D-link DFL-2500, DFL-260, DFL-800, DFL-1600, DFL-860 User Manual

Security
CLI Reference Guide
DFL-210/ 800/1600/ 2500 DFL-260/ 860
Ver. 1.01
Network Security Solution http://www.dlink.com
CLI Reference Guide
DFL-210/260/800/860/1600/2500
NetDefendOS version 2.12
No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C.
D-Link Corporation
http://www.DLink.com
Published 2007-04-17
Copyright © 2007
Copyright Notice
This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any of the material contained herein, may be reproduced without written consent of the author.
Disclaimer
The information in this document is subject to change without notice. The manufacturer makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such revision or changes.
Limitations of Liability
UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RESTORATION, WORK STOPPAGE, LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM THE APPLICATION OR IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT, EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT.

Table of Contents

Preface ............................................................................................................... ix
1. Introduction ...................................................................................................... 1
1.1. Running a command ................................................................................ 1
1.2. Help ..................................................................................................... 2
1.2.1. Help for commands ....................................................................... 2
1.2.2. Help for object types ..................................................................... 2
1.3. Function keys ......................................................................................... 3
1.4. Command line history .............................................................................. 4
1.5. Tab completion ....................................................................................... 5
1.5.1. Inline help ................................................................................... 5
1.5.2. Autocompleting current value and default value .................................. 5
1.5.3. Configuration object type categories ................................................. 6
1.6. User roles .............................................................................................. 7
2. Command Reference .......................................................................................... 9
2.1. Configuration ......................................................................................... 9
2.1.1. activate ....................................................................................... 9
2.1.2. add ............................................................................................. 9
2.1.3. cancel ........................................................................................10
2.1.4. cc .............................................................................................11
2.1.5. cd .............................................................................................12
2.1.6. commit ......................................................................................12
2.1.7. copy ..........................................................................................12
2.1.8. delete ........................................................................................13
2.1.9. enter ..........................................................................................13
2.1.10. pskgen .....................................................................................13
2.1.11. reject .......................................................................................14
2.1.12. set ...........................................................................................15
2.1.13. show ........................................................................................16
2.1.14. undelete ...................................................................................18
2.2. Runtime ...............................................................................................20
2.2.1. about .........................................................................................20
2.2.2. arp ............................................................................................20
2.2.3. arpsnoop ....................................................................................21
2.2.4. ats .............................................................................................22
2.2.5. bigpond .....................................................................................22
2.2.6. blacklist .....................................................................................22
2.2.7. buffers .......................................................................................24
2.2.8. cam ...........................................................................................24
2.2.9. certcache ....................................................................................25
2.2.10. cfglog ......................................................................................25
2.2.11. connections ...............................................................................25
2.2.12. cpuid .......................................................................................26
2.2.13. crashdump ................................................................................27
2.2.14. customlog .................................................................................27
2.2.15. dhcp ........................................................................................27
2.2.16. dhcprelay ..................................................................................28
2.2.17. dhcpserver ................................................................................29
2.2.18. dns ..........................................................................................29
2.2.19. dynroute ...................................................................................30
2.2.20. frags ........................................................................................30
2.2.21. ha ............................................................................................31
2.2.22. httpposter .................................................................................32
2.2.23. hwaccel ....................................................................................32
2.2.24. ifstat ........................................................................................32
2.2.25. ikesnoop ...................................................................................33
2.2.26. ippool ......................................................................................33
2.2.27. ipsecglobalstats ..........................................................................34
2.2.28. ipseckeepalive ...........................................................................34
2.2.29. ipsecstats ..................................................................................35
2.2.30. killsa .......................................................................................35
2.2.31. license .....................................................................................36
2.2.32. linkmon ....................................................................................36
2.2.33. lockdown ..................................................................................37
2.2.34. logout ......................................................................................37
2.2.35. memory ....................................................................................38
2.2.36. ospf .........................................................................................38
2.2.37. pipes ........................................................................................40
2.2.38. reconfigure ...............................................................................40
2.2.39. routemon ..................................................................................40
2.2.40. routes .......................................................................................41
2.2.41. rules ........................................................................................42
2.2.42. sessionmanager ..........................................................................42
2.2.43. shutdown ..................................................................................43
2.2.44. sshserver ..................................................................................44
2.2.45. stats .........................................................................................45
2.2.46. time .........................................................................................45
2.2.47. updatecenter ..............................................................................46
2.2.48. urlcache ...................................................................................46
2.2.49. userauth ...................................................................................47
2.2.50. vlan .........................................................................................48
2.2.51. vpnstats ....................................................................................48
2.2.52. zonedefense ..............................................................................48
2.3. Utility ..................................................................................................50
2.3.1. ping ..........................................................................................50
2.4. Misc ....................................................................................................51
2.4.1. help ...........................................................................................51
2.4.2. history .......................................................................................51
3. Configuration Reference ....................................................................................53
3.1. Access .................................................................................................54
3.2. Address ................................................................................................56
3.2.1. AddressFolder .............................................................................56
3.2.2. EthernetAddress ..........................................................................58
3.2.3. EthernetAddressGroup ..................................................................58
3.2.4. IP4Address .................................................................................58
3.2.5. IP4Group ...................................................................................58
3.2.6. IP4HAAddress ............................................................................58
3.3. AdvancedScheduleProfile ........................................................................59
3.3.1. AdvancedScheduleOccurrence .......................................................59
3.4. ALG ....................................................................................................60
3.4.1. ALG_FTP ..................................................................................60
3.4.2. ALG_H323 ................................................................................61
3.4.3. ALG_HTTP ...............................................................................61
3.4.4. ALG_SMTP ...............................................................................62
3.5. ARP ....................................................................................................64
3.6. BlacklistWhiteHost .................................................................................65
3.7. Certificate .............................................................................................66
3.8. Client ...................................................................................................67
3.8.1. DynDnsClientCjbNet ...................................................................67
3.8.2. DynDnsClientDLink ....................................................................67
3.8.3. DynDnsClientDyndnsOrg ..............................................................67
3.8.4. DynDnsClientDynsCx ..................................................................68
3.8.5. DynDnsClientPeanutHull ..............................................................68
3.8.6. LoginClientBigPond .....................................................................69
3.8.7. LoginClientTelia .........................................................................69
3.9. DateTime ..............................................................................................70
3.10. Device ................................................................................................71
3.11. DHCPRelay .........................................................................................72
3.12. DHCPServer ........................................................................................73
3.12.1. DHCPServerPoolStaticHost .........................................................73
3.12.2. DHCPServerCustomOption .........................................................74
3.13. DNS ...................................................................................................75
3.14. Driver ................................................................................................76
3.14.1. IXP4NPEEthernetDriver .............................................................76
3.14.2. MarvellEthernetPCIDriver ...........................................................76
3.14.3. R8139EthernetPCIDriver .............................................................76
3.15. DynamicRoutingRule ............................................................................78
3.15.1. DynamicRoutingRuleExportOSPF ................................................79
3.15.2. DynamicRoutingRuleAddRoute ....................................................79
3.16. EthernetDevice ....................................................................................81
3.17. HighAvailability ...................................................................................82
3.18. HTTPPoster .........................................................................................83
3.19. IDList ................................................................................................84
3.19.1. ID ...........................................................................................84
3.20. IDPRule ..............................................................................................85
3.20.1. IDPRuleAction ..........................................................................85
3.21. IKEAlgorithms ....................................................................................87
3.22. Interface .............................................................................................88
3.22.1. DefaultInterface .........................................................................88
3.22.2. Ethernet ...................................................................................88
3.22.3. InterfaceGroup ..........................................................................89
3.22.4. IPSecTunnel .............................................................................89
3.22.5. L2TPClient ...............................................................................91
3.22.6. L2TPServer ..............................................................................93
3.22.7. PPPoETunnel ............................................................................94
3.22.8. VLAN .....................................................................................95
3.23. IPRule ................................................................................................97
3.24. IPRuleFolder .......................................................................................99
3.24.1. IPRule .....................................................................................99
3.25. IPSecAlgorithms ................................................................................ 100
3.26. LDAPServer ...................................................................................... 101
3.27. LocalUserDatabase ............................................................................. 102
3.27.1. User ...................................................................................... 102
3.28. LogReceiver ...................................................................................... 103
3.28.1. LogReceiverMemory ................................................................ 103
3.28.2. LogReceiverSMTP ................................................................... 103
3.28.3. LogReceiverSyslog .................................................................. 104
3.29. OSPFProcess ..................................................................................... 105
3.29.1. OSPFArea ..............................................................................106
3.30. Pipe .................................................................................................109
3.31. PipeRule ........................................................................................... 112
3.32. PSK .................................................................................................113
3.33. RadiusServer .....................................................................................114
3.34. RemoteManagement ........................................................................... 115
3.34.1. RemoteMgmtHTTP ..................................................................115
3.34.2. RemoteMgmtSNMP ................................................................. 115
3.34.3. RemoteMgmtSSH .................................................................... 115
3.35. RoutingRule ...................................................................................... 118
3.36. RoutingTable .....................................................................................119
3.36.1. Route ..................................................................................... 119
3.36.2. SwitchRoute ........................................................................... 120
3.37. ScheduleProfile ..................................................................................121
3.38. Service ............................................................................................. 122
3.38.1. ServiceGroup .......................................................................... 122
3.38.2. ServiceICMP ...........................................................................122
3.38.3. ServiceIPProto ........................................................................ 123
3.38.4. ServiceTCPUDP ...................................................................... 123
3.39. Settings ............................................................................................125
3.39.1. ARPTableSettings .................................................................... 125
3.39.2. ConnTimeoutSettings ............................................................... 125
3.39.3. DHCPRelaySettings ................................................................. 126
3.39.4. DHCPServerSettings ................................................................ 127
3.39.5. FragSettings ............................................................................ 127
3.39.6. ICMPSettings .......................................................................... 128
3.39.7. IPSecTunnelSettings ................................................................. 128
3.39.8. IPSettings ............................................................................... 129
3.39.9. L2TPServerSettings .................................................................. 130
3.39.10. LengthLimSettings ................................................................. 131
3.39.11. LocalMgmtSettings ................................................................. 131
3.39.12. LocalReassSettings ................................................................. 132
3.39.13. LogSettings ........................................................................... 132
3.39.14. RemoteMgmtSettings .............................................................. 133
3.39.15. RoutingSettings ...................................................................... 133
3.39.16. SSLSettings ........................................................................... 134
3.39.17. StateSettings .......................................................................... 135
3.39.18. TCPSettings .......................................................................... 136
3.39.19. VLANSettings ....................................................................... 137
3.40. SSHClientKey ................................................................................... 138
3.41. ThresholdRule ................................................................................... 139
3.41.1. ThresholdAction ...................................................................... 139
3.42. UpdateCenter ..................................................................................... 141
3.43. UserAuthRule ....................................................................................142
3.44. ZoneDefenseBlock .............................................................................144
3.45. ZoneDefenseExcludeList ..................................................................... 145
3.46. ZoneDefenseSwitch ............................................................................ 146
Index ...............................................................................................................148
List of Examples
1. Command option notation .................................................................................. ix
1.1. Help for commands ......................................................................................... 2
1.2. Help for object types ........................................................................................ 2
1.3. Command line history ...................................................................................... 4
1.4. Tab completion ............................................................................................... 5
1.5. Inline help ..................................................................................................... 5
1.6. Edit an existing property value ........................................................................... 6
1.7. Using categories with tab completion .................................................................. 6
2.1. Create a new object ........................................................................................10
2.2. Change context ..............................................................................................11
2.3. Delete an object .............................................................................................13
2.4. Reject changes ...............................................................................................14
2.5. Set property values .........................................................................................16
2.6. Show objects .................................................................................................17
2.7. Undelete an object ..........................................................................................18
2.8. Block hosts ...................................................................................................23
2.9. frags ............................................................................................................31
2.10. Show a range of rules ....................................................................................42
Preface

Audience
The target audience for this reference guide is:
• Administrators that are responsible for configuring and managing the D-Link Firewall.
• Administrators that are responsible for troubleshooting the D-Link Firewall.
This guide assumes that the reader is familiar with the D-Link Firewall, and has the necessary basic knowledge in network security.
Notation
The following notation is used throughout this reference guide when specifying the options of a command:
Angle brackets <name> or -option=<description>: Used for specifying the name of an option or a description of a value.
Square brackets [option] or -option[=value]: Used for specifying that an option or a value for an option is optional and can be omitted.
Curly brackets {value1 | value2 | value3}: Used for specifying the available values for an option.
Ellipsis ...: Used for specifying that more than one value can be specified for the option.
Example 1. Command option notation
One of the usages for the help command looks like this:
help -category={COMMANDS | TYPES} [<Topic>]
This means that help has an option called category with two possible values, COMMANDS and TYPES. There is also an optional option called Topic, which in this case is a search string used to specify which help topic to display. Since the topic is optional, it is possible to exclude it when running the command. Both of the following examples are valid for the usage described above:
gw-world:/> help -category=COMMANDS
gw-world:/> help -category=COMMANDS activate
The usage for the routes command is:
routes [-all] [-switched] [-flushl3cache[=<percent>]] [-num=<n>] [-nonhost] [-tables] [-lookup=<ip address>] [-verbose] [-setmtu=<mtu>] [-cacheinfo] [<table name>]...
None of the options of this command are mandatory. The flushl3cache option also has an optional value. This is because that option has a default value, 100, which will be used if no value is specified.
The following two examples will yield the same result:
gw-world:/> routes -flushl3cache=100
gw-world:/> routes -flushl3cache
Because the table name option is followed by ellipses it is possible to specify more than one routing table. Since table name is optional as well, the user can specify zero or more policy-based routing tables.
gw-world:/> routes Virroute Virroute2
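To make the notation concrete, the following Python program is an added example (it is not part of this guide and not NetDefendOS code). It parses the two usage lines quoted above into an option table and then checks typed command lines against that table, reporting the kind of syntax error that would otherwise produce the brief syntax help mentioned in Section 1.1. The names HELP_USAGE, ROUTES_USAGE, ROUTES_DEFAULTS, parse_usage and parse_command_line are the example's own. The parser is a simplified model of the notation: it handles angle brackets, square brackets, curly-brace alternatives and a trailing ellipsis. The default of 100 for flushl3cache is passed in separately because the notation itself does not express defaults, and the other usages of help (such as plain "help activate") are not modelled.

```python
# Parser for the guide's command-option notation; added example, not NetDefendOS code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Usage lines quoted from the Preface of the guide.
HELP_USAGE = "help -category={COMMANDS | TYPES} [<Topic>]"
ROUTES_USAGE = ("routes [-all] [-switched] [-flushl3cache[=<percent>]] [-num=<n>] "
                "[-nonhost] [-tables] [-lookup=<ip address>] [-verbose] "
                "[-setmtu=<mtu>] [-cacheinfo] [<table name>]...")
# The notation does not express defaults; the guide states this one in prose.
ROUTES_DEFAULTS = {"flushl3cache": "100"}

@dataclass
class OptionSpec:
    name: str
    required: bool          # False when the whole option is wrapped in [...]
    takes_value: bool       # True for -option=<value> and -option[=<value>]
    value_required: bool    # False for -option[=<value>]
    choices: Tuple[str, ...] = ()   # from {value1 | value2 | ...}

@dataclass
class UsageSpec:
    command: str
    options: Dict[str, OptionSpec] = field(default_factory=dict)
    positional: Optional[str] = None      # e.g. "Topic" or "table name"
    positional_required: bool = False
    positional_repeat: bool = False       # trailing "..."

def _tokenize(usage: str) -> List[str]:
    # Split on whitespace, except inside <...>, [...] and {...}.
    tokens, cur, depth = [], [], 0
    for ch in usage:
        if ch in "<[{":
            depth += 1
        elif ch in ">]}":
            depth -= 1
        if ch.isspace() and depth == 0:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens

def parse_usage(usage: str) -> UsageSpec:
    """Turn a usage line written in the guide's notation into a UsageSpec."""
    tokens = _tokenize(usage)
    spec = UsageSpec(command=tokens[0])
    for tok in tokens[1:]:
        repeat = tok.endswith("...")            # ellipsis: one or more values
        if repeat:
            tok = tok[:-3]
        optional = tok.startswith("[") and tok.endswith("]")   # square brackets
        if optional:
            tok = tok[1:-1]
        if not tok.startswith("-"):             # a positional such as <Topic>
            spec.positional = tok.strip("<>")
            spec.positional_required = not optional
            spec.positional_repeat = repeat
            continue
        name, eq, value = tok[1:].partition("=")
        value_optional = bool(eq) and name.endswith("[") and value.endswith("]")
        if value_optional:                      # -option[=<value>]
            name, value = name[:-1], value[:-1]
        choices = ()
        if value.startswith("{") and value.endswith("}"):   # curly brackets
            choices = tuple(v.strip() for v in value[1:-1].split("|"))
        spec.options[name] = OptionSpec(name, not optional, bool(eq),
                                        bool(eq) and not value_optional, choices)
    return spec

def parse_command_line(spec: UsageSpec, line: str,
                       defaults: Optional[Dict[str, str]] = None) -> dict:
    """Check a typed line against spec; raise ValueError with the reason if it
    does not fit. `defaults` supplies values for -option[=<value>] options
    that are given without a value."""
    defaults = defaults or {}
    words = line.split()
    if not words or words[0] != spec.command:
        raise ValueError(f"expected the {spec.command} command")
    options: Dict[str, object] = {}
    positional: List[str] = []
    for word in words[1:]:
        if not word.startswith("-"):
            if spec.positional is None or (positional and not spec.positional_repeat):
                raise ValueError(f"unexpected argument {word!r}")
            positional.append(word)
            continue
        name, eq, value = word[1:].partition("=")
        opt = spec.options.get(name)
        if opt is None:
            raise ValueError(f"unknown option -{name}")
        if not opt.takes_value:
            if eq:
                raise ValueError(f"-{name} takes no value")
            options[name] = True
            continue
        if not eq:
            if opt.value_required or name not in defaults:
                raise ValueError(f"-{name} requires a value")
            value = defaults[name]
        if opt.choices and value not in opt.choices:
            raise ValueError(f"-{name} must be one of {' | '.join(opt.choices)}")
        options[name] = value
    for opt in spec.options.values():
        if opt.required and opt.name not in options:
            raise ValueError(f"missing required option -{opt.name}")
    if spec.positional_required and not positional:
        raise ValueError(f"missing <{spec.positional}>")
    return {"options": options, "positional": positional}
```

parse_command_line raises ValueError with the reason whenever a line does not fit the usage, so the same check the CLI performs before printing its brief syntax help can be run over a batch of prepared commands before they are typed into a device. The two routes invocations from the example above parse to the same result once the 100 default is supplied.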
Chapter 1. Introduction

• Running a command, page 1
• Help, page 2
• Function keys, page 3
• Command line history, page 4
• Tab completion, page 5
• User roles, page 7
This guide is a reference for all commands and configuration object types that are available in the command line interface for NetDefendOS.

1.1. Running a command

The commands described in this guide can be run by typing the command name and then pressing the return key. Many commands require options to be set to run. If a required option is missing a brief syntax help will be displayed.

1.2. Help

1.2.1. Help for commands

There are two ways of getting help about a command. A brief help is displayed if the command name is typed followed by -? or -h. This applies to all commands and is therefore not listed in the option list for each command in this guide. Using the help command gives a more detailed help corresponding to the information found in this guide. In most cases it is possible to simply type help followed by the command name to get the full help. See Section 2.4.1, “help” for a more detailed description. To list the available commands, just type help and press return.
Example 1.1. Help for commands
Brief help for the activate command:
gw-world:/> activate -?
gw-world:/> activate -h
Full help for activate:
gw-world:/> help activate
Help for the arp command. Arp is also the name of a configuration object type, so it is necessary to specify that the help text for the command should be displayed:
gw-world:/> help -category=COMMANDS arp
List all available commands:
gw-world:/> help

1.2.2. Help for object types

To get help about configuration object types, use the help command. It is also possible to get information about each property in an object type, such as data type, default value, etc. by entering the ? character when entering the value of a property and pressing tab. More on this in Section 1.5.1, “Inline help”.
Example 1.2. Help for object types
Full help for IP4Address:
gw-world:/> help IP4Address
Help for the ARP configuration object type, which collides with the arp command:
gw-world:/> help -category=TYPES ARP

1.3. Function keys

In addition to the return key there are a number of function keys that are used in the CLI.
Backspace: Delete the character to the left of the cursor.
Tab: Complete current word.
Ctrl-A or Home: Move the cursor to the beginning of the line.
Ctrl-B or Left Arrow: Move the cursor one character to the left.
Ctrl-C: Clear line or cancel page view if more than one page of information is shown.
Ctrl-D or Delete: Delete the character to the right of the cursor.
Ctrl-E or End: Move the cursor to the end of the line.
Ctrl-F or Right Arrow: Move the cursor one character to the right.
Ctrl-K: Delete from the cursor to the end of the line.
Ctrl-N or Down Arrow: Show the next entry in the command history.
Ctrl-P or Up Arrow: Show the previous entry in the command history.
Ctrl-T: Transpose the current and the previous character.
Ctrl-U: Delete from the cursor to the beginning of the line.
Ctrl-W: Delete word backwards.

1.4. Command line history

Every time a command is run, the command line is added to a history list. The up and down arrow keys are used to access previous command lines (up arrow for older command lines and down arrow to move back to a newer command line). See also Section 2.4.2, “history”.
Example 1.3. Command line history
Using the command line history via the arrow keys:
gw-world:/> show Address
gw-world:/> (up arrow)
gw-world:/> show Address (the previous command line is displayed)

1.5. Tab completion

By using the tab function key in the CLI the names of commands, options, objects and object properties can be automatically completed. If the text entered before pressing tab only matches one possible item, e.g. "activate" is the only match for "acti" if a command is expected, the name will be autocompleted. Should there be more than one match the part common to all matches will be completed. At this point the user can either enter more characters or press tab again, which will display a list of the possible completions. This can also be done without entering any characters, but the resulting list might be long if there are many possible completions, e.g. all commands.
Example 1.4. Tab completion
An example of tab completion when using the add command:
gw-world:/> add Add (tab)
gw-world:/> add Address                                        ("ress" was autocompleted)
gw-world:/> add Address i (tab)
gw-world:/> add Address IP4                                    ("IP4" was autocompleted)
gw-world:/> add Address IP4 (tab, or double tab if IP4 were entered manually)
            A list of all types starting with IP4 is listed.
gw-world:/> add Address IP4a (tab)
gw-world:/> add Address IP4Address                             ("Address" was autocompleted)
gw-world:/> add Address IP4Address example_ip a (tab)
gw-world:/> add Address IP4Address example_ip Address=         ("Address=" was autocompleted)
gw-world:/> add Address IP4Address example_ip Address=1.2.3.4
Tab completion of references:
gw-world:/> set Address IP4Group examplegroup Members= (tab, tab)
            A list of valid objects is displayed.
gw-world:/> set Address IP4Group examplegroup Members=e (tab)
gw-world:/> set Address IP4Group examplegroup Members=example_ip    ("xample_ip" was autocompleted)

1.5.1. Inline help

It is possible to get help about the available properties of a configuration object while a command line is being typed, using the ? character. Type ? instead of a property name and press tab, and a help text listing the available properties is shown. Type ? instead of a property value and press tab, and a help text for that property is shown, containing more information such as its data type and default value.
Example 1.5. Inline help
Get inline help for all properties of an IP4Address:
gw-world:/> set IP4Address example_ip ? (tab) A help text describing all available properties is displayed.
Getting inline help for the Address property:
gw-world:/> set IP4Address example_ip Address=? (tab) A more detailed help text about Address is displayed.

1.5.2. Autocompleting current value and default value

Another special character that can be used together with tab completion is <. If < is entered instead of a property value and tab is pressed, it will be replaced by the current value of that property. This is useful when editing an existing list of items or a long text value. If no value has been set yet for the property in question, the default value, if one exists, will be used. Some values, such as binary data, cannot be autocompleted in this way.
Example 1.6. Edit an existing property value
Edit the current value:
gw-world:/> add IP4Address example_ip Address=1.2.3.4
gw-world:/> set IP4Address example_ip Address=< (tab)
gw-world:/> set IP4Address example_ip Address=1.2.3.4          (the value was inserted)
The value can now be edited by using the arrow keys or backspace.
gw-world:/> set IP4Group examplegroup Members=ip1,ip2,ip3,ip5
gw-world:/> set IP4Group examplegroup Members=< (tab)
gw-world:/> set IP4Group examplegroup Members=ip1,ip2,ip3,ip5   (the value was inserted)
It is now possible to add or remove a member of the list without having to enter all the other members again.
Edit the default value:
gw-world:/> add LogReceiverSyslog example Address=example_ip LogSeverity=< (tab)
gw-world:/> add LogReceiverSyslog example Address=example_ip LogSeverity=Emergency,Alert,Critical,Error,Warning,Notice,Info    (the default value was inserted)
Now it is easy to remove a log severity.

1.5.3. Configuration object type categories

Some object types are grouped together in a category in the CLI. This only matters when using tab completion as they are used to limit the number of possible completions when tab completing object types. The category can always be omitted when running commands if the type name is entered manually.
Example 1.7. Using categories with tab completion
Accessing an IP4Address object with the use of categories:
gw-world:/> show ad (tab)
gw-world:/> show Address                  (the category is autocompleted)
gw-world:/> show Address ip4a (tab)
gw-world:/> show Address IP4Address       (the type is autocompleted)
gw-world:/> show Address IP4Address example_ip
Accessing an IP4Address object without the use of categories:
gw-world:/> show IP4Address example_ip

1.6. User roles

Some commands and options cannot be used unless the logged-in user has administrator privilege. This is indicated in this guide by a note following the command, or by "Admin only" written next to an option.

Chapter 2. Command Reference

• Configuration, page 9
• Runtime, page 20
• Utility, page 50
• Misc, page 51

2.1. Configuration

2.1.1. activate

Activate changes.
Description
Activate the latest changes. This issues a reconfiguration using the new configuration. If the reconfiguration is successful, a commit command must be issued within the configured timeout interval in order to save the changes to media. If it is not, the system reverts to the previous version of the configuration. This two-step sequence is the safeguard against a change that cuts off management access: if the new configuration locks the administrator out, the commit never arrives and the old configuration comes back automatically.
Usage
activate

2.1.2. add

Create a new object.
Description
Create a new object and add it to the configuration. Specify the type of object to create and the identifier, if the type has one, unless the object is identified by an index. Set the properties of the object by writing the property name, an equals sign (=) and then the value. An optional category can be specified for some object types when using tab completion.
If a mandatory property is not specified, a list of errors is shown after the object is created. If an invalid property or value type is specified, or if the identifier is missing, the command fails and no object is created.
Note
Requires Administrator privilege.
Adjustments can be made after the object is created by using the set command.
Example 2.1. Create a new object
Add objects with an identifier property (not index):
gw-world:/> add Address IP4Address example_ip Address=1.2.3.4 Comments="This is an example"
gw-world:/> add IP4Address example_ip2 Address=2.3.4.5
Add an object with an index:
gw-world:/main> add Route Interface=lan
Add an object without identifier:
gw-world:/> add DynDnsClientDyndnsOrg DNSName=example Username=example
Usage
add [<Category>] <Type> [<Identifier>] [<key-value pair>]...
Options
<Category>          Category that groups object types.
<Identifier>        The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<key-value pair>    One or more property-value pairs, i.e. <property name>=<value> or <property name>="<value>".
<Type>              Type of configuration object to perform operation on.

2.1.3. cancel

Cancel ongoing commit.
Description
Cancel commit operation immediately, without waiting for the timeout.
Usage
cancel
Note
Requires Administrator privilege.

2.1.4. cc

Change the current context.
Description
Change the current configuration context. A context is a group of objects that are dependent on and grouped by a parent object. Many objects lie in the "root" context and do not have a specific parent. Other objects, e.g. User objects, lie in a sub-context (or child context) of the root, in this case a LocalUserDatabase. In order to add or modify users you have to be in the correct context, e.g. a LocalUserDatabase called "exampledb". Only objects in the current context can be accessed.
Example 2.2. Change context
Change to a sub/child context:
gw-world:/> cc LocalUserDatabase exampledb
gw-world:/exampledb>
Go back to the parent context:
gw-world:/ospf1/area1> cc ..
gw-world:/ospf1> cc ..
gw-world:/>
Go back to the root context:
gw-world:/ospf1/area1> cc
gw-world:/>
or
gw-world:/ospf1/area1> cc /
gw-world:/>
Usage
cc [<Category>] <Type> <Identifier>
Change the current context.
cc -print
Print the current context.
cc
Change to root context (same as "cc /").
Options
-print          Print the current context.
<Category>      Category that groups object types.
<Identifier>    The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<Type>          Type of configuration object to perform operation on.

2.1.5. cd

Alias for cc.

2.1.6. commit

Save new configuration to media.
Description
Save the new configuration to media. This command can only be issued after a successful activate command.
Usage
commit

2.1.7. copy

Copy object.
Description
Make a copy of a configuration object. The created copy will have identical values for all properties, except for the identifier, which is modified to be unique for the new object.
Some objects can't be copied. It is not possible to copy an object that has child objects. Also it is not possible to copy for example "DNS" and "DateTime", as there can only be a single instance of these object types.
Usage
copy [<Category>] <Type> [<Identifier>] [<Parent>]
Options
<Category>      Category that groups object types.
<Identifier>    The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<Parent>        Parent of new object.
<Type>          Type of configuration object to perform operation on.
Note
Requires Administrator privilege.

2.1.8. delete

Delete specified objects.
Description
Delete the specified object, removing it from the configuration. Add the -force flag to delete the object even if it is referenced by other objects, or if it is a context that has child objects that are not deleted. This may cause objects referring to the specified object, or to one of its children, to get errors that must be corrected before the configuration can be activated.
See also: undelete
Example 2.3. Delete an object
Delete an unreferenced object:
gw-world:/> delete Address IP4Address example_ip
Delete a referenced object (will cause an error in examplerule):
gw-world:/> set IPRule examplerule SourceNetwork=examplenet
gw-world:/> delete Address IP4Address examplenet -force
Usage
delete [<Category>] <Type> [<Identifier>] [-force]
Options
-force          Force object to be deleted even if it is used by other objects or has children.
<Category>      Category that groups object types.
<Identifier>    The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<Type>          Type of configuration object to perform operation on.
Note
Requires Administrator privilege.

2.1.9. enter

Alias for cc.

2.1.10. pskgen

Generate random pre-shared key.
Description
Generate a pre-shared key of the specified size, containing randomized key data. If a key with the specified name exists, the existing key is modified. Otherwise a new key object is created.
The default size is 64 bits. That is short for an IPsec pre-shared key: 64 bits of random key material is well below the 128-bit security level generally expected today, so specify -size=256 or larger for production tunnels.
Usage
pskgen <Name> [-comments=<String>] [-size={64 | 128 | 256 | 512 | 1024 | 2048 | 4096}]
Options
-comments=<String>                                   Comments for this key.
-size={64 | 128 | 256 | 512 | 1024 | 2048 | 4096}    Number of bits of data in the generated key. (Default: 64)
<Name>                                               Name of key.
Note
Requires Administrator privilege.

2.1.11. reject

Reject changes.
Description
Reject the changes made to the specified object by reverting to the values of the last committed configuration.
All changes made to the object will be lost. If the object was added after the last commit, it will be removed.
To reject the changes in more than one object, use either the -recursive flag to reject the changes in a context and all its children recursively, or the -all flag to reject the changes in all objects in the configuration.
See also: activate, commit
Example 2.4. Reject changes
Reject changes in individual objects:
gw-world:/> set Address IP4Address example_ip Comments="This comment will be rejected"
gw-world:/> reject Address IP4Address example_ip
gw-world:/> add Address IP4Address example_ip2 Address=1.2.3.4 Comments="This whole object will be removed"
gw-world:/> reject Address IP4Address example_ip2
Reject changes recursively: (will reject changes in the user database and all users)
gw-world:/exampledb> set User user1 Comments="Something"
gw-world:/exampledb> set User user2 Comments="that will be"
gw-world:/exampledb> set User user3 Comments="rejected"
gw-world:/exampledb> cc ..
gw-world:/> reject LocalUserDatabase exampledb -recursive
Reject all changes:
gw-world:/anycontext> reject -all
All changes since the last commit will be rejected: (example_ip will be removed since it is newly added)
gw-world:/> add IP4Address example_ip Address=1.2.3.4
gw-world:/> delete IP4Address example_ip
gw-world:/> reject IP4Address example_ip
Usage
reject [<Category>] <Type> [<Identifier>] [-recursive]
Reject changes made to the specified object.
reject -all
Reject all changes in the configuration.
Options
-all            Reject all changes in the configuration.
-recursive      Recursively reject changes.
<Category>      Category that groups object types.
<Identifier>    The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<Type>          Type of configuration object to perform operation on.
Note
Requires Administrator privilege.

2.1.12. set

Set property values.
Description
Set property values of configuration objects. Specify the type of object to modify and the identifier, if the type has one. Set the properties of the object by writing the property name, an equals sign (=) and then the value. An optional category can be specified for some object types when using tab completion.
If a mandatory property hasn't been specified or if a property has an error a list of errors will be shown after the specified properties have been set. If an invalid property or value type is specified the command will fail and not modify the object.
See also: add
Example 2.5. Set property values
Set properties for objects that have an identifier property:
gw-world:/> set Address IP4Address example_ip Address=1.2.3.4 Comments="This is an example"
gw-world:/> set IP4Address example_ip2 Address=2.3.4.5 Comments=comment_without_whitespace
gw-world:/main> set Route 1 Comment="A route"
gw-world:/> set IPRule 12 Index=1
Set properties for an object without identifier:
gw-world:/> set DynDnsClientDyndnsOrg Username=example
Usage
set [<Category>] <Type> [<Identifier>] [-disable] [-enable] [<key-value pair>]...
Options
-disable            Disable object. This option is not available if the object is already disabled.
-enable             Enable object. This option is not available if the object is already enabled.
<Category>          Category that groups object types.
<Identifier>        The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<key-value pair>    One or more property-value pairs, i.e. <property name>=<value> or <property name>="<value>".
<Type>              Type of configuration object to perform operation on.
Note
Requires Administrator privilege.

2.1.13. show

Show objects.
Description
Show the properties of a specified object. There are a number of flags that can be specified to show otherwise hidden properties. To show a list of the object types and categories available in the current context, just type show. Show a table of all objects of a type by specifying a type or a category. Use the -errors or -changes flags to show which objects have been changed or have errors in the configuration.
When showing a table of all objects of a certain type, the status of each object since the last time the configuration was committed is indicated by a flag. The flags used are:
-    The object is deleted.
o    The object is disabled.
!    The object has errors.
+    The object is newly created.
*    The object is modified.
Unchanged objects are not indicated by a flag. When listing categories and object types, categories are indicated by [] and types whose objects may be contexts by /.
Example 2.6. Show objects
Show the properties of an individual object:
gw-world:/> show Address IP4Address example_ip
gw-world:/main> show Route 1
gw-world:/> show Client DynDnsClientDyndnsOrg
Show a table of all objects of a type and a selection of their properties as well as their status:
gw-world:/> show Address IP4Address
gw-world:/> show IP4Address
Show a table of all objects for each type in a category:
gw-world:/> show Address
Show objects with changes and errors:
gw-world:/> show -changes
gw-world:/> show -errors
Show what objects use (refer to) a certain object:
gw-world:/> show Address IP4Address example_ip -references
Usage
show
Show the types and categories available in the current context.
show [<Category>] [<Type> [<Identifier>]] [-disabled] [-references]
Show an object or list a type or category.
show -errors [-verbose]
Show all errors.
show -changes
Show all changes.
Options
-changes        Show all changes in the current configuration.
-disabled       Show disabled properties.
-errors         Show all errors in the current configuration.
-references     Show all references to this object from other objects.
-verbose        Show error details.
<Category>      Category that groups object types.
<Identifier>    The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<Type>          Type of configuration object to perform operation on.

2.1.14. undelete

Restore previously deleted objects.
Description
Restore a previously deleted object. This is possible as long as the activate command has not been called.
See also: delete
Example 2.7. Undelete an object
Undelete an unreferenced object:
gw-world:/> delete Address IP4Address example_ip
gw-world:/> undelete Address IP4Address example_ip
Undelete a referenced object (will remove the error in examplerule):
gw-world:/> set IPRule examplerule SourceNetwork=examplenet
gw-world:/> delete Address IP4Address examplenet -force
gw-world:/> undelete Address IP4Address examplenet
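The activate/commit timeout (2.1.1, 2.1.6), the forced delete and undelete shown above (2.1.8, 2.1.14), reject -all (2.1.11) and the status flags of show -changes (2.1.13) together describe one staged-configuration workflow. The Python model below is an added example, not NetDefendOS or D-Link code: it talks to no device and replays those semantics in memory so the ordering rules can be checked (undelete only before activate, activate refused while errors remain, an activation without commit rolled back when the timer expires). The timeout value and the rule that a property value equal to another object's identifier counts as a reference are assumptions made for the example.

```python
"""Added example (not NetDefendOS code, talks to no device) modelling the staged
configuration workflow of this reference: add/set/delete/undelete, reject -all,
activate/commit with the commit timeout, and the show -changes status flags.
Assumed: the timeout value, and that a property value equal to another object's
identifier counts as a reference to it."""
from copy import deepcopy

COMMIT_TIMEOUT = 30  # seconds until an uncommitted activation reverts (assumed)


class StagedConfig:
    def __init__(self):
        self.committed = {}       # last configuration saved to media
        self.running = {}         # configuration the gateway enforces now
        self.working = {}         # copy the administrator is editing
        self.deleted = set()      # keys marked deleted, not yet activated
        self.activated_at = None  # clock value of a pending, uncommitted activate
        self.clock = 0

    def add(self, type_, ident, **props):
        if (type_, ident) in self.working:
            raise ValueError(f"{type_} {ident} already exists")
        self.working[(type_, ident)] = dict(props)

    def set(self, type_, ident, **props):
        self.working[(type_, ident)].update(props)

    def delete(self, type_, ident, force=False):
        refs = [k for k, p in self.working.items() if k[1] != ident and ident in p.values()]
        if refs and not force:
            raise ValueError(f"{type_} {ident} is referenced by {refs}; use -force")
        self.deleted.add((type_, ident))  # listed with flag '-' until activate

    def undelete(self, type_, ident):
        if (type_, ident) not in self.deleted:  # gone for good once activated
            raise KeyError(f"{type_} {ident} is not pending deletion")
        self.deleted.discard((type_, ident))

    def reject_all(self):
        """reject -all: drop every uncommitted edit, including pending deletions."""
        self.working, self.deleted = deepcopy(self.committed), set()

    def errors(self):
        """Objects that still refer to an object marked for deletion."""
        gone = {ident for _, ident in self.deleted}
        return sorted(k for k, p in self.working.items()
                      if k not in self.deleted and gone & set(p.values()))

    def show_changes(self):
        """Status flag per changed object, in the notation of show -changes."""
        bad, flags = set(self.errors()), {}
        for key, props in self.working.items():
            if key in self.deleted:
                flags[key] = "-"
            elif key in bad:
                flags[key] = "!"
            elif key not in self.committed:
                flags[key] = "+"
            elif props != self.committed[key]:
                flags[key] = "*"
        return flags

    def activate(self):
        """Put the working copy into effect; returns False if it has errors."""
        if self.errors():
            return False
        self.running = {k: deepcopy(p) for k, p in self.working.items() if k not in self.deleted}
        self.deleted.clear()            # undelete is no longer possible
        self.working = deepcopy(self.running)
        self.activated_at = self.clock  # the commit timer starts here
        return True

    def commit(self):
        if self.activated_at is None:
            raise RuntimeError("commit requires a successful activate first")
        self.committed, self.activated_at = deepcopy(self.running), None

    def tick(self, seconds):
        """Advance the clock; an uncommitted activation reverts on timeout."""
        self.clock += seconds
        if self.activated_at is not None and self.clock - self.activated_at >= COMMIT_TIMEOUT:
            self.running, self.working = deepcopy(self.committed), deepcopy(self.committed)
            self.activated_at = None
            return "reverted"
        return "ok"


def demo():
    """Forced delete and undelete as in Example 2.7, then a forgotten commit."""
    cfg = StagedConfig()
    cfg.add("IP4Address", "examplenet", Address="10.0.0.0/24")
    cfg.add("IPRule", "examplerule", SourceNetwork="examplenet", Action="Allow")
    cfg.activate()
    cfg.commit()
    cfg.delete("IP4Address", "examplenet", force=True)  # examplerule now has an error
    after_delete = cfg.show_changes()
    activate_ok = cfg.activate()                        # refused while errors remain
    cfg.undelete("IP4Address", "examplenet")            # allowed: nothing activated yet
    after_undelete = cfg.show_changes()
    cfg.set("IPRule", "examplerule", Action="Drop")
    cfg.activate()                                      # ... and nobody commits
    outcome = cfg.tick(COMMIT_TIMEOUT)
    return after_delete, activate_ok, after_undelete, outcome, cfg.running[("IPRule", "examplerule")]["Action"]
```

Running demo() walks the forced delete through show -changes (the deleted address flagged -, the rule that still names it flagged !), shows activate being refused until the undelete clears the error, and then lets the commit timer expire on an activated but uncommitted change, after which the running configuration is the committed one again. The cancel command of 2.1.3 corresponds to forcing that revert immediately instead of waiting for the timer.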
Usage
undelete [<Category>] <Type> [<Identifier>]
Options
<Category>      Category that groups object types.
<Identifier>    The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
<Type>          Type of configuration object to perform operation on.
Note
Requires Administrator privilege.

2.2. Runtime

2.2.1. about

Show copyright/build information.
Description
Show copyright and build information.
Usage
about [-verbose]
Options
-verbose    Verbose.

2.2.2. arp

Show ARP entries for given interface.
Description
List the ARP cache entries of the specified interfaces. If no interface is given, the ARP cache entries of all interfaces are presented. The presented list can be filtered using the -ip and -hw options.
Usage
arp
Show all ARP entries.
arp -show [<Interface>] [-ip=<pattern>] [-hw=<pattern>] [-num=<n>]
Show ARP entries.
arp -hashinfo [<Interface>]
Show information on hash table health.
arp -flush [<Interface>]
Flush ARP cache of all specified interfaces.
arp -notify=<ip> [<Interface>] [-hwsender=<Ethernet address>]
Send gratuitous ARP for IP.
Options
-flush                          Flush ARP cache of all specified interfaces.
-hashinfo                       Show information on hash table health.
-hw=<pattern>                   Show only hardware addresses matching pattern.
-hwsender=<Ethernet address>    Sender Ethernet address.
-ip=<pattern>                   Show only IP addresses matching pattern.
-notify=<ip>                    Send gratuitous ARP for <ip>.
-num=<n>                        Show only the first <n> entries per interface. (Default: 20)
-show                           Show ARP entries for given interface(s).
<Interface>                     Interface name.

2.2.3. arpsnoop

Toggle snooping and displaying of ARP requests.
Description
Toggle snooping and displaying of ARP queries and responses on-screen. The snooped messages are displayed before the access section validates the sender IP addresses in the ARP data.
Usage
arpsnoop
Show snooped interfaces.
arpsnoop -all [-verbose]
Snoop all interfaces.
arpsnoop <interface> [-verbose]
Snoop specified interface.
arpsnoop -disable
Disable all snooping.
Options
-all           Snoop all interfaces.
-disable       Disable all snooping.
-verbose       Verbose.
<interface>    Interface name.

2.2.4. ats

Show active ARP Transaction States.
Description
Show active ARP Transaction States.
Usage
ats [-num=<n>]
Options
-num=<n>    Limit list to <n> entries. (Default: 20)

2.2.5. bigpond

Show BigPond information.
Description
Show the BigPond information about the specified interface.
Usage
bigpond [<interface>]
Options
<interface>    Interface to show BigPond information for.

2.2.6. blacklist

Blacklist.
Description
Block and unblock hosts on the black and white list. Note: static blacklist hosts cannot be unblocked. If -force is not specified, only the exact host with the service, protocol/port and destination specified is unblocked.
Example 2.8. Block hosts
blacklist -show -black -listtime -info
blacklist -block 100.100.100.0/24 -serv=FTP -dest=50.50.50.1 -time=6000
Usage
blacklist -show [-creationtime] [-dynamic] [-listtime] [-info] [-black] [-white] [-all]
Show information about the blacklisted hosts.
blacklist -block <host> [-serv=<service>] [-prot={TCP | UDP | ICMP | OTHER | TCPUDP | ALL}] [-port=<port number>] [-dest=<ip address>] [-time=<seconds>]
Block specified netobject.
blacklist -unblock <host> [-serv=<service>] [-prot={TCP | UDP | ICMP | OTHER | TCPUDP | ALL}] [-port=<port number>] [-dest=<ip address>] [-time=<seconds>] [-force]
Unblock specified netobject.
Options
-all                   Show all the information.
-black                 Show blacklist hosts only.
-block                 Block specified netobject. (Admin only)
-creationtime          Show creation time.
-dest=<ip address>     Destination address to block/unblock (ExceptEstablished flag is set on).
-dynamic               Show dynamic hosts only.
-force                 Unblock all services for the host that matches the options.
-info                  Show detailed information.
-listtime              Show time in list (for dynamic hosts).
-port=<port number>    Number of the port to block/unblock.
-prot={TCP | UDP | ICMP | OTHER | TCPUDP | ALL}    Protocol to block/unblock.
-serv=<service>        Service to block/unblock.
-show                  Show information about the blacklisted hosts.
-time=<seconds>        The time that the host will remain blocked.
-unblock               Unblock specified netobject. (Admin only)
-white                 Show whitelist hosts only.
<host>                 IP address range.

2.2.7. buffers

List packet buffers or the contents of a buffer.
Description
Lists the 20 most recently freed packet buffers, or in-depth information about a specific buffer.
Usage
buffers
List the 20 most recently freed buffers.
buffers -recent
Decode the most recently freed buffer.
buffers <Num>
Decode buffer number <Num>.
Options
-recent    Decode most recently freed buffer.
<Num>      Decode given buffer number.

2.2.8. cam

CAM table information.
Description
Show information about the CAM table(s) and their entries.
Usage
cam [-num=<n>] [<Interface>] [-flush]
Options
-flush         Flush CAM table. If an interface is specified, only entries using this interface are flushed. (Admin only)
-num=<n>       Limit list to <n> entries per CAM table. (Default: 20)
<Interface>    Interface.

2.2.9. certcache

Show the contents of the certificate cache.
Description
Show all certificates in the certificate cache.
Usage
certcache

2.2.10. cfglog

Display configuration log.
Description
Display the log of the last configuration read attempt.
Usage
cfglog

2.2.11. connections

List current state-tracked connections.
Description
List current state-tracked connections. The same filters that narrow the listing select the connections that -close terminates, so the sessions of a suspect host can be inspected with connections -show -srcip=<ip addr> and then dropped with connections -close -srcip=<ip addr>.
Usage
connections -show [-num=<n>] [-verbose] [-srciface=<interface>] [-destiface=<interface>] [-protocol=<name/num>] [-srcport=<port>] [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]
List connections.
connections
Same as "connections -show".
connections -hashinfo
Show information on hash table health.
connections -close [-all] [-srciface=<interface>] [-destiface=<interface>] [-protocol=<name/num>] [-srcport=<port>] [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]
Close connections.
Options
-all                      Mark all connections.
-close                    Close all connections that match the filter expression. (Admin only)
-destiface=<interface>    Filter on destination interface.
-destip=<ip addr>         Filter on destination IP address.
-destport=<port>          Show only given destination TCP/UDP port.
-hashinfo                 Show information on hash table health.
-num=<n>                  Limit list to <n> connections. (Default: 20)
-protocol=<name/num>      Show only given IP protocol.
-show                     Show connections.
-srciface=<interface>     Filter on source interface.
-srcip=<ip addr>          Filter on source IP address.
-srcport=<port>           Show only given source TCP/UDP port.
-verbose                  Verbose (more information).

2.2.12. cpuid

Display info about the cpu.
Description
Display the make and model of the machine's CPU.
Usage
cpuid

2.2.13. crashdump

Show the contents of the crash.dmp file.
Description
Show the contents of the crash.dmp file, if it exists.
Usage
crashdump

2.2.14. customlog

Show custom configured log messages.
Description
Show list of custom configured log messages.
Usage
customlog [-num=<num>]
Options
-num=<num>    Maximum number of items to list. (Default: 10)

2.2.15. dhcp

Display information about a DHCP-enabled interface.
Description
Display information about a DHCP-enabled interface.
Usage
dhcp <interface> [-lease={RENEW | RELEASE}]
Options
-lease={RENEW | RELEASE}    Modify interface's lease.
<interface>                 DHCP interface.

2.2.16. dhcprelay

Show DHCP/BOOTP relayer ruleset.
Description
Display the content of the DHCP/BOOTP relayer ruleset and the currently routed DHCP relays. The display filter filters relays based on interface/ip (example: if1 192.168.*).
Usage
dhcprelay -show [-rules] [-routes] [<display filter>]...
Show DHCP/BOOTP relayer ruleset.
dhcprelay -release <ip address> [-interface=<Interface>]
Terminate relayed session.
Options
-interface=<Interface>    Interface.
-release                  Terminate relayed session <[interface:]ip>. (Admin only)
-routes                   Show the currently relayed DHCP sessions.
-rules                    Show the DHCP/BOOTP relayer ruleset.
-show                     Show ruleset.
<display filter>          Display filter, filters relays based on interface/ip.
<ip address>              IP address.

2.2.17. dhcpserver

Show content of the DHCP server ruleset.
Description
Show the content of the DHCP server ruleset and various information about active/inactive leases. Display filter filters leases based on interface/mac/ip (example: if1 192.168.*)
Usage
dhcpserver -show [-rules] [-leases] [-mappings] [<display filter>]...
Show DHCP server ruleset.
dhcpserver -release={STATIC | BLACKLIST}
Release static or blacklisted IP.
dhcpserver -releaseip <interface> <ip address>
Release an active IP.
Options
-leases                          Show DHCP server leases.
-mappings                        Show DHCP server IP->MAC mappings.
-release={STATIC | BLACKLIST}    Release static or blacklisted IP. (Admin only)
-releaseip                       Release an active IP. (Admin only)
-rules                           Show DHCP server rules.
-show                            Show ruleset.
<display filter>                 Display filter for leases based on interface/mac/ip (e.g. if1 192.168.*).
<interface>                      Interface.
<ip address>                     IP address.

2.2.18. dns

DNS client and queries.
Description
Show status of the DNS client and manage pending DNS queries.
Usage
dns [-query=<domain name>] [-list] [-remove]
Options
-list                   List pending DNS queries.
-query=<domain name>    Resolve domain name.
-remove                 Remove all pending DNS queries.

2.2.19. dynroute

Show dynamic routing policy.
Description
Show the dynamic routing policy filter ruleset and current exports. In the "Flags" field of the dynrouting exports, the following letters are used:
o    Route describes the optimal path to the network
u    Route is unexported
Usage
dynroute [-rules] [-exports]
Options
-exports    Show current exports.
-rules      Show dynamic routing filter ruleset.

2.2.20. frags

Show active fragment reassemblies.
Description
List active fragment reassemblies.
More detailed information can optionally be obtained for specific reassemblies:
NEW        Newest reassembly
ALL        All reassemblies
0..1023    Assembly 'N'
Example 2.9. frags
frags NEW
frags 254
Usage
frags [{NEW | ALL | <reassembly id>}] [-free] [-done] [-num=<n>]
Options
-done                            List done (lingering) reassemblies.
-free                            List free instead of active.
-num=<n>                         List <n> entries. (Default: 20)
{NEW | ALL | <reassembly id>}    Show in-depth info about reassembly <n>. (Default: all)

2.2.21. ha

Show current HA status.
Description
Show current HA status.
Usage
ha [-activate] [-deactivate]
Options
-activate      Go active.
-deactivate    Go inactive.

2.2.22. httpposter

Display HTTPPoster_URLx status.
Description
Display configuration and status of configured HTTPPoster_URLx targets.
Usage
httpposter [-repost] [-display]
Options
-display    Display status.
-repost     Re-post all URLs now. (Admin only)

2.2.23. hwaccel

List configured Hardware Accelerators.
Description
Display information about configured Hardware Accelerators.
Usage
hwaccel

2.2.24. ifstat

Show interface statistics.
Description
Show list of attached interfaces, or in-depth information about a specific interface.
Usage
ifstat [<Interface>] [-filter=<expr>] [-pbr=<table name>] [-num=<n>] [-restart] [-allindepth]
Options
-allindepth          Show in-depth information about all interfaces.
-filter=<expr>       Filter list of interfaces.
-num=<n>             Limit list to <n> lines. (Default: 20)
-pbr=<table name>    Only list members of given PBR table(s).
-restart             Stop and restart the interface. (Admin only)
<Interface>          Name of interface.

2.2.25. ikesnoop

Enable or disable IKE-snooping.
Description
Turn IKE on-screen snooping on/off. Useful for troubleshooting IPsec connections.
Usage
ikesnoop
Show IKE snooping status.
ikesnoop -on [<ip address>] [-verbose]
Enable IKE snooping.
ikesnoop -off
Disable IKE snooping.
Options
-off            Turn IKE snooping off.
-on             Turn IKE snooping on.
-verbose        Enable IKE snooping with verbose output.
<ip address>    IP address to snoop.

2.2.26. ippool

Show IP pool information.
Description
Show information about the current state of the configured IP pools.
Usage
ippool -release [<ip address>] [-all]
Forcibly free IP assigned to subsystem.
ippool -show [-verbose]
Show IP pool information.
Options
-all            Free all IP addresses.
-release        Forcibly free IP assigned to subsystem. (Admin only)
-show           Show IP pool information.
-verbose        Verbose output.
<ip address>    IP address to free.

2.2.27. ipsecglobalstats

Show global ipsec statistics.
Description
List global IPsec statistics.
Usage
ipsecglobalstats [-verbose]
Options
-verbose
Show all statistics.

2.2.28. ipseckeepalive

Show status of the IPsec ping keepalives.
Description
Show status of the IPsec ping keepalives.
Usage
ipseckeepalive [-num=<n>]
Options
-num=<n>
Maximum number of entries to display (default: 48).

2.2.29. ipsecstats

Show the SAs in use.
Description
List the currently active IKE and IPsec SAs, optionally only showing SAs matching the pattern giv­en for the argument "tunnel".
Usage
ipsecstats [-ike] [-ipsec] [-u] [-verbose] [-num={ALL | <Integer>}] [<tunnel>]...
Options
-ike                      Show IKE SAs.
-ipsec                    Show IPsec SAs.
-num={ALL | <Integer>}    Maximum number of entries to show (default: 40/8).
-u                        Show detailed SA statistics information.
-verbose                  Show verbose information.
<tunnel>                  Only show SAs matching pattern.

2.2.30. killsa

Kill all SAs belonging to the given remote SG/peer.
Description
Kill all (IPsec and IKE) SAs associated with a given remote IKE peer IP or, optionally, all SAs in the system. IKE delete messages are sent.
Usage
killsa <ip address>
Delete SAs belonging to provided remote SG/peer.
killsa -all
Delete all SAs.
Options
-all
Kill all SAs.
<ip address>
IP address of remote SG/peer.

2.2.31. license

Show contents of the license file.
Description
Show contents of the license file.
Usage
license
Note
Requires Administrator privilege.

2.2.32. linkmon

Display link monitoring stats.
Description
When enabled linkmon will monitor host reachability to detect link/NIC problems. It will ping a list of hosts and take action (currently only reconfigure) if too many are unreachable.
Display statistics by not providing any options.
Usage
linkmon [-on] [-off]
Options
-off
Temporarily disable linkmon. (Admin only)
-on
Reenable linkmon. (Admin only)

2.2.33. lockdown

Enable / disable lockdown.
Description
During local lockdown, only traffic from admin nets to the security gateway itself is allowed. Everything else is dropped.
Lockdown will not affect traffic that does not actually pass through the ruleset, e.g. traffic allowed by IPsecBeforeRules, NetconBeforeRules, SNMPBeforeRules, if such settings are enabled.
Note: If local lockdown has been set by the core itself due to licensing / configuration problems, this command will NOT remove such a lock.
Usage
lockdown
Show lockdown status.
lockdown {ON | OFF}
Enable / disable lockdown.
Options
{ON | OFF}
Enable / disable lockdown.
Note
Requires Administrator privilege.

2.2.34. logout

Logout user.
Description
Logout current user.
Usage
logout

2.2.35. memory

Show memory information.
Description
Show core memory consumption. Also show detailed memory use of some components and lists.
Usage
memory

2.2.36. ospf

Show runtime OSPF information.
Description
Show runtime information about the OSPF router process(es). Note: -process is only required if there are >1 OSPF router processes.
Usage
ospf
Show runtime information.
ospf -iface [<interface>] [-process=<OSPF router process>]
Show interface information.
ospf -area [<OSPF area>] [-process=<OSPF router process>]
Show area information.
ospf -neighbor [<OSPF neighbor>] [-process=<OSPF router process>]
Show neighbor information.
ospf -route [{HA | ALT}] [-process=<OSPF router process>]
Show the internal OSPF process routingtable.
ospf -database [-verbose] [-process=<OSPF router process>]
Show the LSA database.
ospf -lsa <lsaID> [-process=<OSPF router process>]
Show details for a specified LSA.
ospf -snoop={ON | OFF} [-process=<OSPF router process>]
Show troubleshooting messages on the console.
ospf -ifacedown <interface> [-process=<OSPF router process>]
Take specified interface offline.
ospf -ifaceup <interface> [-process=<OSPF router process>]
Take specified interface online.
ospf -execute={STOP | START | RESTART} [-process=<OSPF router process>]
Start/stop/restart OSPF process.
Options
-area
Show area information.
-database
Show the LSA database.
-execute={STOP | START | RESTART}
Start/stop/restart OSPF process. (Admin only)
-iface
Show interface information.
-ifacedown
Take specified interface offline. (Admin only)
-ifaceup
Take specified interface online. (Admin only)
-lsa
Show details for a specified LSA <lsaID>.
-neighbor
Show neighbor information.
-process=<OSPF router process>
Required if there are >1 OSPF router processes.
-route
Show the internal OSPF process routingtable.
-snoop={ON | OFF}
Show troubleshooting messages on the console.
-verbose
Increase amount of information to display.
<interface>
OSPF enabled interface.
<lsaID>
LSA ID.
<OSPF area>
OSPF Area.
<OSPF neighbor>
Neighbor.
{HA | ALT}
Show HA routingtable.

2.2.37. pipes

Show pipes information.
Description
Show list of configured pipes / pipe details / pipe users. Note: The "pipes" command is not executed right away; it is queued until the end of the second, when pipe values are calculated.
Usage
pipes [-users] [<Pipe>]
Options
-users
List users of a given pipe.
<Pipe>
Show pipe details.

2.2.38. reconfigure

Initiates a configuration re-read.
Description
Restart the Security Gateway using the currently active configuration.
Usage
reconfigure
Note
Requires Administrator privilege.

2.2.39. routemon

List the currently monitored interfaces and gateways.
Description
List the currently monitored interfaces and/or gateways.
Usage
routemon

2.2.40. routes

Display routing lists.
Description
Display information about the routing table(s):
- Contents of a (named) routing table.
- The list of routing tables, along with a total count of route entries in each table, as well as how many of the entries are single-host routes.
Note that "core" routes for interface IP addresses are not normally shown. Use the -all switch to show core routes also.
Use the -switched switch to show only switched routes.
Explanation of Flags field of the routing tables:
O
Learned via OSPF
X
Route is Disabled
M
Route is Monitored
A
Published via Proxy ARP
D
Dynamic (from e.g. DHCP relay, IPsec, L2TP/PPP servers, etc.)
H
HA synced from cluster peer
Usage
routes [-all] [<table name>] [-switched] [-flushl3cache] [-num=<n>] [-nonhost] [-tables] [-lookup=<ip address>] [-verbose]
Options
-all
Also show routes for interface addresses.
-flushl3cache
Flush Layer 3 Cache.
-lookup=<ip address>
Lookup the route for the given IP address.
-nonhost
Do not show single-host routes.
-num=<n>
Limit display to <n> entries. (Default: 20)
-switched
Only show switched routes and L3C entries.
-tables
Display list of named (PBR) routing tables.
-verbose
Verbose.
<table name>
Name of routing table.

2.2.41. rules

Show rules lists.
Description
Show the contents of the various rulesets, i.e. main ruleset, pipe ruleset, etc.
Example 2.10. Show a range of rules
rules -verbose 1-5 7-9
Usage
rules [-ruleset={MAIN | PBR | PIPE | INTRUSION | THRESHOLD}] [-verbose] [-schedule] [<rules>]...
Options
-ruleset={MAIN | PBR | PIPE | INTRUSION | THRESHOLD}
Ruleset to display. (Default: main)
-schedule
Filter out rules that are not currently allowed by selected schedules.
-verbose
Verbose: show all parameters of the rules.
<rules>
Range of rules to display. (Default: all rules)

2.2.42. sessionmanager

Session Manager.
Description
Show information about the Session Manager, and list currently active users.
Explanation of Timeout flags for sessions:
D
Session is disabled
S
Session uses a timeout in its subsystem
-
Session does not use timeout
Usage
sessionmanager
Show Session Manager status.
sessionmanager -status
Show Session Manager status.
sessionmanager -list [-num=<n>]
List active sessions.
sessionmanager -info <session name> <database>
Show in-depth information about session.
sessionmanager -message <session name> <database> <message text>
Send message to session with console.
sessionmanager -disconnect <session name> <database>
Forcibly terminate session.
Options
-disconnect
Forcibly terminate session. (Admin only)
-info
Show in-depth information about session.
-list
List active sessions.
-message
Send message to session.
-num=<n>
List <n> number of sessions.
-status
Show Session Manager status.
<database>
Name of user database.
<message text>
Message to send.
<session name>
Name of session.

2.2.43. shutdown

Initiate core shutdown.
Description
Initiate shutdown of the core. The core will normally be restarted by an external script/application.
Usage
shutdown [<seconds>]
Options
<seconds>
Seconds until shutdown. (Default: 5)
Note
Requires Administrator privilege.

2.2.44. sshserver

SSH Server.
Description
Show SSH Server status, or start/stop/restart SSH Server.
Usage
sshserver -status [-verbose]
Show server status and list all connected clients.
sshserver -keygen [-b=<bits>] [-t={RSA | DSA}]
Generate SSH Server private keys.
sshserver -start <ssh server>
Start SSH Server.
sshserver -stop <ssh server>
Stop SSH Server.
sshserver -restart <ssh server>
Restart SSH Server.
Options
-b=<bits>
Bitsize. (Default: 1024)
-keygen
Generate SSH Server private keys. This operation may take a long time to finish, up to several minutes!
-restart
Stop and start the SSH Server.
-start
Start the SSH Server.
-status
Show server status and list all connected clients.
-stop
Stop the SSH Server.
-t={RSA | DSA}
Type. (Default: both RSA and DSA keys will be created)
-verbose
Verbose output.
<ssh server>
SSH Server.
Note
Requires Administrator privilege.

2.2.45. stats

Display various general firewall statistics.
Description
Display general information about the firewall, such as uptime, CPU load, resource consumption and other performance data.
Usage
stats

2.2.46. time

Display current system time.
Description
Display/set the system date and time.
Usage
time
Display current system time.
time -set <date> <time>
Set system local time: <YYYY-MM-DD> <HH:MM:SS>.
time -sync [-force]
Synchronize time with timeserver(s) (specified in settings).
Options
-force
Force synchronization regardless of the MaxAdjust setting.
-set
Set system local time: <YYYY-MM-DD> <HH:MM:SS>.
-sync
Synchronize time with timeserver(s) (specified in settings).
<date>
Date YYYY-MM-DD.
<time>
Time HH:MM:SS.

2.2.47. updatecenter

Show autoupdate status and manage IDP/AV databases.
Description
Show autoupdate mechanism status or force an update.
Usage
updatecenter [-servers] [-update[={ANTIVIRUS | IDP | ALL}]] [-status[={ANTIVIRUS | IDP | ALL}]] [-removedb={ANTIVIRUS | IDP}]
Options
-removedb={ANTIVIRUS | IDP}
Remove the database for the specified service.
-servers
Show autoupdate server info.
-status[={ANTIVIRUS | IDP | ALL}]
Show update status and database information. (Admin only; Default: all)
-update[={ANTIVIRUS | IDP | ALL}]
Force an update now for the specified service. (Admin only; Default: all)

2.2.48. urlcache

List contents of the URL cache.
Description
List contents of the URL cache. Used for testing during development of HTTPALG.
Usage
urlcache [-verbose] [-count] [-num=<n>] [-server[={STATUS | CONNECT | DISCONNECT}]]
Options
-count
Only display cache count.
-num=<n>
Limit list to <n> entries. (Default: 20)
-server[={STATUS | CONNECT | DISCONNECT}]
Web Content Filtering Server options. (Default: status)
-verbose
Verbose.

2.2.49. userauth

Show logged-on users.
Description
Show currently logged-on users and other information. Also allows logged-on users to be forcibly logged out.
Note: In the user listing -list, only privileges actually used by the policy are displayed.
Usage
userauth -list [-num=<n>]
List all authenticated users.
userauth -privilege
List all known privileges (usernames and groups).
userauth -user <user ip>
Show all information for user(s) with this IP address.
userauth -remove <user ip> <Interface>
Forcibly log out an authenticated user.
Options
-list
List all authenticated users.
-num=<n>
Limit list of authenticated users. (Default: 20)
-privilege
List all known privileges (usernames and groups).
-remove
Forcibly log out an authenticated user. (Admin only)
-user
Show all information for user(s) with this IP address.
<Interface>
Interface.
<user ip>
IP address for user(s).

2.2.50. vlan

Show information about VLAN.
Description
Show list of attached Virtual LAN Interfaces, or in-depth information about a specified VLAN.
Usage
vlan [-vlan=<vlan>] [-interface=<Interface>]
Options
-interface=<Interface>
List VLANs connected to physical interface <Interface>.
-vlan=<vlan>
VLAN to show information about.

2.2.51. vpnstats

Alias for ipsecstats.

2.2.52. zonedefense

Zonedefense.
Description
Block/unblock IP addresses/net and ethernet addresses.
Usage
zonedefense [-save] [-blockip=<ip address>] [-blockenet=<ethernet address>] [-eraseip=<ip address>] [-eraseenet=<ethernet address>] [-status] [-show]
Options
-blockenet=<ethernet address>
Block the specified ethernet address.
-blockip=<ip address>
Block the specified IP address/net.
-eraseenet=<ethernet address>
Unblock the specified ethernet address.
-eraseip=<ip address>
Unblock the specified IP address/net.
-save
Save the current zonedefense state on all switches.
-show
Show the current block database.
-status
Show the current status of the zonedefense state machine.

2.3. Utility

2.3.1. ping

Ping host.
Description
Sends one or more ICMP ECHO datagrams to the specified IP address of a host. All datagrams are sent preloaded-style (all at once).
The data size -length given is the ICMP data size. 1472 bytes of ICMP data results in a 1500-byte IP datagram (1514 bytes ethernet).
Usage
ping <host> [-recvif=<interface>] [-srcip=<ip address>] [-pbr=<table>] [-count=<1...10>] [-length=<Integer>] [-verbose]
Options
-count=<1...10>
Number of packets to send. (Default: 1)
-length=<Integer>
Packet size. (Default: 4)
-pbr=<table>
Route using PBR Table.
-recvif=<interface>
Pass packet through the rule set, simulating that the packet was received by <recvif>.
-srcip=<ip address>
Use this source IP.
-verbose
Verbose (more information).
<host>
IP address of host to ping.

2.4. Misc

2.4.1. help

Show help for selected topic.
Description
The help system contains information about commands and configuration object types. The fastest way to get help is to simply type help followed by the topic that you want help with. A topic can be for example a command name (e.g. set) or the name of a configuration object type (e.g. User).
When you don't know the name of what you are looking for you can specify the category of the wanted topic with the -category option and use tab-completion to display a list of matching topics.
Usage
help
List commands alphabetically.
help <Topic>
Display help about selected topic from any category.
help -category={COMMANDS | TYPES} [<Topic>]
Display help from a specific topic category.
Options
-category={COMMANDS | TYPES}
Topic category.
<Topic>
Help topic.

2.4.2. history

Dump history to screen.
Description
List recently typed commands that have been stored in the command history.
Usage
history

Chapter 3. Configuration Reference

• Access, page 54
• Address, page 56
• AdvancedScheduleProfile, page 59
• ALG, page 60
• ARP, page 64
• BlacklistWhiteHost, page 65
• Certificate, page 66
• Client, page 67
• DateTime, page 70
• Device, page 71
• DHCPRelay, page 72
• DHCPServer, page 73
• DNS, page 75
• Driver, page 76
• DynamicRoutingRule, page 78
• EthernetDevice, page 81
• HighAvailability, page 82
• HTTPPoster, page 83
• IDList, page 84
• IDPRule, page 85
• IKEAlgorithms, page 87
• Interface, page 88
• IPRule, page 97
• IPRuleFolder, page 99
• IPSecAlgorithms, page 100
• LDAPServer, page 101
• LocalUserDatabase, page 102
• LogReceiver, page 103
• OSPFProcess, page 105
• Pipe, page 109
• PipeRule, page 112
• PSK, page 113
• RadiusServer, page 114
• RemoteManagement, page 115
• RoutingRule, page 118
• RoutingTable, page 119
• ScheduleProfile, page 121
• Service, page 122
• Settings, page 125
• SSHClientKey, page 138
• ThresholdRule, page 139
• UpdateCenter, page 141
• UserAuthRule, page 142
• ZoneDefenseBlock, page 144
• ZoneDefenseExcludeList, page 145
• ZoneDefenseSwitch, page 146

3.1. Access

Description
Use an access rule to allow or block specific source IP addresses on a specific interface.
Properties
Index
The index of the object, starting at 1. (Identifier)
Name
Specifies a symbolic name for the object.
Action
Accept, Expect or Drop. (Default: Drop)
Interface
The interface the packet must arrive on for this rule to be carried out. Exception: the Expect rule.
Network
The IP span that the sender must belong to for this rule to be carried out.
LogEnabled
Enable logging. (Default: No)
LogSeverity
Specifies with what severity log events will be sent to the specified log receivers. (Default: Default)
Comments
Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.2. Address

This is a category that groups the following object types.

3.2.1. AddressFolder

Description
An address folder can be used to group related address objects for better overview.
Properties
Name
Specifies a symbolic name for the network object. (Identifier)
Comments
Text describing the current object. (Optional)
3.2.1.1. EthernetAddress
Description
Use an Ethernet Address item to define a symbolic name for an Ethernet MAC address.
Properties
Name
Specifies a symbolic name for the network object. (Identifier)
Address
Ethernet MAC address, e.g. "12-34-56-78-ab-cd".
UserAuthGroups
Groups and user names that belong to this object. Objects that filter on credentials can only be used as source networks and destination networks in rules. (Optional)
NoDefinedCredentials
If this property is enabled the object requires user authentication, but has no credentials (user names or groups) defined. This means that the object only requires that a user is authenticated, but ignores any kind of group membership. (Default: No)
Comments
Text describing the current object. (Optional)
3.2.1.2. EthernetAddressGroup
Description
An Ethernet Address Group is used for combining several Ethernet Address objects for simplified management.
Properties
Name
Specifies a symbolic name for the network object. (Identifier)
Members
Group members.
UserAuthGroups
Groups and user names that belong to this object. Objects that filter on credentials can only be used as source networks and destination networks in rules. (Optional)
NoDefinedCredentials
If this property is enabled the object requires user authentication, but has no credentials (user names or groups) defined. This means that the object only requires that a user is authenticated, but ignores any kind of group membership. (Default: No)
Comments
Text describing the current object. (Optional)
3.2.1.3. IP4Address
Description
Use an IP4 Address item to define a name for a specific IP4 host, network or range.
Properties
Name
Specifies a symbolic name for the network object. (Identifier)
Address
IP address, e.g. "172.16.50.8", "192.168.30.7,192.168.30.11", "192.168.7.0/24" or "172.16.25.10-172.16.25.50".
UserAuthGroups
Groups and user names that belong to this object. Objects that filter on credentials can only be used as source networks and destination networks in rules. (Optional)
NoDefinedCredentials
If this property is enabled the object requires user authentication, but has no credentials (user names or groups) defined. This means that the object only requires that a user is authenticated, but ignores any kind of group membership. (Default: No)
Comments
Text describing the current object. (Optional)
3.2.1.4. IP4Group
Description
An IP4 Address Group is used for combining several IP4 Address objects for simplified management.
Properties
Name
Specifies a symbolic name for the network object. (Identifier)
Members
Group members.
UserAuthGroups
Groups and user names that belong to this object. Objects that filter on credentials can only be used as source networks and destination networks in rules. (Optional)
NoDefinedCredentials
If this property is enabled the object requires user authentication, but has no credentials (user names or groups) defined. This means that the object only requires that a user is authenticated, but ignores any kind of group membership. (Default: No)
Comments
Text describing the current object. (Optional)
3.2.1.5. IP4HAAddress
Description
Use an IP4 HA Address item to define a name for a specific IP4 host, network or range for each node in a high availability cluster.
Properties
Name
Specifies a symbolic name for the network object. (Identifier)
Address
An IP address with one instance for each node in the high availability cluster.
UserAuthGroups
Groups and user names that belong to this object. Objects that filter on credentials can only be used as source networks and destination networks in rules. (Optional)
NoDefinedCredentials
If this property is enabled the object requires user authentication, but has no credentials (user names or groups) defined. This means that the object only requires that a user is authenticated, but ignores any kind of group membership. (Default: No)
Comments
Text describing the current object. (Optional)
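The four Address value forms listed for IP4Address (a single host, a comma-separated list, a CIDR network and an inclusive range), which IP4Group members and IP4HAAddress reuse, decide exactly which senders a rule built on the object will match, so it pays to check what an object really covers before it goes into a ruleset. The example below is added here and is not code from the manual or from NetDefendOS: it parses the documented forms, tests whether an IP falls inside an object and counts the distinct addresses covered. Rejecting a CIDR value with host bits set and a range whose end precedes its start is this example's own choice; the manual does not say how the unit treats them.

```python
"""Parse the value forms of an IP4Address object and test membership.

Added example; not code from the D-Link manual or NetDefendOS. It covers the
four Address forms the manual lists: a single host ("172.16.50.8"), a
comma-separated list ("192.168.30.7,192.168.30.11"), a CIDR network
("192.168.7.0/24") and an inclusive range ("172.16.25.10-172.16.25.50").
"""
import ipaddress
from typing import List, Tuple

Range = Tuple[int, int]  # inclusive (first, last) as 32-bit integers


def parse_ip4address(value: str) -> List[Range]:
    """Convert an Address value into a list of inclusive integer ranges.

    Raises ValueError for anything outside the documented forms so that a
    malformed object is caught at validation time rather than silently
    matching nothing (or far more than intended) when used in a rule.
    """
    ranges: List[Range] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty element in {value!r}")
        if "/" in item:
            # CIDR network; strict=True refuses host bits set, e.g. 192.168.7.1/24
            # (this example's choice, not documented device behaviour)
            net = ipaddress.IPv4Network(item, strict=True)
            ranges.append((int(net.network_address), int(net.broadcast_address)))
        elif "-" in item:
            first_s, last_s = item.split("-", 1)
            first = int(ipaddress.IPv4Address(first_s.strip()))
            last = int(ipaddress.IPv4Address(last_s.strip()))
            if last < first:
                raise ValueError(f"range end precedes start: {item!r}")
            ranges.append((first, last))
        else:
            host = int(ipaddress.IPv4Address(item))  # single host
            ranges.append((host, host))
    return ranges


def is_valid_ip4address(value: str) -> bool:
    """True if the value parses as one of the documented forms."""
    try:
        parse_ip4address(value)
    except ValueError:
        return False
    return True


def ip_in_address_object(ip: str, value: str) -> bool:
    """Would a packet from/to `ip` match a rule that uses this object?"""
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in parse_ip4address(value))


def address_count(value: str) -> int:
    """Number of distinct addresses the object covers.

    Overlapping elements (e.g. a range inside a /24) are counted once, so the
    result is the real size of the object, which helps spot objects that are
    far broader than their name suggests.
    """
    total = 0
    cur_lo = cur_hi = None
    for lo, hi in sorted(parse_ip4address(value)):
        if cur_hi is None or lo > cur_hi + 1:
            if cur_hi is not None:
                total += cur_hi - cur_lo + 1
            cur_lo, cur_hi = lo, hi
        else:
            cur_hi = max(cur_hi, hi)  # merge overlapping or adjacent element
    if cur_hi is not None:
        total += cur_hi - cur_lo + 1
    return total


if __name__ == "__main__":
    # Constructed sample values, taken from the forms shown in the manual.
    for obj in ("172.16.50.8", "192.168.30.7,192.168.30.11",
                "192.168.7.0/24", "172.16.25.10-172.16.25.50"):
        print(f"{obj:40} covers {address_count(obj):4} address(es); "
              f"192.168.30.11 in it: {ip_in_address_object('192.168.30.11', obj)}")
```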

3.2.2. EthernetAddress

The definitions here are the same as in Section 3.2.1.1, “EthernetAddress”.

3.2.3. EthernetAddressGroup

The definitions here are the same as in Section 3.2.1.2, “EthernetAddressGroup”.

3.2.4. IP4Address

The definitions here are the same as in Section 3.2.1.3, “IP4Address”.

3.2.5. IP4Group

The definitions here are the same as in Section 3.2.1.4, “IP4Group”.

3.2.6. IP4HAAddress

The definitions here are the same as in Section 3.2.1.5, “IP4HAAddress”.

3.3. AdvancedScheduleProfile

Description
An advanced schedule profile contains definitions of occurrences used by various policies in the system.
Properties
Name
Specifies a symbolic name for the service. (Identifier)
Comments
Text describing the current object. (Optional)

3.3.1. AdvancedScheduleOccurrence

Description
An advanced schedule occurrence specifies an occurrence that should happen between certain times on given days of the month or week.
Properties
Properties
Index
The index of the object, starting at 1. (Identifier)
StartTime
Start Time of occurrence in the format HH:MM. For example 13:30.
EndTime
End Time of occurrence in the format HH:MM. For example 14:15.
Occurrence
Specify type of occurrence. (Default: Weekly)
Weekly
Specifies days in week the schedule occurrence should be activated. Monday corresponds to 1 and Sunday 7. (Default: 1-7)
Monthly
Specifies days in month the schedule occurrence should be activated. The schedule only occurs on days that exist in the month. (Default: 1-31)
Comments
Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
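To see how StartTime, EndTime, Occurrence, Weekly and Monthly combine into "is this policy in force right now", here is an added example that is not code from the manual or from NetDefendOS: it evaluates an AdvancedScheduleOccurrence at a timestamp written in the same YYYY-MM-DD HH:MM style the time command uses. It assumes three things the manual does not state: the day specification also accepts lists such as "1-5,7" (the manual only shows "1-7"), the active window is [StartTime, EndTime) with EndTime after StartTime, and a profile is active when any of its occurrences is.

```python
"""Decide whether an AdvancedScheduleOccurrence is active at a given moment.

Added example; not code from the D-Link manual or NetDefendOS. It follows the
properties listed for the object: StartTime and EndTime as HH:MM, Occurrence
either Weekly (days 1-7, Monday = 1) or Monthly (days 1-31, where a day that
does not exist in the month simply never occurs). Assumptions of this example:
the day specification may also be a list such as "1-5,7", the window is
[StartTime, EndTime) with EndTime later than StartTime, and a profile is active
when any of its occurrences is.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable, Set

STAMP_FORMAT = "%Y-%m-%d %H:%M"  # same date/time style as the time command


def parse_days(spec: str, lo: int, hi: int) -> Set[int]:
    """Expand a "1-5,7" style day specification into a set within lo..hi."""
    days: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            a, b = (int(x) for x in part.split("-", 1))
        else:
            a = b = int(part)
        if not (lo <= a <= b <= hi):
            raise ValueError(f"day specification {part!r} is outside {lo}-{hi}")
        days.update(range(a, b + 1))
    return days


def parse_hhmm(value: str) -> time:
    hours, minutes = value.split(":")
    return time(int(hours), int(minutes))


@dataclass
class AdvancedScheduleOccurrence:
    start_time: str             # HH:MM, e.g. "13:30"
    end_time: str               # HH:MM, e.g. "14:15"
    occurrence: str = "Weekly"  # Weekly or Monthly (manual default: Weekly)
    weekly: str = "1-7"         # manual default: every day of the week
    monthly: str = "1-31"       # manual default: every day of the month

    def is_active(self, at: datetime) -> bool:
        start, end = parse_hhmm(self.start_time), parse_hhmm(self.end_time)
        if end <= start:
            raise ValueError("EndTime must be later than StartTime (example assumption)")
        if self.occurrence == "Weekly":
            # isoweekday() numbers Monday = 1 .. Sunday = 7, as the manual does
            day_matches = at.isoweekday() in parse_days(self.weekly, 1, 7)
        elif self.occurrence == "Monthly":
            # at.day is never 31 in a 30-day month, so "31" skips such months,
            # matching "only occurs on days that exist in the month"
            day_matches = at.day in parse_days(self.monthly, 1, 31)
        else:
            raise ValueError(f"unknown Occurrence type {self.occurrence!r}")
        return day_matches and start <= at.time() < end

    def is_active_at(self, stamp: str) -> bool:
        """Same check, taking a "YYYY-MM-DD HH:MM" string."""
        return self.is_active(datetime.strptime(stamp, STAMP_FORMAT))


def profile_is_active(occurrences: Iterable[AdvancedScheduleOccurrence],
                      stamp: str) -> bool:
    """A profile is active when any of its occurrences is (example assumption)."""
    return any(o.is_active_at(stamp) for o in occurrences)


if __name__ == "__main__":
    # Constructed sample: office hours on weekdays plus a monthly maintenance window.
    office = AdvancedScheduleOccurrence("08:00", "17:00", weekly="1-5")
    maint = AdvancedScheduleOccurrence("22:00", "23:59", occurrence="Monthly", monthly="31")
    for when in ("2007-04-17 09:00",   # Tuesday, office hours
                 "2007-04-21 09:00",   # Saturday
                 "2007-05-31 22:30"):  # 31st, maintenance window
        print(when, "->", profile_is_active((office, maint), when))
```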

3.4. ALG

This is a category that groups the following object types.

3.4.1. ALG_FTP

Description
Use an FTP Application Layer Gateway to manage FTP traffic through the system.
Properties
Name
Specifies a symbolic name for the ALG. (Identifier)
AllowServerPassive
Allow server to use passive mode (unsafe for server). (Default: No)
ServerPorts
Server data ports. (Default: 1024-65535)
AllowClientActive
Allow client to use active mode (unsafe for client). (Default: No)
ClientPorts
Client data ports. (Default: 1024-65535)
AllowUnknownCommands
Allow unknown commands. (Default: No)
AllowSITEEXEC
Allow SITE EXEC. (Default: No)
MaxLineLength
Maximum line length in control channel. (Default: 256)
MaxCommandRate
Maximum number of commands per second. (Default: 20)
Allow8BitStrings
Allow 8-bit strings in control channel. (Default: Yes)
AllowResumeTransfer
Allow RESUME even in case of content scanning. (Default: No)
Antivirus
Disabled, Audit or Protect. (Default: Disabled)
ScanExclude
List of files to exclude from antivirus scanning. (Optional)
CompressionRatio
A compression ratio higher than this value will trigger the action in Compression Ratio Action; a value of zero will disable all compression checks. (Default: 20)
CompressionRatioAction
The action to take when the high compression threshold is violated; all actions are logged. (Default: Drop)
FileListType
Specifies if the file list contains files to allow or deny. (Default: Block)
FailModeBehavior
Standard behaviour on error: Allow or Deny. (Default: Deny)
File
List of file types to allow or deny. (Optional)
VerifyContentMimetype
Verify that file extensions correspond to the MIME type. (Default: No)
Comments
Text describing the current object. (Optional)

3.4.2. ALG_H323

Description
Use an H.323 Application Layer Gateway to manage H.323 multimedia traffic.
Properties
Name
Specifies a symbolic name for the ALG. (Identifier)
AllowTCPDataChannels
Allow TCP data channels (T.120). (Default: Yes)
MaxTCPDataChannels
Maximum number of TCP data channels per call. (Default: 10)
TranslateAddresses
Automatic or Specific. (Default: Automatic)
TranslateLogicalChannelAddresses
Translate logical channel addresses. (Default: Yes)
MaxGKRegLifeTime
Max Gatekeeper Registration Lifetime. (Default: 1800)
Comments
Text describing the current object. (Optional)

3.4.3. ALG_HTTP

Description
Use an HTTP Application Layer Gateway to filter HTTP traffic.
Properties
Name
Specifies a symbolic name for the ALG. (Identifier)
RemoveCookies
Remove cookies. (Default: No)
RemoveScripts
Remove Javascript/VBScript. (Default: No)
RemoveApplets
Remove Java applets. (Default: No)
RemoveActiveX
Remove ActiveX objects (including Flash). (Default: No)
VerifyUTF8URL
Verify that URLs do not contain invalid UTF8 encoding. (Default: No)
BlackURLDisplayReason
Message to show when there is an attempt to access a blacklisted site. (Optional)
MaxDownloadSize
The maximal allowed file size in kB. (Optional)
FileListType
Specifies if the file list contains files to allow or deny. (Default: Block)
FailModeBehavior
Standard behaviour on error: Allow or Deny. (Default: Deny)
File
List of file types to allow or deny. (Optional)
VerifyContentMimetype
Verify that file extensions correspond to the MIME type. (Default: No)
Antivirus
Disabled, Audit or Protect. (Default: Disabled)
ScanExclude
List of files to exclude from antivirus scanning. (Optional)
CompressionRatio
A compression ratio higher than this value will trigger the action in Compression Ratio Action; a value of zero will disable all compression checks. (Default: 20)
CompressionRatioAction
The action to take when the high compression threshold is violated; all actions are logged. (Default: Drop)
WebContentFilteringMode
Disabled, Audit or Enable. (Default: Disabled)
FilteringCategories
Web content categories to block. (Optional)
AllowFilteringOverride
Allow the user to display a blocked site. (Default: No)
AllowFilteringReclassification
Allow reclassification of sites. (Default: No)
Comments
Text describing the current object. (Optional)
3.4.3.1. ALG_HTTP_URL
Description
Blacklist URLs to deny access to complete sites, to file types by extension, or to URLs with certain words in them.
Properties
Index
The index of the object, starting at 1. (Identifier)
Action
Whitelist or Blacklist. (Default: Blacklist)
URL
Specifies the URL to blacklist or whitelist.
Comments
Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.4.4. ALG_SMTP

Description
Use an SMTP Application Layer Gateway to manage SMTP traffic through the system.
Properties
Name
Specifies a symbolic name for the ALG. (Identifier)
VerifySenderEmail
Enable to verify sender E-mail address. (Default: No)
MaxEmailPerMinute
Specifies the maximum amount of E-mails per minute. (Optional)
FileListType
Specifies if the file list contains files to allow or deny. (Default: Block)
FailModeBehavior
Standard behaviour on error: Allow or Deny. (Default: Deny)
File
List of file types to allow or deny. (Optional)
VerifyContentMimetype
Verify that file extensions correspond to the MIME type. (Default: No)
Antivirus
Disabled, Audit or Protect. (Default: Disabled)
ScanExclude
List of files to exclude from antivirus scanning. (Optional)
CompressionRatio
A compression ratio higher than this value will trigger the action in Compression Ratio Action; a value of zero will disable all compression checks. (Default: 20)
CompressionRatioAction
The action to take when the high compression threshold is violated; all actions are logged. (Default: Drop)
Comments
Text describing the current object. (Optional)
3.4.4.1. ALG_SMTP_Email
Description
Used to whitelist or blacklist an E-mail sender/recipient.
Properties
Index
The index of the object, starting at 1. (Identifier)
Type
Specifies if the E-mail address is the sender or the recipient. (Default: Sender)
Action
Specifies whether to whitelist (allow) or blacklist (deny) this address. (Default: Blacklist)
Email
Specifies the Recipient E-mail to blacklist or whitelist.
Comments
Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.5. ARP

Description
Use an ARP entry to publish additional IP addresses and/or MAC addresses on a specified interface.
Properties
Index
The index of the object, starting at 1. (Identifier)
Mode
Static, Publish or XPublish. (Default: Publish)
Interface
Indicates the interface to which the ARP entry applies; e.g. the interface the address shall be published on.
IP
The IP address to be published or statically bound to a hardware address.
MACAddress
The hardware address associated with the IP address. (Default: 00:00:00:00:00:00)
Comments
Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.6. BlacklistWhiteHost

Description
Manually configured whitelist hosts are used to prevent a host/network from being blocked, either by default or based on a schedule.
Properties
Index
The index of the object, starting at 1. (Identifier)
Addresses
Specifies the addresses that will be whitelisted.
Service
Specifies the service that will be whitelisted.
Schedule
The schedule when the whitelist should be active. (Optional)
Comments
Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.7. Certificate

Description
An X.509 certificate is used to authenticate a VPN client or gateway when establishing an IPsec tunnel.
Properties
Name
Specifies a symbolic name for the certificate. (Identifier)
Type
Local, Remote or Request.
CertificateData
Certificate data.
PrivateKey
Private key.
NoCRLs
Disable CRLs (Certificate Revocation Lists). (Default: No)
Comments
Text describing the current object. (Optional)

3.8. Client

This is a category that groups the following object types.

3.8.1. DynDnsClientCjbNet

Description
Configure the parameters used to connect to the Cjb.net DynDNS service.
Properties
Username  Username.
Password  The password for the specified username. (Optional)
Comments  Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.8.2. DynDnsClientDLink

Description
Configure the parameters used to connect to the D-Link DynDNS service.
Properties
DNSName   The DNS name excluding the .dlinkddns.com suffix.
Username  Username.
Password  The password for the specified username. (Optional)
Comments  Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.8.3. DynDnsClientDyndnsOrg

Description
Configure the parameters used to connect to the dyndns.org DynDNS service.
Properties
DNSName   The DNS name excluding the .dyndns.org suffix.
Username  Username.
Password  The password for the specified username. (Optional)
Comments  Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.8.4. DynDnsClientDynsCx

Description
Configure the parameters used to connect to the dyns.cx DynDNS service.
Properties
DNSName   The DNS name excluding the .dyns.cx suffix.
Username  Username.
Password  The password for the specified username. (Optional)
Comments  Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.8.5. DynDnsClientPeanutHull

Description
Configure the parameters used to connect to the Peanut Hull DynDNS service.
Properties
Index     The index of the object, starting at 1. (Identifier)
DNSNames  Specifies the DNS names separated by ";".
Username  Username.
Password  The password for the specified username. (Optional)
Comments  Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.8.6. LoginClientBigPond

Description
Configure the parameters used to provide automatic logon to BigPond Internet service.
Properties
Username  Username.
Password  The password for the specified username. (Optional)
Comments  Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.8.7. LoginClientTelia

Description
Configure the parameters used to provide automatic logon to Telia Internet service.
Properties
Username  Username.
Password  The password for the specified username. (Optional)
Comments  Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.9. DateTime

Description
Set the date, time and time zone information for this system.
Properties
TimeZone                   Specifies the time zone. (Default: GMT)
DSTEnabled                 Enable daylight saving time. (Default: Yes)
DSTOffset                  Daylight saving time offset in minutes. (Default: 60)
DSTStartMonth              What month daylight saving time starts. (Default: April)
DSTStartDay                What day of month daylight saving time starts. (Default: 1)
DSTEndMonth                What month daylight saving time ends. (Default: October)
DSTEndDay                  What day of month daylight saving time ends. (Default: 1)
TimeSynchronization        Enable time synchronization. (Default: Disable)
TimeSyncServerType         Type of server for time synchronization, UDPTime or SNTP (Simple Network Time Protocol). (Default: SNTP)
TimeSyncServer1            DNS hostname or IP address of time server 1.
TimeSyncServer2            DNS hostname or IP address of time server 2. (Optional)
TimeSyncServer3            DNS hostname or IP address of time server 3. (Optional)
TimeSyncInterval           Seconds between each resynchronization. (Default: 86400)
TimeSyncMaxAdjust          Maximum time drift in seconds that a server is allowed to adjust. (Default: 600)
TimeSyncGroupIntervalSize  Interval according to which server responses will be grouped. (Default: 10)
Comments                   Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
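The two guard properties above, TimeSyncMaxAdjust and TimeSyncGroupIntervalSize, limit how far a single time server can move the system clock. The following is an added illustration of that idea, not NetDefendOS code: the reference only says that a server may not adjust the clock by more than TimeSyncMaxAdjust seconds and that responses are grouped by TimeSyncGroupIntervalSize; the bucketing rule, the median choice and the sample replies are this example's own assumptions.

```python
"""Model of the time-synchronization guards described for the DateTime object.

Added example, not NetDefendOS code. Parameter mapping (assumed):
  max_adjust     -> TimeSyncMaxAdjust (seconds, default 600)
  group_interval -> TimeSyncGroupIntervalSize (seconds, default 10)
"""
import math
import statistics
from typing import List, Optional, Tuple


def select_time_adjustment(replies: List[Tuple[str, float]],
                           max_adjust: int = 600,
                           group_interval: int = 10,
                           ) -> Tuple[Optional[float], List[str]]:
    """Decide which clock adjustment to apply from a set of server replies.

    replies: (server_name, offset_seconds) pairs, offset = server time - local time.
    Returns (adjustment, rejected_servers).

    1. Any reply whose |offset| exceeds max_adjust is rejected outright, so a
       single bad or hostile server cannot jump the clock by hours.
    2. Remaining offsets are bucketed into group_interval-second groups and the
       median of the largest group is used, so one outlier among agreeing
       servers is outvoted. (Grouping/median are this example's assumptions.)
    """
    rejected = [name for name, off in replies if abs(off) > max_adjust]
    accepted = [off for _, off in replies if abs(off) <= max_adjust]
    if not accepted:
        return None, rejected

    groups = {}
    for off in accepted:
        bucket = math.floor(off / group_interval)
        groups.setdefault(bucket, []).append(off)
    largest = max(groups.values(), key=len)   # first largest bucket on ties
    return statistics.median(largest), rejected


if __name__ == "__main__":
    # Constructed sample: three agreeing servers and one reporting a 15-minute jump.
    sample = [("ntp1", 2.0), ("ntp2", 4.0), ("ntp3", 3.0), ("rogue", 900.0)]
    adj, bad = select_time_adjustment(sample)
    print(f"apply {adj:+.1f}s, rejected servers: {bad}")   # apply +3.0s, rejected servers: ['rogue']
```

The interesting property for an operator is that lowering TimeSyncMaxAdjust tightens the blast radius of a compromised or misconfigured time source, but set too low it will also reject a legitimate correction after a long outage; the function returns the rejected server names so that case is visible in logs rather than silently ignored.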

3.10. Device

Description
Global parameters of this device.
Properties
Name           Name of the device. (Default: Device)
ConfigVersion  Version number of the configuration. (Default: 1)
Comments       Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.11. DHCPRelay

Description
Use a DHCP Relay to dynamically alter the routing table according to relayed DHCP leases.
Properties
Name                   Specifies a symbolic name for the relay rule. (Identifier)
Action                 Ignore, Relay or BootpFwd. (Default: Ignore)
SourceInterface        The source interface of the DHCP packet. (Optional)
TargetDHCPServer       Specifies the IP of the server to send the relayed DHCP packets to.
IPOfferFilter          Specifies the span of IP addresses that are allowed to be relayed from the DHCP server. (Default: 1)
AddRoute               Enable dynamic adding of routes as leases are added and removed. (Default: No)
AddRouteLocalIP        The IP address specified here will automatically be published on the interfaces where a route is added. (Optional)
AddRouteGatewayIP      The IP used as gateway to reach hosts on this route. (Optional)
RoutingTable           Specifies the routing table the client's host route should be added to. (Default: main)
MaxRelaysPerInterface  Specifies how many relays are allowed per interface, that is, how many DHCP clients are allowed to be relayed through each interface. (Optional)
AgentIP                Define what IP the relay should use as gateway IP when passing the requests to the DHCP server. (Default: Recv)
AllowNULLOffers        Accept server responses offering IP address "0.0.0.0" (no IP address offered). (Default: No)
ProxyARPAllInterfaces  Always select all interfaces, including new ones, for publishing routes needed for the relay via Proxy ARP. (Default: No)
ProxyARPInterfaces     Specifies the interface/interfaces on which the security gateway should publish routes needed for the relay via Proxy ARP. (Optional)
LogEnabled             Enable logging. (Default: No)
LogSeverity            Specifies with what severity log events will be sent to the specified log receivers. (Default: Default)
Comments               Text describing the current object. (Optional)

3.12. DHCPServer

Description
A DHCP Server determines a set of IP addresses and host configuration parameters to hand out to DHCP clients attached to a given interface.
Properties
Name            Specifies a symbolic name for the DHCP Server rule. (Identifier)
Interface       The source interface to listen for DHCP requests on. This can be a single interface or a group of interfaces.
IPAddressPool   A range, group or network that the DHCP Server will use as IP address pool to give out DHCP leases from.
Netmask         Netmask sent to the DHCP client.
DefaultGateway  Specifies what IP should be sent to the client for use as default gateway. If unspecified or if 0.0.0.0 is specified, the IP given to the client will be sent as gateway. (Optional)
Domain          Domain name used for DNS resolution. (Optional)
LeaseTime       The time, in seconds, that a DHCP lease should be provided to a host; after this the client has to renew the lease. (Default: 86400)
DNS1            IP of the primary DNS server. (Optional)
DNS2            IP of the secondary DNS server. (Optional)
NBNS1           IP of the primary Windows Internet Name Service (WINS) server that is used in Microsoft environments which use the NetBIOS Name Servers (NBNS) to assign IP addresses to NetBIOS names. (Optional)
NBNS2           IP of the secondary Windows Internet Name Service (WINS) server that is used in Microsoft environments which use the NetBIOS Name Servers (NBNS) to assign IP addresses to NetBIOS names. (Optional)
NextServer      IP address of next server in the boot process. (Optional)
LogEnabled      Enable logging. (Default: No)
LogSeverity     Specifies with what severity log events will be sent to the specified log receivers. (Default: Default)
Comments        Text describing the current object. (Optional)

3.12.1. DHCPServerPoolStaticHost

Description
Static DHCP Server host entry
Properties
Index       The index of the object, starting at 1. (Identifier)
Host        IP address of the host.
MACAddress  The hardware address of the host.
Comments    Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.12.2. DHCPServerCustomOption

Description
Extend the DHCP Server functionality by adding custom options that will be handed out to the DHCP clients.
Properties
Code      The DHCP option code. (Identifier)
Type      What type the option is, i.e. STRING, IP4 and so on. (Default: UINT8)
Param     The parameter sent with the code; this can be one parameter or a comma-separated list. (Optional)
Comments  Text describing the current object. (Optional)

3.13. DNS

Description
Configure the DNS (Domain Name System) client settings.
Properties
DNSServer1  IP of the primary DNS server. (Optional)
DNSServer2  IP of the secondary DNS server. (Optional)
DNSServer3  IP of the tertiary DNS server. (Optional)
Comments    Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.14. Driver

This is a category that groups the following object types.

3.14.1. IXP4NPEEthernetDriver

Description
Intel (IXP4xxNPE) Fast Ethernet Adaptor.
Properties
Comments  Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.14.2. MarvellEthernetPCIDriver

Description
Marvell (88E8001,88E8053,88E8062) Fast and Gigabit Ethernet Adaptor.
Properties
Comments  Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.14.3. R8139EthernetPCIDriver

Description
RealTek (8139) Fast Ethernet Adaptor.
Properties
Comments  Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.15. DynamicRoutingRule

Description
A Dynamic Routing Policy rule creates a filter to catch statically configured or OSPF learned routes. The matched routes can be controlled by the action rules to be either exported to OSPF processes or to be added to one or more routing tables.
Properties
Index                      The index of the object, starting at 1. (Identifier)
Name                       Specifies a symbolic name for the rule. (Optional)
From                       OSPF or Routing table. (Default: OSPF)
OSPFProcess                Specifies from which OSPF process the route should be imported into either a routing table or another OSPF process.
RoutingTable               Specifies from which routing table a route should be imported into the OSPF AS or copied into another routing table.
DestinationInterface       The interface that the policy has to match. (Optional)
DestinationNetworkExactly  Specifies if the route needs to match a specific network exactly. (Optional)
DestinationNetworkIn       Specifies if the route just needs to be within a specific network. (Optional)
NextHop                    The next hop (router) on the route that this policy has to match. (Optional)
MetricRange                Specifies an interval that the metric of the routes needs to be within. (Optional)
RouterID                   Specifies if the policy should filter on router ID. (Optional)
OSPFRouteType              Specifies if the policy should filter on OSPF route type. (Optional)
OSPFTagRange               Specifies an interval that the tag of the routes needs to be within. (Optional)
LogEnabled                 Enable logging. (Default: No)
LogSeverity                Specifies with what severity log events will be sent to the specified log receivers. (Default: Default)
Comments                   Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.15.1. DynamicRoutingRuleExportOSPF

Description
An OSPF action is used to manipulate and export new or changed routes to an OSPF Router Process.
Properties
Index             The index of the object, starting at 1. (Identifier)
ExportToProcess   Specifies to which OSPF Process the route change should be exported.
SetTag            Specifies a tag for this route. This tag can be used in other routers for filtering. (Optional)
SetRouteType      The external route type. (Optional)
OffsetMetric      Increases the metric of the imported route by this value. (Optional)
LimitMetricRange  Limits the metrics for these routes to a minimum and maximum value; if a route has a higher or lower value than specified it will be set to the specified value. (Optional)
SetForward        IP to route over. (Optional)
Comments          Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.15.2. DynamicRoutingRuleAddRoute

Description
A routing action is used to manipulate and insert new or changed routes to one or more local routing tables.
Properties
Index                  The index of the object, starting at 1. (Identifier)
Destination            Specifies the routing table into which the route changes should be inserted.
OverrideStatic         Allow override of static routes. (Default: No)
OverwriteDefault       Allow overwrite of default route. (Default: No)
OffsetMetric           Increases the metric by this value. (Optional)
OffsetMetricType2      Increases the metric for Type 2 routes by this value. (Optional)
LimitMetricRange       Limits the metrics for these routes to a minimum and maximum value; if a route has a higher or lower value than specified it will be set to the specified value. (Optional)
ProxyARPAllInterfaces  Always select all interfaces, including new ones, for publishing routes via Proxy ARP. (Default: No)
ProxyARPInterfaces     Specifies the interfaces on which the security gateway should publish routes via Proxy ARP. (Optional)
Comments               Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.16. EthernetDevice

Description
Hardware settings for an Ethernet interface.
Properties
Name            Specifies a symbolic name for the device. (Identifier)
EthernetDriver  The Ethernet PCI driver that should be used by the interface.
PCIBus          PCI bus number where the Ethernet adapter is installed.
PCISlot         PCI slot number used by the Ethernet adapter.
PCIPort         Some Ethernet adapters have multiple ports that share the same bus and slot number. This parameter specifies what port to be used.
Media           Specifies if the link speed should be auto-negotiated or locked to a static speed. (Default: Auto)
Duplex          Specifies if the duplex should be auto-negotiated or locked to full or half duplex. (Default: Auto)
MACAddress      The hardware address for the interface. (Optional)
Comments        Text describing the current object. (Optional)

3.17. HighAvailability

Description
Configure the High Availability cluster parameters for this system.
Properties
Enabled            Enable high availability. (Default: No)
ClusterID          A (locally) unique cluster ID to use in identifying this group of HA security gateways. (Default: 0)
SyncIface          Specifies the interface used for state synchronization.
NodeID             Master or Slave. (Default: Master)
HASyncBufSize      How much sync data, in KB, to buffer while waiting for acknowledgments from the cluster peer. (Default: 1024)
HASyncMaxPktBurst  The maximum number of state sync packets to send in a burst. (Default: 20)
HAInitialSilence   The time to stay silent on startup or after reconfiguration. (Default: 5)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.18. HTTPPoster

Description
Use the HTTP poster for dynamic DNS or automatic logon to services using web-based authentication.
Properties
URL1      The first URL that will be posted when the security gateway is loaded. (Optional)
URL2      The second URL that will be posted when the security gateway is loaded. (Optional)
URL3      The third URL that will be posted when the security gateway is loaded. (Optional)
RepDelay  Delay in seconds until all URLs are refetched. (Default: 1200)
Comments  Text describing the current object. (Optional)
Note
This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

3.19. IDList

Description
An ID list contains IDs, which are used within the authentication process when establishing an IPsec tunnel.
Properties
Name      Specifies a symbolic name for the ID list. (Identifier)
Comments  Text describing the current object. (Optional)

3.19.1. ID

Description
An ID is used to define parameters that are matched against the subject field in an X.509 certificate when establishing an IPsec tunnel.
Properties
Name                Specifies a symbolic name for the object. (Identifier)
Type                IP, DNS, E-Mail or Distinguished name.
IP                  IP address.
Hostname            Host name.
CommonName          Common name of the owner of the certificate. (Optional)
OrganizationName    Organization name of the owner of the certificate. (Optional)
OrganizationalUnit  Organizational unit of the owner of the certificate. (Optional)
Country             Specifies the country. (Optional)
LocalityName        Locality. (Optional)
EMailAddress        E-mail address. (Optional)
Comments            Text describing the current object. (Optional)

3.20. IDPRule

Description
An IDP Rule defines a filter for matching specific network traffic. When the filter criteria are met, the IDP Rule Actions are evaluated and possible actions taken.
Properties
Index                 The index of the object, starting at 1. (Identifier)
Name                  Specifies a symbolic name for the rule. (Optional)
SourceInterface       Specifies the name of the receiving interface to be compared to the received packet.
SourceNetwork         Specifies the sender span of IP addresses to be compared to the received packet.
DestinationInterface  Specifies the destination interface to be compared to the received packet.
DestinationNetwork    Specifies the span of IP addresses to be compared to the destination IP of the received packet.
Service               Specifies a service that will be used as a filter parameter when matching traffic with this rule.
Schedule              By adding a schedule to a rule, the security gateway will only allow that rule to trigger at those designated times. (Optional)
AlwaysInspect         Enable to also inspect dropped packets. (Default: No)
Comments              Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.

3.20.1. IDPRuleAction

Description
An IDP Rule Action specifies what signatures to search for in the network traffic, and what action to take if those signatures are found.
Properties
Index                       The index of the object, starting at 1. (Identifier)
Action                      Specifies what action to take if the given signature is found. (Default: Audit)
IDPSeverity                 Signature severity group. (Default: Attack)
Signatures                  Specifies what signature(s) to search for in the network traffic. (Optional)
ZoneDefense                 Activate ZoneDefense. (Default: No)
BlackList                   Activate BlackList. (Default: No)
BlackListTimeToBlock        The number of seconds that the dynamic black list entry should remain. (Optional)
BlackListBlockOnlyService   Only block the service that triggered the blacklisting. (Default: No)
BlackListIgnoreEstablished  Do not drop existing connections. (Default: No)
LogEnabled                  Enable logging. (Default: No)
LogSeverity                 Specifies with what severity log events will be sent to the specified log receivers. (Default: Default)
Comments                    Text describing the current object. (Optional)
Note
If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
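The four BlackList properties above, together with the whitelist precedence described for BlacklistWhiteHost in section 3.6, define a small state machine: a signature hit adds a host to a dynamic list unless a whitelist entry covers it, the entry may be limited to the triggering service, it may spare established connections, and it ages out after BlackListTimeToBlock seconds. The model below is an added illustration of that behaviour and not NetDefendOS code; the class names, the trigger() and is_blocked() functions and the sample addresses are this example's own assumptions, and the property names are taken from the reference.

```python
"""Model of the dynamic blacklist semantics described for IDPRuleAction and
BlacklistWhiteHost. Added example, not NetDefendOS code; the data structures
and the trigger()/is_blocked() functions are assumptions made for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class IDPRuleAction:
    """Only the blacklist-related properties of the reference object."""
    BlackList: bool = False
    BlackListTimeToBlock: Optional[int] = None   # seconds; None = entry never expires
    BlackListBlockOnlyService: bool = False
    BlackListIgnoreEstablished: bool = False


@dataclass
class BlacklistWhiteHost:
    """Addresses is a host or a network; Service "all" covers every service (assumed)."""
    Addresses: str
    Service: str = "all"


@dataclass
class BlackListEntry:
    host: str
    service: Optional[str]        # None: every service from the host is blocked
    expires_at: Optional[float]   # None: permanent
    drop_established: bool        # False when BlackListIgnoreEstablished was Yes


@dataclass
class DynamicBlackList:
    whitelist: List[BlacklistWhiteHost] = field(default_factory=list)
    entries: List[BlackListEntry] = field(default_factory=list)

    def is_whitelisted(self, host: str, service: str) -> bool:
        addr = ip_address(host)
        return any(addr in ip_network(w.Addresses, strict=False)
                   and w.Service in ("all", service)
                   for w in self.whitelist)

    def trigger(self, action: IDPRuleAction, host: str, service: str, now: float) -> bool:
        """Called when a signature matches. Returns True if an entry was added;
        whitelisted hosts and actions without BlackList=Yes add nothing."""
        if not action.BlackList or self.is_whitelisted(host, service):
            return False
        ttl = action.BlackListTimeToBlock
        self.entries.append(BlackListEntry(
            host=host,
            service=service if action.BlackListBlockOnlyService else None,
            expires_at=None if ttl is None else now + ttl,
            drop_established=not action.BlackListIgnoreEstablished,
        ))
        return True

    def is_blocked(self, host: str, service: str, now: float,
                   established: bool = False) -> bool:
        """Per-packet lookup. Expired entries are purged first; an entry made with
        BlackListIgnoreEstablished=Yes leaves already-established connections alone."""
        self.entries = [e for e in self.entries
                        if e.expires_at is None or e.expires_at > now]
        for e in self.entries:
            if e.host != host:
                continue
            if e.service is not None and e.service != service:
                continue
            if established and not e.drop_established:
                continue
            return True
        return False


def demo() -> dict:
    """Constructed scenario: the LAN is whitelisted, an external host trips a rule."""
    bl = DynamicBlackList(whitelist=[BlacklistWhiteHost("10.0.0.0/8")])
    action = IDPRuleAction(BlackList=True, BlackListTimeToBlock=60,
                           BlackListBlockOnlyService=True,
                           BlackListIgnoreEstablished=True)
    return {
        "lan_host_added": bl.trigger(action, "10.1.2.3", "http", now=0),
        "ext_host_added": bl.trigger(action, "203.0.113.7", "http", now=0),
        "ext_http_blocked": bl.is_blocked("203.0.113.7", "http", now=10),
        "ext_smtp_blocked": bl.is_blocked("203.0.113.7", "smtp", now=10),
        "ext_established_blocked": bl.is_blocked("203.0.113.7", "http", now=10, established=True),
        "ext_blocked_after_expiry": bl.is_blocked("203.0.113.7", "http", now=61),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The operational lesson the model makes visible: a whitelist entry is the only thing standing between a false-positive signature and a self-inflicted outage on an internal subnet, and BlackListIgnoreEstablished=Yes means an attacker's already-open session is not cut when the entry is added, which is the trade-off the reference leaves to the operator.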

3.21. IKEAlgorithms

Description
Configure algorithms which are used in the IKE phase of an IPsec session.
Properties
Name                Specifies a symbolic name for the object. (Identifier)
NULLEnabled         Enable plaintext. (Default: No)
DESEnabled          Enable DES encryption algorithm. (Default: No)
DES3Enabled         Enable 3DES encryption algorithm. (Default: No)
AESEnabled          Enable AES encryption algorithm. (Default: No)
BlowfishEnabled     Enable Blowfish encryption algorithm. (Default: No)
TwofishEnabled      Enable Twofish encryption algorithm. (Default: No)
CAST128Enabled      Enable CAST128 encryption algorithm. (Default: No)
BlowfishMinKeySize  Specifies the minimum Blowfish key size in bits. (Default: 128)
BlowfishKeySize     Specifies the preferred Blowfish key size in bits. (Default: 128)
BlowfishMaxKeySize  Specifies the maximum Blowfish key size in bits. (Default: 448)
TwofishMinKeySize   Specifies the minimum Twofish key size in bits. (Default: 128)
TwofishKeySize      Specifies the preferred Twofish key size in bits. (Default: 128)
TwofishMaxKeySize   Specifies the maximum Twofish key size in bits. (Default: 256)
AESMinKeySize       Specifies the minimum AES key size in bits. (Default: 128)
AESKeySize          Specifies the preferred AES key size in bits. (Default: 128)
AESMaxKeySize       Specifies the maximum AES key size in bits. (Default: 256)
MD5Enabled          Enable MD5 integrity algorithm. (Default: No)
SHA1Enabled         Enable SHA1 integrity algorithm. (Default: No)
Comments            Text describing the current object. (Optional)
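Every algorithm flag in this object defaults to No, so a freshly created IKEAlgorithms object negotiates nothing until the operator turns something on, and the weakest choices (NULLEnabled, DESEnabled, MD5Enabled) sit beside the stronger ones with no guard. The audit helper below is an added example, not NetDefendOS code: it takes a dictionary keyed by the property names from this table, fills in the documented defaults for anything omitted, and reports which settings a reviewer would reject. The policy it applies (no plaintext, DES or MD5; at least one cipher and one integrity algorithm; 128-bit minimum keys) and the two sample objects are this example's own assumptions.

```python
"""Configuration audit for IKEAlgorithms objects (section 3.21).

Added example, not NetDefendOS code. Input: a dict whose keys are the property
names from the reference and whose values are "Yes"/"No" or key sizes in bits.
The rejection policy is this example's assumption, not the product's."""

# Defaults exactly as listed in the reference: every algorithm is off by default.
DEFAULTS = {
    "NULLEnabled": "No", "DESEnabled": "No", "DES3Enabled": "No", "AESEnabled": "No",
    "BlowfishEnabled": "No", "TwofishEnabled": "No", "CAST128Enabled": "No",
    "BlowfishMinKeySize": 128, "BlowfishKeySize": 128, "BlowfishMaxKeySize": 448,
    "TwofishMinKeySize": 128, "TwofishKeySize": 128, "TwofishMaxKeySize": 256,
    "AESMinKeySize": 128, "AESKeySize": 128, "AESMaxKeySize": 256,
    "MD5Enabled": "No", "SHA1Enabled": "No",
}
CIPHER_FLAGS = ("NULLEnabled", "DESEnabled", "DES3Enabled", "AESEnabled",
                "BlowfishEnabled", "TwofishEnabled", "CAST128Enabled")
INTEGRITY_FLAGS = ("MD5Enabled", "SHA1Enabled")
MIN_ACCEPTABLE_KEY_BITS = 128   # policy threshold assumed for this example


def _yes(props: dict, key: str) -> bool:
    return str(props.get(key, DEFAULTS[key])).strip().lower() == "yes"


def _size(props: dict, key: str) -> int:
    return int(props.get(key, DEFAULTS[key]))


def audit_ike_algorithms(props: dict) -> list:
    """Return a list of finding strings; an empty list means the object passes."""
    name = props.get("Name", "<unnamed>")
    findings = []
    if _yes(props, "NULLEnabled"):
        findings.append(f"{name}: NULLEnabled=Yes offers a plaintext proposal")
    if _yes(props, "DESEnabled"):
        findings.append(f"{name}: DESEnabled=Yes permits 56-bit DES")
    if _yes(props, "MD5Enabled"):
        findings.append(f"{name}: MD5Enabled=Yes permits MD5 integrity")
    if not any(_yes(props, k) for k in CIPHER_FLAGS):
        findings.append(f"{name}: no encryption algorithm enabled (all default to No), "
                        "so no IKE proposal can be negotiated")
    if not any(_yes(props, k) for k in INTEGRITY_FLAGS):
        findings.append(f"{name}: no integrity algorithm enabled (all default to No)")
    # Key-size sanity for the variable-key ciphers the reference exposes.
    for alg in ("AES", "Blowfish", "Twofish"):
        if not _yes(props, f"{alg}Enabled"):
            continue
        lo, pref, hi = (_size(props, f"{alg}{part}KeySize") for part in ("Min", "", "Max"))
        if not lo <= pref <= hi:
            findings.append(f"{name}: {alg} key sizes inconsistent "
                            f"(min {lo}, preferred {pref}, max {hi})")
        if lo < MIN_ACCEPTABLE_KEY_BITS:
            findings.append(f"{name}: {alg}MinKeySize={lo} accepts keys shorter "
                            f"than {MIN_ACCEPTABLE_KEY_BITS} bits")
    return findings


# Constructed sample objects: a legacy proposal list and a hardened one.
LEGACY = {"Name": "ike_legacy", "DESEnabled": "Yes", "AESEnabled": "Yes",
          "AESMinKeySize": 64, "MD5Enabled": "Yes"}
HARDENED = {"Name": "ike_aes_sha1", "AESEnabled": "Yes", "AESMinKeySize": 128,
            "AESKeySize": 256, "AESMaxKeySize": 256, "SHA1Enabled": "Yes"}

if __name__ == "__main__":
    for obj in (LEGACY, HARDENED):
        print(obj["Name"], "->", audit_ike_algorithms(obj) or ["OK"])
```

SHA1 is the stronger of the two integrity options this object offers, so the check treats it as acceptable; the point of the helper is to make the per-algorithm Yes/No flags and the three key-size bounds reviewable as a unit, since an inconsistent min/preferred/max triple or a stray DESEnabled=Yes is easy to miss when reading the object property by property.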

3.22. Interface

This is a category that groups the following object types.

3.22.1. DefaultInterface

Description
A special interface used to represent internal mechanisms in the system as well as an abstract "any" interface.
Properties
Name      Specifies a symbolic name for the interface. (Identifier)
MTU       Specifies the size (in bytes) of the largest packet that can be passed onward. (Default: 1500)
Comments  Text describing the current object. (Optional)

3.22.2. Ethernet

Description
An Ethernet interface represents a logical endpoint for Ethernet traffic.
Properties
Name                       Specifies a symbolic name for the interface. (Identifier)
IP                         The IP address of the interface.
Network                    The network of the interface.
DefaultGateway             The default gateway of the interface. (Optional)
Broadcast                  The broadcast address of the connected network. (Optional)
PrivateIP                  The private IP address of this high availability node. (Optional)
NOCHB                      This will disable sending Cluster Heartbeats from this interface (used by HA to detect if a node is online and working). (Optional)
Metric                     Specifies the metric for the auto-created route. (Default: 100)
DHCPEnabled                Specifies that DHCP should be enabled on this interface. (Default: No)
EthernetDevice             Hardware settings for the Ethernet interface.
AutoSwitchRoute            Enable transparent mode, which means that a switch route is added automatically for this interface. (Default: No)
AutoInterfaceNetworkRoute  Automatically add a route for this interface using the given network. (Default: Yes)
AutoDefaultGatewayRoute    Automatically add a default route for this interface using the given default gateway. (Default: Yes)
DHCPDNS1                   IP of the primary DNS server. (Optional)
DHCPDNS2                   IP of the secondary DNS server. (Optional)
ReceiveMulticastTraffic    Sets the multicast receive mode of the interface. (Default: Auto)
MTU                        Specifies the size (in bytes) of the largest packet that can be passed onward. (Default: 1500)
Comments                   Text describing the current object. (Optional)

3.22.3. InterfaceGroup

Description
Use an interface group to combine several interfaces for a simplified security policy.
Properties
Name        Specifies a symbolic name for the interface. (Identifier)
Equivalent  Specifies if the interfaces should be considered security equivalent, that is, if enabled the interface group can be used as a destination interface in rules where connections might need to be moved between the two interfaces. (Default: No)
Members     Specifies the interfaces that are included in the interface group.
Comments    Text describing the current object. (Optional)

3.22.4. IPSecTunnel

Description
An IPsec tunnel item is used to define an IPsec endpoint and will appear as a logical interface in the system.
Properties
Index                   The index of the object, starting at 1. (Identifier)
Name                    Specifies a symbolic name for the interface.
LocalNetwork            The network on "this side" of the IPsec tunnel. The IPsec tunnel will be established between this network and the remote network.
RemoteNetwork           The network connected to the remote gateway. The IPsec tunnel will be established between the local network and this network.
RemoteEndpoint          Specifies the IP address of the remote endpoint. This is the address the security gateway will establish the IPsec tunnel to. It also dictates from where inbound IPsec tunnels are allowed. (Optional)
IKEAlgorithms           Specifies the IKE Proposal list used with the tunnel.
IPSecAlgorithms         Specifies the IPsec Proposal list used with the tunnel.
IKELifeTimeSeconds      The lifetime of the IKE connection in seconds. Whenever it expires, a new phase-1 exchange will be performed. (Default: 28800)
IPSecLifeTimeSeconds    The lifetime of the IPsec connection in seconds. Whenever it is exceeded, a re-key will be initiated, providing new IPsec encryption and authentication session keys. (Default: 3600)
IPSecLifeTimeKilobytes  The lifetime of the IPsec connection in kilobytes. (Default: 0)
EncapsulationMode       Specifies if the IPsec tunnel should use Tunnel or Transport mode. (Default: Tunnel)
AuthMethod              Certificate or Pre-shared key. (Default: PSK)
PSK                     Selects the Pre-shared key to use with this IPsec Tunnel.
LocalIDType             Selects the type of Local ID to use. (Default: Auto)
LocalIDValue            Specify the local identity of the tunnel ID.
GatewayCertificate      Selects the certificate the security gateway uses to authenticate itself to the other IPsec peer.
RootCertificates        Selects one or more root certificates to use with this IPsec Tunnel.
IDList                  Selects the identification list to use with this IPsec Tunnel. An identification list is a list of the identities that are allowed to establish an IPsec tunnel. (Optional)
XAuth                   Off, Required for inbound or Pass to peer gateway. (Default: Off)
XAuthUsername           Specifies the username to pass to the remote gateway via IKE XAuth.
XAuthPassword           Specifies the password to pass to the remote gateway via IKE XAuth.
DHCPOverIPSec           Allow DHCP over IPsec from single-host clients. (Default: No)
AddRouteToRemoteNet     Dynamically add a route to the remote networks when a tunnel is established. (Default: No)
PlaintextMTU            Specifies the size in bytes at which to fragment plaintext packets (rather than fragmenting IPsec). (Default: 1424)
OriginatorIPType        Specifies what IP address to use as source IP in e.g. NAT. (Default: LocalInterface)