Netgear SRX5308 Installation Manual

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

350 East Plumeria Drive San Jose, CA 95134 USA
August 2012 202-11138-01 v1.0
© 2012 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc.
NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice. Other brand and product names are registered trademarks or trademarks of their respective holders.
Technical Support
Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this manual, visit the Support website at http://support.netgear.com.
Phone (US & Canada only): 1-888-NETGEAR
Phone (Other Countries): Check the list of phone numbers at http://support.netgear.com/app/answers/detail/a_id/984.
Statement of Conditions
To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use, or application of, the product(s) or circuit layout(s) described herein.
Revision History
Publication Part Number | Version | Publish Date | Comments
202-11138-01 | 1.0 | August 2012 | First publication

Contents

Chapter 1 Introduction
  Command Syntax and Conventions
    Command Conventions
    Description of a Command
    Common Parameters
  The Four Categories of Commands
  The Four Main Modes for Configuration Commands
    Save Commands
  Global Commands
  The Three Basic Types of Commands
  Command Autocompletion and Command Abbreviation
    CLI Line-Editing Conventions
  Access the CLI
Chapter 2 Overview of the Configuration Commands
  Network Settings (Net Mode) Configuration Commands
  Security Settings (Security Mode) Configuration Commands
  Administrative and Monitoring Settings (System Mode) Configuration Commands
  VPN Settings (VPN Mode) Configuration Commands
Chapter 3 Net Mode Configuration Commands
  General WAN Commands
  IPv4 WAN Commands
  IPv6 WAN Commands
  IPv6 Tunnel Commands
  Dynamic DNS Commands
  IPv4 LAN Commands
  IPv6 LAN Commands
  IPv4 DMZ Setup Commands
  IPv6 DMZ Setup Commands
  WAN QoS Commands
  IPv4 Routing Commands
  IPv6 Routing Commands
Chapter 4 Security Mode Configuration Commands
  Security Services Commands
  Security Schedules Commands
  IPv4 Add Firewall Rule and Edit Firewall Rule Commands
  IPv4 General Firewall Commands
  IPv6 Firewall Commands
  Attack Check Commands
  Session Limit, Time-Out, and Advanced Commands
  Address Filter and IP/MAC Binding Commands
  Port Triggering Commands
  UPnP Command
  Bandwidth Profile Commands
  Content Filtering Commands
Chapter 5 System Mode Configuration Commands
  Remote Management Commands
  SNMP Commands
  Time Zone Command
  WAN Traffic Meter Command
  Firewall Logs and Email Alerts Commands
Chapter 6 VPN Mode Configuration Commands
  IPSec VPN Wizard Command
  IPSec IKE Policy Commands
  IPSec VPN Policy Commands
  IPSec VPN Mode Config Commands
  SSL VPN Portal Layout Commands
  SSL VPN Authentication Domain Commands
  SSL VPN Authentication Group Commands
  SSL VPN User Commands
  SSL VPN Port Forwarding Commands
  SSL VPN Client and Client Route Commands
  SSL VPN Resource Commands
  SSL VPN Policy Commands
  RADIUS Server Command
  PPTP Server Commands
  L2TP Server Commands
Chapter 7 Overview of the Show Commands
  Network Settings (Net Mode) Show Commands
  Security Settings (Security Mode) Show Commands
  Administrative and Monitoring Settings (System Mode) Show Commands
  VPN Settings (VPN Mode) Show Commands
Chapter 8 Show Commands
  Network Settings (Net Mode) Show Commands
    WAN IPv4 and WAN IPv6 Show Commands
    IPv6 Mode, IPv6 Tunnel, and SIIT Show Commands
    LAN DHCP Show Commands
    Dynamic DNS Show Commands
    IPv4 LAN Show Commands
    IPv6 LAN Show Commands
    DMZ Show Commands
    Routing Show Commands
    Network Statistics Show Commands
  Security Settings (Security Mode) Show Commands
    Services Show Command
    Schedules Show Command
    Firewall Rules Show Command
    Attack Checks Show Commands
    Session Limits Show Commands
    Advanced Firewall Show Commands
    Address Filter Show Commands
    Port Triggering Show Commands
    UPnP Show Commands
    Bandwidth Profiles Show Command
    Content Filtering Show Commands
  Administrative and Monitoring Settings (System Mode) Show Commands
    Remote Management Show Command
    SNMP Show Commands
    Time Show Command
    Firmware Version Show Command
    Status Show Command
    WAN Traffic Meter Show Command
    Logging Configuration Show Commands
    Logs Show Commands
  VPN Settings (VPN Mode) Show Commands
    IPSec VPN Show Commands
    SSL VPN Show Commands
    SSL VPN User Show Commands
    RADIUS Server Show Command
    PPTP Server Show Commands
    L2TP Server Show Commands
Chapter 9 Utility Commands
  Overview Util Commands
  Firmware Backup, Restore, and Upgrade Commands
  Diagnostic Commands
CLI Command Index

1. Introduction

This document describes the command-line interface (CLI) for the NETGEAR ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308.
This chapter introduces the CLI interface. It includes the following sections:
• Command Syntax and Conventions
• The Four Categories of Commands
• The Four Main Modes for Configuration Commands
• Global Commands
• The Three Basic Types of Commands
• Command Autocompletion and Command Abbreviation
• Access the CLI
Note: For more information about the topics covered in this manual, visit the support website at http://support.netgear.com.
Note: For more information about the features that you can configure using the CLI, see the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual.
Note: You cannot generate and upload a certificate through the CLI. You need to access the web management interface to manage these tasks.

Command Syntax and Conventions

A command is one or more words that can be followed by one or more keywords and parameters. Keywords and parameters can be required or optional:
• A keyword is a predefined string (word) that narrows down the scope of a command. A keyword can be followed by an associated parameter or by associated keywords. In many cases, these associated keywords are mutually exclusive, so you need to select one of them. In some cases, this manual refers to a group of words as a keyword.
• A parameter is a variable for which you need to type a value. You need to replace the parameter name with the appropriate value, which might be a name or number. A parameter can be associated with a command or with a keyword.
This manual lists each command by its full command name and provides a brief description of the command. In addition, for each command, the following information is provided:
• Format. Shows the command keywords and the required and optional parameters.
• Mode. Identifies the command mode you need to be in to access the command. (With some minor exceptions, the mode is always described using lower-case letters.)
• Related show command or commands. Identifies and links to the show command or commands that can display the configured information.
For more complicated commands, in addition to the format, mode, and related show command or commands, the following information is provided:
• Table. Explains the keywords and parameters that you can use for the command.
• Example. Shows a CLI example for the command.

Command Conventions

In this manual, the following type font conventions are used:
• A command name is stated in bold font.
• A keyword name is stated in bold font.
• A parameter name is stated in italic font.
The keywords and parameters for a command might include mandatory values, optional values, or choices. The following table describes the conventions that this manual uses to distinguish between value types:
Table 1. Command conventions
Symbol                                   Example                  Description
< > angle brackets                       <value>                  Indicate that you need to enter a value in place of the brackets and text inside them. (value is the parameter.)
[ ] square brackets                      [value]                  Indicate an optional parameter that you can enter in place of the brackets and text inside them. (value is the parameter.)
{ } curly braces                         {choice1 | choice2}      Indicate that you need to select a keyword from the list of choices. (choice1 and choice2 are keywords.)
| vertical bars                          choice1 | choice2        Separate the mutually exclusive choices. (choice1 and choice2 are keywords.)
[ { } ] braces within square brackets    [{choice1 | choice2}]    Indicate a choice within an optional element. (choice1 and choice2 are keywords.)

Description of a Command

The following example describes the net radvd pool lan edit <row id> command:
• net radvd pool lan edit is the command name.
• <row id> is the required parameter for which you need to enter a value after you type the command words.
The command lets you enter the net-config [radvd-pool-lan] mode, from which you can issue the following keywords and parameters:
    prefix_type {6To4 {sla_id <id number>} | {Global-Local-ISATAP} {prefix_address <ipv6-address>} {prefix_length <prefix length>}}
    prefix_life_time <seconds>
Explanation of the keywords and parameters:
• prefix_type is a keyword. The required associated keyword that you need to select is either 6To4 or Global-Local-ISATAP.
    • If you select 6To4, you also need to issue the sla_id keyword and enter a value for the <id number> parameter.
    • If you select Global-Local-ISATAP, you also need to issue the prefix_address keyword and enter a value for the <ipv6-address> parameter, and you need to issue the prefix_length keyword and enter a value for the <prefix length> parameter.
• prefix_life_time is a keyword. <seconds> is the required parameter for which you need to enter a value.
Command example:
    SRX5308> net radvd pool lan edit 12
    net-config[radvd-pool-lan]> prefix_type Global-Local-ISATAP
    net-config[radvd-pool-lan]> prefix_address 10FA:2203:6145:4201::
    net-config[radvd-pool-lan]> prefix_length 10
    net-config[radvd-pool-lan]> prefix_life_time 3600
    net-config[radvd-pool-lan]> save

Common Parameters

Parameter values might be names (strings) or numbers. To use spaces as part of a name parameter, enclose the name value in double quotes. For example, the expression “System Name with Spaces” forces the system to accept the spaces. Empty strings (“”) are not valid user-defined strings. The following table describes common parameter values and value formatting:
Table 2. Common parameters
Parameter | Description
ipaddr | This parameter is a valid IPv4 address. You need to enter the IP address in the a.b.c.d format, in which each octet is a number in the range from 0 to 255 (both inclusive), for example, 10.12.140.218. The CLI accepts decimal, hexadecimal, and octal formats through the following input formats (where n is any valid decimal, hexadecimal, or octal number):
    • 0xn (CLI assumes hexadecimal format)
    • 0n (CLI assumes octal format with leading zeros)
    • n (CLI assumes decimal format)
ipv6-address | This parameter is a valid IPv6 address. You can enter the IPv6 address in the following formats:
    • FE80:0000:0000:0000:020F:24FF:FEBF:DBCB, or
    • FE80:0:0:0:20F:24FF:FEBF:DBCB, or
    • FE80::20F:24FF:FEBF:DBCB, or
    • FE80:0:0:0:20F:24FF:128:141:49:32
    For additional information, see RFC 3513.
Character strings | Use double quotation marks to identify character strings, for example, “System Name with Spaces”. An empty string (“”) is not valid.
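Because the ipaddr parameter accepts hexadecimal and leading-zero octal octets, one address can be typed several ways, and a zero-padded octet such as 010 is read as octal 8 rather than decimal 10. The following Python code is an added example, not NETGEAR code: it normalizes the three notations from Table 2 so that addresses in a reviewed rule list can be compared. The rule labels and addresses are constructed, and accepting an uppercase 0X prefix and rejecting octets such as 08 are assumptions the manual does not state.

```python
"""Canonicalise SRX5308 `ipaddr` values typed with decimal, 0x-hex or 0-octal octets."""
import re
from collections import defaultdict

# The three octet notations listed in Table 2.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")  # 0xn (accepting 0X is an assumption)
_OCT = re.compile(r"0[0-7]+")            # 0n, octal with leading zero(s)
_DEC = re.compile(r"0|[1-9][0-9]*")      # n, plain decimal


def parse_octet(text):
    """Return the integer value of one octet, or raise ValueError."""
    if _HEX.fullmatch(text):
        value = int(text[2:], 16)
    elif _OCT.fullmatch(text):
        value = int(text[1:], 8)
    elif _DEC.fullmatch(text):
        value = int(text, 10)
    else:
        # Example: "08" has a leading zero (octal) but 8 is not an octal digit.
        raise ValueError(f"octet {text!r} is not decimal, 0x hex or 0 octal")
    if value > 255:
        raise ValueError(f"octet {text!r} = {value} is outside 0..255")
    return value


def canonical_ipv4(text):
    """Return the dotted-decimal form of an a.b.c.d address in any notation."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r} does not have four octets")
    return ".".join(str(parse_octet(part)) for part in parts)


def audit(entries):
    """Review (label, address-as-typed) pairs.

    Returns (aliases, octal_readings, rejected):
      aliases        canonical address -> sorted spellings, when more than one
      octal_readings entries with an octal octet whose value differs from
                     its decimal reading (for example 010 is 8, not 10)
      rejected       entries that are not valid ipaddr values
    """
    by_canonical = defaultdict(set)
    octal_readings, rejected = [], []
    for label, typed in entries:
        try:
            canonical = canonical_ipv4(typed)
        except ValueError as exc:
            rejected.append((label, typed, str(exc)))
            continue
        by_canonical[canonical].add(typed)
        if any(_OCT.fullmatch(p) and int(p, 10) != int(p[1:], 8)
               for p in typed.strip().split(".")):
            octal_readings.append((label, typed, canonical))
    aliases = {c: sorted(s) for c, s in by_canonical.items() if len(s) > 1}
    return aliases, octal_readings, rejected


# Constructed sample: labels and addresses are illustrative only.
SAMPLE_RULES = [
    ("allow-mgmt", "10.12.140.218"),
    ("block-host", "0x0A.014.0x8C.0xDA"),  # same host as allow-mgmt
    ("padded", "010.012.140.218"),         # octal: 8.10.140.218
    ("typo", "10.12.140.256"),
    ("bad-octal", "10.12.140.08"),
]

if __name__ == "__main__":
    aliases, octal_readings, rejected = audit(SAMPLE_RULES)
    for address, spellings in aliases.items():
        print("same address, different spellings:", address, spellings)
    for label, typed, canonical in octal_readings:
        print(f"{label}: {typed} is read as {canonical}")
    for label, typed, reason in rejected:
        print(f"{label}: rejected ({reason})")
```
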

The Four Categories of Commands

There are four CLI command categories:
• Configuration commands with four main configuration modes. For more information, see the following section, The Four Main Modes for Configuration Commands. Save commands also fall into this category (see Save Commands).
• Show commands that are available for the four main configuration modes (see Chapter 7, Overview of the Show Commands and Chapter 8, Show Commands).
• Utility commands (see Chapter 9, Utility Commands).
• Global commands (see Global Commands).

The Four Main Modes for Configuration Commands

For the configuration commands, there are four main modes in the CLI: net, security, system, and vpn. Chapter 2, Overview of the Configuration Commands lists all commands in these modes, and each of these modes is described in detail in a separate chapter (see Chapter 3 through Chapter 6).
The following table lists the main configuration modes, the configuration modes, the features that you can configure in each configuration mode, and, for orientation, the basic web management interface (GUI) path to the feature.
Table 3. Main configuration modes
CLI: Main Mode | CLI: Submode | CLI: Feature That You Can Configure | Web Management Interface (GUI): Basic Path
Network configuration commands
net | ddns | Dynamic DNS | Network Configuration > Dynamic DNS
net | dmz | DMZ for IPv4; DMZ for IPv6 | Network Configuration > DMZ Setup
net | ethernet | VLAN assignment to LAN interface | Network Configuration > LAN Setup
net | ipv6 | IPv4 or IPv4/IPv6 mode | Network Configuration > WAN Settings
net | ipv6_tunnel | IPv6 tunnels | Network Configuration > WAN Settings
net | lan | IPv4 LAN settings and VLANs; LAN groups for IPv4; Secondary IPv4 LAN addresses; Advanced IPv4 LAN settings; Fixed and reserved DHCP IPv4 addresses; LAN IPv4 traffic meter profiles; IPv6 LAN settings; Secondary IPv6 LAN addresses; IPv6 LAN DHCP address pools; IPv6 prefix delegation for the LAN | Network Configuration > LAN Setup
net | protocol_binding | Protocol bindings | Network Configuration > Protocol Binding
net | qos | WAN QoS profiles | Network Configuration > QoS
net | radvd | IPv6 RADVD and pools for the LAN; IPv6 RADVD and pools for the DMZ | Network Configuration > LAN Setup; Network Configuration > DMZ Setup
net | routing | Dynamic IPv4 routes; Static IPv4 routes; Static IPv6 routes | Network Configuration > Routing
net | siit | Stateless IP/ICMP Translation | Network Configuration > SIIT
net | wan | IPv4 WAN (Internet) settings; Secondary IPv4 WAN addresses; IPv6 WAN (Internet) settings; MTU, port speed, and MAC address, failure detection method, and upload/download settings | Network Configuration > WAN Settings
net | wan_settings | NAT or Classical Routing; Load balancing settings for IPv4 | Network Configuration > WAN Settings
Security configuration commands
security | address_filter | Source MAC filters; IP/MAC bindings for IPv4; IP MAC bindings for IPv6 | Security > Address Filter
security | bandwidth | Bandwidth profiles | Security > Bandwidth Profile
security | content_filter | Group filtering; Blocked keywords; Web components; Trusted domains | Security > Content Filtering
security | firewall | All IPv4 firewall rules; All IPv6 firewall rules; Attack checks; Session limits and time-outs; SIP ALG | Security > Firewall
security | porttriggering_rules | | Security > Port Triggering
security | schedules | | Security > Schedule
security | services | Custom services; LAN and WAN IP groups; LAN QoS profiles | Security > Services
security | upnp | | Security > UPnP
Administration and monitoring configuration commands
system | logging | | Monitoring > Firewall Logs & E-mail
system | remote_management | | Administration > Remote Management
system | snmp | | Administration > SNMP
system | time | | Administration > Time Zone
system | traffic_meter | WAN traffic meters | Monitoring > Traffic Meter
VPN configuration commands
vpn | ipsec | IKE policies; VPN policies; VPN IPSec Wizard; Mode Config records; RADIUS servers | VPN > IPSec VPN
vpn | l2tp | L2TP server | VPN > L2TP Server
vpn | pptp | PPTP server | VPN > PPTP Server
vpn | sslvpn | SSL policies; Resources and resource objects; Portal layouts; SSL VPN clients; Client routes; Port forwarding; Domains; Groups; User accounts; User login and IP policies | VPN > SSL VPN; Users

Save Commands

The following table describes the configuration commands that let you save or cancel configuration changes in the CLI. You can use these commands in any of the four main configuration modes. These commands are not preceded by a period.
Table 4. Save commands
Command | Description
save | Save the configuration changes.
exit | Save the configuration changes and exit the current configuration mode.
cancel | Roll back the configuration changes.
Commands That Require Saving
After you have issued a command that includes the word configure, add, or edit, you enter a configuration mode from which you can issue keywords and associated parameters.
These are examples of commands for which you need to save your changes:
• net lan ipv4 configure <vlan id> lets you enter the net-config [lan-ipv4] configuration mode. After you have made your changes, issue save or exit to save your changes.
• security content_filter trusted_domain add lets you enter the security-config [approved-urls] configuration mode. After you have made your changes, issue save or exit to save your changes.
• vpn sslvpn users groups add lets you enter the vpn-config [user-groups] configuration mode. After you have made your changes, issue save or exit to save your changes.
Commands That Do Not Require Saving
You do not need to save your changes after you have issued a command that deletes, disables, or enables a row ID, name, IP address, or MAC address, or that lets you make a configuration change without entering another configuration mode.
These are examples of commands that you do not need to save:
• net lan dhcp reserved_ip delete <mac address>
• vpn ipsec vpnpolicy disable <vpn policy name>
• security firewall ipv4 enable <row id>
• security firewall ipv4 default_outbound_policy {Allow | Block}
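A change script that enters a configuration mode and never issues save or exit leaves the intended setting, for example a firewall or WAN change, unapplied. The following Python checker is an added example, not NETGEAR code: it applies the rules above to a list of typed CLI lines and reports configuration modes with pending keyword lines that were not saved or were rolled back with cancel. The sample script is constructed from commands shown in this manual; treating .top, .exit, .reboot, and any new net, security, system, vpn, or util command as leaving the mode, and treating save and cancel as staying in it, are assumptions.

```python
"""Flag SRX5308 CLI change scripts whose configuration-mode edits are never saved."""

MAIN_MODES = {"net", "security", "system", "vpn"}
ENTRY_WORDS = {"configure", "add", "edit"}     # these commands enter a config mode
LEAVING_GLOBALS = {".top", ".exit", ".reboot"}  # assumption: these abandon the mode


def lint_script(script):
    """Return findings as (line_no, kind, command) tuples.

    kind is "unsaved" (mode left with pending keyword lines), "rolled_back"
    (cancel discarded pending lines) or "outside_mode" (keyword line typed
    while no configuration mode is open). For the first two kinds, line_no
    and command identify the command that entered the mode.
    """
    findings = []
    open_mode = None  # (line_no, command) of the mode currently open
    pending = 0       # keyword lines typed since the last save

    def flag_unsaved():
        if open_mode and pending:
            findings.append((open_mode[0], "unsaved", open_mode[1]))

    for line_no, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        first = words[0]

        if first in (".help", ".history"):
            continue  # informational global commands change nothing
        if open_mode and first in ("save", "exit", "cancel"):
            if first == "cancel" and pending:
                findings.append((open_mode[0], "rolled_back", open_mode[1]))
            pending = 0
            if first == "exit":  # exit saves and leaves the mode
                open_mode = None
            continue
        if first in MAIN_MODES or first == "util" or first in LEAVING_GLOBALS:
            flag_unsaved()
            open_mode, pending = None, 0
            if first in MAIN_MODES and ENTRY_WORDS.intersection(words[1:]):
                open_mode = (line_no, line)
            continue
        if open_mode:
            pending += 1
        else:
            findings.append((line_no, "outside_mode", line))

    flag_unsaved()  # script ended while a mode still had pending lines
    return findings


# Constructed sample script built from commands that appear in this manual.
SAMPLE_SCRIPT = """\
net radvd pool lan edit 12
prefix_type Global-Local-ISATAP
prefix_address 10FA:2203:6145:4201::
prefix_length 10
prefix_life_time 3600
save
security firewall ipv4 enable 3
net wan wan1 ipv4 configure
isp_connection_type DHCPC
.top
net radvd pool lan edit 12
prefix_life_time 7200
cancel
exit
net wan wan1 ipv4 configure
isp_connection_type STATIC
"""

if __name__ == "__main__":
    for line_no, kind, command in lint_script(SAMPLE_SCRIPT):
        print(f"line {line_no}: {kind}: {command}")
```
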

Global Commands

The following table describes the global commands that you can use anywhere in the CLI. These commands need to be preceded by a period.
Table 5. Global CLI commands
Command | Description
.exit | Exit the current session.
.help | Display an overview of the CLI syntax.
.top | Return to the default command mode or root.
.reboot | Reboot the system.
.history | Display the command-line history of the current session.

The Three Basic Types of Commands

You can encounter the following three basic types of commands in the CLI:
• Entry commands to enter a configuration mode. Commands that let you enter a configuration mode from which you can configure various keywords and associated parameters and keywords. For example, the net wan wan1 ipv4 configure command lets you enter the net-config [wan1-ipv4] mode, from which you can configure the IPv4 WAN settings.
  This type of command is the most common in the CLI and is always indicated by two steps in this manual, each one showing the format and mode:
    Step 1
      Format: net wan wan ipv4 configure <wan interface>
      Mode: net
    Step 2
      Format: This section shows the keywords and associated parameters, for example:
              isp_connection_type {STATIC | DHCPC | PPPoE | PPTP}
      Mode: net-config [wan1-ipv4]
  Sometimes, you need to enter a parameter to enter a configuration mode. For example, security schedules edit <row id> requires you to enter the row ID parameter to enter the security-config [schedules] mode, from which you can modify various keywords and associated parameters and keywords.
• Commands with a single parameter. Commands that require you to supply one or more parameters and that do not let you enter another configuration mode. The parameter is usually a row ID or a name. For example, security firewall ipv4 delete <row id> requires you to enter the row ID parameter to delete the firewall rule.
  For this type of command, the format and mode are shown in this manual:
      Format: security firewall ipv4 delete <row id>
      Mode: security
• Commands without parameters. Commands that do not require you to supply a parameter after the command and that do not let you enter another configuration mode. For example, util restore_factory_defaults does not require parameters.
  For this type of command also, the format and mode are shown in this manual:
      Format: util restore_factory_defaults
      Mode: util

Command Autocompletion and Command Abbreviation

Command autocompletion finishes spelling the command when you type enough letters of a command to uniquely identify the command keyword. You need to type all of the required keywords and parameters before you can use autocompletion.
The following keys both perform autocompletion for the current command. If the command prefix is not unique, a subsequent repeat of the key displays possible completions.
• Enter or Return key. Autocompletes, syntax-checks, and then executes the command. If there is a syntax error, the offending part of the command is highlighted and explained.
• Spacebar. Autocompletes, or if the command is already resolved, inserts a space.

CLI Line-Editing Conventions

The following table describes the key combinations that you can use to edit commands or increase the speed of command entry. Access this list from the CLI by issuing .help.
Table 6. CLI editing conventions
Key or Key Sequence | Description
Invoking context-sensitive help
? | Displays context-sensitive help. The information that displays consists either of a list of possible command completions with summaries or of the full syntax of the current command. When a command has been resolved, a subsequent repeat of the help key displays a detailed reference.
Autocompleting
Note: Command autocompletion finishes spelling the command when you type enough letters of a command to uniquely identify the command keyword. However, you need to type all of the required keywords and parameters before you use autocompletion.
Enter (or Return) | Autocompletes, syntax-checks, and then executes a command. If there is a syntax error, the offending part of the command line is highlighted and explained. If the command prefix is not unique, a subsequent repeat of the key displays possible completions.
Spacebar | Autocompletes, or if the command is already resolved, inserts a space. If the command prefix is not unique, a subsequent repeat of the key displays possible completions.
Moving around
Ctrl-A | Go to the beginning of the line.
Ctrl-E | Go to the end of the line.
Up arrow | Go to the previous line in the history buffer.
Down arrow | Go to the next line in the history buffer.
Left arrow | Go backward one character.
Right arrow | Go forward one character.
Deleting
Ctrl-C | Delete the entire line.
Ctrl-D | Delete the next character.
Ctrl-K | Delete all characters to the end of the line from where the cursor is located.
Backspace | Delete the previous character.
Invoking escape sequences
!! | Substitute the previous line.
!N | Substitute the Nth line, in which N is the absolute line number as displayed in the output of the history command.
!-N | Substitute the line that is located N lines before the current line, in which N is a relative number in relation to the current line.

Access the CLI

You can access the CLI by logging in with the same user credentials (user name and password) that you use to access the web management interface. SRX5308> is the CLI prompt.
    SRX5308 login: admin
    Password:
    ************************************************
    Welcome to SRX5308 Command Line Interface
    ************************************************
    SRX5308>

2. Overview of the Configuration Commands

This chapter provides an overview of all configuration commands in the four configuration command modes. The keywords and associated parameters that are available for these commands are explained in the following chapters. The chapter includes the following sections:
• Network Settings (Net Mode) Configuration Commands
• Security Settings (Security Mode) Configuration Commands
• Administrative and Monitoring Settings (System Mode) Configuration Commands
• VPN Settings (VPN Mode) Configuration Commands

Network Settings (Net Mode) Configuration Commands

Enter the net ? command at the CLI prompt to display the submodes in the net mode. The following table lists the submodes and their commands in alphabetical order:
Table 7. Net mode configuration commands
Submode | Command Name | Purpose
ddns | net ddns configure | Enable, configure, or disable DDNS service.
dmz | net dmz ipv4 configure | Enable, configure, or disable the IPv4 DMZ.
dmz | net dmz ipv6 configure | Enable, configure, or disable the IPv6 DMZ.
dmz | net dmz ipv6 pool configure <ipv6 address> | Configure a new or existing IPv6 DMZ DHCP address pool.
dmz | net dmz pool ipv6 delete <ipv6 address> | Delete an IPv6 DMZ DHCP address pool.
ethernet | net ethernet configure <interface name or number> | Configure a VLAN for a LAN interface.
ipv6 | net ipv6 ipmode configure | Configure the IP mode (IPv4 only or IPv4/IPv6).
ipv6_tunnel | net ipv6_tunnel isatap add | Configure a new IPv6 ISATAP tunnel.
ipv6_tunnel | net ipv6_tunnel isatap delete <row id> | Delete an IPv6 ISATAP tunnel.
ipv6_tunnel | net ipv6_tunnel isatap edit <row id> | Configure an existing IPv6 ISATAP tunnel.
ipv6_tunnel | net ipv6_tunnel six_to_four configure | Enable or disable automatic (6to4) tunneling.
lan | net lan dhcp reserved_ip configure <mac address> | Bind a MAC address to an IP address for DHCP reservation or change an existing binding, and assign a LAN group.
lan | net lan dhcp reserved_ip delete <mac address> | Delete the binding of a MAC address to an IP address.
lan | net lan ipv4 advanced configure | Configure advanced LAN settings such as the MAC address for VLANs and ARP broadcast.
lan | net lan ipv4 configure <vlan id> | Configure a new or existing VLAN.
lan | net lan ipv4 default_vlan | Configure the default VLAN for each port.
lan | net lan ipv4 delete <vlan id> | Delete a VLAN.
lan | net lan ipv4 disable <vlan id> | Disable a VLAN.
lan | net lan ipv4 enable <vlan id> | Enable a VLAN.
lan | net lan ipv4 multi_homing add | Configure a new secondary IPv4 address.
lan | net lan ipv4 multi_homing delete <row id> | Delete a secondary IPv4 address.
lan | net lan ipv4 multi_homing edit <row id> | Configure an existing secondary IPv4 address.
lan | net lan ipv4 traffic_meter configure <ip address> | Configure a traffic meter profile for an IPv4 address.
lan | net lan ipv4 traffic_meter delete <row id> | Delete a traffic meter profile.
lan | net lan ipv6 configure | Configure the IPv6 LAN address settings and DHCPv6.
lan | net lan ipv6 multi_homing add | Configure a new secondary IPv6 address.
lan | net lan ipv6 multi_homing delete <row id> | Delete a secondary IPv6 address.
lan | net lan ipv6 multi_homing edit <row id> | Configure an existing secondary IPv6 address.
lan | net lan ipv6 pool add | Configure a new IPv6 LAN DHCP address pool.
lan | net lan ipv6 pool delete <row id> | Delete an IPv6 LAN DHCP address pool.
lan | net lan ipv6 pool edit <row id> | Configure an existing IPv6 LAN DHCP address pool.
lan | net lan ipv6 prefix_delegation add | Configure a new prefix for IPv6 LAN prefix delegation.
lan | net lan ipv6 prefix_delegation delete <row id> | Delete a prefix for IPv6 LAN prefix delegation.
lan | net lan ipv6 prefix_delegation edit <row id> | Configure an existing prefix for IPv6 LAN prefix delegation.
lan | net lan lan_groups edit <row id> <new group name> | Change an existing LAN default group name.
protocol binding | net protocol_binding add | Configure a new protocol binding.
protocol binding | net protocol_binding delete | Delete a protocol binding.
protocol binding | net protocol_binding disable | Disable a protocol binding.
protocol binding | net protocol_binding edit <row id> | Configure an existing protocol binding.
protocol binding | net protocol_binding enable | Enable a protocol binding.
qos | net qos configure | Configure the QoS mode for the WAN interfaces.
qos | net qos profile add | Configure a new WAN QoS profile.
qos | net qos profile delete <row id> | Delete a WAN QoS profile.
qos | net qos profile disable <row id> | Disable a WAN QoS profile.
qos | net qos profile edit <row id> | Configure an existing WAN QoS profile.
qos | net qos profile enable <row id> | Enable a WAN QoS profile.
radvd | net radvd configure dmz | Configure the IPv6 RADVD for the DMZ.
radvd | net radvd configure lan | Configure the IPv6 RADVD for the LAN.
routing | net routing dynamic configure | Configure RIP and the associated MD5 key information.
routing | net routing static ipv4 configure <route name> | Configure a new or existing IPv4 static route.
routing | net routing static ipv4 delete <route name> | Delete an IPv4 static route.
routing | net routing static ipv4 delete_all | Delete all IPv4 routes.
routing | net routing static ipv6 configure <route name> | Configure a new or existing IPv6 static route.
routing | net routing static ipv6 delete <route name> | Delete an IPv6 static route.
routing | net routing static ipv6 delete_all | Delete all IPv6 routes.
siit | net siit configure | Configure Stateless IP/ICMP Translation
wan | net wan port_setup configure <wan interface> | Configure the MTU, port speed, and MAC address of the VPN firewall.
wan | net wan wan ipv4 configure <wan interface> | Configure the IPv4 settings of the WAN interface.
wan | net wan wan ipv4 secondary_address add <wan interface> | Configure a secondary IPv4 WAN address.
wan | net wan wan ipv4 secondary_address delete <row id> | Delete a secondary IPv4 WAN address.
wan | net wan wan ipv6 configure <wan interface> | Configure the IPv6 settings of the WAN interface.
wan_settings | net wan_settings load_balancing configure | Configure the load balancing settings for two WAN interfaces that are configured for IPv4.
wan_settings | net wan_settings wanmode configure | Configure the mode of IPv4 routing (NAT or classical routing) between the WAN interface and LAN interfaces.

Security Settings (Security Mode) Configuration Commands

Enter the security ? command at the CLI prompt to display the submodes in the security mode. The following table lists the submodes and their commands in alphabetical order:
Table 8. Security mode configuration commands
Submode | Command Name | Purpose
address_filter | security address_filter ip_or_mac_binding add | Configure a new IP/MAC binding rule.
address_filter | security address_filter ip_or_mac_binding delete <row id> | Delete an IP/MAC binding rule.
address_filter | security address_filter ip_or_mac_binding edit <row id> | Configure an existing IP/MAC binding rule.
address_filter | security address_filter ip_or_mac_binding enable_email_log <ip version> | Configure the email log for IP/MAC Binding violations.
address_filter | security address_filter mac_filter configure | Configure the source MAC address filter.
address_filter | security address_filter mac_filter source add | Configure a new MAC source address.
address_filter | security address_filter mac_filter source delete <row id> | Delete a MAC source address.
bandwidth | security bandwidth profile add | Configure a new bandwidth profile.
bandwidth | security bandwidth profile delete <row id> | Delete a bandwidth profile.
bandwidth | security bandwidth profile edit <row id> | Configure an existing bandwidth profile.
bandwidth | security bandwidth enable_bandwidth_profiles {Y | N} | Enable or disable bandwidth profile globally.
content_filter | security content_filter block_group disable | Remove content filtering from groups.
content_filter | security content_filter block_group enable | Apply content filtering to groups.
content_filter | security content_filter blocked_keywords add | Configure a new blocked keyword.
content_filter | security content_filter blocked_keywords delete <row id> | Delete a blocked keyword.
content_filter | security content_filter blocked_keywords edit <row id> | Configure an existing blocked keyword.
content_filter | security content_filter content_filtering configure | Configure web content filtering.
content_filter | security content_filter trusted_domain add | Configure a new trusted domain.
content_filter | security content_filter trusted_domain delete <row id> | Delete a trusted domain.
content_filter | security content_filter trusted_domain edit <row id> | Configure an existing trusted domain.
firewall | security firewall advanced algs | Configure SIP support for the ALG.
firewall | security firewall attack_checks configure ipv4 | Configure WAN and LAN security attack checks for IPv4 traffic.
firewall | security firewall attack_checks configure ipv6 | Configure WAN security attack checks for IPv6 traffic.
firewall | security firewall attack_checks igmp configure | Enable or disable multicast pass-through for IPv4 traffic.
firewall | security firewall attack_checks vpn_passthrough configure | Configure VPN pass-through for IPv4 traffic.
firewall | security firewall ipv4 add_rule dmz_wan inbound | Configure a new IPv4 DMZ WAN inbound firewall rule.
firewall | security firewall ipv4 add_rule dmz_wan outbound | Configure a new IPv4 DMZ WAN outbound firewall rule.
firewall | security firewall ipv4 add_rule lan_dmz inbound | Configure a new IPv4 LAN DMZ inbound firewall rule.
firewall | security firewall ipv4 add_rule lan_dmz outbound | Configure a new IPv4 LAN DMZ outbound firewall rule.
firewall | security firewall ipv4 add_rule lan_wan inbound | Configure a new IPv4 LAN WAN inbound firewall rule.
firewall | security firewall ipv4 add_rule lan_wan outbound | Configure a new IPv4 LAN WAN outbound firewall rule.
firewall | security firewall ipv4 default_outbound_policy {Allow | Block} | Configure the default outbound policy for IPv4 traffic.
firewall | security firewall ipv4 delete <row id> | Delete an IPv4 firewall rule.
firewall | security firewall ipv4 disable <row id> | Disable an IPv4 firewall rule.
firewall | security firewall ipv4 edit_rule dmz_wan inbound <row id> | Configure an existing IPv4 DMZ WAN inbound firewall rule.
firewall | security firewall ipv4 edit_rule dmz_wan outbound <row id> | Configure an existing IPv4 DMZ WAN outbound firewall rule.
firewall | security firewall ipv4 edit_rule lan_dmz inbound <row id> | Configure an existing IPv4 LAN DMZ inbound firewall rule.
firewall | security firewall ipv4 edit_rule lan_dmz outbound <row id> | Configure an existing IPv4 LAN DMZ outbound firewall rule.
firewall | security firewall ipv4 edit_rule lan_wan inbound <row id> | Configure an existing IPv4 LAN WAN inbound firewall rule.
firewall | security firewall ipv4 edit_rule lan_wan outbound <row id> | Configure an existing IPv4 LAN WAN outbound firewall rule.
firewall | security firewall ipv4 enable <row id> | Enable an IPv4 firewall rule.
firewall | security firewall ipv6 configure | Configure a new IPv6 firewall rule.
firewall | security firewall ipv6 default_outbound_policy {Allow | Block} | Configure the default outbound policy for IPv6 traffic.
firewall | security firewall ipv6 delete <row id> | Delete an IPv6 firewall rule.
firewall | security firewall ipv6 disable <row id> | Disable an IPv6 firewall rule.
firewall | security firewall ipv6 edit <row id> | Configure an existing IPv6 firewall rule.
firewall | security firewall ipv6 enable <row id> | Enable an IPv6 firewall rule.
firewall | security firewall session_limit configure | Configure global session limits.
firewall | security firewall session_settings configure | Configure global session time-outs.
porttriggering_rules | security porttriggering_rules add | Configure a new port triggering rule.
porttriggering_rules | security porttriggering_rules delete <row id> | Delete a port triggering rule.
porttriggering_rules | security porttriggering_rules edit <row id> | Configure an existing port triggering rule.
schedules | security schedules edit {1 | 2 | 3} | Configure one of the three security schedules.
services | security services add | Configure a new custom service.
services | security services delete <row id> | Delete a custom service.
services | security services edit <row id> | Configure an existing custom service.
services | security services ip_group add | Configure a new LAN or WAN IP group.
services | security services ip_group add_ip_to <group name> | Add an IP address to a LAN or WAN IP group.
services | security services ip_group delete <row id> | Delete a LAN or WAN IP group.
services | security services ip_group delete_ip <row id> | Remove an IP address from a LAN or WAN IP group.
services | security services ip_group edit <row id> | Configure an existing LAN or WAN IP group.
services | security services qos_profile add | Add a QoS profile.
services | security services qos_profile delete <row id> | Delete a QoS profile.
services | security services qos_profile edit <row id> | Configure an existing QoS profile.
upnp | security upnp configure | Configure UPnP.

Administrative and Monitoring Settings (System Mode) Configuration Commands

Enter the system ? command at the CLI prompt to display the submodes in the system mode. The following table lists the submodes and their commands in alphabetical order:
Table 9. System mode configuration commands
Submode | Command Name | Purpose
logging | system logging configure | Configure routing logs for accepted and dropped IPv4 and IPv6 packets.
logging | system logging remote configure | Configure email logs and alerts, schedule email logs and alerts, and configure a syslog server.
remote_management | system remote_management https configure | Configure remote management over HTTPS.
remote_management | system remote_management telnet configure | Configure remote management over Telnet.
snmp | system snmp sys configure | Configure the SNMP system information.
time | system time configure | Configure the system time, date, and NTP servers.
traffic_meter | system traffic_meter configure <wan interface> | Configure the WAN traffic meter.

VPN Settings (VPN Mode) Configuration Commands

Enter the vpn ? command at the CLI prompt to display the submodes in the vpn mode. The following table lists the submodes and their commands in alphabetical order:
Table 10. Configuration commands: vpn mode
Submode | Command Name | Purpose
ipsec | vpn ipsec ikepolicy configure <ike policy name> | Configure a new or existing manual IPSec IKE policy.
ipsec | vpn ipsec ikepolicy delete <ike policy name> | Delete an IPSec policy.
ipsec | vpn ipsec mode_config configure <record name> | Configure a new or existing Mode Config record.
ipsec | vpn ipsec mode_config delete <record name> | Delete a Mode Config record.
ipsec | vpn ipsec radius configure | Configure the RADIUS servers.
ipsec | vpn ipsec vpnpolicy configure <vpn policy name> | Configure a new or existing auto IPSec VPN policy or manual IPSec VPN policy.
ipsec | vpn ipsec vpnpolicy connect <vpn policy name> | Establish a VPN connection.
ipsec | vpn ipsec vpnpolicy delete <vpn policy name> | Delete an IPSec VPN policy.
ipsec | vpn ipsec vpnpolicy disable <vpn policy name> | Disable an IPSec VPN policy.
ipsec | vpn ipsec vpnpolicy drop <vpn policy name> | Terminate an IPSec VPN connection.
ipsec | vpn ipsec vpnpolicy enable <vpn policy name> | Enable an IPSec VPN policy.
ipsec | vpn ipsec wizard configure <Gateway | VPN_Client> | Configure the IPSec VPN wizard for a gateway-to-gateway or gateway-to-VPN client connection.
l2tp | vpn l2tp server configure | Configure the L2TP server.
pptp | vpn pptp server configure | Configure the PPTP server.
radius | vpn ipsec radius configure | Configure the RADIUS server.
sslvpn | vpn sslvpn client ipv4 | Configure the SSL client IPv4 address range.
sslvpn | vpn sslvpn client ipv6 | Configure the SSL client IPv6 address range.
sslvpn | vpn sslvpn policy add | Configure a new SSL VPN policy.
sslvpn | vpn sslvpn policy delete <row id> | Delete an SSL VPN policy.
sslvpn | vpn sslvpn policy edit <row id> | Configure an existing SSL VPN policy.
sslvpn | vpn sslvpn portal_layouts add | Configure a new SSL VPN portal layout.
sslvpn | vpn sslvpn portal_layouts delete <row id> | Delete an SSL VPN portal layout.
sslvpn | vpn sslvpn portal_layouts edit <row id> | Configure an existing SSL VPN portal layout.
sslvpn | vpn sslvpn portal_layouts set-default <row id> | Configure the default SSL VPN portal layout.
sslvpn | vpn sslvpn portforwarding appconfig add | Configure a new SSL port forwarding application.
sslvpn | vpn sslvpn portforwarding appconfig delete <row id> | Delete an SSL VPN port forwarding application.
sslvpn | vpn sslvpn portforwarding hostconfig add | Configure a new host name for an SSL port forwarding application.
sslvpn | vpn sslvpn portforwarding hostconfig delete <row id> | Delete a host name for an SSL port forwarding application.
sslvpn | vpn sslvpn resource add | Add a new SSL VPN resource.
sslvpn | vpn sslvpn resource configure add <resource name> | Configure an SSL VPN resource object.
sslvpn | vpn sslvpn resource configure delete <row id> | Deletes an SSL VPN resource object.
sslvpn | vpn sslvpn resource delete <row id> | Delete an SSL VPN resource.
sslvpn | vpn sslvpn route add | Add an SSL VPN client route.
sslvpn | vpn sslvpn route delete <row id> | Delete an SSL VPN client route.
sslvpn | vpn sslvpn users domains add | Configure a new authentication domain.
sslvpn | vpn sslvpn users domains delete <row id> | Delete an authentication domain.
sslvpn | vpn sslvpn users domains disable_Local_Authentication {Y | N} | Enable or disable local authentication for users.
sslvpn | vpn sslvpn users domains edit <row id> | Configure an existing authentication domain.
sslvpn | vpn sslvpn users groups add | Configure a new authentication group.
sslvpn | vpn sslvpn users groups delete <row id> | Delete an authentication group.
sslvpn | vpn sslvpn users groups edit <row id> | Configure an existing authentication group.
sslvpn | vpn sslvpn users users add | Add a new user account.
sslvpn | vpn sslvpn users users browser_policies <row id> | Configure the client browsers from which a user is either allowed or denied access.
sslvpn | vpn sslvpn users users delete <row id> | Delete a user account.
sslvpn | vpn sslvpn users users edit <row id> | Configure an existing user account.
sslvpn | vpn sslvpn users users ip_policies configure <row id> | Configure source IP addresses from which a user is either allowed or denied access.
sslvpn | vpn sslvpn users users ip_policies delete <row id> | Delete a source IP address for a user.
sslvpn | vpn sslvpn users users login_policies <row id> | Configure the login policy for a user.

3. Net Mode Configuration Commands

This chapter explains the configuration commands, keywords, and associated parameters in the net mode. The chapter includes the following sections:
General WAN Commands
IPv4 WAN Commands
IPv6 WAN Commands
IPv6 Tunnel Commands
Dynamic DNS Commands
IPv4 LAN Commands
IPv6 LAN Commands
IPv4 DMZ Setup Commands
IPv6 DMZ Setup Commands
WAN QoS Commands
IPv4 Routing Commands
IPv6 Routing Commands

IMPORTANT: After you have issued a command that includes the word configure, add, or edit, you need to save (or cancel) your changes. For more information, see Save Commands on page 12.

General WAN Commands

net wan port_setup configure <wan interface>
This command configures the advanced WAN settings for a WAN interface, that is, the MTU, port speed, MAC address, failure detection method, and upload and download settings of the VPN firewall. After you have issued the net wan port_setup configure command to specify one of the four WAN interfaces (that is, WAN1, WAN2, WAN3, or WAN4), you enter the net-config [port_setup] mode, and then you can configure the advanced settings for the specified interface in the order that you prefer.
Step 1
Format
    net wan port_setup configure <wan interface>
Mode
    net

Step 2
Format
    def_mtu {Default | Custom {mtu_size <number>}}
    port_speed {Auto_Sense | 10_BaseT_Half_Duplex | 10_BaseT_Full_Duplex | 100_BaseT_Half_Duplex | 100_BaseT_Full_Duplex | 1000_BaseT_Full_Duplex}
    mac_type {Use-Default-Mac | Use-This-Computers-Mac | Use-This-Mac {mac_address <mac address>}}
    failover_method type {None | WAN-DNS {failover_method retry_interval <seconds>} {failover_method retry_attempts <number>} | CUSTOM-DNS {failover_method dns_ipaddress_wan <ipaddress>} {failover_method retry_interval <seconds>} {failover_method retry_attempts <number>} | Ping {failover_method ping_ipaddress_wan <ipaddress>} {failover_method retry_interval <seconds>} {failover_method retry_attempts <number>}}
    upload_download wan_conn_type {DSL | ADSL | T1 | T3 | Other}
    upload_download upload_speed_type {56-Kbps | 128-Kbps | 256-Kbps | 384-Kbps | 512-Kbps | 768-Kbps | 1500-Kbps | 1544-Kbps | 10-Mbps | 44.736-Mbps | 100-Mbps | 1-Gbps | Custom {upload_download upload_speed <speed>}}
    upload_download download_speed_type {56-Kbps | 128-Kbps | 256-Kbps | 384-Kbps | 512-Kbps | 768-Kbps | 1500-Kbps | 1544-Kbps | 10-Mbps | 44.736-Mbps | 100-Mbps | 1-Gbps | Custom {upload_download download_speed <speed>}}
Mode
    net-config [port_setup]

Keyword | Associated Keyword to Select or Parameter to Type | Description
MTU
def_mtu | Default or Custom | Specifies whether the default MTU or a custom MTU is used. If you select Custom, you need to issue the mtu_size keyword and specify the size of the MTU.
mtu_size | number | The size of the default MTU in bytes for the WAN port. If you have configured IPv4 mode, type a number between 68 and 1500 bytes. If you have configured IPv4/IPv6 mode, type a number between 1280 and 1500 bytes.
Port speed
port_speed | Auto_Sense, 10_BaseT_Half_Duplex, 10_BaseT_Full_Duplex, 100_BaseT_Half_Duplex, 100_BaseT_Full_Duplex, or 1000_BaseT_Full_Duplex | Specifies the port speed and duplex mode of the WAN port. The keywords are self-explanatory.
MAC address
mac_type | Use-Default-Mac, Use-This-Computers-Mac, or Use-This-Mac | Specifies the source for the MAC address. The default setting is Use-Default-Mac. If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, select either Use-This-Computers-Mac or select Use-This-Mac. If you select the latter keyword, you need to issue the mac_address keyword and specify the MAC address that is expected by your ISP.
mac_address | mac address | The MAC address that the ISP requires for MAC authentication when the mac_type keyword is set to Use-This-Mac.
Failure detection method
failover_method type | None, WAN-DNS, CUSTOM-DNS, or Ping | Specifies the type of failover method for IPv4 connections. You can specify only one type of method. None. There is no failover method configured. WAN-DNS. DNS queries are sent to the DNS server that you configure through the net wan wan ipv4 configure <wan interface> command. CUSTOM-DNS. DNS queries are sent to the DNS server that you need to specify with the failover_method dns_ipaddress_wan keyword. Ping. Pings are sent to a server with a public IP address that you need to specify with the failover_method ping_ipaddress_wan keyword. For all three failover methods, you also need to issue the failover_method retry_interval keyword to specify an interval and the failover_method retry_attempts keyword to specify the number of attempts.
failover_method retry_interval | seconds | The retry interval in seconds, from 5 to 999 seconds. The DNS query or ping is sent periodically after every test period.
failover_method retry_attempts | number | The number of failover attempts, from 2 to 999. The primary WAN interface is considered down after the specified number of queries have failed to elicit a reply. The backup interface is brought up after this situation has occurred.
failover_method dns_ipaddress_wan | ipaddress | The address of the DNS server to which the DNS queries are sent if the failover method is set to CUSTOM-DNS.
failover_method ping_ipaddress_wan | ipaddress | The ping address to which the pings are sent if the failover method is set to Ping.
Upload and download settings
upload_download wan_conn_type | DSL, ADSL, T1, T3, or Other | Specifies the type of WAN connection that the VPN firewall uses to connect to the Internet.
upload_download upload_speed_type | 56-Kbps, 128-Kbps, 256-Kbps, 384-Kbps, 512-Kbps, 768-Kbps, 1500-Kbps, 1544-Kbps, 10-Mbps, 44.736-Mbps, 100-Mbps, 1-Gbps, or Custom | Specifies the maximum upload speed that is provided by your ISP. If you select Custom, you need to specify the speed in Kbps with the upload_download upload_speed keyword.
upload_download upload_speed | speed | The upload speed in Kbps if the type of WAN connection is Custom.
upload_download download_speed_type | 56-Kbps, 128-Kbps, 256-Kbps, 384-Kbps, 512-Kbps, 768-Kbps, 1500-Kbps, 1544-Kbps, 10-Mbps, 44.736-Mbps, 100-Mbps, 1-Gbps, or Custom | Specifies the maximum download speed that is provided by your ISP. If you select Custom, you need to specify the speed in Kbps with the upload_download download_speed keyword.
upload_download download_speed | speed | The download speed in Kbps if the type of WAN connection is Custom.

Command example:
SRX5308> net wan port_setup configure WAN1
net-config[port_setup]> def_mtu Custom
net-config[port_setup]> mtu_size 1498
net-config[port_setup]> port_speed 1000_BaseT_Full_Duplex
net-config[port_setup]> mac_type Use-This-Computers-Mac
net-config[port_setup]> failover_method type Ping
net-config[port_setup]> failover_method ping_ipaddress_wan 10.147.38.217
net-config[port_setup]> failover_method retry_interval 30
net-config[port_setup]> failover_method retry_attempts 4
net-config[port_setup]> upload_download wan_conn_type DSL
net-config[port_setup]> upload_download upload_speed_type 1-Gbps
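
The following is an added example, not code from NETGEAR or from this manual: a Python pre-flight check for a port_setup command script that applies the ranges and keyword dependencies documented above (MTU range per IP mode, retry interval 5 to 999, retry attempts 2 to 999, the address keyword that CUSTOM-DNS and Ping require, and a public address for the Ping target). The function names are hypothetical, and the detection-window figure assumes one probe per retry interval.

```python
import ipaddress

# Ranges and keyword dependencies as documented for net-config[port_setup].
# Failover type -> address keyword it also requires (None: no address keyword).
FAILOVER = {"None": None, "WAN-DNS": None,
            "CUSTOM-DNS": "failover_method dns_ipaddress_wan",
            "Ping": "failover_method ping_ipaddress_wan"}
MTU_RANGE = {"IPv4": (68, 1500), "IPv4/IPv6": (1280, 1500)}
TWO_WORD = ("failover_method", "upload_download")  # two-token keywords


def parse(script):
    """Turn (optionally prompt-prefixed) CLI lines into {keyword: value}."""
    settings = {}
    for line in script.splitlines():
        words = line.split(">", 1)[-1].split()  # drop the CLI prompt, if any
        if not words or words[:3] == ["net", "wan", "port_setup"]:
            continue
        n = 2 if words[0] in TWO_WORD else 1
        settings[" ".join(words[:n])] = " ".join(words[n:])
    return settings


def _check_int(s, key, lo, hi, problems):
    raw = s.get(key)
    if raw is None:
        problems.append(f"error: {key} is required but missing")
    elif not raw.isdigit() or not lo <= int(raw) <= hi:
        problems.append(f"error: {key} {raw} is outside {lo}-{hi}")


def lint(script, ip_mode="IPv4"):
    """Return a list of problems; an empty list means nothing was found."""
    s, problems = parse(script), []
    if s.get("def_mtu") == "Custom":
        _check_int(s, "mtu_size", *MTU_RANGE[ip_mode], problems)
    if s.get("mac_type") == "Use-This-Mac" and "mac_address" not in s:
        problems.append("error: mac_type Use-This-Mac needs mac_address")
    ftype = s.get("failover_method type", "None")  # absent: nothing to check
    if ftype not in FAILOVER:
        problems.append(f"error: unknown failover_method type {ftype}")
    elif ftype != "None":
        _check_int(s, "failover_method retry_interval", 5, 999, problems)
        _check_int(s, "failover_method retry_attempts", 2, 999, problems)
        key = FAILOVER[ftype]
        try:
            addr = ipaddress.ip_address(s.get(key, "")) if key else None
        except ValueError:
            problems.append(f"error: {ftype} needs a valid {key}")
        else:
            if ftype == "Ping" and addr.is_private:
                problems.append(f"warning: ping target {addr} is not public")
    return problems


def detection_window(script):
    """Approximate seconds until the WAN link is declared down (assumption)."""
    s = parse(script)
    return (int(s["failover_method retry_interval"])
            * int(s["failover_method retry_attempts"]))


# The command example from this page, embedded so the check runs offline.
PAGE_EXAMPLE = """\
SRX5308> net wan port_setup configure WAN1
net-config[port_setup]> def_mtu Custom
net-config[port_setup]> mtu_size 1498
net-config[port_setup]> port_speed 1000_BaseT_Full_Duplex
net-config[port_setup]> mac_type Use-This-Computers-Mac
net-config[port_setup]> failover_method type Ping
net-config[port_setup]> failover_method ping_ipaddress_wan 10.147.38.217
net-config[port_setup]> failover_method retry_interval 30
net-config[port_setup]> failover_method retry_attempts 4
net-config[port_setup]> upload_download wan_conn_type DSL
net-config[port_setup]> upload_download upload_speed_type 1-Gbps
"""

if __name__ == "__main__":
    print(lint(PAGE_EXAMPLE), detection_window(PAGE_EXAMPLE))
```

Run against the command example on this page, lint reports only the Ping target warning, because 10.147.38.217 is a private address, and detection_window returns 120 seconds.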