Zyxel USG FLEX 700, USG FLEX 50, USG FLEX 100W, USG FLEX 200, USG FLEX 500 CLI Reference Guide

...
Default Login Details
3'ŻMÍºŻGuide

ZyWALL Series

LAN Port IP Address https://192.168.1.1
User Name admin
Password 1234
Copyright © 2023 Zyxel and/or its affiliates. All rights reserved.
IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE.
This is a Reference Guide for a series of products intended for people who want to configure the Zyxel Device via Command Line Interface (CLI).
Note: The version number on the cover page refers to the latest firmware version supported by the Zyxel Device. This guide applies to ZLD version 4.10–5.00 at the time of writing.
How To Use This Guide
1 Read Chapter 1 on page 26 for how to access and use the CLI (Command Line Interface).
2 Read Chapter 2 on page 42 to learn about the CLI user and privilege modes.
Some commands or command options in this guide may not be available in your product. See your product's User’s Guide for a list of supported features. Do not use commands not documented in this guide. Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable. Some commands are renamed between firmware versions. In cases where a command has multiple names, the Reference Guide lists each variation.
Related Documentation
• Quick Start Guide: The Quick Start Guide shows how to connect the Zyxel Device and access the Web Configurator.
• User’s Guide: The ZyWALL USG, ATP, USG FLEX and VPN series User’s Guides explain how to use the Web Configurator to configure the Zyxel Device. They also show the product feature matrix for each device. General feature differences are described in the Introduction chapter, while a more detailed table is in the Product Feature appendix.
Note: It is recommended that you use the Web Configurator to configure the Zyxel Device.
• More Information: Go to support.zyxel.com to find other information on the Zyxel Device.

Contents Overview

Introduction .......................................................................................................................................25
Command Line Interface ...................................................................................................... 26
User and Privilege Modes .................................................................................................................... 42
Reference ..........................................................................................................................................44
Object Reference ................................................................................................................................ 45
Status ...................................................................................................... 47
Registration ...................................................................................................... 53
AP Management .................................................................................................................................. 57
Built-in AP ............................................................................................................................................... 70
AP Group ............................................................................................................................................... 72
Wireless LAN Profiles .............................................................................................................................. 79
Rogue AP ............................................................................................................................................. 100
Wireless Health .................................................................................................................................... 104
Wireless Frame Capture ..................................................................................................................... 109
Dynamic Channel Selection ............................................................................................................. 112
Auto-Healing ....................................................................................................................................... 113
LEDs ...................................................................................................................................................... 115
Interfaces ...................................................................................................... 117
Trunks ...................................................................................................... 165
Route ...................................................................................................... 169
Routing Protocol ................................................................................................................................. 179
Zones ...................................................................................................... 186
DDNS .................................................................................................................................................... 189
Virtual Servers ...................................................................................................................................... 192
HTTP Redirect ....................................................................................................................................... 205
Redirect Service .................................................................................................................................. 207
ALG ...................................................................................................... 211
UPnP ..................................................................................................................................................... 214
IP/MAC Binding ................................................................................................................................... 217
Layer 2 Isolation .................................................................................................................................. 219
Secure Policy ....................................................................................................................................... 222
Cloud CNM ......................................................................................................................................... 244
Web Authentication ........................................................................................................................... 252
Hotspot ................................................................................................................................................ 263
IPSec VPN ............................................................................................................................................ 278
SSL VPN ...................................................................................................... 297
L2TP VPN .............................................................................................................................................. 301
ZyWALL Series CLI Reference Guide
Bandwidth Management .................................................................................................................. 309
Application Patrol ............................................................................................................................... 315
Anti-Virus .............................................................................................................................................. 319
RTLS ...................................................................................................... 327
Reputation Filter .................................................................................................................................. 329
Sandboxing ......................................................................................................................................... 348
IDP Commands ...................................................................................................................................351
Content Filtering ................................................................................................................................. 368
Anti-Spam ...................................................................................................... 402
Collaborative Detection & Response .............................................................................................. 414
SSL Inspection ...................................................................................................................................... 422
IP Exception ......................................................................................................................................... 430
