Zyxel USG60, USG40W, USG2200, USG40, USG210 CLI Reference Guide

...
CLI Reference Guide
ZyWALL USG/USG FLEX/VPN/ATP Series
Version 4.10–4.60 Ed 1, 10/2020

Default Login Details
User Name: admin
Password: 1234
ZyWALL USG/FLEX/VPN/ATP Series CLI Reference Guide Copyright © 2020 Zyxel Communications Corpo-
IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE.
This is a Reference Guide for a series of products intended for people who want to configure the Zyxel Device via Command Line Interface (CLI).
Note: The version number on the cover page refers to the latest firmware version supported by the Zyxel Device. This guide applies to ZLD version 4.10–4.60 at the time of writing.
How To Use This Guide
1 Read Chapter 1 on page 24 for how to access and use the CLI (Command Line Interface).
2 Read Chapter 2 on page 40 to learn about the CLI user and privilege modes.
Some commands or command options in this guide may not be available in your product. See your product's User’s Guide for a list of supported features. Do not use commands not documented in this guide. Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable. Some commands are renamed between firmware versions. In cases where a command has multiple names, the Reference Guide lists each variation.
Related Documentation
• Quick Start Guide: The Quick Start Guide shows how to connect the Zyxel Device and access the Web Configurator.
• User’s Guide: The ATP Series User’s Guide explains how to use the Web Configurator to configure the Zyxel Device. It also shows the product feature matrix for each device. General feature differences are written in the Introduction chapter while a more detailed table is in the Product Feature appendix.
  The USG Series User’s Guide explains how to use the Web Configurator to configure the Zyxel Device. It also shows the product feature matrix for each device. General feature differences are written in the Introduction chapter while a more detailed table is in the Product Feature appendix.
  Note: It is recommended you use the Web Configurator to configure the Zyxel Device.
• More Information: Go to support.zyxel.com to find other information on Zyxel Device.

Contents Overview

Introduction
Command Line Interface
User and Privilege Modes
Reference
Object Reference
Status
Registration
AP Management
Built-in AP
AP Group
Wireless LAN Profiles
Rogue AP
Wireless Frame Capture
Dynamic Channel Selection
Auto-Healing
LEDs
Interfaces
Trunks
Route
Routing Protocol
Zones
DDNS
Virtual Servers
HTTP Redirect
Redirect Service
ALG
UPnP
IP/MAC Binding
Layer 2 Isolation
Secure Policy
Cloud CNM
Web Authentication
Hotspot
IPSec VPN
SSL VPN
L2TP VPN
Bandwidth Management
Application Patrol
Anti-Virus
RTLS
Reputation Filter
Sandboxing
IDP Commands
Content Filtering
Anti-Spam
SSL Inspection
IP Exception
Device HA
User/Group
Application Object
Addresses
Services
Schedules
AAA Server
Authentication Objects
Authentication Server
Certificates
ISP Accounts
SSL Application
DHCPv6 Objects
Dynamic Guest Accounts
System
System Remote Management
File Manager
Logs
Reports and Reboot
Session Timeout
Diagnostics and Remote Assistance
Packet Flow Explore
Maintenance Tools
Miscellaneous
Managed AP Commands

Table of Contents

Contents Overview
Table of Contents
Part I: Introduction
Chapter 1 Command Line Interface
1.1 Overview
1.1.1 The Configuration File
1.2 Accessing the CLI
1.2.1 Console Port
1.2.2 Web Configurator Console
1.2.3 Telnet
1.2.4 SSH (Secure SHell)
1.3 How to Find Commands in this Guide
1.4 How Commands Are Explained
1.4.1 Background Information (Optional)
1.4.2 Command Input Values (Optional)
1.4.3 Command Summary
1.4.4 Command Examples (Optional)
1.4.5 Command Syntax
1.4.6 Naming Conventions
1.4.7 Changing the Password
1.4.8 Idle Timeout
1.5 CLI Modes
1.6 Shortcuts and Help
1.6.1 List of Available Commands
1.6.2 List of Sub-commands or Required User Input
1.6.3 Entering Partial Commands
1.6.4 Entering a ? in a Command
1.6.5 Command History
1.6.6 Navigation
1.6.7 Erase Current Command
1.6.8 The no Commands
1.7 Input Values
1.8 Ethernet Interfaces
1.9 Saving Configuration Changes
1.10 Logging Out
1.11 Resetting the Zyxel Device
Chapter 2 User and Privilege Modes
2.1 User And Privilege Modes
2.1.1 Debug Commands
Part II: Reference
Chapter 3 Object Reference
3.1 Object Reference Commands
3.1.1 Object Reference Command Example
Chapter 4 Status
4.1 ATP Dashboard Commands
Chapter 5 Registration
5.1 myZyxel Overview
5.1.1 Subscription Services Available on the Zyxel Device
5.2 Registration Commands
5.2.1 Command Examples
Chapter 6 AP Management
6.1 AP Management Overview
6.2 AP Management Commands
6.2.1 AP Management Commands Example
Chapter 7 Built-in AP
7.1 Built-in AP Commands
Chapter 8 AP Group
8.1 Wireless Load Balancing Overview
8.2 AP Group Commands
8.2.1 AP Group Examples
Chapter 9 Wireless LAN Profiles
9.1 Wireless LAN Profiles Overview
9.2 AP Radio & Monitor Profile Commands
9.2.1 AP Radio & Monitor Profile Commands Example
9.3 SSID Profile Commands
9.3.1 SSID Profile Example
9.4 Security Profile Commands
9.4.1 Security Profile Example
9.5 MAC Filter Profile Commands
9.5.1 MAC Filter Profile Example
9.6 ZyMesh Profile Commands
Chapter 10 Rogue AP
10.1 Rogue AP Detection Overview
10.2 Rogue AP Detection Commands
10.2.1 Rogue AP Detection Examples
10.3 Rogue AP Containment Overview
10.4 Rogue AP Containment Commands
10.4.1 Rogue AP Containment Example
Chapter 11 Wireless Frame Capture
11.1 Wireless Frame Capture Overview
11.2 Wireless Frame Capture Commands
11.2.1 Wireless Frame Capture Examples
Chapter 12 Dynamic Channel Selection
12.1 DCS Overview
12.2 DCS Commands
Chapter 13 Auto-Healing
13.1 Auto-Healing Overview
13.2 Auto-Healing Commands
13.2.1 Auto-Healing Examples
Chapter 14 LEDs
14.1 LED Suppression Mode
14.2 LED Suppression Commands
14.2.1 LED Suppression Commands Example
14.3 LED Locator
14.4 LED Locator Commands
14.4.1 LED Locator Commands Example
Chapter 15 Interfaces
15.1 Interface Overview
15.1.1 Types of Interfaces
15.1.2 Relationships Between Interfaces
15.2 Interface General Commands Summary
15.2.1 Basic Interface Properties and IP Address Commands
15.2.2 IGMP Proxy Commands
15.2.3 Proxy ARP Commands
15.2.4 DHCP Setting Commands
15.2.5 Interface Parameter Command Examples
15.2.6 RIP Commands
15.2.7 OSPF Commands
15.2.8 Connectivity Check (Ping-check) Commands
15.3 Ethernet Interface Specific Commands
15.3.1 MAC Address Setting Commands
15.3.2 Port Grouping Commands
15.4 Virtual Interface Specific Commands
15.4.1 Virtual Interface Command Examples
15.5 PPPoE/PPTP Specific Commands
15.5.1 PPPoE/PPTP Interface Command Examples
15.6 Cellular Interface Specific Commands
15.6.1 Cellular Status
15.6.2 Cellular Interface Command Examples
15.7 Tunnel Interface Specific Commands
15.7.1 Tunnel Interface Command Examples
15.8 USB Storage Specific Commands
15.8.1 Firmware Upgrade via USB Stick
15.8.2 USB Storage Commands Example
15.9 VLAN Interface Specific Commands
15.9.1 VLAN Interface Command Examples
15.10 Bridge Specific Commands
15.10.1 Bridge Interface Command Examples
15.11 LAG Commands
15.11.1 LAG Interface Command Example
15.12 VTI Commands
15.12.1 Restrictions for IPsec Virtual Tunnel Interface
15.12.2 VTI Interface Command Example
Chapter 16 Trunks
16.1 Trunks Overview
16.2 Trunk Scenario Examples
16.3 Trunk Commands Input Values
16.4 Trunk Commands Summary
16.5 Trunk Command Examples
Chapter 17 Route
17.1 Policy Route
17.2 Policy Route Commands
17.2.1 Assured Forwarding (AF) PHB for DiffServ
17.2.2 Policy Route Command Example
17.3 IP Static Route
17.4 Static Route Commands
17.4.1 Static Route Commands Examples
Chapter 18 Routing Protocol
18.1 Routing Protocol Overview
18.2 Routing Protocol Commands Summary .................................................................................. 160
18.2.1 RIP Commands .................................................................................................................. 161
18.2.2 General OSPF Commands ............................................................................................... 161
18.2.3 OSPF Area Commands .................................................................................................... 162
18.2.4 Virtual Link Commands ..................................................................................................... 162
18.2.5 Learned Routing Information Commands ..................................................................... 163
18.2.6 Show IP Route Command Example ................................................................................ 163
18.3 BGP (Border Gateway Protocol) ........................................................................................... 163
18.3.1 BGP Commands ................................................................................................................ 165
Chapter 19
Zones.................................................................................................................................................167
19.1 Zones Overview .......................................................................................................................... 167
19.2 Zone Commands Summary ...................................................................................................... 168
19.2.1 Zone Command Examples .............................................................................................. 169
Chapter 20
DDNS .................................................................................................................................................170
20.1 DDNS Overview ........................................................................................................................... 170
20.2 DDNS Commands Summary .....................................................................................................171
20.3 DDNS Commands Example ...................................................................................................... 172
Chapter 21
Virtual Servers...................................................................................................................................173
21.1 Virtual Server Overview .............................................................................................................. 173
21.1.1 1:1 NAT and Many 1:1 NAT ............................................................................................... 173
21.2 Virtual Server Commands Summary ......................................................................................... 173
21.2.1 Virtual Server Command Examples ................................................................................ 175
21.2.2 Tutorial - How to Allow Public Access to a Server ......................................................... 176
21.3 Virtual Server Load Balancing ................................................................................................... 177
21.3.1 Load Balancing Example 1 .............................................................................................. 177
21.3.2 Load Balancing Example 2 .............................................................................................. 178
21.3.3 Virtual Server Load Balancing Process ........................................................................... 179
21.3.4 Load Balancing Rules ....................................................................................................... 180
21.3.5 Virtual Server Load Balancing Algorithms ...................................................................... 181
21.3.6 Virtual Server Load Balancing Commands .................................................................... 182
Chapter 22
HTTP Redirect....................................................................................................................................186
22.1 HTTP Redirect Overview ............................................................................................................. 186
22.1.1 Web Proxy Server .............................................................................................................. 186
22.2 HTTP Redirect Commands ......................................................................................................... 186
22.2.1 HTTP Redirect Command Examples ............................................................................... 187
Chapter 23
Redirect Service...............................................................................................................................188
23.1 HTTP Redirect ............................................................................................................................... 188
23.2 SMTP Redirect ............................................................................................................................. 188
23.3 Redirect Commands .................................................................................................................. 189
23.3.1 Redirect Command Example .......................................................................................... 191
Chapter 24
ALG....................................................................................................................................................192
24.1 ALG Introduction ........................................................................................................................ 192
24.2 ALG Commands ......................................................................................................................... 193
24.3 ALG Commands Example .......................................................................................................... 194
Chapter 25
UPnP...................................................................................................................................................195
25.1 UPnP and NAT-PMP Overview ................................................................................................... 195
25.2 UPnP and NAT-PMP Commands ............................................................................................... 195
25.3 UPnP & NAT-PMP Commands Example ................................................................................... 196
Chapter 26
IP/MAC Binding................................................................................................................................198
26.1 IP/MAC Binding Overview ......................................................................................................... 198
26.2 IP/MAC Binding Commands ..................................................................................................... 198
26.3 IP/MAC Binding Commands Example ..................................................................................... 199
Chapter 27
Layer 2 Isolation...............................................................................................................................200
27.1 Layer 2 Isolation Overview ......................................................................................................... 200
27.2 Layer 2 Isolation Commands ..................................................................................................... 201
27.2.1 Layer 2 Isolation White List Sub-Commands .................................................................. 201
27.3 Layer 2 Isolation Commands Example ..................................................................................... 202
Chapter 28
Secure Policy....................................................................................................................................203
28.1 Secure Policy Overview ............................................................................................................. 203
28.2 Secure Policy Commands ......................................................................................................... 204
28.2.1 Secure Policy Sub-Commands ........................................................................................ 207
28.2.2 Security Services Multiple Profiles .................................................................................... 209
28.2.3 Secure Policy Command Examples ................................................................................ 210
28.3 Session Limit Commands ........................................................................................................... 213
28.4 ADP Commands Overview ........................................................................................................ 215
28.4.1 ADP Command Input Values .......................................................................................... 216
28.4.2 ADP Activation Commands ............................................................................................ 216
28.4.3 ADP Global Profile Commands ....................................................................................... 216
28.4.4 ADP Zone-to-Zone Rule Commands ............................................................................... 217
28.4.5 ADP Add/Edit Profile Sub Commands ............................................................................ 217
Chapter 29
Cloud CNM.......................................................................................................................................221
29.1 Cloud CNM Overview ................................................................................................................ 221
29.2 Cloud CNM SecuManager ....................................................................................................... 221
29.2.1 Introduction to XMPP ........................................................................................................ 222
29.2.2 Cloud CNM SecuManager Commands ........................................................................ 223
29.2.3 Cloud CNM SecuManager Command Example .......................................................... 226
29.3 Cloud CNM SecuReporter ......................................................................................................... 226
29.3.1 Cloud CNM SecuReporter Commands .......................................................................... 226
29.3.2 Cloud CNM SecuReporter Commands Example .......................................................... 228
Chapter 30
Web Authentication.........................................................................................................................229
30.1 Web Authentication Overview .................................................................................................. 229
30.2 Web Authentication Commands ............................................................................................. 229
30.2.1 web-auth login setting Sub-commands .......................................................................... 231
30.2.2 web-auth policy Sub-commands ................................................................................... 233
30.2.3 Facebook Wi-Fi Commands ............................................................................................ 234
30.3 SSO Overview .............................................................................................................................. 234
30.3.1 SSO Configuration Commands ....................................................................................... 235
30.3.2 SSO Show Commands ...................................................................................................... 235
30.3.3 Command Setup Sequence Example ........................................................................... 236
Chapter 31
Hotspot..............................................................................................................................................237
31.1 Hotspot Overview ....................................................................................................................... 237
31.2 Billing Overview ........................................................................................................................... 237
31.3 Billing Commands ....................................................................................................................... 237
31.3.1 Billing Profile Sub-commands ........................................................................................... 239
31.3.2 Billing Command Example ............................................................................................... 239
31.3.3 Payment Service ............................................................................................................... 241
31.4 Printer Manager Overview ........................................................................................................ 244
31.5 Printer-manager Commands .................................................................................................... 244
31.5.1 Printer-manager Printer Sub-commands ......................................................................... 245
31.5.2 Printer-manager Command Example ............................................................................ 245
31.6 Free Time Overview .................................................................................................................... 246
31.7 Free-Time Commands ................................................................................................................ 246
31.8 Free-Time Commands Example ................................................................................................247
31.9 IPnP Overview ............................................................................................................................. 247
31.10 IPnP Commands ....................................................................................................................... 247
31.11 IPnP Commands Example ....................................................................................................... 248
31.12 Walled Garden Overview ....................................................................................................... 248
31.13 Walled Garden Commands ...................................................................................................248
31.13.1 walled-garden rule Sub-commands ............................................................................. 249
31.13.2 walled-garden domain-ip rule Sub-commands .......................................................... 250
31.13.3 Walled Garden Command Example ........................................................................... 250
31.14 Advertisement Overview ......................................................................................................... 251
31.15 Advertisement Commands ..................................................................................................... 251
31.15.1 Advertisement Command Example ............................................................................. 251
Chapter 32
IPSec VPN .........................................................................................................................................252
32.1 IPSec VPN Overview ................................................................................................................... 252
32.2 IPSec VPN Commands Summary ............................................................................................. 253
32.2.1 IPv4 IKEv1 SA Commands ................................................................................................. 254
32.2.2 IPv4 IPSec SA Commands (except Manual Keys) ......................................................... 256
32.2.3 IPv4 IPSec SA Commands (for Manual Keys) ................................................................. 259
32.2.4 VPN Concentrator Commands ....................................................................................... 259
32.2.5 VPN Configuration Provisioning Commands ................................................................. 260
32.2.6 SA Monitor Commands .................................................................................................... 261
32.2.7 IPv4 IKEv2 SA Commands ................................................................................................. 262
32.2.8 IPv6 IKEv2 SA Commands ................................................................................................. 263
32.2.9 IPv6 IPSec SA Commands ................................................................................................ 264
32.2.10 IPv6 VPN Concentrator Commands ............................................................................. 266
Chapter 33
SSL VPN..............................................................................................................................................267
33.1 SSL Access Policy ........................................................................................................................ 267
33.1.1 SSL Application Objects ................................................................................................... 267
33.1.2 SSL Access Policy Limitations ...........................................................................................267
33.2 SSL VPN Commands ................................................................................................................... 267
33.2.1 SSL VPN Commands ......................................................................................................... 268
33.2.2 Setting an SSL VPN Rule Tutorial ...................................................................................... 269
Chapter 34
L2TP VPN...........................................................................................................................................271
34.1 L2TP VPN Overview ..................................................................................................................... 271
34.2 IPSec Configuration .................................................................................................................... 271
34.2.1 Using the Default L2TP VPN Connection ........................................................................ 272
34.3 Policy Route ................................................................................................................................ 272
34.4 L2TP VPN Commands ................................................................................................................. 273
34.4.1 L2TP VPN Commands .......................................................................................................273
34.4.2 L2TP Account Commands ............................................................................................... 275
34.5 L2TP VPN Examples ..................................................................................................................... 275
34.5.1 Configuring the Default L2TP VPN Gateway Example ................................................. 276
34.5.2 Configuring the Default L2TP VPN Connection Example ............................................. 276
34.5.3 Configuring the L2TP VPN Settings Example .................................................................. 277
34.5.4 Configuring the Policy Route for L2TP Example ............................................................. 277
Chapter 35
Bandwidth Management................................................................................................................279
35.1 Bandwidth Management Overview ........................................................................................ 279
35.1.1 BWM Type .......................................................................................................................... 279
35.2 Bandwidth Management Commands .................................................................................... 279
35.2.1 Bandwidth Sub-Commands ............................................................................................ 280
35.3 Bandwidth Management Commands Examples ................................................................... 283
Chapter 36
Application Patrol............................................................................................................................285
36.1 Application Patrol Overview ..................................................................................................... 285
36.2 Application Patrol Commands Summary ................................................................................ 285
36.2.1 Application Patrol Commands ........................................................................................ 286
Chapter 37
Anti-Virus...........................................................................................................................................289
37.1 Anti-Virus Overview .................................................................................................................... 289
37.2 Anti-Virus Commands ................................................................................................................ 289
37.2.1 General Anti-Virus Commands ........................................................................................ 290
37.2.2 Anti-Virus Profile ................................................................................................................. 291
37.2.3 White and Black Lists ......................................................................................................... 292
37.2.4 Signature Search Anti-Virus Command ......................................................................... 294
37.3 Update Anti-Virus Signatures ..................................................................................................... 295
37.3.1 Update Signature Examples ............................................................................................ 295
37.4 Anti-Virus Statistics ....................................................................................................................... 296
37.4.1 Anti-Virus Statistics Example ............................................................................................. 296
Chapter 38
RTLS....................................................................................................................................................297
38.1 RTLS Overview ............................................................................................................................. 297
38.1.1 RTLS Configuration Commands ....................................................................................... 298
38.1.2 RTLS Configuration Examples ........................................................................................... 298
Chapter 39
Reputation Filter ...............................................................................................................................299
39.1 Overview ..................................................................................................................................... 299
39.1.1 Signature Database Priority .............................................................................................300
39.2 IP Reputation Commands ......................................................................................................... 300
39.2.1 Update IP Reputation Signatures .................................................................................... 302
39.2.2 IP Reputation Statistics ...................................................................................................... 302
39.2.3 IP Reputation External Black List ...................................................................................... 302
39.3 Anti-Botnet Commands ............................................................................................................. 304
39.3.1 Anti-Botnet Profile Commands ........................................................................................ 306
39.3.2 Anti-Botnet External Black List .......................................................................................... 307
39.3.3 Update Anti-Botnet Signatures ........................................................................................ 309
39.3.4 Update Signature Examples ............................................................................................ 310
39.3.5 Anti-Botnet Statistics .......................................................................................................... 310
39.3.6 Anti-Botnet Statistics Example ......................................................................................... 311
39.4 DNS Filter Commands ................................................................................................................ 313
Chapter 40
Sandboxing ......................................................................................................................................316
40.1 Sandboxing Overview ................................................................................................................ 316
40.2 Sandbox Commands ................................................................................................................. 316
40.2.1 Sandbox Command Examples ....................................................................................... 318
Chapter 41
IDP Commands ................................................................................................................................319
41.1 Overview ..................................................................................................................................... 319
41.2 General IDP Commands ........................................................................................................... 319
41.2.1 IDP Activation .................................................................................................................... 319
41.3 IDP Profile Commands ............................................................................................................... 321
41.3.1 Global Profile Commands ............................................................................................... 321
41.3.2 Editing/Creating IDP Signature Profiles ........................................................................... 322
41.3.3 Signature Search ............................................................................................................... 322
41.4 IDP Custom Signatures ............................................................................................................... 324
41.4.1 Custom Signature Examples ............................................................................................ 325
41.5 Update IDP Signatures ............................................................................................................... 328
41.5.1 Update Signature Examples ............................................................................................ 329
41.6 IDP Statistics ................................................................................................................................. 329
41.6.1 IDP Statistics Example ....................................................................................................... 330
41.7 IDP White List ............................................................................................................................... 331
Chapter 42
Content Filtering...............................................................................................................................332
42.1 Content Filtering Overview ........................................................................................................ 332
42.2 External Web Filtering Service ................................................................................................... 332
42.3 Content Filter Command Input Values .................................................................................... 333
42.4 General Content Filter Commands .......................................................................................... 335
42.5 Content Filter Filtering Profile Commands ............................................................................... 337
42.6 Content Filtering Statistics ........................................................................................................... 341
42.6.1 Content Filtering Statistics Example ................................................................................ 342
42.7 Content Filtering Commands Example .................................................................................... 342
42.8 Content Filtering Category Definitions ..................................................................................... 344
Chapter 43
Anti-Spam.........................................................................................................................................358
43.1 Anti-Spam Overview .................................................................................................................. 358
43.2 Anti-Spam Commands .............................................................................................................. 358
43.2.1 Anti-Spam Profile Rules ..................................................................................................... 358
43.2.2 White and Black Lists ......................................................................................................... 363
43.2.3 DNSBL Anti-Spam Commands ......................................................................................... 365
43.3 Anti-Spam Statistics ..................................................................................................................... 367
43.3.1 Anti-Spam Statistics Example ........................................................................................... 368
Chapter 44
SSL Inspection...................................................................................................................................369
44.1 SSL Inspection Overview ............................................................................................................ 369
44.2 SSL Inspection Commands Summary ....................................................................................... 369
44.2.1 SSL Inspection General Settings ...................................................................................... 370
44.2.2 SSL Inspection Exclusion Commands ............................................................................... 370
44.2.3 SSL Inspection Profile Settings .......................................................................................... 371
44.2.4 SSL Inspection Certificate Cache ................................................................................... 373
44.2.5 SSL Inspection Certificate Update .................................................................................. 373
44.2.6 SSL Inspection Statistics ..................................................................................................... 374
44.2.7 SSL Inspection Command Examples .............................................................................. 374
Chapter 45
IP Exception......................................................................................................................................376
45.1 IP Exception Overview ............................................................................................................... 376
45.2 IP Exception Commands ........................................................................................................... 376
Chapter 46
Device HA.........................................................................................................................................378
46.1 Device HA Overview .................................................................................................................. 378
46.1.1 Before You Begin ............................................................................................................... 379
46.1.2 Device HA and Device HA Pro ........................................................................................ 379
46.2 General Device HA Commands .............................................................................................. 380
46.3 Active-Passive Mode Device HA .............................................................................................. 380
46.4 Active-Passive Mode Device HA Commands ........................................................................ 381
46.4.1 Active-Passive Mode Device HA Commands ............................................................... 381
46.4.2 Active-Passive Mode Device HA Command Example ................................................ 383
46.5 Device HA Pro ............................................................................................................................. 383
46.5.1 Deploying Device HA Pro ................................................................................................ 383
46.5.2 Device HA Pro Commands .............................................................................................. 384
46.5.3 Device HA2 Command Example .................................................................................... 386
Chapter 47
User/Group.......................................................................................................................................388
47.1 User Account Overview ............................................................................................................. 388
47.1.1 User Types ........................................................................................................................... 388
47.2 User/Group Commands Summary ........................................................................................... 389
47.2.1 User Commands ................................................................................................................ 389
47.2.2 User Group Commands ................................................................................................... 391
47.2.3 User Setting Commands ...................................................................................................391
47.2.4 MAC Auth Commands ..................................................................................................... 393
47.2.5 Additional User Commands ............................................................................................. 394
Chapter 48
Application Object..........................................................................................................................398
48.1 Application Object Commands Summary .............................................................................. 398
48.1.1 Application Object Commands ..................................................................................... 398
48.1.2 Application Object Group Commands ......................................................................... 399
Chapter 49
Addresses.........................................................................................................................................401
49.1 Address Overview ....................................................................................................................... 401
49.2 Address Commands Summary ................................................................................................. 401
49.2.1 Address Object Commands ............................................................................................ 402
49.2.2 Address Group Commands ............................................................................................. 406
49.2.3 FQDN Object ..................................................................................................................... 407
49.2.4 Geo IP ................................................................................................................................. 408
49.2.5 FQDN / Geo IP Commands ............................................................................................. 408
49.2.6 Geo IP Command Examples ........................................................................................... 409
Chapter 50
Services.............................................................................................................................................410
50.1 Services Overview ...................................................................................................................... 410
50.2 Services Commands Summary .................................................................................................410
50.2.1 Service Object Commands ............................................................................................. 410
50.2.2 Service Group Commands .............................................................................................. 412
Chapter 51
Schedules.........................................................................................................................................413
51.1 Schedule Overview .................................................................................................................... 413
51.2 Schedule Commands Summary ............................................................................................... 413
51.2.1 Schedule Command Examples ...................................................................................... 414
Chapter 52
AAA Server .......................................................................................................................................415
52.1 AAA Server Overview ................................................................................................................. 415
52.2 Authentication Server Command Summary ........................................................................... 415
52.2.1 ad-server Commands ......................................................................................................416
52.2.2 ldap-server Commands ................................................................................................... 416
52.2.3 radius-server Commands ................................................................................................. 417
52.2.4 radius-server Command Example .................................................................................. 417
52.2.5 aaa group server ad Commands ................................................................................... 418
52.2.6 aaa group server ldap Commands ................................................................................ 419
52.2.7 aaa group server radius Commands ............................................................................. 420
52.2.8 aaa group server Command Example .......................................................................... 421
Chapter 53
Authentication Objects...................................................................................................................422
53.1 Authentication Objects Overview ............................................................................................ 422
53.2 aaa authentication Commands .............................................................................................. 422
53.2.1 aaa authentication Command Example ...................................................................... 423
53.3 test aaa Command ................................................................................................................... 423
53.3.1 Test a User Account Command Example ...................................................................... 424
53.4 Two-Factor Authentication ........................................................................................................ 424
53.4.1 Two-Factor Authentication Methods .............................................................................. 424
53.4.2 Two-Factor Authentication with SMS/Email ................................................................... 425
53.4.3 SMS/Email Configuration .................................................................................................. 426
53.4.4 Two-Factor Authentication with Google Authenticator .............................................. 426
53.5 Two-Factor Authentication Commands ................................................................................... 428
53.5.1 Two-Factor Authentication VPN Access ........................................................................ 428
53.5.2 VPN Access Two-Factor Command Example ............................................................... 429
53.5.3 Admin Access .................................................................................................................... 430
53.5.4 Admin Access Two-Factor Command Example ........................................................... 431
Chapter 54
Authentication Server......................................................................................................................432
54.1 Authentication Server Overview ............................................................................................... 432
54.2 Authentication Server Commands ........................................................................................... 432
54.2.1 Authentication Server Command Examples ................................................................. 433
Chapter 55
Certificates .......................................................................................................................................434
55.1 Certificates Overview ................................................................................................................ 434
55.2 Certificate Commands .............................................................................................................. 434
55.3 Certificates Commands Input Values ...................................................................................... 434
55.4 Certificates Commands Summary ........................................................................................... 436
55.5 Certificates Commands Examples ........................................................................................... 439
Chapter 56
ISP Accounts.....................................................................................................................................440
56.1 ISP Accounts Overview .............................................................................................................. 440
56.1.1 PPPoE and PPTP Account Commands ........................................................................... 440
56.1.2 Cellular Account Commands ......................................................................................... 441
Chapter 57
SSL Application.................................................................................................................................442
57.1 SSL Application Overview .......................................................................................................... 442
57.1.1 SSL Application Object Commands ............................................................................... 442
57.1.2 SSL Application Command Examples ............................................................................ 443
Chapter 58
DHCPv6 Objects...............................................................................................................................444
58.1 DHCPv6 Object Commands Summary .................................................................................... 444
58.1.1 DHCPv6 Object Commands ........................................................................................... 444
58.1.2 DHCPv6 Object Command Examples ........................................................................... 445
Chapter 59
Dynamic Guest Accounts...............................................................................................................447
59.1 Dynamic Guest Accounts Overview ........................................................................................ 447
59.2 Dynamic-guest Commands ...................................................................................................... 447
59.2.1 dynamic-guest Sub-commands ...................................................................................... 448
59.2.2 Dynamic-guest Command Example .............................................................................. 449
Chapter 60
System...............................................................................................................................................450
60.1 System Overview ........................................................................................................................ 450
60.2 Customizing the WWW Login Page .......................................................................................... 450
60.3 Host Name Commands ............................................................................................................. 452
60.4 Time and Date ........................................................................................................................... 452
60.4.1 Date/Time Commands ..................................................................................................... 453
60.5 Console Port Speed .................................................................................................................. 454
60.6 DNS Overview ............................................................................................................................ 454
60.6.1 Domain Zone Forwarder ................................................................................................... 454
60.6.2 DNS Commands ................................................................................................................ 455
60.6.3 DNS Command Examples ................................................................................................ 457
60.7 Authentication Server Overview ............................................................................................... 457
60.7.1 Authentication Server Commands ................................................................................. 458
60.7.2 Authentication Server Command Examples ................................................................. 459
60.8 Notification .................................................................................................................................. 459
60.8.1 Mail Server Commands ....................................................................................................459
60.8.2 SMS Service Commands .................................................................................................. 460
60.8.3 Response Message Commands ..................................................................................... 462
60.9 Language Commands .............................................................................................................. 463
60.10 IPv6 Commands ....................................................................................................................... 463
60.11 ZON Overview ........................................................................................................................... 463
60.11.1 LLDP .................................................................................................................................. 463
60.11.2 ZON Commands ............................................................................................................. 464
60.11.3 ZON Examples ................................................................................................................. 464
60.12 Fast Forwarding ......................................................................................................................... 464
60.12.1 Fast Forwarding Technical Overview ............................................................................ 465
60.12.2 Fast Forwarding Commands ......................................................................................... 465
Chapter 61
System Remote Management........................................................................................................466
61.1 Remote Management Overview ............................................................................................. 466
61.1.1 Remote Management Limitations .................................................................................. 466
61.1.2 System Timeout .................................................................................................................. 466
61.2 Common System Command Input Values ............................................................................. 467
61.3 HTTP/HTTPS Commands .............................................................................................................. 467
61.3.1 HTTP/HTTPS Command Examples .................................................................................... 469
61.4 SSH ................................................................................................................................................ 470
61.4.1 SSH Implementation on the Zyxel Device ...................................................................... 470
61.4.2 Requirements for Using SSH ..............................................................................................470
61.4.3 SSH Commands ................................................................................................................. 470
61.4.4 SSH Command Examples ................................................................................................. 471
61.5 Telnet ........................................................................................................................................... 471
61.6 Telnet Commands ...................................................................................................................... 471
61.6.1 Telnet Commands Examples ........................................................................................... 472
61.7 Configuring FTP .......................................................................................................................... 472
61.7.1 FTP Commands ................................................................................................................. 473
61.7.2 FTP Commands Examples ................................................................................................ 473
61.8 SNMP ........................................................................................................................................... 474
61.8.1 Supported MIBs ................................................................................................................. 474
61.8.2 SNMP Traps ......................................................................................................................... 474
61.8.3 SNMP Commands ............................................................................................................. 475
61.8.4 SNMP Commands Examples ............................................................................................ 476
61.9 ICMP Filter ................................................................................................................................... 477
Chapter 62
File Manager ....................................................................................................................................478
62.1 File Directories ............................................................................................................................. 478
62.2 Configuration Files and Shell Scripts Overview ...................................................................... 478
62.2.1 Comments in Configuration Files or Shell Scripts ........................................................... 479
62.2.2 Errors in Configuration Files or Shell Scripts ..................................................................... 480
62.2.3 Zyxel Device Configuration File Details .......................................................................... 480
62.2.4 Configuration File Flow at Restart ................................................................................... 481
62.3 File Manager Commands Input Values ................................................................................... 481
62.4 File Manager Commands Summary ........................................................................................ 482
62.5 File Manager Dual Firmware Commands ................................................................................ 483
62.6 File Manager Command Examples ......................................................................................... 484
62.7 FTP File Transfer ............................................................................................................................ 485
62.7.1 Command Line FTP File Upload ....................................................................................... 485
62.7.2 Command Line FTP Configuration File Upload Example ............................................. 485
62.7.3 Command Line FTP File Download ................................................................................. 486
62.7.4 Command Line FTP Configuration File Download Example ........................................ 486
62.8 Cloud Helper Commands ......................................................................................................... 487
62.8.1 Cloud Helper Command Examples ................................................................................ 489
62.9 Zyxel Device File Usage at Startup ........................................................................................... 490
62.10 Notification of a Damaged Recovery Image or Firmware ................................................. 491
62.11 Restoring the Recovery Image ............................................................................................... 492
62.12 Restoring the Firmware ............................................................................................................ 494
62.13 Restoring the Default System Database ................................................................................ 496
62.13.1 Using the atkz -u Debug Command ............................................................................. 498
Chapter 63
Logs...................................................................................................................................................501
63.1 Log Commands Summary ......................................................................................................... 501
63.1.1 Log Entries Commands ....................................................................................................502
63.1.2 System Log Commands ................................................................................................... 502
63.1.3 Debug Log Commands ................................................................................................... 503
63.1.4 E-mail Profile Commands .................................................................................................505
63.1.5 Console Port Logging Commands ................................................................................. 506
Chapter 64
Reports and Reboot..........................................................................................................................507
64.1 Report Commands Summary ...................................................................................................507
64.1.1 Report Commands ........................................................................................................... 507
64.1.2 Report Command Examples ........................................................................................... 508
64.1.3 Session Commands ........................................................................................................... 508
64.1.4 Packet Size Statistics Commands .................................................................................... 509
64.2 Email Daily Report Commands ................................................................................................. 509
64.2.1 Email Daily Report Example ............................................................................................. 510
64.3 Reboot ......................................................................................................................................... 512
Chapter 65
Session Timeout................................................................................................................................513
Chapter 66
Diagnostics and Remote Assistance.............................................................................................514
66.1 Diagnostics .................................................................................................................................. 514
66.2 Diagnosis Commands ................................................................................................................ 514
66.3 Diagnosis Commands Example ................................................................................................515
66.4 Remote Assistance ..................................................................................................................... 515
66.5 Remote Assistance Commands ............................................................................................... 516
Chapter 67
Packet Flow Explore ........................................................................................................................517
67.1 Packet Flow Explore ................................................................................................................... 517
67.2 Packet Flow Explore Commands ..............................................................................................517
67.3 Packet Flow Explore Commands Example ............................................................................. 518
Chapter 68
Maintenance Tools ..........................................................................................................................521
68.1 Maintenance Command Examples ........................................................................................ 524
68.1.1 Packet Capture Command Example ............................................................................ 525
68.2 Scheduled Reboot ..................................................................................................................... 526
68.2.1 High Availability Reboot Process ..................................................................................... 527
68.3 Configuration File Backup ......................................................................................................... 528
Chapter 69
Miscellaneous ..................................................................................................................................530
69.1 Watchdog Timer ......................................................................................................................... 530
69.1.1 Hardware Watchdog Timer ............................................................................................. 530
69.1.2 Software Watchdog Timer ............................................................................................... 530
69.1.3 Application Watchdog ..................................................................................................... 531
69.2 Conserve Memory ...................................................................................................................... 533
69.2.1 Conserve Memory Settings .............................................................................................. 533
69.2.2 Conserve Memory Commands ....................................................................................... 533
69.2.3 Conserve Memory Example ............................................................................................. 534
Chapter 70
Managed AP Commands...............................................................................................................535
70.1 Managed Series AP Commands Overview ................................................................. ............ 535
70.2 Accessing the AP CLI ................................................................................................................. 535
70.3 CAPWAP Client Commands ..................................................................................................... 535
70.3.1 CAPWAP Client Commands Example ............................................................................ 536
70.4 DNS Server Commands .............................................................................................................. 538
70.4.1 DNS Server Commands Example .................................................................................... 538
70.4.2 DNS Server Commands and DHCP ................................................................................. 538
List of Commands (Alphabetical) ..................................................................................................540
ZyWALL USG/FLEX/VPN/ATP Series CLI Reference Guide
22
PART I

Introduction


CHAPTER 1
Command Line Interface

This chapter describes how to access and use the CLI (Command Line Interface).

1.1 Overview

Zyxel Device refers to these models as outlined below.
• ZyWALL
  • ZyWALL 110
  • ZyWALL 310
  • ZyWALL 1100
• ZyWALL USG (Unified Security Gateway)
  • USG40
  • USG40W
  • USG60
  • USG60W
  • USG110
  • USG210
  • USG310
  • USG1100
  • USG1900
  • USG2200
  • USG20-VPN
  • USG20W-VPN
  • USG2200-VPN
• ZyWALL USG FLEX
  • USG FLEX 100
  • USG FLEX 200
  • USG FLEX 500
• ZyWALL ATP (Advanced Threat Protection)
  • ATP100
  • ATP100W
  • ATP200
  • ATP500
  • ATP700
  • ATP800
• ZyWALL VPN
  • VPN50
  • VPN100
  • VPN300
  • VPN1000
If you have problems with your Zyxel Device, customer support may request that you issue some of these commands to assist them in troubleshooting.
Use of undocumented commands or misconfiguration can damage the Zyxel Device and possibly render it unusable.
1.1.1 The Configuration File
When you configure the Zyxel Device using either the CLI (Command Line Interface) or the web configurator, the settings are saved as a series of commands in a configuration file on the Zyxel Device. You can store more than one configuration file on the Zyxel Device. However, only one configuration file is used at a time.
You can perform the following with a configuration file:
• Back up Zyxel Device configuration once the Zyxel Device is set up to work in your network.
• Restore Zyxel Device configuration.
• Save and edit a configuration file and upload it to multiple Zyxel Devices (of the same model) in your network to have the same settings.
Note: You may also edit a configuration file using a text editor.

1.2 Accessing the CLI

You can access the CLI using a terminal emulation program on a computer connected to the console port, from the web configurator, or by using Telnet or SSH (Secure SHell).
Note: The Zyxel Device might force you to log out of your session if re-authentication time, lease time, or idle timeout is reached. See Chapter 47 on page 388 for more information about these settings.
1.2.1 Console Port
The default settings for the console port are as follows.
Table 1 Managing the Zyxel Device: Console Port
SETTING         VALUE
Speed           115200 bps
Data Bits       8
Parity          None
Stop Bit        1
Flow Control    Off
When you turn on your Zyxel Device, it performs several internal tests as well as line initialization. You can view the initialization information using the console port.
• Garbled text displays if your terminal emulation program’s speed is set lower than the Zyxel Device’s.
• No text displays if the speed is set higher than the Zyxel Device’s.
• If changing your terminal emulation program’s speed does not get anything to display, restart the Zyxel Device.
• If restarting the Zyxel Device does not get anything to display, contact your local customer support.
Figure 1 Console Port Power-on Display
U-Boot 2011.03 (Development build, svnversion: u-boot:424M, exec:exported) (Build time: Aug 28 2013 - 14:19:07)
BootModule Version: V1.01 | Aug 28 2013 14:19:07
DRAM: Size = 1024 Mbytes
Press any key to enter debug mode within 3 seconds.
After the initialization, the login screen displays.
Figure 2 Login Screen
Welcome to USG60W
Username:
Enter the user name and password at the prompts.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
1.2.2 Web Configurator Console
Note: Before you can access the CLI through the web configurator, make sure your computer supports the Java Runtime Environment. You will be prompted to download and install the Java plug-in if it is not already installed.
When you access the CLI using the web console, your computer establishes an SSH (Secure SHell) connection to the Zyxel Device. Follow the steps below to access the web console.
1 Log into the web configurator.
2 Click the Console icon in the top-right corner of the web configurator screen.
3 If the Java plug-in is already installed, skip to step 4.
Otherwise, you will be prompted to install the Java plug-in. If the prompt does not display and the screen remains gray, you have to download the setup program.
4 The web console starts. This might take a few seconds. One or more security screens may display. Click Yes or Always.
Figure 3 Web Console: Security Warnings
Finally, the User Name screen appears.
Figure 4 Web Console: User Name
5 Enter the user name you want to use to log in to the console. The console begins to connect to the Zyxel Device.
Note: The default login username is admin. It is case-sensitive.
Figure 5 Web Console: Connecting
Then, the Password screen appears.
Figure 6 Web Console: Password
6 Enter the password for the user name you specified earlier, and click OK. If you enter the password incorrectly, you get an error message, and you may have to close the console window and open it again. If you enter the password correctly, the console screen appears.
Figure 7 Web Console
7 To use most commands in this User’s Guide, enter configure terminal. The prompt should change to Router(config)#.
1.2.3 Telnet
Use the following steps to Telnet into your Zyxel Device.
1 Using the Web Configurator, enable and configure Telnet at System > TELNET.
2 Ensure that the Telnet protocol is allowed from your computer’s zone to the Zyxel Device.
By default, add TELNET to the default service group at Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL.
3 In Windows, click Start (usually in the bottom left corner) and Run. Then type telnet and the Zyxel Device’s IP address. For example, enter telnet 192.168.1.1 (the default management IP address).
4 Click OK. A login screen displays. Enter the user name and password at the prompts.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
1.2.4 SSH (Secure SHell)
You can use an SSH client program to access the CLI. The following figure shows an example using a text-based SSH client program. Refer to the documentation that comes with your SSH program for information on using it.
Before connecting, do the following:
• Using the Web Configurator, enable SSH at System > SSH.
• Ensure that the SSH protocol is allowed from your computer’s zone to the Zyxel Device. By default, add SSH to the service group Default_Allow_WAN_To_ZyWALL at Object > Service > Service Group. This group defines which services are allowed in the default WAN_to_Device security policy.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
Figure 8 SSH Login Example
C:\>ssh2 admin@192.168.1.1
Host key not found from database.
Key fingerprint:
xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to C:/Documents and Settings/user/Application Data/SSH/
hostkeys/ ey_22_192.168.1.1.pub
host key for 192.168.1.1, accepted by user Tue Aug 09 2005 07:38:28
admin's password:
Authentication successful.

1.3 How to Find Commands in this Guide

You can simply look for the feature chapter to find commands. In addition, you can use the List of Commands (Alphabetical) at the end of the guide. This section lists the commands in alphabetical order that they appear in this guide.
If you are looking at the CLI Reference Guide electronically, you might have additional options (for example, bookmarks or Find...) as well.

1.4 How Commands Are Explained

Each chapter explains the commands for one keyword. The chapters are divided into the following sections.
1.4.1 Background Information (Optional)
Note: See the User’s Guide for background information about most features.
This section provides background information about features that you cannot configure in the web configurator. In addition, this section identifies related commands in other chapters.
1.4.2 Command Input Values (Optional)
This section lists common input values for the commands for the feature in one or more tables.
1.4.3 Command Summary
This section lists the commands for the feature in one or more tables.
1.4.4 Command Examples (Optional)
This section contains any examples for the commands in this feature.
1.4.5 Command Syntax
The following conventions are used in this User’s Guide.
• A command or keyword in courier new must be entered literally as shown. Do not abbreviate.
• Values that you need to provide are in italics.
• Required fields that have multiple choices are enclosed in curly brackets {}.
• A range of numbers is enclosed in angle brackets <>.
• Optional fields are enclosed in square brackets [].
• The | symbol means OR.
For example, look at the following command to create a TCP/UDP service object.
service-object object-name {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>}
1 Enter service-object exactly as it appears.
2 Enter the name of the object where you see object-name.
3 Enter tcp or udp, depending on the service object you want to create.
4 Finally, do one of the following.
• Enter eq exactly as it appears, followed by a number between 1 and 65535.
• Enter range exactly as it appears, followed by two numbers between 1 and 65535.
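The notation above is regular enough to check mechanically, which helps when commands are generated by a script and should be linted before they reach a device. The following Python sketch is an added example, not code from this guide or from Zyxel: it parses a syntax line written in the notation and tests command lines against it. The function names and sample commands are constructed, and placeholders (the guide's italics, lost in plain text) are passed in explicitly.

```python
import re

# Tokens of the notation: <lo..hi> ranges, the bracket and OR symbols, plain words.
TOKEN = re.compile(r"<\d+\.\.\d+>|[{}\[\]|]|[^\s{}\[\]|]+")
RANGE = re.compile(r"<(\d+)\.\.(\d+)>")
CLOSER = {"{": "}", "[": "]"}


def parse_syntax(spec, placeholders=()):
    """Parse one syntax line into a tree of lit/var/range/opt/alt/seq nodes.

    `placeholders` names the words the guide prints in italics (values the
    user supplies); the caller lists them because plain text loses italics.
    """
    toks = TOKEN.findall(spec)
    pos = 0

    def alternatives(closer):
        nonlocal pos
        branches = [sequence(closer)]
        while pos < len(toks) and toks[pos] == "|":
            pos += 1
            branches.append(sequence(closer))
        return ("alt", branches)

    def sequence(closer):
        nonlocal pos
        items = []
        while pos < len(toks) and toks[pos] not in ("|", closer):
            tok = toks[pos]
            pos += 1
            if tok in CLOSER:                      # {required choice} or [optional]
                inner = alternatives(CLOSER[tok])
                if pos >= len(toks) or toks[pos] != CLOSER[tok]:
                    raise ValueError(f"missing {CLOSER[tok]!r} in {spec!r}")
                pos += 1
                items.append(inner if tok == "{" else ("opt", inner))
            elif tok in ("}", "]"):
                raise ValueError(f"unbalanced {tok!r} in {spec!r}")
            elif RANGE.fullmatch(tok):             # <1..65535>
                lo, hi = map(int, RANGE.fullmatch(tok).groups())
                items.append(("range", lo, hi))
            elif tok in placeholders or (tok[0] == "<" and tok[-1] == ">"):
                items.append(("var", tok))         # object-name, <description>
            else:
                items.append(("lit", tok))         # keyword, typed literally
        return ("seq", items)

    return alternatives(None)


def _ends(node, words, i):
    """Yield every index at which `node` can finish when it starts at words[i]."""
    kind = node[0]
    if kind == "lit":                              # no abbreviation accepted
        if i < len(words) and words[i] == node[1]:
            yield i + 1
    elif kind == "var":                            # any single word
        if i < len(words):
            yield i + 1
    elif kind == "range":
        if i < len(words) and words[i].isascii() and words[i].isdigit():
            if node[1] <= int(words[i]) <= node[2]:
                yield i + 1
    elif kind == "opt":
        yield i
        yield from _ends(node[1], words, i)
    elif kind == "alt":
        for branch in node[1]:
            yield from _ends(branch, words, i)
    else:                                          # seq: thread positions through
        starts = {i}
        for item in node[1]:
            starts = {e for s in starts for e in _ends(item, words, s)}
        yield from starts


def is_valid(tree, command):
    """True when the whole command line fits the syntax tree."""
    words = command.split()
    return len(words) in set(_ends(tree, words, 0))


def lint(tree, commands):
    """Return the commands that do not fit the syntax tree."""
    return [c for c in commands if not is_valid(tree, c)]


# The syntax line from the guide; object-name is its italic placeholder.
SERVICE_OBJECT = parse_syntax(
    "service-object object-name {tcp | udp} "
    "{eq <1..65535> | range <1..65535> <1..65535>}",
    placeholders={"object-name"},
)

# Constructed sample commands, as a provisioning script might emit them.
SAMPLES = [
    "service-object web-alt tcp eq 8080",
    "service-object dns-pool udp range 5300 5310",
    "service-object bad-port tcp eq 70000",        # outside <1..65535>
    "service-obj web-alt tcp eq 8080",             # abbreviated keyword
    "service-object web-alt tcp range 8080",       # range needs two numbers
    "service-object web-alt icmp eq 8",            # not one of {tcp | udp}
]

if __name__ == "__main__":
    for bad in lint(SERVICE_OBJECT, SAMPLES):
        print("rejected:", bad)
```

The check covers syntax only; whether a placeholder value is itself legal depends on the input-value formats the guide lists separately.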
1.4.6 Naming Conventions
The ATP and USG devices may have different names for the same service, but the commands for both devices are the same. The command names will be used to refer to these services throughout this reference guide. A list of naming differences is in the next table.
Table 2 Naming differences between USG and ATP devices
COMMAND NAME      USG SERIES NAME    USG FLEX SERIES NAME    ATP SERIES NAME
anti-virus        Anti-Virus         Anti-Malware            Anti-Malware
anti-spam         Anti-Spam          Email Security          Email Security
threat-website    N/A                URL Threat Filter       URL Threat Filter
1.4.7 Changing the Password
It is highly recommended that you change the password for accessing the Zyxel Device. See Section 47.2 on page 389 for the appropriate commands.
1.4.8 Idle Timeout
See Section 47.2.1 on page 389 for commands on changing the default logout time when no activity is recorded.

1.5 CLI Modes

You run CLI commands in one of several modes.
After you log into the Zyxel Device, you will see this prompt Router> in User mode.
Type enable and you will see this prompt Router# in Privilege mode.
Type configure terminal and you will see this prompt Router(config)# in Configuration mode.
This is a summary of the modes.
Table 3 CLI Modes
What Guest users can do
  USER: Unable to access
  PRIVILEGE: Unable to access
  CONFIGURATION: Unable to access
  SUB-COMMAND: Unable to access
What User users can do
  USER: Look at (but not run) available commands
  PRIVILEGE: Unable to access
  CONFIGURATION: Unable to access
  SUB-COMMAND: Unable to access
What Limited-Admin users can do
  USER: Look at system information (like Status screen); run basic diagnostics
  PRIVILEGE: Look at system information (like Status screen); run basic diagnostics
  CONFIGURATION: Unable to access
  SUB-COMMAND: Unable to access
What Admin users can do
  USER: Look at system information (like Status screen); run basic diagnostics
  PRIVILEGE: Look at system information (like Status screen); run basic diagnostics
  CONFIGURATION: Configure simple features (such as an address object); create or remove complex parts (such as an interface)
  SUB-COMMAND: Configure complex parts (such as an interface) in the Zyxel Device
How you enter it
  USER: Log in to the Zyxel Device
  PRIVILEGE: Type enable in User mode
  CONFIGURATION: Type configure terminal in User or Privilege mode
  SUB-COMMAND: Type the command used to create the specific part in Configuration mode
What the prompt looks like
  USER: Router>
  PRIVILEGE: Router#
  CONFIGURATION: Router(config)#
  SUB-COMMAND: (varies by part) Router(zone)# Router(config-if-ge)# ...
How you exit it
  USER: Type exit
  PRIVILEGE: Type disable
  CONFIGURATION: Type exit
  SUB-COMMAND: Type exit
See Chapter 47 on page 388 for more information about the user types. User users can only log in, look at (but not run) the available commands in User mode, and log out. Limited-Admin users can look at the configuration in the web configurator and CLI, and they can run basic diagnostics in the CLI. Admin users can configure the Zyxel Device in the web configurator or CLI.
At the time of writing, there is not much difference between User and Privilege mode for admin users. This is reserved for future use.

1.6 Shortcuts and Help

1.6.1 List of Available Commands
A list of valid commands can be found by typing ? or [TAB] at the command prompt. To view a list of available commands within a command group, enter <command> ? or <command> [TAB].
Figure 9 Help: Available Commands Example 1
Router> ?
<cr>
apply
atse
clear
configure
------------------[Snip]--------------------
shutdown
telnet
test
traceroute
write
Router>
Figure 10 Help: Available Command Example 2
Router> show ?
<wlan ap interface>
aaa
access-page
account
ad-server
address-object
------------------[Snip]--------------------
wlan
workspace
zone
Router> show
1.6.2 List of Sub-commands or Required User Input
To view detailed help information for a command, enter <command> <sub command> ?.
Figure 11 Help: Sub-command Information Example
Router(config)# ip telnet server ?
;
<cr>
port
rule
|
Router(config)# ip telnet server
Figure 12 Help: Required User Input Example
Router(config)# ip telnet server port ?
<1..65535>
Router(config)# ip telnet server port
1.6.3 Entering Partial Commands
The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the Zyxel Device automatically display the full command.
For example, if you enter config and press [TAB], the full command of configure automatically displays.
If you enter a partial command that is not unique and press [TAB], the Zyxel Device displays a list of commands that start with the partial command.
Figure 13 Non-Unique Partial Command Example
Router# c [TAB]
clear configure copy
Router# co [TAB]
configure copy
1.6.4 Entering a ? in a Command
Typing a ? (question mark) usually displays help information. However, some commands allow you to input a ?, for example as part of a string. Press [CTRL+V] on your keyboard to enter a ? without the Zyxel Device treating it as a help query.
1.6.5 Command History
The Zyxel Device keeps a list of commands you have entered for the current CLI session. You can use any commands in the history again by pressing the up or down arrow key to scroll through the previously used commands and press [ENTER].
1.6.6 Navigation
Press [CTRL]+A to move the cursor to the beginning of the line. Press [CTRL]+E to move the cursor to the end of the line.
1.6.7 Erase Current Command
Press [CTRL]+U to erase whatever you have currently typed at the prompt (before pressing [ENTER]).
1.6.8 The no Commands
When entering the no commands described in this document, you may not need to type the whole command. For example, with the “[no] mss <536..1452>” command, you use “mss 536” to specify the MSS value. But to disable the MSS setting, you only need to type “no mss” instead of “no mss 536”.

1.7 Input Values

You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen. For example, in the following example, the next input value is a string called <description>.
Router# configure terminal
Router(config)# interface ge1
Router(config-if-ge)# description <description>
When you use the example above, note that Zyxel Device USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
The following table provides more information about input values like <description>.
Table 4 Input-Value Formats for Strings in CLI Commands
TAG                           # VALUES        LEGAL VALUES
*                             1               *
all                           --              ALL
authentication key
  Used in IPSec SA            32-40           “0x” or “0X” + 32-40 hexadecimal values
                              16-20           alphanumeric or ;|`~!@#$%^&*()_+\\{}':,./<>=-
  Used in MD5 authentication keys for RIP/OSPF and text authentication key for RIP
                              0-16            alphanumeric or _-
  Used in text authentication keys for OSPF
                              0-8             alphanumeric or _-
certificate name              1-31            alphanumeric or ;`~!@#$%^&()_+[\]{}',.=-
community string              0-63            alphanumeric or .-
                                              first character: alphanumeric or -
connection_id                 1+              alphanumeric or -_:
contact                       1-61            alphanumeric, spaces, or '()+,/:=?;!*#@$_%-.
country code                  0 or 2          alphanumeric
custom signature file name    0-30            alphanumeric or _-.
                                              first character: letter
description
  Used in keyword criteria for log entries
                              1-64            alphanumeric, spaces, or '()+,/:=?;!*#@$_%-.
  Used in other commands      1-61            alphanumeric, spaces, or '()+,/:=?;!*#@$_%-
distinguished name            1-511           alphanumeric, spaces, or .@=,_-
domain name
  Used in content filtering   0+              lower-case letters, numbers, or .-
  Used in ip dns server       0-247           alphanumeric or .-
                                              first character: alphanumeric or -
  Used in domainname, ip dhcp , and ip domain
                              0-254           alphanumeric or ._-
                                              first character: alphanumeric or -
email                         1-63            alphanumeric or .@_-
e-mail                        1-64            alphanumeric or .@_-
encryption key                16-64           “0x” or “0X” + 16-64 hexadecimal values
                              8-32            alphanumeric or ;\|`~!@#$%^&*()_+\\{}':,./<>=-
file name                     0-31            alphanumeric or _-
filter extension              1-256           alphanumeric, spaces, or '()+,/:=?;!*#@$_%.-
fqdn
  Used in ip dns server       0-252           alphanumeric or .-
                                              first character: alphanumeric or -
  Used in ip ddns, time server, device HA, VPN, certificates, and interface ping check
                              0-254           alphanumeric or .-
                                              first character: alphanumeric or -
full file name                0-256           alphanumeric or _/.-
hostname
  Used in hostname command    0-63            alphanumeric or .-_
                                              first character: alphanumeric or -
  Used in other commands      0-252           alphanumeric or .-
                                              first character: alphanumeric or -
import configuration file     1-26+“.conf”    alphanumeric or ;`~!@#$%^&()_+[]{}',.=-
                                              add “.conf” at the end
import shell script           1-26+“.zysh”    alphanumeric or ;`~!@#$%^&()_+[]{}',.=-
                                              add “.zysh” at the end
initial string                1-64            alphanumeric, spaces, or '()+,/:=!*#@$_%-.&
isp account password          0-63            alphanumeric or `~!@#$%^&*()_\-+={}|\;:'<,>./
isp account username          0-30            alphanumeric or -_@$./
ipv6_addr
  An IPv6 address. The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.
  IPv6 addresses can be abbreviated in two ways:
  Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0.
  Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15.
key length                    --              512, 768, 1024, 1536, 2048, 4096
license key                   25              “S-” + 6 upper-case letters or numbers + “-” + 16 upper-case letters or numbers
mac address                   --              aa:bb:cc:dd:ee:ff (hexadecimal)
mail server fqdn                              lower-case letters, numbers, or -.
name                          1-31            alphanumeric or _-
notification message          1-81            alphanumeric, spaces, or '()+,/:=?;!*#@$_%-
password: less than 15 chars  1-15            alphanumeric or `~!@#$%^&*()_\-+={}|\;:'<,>./
password: less than 8 chars   1-8             alphanumeric or ;/?:@&=+$\.-_!~*'()%,#$
password
  Used in user and ip ddns    1-63            alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./
  Used in e-mail log profile SMTP authentication
                              1-63            alphanumeric or `~!@#$%^&*()_-+={}|\;:'<>./
  Used in device HA synchronization
                              1-63            alphanumeric or ~#%^*_-={}:,.
  Used in registration        6-20            alphanumeric or .@_-
phone number                  1-20            numbers or ,+
preshared key                 16-64           “0x” or “0X” + 16-64 hexadecimal values
                                              alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-
profile name                  0-30            alphanumeric or _-
                                              first character: letters or _-
proto name                    1-16            lower-case letters, numbers, or -
protocol name                 0-30            alphanumeric or _-
                                              first character: letters or _-
quoted string less than 127 chars
                              1-255           alphanumeric, spaces, or ;/?:@&=+$\.-_!~*'()%,
quoted string less than 63 chars
                              1-63            alphanumeric, spaces, or ;/?:@&=+$\.-_!~*'()%
quoted string                 0+              alphanumeric, spaces, or punctuation marks
                                              enclosed in double quotation marks (“)
                                              must put a backslash (\) before double quotation marks that are part of input value itself
service name                  0-63            alphanumeric or -_@$./
spi                           2-8             hexadecimal
string less than 15 chars     1-15            alphanumeric or -_
string: less than 63 chars    1-63            alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./
string                        1+              alphanumeric or -_@
subject                       1-61            alphanumeric, spaces, or '()+,./:=?;!*#@$_%-
system type                   0-2             hexadecimal
timezone [-+]hh               --              -12 through +12 (with or without “+”)
url                           1-511           alphanumeric or '()+,/:.=?;!*#@$_%-
url
  Used in content filtering redirect
                              “http://”+      alphanumeric or ;/?:@&=+$\.-_!~*'()%,
                              “https://”+     starts with “http://” or “https://”
                                              may contain one pound sign (#)
  Used in other content filtering commands
                              “http://”+      alphanumeric or ;/?:@&=+$\.-_!~*'()%,
                                              starts with “http://”
                                              may contain one pound sign (#)
user name
  Used in VPN extended authentication
                              1-31            alphanumeric or _-
  Used in other commands      0-30            alphanumeric or _-
                                              first character: letters or _-
username                      6-20            alphanumeric or .@_-
  registration
user name                     1+              alphanumeric or -_.
  logging commands
user@domainname               1-80            alphanumeric or .@_-
vrrp group name: less than 15 chars
                              1-15            alphanumeric or _-
week-day sequence, i.e. 1=first,2=second
                              1               1-4
xauth method                  1-31            alphanumeric or _-
xauth password                1-31            alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-
mac address                   0-12 (even number)
                                              hexadecimal
                                              for example: aa aabbcc aabbccddeeff
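Because the ipv6_addr entry in Table 4 allows several spellings of one address, comparing addresses as strings (in rule audits, log searches or configuration diffs) can miss matches. The following Python sketch is an added example, not code from this guide or from Zyxel: it undoes both abbreviations described there so that equal addresses compare equal, and it rejects a second double colon. The function names are constructed; abbreviating the first longest run of zero blocks and leaving a single zero block alone follow RFC 5952, which the guide does not mention; IPv4-embedded forms are not handled.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(text):
    """Undo both abbreviations: return eight 4-digit lower-case blocks."""
    if text.count("::") > 1:
        raise ValueError("a double colon can only appear once")
    if "::" in text:
        left, right = text.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(head) - len(tail)      # blocks the '::' stands for
        if missing < 1:
            raise ValueError("'::' must replace at least one block")
        blocks = head + ["0"] * missing + tail
    else:
        blocks = text.split(":")
    if len(blocks) != 8:
        raise ValueError("an IPv6 address has eight blocks")
    for block in blocks:
        if not 1 <= len(block) <= 4 or not set(block) <= HEX_DIGITS:
            raise ValueError(f"bad block {block!r}")
    return ":".join(block.lower().zfill(4) for block in blocks)


def abbreviate_ipv6(text):
    """Apply both abbreviations: drop leading zeros, then use '::' once."""
    blocks = [format(int(b, 16), "x") for b in expand_ipv6(text).split(":")]
    best_start, best_len, i = 0, 0, 0
    while i < 8:                                  # find the first longest zero run
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    if best_len < 2:                              # RFC 5952: keep a lone zero block
        return ":".join(blocks)
    head = ":".join(blocks[:best_start])
    tail = ":".join(blocks[best_start + best_len:])
    return head + "::" + tail


def group_equivalent(entries):
    """Map each fully expanded address to the spellings that denote it."""
    groups = {}
    for entry in entries:
        groups.setdefault(expand_ipv6(entry), []).append(entry)
    return groups


# The spellings the guide gives for its second example address.
GUIDE_FORMS = [
    "2001:0db8:0000:0000:1a2f:0000:0000:0015",
    "2001:0db8::1a2f:0000:0000:0015",
    "2001:0db8:0000:0000:1a2f::0015",
    "2001:db8::1a2f:0:0:15",
    "2001:db8:0:0:1a2f::15",
]

if __name__ == "__main__":
    for full, spellings in group_equivalent(GUIDE_FORMS).items():
        print(full, "<-", len(spellings), "spellings")
    print(abbreviate_ipv6(GUIDE_FORMS[0]))
```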

1.8 Ethernet Interfaces

How you specify an Ethernet interface depends on the Zyxel Device model.
• For some Zyxel Device models, use gex, x = 1~N, where N equals the highest numbered Ethernet interface for your Zyxel Device model.
• For other Zyxel Device models use a name such as wan1, wan2, opt, lan1, or dmz.

1.9 Saving Configuration Changes

Use the write command to save the current configuration to the Zyxel Device.
Note: Always save the changes before you log out after each management session. All unsaved changes will be lost after the system restarts.

1.10 Logging Out

Enter the exit or end command in configure mode to go to privilege mode.
Enter the exit command in user mode or privilege mode to log out of the CLI.

1.11 Resetting the Zyxel Device

If you cannot access the Zyxel Device by any method, try restarting it by turning the power off and then on again. If you still cannot access the Zyxel Device by any method or you forget the administrator password(s), you can reset the Zyxel Device to its factory-default settings. Any configuration files or shell scripts that you saved on the Zyxel Device should still be available afterwards.
Use the following command to reset the Zyxel Device to its factory-default settings. This overwrites the settings in the startup-config.conf file with the settings in the system-default.conf file.
Note: This procedure removes the current configuration. Note that there is a space after apply in the command.
Figure 14 Resetting the Zyxel Device
Router> apply /conf/system-default.conf

CHAPTER 2
User and Privilege Modes

This chapter describes how to use these two modes.

2.1 User And Privilege Modes

This is the mode you are in when you first log into the CLI. (Do not confuse ‘user mode’ with types of user accounts the Zyxel Device uses. See Chapter 47 on page 388 for more information about the user types. ‘User’ type accounts can only run ‘exit’ in this mode. However, they may need to log into the device in order to be authenticated for ‘user-aware’ policies, for example a firewall rule that a particular user is exempt from or a VPN tunnel that only certain people may use.)
Type ‘enable’ to go to ‘privilege mode’. No password is required. All commands can be run from here except those marked with an asterisk. Many of these commands are for trouble-shooting purposes, for example debug commands. Customer support may ask you to run some of these commands and send the results if you need assistance troubleshooting your device.
For admin logins, all commands are visible in ‘user mode’ but not all can be run there. The following table displays which commands can be run in ‘user mode’. All commands can be run in ‘privilege mode’.
Type ezmode activate if you have a simple network environment with one ISP for Internet access for example. You’ll enter Easy Mode every time you log in to the Zyxel Device using the Web Configurator. Objects created in Easy Mode begin with EZ_
Type ezmode deactivate if you have a complex network environment with two ISPs for Internet access for example. You’ll enter Expert Mode every time you log in to the Zyxel Device using the Web Configurator. Some EZ_ objects cannot be edited in Expert Mode.
The psm commands are for Zyxel’s internal manufacturing process.
Table 5 User (U) and Privilege (P) Mode Commands
COMMAND         MODE  DESCRIPTION
apply           P     Applies a configuration file.
atse            U/P   Displays the seed code.
clear           U/P   Clears system or debug logs or DHCP binding.
configure       U/P   Use ‘configure terminal’ to enter configuration mode.
copy            P     Copies configuration files.
debug (*)       U/P   For support personnel only! The device needs to have the debug flag enabled.
delete          P     Deletes configuration files.
details         P     Performs diagnostic commands.
diag            P     Provided for support personnel to collect internal system information. It is not recommended that you use these.
diag-info       P     Has the Zyxel Device create a new diagnostic file.
dir             P     Lists files in a directory.
disable         U/P   Goes from privilege mode to user mode.
enable          U/P   Goes from user mode to privilege mode.
exit            U/P   Goes to a previous mode or logs out.
interface       U/P   Dials or disconnects an interface.
no packet-trace U/P   Turns off packet tracing.
nslookup        U/P   Resolves an IP address to a host name and vice-versa.
packet-trace    U/P   Performs a packet trace.
ping            U/P   Pings an IP address or host name.
ping6           U/P   Pings an IPv6 address or a host name.
psm             U/P   Goes to psm (product support module) mode for setting product parameters. Only use psm commands if your customer support Engineer asks you to during troubleshooting.
                      Note: These commands are for Zyxel’s internal manufacturing process.
reboot          P     Restarts the device.
release         P     Releases DHCP information from an interface.
rename          P     Renames a configuration file.
renew           P     Renews DHCP information for an interface.
run             P     Runs a script.
setenv          U/P   Turns stop-on-error on (terminates booting if an error is found in a configuration file) or off (ignores configuration file errors and continues booting).
show            U/P   Displays command statistics. See the associated command chapter in this guide.
shutdown        P     Writes all d data to disk and stops the system processes. It does not turn off the power.
telnet          U/P   Establishes a connection to the TCP port number 23 of the specified host name or IP address.
test aaa        U/P   Tests whether the specified user name can be successfully authenticated by an external authentication server.
traceroute      P     Traces the route to the specified host name or IP address.
traceroute6     P     Traces the route to the specified host name or IPv6 address.
write           P     Saves the current configuration to the Zyxel Device. All unsaved changes are lost after the Zyxel Device restarts.
Subsequent chapters in this guide describe the configuration commands. User/privilege mode commands that are also configuration commands (for example, ‘show’) are described in more detail in the related configuration command chapter.
2.1.1 Debug Commands
The debug commands follow a Linux-based syntax, so if there is a Linux equivalent, it is displayed in this chapter for your reference. You must know a command listed here well before you use it. Otherwise, it may cause undesired results.
Note: Debug commands marked with an asterisk (*) are not available when the debug flag is on and are for Zyxel service personnel use only.
Table 6 Debug Commands
COMMAND SYNTAX                          DESCRIPTION / LINUX COMMAND EQUIVALENT
debug alg                               FTP/SIP ALG debug commands
debug anti-spam                         Anti-Spam debug commands
debug app                               Application patrol debug command
debug app show l7protocol (*)           Shows app patrol protocol list
                                        Linux command equivalent: > cat /etc/l7_protocols/protocol.list
debug ca (*)                            Certificate debug commands
debug content-filter                    Content Filtering debug commands
debug show content-filter https-domain-filter cache
                                        Displays content filtering HTTPs Domain Filter cache entries.
debug content-filter https-domain-filter cache flush
                                        Removes content filtering HTTPs Domain Filter cache entries.
debug device-ha (*)                     Device HA debug commands
debug force-auth (*)                    Authentication policy debug commands
debug gui (*)                           GUI cgi related debug commands
debug gui (*)                           Web Configurator related debug commands
debug hardware (*)                      Hardware debug commands
debug idp                               IDP debug commands
debug idp-av                            IDP and Anti-Virus debug commands
debug interface                         Interface debug commands
debug interface ifconfig [interface]    Shows system interfaces detail
                                        Linux command equivalent: > ifconfig [interface]
debug interface-group                   Port grouping debug commands
debug ip dns                            DNS debug commands
debug ip virtual-server                 Virtual Server (NAT) debug commands
debug ipsec                             IPSec VPN debug commands
debug logging                           System logging debug commands
debug manufacture                       Manufacturing related debug commands
debug myzyxel-server (*)                myZyxel debug commands
debug network arpignore (*)             Enable/Display the ignoring of ARP responses for interfaces which don't own the IP address
                                        Linux command equivalent: cat /proc/sys/net/ipv4/conf/*/arp_ignore
debug server register                   Set the myZyxel registration server
debug policy-route (*)                  Policy route debug command
debug reset content-filter profiling    Content Filtering debug commands
debug service-register                  Service registration debug command
debug show content-filter server        Category-based content filtering debug command
debug show myzyxel-server status        myZyxel status debug commands
debug show ipset                        Lists the Zyxel Device’s received cards
debug sslvpn                            SSL VPN debug commands
debug system ipv6                       IPv6 debug commands
debug [cmdexec|corefile|ip|kernel|mac-id-rewrite|observer|switch|system|zyinetpkt|zysh-ipt-op] (*)
                                        ZLD internal debug commands
ZyWALL USG/FLEX/VPN/ATP Series CLI Reference Guide
43
PART II

Reference

CHAPTER 3

Object Reference

This chapter describes how to use object reference commands.

3.1 Object Reference Commands

Use the object reference commands to see which configuration settings reference a specific object. This is useful when you want to delete an object, because you have to remove references to the object first.
Table 7 show reference Commands
COMMAND
    DESCRIPTION
show reference object username [username]
    Displays which configuration settings reference the specified user object.
show reference object address [object_name]
    Displays which configuration settings reference the specified address object.
show reference object address6 [object_name]
    Displays which configuration settings reference the specified IPv6 address object.
show reference object service [object_name]
    Displays which configuration settings reference the specified service object.
show reference object schedule [object_name]
    Displays which configuration settings reference the specified schedule object.
show reference object interface [interface_name | virtual_interface_name]
    Displays which configuration settings reference the specified interface or virtual interface object.
show reference object aaa authentication [default | auth_method]
    Displays which configuration settings reference the specified AAA authentication object.
show reference object ca category {local|remote} [cert_name]
    Displays which configuration settings reference the specified authentication method object.
show reference object account pppoe [object_name]
    Displays which configuration settings reference the specified PPPoE account object.
show reference object account pptp [object_name]
    Displays which configuration settings reference the specified PPTP account object.
show reference object app-patrol [profile-name]
    Displays which configuration settings reference the specified application patrol profile.
show reference object sslvpn application [object_name]
    Displays which configuration settings reference the specified SSL VPN application object.
show reference object crypto map [crypto_name]
    Displays which configuration settings reference the specified VPN connection object.
show reference object isakmp policy [isakmp_name]
    Displays which configuration settings reference the specified VPN gateway object.
show reference object sslvpn policy [object_name]
    Displays which configuration settings reference the specified SSL VPN object.
show reference object zone [object_name]
    Displays which configuration settings reference the specified zone object.
show reference object dhcp6-lease-object [object_name]
    Displays which configuration settings reference the specified DHCPv6 lease object.
show reference object dhcp6-request-object [object_name]
    Displays which configuration settings reference the specified DHCPv6 request object.
show reference object-group username [username]
    Displays which configuration settings reference the specified user group object.
show reference object-group address [object_name]
    Displays which configuration settings reference the specified address group object.
show reference object-group address6 [object_name]
    Displays which configuration settings reference the specified IPv6 address group object.
show reference object-group service [object_name]
    Displays which configuration settings reference the specified service group object.
show reference object-group interface [object_name]
    Displays which configuration settings reference the specified trunk object.
show reference object-group aaa ad [group_name]
    Displays which configuration settings reference the specified AAA AD group object.
show reference object-group aaa ldap [group_name]
    Displays which configuration settings reference the specified AAA LDAP group object.
show reference object-group aaa radius [group_name]
    Displays which configuration settings reference the specified AAA RADIUS group object.
3.1.1 Object Reference Command Example
This example shows how to check which configuration is using an address object named LAN1_SUBNET. In the command output, firewall rule 3 named LAN1-to-USG-2000 is using the address object.
Router(config)# show reference object address LAN1_SUBNET
LAN1_SUBNET References:
Category                  Rule Priority  Rule Name  Description
===========================================================================
Security Policy Control   3              N/A        LAN1-to-USG-2000
Router(config)#
CHAPTER 4

Status

This chapter explains some commands you can use to display information about the Zyxel Device’s current operational state.
Table 8 Status Show Commands
COMMAND
    DESCRIPTION
show boot status
    Displays details about the Zyxel Device’s startup state.
show comport status
    Displays whether the console is on or off.
show cpu status
    Displays the CPU utilization.
show cpu all
    Displays the CPU utilization of each CPU.
show disk
    Displays the disk utilization.
show extension-slot
    Displays the status of the extension card slot and USB ports and the names of devices connected to them.
show led status
    Displays the status of each LED on the Zyxel Device.
show mac
    Displays the Zyxel Device’s MAC address.
show mem status
    Displays what percentage of the Zyxel Device’s memory is currently being used.
show ram-size
    Displays the size of the Zyxel Device’s on-board RAM.
show serial-number
    Displays the serial number of this Zyxel Device.
show socket listen
    Displays the Zyxel Device’s listening ports.
show socket open
    Displays the ports that are open on the Zyxel Device.
show system uptime
    Displays how long the Zyxel Device has been running since it last restarted or was turned on.
show version
    Displays the Zyxel Device’s model, firmware and build information.
show ap-info total {sta | usage} {24G | 5G | all} timer
    Displays how many wireless stations are connected to all managed APs or the amount of data (in bytes) sent/received by the connected stations.
    timer: a period of time (from 1 to 24 hours) over which the station number is recorded or the traffic flow occurred.
show ap-info top number {sta | usage} timer
    Displays how many wireless stations are connected to the top managed AP(s) or the amount of data (in bytes) sent/received by the connected stations.
    number: 1 to 64, the top “N” number of managed APs.
    timer: a period of time (from 1 to 24 hours) over which the station number is recorded or the traffic flow occurred.
show ap-info {mac_address | all} {sta | usage} {24G | 5G | all} timer
    Displays how many wireless stations are connected to a specific or all managed APs or the amount of data (in bytes) sent/received by the connected stations.
    mac_address: the managed AP’s MAC address.
    timer: a period of time (from 1 to 24 hours) over which the station number is recorded or the traffic flow occurred.
show sta-info {mac_address | all} usage timer
    Displays data usage of a specific or all connected wireless stations.
    mac_address: the wireless station’s MAC address.
    timer: a period of time (from 1 to 24 hours) over which the traffic flow occurred.
show sta-info total usage timer
    Displays data usage of all connected wireless station(s).
    timer: a period of time (from 1 to 24 hours) over which the traffic flow occurred.
show sta-info top number usage timer
    Displays data usage of the top connected wireless station(s).
    number: 1 to 64, the top “N” number of connected wireless stations.
    timer: a period of time (from 1 to 24 hours) over which the traffic flow occurred.
Here are examples of the commands that display the CPU and disk utilization.
Router(config)# show cpu status
CPU utilization: 0 %
CPU utilization for 1 min: 0 %
CPU utilization for 5 min: 0 %
Router(config)# show disk
;
<cr>
|
Router(config)# show disk
No.  Disk           Size(MB)  Usage
===========================================================================
1    image          67        83%
2    onboard flash  163       15%
Router(config)# show cpu all
CPU core 0 utilization: 0 %
CPU core 0 utilization for 1 min: 0 %
CPU core 0 utilization for 5 min: 0 %
CPU core 1 utilization: 0 %
CPU core 1 utilization for 1 min: 0 %
CPU core 1 utilization for 5 min: 2 %
CPU core 2 utilization: 0 %
CPU core 2 utilization for 1 min: 0 %
CPU core 2 utilization for 5 min: 0 %
CPU core 3 utilization: 0 %
CPU core 3 utilization for 1 min: 0 %
CPU core 3 utilization for 5 min: 0 %
Here are examples of the commands that display the MAC address, memory usage, RAM size, and serial number.
Router(config)# show mac
MAC address: 28:61:32:89:37:61-28:61:32:89:37:67
Router(config)# show mem status
memory usage: 39%
Router(config)# show ram-size
ram size: 510MB
Router(config)# show serial-number
serial number: S060Z12020460
Here is an example of the command that displays the listening ports.
Router(config)# show socket listen
No. Proto Local_Address Foreign_Address State
===========================================================================
1 tcp 0.0.0.0:2601 0.0.0.0:0 LISTEN
2 tcp 0.0.0.0:2602 0.0.0.0:0 LISTEN
3 tcp 127.0.0.1:10443 0.0.0.0:0 LISTEN
4 tcp 0.0.0.0:2604 0.0.0.0:0 LISTEN
5 tcp 0.0.0.0:80 0.0.0.0:0 LISTEN
6 tcp 127.0.0.1:8085 0.0.0.0:0 LISTEN
7 tcp 1.1.1.1:53 0.0.0.0:0 LISTEN
8 tcp 172.16.37.205:53 0.0.0.0:0 LISTEN
9 tcp 10.0.0.8:53 0.0.0.0:0 LISTEN
10 tcp 172.16.37.240:53 0.0.0.0:0 LISTEN
11 tcp 192.168.1.1:53 0.0.0.0:0 LISTEN
12 tcp 127.0.0.1:53 0.0.0.0:0 LISTEN
13 tcp 0.0.0.0:21 0.0.0.0:0 LISTEN
14 tcp 0.0.0.0:22 0.0.0.0:0 LISTEN
15 tcp 127.0.0.1:953 0.0.0.0:0 LISTEN
16 tcp 0.0.0.0:443 0.0.0.0:0 LISTEN
17 tcp 127.0.0.1:1723 0.0.0.0:0 LISTEN
Here is an example of the command that displays the open ports.
Router(config)# show socket open
No. Proto Local_Address Foreign_Address State
===========================================================================
1 tcp 172.23.37.240:22 172.23.37.10:1179 ESTABLISHED
2 udp 127.0.0.1:64002 0.0.0.0:0
3 udp 0.0.0.0:520 0.0.0.0:0
4 udp 0.0.0.0:138 0.0.0.0:0
5 udp 0.0.0.0:138 0.0.0.0:0
6 udp 0.0.0.0:138 0.0.0.0:0
7 udp 0.0.0.0:138 0.0.0.0:0
8 udp 0.0.0.0:138 0.0.0.0:0
9 udp 0.0.0.0:138 0.0.0.0:0
10 udp 0.0.0.0:138 0.0.0.0:0
11 udp 0.0.0.0:32779 0.0.0.0:0
12 udp 192.168.1.1:4500 0.0.0.0:0
13 udp 1.1.1.1:4500 0.0.0.0:0
14 udp 10.0.0.8:4500 0.0.0.0:0
15 udp 172.23.37.205:4500 0.0.0.0:0
16 udp 172.23.37.240:4500 0.0.0.0:0
17 udp 127.0.0.1:4500 0.0.0.0:0
18 udp 127.0.0.1:63000 0.0.0.0:0
19 udp 127.0.0.1:63001 0.0.0.0:0
20 udp 127.0.0.1:63002 0.0.0.0:0
21 udp 0.0.0.0:161 0.0.0.0:0
22 udp 127.0.0.1:63009 0.0.0.0:0
23 udp 192.168.1.1:1701 0.0.0.0:0
24 udp 1.1.1.1:1701 0.0.0.0:0
25 udp 10.0.0.8:1701 0.0.0.0:0
26 udp 172.23.37.205:1701 0.0.0.0:0
27 udp 172.23.37.240:1701 0.0.0.0:0
28 udp 127.0.0.1:1701 0.0.0.0:0
29 udp 127.0.0.1:63024 0.0.0.0:0
30 udp 127.0.0.1:30000 0.0.0.0:0
31 udp 1.1.1.1:53 0.0.0.0:0
32 udp 172.23.37.205:53 0.0.0.0:0
33 udp 10.0.0.8:53 0.0.0.0:0
34 udp 172.23.37.240:53 0.0.0.0:0
35 udp 192.168.1.1:53 0.0.0.0:0
36 udp 127.0.0.1:53 0.0.0.0:0
37 udp 0.0.0.0:67 0.0.0.0:0
38 udp 127.0.0.1:63046 0.0.0.0:0
39 udp 127.0.0.1:65097 0.0.0.0:0
40 udp 0.0.0.0:65098 0.0.0.0:0
41 udp 192.168.1.1:500 0.0.0.0:0
42 udp 1.1.1.1:500 0.0.0.0:0
43 udp 10.0.0.8:500 0.0.0.0:0
44 udp 172.23.37.205:500 0.0.0.0:0
45 udp 172.23.37.240:500 0.0.0.0:0
46 udp 127.0.0.1:500 0.0.0.0:0
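The show socket listen and show socket open listings above can be checked against an expected exposure baseline. The following Python audit is an added example, not part of the Zyxel guide: it parses either listing and flags listeners reachable beyond loopback that sit on well-known cleartext ports or fall outside the baseline. The REVIEW and BASELINE sets and all function names are assumptions for illustration; the sample rows are abridged from the two listings above.

```python
import ipaddress
import re
from collections import namedtuple

# One row: No. Proto Local_Address Foreign_Address [State]. UDP rows have no
# State, and rows may be one per line or run together on a single line (as in
# a pasted console capture), so rows are matched anywhere in the text.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(
    rf"(?<![\d.:])(\d+)\s+(tcp|udp)\s+({IPV4}):(\d+)\s+({IPV4}):(\d+)"
    r"(?:\s+([A-Z][A-Z_0-9]*)\b)?"
)

# Well-known ports of cleartext services worth reviewing when reachable from
# the network (assumption: the service behind the port is the standard one).
REVIEW = {("tcp", 21): "FTP", ("tcp", 23): "Telnet",
          ("tcp", 80): "HTTP", ("udp", 161): "SNMP"}

# Hypothetical site baseline of (proto, port) pairs expected on this device.
BASELINE = {("tcp", 22), ("tcp", 443), ("tcp", 53), ("udp", 53),
            ("udp", 500), ("udp", 4500)}

Sock = namedtuple(
    "Sock", "no proto local_ip local_port remote_ip remote_port state")


def parse_sockets(text):
    """Return every socket row found in show socket listen/open output."""
    socks = []
    for m in ROW.finditer(text):
        no, proto, lip, lport, rip, rport, state = m.groups()
        try:  # skip rows whose addresses are not valid IPv4
            ipaddress.IPv4Address(lip)
            ipaddress.IPv4Address(rip)
        except ipaddress.AddressValueError:
            continue
        socks.append(
            Sock(int(no), proto, lip, int(lport), rip, int(rport), state))
    return socks


def scope(sock):
    """Classify the local bind address: wildcard, loopback or interface."""
    ip = ipaddress.IPv4Address(sock.local_ip)
    if ip.is_unspecified:
        return "wildcard"
    return "loopback" if ip.is_loopback else "interface"


def audit(text, baseline=BASELINE):
    """Flag network-reachable listeners: cleartext ports, then drift."""
    findings = []
    for s in parse_sockets(text):
        # TCP listeners are in state LISTEN; bound UDP sockets show no state.
        listening = s.proto == "udp" or s.state == "LISTEN"
        if not listening or scope(s) == "loopback":
            continue
        key = (s.proto, s.local_port)
        where = f"{s.proto} {s.local_ip}:{s.local_port}"
        if key in REVIEW:
            findings.append(("cleartext", where, REVIEW[key]))
        elif key not in baseline:
            findings.append(("unexpected", where, scope(s)))
    return findings


def established(text):
    """Return (local, remote) pairs for live TCP sessions, e.g. admin SSH."""
    return [(f"{s.local_ip}:{s.local_port}", f"{s.remote_ip}:{s.remote_port}")
            for s in parse_sockets(text) if s.state == "ESTABLISHED"]


# Rows copied (abridged) from the two listings on this page. The second
# capture is deliberately left run together on one line.
SAMPLE = """Router(config)# show socket listen
No. Proto Local_Address Foreign_Address State
1 tcp 0.0.0.0:2601 0.0.0.0:0 LISTEN
3 tcp 127.0.0.1:10443 0.0.0.0:0 LISTEN
5 tcp 0.0.0.0:80 0.0.0.0:0 LISTEN
11 tcp 192.168.1.1:53 0.0.0.0:0 LISTEN
13 tcp 0.0.0.0:21 0.0.0.0:0 LISTEN
14 tcp 0.0.0.0:22 0.0.0.0:0 LISTEN
16 tcp 0.0.0.0:443 0.0.0.0:0 LISTEN
Router(config)# show socket open No. Proto Local_Address Foreign_Address State """ + (
    "1 tcp 172.23.37.240:22 172.23.37.10:1179 ESTABLISHED "
    "2 udp 127.0.0.1:64002 0.0.0.0:0 3 udp 0.0.0.0:520 0.0.0.0:0 "
    "21 udp 0.0.0.0:161 0.0.0.0:0 41 udp 192.168.1.1:500 0.0.0.0:0 "
    "Router(config)#"
)

if __name__ == "__main__":
    for kind, where, detail in audit(SAMPLE):
        print(f"{kind:10} {where:24} {detail}")
    for local, remote in established(SAMPLE):
        print(f"session    {local} <- {remote}")
```

Loopback-only sockets are skipped because they are not reachable from the network; wildcard binds are reachable on every interface unless a security policy blocks them.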
Here are examples of the commands that display the system uptime and model, firmware, and build information.
Router> show system uptime
system uptime: 04:18:00
Router> show version
Zyxel Communications Corp.
model : ZyWALL USG 110
firmware version: 2.20(AQQ.0)b3
BM version : 1.08
build date : 2014-01-21 01:18:06
This example shows the current LED states on the Zyxel Device. The SYS LED is on and green. The HDD LEDs are off.
Router> show led status
sys: green
usbled: off
Router>

4.1 ATP Dashboard Commands

Use these commands to view status and statistics information about security services on the ZyWALL ATP models.
Table 9 Dashboard Commands
COMMAND
    DESCRIPTION
show anti-botnet dashboard statistics summary
    Displays the number of the connection attempts detected or blocked, and the number of malware threats.
show ip-reputation dashboard statistics summary
    Displays the number of IPv4 addresses that have been scanned, the number of hit counts on the scanned IPv4 addresses, and the number of IPv4 address for each threat level.
show anti-spam dashboard statistics summary
    Displays the number of emails that the Zyxel Device’s email security feature has checked, the number of spam emails and the number of suspicious websites known for phishing.
show anti-virus statistics summary
    Displays the number of viruses detected.
show content-filter dashboard statistics summary
    Displays the number of web pages that the Zyxel Device’s content filtering feature has checked.
show idp dashboard statistics summary
    Displays the number of sessions and packets that the Zyxel Device’s IDP feature has checked.
show sandbox dashboard statistics summary
    Displays the number of files that have been scanned or destroyed and the scan result.
show security-service status
    Displays whether the security service, such as content filtering or sandboxing is enabled on the Zyxel Device.
threat-website dashboard statistics flush
    Clears the anti-botnet statistics on the dashboard.
content-filter dashboard statistics flush
    Clears the content-filter statistics on the dashboard.
CHAPTER 5

Registration

This chapter introduces myZyxel and shows you how to register the Zyxel Device for IDP/AppPatrol, anti-virus, content filtering, and SSL VPN services using commands.

5.1 myZyxel Overview

myZyxel is Zyxel’s online services center where you can register your Zyxel Device and manage subscription services available for the Zyxel Device.
Note: You need to create an account before you can register your device and activate the services at myZyxel.
First, go to http://www.myZyxel with the Zyxel Device’s serial number and LAN MAC address to register the Zyxel Device. Refer to the web site’s on-line help for details. You can also go to the portal and see license status using the Licensing > Registration screens.
Note: To activate a service on a Zyxel Device, you need to access myZyxel via that Zyxel Device.
5.1.1 Subscription Services Available on the Zyxel Device
Refer to Section 1.4.6 on page 31 for differences between ATP and USG license names.
The Zyxel Device can use anti-virus, anti-spam, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), SSL VPN, and content filtering subscription services.
ZyWALL models need a license for UTM (Unified Threat Management) functionality. See the Introduction chapter in the Zyxel Device User’s Guide or the product datasheet for details.
You can purchase an EiCard and enter the license key from it, at http://www.myZyxel.com to have the ZyWALL use UTM services or have the Zyxel Device use more SSL VPN tunnels. See the respective chapters in the User’s Guide for more information about UTM features.
• The Zyxel Device’s anti-virus packet scanner uses signature files on the Zyxel Device to detect viruses. Your Zyxel Device scans files transmitted through enabled interfaces into the network. Subscribe to signature updates for Zyxel’s anti-virus engine. After the service is activated, the Zyxel Device can download the up-to-date signatures from the update server.
After the trial expires, you need to purchase an EiCard and enter the PIN number (license key) at http://www.myZyxel.com.
• The IDP and application patrol features use IDP/AppPatrol signatures on the Zyxel Device. IDP detects malicious or suspicious packets and responds immediately. Application patrol conveniently manages the use of various applications on the network. After the service is activated, the Zyxel Device can download the up-to-date signature files from the update server.
• SSL VPN tunnels provide secure network access to remote users. You can purchase and enter a license key to have the Zyxel Device use more SSL VPN tunnels.
• Content filter allows or blocks access to web sites. Subscribe to category-based content filtering to block access to categories of web sites based on content. Your Zyxel Device accesses an external database that has millions of web sites categorized based on content. You can have the Zyxel Device block, block and/or log access to web sites based on these categories.
• You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/AppPatrol service. You can also check for new signatures at http://mysecurity.zyxel.com.
See the respective chapters for more information about these features.
Note: To update the signature file or use a subscription service, you have to register the Zyxel Device and activate the corresponding service at myZyxel (through the Zyxel Device).

5.2 Registration Commands

The following table describes the commands available for registration. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 10 Command Summary: Registration
COMMAND
    DESCRIPTION
service-register checkexpire
    Gets information of all service subscriptions from myZyxel and updates the status table.
service-register _setremind {after-10-days | after-180-days | after-30-days | every-time | never}
    Sets how often you want to display the network risk warning screen in the Web Configurator. The screen shows the security services which are not registered or disabled on the Zyxel Device.
show device-register status
    Displays whether the device is registered and account information.
show service-register status {all | application-security | secu-reporter | as | av | concurrent-device-upgrade | content-filter | firmware-upgrade | geo-ip | idp | malware-blocker | ctdb | managed-ap-service | pkg | sandbox | secu-reporter | sslvpn | sslvpn-status | web-security | zymesh}
    Displays the status of your service registrations. Use all to show all registrations as a list.
show service-register status content-filter {commtouch}
    Displays Commtouch content filter service license information.
show service-register status sslvpn-status
    Displays the status of SSL VPN tunnels. The first number is the actual number of VPN tunnels up and the second number is the maximum number of SSL VPN tunnels allowed.
show service-register content-filter-engine
    Displays which external web filtering service the Zyxel Device is set to use for content filtering.
debug myzyxel2 show [as|av|idp|content-filter|sslvpn|extmaps|pkg] shm
    Shows debug information for services at myZyxel
debug show myzyxel-server status
    Shows debug information for the myZyxel server.
5.2.1 Command Examples
The following command displays the account information and whether the device is registered. As the sample output shows, the account password is displayed in plain text.
Router# configure terminal
Router(config)# show device-register status
username : example
password : 123456
device register status : yes
expiration self check : no
The following command displays the service registration status and type and how many days remain before the service expires.
Router# configure terminal
Router(config)# show service-register status all
Service          Status         Type      Count  Expiration
===========================================================================
IDP Signature    Licensed       Standard  N/A    176
Anti-Virus       Not Licensed   None      N/A    0
SSLVPN           Not Licensed   None      5      N/A
Content-Filter   Not Licensed   None      N/A    0
CHAPTER 6

AP Management

This chapter shows you how to configure wireless AP management options on your Zyxel Device.

6.1 AP Management Overview

The Zyxel Device allows you to remotely manage all of the Access Points (APs) on your network. You can manage a number of APs without having to configure them individually as the Zyxel Device automatically handles basic configuration for you.
The commands in this chapter allow you to add, delete, and edit the APs managed by the Zyxel Device by means of the CAPWAP protocol. An AP must be moved from the wait list to the management list before you can manage it. If you do not want to use this registration mechanism, you can disable it and then any newly connected AP is registered automatically.

6.2 AP Management Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 11 Input Values for General AP Management Commands
LABEL
    DESCRIPTION
ap_mac
    The Ethernet MAC address of the managed AP. Enter 6 hexadecimal pairs separated by colons. You can use 0-9, a-z and A-Z.
ap_model
    The model name of the managed AP, such as NWA5160N, NWA5560-N, NWA5550-N, NWA5121-NI or NWA5123-NI.
slot_name
    The slot name for the AP’s on-board wireless LAN card. Use either slot1 or slot2. (The NWA5560-N supports up to 2 radio slots.)
profile_name
    The wireless LAN radio profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
ap_description
    The AP description. This is strictly used for reference purposes and has no effect on any other settings. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
sta_mac
    The MAC address of the wireless client. Enter 6 hexadecimal pairs separated by colons. You can use 0-9, a-z and A-Z.
The following table describes the commands available for AP management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 12 Command Summary: AP Management
COMMAND
    DESCRIPTION
[no] capwap activate
    Enables or disables the AP controller service.
capwap ap ap_mac
    Enters the sub-command mode for the specified AP.
slot_name ap-profile profile_name
    Sets the radio (slot_name) to AP mode and assigns a created profile to the radio.
no slot_name ap-profile
    Removes the AP mode profile assignment for the specified radio (slot_name).
slot_name monitor-profile profile_name
    Sets the specified radio (slot_name) to monitor mode and assigns a created profile to the radio. Monitor mode APs act as wireless monitors, which can detect rogue APs and help you in building a list of friendly ones. See also Section 9.2 on page 72.
no slot_name monitor-profile
    Removes the monitor mode profile assignment for the specified radio (slot_name).
slot_name {root-ap | repeater-ap } zymesh-profile_name
    Sets the specified radio (slot_name) to root AP or repeater mode and assigns a created ZyMesh profile to the radio. See also Section 9.6 on page 87 for more information about ZyMesh.
slot_name wireless-bridge {enable | disable}
    Enables or disables wireless bridging on the specified radio (slot_name). The managed AP must support LAN provision and the radio should be in repeater mode. VLAN and bridge interfaces are created automatically according to the LAN port’s VLAN settings.
    When wireless bridging is enabled, the managed repeater AP can still transmit data through its Ethernet port(s) after the ZyMesh/WDS link is up. Be careful to avoid bridge loops.
    The managed APs in the same ZyMesh/WDS must use the same static VLAN ID.
antenna config slot_name chain3 {ceiling | wall}
    Adjusts coverage depending on each radio’s antenna orientation for better coverage.
[no] antenna sw-control enable
    Enables the adjustment of coverage depending on the orientation of the antenna for the AP radios using the web configurator or the command line interface (CLI).
    The no command disables adjustment through the web configurator or the command line interface (CLI). You can still adjust coverage using a physical antenna switch.
ap-group-profile ap-group-profile_name
    Sets the AP group to which the AP belongs.
description ap_description
    Sets the description for the specified AP.
[no] force vlan
    Sets whether or not the Zyxel Device changes the AP’s management VLAN to match the one you configure using the vlan sub-command. The management VLAN on the Zyxel Device and AP must match for the Zyxel Device to manage the AP.
    This takes priority over the AP’s CAPWAP client commands described in Chapter 70 on page 535.
lan-provision lan_port {activate | inactivate} pvid <1..4094>
    Sets the Zyxel Device to enable or disable the specified LAN port on the AP and configures a PVID (Port VLAN ID) for this port.
    lan_port: the name of the AP’s LAN port (lan1 for example).
lan-provision vlan_interface {activate | inactivate} vid <1..4094> join lan_port {tag | untag} [lan_port {tag | untag}] [lan_port {tag | untag}]
    Sets the Zyxel Device to create a new VLAN or configure an existing VLAN. You can disable or enable the VLAN, set the VLAN ID, assign up to three ports to this VLAN as members and set whether the port is to tag outgoing traffic with the VLAN ID.
    vlan_interface: the name of the VLAN (vlan1 for example).
[no] override-full-power activate
    Forces the AP to draw full power from the power sourcing equipment. This improves performance in cases when a PoE injector that does not support PoE negotiation is used.
    Use the no command to disable this feature.
[no] load-balancing <group1 | group2> group_name
    Assigns a load balancing group to the AP.
    Use the no command to remove the group1 or group2 assignment of the AP.
[no] override slot_name {output-power | radio-setting | ssid-setting}
    Sets the Zyxel Device to overwrite the AP’s output power, radio or SSID profile settings for the specified radio.
    Use the no command to not overwrite the specified settings.
[no] override lan-provision
    Sets the Zyxel Device to overwrite the AP’s LAN port settings.
    Use the no command to not overwrite the specified settings.
[no] override vlan-setting
    Sets the Zyxel Device to overwrite the AP’s LAN port settings.
    Use the no command to not overwrite the specified settings.
vlan <1..4094> {tag | untag}
    Sets the VLAN ID for the specified AP as well as whether packets sent to and from that ID are tagged or untagged.
exit
    Exits the sub-command mode for the specified AP.
capwap ap ac-ip {primary_ac_ip} {secondary_ac_ip}
    Specifies the primary and secondary IP address or domain name of the AP controller (the Zyxel Device) to which the AP connects.
capwap ap ac-ip auto
    Sets the AP to use DHCP to get the address of the AP controller (the Zyxel Device).
capwap ap add ap_mac [ap_model]
    Adds the specified AP to the Zyxel Device for management. If manual add is disabled, this command can still be used; if you add an AP before it connects to the network, then this command simply preconfigures the management list with that AP’s information.
capwap ap factory default ap_mac
    Resets the specified AP to its factory default settings.
capwap ap fallback disable
    Sets the managed AP(s) to not change back to associate with the primary AP controller when the primary AP controller is available.
capwap ap fallback enable
    Sets the managed AP(s) to change back to associate with the primary AP controller as soon as the primary AP controller is available.
capwap ap fallback interval <30..86400>
    Sets how often (in seconds) the managed AP(s) check whether the primary AP controller is available.
Table 12 Command Summary: AP Management (continued)
COMMAND DESCRIPTION
capwap ap idle timeout {25–100}
capwap ap kick {all | ap_mac}
capwap ap led-off ap_mac
capwap ap led-on ap_mac
capwap ap reboot ap_mac
capwap manual-add {enable | disable}
capwap station kick sta_mac
show capwap ap {all | ap_mac}
show capwap ap {all | ap_mac} config status
country-code country_code
Sets the default period after which idle wireless clients are kicked from an AP, in minutes. This setting takes effect if setting Disassociate station when overloaded is enabled.

Removes the specified AP (ap_mac) or all connected APs (all) from the management list. Doing this removes the AP(s) from the management list. If the Zyxel Device is set to automatically add new APs to the AP management list, then any kicked APs are added back to the management list as soon as they reconnect.

Sets the LEDs of the specified AP to turn off after it’s ready.

Sets the LEDs of the specified AP to stay lit after the Zyxel Device is ready.

Forces the specified AP (ap_mac) to restart. Doing this severs the connections of all associated stations.

Allows the Zyxel Device to either automatically add new APs to the network (disable) or wait until you manually confirm them (enable).

Forcibly disconnects the specified station from the network.

Displays information of all managed APs (all) or information of an AP on the specified MAC address (ap_mac).

Displays whether or not any AP’s configuration or the specified AP’s configuration is in conflict with the Zyxel Device’s settings for the AP, and displays the settings in conflict if there are any.

Sets the country where the Zyxel Device is located/installed. This is the default country code the Zyxel Device uses in a new radio profile or monitor profile if you do not change it. The available channels vary depending on the country you selected.
country_code: 2-letter country-codes, such as TW, DE, or FR.

lan-provision ap ap_mac
    Enters the sub-command mode for the specified AP.

lan_port {activate | inactivate} pvid <1..4094>
    Enables or disables the specified LAN port on the AP and configures a PVID (Port VLAN ID) for this port.
    lan_port: the name of the AP’s LAN port (lan1 for example).

vlan_interface {activate | inactivate} vid <1..4094> join lan_port {tag | untag} [lan_port {tag | untag}] [lan_port {tag | untag}]
    Creates a new VLAN or configures an existing VLAN. You can disable or enable the VLAN, set the VLAN ID, assign up to three ports to this VLAN as members and set whether the port is to tag outgoing traffic with the VLAN ID.
    vlan_interface: the name of the VLAN (vlan1 for example).

[no] vlan_interface
    Removes the specified VLAN.

show capwap ap {all | ap_mac}
    Displays the management list (all) or whether the specified AP is on the management list (ap_mac).

show capwap ap ap_mac slot_name detail
    Displays details for the specified radio (slot_name) on the specified AP (ap_mac).
show capwap ap {all | ap_mac} config status
    Displays whether or not any AP’s configuration or the specified AP’s configuration is in conflict with the Zyxel Device’s settings for the AP and displays the settings in conflict if there are any.

show capwap ap ac-ip
    Displays the address of the Zyxel Device or auto if the AP finds the Zyxel Device through broadcast packets.

show capwap ap all statistics
    Displays radio statistics for all APs on the management list.

show capwap ap fallback
    Displays whether the managed AP(s) will change back to associate with the primary AP controller when the primary AP controller is available.

show capwap ap fallback interval
    Displays the interval for how often the managed AP(s) check whether the primary AP controller is available.

show capwap ap idle timeout
    Displays the default period after which idle wireless clients are kicked from an AP, in minutes.

show capwap ap wait-list
    Displays a list of connected but as-of-yet unmanaged APs. This is known as the ‘wait list’.

show capwap manual-add
    Displays the current manual add option.

show capwap station all
    Displays information for all stations connected to the APs on the management list.

show country-code list
    Displays a reference list of two-letter country codes.

show default country-code
    Displays the default country code configured on the Zyxel Device.

show lan-provision ap ap_mac interface {lan_port | vlan_interface | all | ethernet | uplink | vlan}
    Displays the port and/or VLAN settings for the specified AP. You can also display settings for a specified port, a specified VLAN, all physical Ethernet ports, the uplink port or all VLANs on the AP.
6.2.1 AP Management Commands Example
The following example shows you how to add an AP to the management list, and then edit it.
Router# show capwap ap wait-list
index: 1
IP: 192.168.1.35, MAC: 00:11:11:11:11:FE
Model: NWA5160N, Description: AP-00:11:11:11:11:FE
index: 2
IP: 192.168.1.36, MAC: 00:19:CB:00:BB:03
Model: NWA5160N, Description: AP-00:19:CB:00:BB:03
Router# configure terminal
Router(config)# capwap ap add 00:19:CB:00:BB:03
Router(config)# capwap ap 00:19:CB:00:BB:03
Router(AP 00:19:CB:00:BB:03)# slot1 ap-profile approf01
Router(AP 00:19:CB:00:BB:03)# exit
Router(config)# show capwap ap all
index: 1
Status: RUN
IP: 192.168.1.37, MAC: 40:4A:03:05:82:1E
Description: AP-404A0305821E
Model: NWA5160N
R1 mode: AP, R1Prof: default
R2 mode: AP, R2Prof: n/a
Station: 0, RadioNum: 2
Mgnt. VLAN ID: 1, Tag: no
WTP VLAN ID: 1, WTP Tag: no
Force VLAN: disable
Firmware Version: 2.25(AAS.0)b2
Recent On-line Time: 08:43:04 2013/05/24
Last Off-line Time: N/A
Router(config)# show capwap ap 40:4A:03:05:82:1E slot1 detail
index: 1
SSID: Zyxel, BSSID: 40:4A:03:05:82:1F
SecMode: NONE, Forward Mode: Local Bridge, Vlan: 1
Router(config)# show capwap ap all statistics
index: 1
Status: RUN, Loading: -
AP MAC: 40:4A:03:05:82:1E
Radio: 1, OP Mode: AP
Profile: default, MAC: 40:4A:03:05:82:1F
Description: AP-404A0305821E
Model: NWA5160N
Band: 2.4GHz, Channel: 6
Station: 0
RxPkt: 4463, TxPkt: 38848
RxFCS: 1083323, TxRetry: 198478
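When manual add is enabled, every new AP sits on the wait list until an administrator confirms it, so the wait list is the place to check a MAC address and model against the site inventory before running capwap ap add. The script below is an added example, not part of the Zyxel guide: it parses the output formats shown above, emits capwap ap add only for inventoried APs, and flags everything else. The inventory contents and all function names are assumptions of this example.

```python
import re

# Wait-list output copied from the section 6.2.1 example above.
WAIT_LIST_OUTPUT = """\
Router# show capwap ap wait-list
index: 1
IP: 192.168.1.35, MAC: 00:11:11:11:11:FE
Model: NWA5160N, Description: AP-00:11:11:11:11:FE
index: 2
IP: 192.168.1.36, MAC: 00:19:CB:00:BB:03
Model: NWA5160N, Description: AP-00:19:CB:00:BB:03
"""

# Start of the "show capwap ap all" output from the same example (trimmed).
MANAGED_OUTPUT = """\
Router(config)# show capwap ap all
index: 1
Status: RUN
IP: 192.168.1.37, MAC: 40:4A:03:05:82:1E
Description: AP-404A0305821E
Model: NWA5160N
R1 mode: AP, R1Prof: default
"""

# Hypothetical site inventory (an assumption of this example): MAC -> model.
# A MAC address can be cloned, so a match here is a sanity check, not proof
# of identity.
APPROVED_APS = {
    "00:19:cb:00:bb:03": "NWA5160N",
    "40-4A-03-05-82-1E": "NWA5160N",
    "00:a0:c5:01:23:45": "NWA5160N",  # approved, not connected yet
}

MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
# \s+ between fields, so the patterns match whether each field is on its own
# line or the capture was flattened onto a single line.
WAIT_RE = re.compile(
    r"index:\s*(?P<index>\d+)\s+IP:\s*(?P<ip>[\d.]+),\s*MAC:\s*" + MAC +
    r"\s+Model:\s*(?P<model>[^,\s]+),\s*Description:\s*(?P<description>\S+)")
MANAGED_RE = re.compile(
    r"index:\s*(?P<index>\d+)\s+Status:\s*(?P<status>\S+)\s+"
    r"IP:\s*(?P<ip>[\d.]+),\s*MAC:\s*" + MAC +
    r"\s+Description:\s*(?P<description>\S+)\s+Model:\s*(?P<model>\S+)")


def normalize_mac(mac):
    """Return a MAC as upper-case colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_entries(pattern, cli_output):
    """Extract one dict per AP entry from captured CLI output."""
    entries = []
    for match in pattern.finditer(cli_output):
        entry = match.groupdict()
        entry["mac"] = normalize_mac(entry["mac"])
        entries.append(entry)
    return entries


def audit(wait_output, managed_output, approved):
    """Compare waiting and managed APs with the approved inventory."""
    inventory = {normalize_mac(mac): model for mac, model in approved.items()}
    waiting = parse_entries(WAIT_RE, wait_output)
    managed = parse_entries(MANAGED_RE, managed_output)
    report = {"add_commands": [], "hold": [], "unexpected_managed": []}
    for ap in waiting:
        # Confirm only when both the MAC and the reported model match.
        if inventory.get(ap["mac"]) == ap["model"]:
            report["add_commands"].append("capwap ap add " + ap["mac"])
        else:
            report["hold"].append(ap["mac"])
    for ap in managed:
        # An AP already on the management list that is not in the inventory
        # (for example one added while automatic add was on) needs review.
        if inventory.get(ap["mac"]) != ap["model"]:
            report["unexpected_managed"].append(ap["mac"])
    seen = {ap["mac"] for ap in waiting + managed}
    report["not_seen"] = sorted(set(inventory) - seen)
    return report


if __name__ == "__main__":
    result = audit(WAIT_LIST_OUTPUT, MANAGED_OUTPUT, APPROVED_APS)
    for key, values in result.items():
        print(f"{key}: {values}")
```

APs listed under hold stay on the wait list for manual review; entries under unexpected_managed are candidates for the kick command described in Table 12 once manual add is enabled.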
The following example displays the management list and radio statistics for the specified AP.
Router(config)# show capwap ap all
index: 1
Status: RUN
IP: 192.168.1.37, MAC: 60:31:97:82:F5:AF
Description: AP-60319782F5AF
Model: WAC5302D-S
CPU Usage: 12 %
R1 mode: AP, R1Prof: default
R2 mode: AP, R2Prof: default2
AP Group Profile: default
Override Slot1 Radio Profile: disable
Override Slot1 SSID Profile: disable
slot1-SSID Profile 1: default
slot1-SSID Profile 2:
slot1-SSID Profile 3:
slot1-SSID Profile 4:
slot1-SSID Profile 5:
slot1-SSID Profile 6:
slot1-SSID Profile 7:
slot1-SSID Profile 8:
Override Slot1 Output Power: disable
Slot1 Output Power: 30dBm
Override Slot2 Radio Profile: disable
Override Slot2 SSID Profile: disable
slot2-SSID Profile 1: default
slot2-SSID Profile 2:
slot2-SSID Profile 3:
slot2-SSID Profile 4:
slot2-SSID Profile 5:
slot2-SSID Profile 6:
slot2-SSID Profile 7:
slot2-SSID Profile 8:
Override Slot2 Output Power: disable
Slot2 Output Power: 30dBm
Station: 2, RadioNum: 2
Override VLAN Setting: disable
Mgnt. VLAN ID: 1, Tag: no
WTP VLAN ID: 1, WTP Tag: no
Force VLAN: disable
Support Lan-provision: yes
Override LAN Provision: disable
Firmware Version: 5.00(ABFH.1)b1
Primary AC IP: broadcast
Secondary AC IP: N/A
Recent On-line Time: 03:15:30 2016/11/11
Last Off-line Time: 03:10:48 2016/11/11
Loop State: N/A
LED Status: N/A
Suppress Mode Status: Enable
Locator LED Status: N/A
Locator LED Time: 0
Locator LED Time Lease: 0
Power Mode: Full
Antenna Switch SW-Control: N/A
Antenna Switch Radio 1: N/A
Antenna Switch Radio 2: N/A
Compatible: No
Capability: 32
Port Number: 4
Router(config)# show capwap ap 60:31:97:82:F5:AF slot1 detail
index: 1
SSID: ZyXEL BSSID: 60:31:97:82:F5:B0
SecMode: NONE, Forward Mode: Local Bridge, Vlan: 1
Router(config)# show capwap ap all statistics
index: 1
Status: RUN, Loading: -
AP MAC: 60:31:97:82:F5:AF
Radio: 1, OP Mode: AP
Profile: default, MAC: F0:FD:F0:FD:F0:FD
Description: AP-60319782F5AF
Model: WAC5302D-S
Band: 2.4GHz, Channel: 6
Station: 0
Rx: 101395, Tx: 866288
RxFCS: 42803, TxRetry: 897
TxPower: 15 dBm
Antenna Type: N/A
index: 2
Status: RUN, Loading: -
AP MAC: 60:31:97:82:F5:AF
Radio: 2, OP Mode: AP
Profile: default2, MAC: F0:FD:F0:FD:F0:FD
Description: AP-60319782F5AF
Model: WAC5302D-S
Band: 5GHz, Channel: 36/40
Station: 2
Rx: 864251, Tx: 1076862
RxFCS: 169608, TxRetry: 2816
TxPower: 16 dBm
Antenna Type: N/A
Router(config)#
CHAPTER 7

Built-in AP

If your Zyxel Device has a built-in AP, then use this function to allow WiFi clients to access your Zyxel Device wirelessly to connect to the network.
Note: The Zyxel Device cannot manage external APs when the built-in AP is enabled.

7.1 Built-in AP Commands

Table 13 Input Values for Built-in AP Commands
LABEL DESCRIPTION
slot_name
    The slot name for the Zyxel Device’s on-board wireless LAN card. Use either slot1 or slot2.

Table 14 Command Summary: Built-in AP
COMMAND DESCRIPTION
capwap ap local-ap
    Enter sub-command mode for the built-in AP.

[no] slot_name ap-profile radio_profile_name
    Sets the specified built-in radio to work as an AP and specifies the radio profile the radio is to use.
    Use the no command to remove the specified profile.

[no] slot_name monitor-profile monitor_profile_name
    Sets the specified built-in radio to work in monitor mode and specifies the monitor profile the radio is to use.
    Use the no command to remove the specified profile.

[no] slot_name output-power wlan_power
    Sets the output power (between 0 to 30 dBm) for the built-in AP radio.
    Use the no command to remove the output power setting.

[no] slot_name ssid-profile <1..8> ssid_profile_name
    Sets the SSID profile that is associated with this profile. You can associate up to eight SSID profiles with an AP radio.
    Use the no command to remove the specified profile.

[no] slot_name zymesh-profile zymesh_profile_name
    Sets the ZyMesh profile the built-in AP radio (in root AP or repeater mode) uses to connect to a root AP or repeater.
    Use the no command to remove the specified profile.

ap-group-profile ap-group-profile_name
    Sets the AP group to which the built-in AP belongs.

[no] ap-mode detection activate
    Sets the built-in AP to detect Rogue APs in the network. Use the no parameter to disable rogue AP detection. For details about this feature, see Chapter 10 on page 90.
location location
    Sets the name of the place where the AP is located, for admin reference.
    Use the no command to remove the specified setting.

[no] override slot_name {output-power | radio-setting | ssid-setting}
    Sets the Zyxel Device to overwrite the built-in AP’s output power, radio or SSID profile settings for the specified radio.
    Use the no command to not overwrite the specified settings.

sysname system_name
    Sets a name to identify the AP on a network. This is usually the AP’s fully qualified domain name.
    Use the no command to remove the specified setting.

exit
    Exits sub-command mode.
Chapter 8

AP Group

If your Zyxel Device has a built-in AP, then use this function to allow WiFi clients to access your Zyxel Device wirelessly to connect to the network. This chapter shows you how to configure AP groups, which define the radio, port, VLAN and load balancing settings and apply the settings to all APs in the group. An AP can belong to one AP group at a time.

8.1 Wireless Load Balancing Overview

Wireless load balancing is the process whereby you limit the number of connections allowed on a wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it. Because there is a hard upper limit on the AP’s wireless bandwidth, this can be a crucial function in areas crowded with wireless users. Rather than let every user connect and subsequently dilute the available bandwidth to the point where each connecting device receives a meager trickle, the load balanced AP instead limits the incoming connections as a means to maintain bandwidth integrity.

8.2 AP Group Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 15 Input Values for General AP Management Commands
LABEL DESCRIPTION
ap_group_profile_name
    The wireless LAN radio profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

slot_name
    The slot name for the AP’s on-board wireless LAN card. Use either slot1 or slot2. (The NWA5560-N supports up to 2 radio slots.)

The following table describes the commands available for AP groups. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 16 Command Summary: AP Group
COMMAND DESCRIPTION
ap-group first-priority ap_group_profile_name
    Sets an AP group file that is used as the default group file. Any AP that is not configured to associate with a specific AP group belongs to the default group automatically.

ap-group flush wtp-setting ap_group_profile_name
    Sets the Zyxel Device to overwrite the settings of all managed APs in the specified group with the group profile settings.
ap-group-member ap_group_wlan_name [no] member local-ap
    Specifies the SSID of the built-in AP that you want to apply the specified AP group profile and add to the group.
    Use the no command to remove the built-in AP from this group.

ap-group-member ap_group_profile_name [no] member mac_address
    Specifies the MAC address of the AP that you want to apply the specified AP group profile and add to the group.
    Use the no command to remove the specified AP from this group.

[no] ap-group-profile ap_group_profile_name
    Enters configuration mode for the specified AP group profile. Use the no command to remove the specified profile.

[no] slot_name ap-profile radio_profile_name
    Sets the specified radio to work as an AP and specifies the radio profile the radio is to use.
    Use the no command to remove the specified profile.

[no] slot_name monitor-profile monitor_profile_name
    Sets the specified radio to work in monitor mode and specifies the monitor profile the radio is to use.
    Use the no command to remove the specified profile.

[no] slot_name output-power wlan_power
    Sets the output power (between 0 to 30 dBm) for the radio on the AP that belongs to this group.
    Use the no command to remove the output power setting.

[no] slot_name ssid-profile <1..8> ssid_profile_name
    Sets the SSID profile that is associated with this profile. You can associate up to eight SSID profiles with an AP radio.
    Use the no command to remove the specified profile.

[no] slot_name repeater-ap radio_profile_name
    Sets the specified AP radio to work as a repeater and specifies the radio profile the radio is to use.
    Use the no command to remove the specified profile.

[no] slot_name root-ap radio_profile_name
    Sets the specified radio to work as a root AP and specifies the radio profile the radio is to use.
    A root AP supports the wireless connections with other APs (in repeater mode) to form a ZyMesh to extend its wireless network.
    Use the no command to remove the specified profile.

[no] slot_name zymesh-profile zymesh_profile_name
    Sets the ZyMesh profile the radio (in root AP or repeater mode) uses to connect to a root AP or repeater.
    Use the no command to remove the specified profile.

description description
    Sets a description for this group. You can use up to 31 characters, spaces and underscores allowed.
    Use the no command to remove the specified description.

exit
    Exits configuration mode for this profile.

[no] force vlan
    Sets the Zyxel Device to change the AP’s management VLAN to match the configuration in this profile.
    Use the no command to not change the AP’s management VLAN setting.
[no] lan-provision model {nwa5301-nj | wac6502d-e | wac6502d-s | wac6503d-s | wac6553d-e} ap_lan_port activate pvid <1..4094>
    Sets the model of the managed AP, enables the model-specific LAN port and configures the port VLAN ID.
    Use the no command to remove the specified port and VLAN settings.
    ap_lan_port: the Ethernet LAN port on the managed AP, such as lan1 or lan2.

[no] lan-provision model {nwa5301-nj | wac6502d-e | wac6502d-s | wac6503d-s | wac6553d-e} ap_lan_port inactivate pvid <1..4094>
    Sets the model of the managed AP, disables the model-specific LAN port and configures the port VLAN ID.
    Use the no command to remove the specified port and VLAN settings.
    ap_lan_port: the Ethernet LAN port on the managed AP, such as lan1 or lan2.

[no] lan-provision model {nwa5301-nj | wac6502d-e | wac6502d-s | wac6503d-s | wac6553d-e} vlan_interface activate vid <1..4094> join ap_lan_port {tag | untag} [ap_lan_port {tag | untag}] [ap_lan_port {tag | untag}]
    Sets the model of the managed AP, enables a VLAN and configures the VLAN ID. It also sets the Ethernet port(s) on the managed AP to be a member of the VLAN, and sets the port(s) to send packets with or without a VLAN tag.
    Use the no command to remove the specified port and VLAN settings.
    vlan_interface: the name of the VLAN, such as vlan0.
    ap_lan_port: the Ethernet LAN port on the managed AP, such as lan1 or lan2.

[no] lan-provision model {nwa5301-nj | wac6502d-e | wac6502d-s | wac6503d-s | wac6553d-e} vlan_interface inactivate vid <1..4094> join ap_lan_port {tag | untag} [ap_lan_port {tag | untag}] [ap_lan_port {tag | untag}]
    Sets the model of the managed AP, disables a VLAN and configures the VLAN ID. It also sets the Ethernet port(s) on the managed AP to be a member of the VLAN, and sets the port(s) to send packets with or without a VLAN tag.
    Use the no command to remove the specified port and VLAN settings.
    vlan_interface: the name of the VLAN, such as vlan0.
    ap_lan_port: the Ethernet LAN port on the managed AP, such as lan1 or lan2.

[no] load-balancing [slot1 | slot2] activate
    Enables load balancing. Use the no parameter to disable it.
    Optionally specify a radio slot.

load-balancing [slot1 | slot2] alpha <1..255>
    Sets the load balancing alpha value.
    When the AP is balanced, then this setting delays a client’s association with it by this number of seconds.
    Note: This parameter has been optimized for the Zyxel Device and should not be changed unless you have been specifically directed to do so by Zyxel support.

load-balancing [slot1 | slot2] beta <1..255>
    Sets the load balancing beta value.
    When the AP is overloaded, then this setting delays a client’s association with it by this number of seconds.
    Note: This parameter has been optimized for the Zyxel Device and should not be changed unless you have been specifically directed to do so by Zyxel support.
load-balancing [slot1 | slot2] kickInterval <1..255>
    Enables the kickout feature for load balancing and also sets the kickout interval in seconds. While load balancing is enabled, the AP periodically disconnects stations at intervals equal to this setting.
    This occurs until the load balancing threshold is no longer exceeded.

[no] load-balancing [slot1 | slot2] kickout
    Enables an overloaded AP to disconnect (“kick”) idle clients or clients with noticeably weak connections.

load-balancing [slot1 | slot2] liInterval <1..255>
    Sets the interval in seconds that each AP communicates with the other APs in its range for calculating the load balancing algorithm.
    Note: This parameter has been optimized for the Zyxel Device and should not be changed unless you have been specifically directed to do so by Zyxel support.

load-balancing [slot1 | slot2] max sta <1..127>
    If load balancing by the number of stations/wireless clients, this sets the maximum number of devices allowed to connect to a load-balanced AP.

load-balancing mode [slot1 | slot2] {station | traffic | smart-classroom}
    Enables load balancing based on either number of stations (also known as wireless clients) or wireless traffic on an AP.
    station or traffic: once the threshold is crossed (either the maximum station numbers or with network traffic), the AP delays association request and authentication request packets from any new station that attempts to make a connection.
    smart-classroom: the AP ignores association request and authentication request packets from any new station when the maximum number of stations is reached.

load-balancing [slot1 | slot2] sigma <51..100>
    Sets the load balancing sigma value.
    This value is an algorithm parameter used to calculate whether an AP is considered overloaded, balanced, or underloaded. It only applies to ‘by traffic mode’.
    Note: This parameter has been optimized for the Zyxel Device and should not be changed unless you have been specifically directed to do so by Zyxel support.

load-balancing [slot1 | slot2] timeout <1..255>
    Sets the length of time that an AP retains load balancing information it receives from other APs within its range.

load-balancing [slot1 | slot2] traffic level {high | low | medium}
    If load balancing by traffic threshold, this sets the traffic threshold level.

vlan <1..4094> {tag | untag}
    Sets the management VLAN ID for the AP(s) in this group as well as whether packets sent to and from that VLAN ID are tagged or untagged.

show ap-group first-priority
    Displays the name of the default AP group profile.

show ap-group-profile {all | ap_group_profile_name}
    Displays the settings of the AP group profile(s).
    all: Displays all profiles.
    ap_group_profile_name: Displays the specified profile.
show ap-group-profile ap_group_profile_name load-balancing config
    Displays the load balancing configuration of the specified AP group profile.

show ap-group-profile ap_group_profile_name lan-provision interface {all | vlan | ethernet | ap_lan_port | vlan_interface} model {nwa5301-nj | wac6502d-e | wac6502d-s | wac6503d-s | wac6553d-e}
    Displays the LAN port and/or VLAN settings on the managed AP which is in the specified AP group and of the specified model.
    vlan_interface: the name of the VLAN, such as vlan0.
    ap_lan_port: the Ethernet LAN port on the managed AP, such as lan1 or lan2.

show ap-group-profile ap_group_profile_name lan-provision model
    Shows the model name of the managed AP which belongs to the specified AP group.

show ap-group-profile rule_count
    Displays how many AP group profiles have been configured on the Zyxel Device.

ap-group-profile rename ap_group_profile_name1 ap_group_profile_name2
    Gives an existing AP group profile (ap_group_profile_name1) a new name (ap_group_profile_name2).
8.2.1 AP Group Examples
The following example shows you how to create an AP group profile (named “TEST”) and configure the AP’s first radio to work in repeater mode using the “default” radio profile and the “ZyMesh_TEST” ZyMesh profile. It also adds the AP with the MAC address 00:a0:c5:01:23:45 to this AP group.
Router(config)# ap-group-profile TEST
Router(config-ap-group TEST)# slot1 repeater-ap default
Router(config-ap-group TEST)# exit
Router(config)# ap-group-member TEST member 00:a0:c5:01:23:45
Router(config)#
The following example shows you how to create an AP group profile (named GP1) and configure AP load balancing in "by station" mode. The maximum number of stations is set to 1.
Router(config)# ap-group-profile GP1
Router(config-ap-group GP1)# load-balancing mode station
Router(config-ap-group GP1)# load-balancing max sta 1
Router(config-ap-group GP1)# exit
Router(config)# show ap-group-profile GP1 load-balancing config
AP Group Profile:GP1 load balancing config:
Activate: yes
Kickout: no
Mode: station
Max-sta: 1
Traffic-level: high
Alpha: 5
Beta: 10
Sigma: 60
Timeout: 20
LIInterval: 10
KickoutInterval: 20
Router(config)#
The following example shows you how to create an AP group profile (named GP2) and configure AP load balancing in "by traffic" mode. The traffic level is set to low, and "disassociate station" is enabled.
Router(config)# ap-group-profile GP2
Router(config-ap-group GP2)# load-balancing mode traffic
Router(config-ap-group GP2)# load-balancing traffic level low
Router(config-ap-group GP2)# load-balancing kickout
Router(config-ap-group GP2)# exit
Router(config)# show ap-group-profile GP2 load-balancing config
AP Group Profile:GP2 load balancing config:
Activate: yes
Kickout: yes
Mode: traffic
Max-sta: 1
Traffic-level: low
Alpha: 5
Beta: 10
Sigma: 60
Timeout: 20
LIInterval: 10
KickoutInterval: 20
Router(config)#
The following example shows the settings and status of the VLAN(s) configured for the managed APs (NWA5301-NJ) in the default AP group.
Router(config)# show ap-group-profile default lan-provision interface vlan model nwa5301-nj
No.  Name    Active  VID  Member
===========================================================================
1    vlan0   yes     1    lan1,lan2,lan3
Router(config)# show ap-group-profile default lan-provision interface vlan0 model nwa5301-nj
active: yes
interface name: vlan0
VID: 1
member: lan1&lan2&lan3
lan1_tag: untag
lan2_tag: untag
lan3_tag: untag
Router(config)#
The following example shows the status of Ethernet ports for the managed APs (NWA5301-NJ) in the default AP group. It also shows whether the lan1 port is enabled and what the port’s VLAN ID is.
Router(config)# show ap-group-profile default lan-provision interface ethernet model nwa5301-nj
No.  Name    Active  PVID
===========================================================================
1    uplink  yes     n/a
2    lan1    yes     1
3    lan2    yes     1
4    lan3    yes     1
Router(config)# show ap-group-profile default lan-provision interface lan1 model nwa5301-nj
Name    Active  PVID
===========================================================================
lan1    yes     1
Router(config)#
CHAPTER 9

Wireless LAN Profiles

This chapter shows you how to configure wireless LAN profiles on your Zyxel Device.

9.1 Wireless LAN Profiles Overview

The managed Access Points designed to work explicitly with your Zyxel Device do not have on-board configuration files, so you must create “profiles” to manage them. Profiles are preset configurations that are uploaded to the APs and which manage them. They include: Radio and Monitor profiles, SSID profiles, Security profiles, and MAC Filter profiles. Altogether, these profiles give you absolute control over your wireless network.

9.2 AP Radio & Monitor Profile Commands

The radio profile commands allow you to set up configurations for the radios onboard your various APs. The monitor profile commands allow you to set up monitor mode configurations that allow your APs to scan for other APs in the vicinity.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 17 Input Values for General Radio and Monitor Profile Commands
LABEL DESCRIPTION
radio_profile_name
    The radio profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

monitor_profile_name
    The monitor profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

interval
    Enters the dynamic channel selection interval time. The range is 10 ~ 1440 minutes.

wlan_role
    Sets the wireless LAN radio operating mode. At the time of writing, you can use ap for Access Point.

wireless_channel_2g
    Sets the 2 GHz channel used by this radio profile. The channel range is 1 ~ 14.
    Note: Your choice of channel may be restricted by regional regulations.

wireless_channel_5g
    Sets the 5 GHz channel used by this radio profile. The channel range is 36 ~ 165.
    Note: Your choice of channel may be restricted by regional regulations.

wlan_htcw
    Sets the HT channel width. Select either 20, 20/40 or 20/40/80.
wlan_htgi
    Sets the HT guard interval. Select either long or short.

chain_mask
    Sets the network traffic chain mask. The range is 1 ~ 7.

wlan_power
    Sets the radio output power.

scan_method
    Sets the radio’s scan method while in Monitor mode. Select manual or auto.

wlan_interface_index
    Sets the radio interface index number. The range is 1 ~ 8.

ssid_profile
    Sets the associated SSID profile name. This name must be an existing SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

The following table describes the commands available for radio and monitor profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 18 Command Summary: Radio Profile
COMMAND DESCRIPTION
show wlan-radio-profile {all | radio_profile_name}
    Displays the radio profile(s).
    all: Displays all profiles.
    radio_profile_name: Displays the specified profile.

wlan-radio-profile rename radio_profile_name1 radio_profile_name2
    Gives an existing radio profile (radio_profile_name1) a new name (radio_profile_name2).

[no] wlan-radio-profile radio_profile_name
    Enters configuration mode for the specified radio profile. Use the no parameter to remove the specified profile.

2g-channel wireless_channel_2g
    Sets the broadcast band for this profile in the 2.4 GHz frequency range. The default is 6.

5g-channel wireless_channel_5g
    Sets the broadcast band for this profile in the 5 GHz frequency range. The default is 36.

2g-multicast-speed wlan_2g_support_speed
    When you disable multicast to unicast, use this command to set the data rate { 1.0 | 2.0 | … } in Mbps for 2.4 GHz multicast traffic.

5g-multicast-speed wlan_5g_basic_speed
    When you disable multicast to unicast, use this command to set the data rate { 6.0 | 9.0 | … } in Mbps for 5 GHz multicast traffic.

[no] activate
    Makes this profile active or inactive.
band {2.4G | 5G} band-mode {bg | bgn | a | ac | an | bgnax | anacax}
    Sets the radio band (2.4 GHz or 5 GHz) and band mode for this profile. Band mode details:
    For 2.4 GHz, bg lets IEEE 802.11b and IEEE 802.11g clients associate with the AP.
    For 2.4 GHz, bgn lets IEEE 802.11b, IEEE 802.11g, and IEEE 802.11n clients associate with the AP.
    For 2.4 GHz, bgnax lets IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, and IEEE 802.11ax clients associate with the AP.
    For 5 GHz, a lets only IEEE 802.11a clients associate with the AP.
    For 5 GHz, ac lets IEEE 802.11a, IEEE 802.11n, and IEEE 802.11ac clients associate with the AP.
    For 5 GHz, an lets IEEE 802.11a and IEEE 802.11n clients associate with the AP.
    For 5 GHz, anacax lets IEEE 802.11a, IEEE 802.11n, IEEE 802.11ac, and IEEE 802.11ax clients associate with the AP.

bss-color <0~63>
    Sets the BSS color of the AP, which distinguishes it from other nearby APs when they transmit over the same channel. Set it to 0 to automatically assign a BSS color.

[no] disable-bss-color
    Disables BSS coloring. Use the no command to enable BSS coloring.

beacon-interval <40..1000>
    Sets the beacon interval for this profile.
    When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low-power mode before waking up to handle the beacon. This value can be set from 40ms to 1000ms. A high value helps save current consumption of the access point.
    The default is 100.

country-code country_code
    Sets the country where the Zyxel Device is located/installed.
    The available channels vary depending on the country you selected. Be sure to select the correct/same country for both radios on an AP and all connected APs, in order to prevent roaming failure and interference to other systems.
    country_code: 2-letter country-codes, such as TW, DE, or FR.

[no] dcs activate
    Starts dynamic channel selection to automatically find a less-used channel in an environment where there are many APs and there may be interference. Use the no parameter to turn it off.

dcs 2g-selected-channel 2.4g_channels
    Specifies the channels that are available in the 2.4 GHz band when you manually configure the channels an AP can use.

dcs 5g-selected-channel 5g_channels
    Specifies the channels that are available in the 5 GHz band when you manually configure the channels an AP can use.

dcs dcs-2g-method {auto|manual}
    Sets the AP to automatically search for available channels or manually configure the channels the AP uses in the 2.4 GHz band.
dcs dcs-5g-method {auto|manual}
    Sets the AP to automatically search for available channels or manually configure the channels the AP uses in the 5 GHz band.
dcs client-aware {enable|disable}
    When enabled, this ensures that an AP will not change channels as long as a client is connected to it. If disabled, the AP may change channels regardless of whether it has clients connected to it or not.
dcs channel-deployment {3-channel|4-channel}
    Sets either a 3-channel deployment or a 4-channel deployment.
    In a 3-channel deployment, the AP running the scan alternates between the following channels: 1, 6, and 11.
    In a 4-channel deployment, the AP running the scan alternates between the following channels: 1, 4, 7, and 11 (FCC) or 1, 5, 9, and 13 (ETSI).
    Sets the option that is applicable to your region. (Channel deployment may be regulated differently between countries and locales.)
dcs dfs-aware {enable|disable}
    Enable this to allow an AP to avoid phase DFS channels below the 5 GHz spectrum.
dcs mode {interval|schedule}
    Sets the AP to use DCS at the end of the specified time interval or at a specific time on selected days of the week.
dcs schedule <hh:mm> {mon|tue|wed|thu|fri|sat|sun}
    Sets what time of day (in 24-hour format) the AP starts to use DCS on the specified day(s) of the week.
dcs sensitivity-level {high|medium|low}
    Sets how sensitive DCS is to radio channel changes in the vicinity of the AP running the scan.
dcs time-interval interval
    Sets the interval that specifies how often DCS should run.
[no] nol-channel-block
    Enables or disables temporary DFS channel blacklisting. If enabled, the AP will block a DFS channel if it detects a radar signal within that range.
[no] disable-dfs-switch
    Makes the DFS switch active or inactive. By default this is inactive.
[no] dot11n-disable-coexistence
    Fixes the channel bandwidth as 40 MHz. The no command has the AP automatically choose 40 MHz if all the clients support it or 20 MHz if some clients only support 20 MHz.
[no] ctsrts <0..2347>
    Sets or removes the RTS/CTS value for this profile.
    Use RTS/CTS to reduce data collisions on the wireless network if you have wireless clients that are associated with the same AP but out of range of one another. When enabled, a wireless client sends an RTS (Request To Send) and then waits for a CTS (Clear To Send) before it transmits. This stops wireless clients from transmitting packets at the same time (and causing data collisions).
    A wireless client sends an RTS for all packets larger than the number (of bytes) that you enter here. Set the RTS/CTS equal to or higher than the fragmentation threshold to turn RTS/CTS off.
    The default is 2347.
[no] frag <256..2346>
    Sets or removes the fragmentation value for this profile.
    The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent.
    The default is 2346.
dtim-period <1..255>
    Sets the DTIM period for this profile.
    Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. This value can be set from 1 to 255.
    The default is 1.
[no] ampdu
    Activates MPDU frame aggregation for this profile. Use the no parameter to disable it.
    Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates.
    By default this is enabled.
limit-ampdu <100..65535>
    Sets the maximum frame size to be aggregated.
    By default this is 50000.
subframe-ampdu <2..64>
    Sets the maximum number of frames to be aggregated each time.
    By default this is 32.
[no] amsdu
    Activates MPDU frame aggregation for this profile. Use the no parameter to disable it.
    Mac Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header. This method is useful for increasing bandwidth throughput. It is also more efficient than A-MPDU except in environments that are prone to high error rates.
    By default this is enabled.
limit-amsdu <2290..4096>
    Sets the maximum frame size to be aggregated.
    The default is 4096.
[no] multicast-to-unicast
    “Multicast to unicast” broadcasts wireless multicast traffic to all wireless clients as unicast traffic to provide more reliable transmission. The data rate changes dynamically based on the application’s bandwidth requirements. Although unicast provides more reliable transmission of the multicast traffic, it also produces duplicate packets.
    The no command turns multicast to unicast off to send wireless multicast traffic at the rate you specify with the 2g-multicast-speed or 5g-multicast-speed command.
[no] block-ack
    Makes block-ack active or inactive. Use the no parameter to disable it.
ch-width wlan_htcw
    Sets the channel width for this profile.
guard-interval wlan_htgi
    Sets the guard interval for this profile. The default for this is short.
[no] htprotect
    Activates HT protection for this profile. Use the no parameter to disable it.
    By default, this is disabled.
output-power wlan_power
    Sets the output power (between 0 to 30 dBm) for the radio in this profile.
role wlan_role
    Sets the profile’s wireless LAN radio operating mode.
rssi-dbm <-20~-76>
    When using the RSSI threshold, set a minimum client signal strength for connecting to the AP. -20 dBm is the strongest signal you can require and -76 is the weakest.
rssi-kickout <-20~-105>
    Sets a minimum kick-off signal strength. When a wireless client’s signal strength is lower than the specified threshold, the Zyxel Device disconnects the wireless client from the AP.
    -20 dBm is the strongest signal you can require and -105 is the weakest.
[no] rssi-retry
    Allows a wireless client to try to associate with the AP again after it is disconnected due to weak signal strength.
    Use the no parameter to disallow it.
rssi-retrycount <1~100>
    Sets the maximum number of times a wireless client can attempt to re-connect to the AP.
[no] rssi-thres
    Sets whether or not to use the Received Signal Strength Indication (RSSI) threshold to ensure wireless clients receive good throughput. This allows only wireless clients with a strong signal to connect to the AP.
[no] ssid-profile wlan_interface_index ssid_profile
    Assigns an SSID profile to this radio profile. Requires an existing SSID profile. Use the no parameter to disable it.
tx-mask chain_mask
    Sets the outgoing chain mask rate.
rx-mask chain_mask
    Sets the incoming chain mask rate.
exit
    Exits configuration mode for this profile.
storm-control ethernet ap mac_address
    Enters the storm control sub-command mode for the specified AP.
[no] broadcast
    Enables or disables broadcast storm control, which drops broadcast packets from ingress traffic if the traffic rate exceeds the configured maximum rate.
broadcast pps <1~10000>
    Sets the maximum rate for broadcast traffic before storm control starts dropping broadcast packets.
[no] multicast
    Enables or disables multicast storm control, which drops multicast packets from ingress traffic if the traffic rate exceeds the configured maximum rate.
multicast pps <1~10000>
    Sets the maximum rate for multicast traffic before storm control starts dropping multicast packets.
exit
    Exits configuration mode for this profile.
no storm-control ethernet ap mac_address
    Disables broadcast and multicast storm control, and removes all storm control settings for the specified AP.
show storm-control ethernet ap mac_address
    Displays broadcast/multicast storm control settings on the specified AP.
show wlan-monitor-profile {all | monitor_profile_name}
    Displays all monitor profiles or just the specified one.
wlan-monitor-profile rename monitor_profile_name1 monitor_profile_name2
    Gives an existing monitor profile (monitor_profile_name1) a new name (monitor_profile_name2).
[no] wlan-monitor-profile monitor_profile_name
    Enters configuration mode for the specified monitor profile. Use the no parameter to remove the specified profile.
[no] activate
    Makes this profile active or inactive. By default, this is enabled.
country-code country_code
    Sets the country where the Zyxel Device is located/installed.
    The available channels vary depending on the country you selected. Be sure to select the correct/same country for both radios on an AP and all connected APs, in order to prevent roaming failure and interference to other systems.
    country_code: 2-letter country-codes, such as TW, DE, or FR.
scan-method scan_method
    Sets the channel scanning method for this profile.
[no] 2g-scan-channel wireless_channel_2g
    Sets the broadcast band for this profile in the 2.4 GHz frequency range. Use the no parameter to disable it.
[no] 5g-scan-channel wireless_channel_5g
    Sets the broadcast band for this profile in the 5 GHz frequency range. Use the no parameter to disable it.
scan-dwell <100..1000>
    Sets the duration in milliseconds that the device using this profile scans each channel.
exit
    Exits configuration mode for this profile.
9.2.1 AP Radio & Monitor Profile Commands Example
The following example shows you how to set up the radio profile named ‘RADIO01’, activate it, and configure it to use the following settings:
• 2.4G band with channel 6
• channel width of 20MHz
• a DTIM period of 2
• a beacon interval of 100ms
• AMPDU frame aggregation enabled
• an AMPDU buffer limit of 65535 bytes
• an AMPDU subframe limit of 64 frames
• AMSDU frame aggregation enabled
• an AMSDU buffer limit of 4096
• block acknowledgement enabled
• a short guard interval
• an output power of 100%
It will also assign the SSID profile labeled ‘default’ in order to create WLAN VAP (wlan-1-1) functionality within the radio profile.
Router(config)# wlan-radio-profile RADIO01
Router(config-profile-radio)# activate
Router(config-profile-radio)# band 2.4G band-mode bgn
Router(config-profile-radio)# 2g-channel 6
Router(config-profile-radio)# ch-width 20/40
Router(config-profile-radio)# dtim-period 2
Router(config-profile-radio)# beacon-interval 100
Router(config-profile-radio)# ampdu
Router(config-profile-radio)# limit-ampdu 65535
Router(config-profile-radio)# subframe-ampdu 64
Router(config-profile-radio)# amsdu
Router(config-profile-radio)# limit-amsdu 4096
Router(config-profile-radio)# block-ack
Router(config-profile-radio)# guard-interval short
Router(config-profile-radio)# tx-mask 5
Router(config-profile-radio)# rx-mask 7
Router(config-profile-radio)# output-power 21dBm
Router(config-profile-radio)# ssid-profile 1 default

9.3 SSID Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 19 Input Values for General SSID Profile Commands
LABEL
    DESCRIPTION
ssid_profile_name
    The SSID profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
ssid
    The SSID broadcast name. You may use 1-32 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
wlan_qos
    Sets the type of QoS the SSID should use.
    disable: Turns off QoS for this SSID.
    wmm: Turns on QoS for this SSID. It automatically assigns Access Categories to packets as the device inspects them in transit.
    wmm_be: Assigns the “best effort” Access Category to all traffic moving through the SSID regardless of origin.
    wmm_bk: Assigns the “background” Access Category to all traffic moving through the SSID regardless of origin.
    wmm_vi: Assigns the “video” Access Category to all traffic moving through the SSID regardless of origin.
    wmm_vo: Assigns the “voice” Access Category to all traffic moving through the SSID regardless of origin.
vlan_iface
    The VLAN interface name of the controller (in this case, it is Zyxel Device). The maximum VLAN interface number is product-specific; for the Zyxel Device, the number is 512.
securityprofile
    Assigns an existing security profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
macfilterprofile
    Assigns an existing MAC filter profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
description2
    Sets the description of the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
The following table describes the commands available for SSID profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 20 Command Summary: SSID Profile
COMMAND
    DESCRIPTION
show wlan-ssid-profile {all | ssid_profile_name}
    Displays the SSID profile(s).
    all: Displays all profiles for the selected operating mode.
    ssid_profile_name: Displays the specified profile for the selected operating mode.
wlan-ssid-profile rename ssid_profile_name1 ssid_profile_name2
    Gives an existing SSID profile (ssid_profile_name1) a new name (ssid_profile_name2).
[no] wlan-ssid-profile ssid_profile_name
    Enters configuration mode for the specified SSID profile. Use the no parameter to remove the specified profile.
[no] bandselect balance-ratio <1..8>
    Sets a ratio of the wireless clients using the 5 GHz band to the wireless clients using the 2.4 GHz band. Use the no parameter to turn off this feature.
bandselect check-sta-interval <1..60000>
    Sets how often (in seconds) the AP checks and deletes old wireless client data.
bandselect drop-authentication <1..16>
    Sets how many authentication requests from a client to a 2.4GHz Wi-Fi network are ignored during the specified timeout period.
bandselect drop-probe-request <1..32>
    Sets how many probe requests from a client to a 2.4GHz Wi-Fi network are ignored during the specified timeout period.
bandselect min-sort-interval <1..60000>
    Sets the minimum interval (in seconds) at which the AP sorts the wireless client data when the client queue is full.
bandselect mode {disable | force | standard}
    To improve network performance and avoid interference in the 2.4 GHz frequency band, you can enable this feature to use the 5 GHz band first. You should set 2.4GHz and 5 GHz radio profiles to use the same SSID and security settings.
    Note: The managed APs must be dual-band capable.
    disable: to turn off this feature.
    force: to have the wireless clients always connect to an SSID using the 5 GHz band. Connections to an SSID using the 2.4GHz band are not allowed. It is recommended you select this option when the AP and wireless clients can function in either frequency band.
    standard: to have the AP try to connect the wireless clients to the same SSID using the 5 GHz band. Connections to an SSID using the 2.4GHz band are still allowed.
[no] bandselect stop-threshold <10..20>
    Sets the threshold number of the connected wireless clients at which the AP disables the band select feature. Use the no parameter to turn off this feature.
bandselect time-out-force <1..255>
    Sets the timeout period (in seconds) within which the AP accepts probe or authentication requests to a 2.4GHz Wi-Fi network when the band select mode is set to force.
bandselect time-out-period <1..255>
    Sets the timeout period (in seconds) within which the AP drops the specified number of probe or authentication requests to a 2.4GHz Wi-Fi network.
bandselect time-out-standard <1..255>
    Sets the timeout period (in seconds) within which the AP accepts probe or authentication requests to a 2.4GHz Wi-Fi network when the band select mode is set to standard.
[no] block-intra
    Enables intra-BSSID traffic blocking. Use the no parameter to disable it in this profile.
    By default this is disabled.
data-forward localbridge
    Sets the data forwarding mode used by the SSID to localbridge mode.
    In this mode, all of the wireless station’s traffic is routed through the associated AP’s gateway and tagged with the VLAN ID set by command vlan-id.
    This is the default data forwarding mode.
data-forward tunnel interface
    Sets the data forwarding mode used by the SSID to tunnel mode.
    In this mode, all of the wireless station’s traffic is routed through the Zyxel Device via the specified interface.
    Note: The interface must be a VLAN or internal Ethernet interface. The interface cannot be a member of a bridge.
downlink-rate-limit data_rate
    Sets the maximum incoming transmission data rate (either in mbps or kbps) on a per-station basis.
[no] hide
    Prevents the SSID from being publicly broadcast. Use the no parameter to re-enable public broadcast of the SSID in this profile.
    By default this is disabled.
[no] macfilter macfilterprofile
    Assigns the specified MAC filtering profile to this SSID profile. Use the no parameter to remove it.
    By default, no MAC filter is assigned.
qos wlan_qos
    Sets the type of QoS used by this SSID.
security securityprofile
    Assigns the specified security profile to this SSID profile.
ssid
    Sets the SSID. This is the name visible on the network to wireless clients. Enter up to 32 characters, spaces and underscores are allowed.
    The default SSID is ‘ZyXEL’.
[no] ssid-schedule
    Enables the SSID schedule. Use the no parameter to disable the SSID schedule.
{mon|tue|wed|thu|fri|sat|sun} {disable | enable} <hh:mm> <hh:mm>
    Sets whether the SSID is enabled or disabled on each day of the week. This also specifies the hour and minute (in 24-hour format) to set the time period of each day during which the SSID is enabled/enabled.
    <hh:mm> <hh:mm>: If you set both start time and end time to 00:00, it indicates a whole day event.
    Note: The end time must be larger than the start time.
uplink-rate-limit data_rate
    Sets the maximum outgoing transmission data rate (either in mbps or kbps) on a per-station basis.
vlan-id <1..4094>
    Applies to each SSID profile that uses localbridge. If the VLAN ID is equal to the AP’s native VLAN ID then traffic originating from the SSID is not tagged.
    The default VLAN ID is 1.
exit
    Exits configuration mode for this profile.
9.3.1 SSID Profile Example
The following example creates an SSID profile with the name ‘ZyXEL’. It makes the assumption that both the security profile (SECURITY01) and the MAC filter profile (MACFILTER01) already exist.
Router(config)# wlan-ssid-profile SSID01
Router(config-ssid-radio)# ssid ZyXEL
Router(config-ssid-radio)# qos wmm
Router(config-ssid-radio)# data-forward localbridge
Router(config-ssid-radio)# security SECURITY01
Router(config-ssid-radio)# macfilter MACFILTER01
Router(config-ssid-radio)# exit
Router(config)#

9.4 Security Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 21 Input Values for General Security Profile Commands
LABEL
    DESCRIPTION
security_profile_name
    The security profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
wep_key
    Sets the WEP key encryption strength. Select either 64bit or 128bit.
wpa_key
    Sets the WPA/WPA2 pre-shared key in ASCII. You may use 8~63 alphanumeric characters. This value is case-sensitive.
wpa_key_64
    Sets the WPA/WPA2 pre-shared key in HEX. You must use 64 alphanumeric characters.
secret
    Sets the shared secret used by your network’s RADIUS server.
auth_method
    The authentication method used by the security profile.
The following table describes the commands available for security profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 22 Command Summary: Security Profile
COMMAND
    DESCRIPTION
show wlan-security-profile {all | security_profile_name}
    Displays the security profile(s).
    all: Displays all profiles for the selected operating mode.
    security_profile_name: Displays the specified profile for the selected operating mode.
wlan-security-profile rename security_profile_name1 security_profile_name2
    Gives existing security profile (security_profile_name1) a new name, (security_profile_name2).
[no] wlan-security-profile security_profile_name
    Enters configuration mode for the specified security profile. Use the no parameter to remove the specified profile.
[no] accounting interim-interval <1..1440>
    Sets the time interval for how often the AP is to send an interim update message with current client statistics to the accounting server. Use the no parameter to clear the interval setting.
[no] accounting interim-update
    Sets the AP to send accounting update messages to the accounting server at the specified interval. Use the no parameter to disable it.
description description
    Sets the description for the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
[no] dot11r activate
    Turns on IEEE 802.11r fast roaming on the AP. Use the no parameter to turn it off.
[no] dot11r over-the-ds activate
    Sets the clients to communicate with the target AP through the current AP. The communication between the client and the target AP is carried in frames between the client and the current AP, and is then sent to the target AP through the wired Ethernet connection.
    Use the no parameter to have the clients communicate directly with the target AP.
[no] dot1x-eap
    Enables 802.1x secure authentication. Use the no parameter to disable it.
[no] dot11w
    Data frames in 802.11 WLANs can be encrypted and authenticated with WEP, WPA or WPA2. But 802.11 management frames, such as beacon/probe response, association request, association response, de-authentication and disassociation are always unauthenticated and unencrypted. IEEE 802.11w Protected Management Frames allows APs to use the existing security mechanisms (encryption and authentication methods defined in IEEE 802.11i WPA/WPA2) to protect management frames. This helps prevent wireless DoS attacks.
    Enables management frame protection (MFP) to add security to 802.11 management frames. Use the no parameter to disable it.
dot11w-op <1..2>
    Sets whether wireless clients have to support management frame protection in order to access the wireless network.
    1: if you do not require the wireless clients to support MFP. Management frames will be encrypted if the clients support MFP.
    2: wireless clients must support MFP in order to join the AP’s wireless network.
eap {external | internal auth_method}
    Sets the 802.1x authentication method.
group-key <30..30000>
    Sets the interval (in seconds) at which the AP updates the group WPA/WPA2 encryption key.
    The default is 3000.
idle <30..30000>
    Sets the idle interval (in seconds) that a client can be idle before authentication is discontinued.
    The default is 300.
[no] internal-eap-proxy activate
    Allows the Zyxel Device to act as a proxy server and forward the authentication packets to the connected RADIUS server.
    Use the no parameter to disable it.
[no] mac-auth activate
    MAC authentication has the AP use an external server to authenticate wireless clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails. The no parameter turns it off.
    RADIUS servers can require the MAC address in the wireless client’s account (username/password) or Calling Station ID RADIUS attribute.
mac-auth auth-method auth_method
    Sets the authentication method for MAC authentication.
mac-auth case account {upper | lower}
    Sets the case (upper or lower) the external server requires for using MAC addresses as the account username and password.
    For example, use mac-auth case account upper and mac-auth delimiter account dash if you need to use a MAC address formatted like 00-11-AC-01-A0-11 as the username and password.
mac-auth case calling-station-id {upper | lower}
    Sets the case (upper or lower) the external server requires for letters in MAC addresses in the Calling Station ID RADIUS attribute.
mac-auth delimiter account {colon | dash | none}
    Specify the separator the external server uses for the two-character pairs within MAC addresses used as the account username and password.
    For example, use mac-auth case account upper and mac-auth delimiter account dash if you need to use a MAC address formatted like 00-11-AC-01-A0-11 as the username and password.
mac-auth delimiter calling-station-id {colon | dash | none}
    Select the separator the external server uses for the pairs in MAC addresses in the Calling Station ID RADIUS attribute.
mode {none | enhanced-open | wep | wpa2 | wpa2-mix | wpa3}
    Sets the security mode for this profile.
[no] reauth <30..30000>
    Sets the interval (in seconds) between authentication requests. The default is 0.
[no] server-acct <1..2> activate
    Enables user accounting through an external server. Use the no parameter to disable.
server-acct <1..2> ip address ipv4_address port <1..65535> secret secret
    Sets the IPv4 address, port number and shared secret of the external accounting server.
no server-acct <1..2>
    Clears the specified user accounting setting.
[no] server-auth <1..2> activate
    Activates server authentication for the account. The no command deactivates authentication.
server-auth <1..2> ip address ipv4_address port <1..65535> secret secret
    Sets the IPv4 address, port number and shared secret of the RADIUS server to be used for authentication.
no server-auth <1..2>
    Clears the server authentication setting.
[no] transition-mode
    Enables backward compatibility when used with WPA3 or Enhanced Open security mode. WPA3 falls back to WPA2, while Enhanced Open falls back to open (none).
wep <64 | 128> default-key <1..4>
    Sets the WEP encryption strength (64 or 128) and the default key value (1 ~ 4).
    If you select WEP-64 enter 10 hexadecimal digits in the range of “A-F”, “a-f” and “0-9” (for example, 0x11AA22BB33) for each Key used; or enter 5 ASCII characters (case sensitive) ranging from “a-z”, “A-Z” and “0-9” (for example, MyKey) for each Key used.
    If you select WEP-128 enter 26 hexadecimal digits in the range of “A-F”, “a-f” and “0-9” (for example, 0x00112233445566778899AABBCC) for each Key used; or enter 13 ASCII characters (case sensitive) ranging from “a-z”, “A-Z” and “0-9” (for example, MyKey12345678) for each Key used.
    You can save up to four different keys. Enter the default-key (1 ~ 4) to save your WEP to one of those four available slots.
wep-auth-type {open | share}
    Sets the authentication key type to either open or share.
wpa-encrypt {tkip | aes | auto}
    Sets the WPA/WPA2 encryption cipher type.
    auto: This automatically chooses the best available cipher based on the cipher in use by the wireless client that is attempting to make a connection.
    tkip: This is the Temporal Key Integrity Protocol encryption method added later to the WEP encryption protocol to further secure. Not all wireless clients may support this.
    aes: This is the Advanced Encryption Standard encryption method, a newer more robust algorithm than TKIP. Not all wireless clients may support this.
wpa-psk {wpa_key | wpa_key_64}
    Sets the WPA/WPA2 pre-shared key.
[no] wpa2-preauth
    Enables pre-authentication to allow wireless clients to switch APs without having to re-authenticate their network connection. The RADIUS server puts a temporary PMK Security Authorization cache on the wireless clients. It contains their session ID and a pre-authorized list of viable APs.
    Use the no parameter to disable this.
exit
    Exits configuration mode for this profile.
9.4.1 Security Profile Example
The following example creates a security profile with the name ‘SECURITY01’.
Router(config)# wlan-security-profile SECURITY01
Router(config-security-profile)# mode wpa2
Router(config-security-profile)# wpa-encrypt aes
Router(config-security-profile)# wpa-psk 12345678
Router(config-security-profile)# idle 3600
Router(config-security-profile)# reauth 1800
Router(config-security-profile)# group-key 1800
Router(config-security-profile)# exit
Router(config)#
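The following audit script is an added example, not part of the Zyxel guide. It reads security-profile blocks written with the Table 22 commands and reports settings a reviewer would question: WEP or open mode, TKIP, a short or numeric pre-shared key such as the 12345678 above, transition mode, and management frame protection left off. The input format (one command per line, each profile closed by exit), the finding codes and the 20-character PSK threshold are assumptions made for this example.

```python
import re

# Constructed sample input: the guide's SECURITY01 example plus two hypothetical
# profiles (LEGACY01, STAFF01). Assumes one command per line, as typed at the CLI.
SAMPLE_CONFIG = """\
wlan-security-profile SECURITY01
 mode wpa2
 wpa-encrypt aes
 wpa-psk 12345678
 idle 3600
 reauth 1800
 group-key 1800
 exit
wlan-security-profile LEGACY01
 mode wep
 wep 64 default-key 1
 wep-auth-type share
 exit
wlan-security-profile STAFF01
 mode wpa2
 wpa-encrypt aes
 wpa-psk correct-horse-battery-staple-2020
 dot11w
 dot11w-op 2
 exit
"""

MIN_PSK_LEN = 20                          # local policy threshold (assumption)
HEX_PSK = re.compile(r"[0-9A-Fa-f]{64}")  # wpa_key_64 form: 64 hex characters
WPA_MODES = {"wpa2", "wpa2-mix", "wpa3"}


def parse_profiles(text):
    """Map profile name -> {first keyword: [args]}; a 'no X' line unsets X."""
    profiles, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "wlan-security-profile" and len(tokens) == 2:
            current = profiles.setdefault(tokens[1], {})
        elif tokens[0] == "exit":
            current = None
        elif current is not None:
            if tokens[0] == "no" and len(tokens) > 1:
                current.pop(tokens[1], None)
            else:
                current[tokens[0]] = tokens[1:]
    return profiles


def audit_profile(settings):
    """Return the sorted finding codes for one profile's settings."""
    findings = set()
    mode = (settings.get("mode") or ["unset"])[0]
    if mode == "unset":
        findings.add("MODE_NOT_SET")
    elif mode == "none":
        findings.add("NO_ENCRYPTION")
    elif mode == "wep":
        findings.add("WEP_MODE")
    elif mode == "wpa2-mix":
        findings.add("WPA_MIXED_MODE")    # mixed mode also admits older WPA clients

    cipher = (settings.get("wpa-encrypt") or [None])[0]
    if cipher == "tkip":
        findings.add("TKIP_CIPHER")
    elif cipher == "auto":
        findings.add("CIPHER_AUTO")       # follows the client's cipher, so TKIP is possible

    if "wpa-psk" in settings:
        psk = " ".join(settings["wpa-psk"])
        if not HEX_PSK.fullmatch(psk) and (len(psk) < MIN_PSK_LEN or psk.isdigit()):
            findings.add("WEAK_PSK")

    if "transition-mode" in settings:
        findings.add("TRANSITION_MODE")   # WPA3 -> WPA2, Enhanced Open -> open

    if mode in WPA_MODES:
        if "dot11w" not in settings:
            findings.add("MFP_OFF")       # dot11w not enabled in this fragment
        elif settings.get("dot11w-op") != ["2"]:
            findings.add("MFP_OPTIONAL")  # clients without MFP may still join
    return sorted(findings)


def audit_config(text):
    """Audit every security profile found in a configuration fragment."""
    return {name: audit_profile(s) for name, s in parse_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```
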

9.5 MAC Filter Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 23 Input Values for General MAC Filter Profile Commands
LABEL
    DESCRIPTION
macfilter_profile_name
    The MAC filter profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
description2
    Sets the description of the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
The following table describes the commands available for security profile management. You must use the
configure terminal command to enter the configuration mode before you can use these
commands.
Table 24 Command Summary: MAC Filter Profile
COMMAND
    DESCRIPTION
show wlan-macfilter-profile {all | macfilter_profile_name}
    Displays the security profile(s).
    all: Displays all profiles for the selected operating mode.
    macfilter_profile_name: Displays the specified profile for the selected operating mode.
wlan-macfilter-profile rename macfilter_profile_name1 macfilter_profile_name2
    Gives an existing security profile (macfilter_profile_name1) a new name (macfilter_profile_name2).
[no] wlan-macfilter-profile macfilter_profile_name
    Enters configuration mode for the specified MAC filter profile. Use the no parameter to remove the specified profile.
filter-action {allow | deny}
    Permits the wireless client with the MAC addresses in this profile to connect to the network through the associated SSID; select deny to block the wireless clients with the specified MAC addresses.
    The default is set to deny.
[no] sta_mac description description2
    Sets the description of the wireless client with this MAC address. Enter up to 60 characters. Spaces and underscores allowed.
exit
    Exits configuration mode for this profile.
9.5.1 MAC Filter Profile Example
The following example creates a MAC filter profile with the name ‘MACFILTER01’.
Router(config)# wlan-macfilter-profile MACFILTER01
Router(config-macfilter-profile)# filter-action deny
Router(config-macfilter-profile)# 01:02:03:04:05:06 description MAC01
Router(config-macfilter-profile)# 01:02:03:04:05:07 description MAC02
Router(config-macfilter-profile)# 01:02:03:04:05:08 description MAC03
Router(config-macfilter-profile)# exit
Router(config)#

9.6 ZyMesh Profile Commands

ZyMesh is a ZyXEL-proprietary feature. In a ZyMesh, multiple managed APs form a WDS (Wireless Distribution System) to expand the wireless network and provide services or forward traffic between the Zyxel Device and wireless clients. ZyMesh also allows the Zyxel Device to use CAPWAP to automatically update the configuration settings on the managed APs (in repeater mode) through wireless connections. The managed APs (in repeater mode) are provisioned hop by hop. The managed APs in a WDS or ZyMesh must use the same SSID, channel number and pre-shared key. A managed AP can be either a root AP or repeater in a ZyMesh.
Note: All managed APs should be connected to the Zyxel Device directly to get the configuration file before being deployed to build a ZyMesh/WDS. Ensure you restart the managed AP after you change its operating mode using the wlan-radio-profile radio_profile_name role commands.
• Root AP: a managed AP that can transmit and receive data from the Zyxel Device via a wired Ethernet connection.
• Repeater: a managed AP that transmits and/or receives data from the Zyxel Device via a wireless connection through a root AP.
Note: When managed APs are deployed to form a ZyMesh/WDS for the first time, the root AP must be connected to an AP controller (the Zyxel Device).
The maximum number of hops (the repeaters between a wireless client and the root AP) you can have in a ZyMesh varies according to how many wireless clients a managed AP can support.
Note: A ZyMesh/WDS link with more hops has lower throughput.
Note: When the wireless connection between the root AP and the repeater is up, in order to prevent bridge loops, the repeater would not be able to transmit data through its Ethernet port(s). The repeater then could only receive power from a PoE device if you use PoE to provide power to the managed AP via an 8-pin Ethernet cable.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 25 Input Values for General ZyMesh Profile Commands
LABEL DESCRIPTION
zymesh_profile_name
    The ZyMesh profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following table describes the commands available for ZyMesh profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 26 Command Summary: ZyMesh Profile
COMMAND DESCRIPTION
show zymesh ap info
    Displays the number of currently connected/offline ZyMesh APs.
show zymesh link info {repeater-ap | root-ap}
    Displays the ZyMesh/WDS traffic statistics between the managed APs. repeater-ap: the managed AP is acting as a repeater in a ZyMesh. root-ap: the managed AP is acting as a root AP in a ZyMesh.
show zymesh provision-group
    Displays the current ZyMesh Provision Group MAC address in the Zyxel Device.
show zymesh-profile {all | zymesh_profile_name}
    Displays the ZyMesh profile settings. all: Displays all profiles. zymesh_profile_name: Displays the specified profile.
zymesh-profile rename zymesh_profile_name1 zymesh_profile_name2
    Gives an existing radio profile (zymesh_profile_name1) a new name (zymesh_profile_name2).
[no] zymesh-profile zymesh_profile_name
    Enters configuration mode for the specified ZyMesh profile. Use the no parameter to remove the specified profile.
psk psk
    Sets a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters. The key is used to encrypt the wireless traffic between the APs.
ssid ssid
    Sets the SSID with which you want the managed AP to connect to a root AP or repeater to build a ZyMesh link.
    Note: The ZyMesh SSID is hidden in the outgoing beacon frame so a wireless device cannot obtain the SSID through scanning using a site survey tool.
exit
    Exits configuration mode for this profile.
zymesh provision-group ac_mac
    Enters the ZyMesh Provision Group MAC address of the primary AP controller in your network to use this Zyxel Device to replace the primary AP controller.
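The following Python helper is an added example, not part of the Zyxel guide: it checks a profile name against Table 25 and a key against the psk rule in Table 26 (including the 64-character case, which is valid only when every character is hexadecimal), generates a random 64-hex key, and returns the CLI lines for one profile. ZYMESH01 and MESH-BACKHAUL are constructed sample values; treating "ASCII characters" as printable ASCII and refusing SSIDs with spaces are assumptions of this example.

```python
import re
import secrets

# Table 25: 1-31 alphanumerics, underscores or dashes; first character not a number.
NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")
HEX64_RE = re.compile(r"[0-9A-Fa-f]{64}")


def valid_profile_name(name):
    """True when the name satisfies the zymesh_profile_name rule."""
    return NAME_RE.fullmatch(name) is not None


def classify_psk(psk):
    """Return 'hex', 'passphrase' or None (rejected) per the psk description."""
    if HEX64_RE.fullmatch(psk):
        return "hex"
    # Assumption: "ASCII characters (including spaces and symbols)" means
    # printable ASCII, 0x20 through 0x7E.
    printable = all(0x20 <= ord(ch) <= 0x7E for ch in psk)
    if printable and 8 <= len(psk) <= 63:
        return "passphrase"
    # Too short, too long, non-ASCII, or 64 characters that are not all hex.
    return None


def new_hex_psk():
    """64 hexadecimal characters carrying 256 bits from the OS CSPRNG."""
    return secrets.token_hex(32)


def render_profile(name, ssid, psk):
    """Return the CLI lines for one profile, refusing values that break the rules."""
    if not valid_profile_name(name):
        raise ValueError(f"bad profile name: {name!r}")
    if classify_psk(psk) != "hex":
        raise ValueError("this helper only emits 64-hex keys")
    if not ssid or any(ch.isspace() for ch in ssid):
        # Assumption: the guide does not show how to quote spaces, so refuse them.
        raise ValueError("SSID must be non-empty and contain no whitespace")
    return [f"zymesh-profile {name}", f"psk {psk}", f"ssid {ssid}", "exit"]


if __name__ == "__main__":
    # ZYMESH01 and MESH-BACKHAUL are constructed sample values.
    print("\n".join(render_profile("ZYMESH01", "MESH-BACKHAUL", new_hex_psk())))
```

Because the key is entered by an administrator or pushed in configuration rather than memorized, a random 64-hex value costs nothing in usability compared with a short passphrase.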
CHAPTER 10

Rogue AP

This chapter shows you how to set up Rogue Access Point (AP) detection and containment.

10.1 Rogue AP Detection Overview

Rogue APs are wireless access points operating in a network’s coverage area that are not under the control of the network’s administrators, and can potentially open holes in the network security. Attackers can take advantage of a rogue AP’s weaker (or non-existent) security to gain illicit access to the network, or set up their own rogue APs in order to capture information from wireless clients.

Conversely, a friendly AP is one that the Zyxel Device network administrator regards as non-threatening. This does not necessarily mean the friendly AP must belong to the network managed by the Zyxel Device; rather, it is any unmanaged AP within range of the Zyxel Device’s own wireless network that is allowed to operate without being contained. This can include APs from neighboring companies, for example, or even APs maintained by your company’s employees that operate outside of the established network.

10.2 Rogue AP Detection Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 27 Input Values for Rogue AP Detection Commands
LABEL DESCRIPTION
ap_mac
    Specifies the MAC address (in XX:XX:XX:XX:XX:XX format) of the AP to be added to either the rogue AP or friendly AP list. The no command removes the entry.
description2
    Sets the description of the AP. You may use 1-60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
The following table describes the commands available for rogue AP detection. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 28 Command Summary: Rogue AP Detection
COMMAND DESCRIPTION
rogue-ap detection
    Enters sub-command mode for rogue AP detection.
[no] activate
    Activates rogue AP detection. Use the no parameter to deactivate rogue AP detection.
rogue-ap ap_mac description2
    Sets the device that owns the specified MAC address as a rogue AP. You can also assign a description to this entry on the rogue AP list.
no rogue-ap ap_mac
    Removes the device that owns the specified MAC address from the rogue AP list.
friendly-ap ap_mac description2
    Sets the device that owns the specified MAC address as a friendly AP. You can also assign a description to this entry on the friendly AP list.
no friendly-ap ap_mac
    Removes the device that owns the specified MAC address from the friendly AP list.
monitoring flush
    Removes all detected APs from the rogue AP list.
exit
    Exits configuration mode for rogue AP detection.
show rogue-ap detection monitoring
    Displays a table of detected APs and information about them, such as their MAC addresses, when they were last seen, and their SSIDs, to name a few.
show rogue-ap detection list {rogue | friendly | all}
    Displays the specified rogue/friendly/all AP list.
show rogue-ap detection status
    Displays whether rogue AP detection is on or off.
show rogue-ap detection info
    Displays a summary of the number of detected devices from the following categories: rogue, friendly, ad-hoc, unclassified, and total.
10.2.1 Rogue AP Detection Examples
This example sets the device associated with MAC address 00:13:49:11:11:11 as a rogue AP, and the device associated with MAC address 00:13:49:11:11:22 as a friendly AP. It then removes MAC address 00:13:49:11:11:11 from the rogue AP list with the assumption that it was misidentified.
Router(config)# rogue-ap detection
Router(config-detection)# rogue-ap 00:13:49:11:11:11 rogue
Router(config-detection)# friendly-ap 00:13:49:11:11:22 friendly
Router(config-detection)# no rogue-ap 00:13:49:11:11:11
Router(config-detection)# exit
This example displays the rogue AP detection list.
Router(config)# show rogue-ap detection list rogue
no.  mac                description                      contain
===========================================================================
1    00:13:49:18:15:5A                                   0
This example shows the friendly AP detection list.
Router(config)# show rogue-ap detection list friendly
no.  mac                description
===========================================================================
1    11:11:11:11:11:11  third floor
2    00:13:49:11:22:33
3    00:13:49:00:00:05
4    00:13:49:00:00:01
5    00:0D:0B:CB:39:33  dept1
This example shows the combined rogue and friendly AP detection list.
Router(config)# show rogue-ap detection list all
no.  role         mac                description
===========================================================================
1    friendly-ap  11:11:11:11:11:11  third floor
2    friendly-ap  00:13:49:11:22:33
3    friendly-ap  00:13:49:00:00:05
4    friendly-ap  00:13:49:00:00:01
5    friendly-ap  00:0D:0B:CB:39:33  dept1
6    rogue-ap     00:13:49:18:15:5A
This example shows both the status of rogue AP detection and the summary of detected APs.
Router(config)# show rogue-ap detection status
rogue-ap detection status: on
Router(config)# show rogue-ap detection info
rogue ap: 1
friendly ap: 4
adhoc: 4
unclassified ap: 0
total devices: 0

10.3 Rogue AP Containment Overview

These commands enable rogue AP containment. You can use them to isolate a device that is flagged as a rogue AP. They are global in that they apply to all managed APs on the network (all APs utilize the same containment list, but only APs set to monitor mode can actively engage in containment of rogue APs). This means if we add a MAC address of a device to the containment list, then every AP on the network will respect it.
Note: Containing a rogue AP means broadcasting unviable login data at it, preventing legitimate wireless clients from connecting to it. This is a kind of Denial of Service attack.

10.4 Rogue AP Containment Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 29 Input Values for Rogue AP Containment Commands
LABEL DESCRIPTION
ap_mac
    Specifies the MAC address (in XX:XX:XX:XX:XX:XX format) of the AP to be contained. The no command removes the entry.
The following table describes the commands available for rogue AP containment. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 30 Command Summary: Rogue AP Containment
COMMAND DESCRIPTION
rogue-ap containment
    Enters sub-command mode for rogue AP containment.
[no] activate
    Activates rogue AP containment. Use the no parameter to deactivate rogue AP containment.
[no] contain ap_mac
    Isolates the device associated with the specified MAC address. Use the no parameter to remove this device from the containment list.
exit
    Exits configuration mode for rogue AP containment.
show rogue-ap containment config
    Displays whether rogue AP containment is enabled or not.
show rogue-ap containment list
    Displays the rogue AP containment list.
10.4.1 Rogue AP Containment Example
This example contains the device associated with MAC address 00:13:49:11:11:12 then displays the containment list for confirmation.
Router(config)# rogue-ap containment
Router(config-containment)# activate
Router(config-containment)# contain 00:13:49:11:11:12
Router(config-containment)# exit
Router(config)# show rogue-ap containment list
no.  mac
=====================================================================
1    00:13:49:11:11:12
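Because containment disrupts whatever AP it targets, it is worth cross-checking the containment list against the detection lists before activating it. The Python audit below is an added example, not part of the Zyxel guide: it reads saved output of show rogue-ap detection list all and show rogue-ap containment list in the formats shown in Sections 10.2.1 and 10.4.1. The sample outputs are constructed and the finding texts are this example's own wording.

```python
import re

# One numbered row: index, optional role column, MAC, optional description.
ROW = re.compile(
    r"^\s*\d+\s+(?:(friendly-ap|rogue-ap)\s+)?"
    r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*(.*)$"
)

# Constructed sample of "show rogue-ap detection list all" output.
DETECTION_LIST = """\
Router(config)# show rogue-ap detection list all
no. role        mac               description
===========================================================================
1   friendly-ap 11:11:11:11:11:11 third floor
2   friendly-ap 00:13:49:11:22:33
3   friendly-ap 00:13:49:00:00:05
4   friendly-ap 00:0D:0B:CB:39:33 dept1
5   rogue-ap    00:13:49:18:15:5A
"""

# Constructed sample of "show rogue-ap containment list" output.
CONTAINMENT_LIST = """\
Router(config)# show rogue-ap containment list
no. mac
=====================================================================
1   00:13:49:11:11:12
2   00:13:49:11:22:33
3   00:13:49:18:15:5a
"""


def parse_rows(text):
    """Yield (role, MAC, description) per numbered row; prompts, headers and rulers are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), m.group(2).upper(), m.group(3).strip()


def audit(detection_text, containment_text):
    """Return (MAC, issue) findings for the detection and containment lists."""
    roles, findings = {}, []
    for role, mac, desc in parse_rows(detection_text):
        roles[mac] = role
        # Lowest bit of the first octet marks a group (multicast) address,
        # which no AP uses as its own address: likely a typo or placeholder.
        if int(mac[:2], 16) & 1:
            findings.append((mac, "group address, not a real AP"))
        if role == "friendly-ap" and not desc:
            findings.append((mac, "friendly entry has no description"))
    for _, mac, _ in parse_rows(containment_text):
        role = roles.get(mac)
        if role == "friendly-ap":
            findings.append((mac, "contained but listed as friendly"))
        elif role != "rogue-ap":
            findings.append((mac, "contained but not on the rogue list"))
    return findings


if __name__ == "__main__":
    for mac, issue in audit(DETECTION_LIST, CONTAINMENT_LIST):
        print(f"{mac}  {issue}")
```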
CHAPTER 11

Wireless Frame Capture

This chapter shows you how to configure and use wireless frame capture on the Zyxel Device.

11.1 Wireless Frame Capture Overview

Troubleshooting wireless LAN issues has always been a challenge. Wireless sniffer tools like Ethereal can help capture and decode packets of information, which can then be analyzed for debugging. It works well for local data traffic, but if your devices are spaced increasingly farther away then it often becomes correspondingly difficult to attempt remote debugging. Complicated wireless packet collection is arguably an arduous and perplexing process. The wireless frame capture feature in the Zyxel Device can help.
This chapter describes the wireless frame capture commands, which allow a network administrator to capture wireless traffic information and download it to an Ethereal/Tcpdump compatible format packet file for analysis.

11.2 Wireless Frame Capture Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 31 Input Values for Wireless Frame Capture Commands
LABEL DESCRIPTION
ip_address
    The IP address of the Access Point (AP) that you want to monitor. Enter a standard IPv4 IP address (for example, 192.168.1.2).
mon_dir_size
    The total combined size (in kbytes) of all files to be captured. The maximum you can set is 50 megabytes (52428800 bytes).
file_name
    The file name prefix for each captured file. The default prefix is monitor while the default file name is monitor.dump. You can use 1-31 alphanumeric characters, underscores or dashes but the first character cannot be a number. This string is case sensitive.
The following table describes the commands available for wireless frame capture. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 32 Command Summary: Wireless Frame Capture
COMMAND DESCRIPTION
frame-capture configure
    Enters sub-command mode for wireless frame capture.
src-ip {add|del} {ipv4_address | local}
    Sets or removes the IPv4 address of an AP controlled by the Zyxel Device that you want to capture wireless network traffic going through the AP interfaces. You can use this command multiple times to add additional IPs to the list.
file-prefix file_name
    Sets the file name prefix for each captured file. Enter up to 31 alphanumeric characters. Spaces and underscores are not allowed.
files-size mon_dir_size
    Sets the total combined size (in kbytes) of all files to be captured.
exit
    Exits configuration mode for wireless frame capture.
[no] frame-capture activate
    Starts wireless frame capture. Use the no parameter to turn it off.
show frame-capture status
    Displays whether frame capture is running or not.
show frame-capture config
    Displays the frame capture configuration.
11.2.1 Wireless Frame Capture Examples
This example configures the wireless frame capture parameters for an AP located at IP address 192.168.1.2.
Router(config)# frame-capture configure
Router(frame-capture)# src-ip add 192.168.1.2
Router(frame-capture)# file-prefix monitor
Router(frame-capture)# files-size 1000
Router(frame-capture)# exit
Router(config)#
This example shows frame capture status and configuration.
Router(config)# show frame-capture status
capture status: off
Router(config)# show frame-capture config
capture source: 192.168.1.2
file prefix: monitor
file size: 1000
CHAPTER 12

Dynamic Channel Selection

This chapter shows you how to configure and use dynamic channel selection on the Zyxel Device.

12.1 DCS Overview

Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by passively listening to the area around it and determining what channels are currently being broadcast on by other devices.
When numerous APs broadcast within a given area, they introduce the possibility of heightened radio interference, especially if some or all of them are broadcasting on the same radio channel. This can make accessing the network potentially rather difficult for the stations connected to them. If the interference becomes too great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using (or at least a channel that has a lower level of interference) in order to give the connected stations a minimum degree of channel interference.

12.2 DCS Commands

See Section 9.2 on page 72 for detailed information about how to configure DCS settings in a radio profile.
The following table describes the commands available for dynamic channel selection. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 33 Command Summary: DCS
COMMAND DESCRIPTION
dcs now {ap_mac | profile_name}
    Sets the managed AP to scan for and select an available channel immediately.
CHAPTER 13

Auto-Healing

This chapter shows you how to configure auto-healing settings.

13.1 Auto-Healing Overview

Auto-healing allows you to extend the wireless service coverage area of the managed APs when one of the managed APs fails.

13.2 Auto-Healing Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 34 Input Values for Auto-Healing Commands
LABEL DESCRIPTION
interval
    Enters the auto-healing interval time. The range is 5 ~ 30 minutes.
The following table describes the commands available for auto-healing. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 35 Command Summary: Auto-Healing
COMMAND DESCRIPTION
[no] auto-healing activate
    Turns on the auto-healing feature. Use the no parameter to turn it off.
auto-healing healing-interval interval
    Sets the interval that specifies how often the managed APs scan their neighborhoods and report the status of neighbor APs to the AP controller (Zyxel Device).
    An AP is considered “failed” if the AP controller obtains the same scan result that the AP is missing from the neighbor list of other APs three times.
auto-healing healing-threshold
    Sets a minimum signal strength. A managed AP is added to the neighbor lists only when the signal strength of the AP is stronger than the specified threshold.
auto-healing power-threshold <-50~-80>
    Sets a power threshold (in dBm). This value is used to calculate the power level (power-threshold + margin) to which the neighbor APs of the failed AP increase their output power in order to extend their wireless service coverage areas.
    When the failed AP is working again, its neighbor APs return their output power to the original level.
auto-healing margin
    Enters a number from 0 to 9. This value is used to calculate the power level (power-threshold + margin) to which the neighbor APs of the failed AP increase their output power in order to extend their wireless service coverage areas.
auto-healing update
    Sets all managed APs to immediately scan their neighborhoods three times in a row and update their neighbor lists to the AP controller (Zyxel Device).
show auto-healing config
    Displays the current auto-healing configuration.
13.2.1 Auto-Healing Examples
This example enables auto-healing and sets the power level (in dBm) to which the neighbor APs of the failed AP increase their output power.
Router(config)# auto-healing activate
Router(config)# auto-healing power-threshold -70
Router(config)# show auto-healing config
auto-healing activate: yes
auto-healing interval: 10
auto-healing power threshold: -70 dBm
auto-healing healing threshold: -85 dBm
auto-healing margin: 0
Router(config)#
CHAPTER 14

LEDs

This chapter describes two features that control the LEDs of the managed APs connected to your Zyxel Device: Locator and Suppression.

14.1 LED Suppression Mode

The LED Suppression feature allows you to control how the LEDs of an AP behave after it’s ready. The default LED suppression setting of the AP is different depending on your AP model.
Note: When the AP is booting or performing firmware upgrade, the LEDs will light regardless of the setting in LED suppression.

14.2 LED Suppression Commands

Use these commands to set how you want the LEDs to behave after the device is ready. You must use the configure terminal command before you can use these commands.
Table 36 LED Suppression Commands
COMMAND DESCRIPTION
led_suppress ap_mac_address enable
    Sets the LEDs of the specified AP to turn off after it’s ready.
led_suppress ap_mac_address disable
    Sets the LEDs of the specified AP to stay lit after the Zyxel Device is ready.
show led_suppress ap_mac_address status
    Displays whether LED suppression mode is enabled or disabled on the specified AP.
14.2.1 LED Suppression Commands Example
The following example activates LED suppression mode on the AP with the MAC address 00:a0:c5:01:23:45 and displays the settings.
Router(config)# led_suppress 00:a0:c5:01:23:45 enable
Router(config)# show led_suppress 00:a0:c5:01:23:45 status
Suppress Mode Status : Enable
Router(config)#

14.3 LED Locator

The LED locator feature identifies the location of the WAC AP among several devices in the network. You can run this feature and set a timer.

14.4 LED Locator Commands

Use these commands to run the LED locator feature. You must use the configure terminal command before you can use these commands.
Table 37 LED Locator Commands
COMMAND DESCRIPTION
led_locator ap_mac_address on
    Enables the LED locator function on the specified AP. It will show the actual location of the AP among several devices in the network.
led_locator ap_mac_address off
    Disables the LED locator function on the specified AP.
led_locator ap_mac_address blink-timer <1..60>
    Sets a time interval between 1 and 60 minutes to stop the locator LED from blinking on the specified AP.
    Note: You should run this command before enabling the LED locator function.
show led_locator ap_mac_address status
    Displays whether LED locator function is enabled on the specified AP and the timer setting.
14.4.1 LED Locator Commands Example
The following example turns on the LED locator feature on the AP with the MAC address 00:a0:c5:01:23:45, sets how long the locator LED stays blinking, and also displays the settings.
Router(config)# led_locator 00:a0:c5:01:23:45 blink-timer 5
Router(config)# led_locator 00:a0:c5:01:23:45 on
Router(config)# show led_locator 00:a0:c5:01:23:45 status
Locator LED Status : ON
Locator LED Time : 5
Router(config)#