 SSL VPN Commands
This table lists the commands for SSL VPN. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 112 SSL VPN Commands
COMMAND DESCRIPTION...
Chapter 29 SSL VPN
29.2.2 Setting an SSL VPN Rule Tutorial
Here is an example SSL VPN configuration. The SSL VPN rule defines:
• Only users using the “tester” account can use the SSL VPN.
• The ZyWALL / USG will assign an IP address from 192.168.100.1 to 192.168.100.10 (defined in object “IP-POOL”) to the computers which match the rule’s criteria.
Chapter 29 SSL VPN
Displays the SSL VPN rule settings.
Router(config)# show sslvpn policy SSL_VPN_TEST
index: 1
active: yes
name: SSL_VPN_TEST
description:
user: tester
ssl application: none
network extension: yes
traffic enforcement:no
netbios broadcast: no
ip pool: IP-POOL
dns server 1: DNS1
dns server 2: DNS2
wins server 1: none
wins server 2: none...
Chapter 30 L2TP VPN
This chapter explains how to set up and maintain L2TP VPNs in the ZyWALL / USG.
30.1 L2TP VPN Overview
L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers’ operating systems to securely connect to the network behind the ZyWALL / USG. The remote users do not need their own IPSec gateways or VPN client software.
Chapter 30 L2TP VPN
30.2.1 Using the Default L2TP VPN Connection
Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN. If you use it, edit the following. Configure the local and remote policies as follows.
• For the Local Policy, create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW.
Chapter 30 L2TP VPN
30.4 L2TP VPN Commands
The following table describes the values required for some L2TP VPN commands. Other values are discussed with the corresponding commands.
Table 113 Input Values for L2TP VPN Commands
LABEL: address_object
DESCRIPTION: The name of an IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Chapter 30 L2TP VPN
Table 114 L2TP VPN Commands
COMMAND: certificate cert_name
DESCRIPTION: Select the certificate to use to identify the ZyWALL / USG for L2TP VPN connections. The certificate is used with the EAP, PEAP, and MSCHAPv2 authentication protocols. The certificate must already be configured.
DESCRIPTION: Specifies the user or user group that can use the L2TP VPN tunnel.
Chapter 30 L2TP VPN
• You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel.
• The VPN rule allows the remote user to access the LAN_SUBNET which covers the 192.168.1.1/24 subnet.
Chapter 31 Bandwidth Management
31.1 Bandwidth Management Overview
Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.
31.1.1 BWM Type
The ZyWALL / USG supports two types of bandwidth management: shared, per-user and per-source-ip.
Chapter 31 Bandwidth Management
Table 115 bwm Commands (continued)
COMMAND: bwm <1..127>
DESCRIPTION: Enters the config-bwm sub-command mode to create a bandwidth management policy. See Table 116 on page 210 for the sub-commands.
COMMAND: bwm modify <1..127>...
DESCRIPTION: Enters the config-bwm sub-command mode to edit a bandwidth
Chapter 31 Bandwidth Management
Table 116 bwm Sub-commands (continued)
COMMAND: [no] inbound-dscp-mark {<0..63> | class {af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs0 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | wmm_be0...
DESCRIPTION: Sets the DSCP value to apply to the incoming packets that match this policy.
default: to have the ZyWALL / USG set the DSCP value of
Chapter 31 Bandwidth Management
Table 116 bwm Sub-commands (continued)
COMMAND: [no] outgoing-interface {interface interface_name | trunk group_name}
DESCRIPTION: Sets the destination interface of the traffic to which this policy applies.
interface_name: The name of the interface. This depends on the ZyWALL / USG model. See Table 36 on page 85 for detailed information about the interface name.
Chapter 31 Bandwidth Management
Table 116 bwm Sub-commands (continued)
COMMAND: marked-interface interface vlan<1..4064>
DESCRIPTION: When a packet matches BWM criteria, choose the VLAN interface(s) to which to apply the priority code using a marked-interface command.
DESCRIPTION: Marks matching outgoing traffic from the specified VLAN with the configured priority code.
Chapter 31 Bandwidth Management
The following example adds a new bandwidth management policy for trial-users to limit incoming and outgoing bandwidth and sets the traffic priority to 3. It then displays the policy settings.
Router# configure terminal
Router(config)# bwm append
Router(config-bwm append 6)# activate
Router(config-bwm append 6)# description example
Router(config-bwm append 6)# user trial-users...
Chapter 32 Application Patrol
This chapter describes how to set up application patrol for the ZyWALL / USG.
32.1 Application Patrol Overview
Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, http and ftp) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RSTP) applications.
Chapter 32 Application Patrol 32.2.1 Application Patrol Commands This table lists the application patrol commands. Table 118 app Commands: Application Patrol COMMAND DESCRIPTION Renames an existing profile app rename <profile-name> <profile-name> Generate a log when traffic matches a signature in this category. The [no] app log_sid no command disables it.
Chapter 32 Application Patrol
These are some other example application patrol usage commands.
Router(config)# show app statistics collect
collect statistics: yes
collect statistics time: since 2014-06-03 05:39:59 to 2014-06-10 06:20:17
Router(config)# show app signatures version
version: 3.1.4.049
Router(config)# show app signatures date
date: 2013-12-05 18:09:51
Router(config)# app john
Router(config-app-patrol-profile-john)# description this is a dummy profile...
Chapter 33 Anti-Virus
This chapter introduces and shows you how to configure the anti-virus scanner.
33.1 Anti-Virus Overview
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself.
Chapter 33 Anti-Virus
33.2.1 General Anti-virus Commands
The following table describes general anti-virus commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Note: You must register for the anti-virus service before you can use it (see Chapter 5 on page 49).
Chapter 33 Anti-Virus
Table 121 anti-virus profile Commands
COMMAND: [no] bypass {white-list | black-list}
DESCRIPTION: Have the ZyWALL / USG not check files against a pattern list.
COMMAND: [no] file-decompression [unsupported
DESCRIPTION: Enable file decompression to have the ZyWALL / USG attempt to decompress zipped files for further scanning....
Chapter 33 Anti-Virus
Table 122 Commands for Anti-virus White and Black Lists (continued)
COMMAND: [no] anti-virus black-list file-pattern av_file_pattern {activate|deactivate}
DESCRIPTION: Adds or removes a black list file pattern. Turns a file pattern on or off.
COMMAND: anti-virus black-list replace old_av_file_pattern new_av_file_pattern {activate|deactivate}...
DESCRIPTION: Replaces the specified black list file pattern with a new file pattern.
Chapter 33 Anti-Virus
33.3 Update Anti-virus Signatures
Use these commands to update new signatures. You should have already registered for anti-virus service.
Table 124 Update Signatures
COMMAND: anti-virus update signatures
DESCRIPTION: Immediately downloads signatures from an update server.
COMMAND: [no] anti-virus update auto
DESCRIPTION: Enables (disables) automatic signature downloads at regular times and days.
DESCRIPTION: Enables automatic signature download every hour....
Chapter 33 Anti-Virus
33.4 Anti-virus Statistics
The following table describes the commands for collecting and displaying anti-virus statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 125 Commands for Anti-virus Statistics
COMMAND DESCRIPTION
Turn the collection of anti-virus statistics on or off.
Chapter 34 IDP Commands
This chapter introduces IDP-related commands.
34.1 Overview
Commands mostly mirror web configurator features. It is recommended you use the web configurator for IDP features such as searching for web signatures, creating/editing an IDP profile or creating/editing a custom signature. Some web configurator terms may differ from the command-line equivalent.
Chapter 34 IDP Commands
Table 127 IDP Activation
COMMAND: show idp {signature | system-protect} activation
DESCRIPTION: Displays IDP signature, or system protect service status.
COMMAND: idp reload
DESCRIPTION: Recovers the IDP signatures. You should only need to do this if instructed to do so by a support technician.
Chapter 34 IDP Commands
34.3.1.1 Example of Global Profile Commands
In this example we rename an IDP signature profile from “old_profile” to “new_profile”, delete the “bye_profile” and show all base profiles available.
Router# configure terminal
Router(config)# idp rename signature old_profile new_profile
Router(config)# no idp signature bye_profile
Router(config)# show idp signature base profile
Base Profile Name...
Chapter 34 IDP Commands
Note: It is recommended you use the web configurator to search for signatures.
Table 130 Signature Search Command
COMMAND: idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask...
DESCRIPTION: Searches for signature(s) in a profile by the parameters specified. The quoted string is any text within the signature name in quotes, for example, [idp search
Chapter 34 IDP Commands The following table displays the command line service and action equivalent values. If you want to combine services in a search, then add their respective numbers together. For example, to search for signatures for DNS, Finger and FTP services, then type “7” as the service parameter. Table 132 Service and Action Command Values SERVICE SERVICE...
Chapter 34 IDP Commands Note: It is recommended you use the web configurator to create/edit signatures using the web configurator Anti-X > UTM Profile > Custom Signatures screen. Note: You must use the web configurator to import a custom signature file. Table 133 Custom Signatures COMMAND DESCRIPTION...
Chapter 34 IDP Commands
This example shows you how to edit a custom signature.
Router(config)# idp customize signature edit "alert tcp any any <> any any (msg : \"test edit\"; sid: 9000000 ; )"
sid: 9000000
message: test edit
policy type:
severity:
platform:
all: no...
Chapter 34 IDP Commands
This example shows you how to display custom signature contents.
Router(config)# show idp signatures custom-signature 9000000 contents
sid: 9000000
Router(config)# show idp signatures custom-signature 9000000 non-contents
sid: 9000000
ack:
dport: 0
dsize:
dsize_rel:
flow_direction:
flow_state:
flow_stream:
fragbits_reserve:
fragbits_dontfrag:
fragbits_morefrag:...
Chapter 34 IDP Commands
This example shows you how to display all details of a custom signature.
Router(config)# show idp signatures custom-signature all details
sid: 9000000
message: test edit
policy type:
severity:
platform:
all: no
Win95/98: no
WinNT: no
WinXP/2000: no
Linux: no
FreeBSD: no
Solaris: no...
Chapter 34 IDP Commands
34.5.1 Update Signature Examples
These examples show how to enable/disable automatic IDP downloading, schedule updates, display the schedule, display the update status, show the (new) updated signature version number, show the total number of signatures and show the date/time the signatures were created.
Router# configure terminal
Router(config)# idp signature update signatures
IDP signature update in progress....
Chapter 34 IDP Commands
34.6.1 IDP Statistics Example
This example shows how to collect and display IDP statistics. It also shows how to sort the display by the most common signature name, source IP address, or destination IP address.
Router# configure terminal
Router(config)# idp statistics collect
Router(config)# no idp statistics activate
Router(config)# idp statistics flush...
Chapter 35 Content Filtering
This chapter covers how to use the content filtering feature to control web access.
35.1 Content Filtering Overview
Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites. It can also block access to specific categories of web site content. You can create different content filtering policies for different addresses, schedules, users or groups and content filtering profiles.
Chapter 35 Content Filtering
35.4 Content Filter Command Input Values
The following table explains the values you can input with the content-filter commands.
Table 136 Content Filter Command Input Values
LABEL: filtering_profile
DESCRIPTION: The filtering profile defines how to filter web URLs or content. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot...
Chapter 35 Content Filtering
Table 136 Content Filter Command Input Values (continued)
LABEL: forbid_hosts
DESCRIPTION: The IP address or domain name of a forbidden web site.
Use a host name such as www.bad-site.com into this text field. Do not use the complete URL of the site –...
Chapter 35 Content Filtering
configuration mode to be able to use these commands. See Table 136 on page 238 for details about the values you can input with these commands.
Table 137 content-filter General Commands
COMMAND: [no] content-filter block message message
DESCRIPTION: Sets the message to display when content filtering blocks access to a web page....
Chapter 35 Content Filtering
35.6 Content Filter Filtering Profile Commands
The following table lists the commands that you can use to configure a content filtering profile. Use the configure terminal command to enter the configuration mode to be able to use these commands....
Chapter 35 Content Filtering
Table 138 content-filter Filtering Profile Commands Summary (continued)
COMMAND: [no] content-filter service-timeout service_timeout
DESCRIPTION: Sets how many seconds the ZyWALL / USG is to wait for a response from the external content filtering server. The no command clears the setting.
COMMAND: [no] content-filter profile filtering_profile
DESCRIPTION: Sets a CommTouch content filtering profile to check for specific web site categories....
Chapter 35 Content Filtering
35.7 Content Filtering Statistics
The following table describes the commands for collecting and displaying content filtering statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 139 Commands for Content Filtering Statistics
COMMAND DESCRIPTION
Turn the collection of content filtering statistics on or off.
Chapter 35 Content Filtering
You can also customize the filtering profile. The following commands block active-X, java and proxy access. Append a Secure Policy with content filter profile.
Router# configure terminal
Router(config)# address-object sales 172.2.3.0/24
Router(config)# schedule-object all_day 00:00 23:59
Router(config)# content-filter profile sales_CF_PROFILE
Router(config)# content-filter profile sales_CF_PROFILE commtouch-url category job-search
Router(config)# content-filter profile sales_CF_PROFILE commtouch-url category business...
Chapter 35 Content Filtering
Use this command to display the settings of the profile.
Router(config)# show content-filter profile sales_CF_PROFILE
commtouch service active : yes
url match unsafe: action: warn, log:
url match other : action: block, log:
url unrate : action: warn, log:
service offline : action: warn, log:...
Chapter 36 Anti-Spam
This chapter introduces and shows you how to configure the anti-spam scanner.
36.1 Anti-Spam Overview
The anti-spam feature marks or discards spam. Activate the anti-spam subscription service for sender IP reputation checking, mail content analysis, and virus outbreak detection. Use the white list to identify legitimate e-mail.
Chapter 36 Anti-Spam
Table 141 Commands for Anti-Spam Profile Rules (continued)
COMMAND: [no] scan {smtp | pop3}
DESCRIPTION: Sets the protocols of traffic to scan for spam.
COMMAND: [no] match-action pop3 {forward |
DESCRIPTION: Sets the action to take when the ZyWALL / USG detects a spam POP3 e-mail....
Chapter 36 Anti-Spam
Table 141 Commands for Anti-Spam Profile Rules (continued)
COMMAND: show anti-spam mail-scan query-timeout pop3
DESCRIPTION: Display the action the ZyWALL / USG takes on POP3 mail if querying the mail scan server times out.
COMMAND: show anti-spam mail-scan query-timeout
DESCRIPTION: Display how many seconds the ZyWALL / USG waits for a reply from the mail scan server before taking the relevant timeout action.
Chapter 36 Anti-Spam
36.2.2 White and Black Lists
The following table identifies values used in these commands. Other input values are discussed with the corresponding commands.
Table 142 Input Values for White and Black list Anti-Spam Commands
LABEL: mail_header
DESCRIPTION: The name part of an e-mail header (the part that comes before the colon). Use up to 63 ASCII characters.
Chapter 36 Anti-Spam
Table 143 Commands for Anti-spam White and Black Lists (continued)
COMMAND: [no] anti-spam black-list [rule_number] e-mail email {activate|deactivate}
DESCRIPTION: Adds, edits, or removes a black list entry to check e-mail for a specific source e-mail address or domain name. Also turns the entry on or off.
Chapter 36 Anti-Spam
• The wildcard can be anywhere in the text string and you can use more than one wildcard. You cannot use two wildcards side by side, there must be other characters between them.
• The ZyWALL / USG checks the first header with the name you specified in the entry. So if the e-mail has more than one “Received”...
Chapter 36 Anti-Spam
Table 145 DNSBL Commands
COMMAND: show anti-spam dnsbl domain
DESCRIPTION: Displays the ZyWALL / USG’s configured anti-spam DNSBL domain entries.
COMMAND: show anti-spam dnsbl max-query-ip
DESCRIPTION: Displays how many sender and relay server IP addresses in the mail header anti-spam checks against the DNSBL.
COMMAND: show anti-spam dnsbl ip-check-order
DESCRIPTION: Displays the order in which anti-spam checks e-mail header IP addresses against the DNSBLs.
Chapter 36 Anti-Spam
Table 146 Commands for Anti-spam Statistics (continued)
COMMAND: show anti-spam ip-reputation statistics
DESCRIPTION: Displays the mail sender IP reputation checking statistics.
COMMAND: show anti-spam mail-scan statistics
DESCRIPTION: Displays the mail scan statistics.
36.3.1 Anti-Spam Statistics Example
This example shows how to collect anti-spam statistics and display a summary.
Router(config)# anti-spam statistics collect
Router(config)# show anti-spam statistics collect...
Chapter 37 SSL Inspection
This chapter describes how to set up SSL Inspection for the ZyWALL / USG.
37.1 SSL Inspection Overview
Secure Socket Layer (SSL) traffic, such as https://www.google.com/HTTPS, FTPs, POP3s, SMTPs, etc. is encrypted, and cannot be inspected using Unified Threat Management (UTM) profiles such as App Patrol, Content Filter, Intrusion, Detection and Prevention (IDP), or Anti-Virus.
Chapter 37 SSL Inspection The following sections list the commands. 37.2.1 SSL Inspection Exclusion Commands There may be privacy and legality issues regarding inspecting a user's encrypted session. The legal issues may vary by locale, so it's important to check with your legal department to make sure that it’s OK to intercept SSL traffic from your ZyWALL / USG users.
Chapter 37 SSL Inspection
Table 149 SSL Inspection Profile Commands
COMMAND: follow-real-client-routing {yes | no}
DESCRIPTION: When a new SSL session is found by SSL inspection, it will create another independent session from the ZyWALL / USG to get information such as the certificate chain. However, since this traffic is sent from the ZyWALL / USG, it may not match the same routing policy of the original SSL session and may not reach the destination server.
Chapter 37 SSL Inspection
Table 151 SSL Inspection Certificate Update Commands
COMMAND: show ssl-inspection default-cert version
DESCRIPTION: Displays the default certificate update status.
COMMAND: show ssl-inspection default-cert update
DESCRIPTION: Shows the current certificate update status.
COMMAND: show ssl-inspection cert-update
DESCRIPTION: Shows if automatically updating the certificate set is configured on the ZyWALL / USG.
Chapter 37 SSL Inspection
37.2.6 SSL Inspection Command Examples
These are some other example SSL Inspection usage commands.
Router(config)# ssl-inspection exclude-list-settings
Router(ssl-inspection-exclude-list-settings)# no log
Router(ssl-inspection-exclude-list-settings)# exit
Router(config)# ssl-inspection exclude-list
Router(ssl-inspection-exclude-list)# entry 1.1.1.1
Router(ssl-inspection-exclude-list)# entry abc@zyxel.com.tw
Router(ssl-inspection-exclude-list)# exit
Router(config)# show ssl-inspection exclude-list settings
SSL Inspection Exclude List Global Information
Log: no
Router(config)# show ssl-inspection exclude-list...
Chapter 38 Device HA
Use device HA to increase network reliability. Device HA lets a backup ZyWALL / USG (B) automatically take over if a master ZyWALL / USG (A) fails.
Figure 24 Device HA Backup Taking Over for the Master
38.1 Device HA Overview
Active-Passive Mode
•...
Chapter 38 Device HA
38.1.1 Before You Begin
• Configure a static IP address for each interface that you will have device HA monitor.
Note: Subscribe to services on the backup ZyWALL / USG before synchronizing it with the master ZyWALL / USG.
•...
Chapter 38 Device HA
• Each interface can also have a management IP address. You can connect to this IP address to manage the ZyWALL / USG regardless of whether it is the master or the backup.
38.4 Active-Passive Mode Device HA Commands
The following table identifies the values required for many of these commands.
Chapter 38 Device HA
Table 155 device-ha ap-mode Commands (continued)
COMMAND: [no] device-ha ap-mode interface_name activate
DESCRIPTION: Has device HA monitor the status of an interface’s connection.
COMMAND: [no] device-ha ap-mode master sync
DESCRIPTION: This is for a master ZyWALL / USG. It specifies the password to require from synchronizing backup ZyWALL / USGs....
Chapter 38 Device HA 38.4.2 Active-Passive Mode Device HA Command Example This example configures a ZyWALL / USG to be a master ZyWALL / USG for active-passive mode device HA. There is a management IP address of 192.168.1.3 on lan1. wan1 and lan1 are monitored.
Chapter 39 User/Group
This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL / USG. You can also set up rules that control when users have to log in to the ZyWALL / USG before the ZyWALL / USG routes traffic for them.
Chapter 39 User/Group
39.2 User/Group Commands Summary
The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands.
Table 157 username/groupname Command Input Values
LABEL: username
DESCRIPTION: The name of the user (account). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number.
Chapter 39 User/Group
Table 158 username/groupname Commands Summary: Users (continued)
COMMAND: username username [no] logon-lease-time <0..1440>...
DESCRIPTION: Sets the lease time for the specified user. Set it to zero to set unlimited lease time. The no command sets the lease time to
Chapter 39 User/Group
Table 160 username/groupname Commands Summary: Settings (continued)
COMMAND: users default-setting [no] user-type <admin|ext-user|guest|limited-admin|user|ext-group-
DESCRIPTION: Sets the default reauthorization time (in minutes) for each type of new user. Set it to zero for unlimited reauthorization time. The no command sets the default reauthorization time to thirty....
Chapter 39 User/Group
39.2.4 MAC Auth Commands
This table lists the commands for mapping MAC addresses to MAC address user accounts.
Table 161 mac-auth Commands Summary
COMMAND: [no] mac-auth database mac mac_address type ext-mac-address mac-role username description description
DESCRIPTION: Maps the specified MAC address authenticated by an external server to the specified MAC role (MAC address user account)....
Chapter 39 User/Group
• Use upper case letters in the account MAC addresses
Router(config)# username ZyXEL-mac user-type mac-address
Router(config)# mac-auth database mac 00:13:49:11:a0:c4 type ext-mac-address mac-role ZyXEL-mac description zyxel mac
3. Modify wlan-security-profile
Router(config)# wlan-security-profile secureWLAN1
Router(config-wlan-security default)# mac-auth activate
Router(config-wlan-security default)# mac-auth auth-method Auth1
Router(config-wlan-security default)# mac-auth delimiter account colon
Router(config-wlan-security default)# mac-auth case account upper...
Chapter 39 User/Group
39.2.5.1 Additional User Command Examples
The following commands display the users that are currently logged in to the ZyWALL / USG and forces the logout of all logins from a specific IP address.
Router# configure terminal
Router(config)# show users all
No: 0
Name: admin
Type: admin...
Chapter 40 Application Object
Check that you have the latest IDP and App Patrol signatures.
40.1 Application Object Commands Summary
The following table describes the values required for many application object commands. Other values are discussed with the corresponding commands.
Table 163 Input Values for Application Object Commands
LABEL DESCRIPTION
Type the name of the object.
Chapter 40 Application Object
40.1.1.1 application-object Examples
These are some example usage commands.
Router(config)# show application-object
Name Description Content
===============================================================================
tests New Create Facebook Game (access)
Router(config)# show application-object tests
Name: tests
Description: New Create
Category Application Application ID
===============================================================================
Social Network Facebook Game (access) 402685702...
Chapter 40 Application Object
40.1.2.1 object-group application Examples
These are some example usage commands.
Router(config)# show object-group application
Name Description Member
===============================================================================
Router(config)# object-group application may
Router(group-application)# description rinse after use
Router(group-application)# exit
Router(config)# show object-group application
Name Description Member
===============================================================================
rinse after use tests...
Chapter 41 Addresses
This chapter describes how to set up addresses and address groups for the ZyWALL / USG.
41.1 Address Overview
Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. You can create IP address objects based on an interface’s IP address, subnet, or gateway.
Chapter 41 Addresses
The following sections list the address object and address group commands.
41.2.1 Address Object Commands
This table lists the commands for address objects.
Table 167 address-object and address6-object Commands
COMMAND: show {address-object | address6-object |
DESCRIPTION: Displays information about the specified object or all the objects of the specified type....
Chapter 41 Addresses
41.2.1.1 Address Object Command Examples
The following example creates three IPv4 address objects and then deletes one.
Router# configure terminal
Router(config)# address-object A0 192.168.1.1
Router(config)# address-object A1 192.168.1.1-192.168.1.20
Router(config)# address-object A2 192.168.1.0/24
Router(config)# show address-object
Object name Type Address Ref.
Chapter 41 Addresses
The following example creates host, range, subnet, and link local IPv6 address objects and then deletes the subnet IPv6 address object.
> enable
Router# configure terminal
Router(config)# address6-object B0 fe80::211:85ff:fe0e:cdec
Router(config)# address6-object B1 fe80::211:85ff:fe0e:1-fe80::211:85ff:fe0e:ff
Router(config)# address6-object B2 fe80::211:85ff:fe0e:cdec/128
Router(config)# address6-object B3 interface-ip ge1 link-local
Router(config)# show address6-object
Object name...
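An added example, not from the ZyXEL guide: a Python audit helper that parses address-object and address6-object commands like those in the examples above, reports which objects contain a given IP, and lists objects fully covered by another (useful when reviewing rules that reference overlapping objects). The kind labels (host, range, subnet, interface) and all function names are this example's own; interface-based objects cannot be resolved offline and are only flagged.

```python
import ipaddress
import re

# Constructed sample input: the address-object commands from the examples above.
SAMPLE_CONFIG = """\
Router(config)# address-object A0 192.168.1.1
Router(config)# address-object A1 192.168.1.1-192.168.1.20
Router(config)# address-object A2 192.168.1.0/24
Router(config)# address6-object B0 fe80::211:85ff:fe0e:cdec
Router(config)# address6-object B1 fe80::211:85ff:fe0e:1-fe80::211:85ff:fe0e:ff
Router(config)# address6-object B2 fe80::211:85ff:fe0e:cdec/128
Router(config)# address6-object B3 interface-ip ge1 link-local
"""

# Optional CLI prompt, optional "no", the command keyword, object name, value.
LINE_RE = re.compile(
    r"^(?:\S+#\s*)?(no\s+)?address6?-object\s+(\S+)(?:\s+(.+?))?\s*$"
)


def parse_value(value):
    """Classify one object value and return (kind, first_ip, last_ip)."""
    if value.startswith("interface-"):
        # Depends on the live interface address; cannot be resolved offline.
        return ("interface", None, None)
    if "/" in value:
        net = ipaddress.ip_network(value, strict=False)
        return ("subnet", net[0], net[-1])
    if "-" in value:
        lo, hi = (ipaddress.ip_address(p) for p in value.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {value}")
        return ("range", lo, hi)
    addr = ipaddress.ip_address(value)
    return ("host", addr, addr)


def parse_objects(config_text):
    """Replay create/delete commands and return {name: (kind, first, last)}."""
    objects = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        negated, name, value = m.groups()
        if negated:
            objects.pop(name, None)          # "no address-object NAME" deletes
        elif value:
            objects[name] = parse_value(value)
    return objects


def objects_containing(objects, ip_text):
    """Names of resolvable objects whose address span includes ip_text."""
    ip = ipaddress.ip_address(ip_text)
    return sorted(
        name for name, (_, lo, hi) in objects.items()
        if lo is not None and lo.version == ip.version and lo <= ip <= hi
    )


def covered_pairs(objects):
    """(inner, outer) pairs where inner's span lies entirely inside outer's."""
    resolved = {n: o for n, o in objects.items() if o[1] is not None}
    pairs = []
    for inner, (_, i_lo, i_hi) in resolved.items():
        for outer, (_, o_lo, o_hi) in resolved.items():
            if (inner != outer and i_lo.version == o_lo.version
                    and o_lo <= i_lo and i_hi <= o_hi):
                pairs.append((inner, outer))
    return sorted(pairs)


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_CONFIG)
    for name, (kind, lo, hi) in objs.items():
        print(f"{name:4} {kind:10} {lo} .. {hi}")
    print("contains 192.168.1.5:", objects_containing(objs, "192.168.1.5"))
    print("covered pairs:", covered_pairs(objs))
```

Identical spans show up as a pair in both directions (B0 and B2 here), which flags duplicate objects.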
Chapter 41 Addresses
Table 168 object-group Commands: Address Groups (continued)
COMMAND: [no] description description
DESCRIPTION: Sets the description to the specified value. The no command clears the description.
description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
COMMAND: object-group address rename group_name
DESCRIPTION: Renames the specified address group from the first group_name to the second group_name....
Chapter 42 Services
Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
42.1 Services Overview
See the appendices in the web configurator’s User Guide for a list of commonly-used services.
42.2 Services Commands Summary
The following table describes the values required for many service object and service group commands.
Chapter 42 Services
Table 171 object-group Commands: Service Groups (continued)
COMMAND: [no] object-group group_name
DESCRIPTION: Adds the specified service group (second group_name) to the specified service group (first group_name). The no command removes the specified service group from the specified service group.
DESCRIPTION: Sets the description to the specified value.
Chapter 43 Schedules
Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering.
43.1 Schedule Overview
The ZyWALL / USG supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat.
Note: Schedules are based on the current date and time in the ZyWALL / USG.
Chapter 43 Schedules
Table 173 schedule Commands (continued)
COMMAND: schedule-object object_name date time date time
DESCRIPTION: Creates or updates a one-time schedule.
date: yyyy-mm-dd date format; yyyy-<01..12>-<01..31>
COMMAND: schedule-object object_name time time [day] [day] [day] [day] [day] [day] [day]
DESCRIPTION: Creates or updates a recurring schedule.
day: 3-character day of the week;...
Chapter 44 AAA Server
This chapter introduces and shows you how to configure the ZyWALL / USG to use external authentication servers.
44.1 AAA Server Overview
You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the ZyWALL / USG supports.
Chapter 44 AAA Server Table 174 ad-server Commands (continued) COMMAND DESCRIPTION Sets the user name the ZyWALL / USG uses to log into the default AD server. The [no] ad-server binddn binddn command clears this setting. Sets the unique common name (cn) to identify a record. The command clears [no] ad-server cn-identifier uid this setting.
Chapter 44 AAA Server 44.2.3 radius-server Commands The following table lists the commands you use to set the default RADIUS server. radius-server Table 176 radius-server Commands COMMAND DESCRIPTION Displays the default RADIUS server settings. show radius-server Sets the RADIUS server address and service port number. Enter the IP address [no] radius-server host (in dotted decimal notation) or the domain name of a RADIUS server.
Chapter 44 AAA Server Table 177 aaa group server ad Commands (continued) COMMAND DESCRIPTION Sets the second type of identifier that the users can use to log in if any. For [no] server alternative-cn- example “name” or “e-mail address”. The command clears this setting.
Chapter 44 AAA Server Table 178 aaa group server ldap Commands (continued) COMMAND DESCRIPTION Specify whether or not the server checks the username case. Set this to be [no] case-sensitive the same as the server’s behavior. Sets the second type of identifier that the users can use to log in if any. For [no] server alternative-cn- example “name”...
Chapter 44 AAA Server Table 179 aaa group server radius Commands (continued) COMMAND DESCRIPTION Enter the sub-command mode. aaa group server radius group-name Specify whether or not the server checks the username case. Set this to be [no] case-sensitive the same as the server’s behavior. Sets the descriptive information for the RADIUS server group.
Chapter 45 Authentication Objects This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database. 45.1 Authentication Objects Overview After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the ZyWALL / USG uses to authenticate users (using VPN or managing through HTTP/HTTPS).
Chapter 45 Authentication Objects Table 180 aaa authentication Commands (continued) COMMAND DESCRIPTION Sets the profile to use the authentication method(s) in the order specified. aaa authentication profile-name member1 [member2] [member3] = group ad, group ldap, group radius, or local. member [member4] Note: You must specify at least one member for each profile.
Page 299
Chapter 45 Authentication Objects • Password: abcdefg • Login-name-attribute: sAMAccountName The result shows the account exists on the AD server. Otherwise, the ZyWALL / USG responds with an error. Router> test aaa server ad host 172.16.50.1 port 389 base-dn DC=ZyXEL,DC=com bind-dn zyxel\engineerABC password abcdefg login-name-attribute sAMAccountName account userABC dn:: Q049MTIzNzco546L5aOr56uRKSxPVT1XaXRoTWFpbCxEQz1aeVhFTCxEQz1jb20=...
Chapter 46 Authentication Server This chapter shows you how to configure the ZyWALL / USG as an authentication server for access points. 46.1 Authentication Server Overview The ZyWALL / USG can also work as a RADIUS server to exchange messages with other APs for user authentication and authorization.
Chapter 46 Authentication Server Table 182 Command Summary: Authentication Server (continued) COMMAND DESCRIPTION Sets the description for the profile. The command clears this [no] description description setting. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. Displays the ZyWALL / USG’s authentication server settings.
Chapter 47 Certificates This chapter explains how to use the Certificates. 47.1 Certificates Overview The ZyWALL / USG can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key.
Chapter 47 Certificates Table 183 Certificates Commands Input Values (continued) LABEL DESCRIPTION Identify the company or group to which the certificate owner belongs. You can use organization up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Page 305
Chapter 47 Certificates Table 184 ca Commands Summary (continued) COMMAND DESCRIPTION Turns certificate revocation on or off. When it is turned on, cdp {activate|deactivate} the ZyWALL / USG validates a certificate by getting a Certificate Revocation List (CRL) through HTTP or LDAP (can be configured after activating the LDAP checking option) and online responder (can be configured after activating the OCSP checking option).
Chapter 47 Certificates Table 184 ca Commands Summary (continued) COMMAND DESCRIPTION Displays a summary of the certificates in the specified show ca category {local|remote} [name category (local for my certificates or remote for trusted certificate_name format {text|pem}] certificates) or the details of a specified certificate. Displays the validation configuration for the specified show ca validation name name remote (trusted) certificate.
Chapter 48 ISP Accounts Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE, PPTP and cellular interfaces. 48.1 ISP Accounts Overview An ISP account is a profile of settings for Internet access using PPPoE, PPTP, or cellular. 48.1.1 PPPoE and PPTP Account Commands The following table lists the PPPoE and PPTP ISP account commands.
Chapter 48 ISP Accounts Table 185 PPPoE and PPTP ISP Account Commands (continued) COMMAND DESCRIPTION Sets the service name for the specified PPPoE ISP account. The [no] service-name {ip | hostname command clears the service name. | service_name} hostname: You may use up to 63 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
Chapter 49 SSL Application This chapter describes how to configure SSL application objects for use in SSL VPN. 49.1 SSL Application Overview Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group.
Page 310
Chapter 49 SSL Application Table 187 SSL Application Object Commands COMMAND DESCRIPTION Specifies the IP address, domain name or NetBIOS name (computer name) server-type file-sharing share- of the file server and the name of the share to which you want to allow user path share-path access.
Chapter 49 SSL Application 49.1.2 SSL Application Command Examples The following commands create and display a server-type SSL application object named ZW5 for a web server at IP address 192.168.1.12. Router(config)# sslvpn application ZW5 Router(sslvpn application)# server-type web-server url http://192.168.1.12 Router(sslvpn application)# exit Router(config)# show sslvpn application SSL Application: ZW5...
Chapter 50 DHCPv6 Objects This chapter describes how to configure and view DHCPv6 request and lease objects. 50.1 DHCPv6 Object Commands Summary The following table identifies the values required for many DHCPv6 object commands. Other input values are discussed with the corresponding commands. Table 188 DHCPv6 Object Command Input Values LABEL DESCRIPTION...
Chapter 50 DHCPv6 Objects Table 189 DHCPv6 Object Commands (continued) COMMAND DESCRIPTION Renames the specified DHCPv6 lease object to the specified dhcp6-lease-object rename dhcp6_profile name. dhcp6_profile Deletes the specified DHCPv6 lease object. no dhcp6-lease-object dhcp6_profile Creates or edits the specified SIP server, DNS server, NTP dhcp6-request-object dhcp6_profile { dns-server server, prefix-delegation, or SIP server DHCP request object.
Page 314
Chapter 50 DHCPv6 Objects This example creates and displays a DHCPv6 prefix delegation lease object named “pfx” for IPv6 address prefix 2005::/64 and DUID 00:01:02:03:04:05:06:07, then renames it to “pd”. Router(config)# dhcp6-lease-object pfx prefix-delegation 2005::/64 duid 00:01:02:03:04:05:06:07 Router(config)# show dhcp6 lease-object pfx DHCP6 Lease Object: pfx Object Type: prefix-delegation Object Value: 2005::/64...
Chapter 51 System This chapter provides information on the commands that correspond to what you can configure in the system screens. 51.1 System Overview Use these commands to configure general ZyWALL / USG information, the system time and the console port connection speed for a terminal emulation program. They also allow you to configure DNS settings and determine which services/protocols can access which ZyWALL / USG zones (if any) from which computers.
Page 316
Chapter 51 System Figure 26 Access Page Customization Logo Title Message (color of all text) Note Message (last line of text) Window Background You can specify colors in one of the following ways: • color-rgb: Enter red, green, and blue values in parenthesis and separate by commas. For example, use “rgb(0,0,0)”...
Chapter 51 System Table 190 Command Summary: Customization (continued) COMMAND DESCRIPTION Sets the color of the login page’s window border. login-page window-color {color-rgb | color-name | color-number} Sets the color of the logo banner across the top of the login screen and logo background-color {color-rgb | access page.
Chapter 51 System 51.4.1 Date/Time Commands The following table describes the commands available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 192 Command Summary: Date/Time COMMAND DESCRIPTION Sets the new date in year, month and day format...
Chapter 51 System 51.6 DNS Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. 51.6.1 Domain Zone Forwarder A domain zone forwarder contains a DNS server’s IP address.
Chapter 51 System 51.6.2 DNS Commands The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 194 Input Values for General DNS Commands LABEL DESCRIPTION The name of the IP address (group) object. You may use 1-31 alphanumeric characters, address_object underscores( ), or dashes (-), but the first character cannot be a number.
Page 321
Chapter 51 System Table 195 Command Summary: DNS (continued) COMMAND DESCRIPTION Sets a domain zone forwarder record that specifies a fully qualified [no] ip dns server zone-forwarder domain name. You can also use a star (*) if all domain zones are {<1..32>|append|insert <1..32>} served by the specified DNS server(s).
Chapter 51 System Table 195 Command Summary: DNS (continued) COMMAND DESCRIPTION Selects to use the default security option or profile ‘1’. The ip dns security-options { default | 1 }] default allows any address to use additional-from-cache and recursion. Names the DNS security options profile. name DNS_OPTIONS_NAME Sets the address object to be any or a previously created one.
Chapter 51 System 51.7.1 Authentication Server Commands The following table lists the authentication server commands you use to configure the ZyWALL / USG’s built-in authentication server settings. Table 196 Command Summary: Authentication Server COMMAND DESCRIPTION Sets the ZyWALL / USG to act as an authentication server for other [no] auth-server activate RADIUS clients, such as APs.
Chapter 51 System 51.7.2 Authentication Server Command Examples The following example shows you how to enable the authentication server feature on the ZyWALL / USG and sets a trusted RADIUS client profile. This example also shows you the authentication server and client profile settings. Router# configure terminal Router(config)# auth-server activate Router(config)# auth-server trusted-client AP-1...
Chapter 51 System 51.9 IPv6 Commands Use the ipv6 commands to enable or disable IPv6 support. You must use the configure terminal command to enter the configuration mode before you can use the commands that configure settings. Table 198 Command Summary: IPv6 COMMAND DESCRIPTION Enables or disables IPv6 support....
Chapter 51 System Table 199 Command Summary: ZON (continued) COMMAND DESCRIPTION Sets the interval (in seconds) at which the ZyWALL / USG sends a zon lldp server tx-interval <1..600> LLDP packet to the neighbor. Activates ZDP discovery on the ZyWALL / USG. zon zdp server Displays the ZyWALL / USG’s neighboring devices via LLDP....
Chapter 52 System Remote Management This chapter shows you how to determine which services/protocols can access which ZyWALL / USG zones (if any) from which computers. Note: To access the ZyWALL / USG from a specified computer using a service, make sure no service control rules or to-ZyWALL / USG firewall rules block that traffic.
Chapter 52 System Remote Management 52.2 Common System Command Input Values The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 200 Input Values for General System Commands LABEL DESCRIPTION The name of the IP address (group) object.
Page 329
Chapter 52 System Remote Management Table 201 Command Summary: HTTP/HTTPS (continued) COMMAND DESCRIPTION Specifies a certificate used by the HTTPS server. The [no] ip http secure-server cert certificate_name command resets the certificate used by the HTTPS server to the factory default ( default certificate_name: The name of the certificate.
Chapter 52 System Remote Management 52.3.1 HTTP/HTTPS Command Examples The following example adds a service control rule that allows an administrator from the computers with the IP addresses matching the Marketing address object to access the WAN zone using HTTP service. Router# configure terminal Router(config)# ip http server table admin rule append access-group Marketing zone WAN action accept...
Chapter 52 System Remote Management 52.4.3 SSH Commands The following table describes the commands available for SSH. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 202 Command Summary: SSH COMMAND DESCRIPTION Allows SSH access to the ZyWALL / USG CLI....
Chapter 52 System Remote Management 52.5 Telnet You can configure your ZyWALL / USG for remote Telnet access. 52.6 Telnet Commands The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 203 Command Summary: Telnet COMMAND...
Chapter 52 System Remote Management 52.7 Configuring FTP You can upload and download the ZyWALL / USG’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. 52.7.1 FTP Commands The following table describes the commands available for FTP. You must use the configure command to enter the configuration mode before you can use these commands.
Chapter 52 System Remote Management This command displays FTP settings. Router# configure terminal Router(config)# show ip ftp server status active : yes port : 21 certificate: default : no service control: Zone Address Action ======================================================================== 52.8 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices.
Chapter 52 System Remote Management Table 205 SNMP Traps (continued) OBJECT LABEL OBJECT ID DESCRIPTION vpnTunnelDisconnec 1.3.6.1.4.1.890.1. This trap is sent when an IPSec VPN tunnel is disconnected. 6.22.2.3 vpnTunnelName 1.3.6.1.4.1.890.1. This trap is sent along with the vpnTunnelDisconnected trap. This 6.22.2.2.1.1 trap carries the disconnected tunnel’s IPSec SA name.
Chapter 52 System Remote Management Table 206 Command Summary: SNMP (continued) COMMAND DESCRIPTION Sets the authentication, privacy and privilege for an SNMPv3 snmp-server v3user username description user. authentication {md5 | sha} privacy {none | des | aes} privilege {ro | rw} Sets the SNMP version for the ZyWALL / USG.
Chapter 52 System Remote Management 52.9 ICMP Filter The ip icmp-filter commands are obsolete. See Chapter 25 on page 163 to configure secure policy rules for ICMP traffic going to the ZyWALL / USG to discard or reject ICMP packets destined for the ZyWALL / USG.
Chapter 53 File Manager This chapter covers how to work with the ZyWALL / USG’s firmware, certificates, configuration files, custom IDP signatures, packet trace results, shell scripts and temporary files. 53.1 File Directories The ZyWALL / USG stores files in the following directories. Table 208 FTP File Transfer Notes FILE NAME DIRECTORY FILE TYPE...
Chapter 53 File Manager These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below. Figure 27 Configuration File / Shell Script: Example # enter configuration mode configure terminal # change administrator password username admin password 4321 user-type admin # configure ge3...
Chapter 53 File Manager Line 3 in the following example exits sub command mode. interface ge1 ip address dhcp Lines 1 and 3 in the following example are comments and line 4 exits sub command mode. interface ge1 # this interface is a DHCP client Lines 1 and 2 are comments.
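An added example, not part of the original guide and not ZyXEL tooling: a small Python linter that reads a file in the configuration file / shell script syntax described above and flags risky management-plane lines, using only command forms that appear in this guide (service control rules for `ip http server` and `ip telnet server`, `username ... password`, and `snmp-server v3user`). The sample input, the finding IDs, the function names, and the assumption that zones named WAN or ALL face untrusted networks are constructed for illustration.

```python
import re

# Constructed sample in the configuration file / shell script syntax the guide
# describes ('#' starts a comment). Not taken from a real device.
SAMPLE_CONF = """\
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
ip http server table admin rule append access-group Marketing zone WAN action accept
ip telnet server rule append access-group ALL zone ALL action accept
ip telnet server rule append access-group ALL zone WAN action deny
snmp-server v3user username monitor authentication md5 privacy des privilege rw
snmp-server v3user username nms authentication sha privacy aes privilege ro
"""

# Service control rule forms shown in the guide for HTTP and Telnet.
RULE_RE = re.compile(
    r"^ip\s+(?P<svc>http|telnet)\s+server\s+(?:table\s+\S+\s+)?rule\s+"
    r"(?:append|insert\s+\d+|\d+)\s+access-group\s+(?P<group>\S+)\s+"
    r"zone\s+(?P<zone>\S+)\s+action\s+(?P<action>accept|deny)$"
)
CRED_RE = re.compile(r"^username\s+(?P<user>\S+)\s+password\s+\S+")
SNMP_RE = re.compile(r"^snmp-server\s+v3user\b")

# Assumption: these zone names face untrusted networks on the audited device.
EXPOSED_ZONES = frozenset({"WAN", "ALL"})


def lint(conf_text, exposed_zones=EXPOSED_ZONES):
    """Return a list of (line_number, finding_id, message) tuples."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment

        rule = RULE_RE.match(line)
        if rule:
            if rule["action"] != "accept":
                continue  # deny rules reduce exposure, nothing to flag
            if rule["svc"] == "telnet":
                findings.append((lineno, "TELNET-ACCEPT",
                                 "Telnet management is accepted; Telnet is cleartext"))
            if rule["zone"].upper() in exposed_zones:
                findings.append((lineno, "MGMT-EXPOSED-ZONE",
                                 f"{rule['svc']} management accepted from zone {rule['zone']}"))
            if rule["group"].upper() == "ALL":
                findings.append((lineno, "MGMT-ANY-SOURCE",
                                 f"{rule['svc']} management accepted from any source address"))
            continue

        cred = CRED_RE.match(line)
        if cred:
            # Report the account only; never echo the password into the report.
            findings.append((lineno, "CRED-IN-FILE",
                             f"password for user {cred['user']} is stored in the file"))
            continue

        if SNMP_RE.match(line):
            if re.search(r"\bauthentication\s+md5\b", line):
                findings.append((lineno, "SNMP-WEAK-AUTH",
                                 "SNMPv3 user authenticates with MD5; prefer sha"))
            weak = re.search(r"\bprivacy\s+(none|des)\b", line)
            if weak:
                findings.append((lineno, "SNMP-WEAK-PRIV",
                                 f"SNMPv3 privacy is {weak.group(1)}; prefer aes"))
    return findings


if __name__ == "__main__":
    for lineno, finding_id, message in lint(SAMPLE_CONF):
        print(f"line {lineno}: [{finding_id}] {message}")
```

Run it against a copy of a configuration file downloaded from the device rather than on the device itself, and pass your own zone names as `exposed_zones` if they differ.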
Chapter 53 File Manager • When the ZyWALL / USG reboots, if the startup-config.conf file passes the error check, the ZyWALL / USG keeps a copy of the startup-config.conf file as the lastgood.conf configuration file for you as a back up file. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.
Chapter 53 File Manager 53.4 File Manager Commands Summary The following table lists the commands that you can use for file management. Table 211 File Manager Commands Summary COMMAND DESCRIPTION Has the ZyWALL / USG use a specific configuration file. You must still use apply /conf/file_name.conf [ignore- command to save your configuration changes to the flash write...
Chapter 53 File Manager Table 211 File Manager Commands Summary (continued) COMMAND DESCRIPTION Displays the settings of the configuration file that the system is using. show running-config Has the ZyWALL / USG ignore any errors in the startup-config.conf file setenv-startup stop-on-error off and apply all of the valid commands.
Terminate All Processes: OK kill_process_and_umountfs() returns -7 Restarting system. <snipped> Welcome to USG110 Username: admin Password: Router> configure terminal Router(config)# show version ZyXEL Communications Corp. image number model firmware version build date boot status =============================================================================== USG110 V4.11(AAPH.0)b3s1 2015-01-11 21:53:44 Standby USG110 V4.11(AAPH.0)
Chapter 53 File Manager 53.7.1 Command Line FTP File Upload Connect to the ZyWALL / USG. Enter “bin” to set the transfer mode to binary. You can upload the firmware after you log in through FTP. To upload other files, use “cd” to change to the corresponding directory.
Chapter 53 File Manager Enter “bin” to set the transfer mode to binary. Use “cd” to change to the directory that contains the files you want to download. Use “dir” or “ls” if you need to display a list of the files in the directory. Use “get”...
Chapter 53 File Manager The boot module performs a basic hardware test. You cannot restore the boot module if it is damaged. The boot module also checks and loads the recovery image. The ZyWALL / USG notifies you if the recovery image is damaged. The recovery image checks and loads the firmware.
Chapter 53 File Manager If the console session displays “Invalid Firmware”, or “Invalid Recovery Image”, or the console freezes at "Press any key to enter debug mode within 3 seconds" for more than one minute, go to Section 53.10 on page 349 to restore the recovery image.
Page 350
Chapter 53 File Manager Enter atuk to initialize the recovery process. If the screen displays “ERROR”, enter atur to initialize the recovery process. Note: You only need to use the atuk or atur command if the recovery image is damaged. Figure 35 atuk Command for Restoring the Recovery Image Enter Y and wait for the “Starting XMODEM upload”...
Chapter 53 File Manager Enter atgo. The ZyWALL / USG starts up. If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged and you need to use the procedure in Section 53.11 on page 351 to recover the firmware.
Page 352
Chapter 53 File Manager Wait for the file transfer to complete. Figure 41 FTP Firmware Transfer Complete After the transfer is complete, “Firmware received” or “ZLD-current received” displays. Wait (up to four minutes) while the ZyWALL / USG recovers the firmware. Figure 42 Firmware Received and Recovery Started The console session displays “done”...
Chapter 53 File Manager 10 The username prompt displays after the ZyWALL / USG starts up successfully. The firmware recovery process is now complete and the ZyWALL / USG is ready to use. Figure 44 Restart Complete 53.12 Restoring the Default System Database The default system database stores information such as the default anti-virus or IDP signatures.
Page 354
Chapter 53 File Manager a log. Here are some examples. Use this section to restore the ZyWALL / USG’s default system database. Figure 45 Default System Database Console Session Warning at Startup: Anti-virus Figure 46 Default System Database Console Session Warning When Reloading IDP Figure 47 Default System Database Missing Log: Anti-virus This procedure requires the ZyWALL / USG’s default system database file.
Chapter 53 File Manager for example, "1.01(XL.0)C0.db". Do the following after you have obtained the default system database file. 53.12.1 Using the atkz -u Debug Command Note: You only need to use the atkz -u command if the default system database is damaged.
Page 356
Chapter 53 File Manager Hit enter to log in anonymously. Set the transfer mode to binary (type bin). Transfer the firmware file from your computer to the ZyWALL / USG. Type put followed by the path and name of the firmware file. This example uses put e:\ftproot\ZLD FW \1.01(XL.0)C0.db. Figure 51 FTP Default System Database Transfer Command 10 Wait for the file transfer to complete.
Page 357
Chapter 53 File Manager 12 The username prompt displays after the ZyWALL / USG starts up successfully. The default system database recovery process is now complete and the ZyWALL / USG IDP and anti-virus features are ready to use again. Figure 54 Startup Complete ZyWALL / USG (ZLD) CLI Reference Guide...
Chapter 54 Logs This chapter provides information about the ZyWALL / USG’s logs. Note: When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User’s Guide for the maximum number of system log messages in the ZyWALL / USG.
Chapter 54 Logs 54.1.2.1 System Log Command Examples The following command displays the current status of the system log. Router# configure terminal Router(config)# show logging status system-log 512 events logged suppression active : yes suppression interval: 10 category settings content-filter : normal , forward-web-sites : no blocked-web-sites : normal , user : normal ,...
Page 362
Chapter 54 Logs This table lists the commands for the remote syslog server settings. For the purposes of this device’s CLI, Access Points are referred to as WTPs Table 217 logging Commands: Remote Syslog Server Settings COMMAND DESCRIPTION Displays the current settings for the remote servers. show logging status syslog Enables the specified remote server.
Chapter 54 Logs Table 219 logging Commands: E-mail Profile Settings (continued) COMMAND DESCRIPTION Specifies what kind of information is logged for the specified [no] logging mail <1..2> category module_name category. The command disables logging for the specified level {alert | all} category.
Chapter 55 Reports and Reboot This chapter provides information about the report associated commands and how to restart the ZyWALL / USG using commands. It also covers the daily report e-mail feature. 55.1 Report Commands Summary The following sections list the report, session, and packet size statistics commands. 55.1.1 Report Commands This table lists the commands for reports.
Chapter 55 Reports and Reboot 55.1.2 Report Command Examples The following commands start collecting data, display the traffic reports, and stop collecting data. Router# configure terminal Router(config)# show report ge1 ip No. IP Address User Amount Direction =================================================================== 192.168.1.4 admin 1273(bytes) Outgoing 192.168.1.4...
Chapter 55 Reports and Reboot Table 223 Packet Size Statistics Commands (continued) COMMAND DESCRIPTION Displays the specified interface’s packet size distribution statistics. You show report packet size statistics can also specify the packet size interval into which to group the {interface_name} [interval interval] statistics.
Chapter 55 Reports and Reboot Table 225 Email Daily Report Commands (continued) COMMAND DESCRIPTION See above. [no] mail-to-3 e_mail See above. [no] mail-to-4 e_mail See above. [no] mail-to-5 e_mail Determines whether or not anti-spam statistics are included in [no] item as-report the report e-mails.
Page 369
Chapter 55 Reports and Reboot • Has the ZyWALL / USG provide username 12345 and password 12345 to the SMTP server for authentication. • Sets the ZyWALL / USG to send the report at 1:57 PM. • Has the ZyWALL / USG not reset the counters after sending the report. •...
Chapter 55 Reports and Reboot This displays the email daily report settings and has the ZyWALL / USG send the report. Router(config)# show daily-report status email daily report status ========================= activate: yes scheduled time: 13:57 reset counter: no smtp address: example-SMTP-mail-server.com smtp port: 25 smtp auth: yes smtp username: 12345...
Chapter 56 Session Timeout Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands. Table 226 Session Timeout Commands COMMAND DESCRIPTION Sets the timeout for UDP sessions to connect or deliver session timeout {udp-connect <1..300>...
Chapter 57 Diagnostics This chapter covers how to use the diagnostics feature. 57.1 Diagnostics The diagnostics feature provides an easy way for you to generate a file containing the ZyWALL / USG’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
Chapter 58 Packet Flow Explore This chapter covers how to use the packet flow explore feature. 58.1 Packet Flow Explore Use this to get a clear picture on how the ZyWALL / USG determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you a summary of all your routing and SNAT settings and helps troubleshoot the related problems.
Chapter 58 Packet Flow Explore 58.3 Packet Flow Explore Commands Example The following example shows all routing related functions and their order. Router> show route order route order: Policy Route, Direct Route, 1-1 SNAT, SiteToSite VPN, Dynamic VPN, Static-Dynamic Route, Default WAN Trunk, Main Route The following example shows all SNAT related functions and their order.
Page 377
Chapter 58 Packet Flow Explore The following example shows all activated dynamic VPN rules. Router> show system route dynamic-vpn Source Destination VPN Tunnel =========================================================================== The following example shows all activated static-dynamic VPN rules. Router> show ip route static-dynamic Flags: A - Activated route, S - Static route, C - directly Connected O - OSPF derived, R - RIP derived, G - selected Gateway ! - reject, B - Black hole, L - Loop IP Address/Netmask...
Page 378
Chapter 58 Packet Flow Explore The following example shows the default WAN trunk settings. Router> show system snat default-snat Incoming Outgoing SNAT =========================================================================== Internal Interface External Interface Outgoing Interface IP Internal Interfaces: lan1, hidden, lan2, dmz External Interfaces: wan1, wan2, wan1_ppp, wan2_ppp Router>...
Chapter 59 Maintenance Tools Use the maintenance tool commands to check the conditions of other devices through the ZyWALL / USG. The maintenance tools can help you to troubleshoot network problems. Here are maintenance tool commands that you can use in privilege mode. Table 229 Maintenance Tools Commands in Privilege Mode COMMAND DESCRIPTION...
Page 380
Chapter 59 Maintenance Tools Table 229 Maintenance Tools Commands in Privilege Mode (continued) COMMAND DESCRIPTION Specifies text to add to the end of the file name (before the dot and file-suffix <profile_name> filename extension) to help you identify the packet capture files. Modifying the file suffix also avoids making new capture files that overwrite existing files of the same name.
Chapter 59 Maintenance Tools Table 229 Maintenance Tools Commands in Privilege Mode (continued) COMMAND DESCRIPTION Displays the path MTU for the target address. tracepath6 {ipv6 | hostname} Displays the ZyWALL / USG’s IPv6 neighbors. show ipv6 neighbor-list Displays current packet capture settings. show packet-capture config Here are maintenance tool commands that you can use in configuration mode.
Chapter 59 Maintenance Tools Router# traceroute www.zyxel.com traceroute to www.zyxel.com (203.160.232.7), 30 hops max, 38 byte packets 172.23.37.254 3.049 ms 1.947 ms 1.979 ms 172.23.6.253 2.983 ms 2.961 ms 2.980 ms 172.23.6.1 5.991 ms 5.968 ms 6.984 ms * * * Here are maintenance tool commands that you can use in configure mode.
Page 383
Chapter 59 Maintenance Tools • IP address: any • Host IP: any • Host port: any (then you do not need to configure this setting) • File suffix: Example • File size: 10 megabytes • Duration: 150 seconds • Save the captured packets to: USB storage device •...
Chapter 60 Watchdog Timer This chapter provides information about the ZyWALL / USG’s watchdog timers. 60.1 Hardware Watchdog Timer The hardware watchdog has the system restart if the hardware fails. The hardware-watchdog-timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.
Chapter 60 Watchdog Timer 60.3 Application Watchdog The application watchdog has the system restart a process that fails. These are the app-watchdog commands. Use the configure terminal command to enter the configuration mode to be able to use these commands. Table 234 app-watchdog Commands COMMAND DESCRIPTION...
Chapter 60 Watchdog Timer 60.3.1 Application Watchdog Commands Example The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring.
List of Commands (Alphabetical) List of Commands (Alphabetical) This section lists the commands and sub-commands in alphabetical order. Commands and subcommands appear at the same level. Ping {ipv4 | hostname} [source ipv4] [size <0..65507>] [forever| count <1..4096>] ..380 [isakmp_algo]] .................194 [isakmp_algo]] .................195 [no ]logging mail <1..2>...
Page 391
List of Commands (Alphabetical) [no] area IP authentication message-digest-key <1..255> md5 authkey ....131 [no] area IP virtual-link IP ............131 [no] area IP virtual-link IP authentication ..........131 [no] area IP virtual-link IP authentication authentication-key authkey ....131 [no] area IP virtual-link IP authentication message-digest ......131 [no] area IP virtual-link IP authentication message-digest-key <1..255>...
Page 399
List of Commands (Alphabetical) [no] server timeout time ...............296 [no] server-auth <1..2> ..............66 [no] server-auth <1..2> activate ............66 [no] service {service_name|any} ............122 [no] service {service_name|any} ............123 [no] service service_name ..............167 [no] service service-object {service_name | any} ........212 [no] service-name {ip | hostname | service_name} ........308 [no] service-object object_name ............286...
Page 400
List of Commands (Alphabetical) [no] url {URL TEXT} ..............139 [no] usb-storage activate ..............111 [no] user user_name ..............122 [no] user user_name ..............123 [no] user user_name ..............168 [no] user user_name ..............172 [no] user user_name ..............173 [no] user user_name ..............200 [no] user user_name ..............212 [no] user username ..............271...
Page 401
List of Commands (Alphabetical) 5g-multicast-speed {wlan_5g_basic_speed} ..........59 5g-support-speed {disable | wlan_5g_support_speed} ........60 aaa authentication [no] match-default-group ..........298 aaa authentication default member1 [member2] [member3] [member4] .......297 aaa authentication profile-name member1 [member2] [member3] [member4] ....298 aaa authentication rename profile-name-old profile-name-new ......297 aaa group server ad group-name ............293 aaa group server ad rename group-name group-name ........293...
Page 405
List of Commands (Alphabetical) debug server register ..............37 debug service-register ..............37 debug show content-filter server ............37 debug show ipset ................37 debug show myzyxel-server status ............37 debug show myzyxel-server status ............50 debug sslvpn ................37 debug system ipv6 ...............37 delete ..................35 delete {/conf | /idp | /packet_trace | /script | /tmp}/file_name .......343 description ................220...
Page 409
List of Commands (Alphabetical) ip telnet server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny} ........332 ip telnet server rule move rule_number to rule_number ........332 ip virtual-server {activate | deactivate} profile_name .........143 ip virtual-server delete profile_name ..........143 ip virtual-server flush ..............143 ip virtual-server profile_name interface interface_name original-ip {any | ip | address_object} map-to {address_object | ip} map-type any [nat-loopback [nat-1-1-map] [deactivate] | nat-...
Page 410
List of Commands (Alphabetical) load-balancing max sta <1..127> ............77 load-balancing mode {station | traffic} ..........77 load-balancing sigma <51..100> ............77 load-balancing timeout <1..255> ............77 load-balancing traffic level {high | low | medium} ........77 loadbalancing-index <inbound|outbound|total> ..........117 local-id type {ip ip | fqdn domain_name | mail e_mail | dn distinguished_name} ..188 local-id type {ip ip | fqdn domain_name | mail e_mail | dn distinguished_name} ..194...
Page 411
List of Commands (Alphabetical) nd ra max-rtr-interval <4..1800> ............87 nd ra min-rtr-interval ..............89 nd ra min-rtr-interval <3..1350> ............87 nd ra mtu ................88 nd ra mtu <1280..1500> | <0> ............87 nd ra other-config-flag ..............87 nd ra other-config-flag ..............88 nd ra prefix-advertisement dhcp6_profile dhcp6_suffix_64 ........88 nd ra prefix-advertisement DHCP6_PROFILE DHCP6_SUFFIX_64 ........89...
Page 412
List of Commands (Alphabetical) no ip http server table {admin|user} rule rule_number ........329 no ip http-redirect description ............146 no ip ospf authentication ...............98 no ip ospf message-digest-key ............98 no ip ssh server rule rule_number ............331 no ip telnet server rule rule_number ...........332 no ip virtual-server profile_name ............142...
Page 413
List of Commands (Alphabetical) peer-ip {ip IPv6] ..............195 peer-ip ip ................191 ping ..................36 ping6 ...................36 ping6{ipv6 | hostname} [source ipv6] [size <0..65527>] [forever| count <1..4096>] [interface {interface_name | virtual_interface_name}][extension filter_extension] ...380 ping-check {domain_name | ip | default-gateway} .........99 ping-check {domain_name | ip | default-gateway} fail-tolerance <1..10> ....99 ping-check {domain_name | ip | default-gateway} method {icmp | tcp} .....99...
Page 414
List of Commands (Alphabetical) router(config-sso-primary)# ............181 router(config-sso-secondary)# ............181 router(config-sso-secondary)# [no] port <1025..65535> ........181 Router(SIP Signaling Port)# [no] port <1025..65535> ........150 rssi-dbm <-20~-76> ..............57 rtls ekahau ip address <ip> ............184 rtls ekahau ip port <1..65535> ............184 ..................36 run /script/file_name.zysh .............343 rx-mask chain_mask ..............60 scan-detection block-period <1..3600>...
Page 416
List of Commands (Alphabetical) show anti-spam ip-reputation private-check ..........248 show anti-spam ip-reputation query-timeout time ........248 show anti-spam ip-reputation statistics ..........255 show anti-spam mail-scan query-timeout pop3 ..........249 show anti-spam mail-scan query-timeout smtp ..........248 show anti-spam mail-scan query-timeout time ..........249 show anti-spam mail-scan statistics ............255 show anti-spam mail-scan status ............249...
Page 417
List of Commands (Alphabetical) show ca category {local|remote} name certificate_name certpath ......305 show ca spaceusage ..............306 show ca validation name name ............306 show capwap ap {all | ap_mac} ............54 show capwap ap {all | ap_mac} config status ..........54 show capwap ap all statistics ............54 show capwap ap ap_mac slot_name detail ..........54...
Page 418
List of Commands (Alphabetical) show frame-capture status ...............73 show groupname [groupname] .............271 show hardware-watchdog-timer status ............385 show idp ................226 show idp {signature | anomaly} base profile ..........226 show idp anomaly base profile ............174 show idp anomaly profile flood-detection [all details] .........176 show idp anomaly profile flood-detection { tcp-flood | udp-flood | icmp-flood | icmp-flood } details ................177...
Page 419
List of Commands (Alphabetical) show interface summary all status ............86 show interface tunnel status ............110 show interface tunnel_iface ............110 show interface-group {system-default|user-define|group-name} ......116 show interface-name ..............89 show ip dhcp binding [ip] ...............94 show ip dhcp dhcp-options ...............92 show ip dhcp pool [profile_name] ............92 show ip dhcp pool profile_name dhcp-options ..........92...
Page 420
List of Commands (Alphabetical) show login-page default-title ............317 show login-page settings ...............317 show logo settings ..............317 show mac ................43 show mem status .................43 show ntp server ................318 show object-group {address | address6} [group_name] ........282 show object-group application <object> ..........277 show object-group service group_name ...........286 show ospf area IP virtual-link ............131...
Page 421
List of Commands (Alphabetical) show reference object-group username [username] .........42 show report [interface_name {ip | service | url}] ........365 show report packet size statistics {interface_name} [interval interval] ....367 show report packet size statistics status ..........366 show report status ..............365 show rip {global | interface {all | interface_name}} ........97 show rogue-ap containment config...
Page 422
List of Commands (Alphabetical) show socket listen ..............43 show socket open ................43 show software-watchdog-timer log ............385 show software-watchdog-timer status ............385 show ssl-inspection cert-list ............259 show ssl-inspection cert-update status ..........260 show ssl-inspection default-cert update ..........260 show ssl-inspection default-cert version ..........260 show ssl-inspection exclude-list [settings] ..........258 show ssl-inspection profile [SSI_profile_name] .........259...
Page 423
List of Commands (Alphabetical) show web-auth policy {<1..1024> | all} ..........180 show web-auth portal status ............180 show web-auth status ..............180 show wlan-macfilter-profile {all | macfilter_profile_name} ......67 show wlan-monitor-profile {all | monitor_profile_name} ........61 show wlan-radio-profile {all | radio_profile_name} ........57 show wlan-security-profile {all | security_profile_name} ........65 show wlan-ssid-profile {all | ssid_profile_name} ........63...
Page 424
List of Commands (Alphabetical) tcp-decoder {tcp-xxx} log [alert] ............175 telnet ..................36 test aaa ................36 test aaa {server|secure-server} {ad|ldap} host {hostname|ipv4-address} [host {hostname|ipv4-address}] port <1..65535> base-dn base-dn-string [bind-dn bind-dn-string password password] login-name-attribute attribute [alternative-login-name-attribute attribute] account account-name ...............298 tracepath6 {ipv6 | hostname} ............381 traceroute...