Device HA ........................................................................................................................................... 432
Device Insight ...................................................................................................................................... 442
User/Group ...................................................................................................... 447
Application Object ...................................................................................................... 459
Addresses ............................................................................................................................................ 462
Services ...................................................................................................... 470
Schedules ............................................................................................................................................ 473
AAA Server .......................................................................................................................................... 475
Authentication Objects ..................................................................................................................... 482
Authentication Server ........................................................................................................................ 494
Certificates .......................................................................................................................................... 496
ISP Accounts ........................................................................................................................................ 502
SSL Application ................................................................................................................................... 505
DHCPv6 Objects ................................................................................................................................. 508
Dynamic Guest Accounts .................................................................................................................511
System ...................................................................................................... 515
System Remote Management .......................................................................................................... 531
File Manager ....................................................................................................................................... 543
Logs ...................................................................................................................................................... 569
Reports and Reboot ........................................................................................................................... 576
Diagnostics and Remote Assistance ...............................................................................................582
Session Timeout ................................................................................................................................... 585
Packet Flow Explore ...................................................................................................... 586
Maintenance Tools ...................................................................................................... 590
Miscellaneous ..................................................................................................................................... 601
Managed AP Commands ................................................................................................................. 608

Table of Contents

Contents Overview .............................................................................................................................3
Table of Contents.................................................................................................................................5
Part I: Introduction ..........................................................................................25
Chapter 1
Command Line Interface..................................................................................................................26
1.1 Overview ......................................................................................................................................... 26
1.1.1 The Configuration File ........................................................................................................... 27
1.2 Accessing the CLI ........................................................................................................................... 27
1.2.1 Console Port .......................................................................................................................... 28
1.2.2 Web Configurator Console .................................................................................................. 29
1.2.3 Telnet ...................................................................................................................................... 31
1.2.4 SSH (Secure SHell) .................................................................................................................. 31
1.3 How to Find Commands in this Guide .........................................................................................32
1.4 How Commands Are Explained ................................................................................................... 32
1.4.1 Background Information (Optional) ................................................................................... 32
1.4.2 Command Input Values (Optional) .................................................................................... 32
1.4.3 Command Summary ............................................................................................................ 32
1.4.4 Command Examples (Optional) ......................................................................................... 32
1.4.5 Command Syntax ................................................................................................................. 32
1.4.6 Naming Conventions ............................................................................................................ 33
1.4.7 Changing the Password ....................................................................................................... 33
1.4.8 Idle Timeout ........................................................................................................................... 33
1.5 CLI Modes ........................................................................................................................................ 33
1.6 Shortcuts and Help ......................................................................................................................... 34
1.6.1 List of Available Commands ................................................................................................ 34
1.6.2 List of Sub-commands or Required User Input ................................................................... 35
1.6.3 Entering Partial Commands ................................................................................................. 35
1.6.4 Entering a ? in a Command ................................................................................................36
1.6.5 Command History ................................................................................................................. 36
1.6.6 Navigation ............................................................................................................................. 36
1.6.7 Erase Current Command ..................................................................................................... 36
1.6.8 The no Commands ............................................................................................................... 36
1.7 Input Values .................................................................................................................................... 36
1.8 Ethernet Interfaces ......................................................................................................................... 41
1.9 Saving Configuration Changes .................................................................................................... 41
1.10 Logging Out .................................................................................................................................. 41
1.11 Resetting the Zyxel Device .......................................................................................................... 41
Chapter 2
User and Privilege Modes .................................................................................................................42
2.1 User And Privilege Modes .............................................................................................................. 42
Part II: Reference ............................................................................................44
Chapter 3
Object Reference ...................................................................................................... 45
3.1 Object Reference Commands ..................................................................................................... 45
3.1.1 Object Reference Command Example ............................................................................. 46
Chapter 4
Status...................................................................................................................................................47
4.1 ATP Dashboard Commands ......................................................................................................... 51
4.2 CPU Temperature Monitor Commands ....................................................................................... 52
4.3 System Protection Signature Commands .................................................................................... 52
Chapter 5
Registration.........................................................................................................................................53
5.1 Registration Overview .................................................................................................................... 53
5.2 myZyxel Overview ........................................................................................................................... 53
5.2.1 Subscription Services Available on the Zyxel Device ........................................................ 53
5.2.2 Firewall as a Service (FaaS) License .................................................................................... 54
5.3 Registration Commands ................................................................................................................ 54
5.4 FaaS Commands ............................................................................................................................ 55
5.4.1 Command Examples ............................................................................................................ 55
5.5 Update License Commands ......................................................................................................... 56
Chapter 6
AP Management................................................................................................................................57
6.1 AP Management Overview ..........................................................................................................57
6.1.1 AP Modes ............................................................................................................................... 57
6.1.2 Airtime Fairness ...................................................................................................................... 58
6.2 AP Management Value ................................................................................................................. 58
6.3 General AP Management Commands ....................................................................................... 59
6.3.1 AP Management Commands Example ............................................................................. 64
6.4 Remote AP ...................................................................................................................................... 66
6.4.1 Remote AP Notes .................................................................................................................. 68
6.4.2 Remote AP Commands .......................................................................................................68
Chapter 7
Built-in AP............................................................................................................................................70
7.1 Built-in AP Commands .................................................................................................................... 70
Chapter 8
AP Group ............................................................................................................................................72
8.1 Wireless Load Balancing Overview .............................................................................................. 72
8.2 AP Group Commands ................................................................................................................... 72
8.2.1 AP Group Examples .............................................................................................................. 76
Chapter 9
Wireless LAN Profiles ..........................................................................................................................79
9.1 Wireless LAN Profiles Overview ...................................................................................................... 79
9.2 AP Radio & Monitor Profile Commands ....................................................................................... 79
9.2.1 AP Radio & Monitor Profile Commands Example ............................................................. 88
9.3 SSID Profile Commands .................................................................................................................. 89
9.3.1 SSID Profile Example .............................................................................................................. 92
9.4 Security Profile Commands ........................................................................................................... 92
9.4.1 Security Profile Example ....................................................................................................... 95
9.4.2 SSID and Security Profiles Example ...................................................................................... 96
9.5 MAC Filter Profile Commands ....................................................................................................... 97
9.5.1 MAC Filter Profile Example ................................................................................................... 97
9.6 ZyMesh Profile Commands ............................................................................................................ 98
Chapter 10
Rogue AP..........................................................................................................................................100
10.1 Rogue AP Detection Overview ................................................................................................. 100
10.2 Rogue AP Detection Commands ............................................................................................. 100
10.2.1 Rogue AP Detection Examples ....................................................................................... 101
10.3 Rogue AP Containment Overview ........................................................................................... 102
10.4 Rogue AP Containment Commands ....................................................................................... 103
10.4.1 Rogue AP Containment Example ................................................................................... 103
Chapter 11
Wireless Health.................................................................................................................................104
11.1 Wireless Health Overview .......................................................................................................... 104
11.2 Wireless Health Commands ...................................................................................................... 104
11.2.1 Wireless Health Radio and Station Settings .................................................................... 106
11.2.2 Wireless Health Radio and Station Actions .................................................................... 107
11.2.3 Wireless Health Command Examples ............................................................................. 107
Chapter 12
Wireless Frame Capture..................................................................................................................109
12.1 Wireless Frame Capture Overview ...........................................................................................109
12.2 Wireless Frame Capture Commands ....................................................................................... 109
12.2.1 Wireless Frame Capture Examples .................................................................................. 110
12.2.2 Remote Packet Capture .................................................................................................. 110
Chapter 13
Dynamic Channel Selection...........................................................................................................112
13.1 DCS Overview ............................................................................................................................. 112
13.2 DCS Commands ......................................................................................................................... 112
Chapter 14
Auto-Healing....................................................................................................................................113
14.1 Auto-Healing Overview ............................................................................................................. 113
14.2 Auto-Healing Commands ......................................................................................................... 113
14.2.1 Auto-Healing Examples .................................................................................................... 114
Chapter 15
LEDs ...................................................................................................................................................115
15.1 LED Suppression Mode ............................................................................................................... 115
15.2 LED Suppression Commands ..................................................................................................... 115
15.2.1 LED Suppression Commands Example ........................................................................... 115
15.3 LED Locator ................................................................................................................................. 115
15.4 LED Locator Commands ............................................................................................................ 116
15.4.1 LED Locator Commands Example .................................................................................. 116
Chapter 16
Interfaces..........................................................................................................................................117
16.1 Interface Overview .................................................................................................................... 117
16.1.1 Types of Interfaces ............................................................................................................ 117
16.1.2 Relationships Between Interfaces ................................................................................... 119
16.2 Interface General Commands Summary ................................................................................ 121
16.2.1 Basic Interface Properties and IP Address Commands ................................................ 121
16.2.2 IGMP Proxy Commands ................................................................................................... 128
16.2.3 Proxy ARP Commands ......................................................................................................129
16.2.4 DHCP Setting Commands ................................................................................................ 130
16.2.5 Interface Parameter Command Examples ................................................................... 135
16.2.6 RIP Commands .................................................................................................................. 136
16.2.7 OSPF Commands .............................................................................................................. 137
16.2.8 Connectivity Check (Ping-check) Commands ................................................................. 138
16.3 Ethernet Interface Specific Commands .................................................................................. 139
16.3.1 MAC Address Setting Commands .................................................................................. 140
16.3.2 Port Grouping Commands .............................................................................................. 140
16.4 Virtual Interface Specific Commands ...................................................................................... 142
16.4.1 Virtual Interface Command Examples ........................................................................... 142
16.5 PPPoE/PPTP Specific Commands ............................................................................................. 142
16.5.1 PPPoE/PPTP Interface Command Examples .................................................................. 144
16.6 Cellular Interface Specific Commands ................................................................................... 144
16.6.1 Cellular Status .................................................................................................................... 147
16.6.2 Cellular Interface Command Examples ......................................................................... 149
16.7 Tunnel Interface Specific Commands ..................................................................................... 150
16.7.1 Tunnel Interface Command Examples ........................................................................... 152
16.8 USB Storage Specific Commands ............................................................................................. 152
16.8.1 Firmware Upgrade via USB Stick ...................................................................................... 153
16.8.2 USB Storage Commands Example .................................................................................. 155
16.9 VLAN Interface Specific Commands ....................................................................................... 155
16.9.1 VLAN Interface Command Examples ............................................................................ 156
16.10 Bridge Specific Commands .................................................................................................... 156
16.10.1 Bridge Interface Command Examples ......................................................................... 157
16.11 LAG Commands ....................................................................................................................... 157
16.11.1 LAG Interface Command Example .............................................................................. 160
16.12 VTI Commands ......................................................................................................................... 161
16.12.1 Restrictions for IPsec Virtual Tunnel Interface ............................................................... 161
16.12.2 VTI Interface Command Example ................................................................................ 164
Chapter 17
Trunks ................................................................................................................................................165
17.1 Trunks Overview .......................................................................................................................... 165
17.2 Trunk Scenario Examples ........................................................................................................... 165
17.3 Trunk Commands Input Values ................................................................................................. 166
17.4 Trunk Commands Summary ...................................................................................................... 166
17.5 Trunk Command Examples ....................................................................................................... 167
Chapter 18
Route.................................................................................................................................................169
18.1 Policy Route ................................................................................................................................ 169
18.1.1 Source Network Address Translation (SNAT) .................................................................. 169
18.2 Policy Route Commands ........................................................................................................... 170
18.2.1 Assured Forwarding (AF) PHB for DiffServ ....................................................................... 175
18.2.2 Policy Route Command Example ................................................................................... 175
18.3 IP Static Route ............................................................................................................................. 176
18.4 Static Route Commands ........................................................................................................... 177
18.4.1 Static Route Commands Examples ................................................................................ 178
Chapter 19
Routing Protocol...............................................................................................................................179
19.1 Routing Protocol Overview ....................................................................................................... 179
19.2 Routing Protocol Commands Summary .................................................................................. 179
19.2.1 RIP Commands .................................................................................................................. 180
19.2.2 General OSPF Commands ............................................................................................... 180
19.2.3 OSPF Area Commands .................................................................................................... 181
19.2.4 Virtual Link Commands ..................................................................................................... 181
19.2.5 Learned Routing Information Commands ..................................................................... 182
19.2.6 Show IP Route Command Example ................................................................................ 182
19.3 BGP (Border Gateway Protocol) ............................................................................................... 182
19.3.1 BGP Commands ................................................................................................................ 184
Chapter 20
Zones.................................................................................................................................................186
20.1 Zones Overview .......................................................................................................................... 186
20.2 Zone Commands Summary ...................................................................................................... 187
20.2.1 Zone Command Examples .............................................................................................. 188
Chapter 21
DDNS .................................................................................................................................................189
21.1 DDNS Overview ........................................................................................................................... 189
21.2 DDNS Commands Summary ..................................................................................................... 189
21.3 DDNS Commands Example ...................................................................................................... 191
Chapter 22
Virtual Servers...................................................................................................................................192
22.1 Virtual Server Overview .............................................................................................................. 192
22.1.1 1:1 NAT and Many 1:1 NAT ............................................................................................... 192
22.2 Virtual Server Commands Summary ......................................................................................... 192
22.2.1 Virtual Server Command Examples ................................................................................ 194
22.2.2 Tutorial - How to Allow Public Access to a Server ......................................................... 195
22.3 Virtual Server Load Balancing ................................................................................................... 196
22.3.1 Load Balancing Example 1 .............................................................................................. 196
22.3.2 Load Balancing Example 2 .............................................................................................. 197
22.3.3 Virtual Server Load Balancing Process ........................................................................... 198
22.3.4 Load Balancing Rules ....................................................................................................... 199
22.3.5 Virtual Server Load Balancing Algorithms ...................................................................... 200
22.3.6 Virtual Server Load Balancing Commands .................................................................... 201
Chapter 23
HTTP Redirect....................................................................................................................................205
23.1 HTTP Redirect Overview ............................................................................................................. 205
23.1.1 Web Proxy Server .............................................................................................................. 205
23.2 HTTP Redirect Commands ......................................................................................................... 205
23.2.1 HTTP Redirect Command Examples ............................................................................... 206
Chapter 24
Redirect Service...............................................................................................................................207
24.1 HTTP Redirect ............................................................................................................................... 207
24.2 SMTP Redirect ............................................................................................................................. 207
24.3 Redirect Commands .................................................................................................................. 207
24.3.1 Redirect Command Example .......................................................................................... 210
Chapter 25
ALG....................................................................................................................................................211
25.1 ALG Introduction ........................................................................................................................ 211
25.2 ALG Commands ......................................................................................................................... 212
25.3 ALG Commands Example ......................................................................................................... 213
Chapter 26
UPnP...................................................................................................................................................214
26.1 UPnP and NAT-PMP Overview ................................................................................................... 214
26.2 UPnP and NAT-PMP Commands ............................................................................................... 214
26.3 UPnP & NAT-PMP Commands Example ................................................................................... 215
Chapter 27
IP/MAC Binding................................................................................................................................217
27.1 IP/MAC Binding Overview ......................................................................................................... 217
27.2 IP/MAC Binding Commands ..................................................................................................... 217
27.3 IP/MAC Binding Commands Example ..................................................................................... 218
Chapter 28
Layer 2 Isolation...............................................................................................................................219
28.1 Layer 2 Isolation Overview ......................................................................................................... 219
28.2 Layer 2 Isolation Commands ..................................................................................................... 220
28.2.1 Layer 2 Isolation White List Sub-Commands .................................................................. 220
28.3 Layer 2 Isolation Commands Example ..................................................................................... 221
Chapter 29
Secure Policy....................................................................................................................................222
29.1 Secure Policy Overview ............................................................................................................. 222
29.2 Secure Policy Commands ......................................................................................................... 223
29.2.1 Secure Policy Sub-Commands ........................................................................................ 226
29.2.2 Security Services Multiple Profiles .................................................................................... 228
29.2.3 Secure Policy Command Examples ................................................................................ 229
29.3 Output Control Commands ...................................................................................................... 233
29.3.1 Output Control Sub-Commands ..................................................................................... 235
29.4 Session Limit Commands ........................................................................................................... 236
29.5 ADP Commands Overview ....................................................................................................... 238
29.5.1 ADP Command Input Values .......................................................................................... 238
29.5.2 ADP Activation Commands ............................................................................................ 239
29.5.3 ADP Global Profile Commands ....................................................................................... 239
29.5.4 ADP Zone-to-Zone Rule Commands ............................................................................... 239
29.5.5 ADP Add/Edit Profile Sub Commands ............................................................................ 240
29.5.6 ADP Flood Detection Whitelist Commands ................................................................... 243
Chapter 30
Cloud CNM.......................................................................................................................................244
30.1 Cloud CNM Overview ................................................................................................................ 244
30.2 Cloud CNM SecuManager ....................................................................................................... 244
30.2.1 Introduction to XMPP ........................................................................................................ 245
30.2.2 Cloud CNM SecuManager Commands ........................................................................ 246
30.2.3 Cloud CNM SecuManager Command Example .......................................................... 249
30.3 Cloud CNM SecuReporter ......................................................................................................... 249
30.3.1 Cloud CNM SecuReporter Commands .......................................................................... 249
30.3.2 Cloud CNM SecuReporter Commands Example .......................................................... 251
Chapter 31
Web Authentication.........................................................................................................................252
31.1 Web Authentication Overview ................................................................................................. 252
31.1.1 User Two-Factor Authentication ...................................................................................... 252
31.1.2 802.1X Single Sign-On ....................................................................................................... 253
31.1.3 Summary of User Authentication Methods .................................................................... 253
31.2 Web Authentication Commands ............................................................................................. 254
31.2.1 web-auth login setting Sub-commands ......................................................................... 256
31.2.2 web-auth policy Sub-commands ................................................................................... 257
31.2.3 Facebook Wi-Fi Commands ............................................................................................ 259
31.3 SSO Overview .............................................................................................................................. 259
31.3.1 SSO Configuration Commands ....................................................................................... 260
31.3.2 SSO Show Commands ...................................................................................................... 260
31.3.3 Command Setup Sequence Example ........................................................................... 261
31.3.4 Two-Factor Web Authentication Command Example ................................................. 261
Chapter 32
Hotspot..............................................................................................................................................263
32.1 Hotspot Overview ....................................................................................................................... 263
32.2 Billing Overview ........................................................................................................................... 263
32.3 Billing Commands ....................................................................................................................... 263
32.3.1 Billing Profile Sub-commands ........................................................................................... 265
32.3.2 Billing Command Example ............................................................................................... 265
32.3.3 Payment Service ............................................................................................................... 267
32.4 Printer Manager Overview ........................................................................................................ 270
32.5 Printer-manager Commands .................................................................................................... 270
32.5.1 Printer-manager Printer Sub-commands ........................................................................ 271
32.5.2 Printer-manager Command Example ............................................................................ 271
32.6 Free Time Overview .................................................................................................................... 272
32.7 Free-Time Commands ................................................................................................................ 272
32.8 Free-Time Commands Example ................................................................................................ 273
32.9 IPnP Overview ............................................................................................................................. 273
32.10 IPnP Commands ....................................................................................................................... 273
32.11 IPnP Commands Example ....................................................................................................... 274
32.12 Walled Garden Overview ....................................................................................................... 274
32.13 Walled Garden Commands ................................................................................................... 274
32.13.1 walled-garden rule Sub-commands ............................................................................. 275
32.13.2 walled-garden domain-ip rule Sub-commands .......................................................... 276
32.13.3 Walled Garden Command Example ........................................................................... 276
32.14 Advertisement Overview ......................................................................................................... 277
32.15 Advertisement Commands ..................................................................................................... 277
32.15.1 Advertisement Command Example ............................................................................. 277
Chapter 33
IPSec VPN .........................................................................................................................................278
33.1 IPSec VPN Overview ................................................................................................................... 278
33.2 IPSec VPN Commands Summary ............................................................................................. 279
33.2.1 IPv4 IKEv1 SA Commands ................................................................................................. 280
33.2.2 IPv4 IPSec SA Commands (except Manual Keys) ......................................................... 282
33.2.3 IPv4 IPSec SA Commands (for Manual Keys) ................................................................. 287
33.2.4 VPN Concentrator Commands ....................................................................................... 288
33.2.5 VPN Configuration Provisioning Commands ................................................................. 288
33.2.6 SA Monitor Commands .................................................................................................... 290
33.2.7 IPv4 IKEv2 SA Commands ................................................................................................. 291
33.2.8 IPv6 IKEv2 SA Commands ................................................................................................. 292
33.2.9 IPv6 IPSec SA Commands ................................................................................................ 294
33.2.10 IPv6 VPN Concentrator Commands ............................................................................. 296
Chapter 34
SSL VPN..............................................................................................................................................297
34.1 SSL Access Policy ........................................................................................................................ 297
34.1.1 SSL Application Objects ................................................................................................... 297
34.1.2 SSL Access Policy Limitations ........................................................................................... 297
34.2 SSL VPN Commands ................................................................................................................... 297
34.2.1 SSL VPN Commands ......................................................................................................... 298
34.2.2 Setting an SSL VPN Rule Tutorial ...................................................................................... 299
Chapter 35
L2TP VPN...........................................................................................................................................301
35.1 L2TP VPN Overview ..................................................................................................................... 301
35.2 IPSec Configuration .................................................................................................................... 301
35.2.1 Using the Default L2TP VPN Connection ........................................................................ 302
35.3 LAN Policy Route ........................................................................................................................ 302
35.4 WAN Policy Route ....................................................................................................................... 302
35.5 L2TP VPN Commands ................................................................................................................. 303
35.5.1 L2TP VPN Commands ....................................................................................................... 303
35.5.2 L2TP Account Commands ............................................................................................... 305
35.6 L2TP VPN Examples ..................................................................................................................... 305
35.6.1 Configuring the Default L2TP VPN Gateway Example ................................................. 306
35.6.2 Configuring the Default L2TP VPN Connection Example ............................................. 306
35.6.3 Configuring the L2TP VPN Settings Example .................................................................. 307
35.6.4 Configuring the LAN Policy Route for L2TP Example ..................................................... 307
35.6.5 Configuring the WAN Policy Route for L2TP Example ................................................... 308
Chapter 36
Bandwidth Management................................................................................................................309
36.1 Bandwidth Management Overview ........................................................................................ 309
36.1.1 BWM Type .......................................................................................................................... 309
36.2 Bandwidth Management Commands .................................................................................... 309
36.2.1 Bandwidth Sub-Commands ............................................................................................ 310
36.3 Bandwidth Management Commands Examples ................................................................... 313
Chapter 37
Application Patrol............................................................................................................................315
37.1 Application Patrol Overview ..................................................................................................... 315
37.2 Application Patrol Commands Summary ................................................................................ 315
37.2.1 Application Patrol Commands ........................................................................................ 316
Chapter 38
Anti-Virus...........................................................................................................................................319
38.1 Anti-Virus Overview .................................................................................................................... 319
38.2 Anti-Virus Commands ................................................................................................................ 319
38.2.1 General Anti-Virus Commands ........................................................................................ 319
38.2.2 Anti-Virus Profile ................................................................................................................. 321
38.2.3 White and Black Lists ......................................................................................................... 322
38.2.4 Signature Search Anti-Virus Command ......................................................................... 324
38.3 Update Anti-Virus Signatures ..................................................................................................... 325
38.3.1 Update Signature Examples ............................................................................................ 325
38.4 Anti-Virus Statistics ....................................................................................................................... 326
38.4.1 Anti-Virus Statistics Example ............................................................................................. 326
Chapter 39
RTLS....................................................................................................................................................327
39.1 RTLS Overview ............................................................................................................................. 327
39.1.1 RTLS Configuration Commands ....................................................................................... 328
39.1.2 RTLS Configuration Examples ........................................................................................... 328
Chapter 40
Reputation Filter ...............................................................................................................................329
40.1 Overview ..................................................................................................................................... 329
40.1.1 Signature Database Priority ............................................................................................. 329
40.2 IP Reputation Commands ......................................................................................................... 330
40.2.1 Update IP Reputation Signatures .................................................................................... 332
40.2.2 IP Reputation Statistics ...................................................................................................... 332
40.2.3 IP Reputation External Black List ...................................................................................... 332
40.3 URL Threat Filter Commands ..................................................................................................... 334
40.3.1 URL Threat Filter Command Examples ............................................................................ 336
40.3.2 URL Threat Filter Profile Commands ............................................................................... 337
40.3.3 URL Threat Filter External Black List .................................................................................. 338
40.3.4 Update URL Threat Filter Signatures ................................................................................ 340
40.3.5 Update Signature Examples ............................................................................................ 341
40.3.6 URL Threat Filter Statistics .................................................................................................. 341
40.3.7 URL Threat Filter Statistics Example .................................................................................. 342
40.4 DNS Threat Filter Commands ..................................................................................................... 344
40.5 Blocking Secure DNS Query Packets Command Examples .................................................. 347
Chapter 41
Sandboxing ......................................................................................................................................348
41.1 Sandboxing Overview ................................................................................................................ 348
41.2 Sandbox Commands ................................................................................................................. 348
41.2.1 Sandbox Command Examples ....................................................................................... 350
Chapter 42
IDP Commands ................................................................................................................................351
42.1 Overview ..................................................................................................................................... 351
42.2 General IDP Commands ........................................................................................................... 352
42.2.1 IDP Activation .................................................................................................................... 352
42.3 IDP Profile Commands ............................................................................................................... 354
42.3.1 Global Profile Commands ............................................................................................... 354
42.3.2 Editing/Creating IDP Signature Profiles ........................................................................... 355
42.3.3 Editing Rate Based Signatures Profiles ............................................................................ 355
42.3.4 Signature Search ............................................................................................................... 357
42.4 IDP Custom Signatures ............................................................................................................... 358
42.4.1 Custom Signature Examples ............................................................................................ 359
42.5 Update IDP Signatures ............................................................................................................... 362
42.5.1 Update Signature Examples ............................................................................................ 363
42.6 IDP Statistics ................................................................................................................................. 363
42.6.1 IDP Statistics Example ....................................................................................................... 365
42.7 IDP White List ............................................................................................................................... 365
42.8 IDP Packet Capture ................................................................................................................... 366
42.8.1 IDP Packet Capture Example .......................................................................................... 367
Chapter 43
Content Filtering...............................................................................................................................368
43.1 Content Filtering Overview ........................................................................................................ 368
43.1.1 Web Content Filter ............................................................................................................ 368
43.1.2 DNS Content Filter ............................................................................................................. 368
43.2 External Web Filtering Service ................................................................................................... 369
43.3 Content Filter Command Input Values .................................................................................... 370
43.4 Web Content Filter ..................................................................................................................... 372
43.4.1 General Web Content Filter Commands ....................................................................... 372
43.4.2 Web Content Filter Profile Commands ........................................................................... 374
43.4.3 Web Content Filtering Statistics ....................................................................................... 379
43.4.4 Web Content Filtering Statistics Example ....................................................................... 379
43.5 DNS Content Filter ...................................................................................................................... 379
43.5.1 DNS Content Filter Commands ....................................................................................... 379
43.5.2 DNS Content Filter Profile Commands ............................................................................ 381
43.5.3 DNS Content Filtering Statistics ........................................................................................ 382
43.6 Web Content Filtering Example ................................................................................................ 382
43.7 Content Filter Category Definitions .......................................................................................... 384
43.8 Web Content Filter Example ..................................................................................................... 397
43.9 DNS Content Filter Example ...................................................................................................... 398
Chapter 44
Anti-Spam.........................................................................................................................................402
44.1 Anti-Spam Overview .................................................................................................................. 402
44.2 Anti-Spam Commands .............................................................................................................. 402
44.2.1 Anti-Spam Profile Rules ..................................................................................................... 402
44.2.2 White and Black Lists ......................................................................................................... 407
44.2.3 DNSBL Anti-Spam Commands ......................................................................................... 409
44.3 Anti-Spam Statistics .................................................................................................................... 412
44.3.1 Anti-Spam Statistics Example ........................................................................................... 413
Chapter 45
Collaborative Detection & Response.............................................................................................414
45.1 Overview ..................................................................................................................................... 414
45.1.1 CDR Example Scenario .................................................................................................... 414
45.2 Before You Begin ........................................................................................................................ 415
45.3 CDR Commands ........................................................................................................................ 417
45.3.1 CDR General Commands ................................................................................................ 417
45.3.2 CDR Show Commands ..................................................................................................... 419
45.3.3 Update CDR Signatures ................................................................................................... 419
Chapter 46
SSL Inspection...................................................................................................................................422
46.1 SSL Inspection Overview ............................................................................................................ 422
46.2 SSL Inspection Commands Summary ....................................................................................... 422
46.2.1 SSL Inspection General Settings ...................................................................................... 423
46.2.2 SSL Inspection Exclusion Command Input Values ......................................................... 424
46.2.3 SSL Inspection Exclusion Commands .............................................................................. 424
46.2.4 SSL Inspection Profile Settings .......................................................................................... 426
46.2.5 SSL Inspection Certificate Cache ................................................................................... 427
46.2.6 SSL Inspection Certificate Update .................................................................................. 427
46.2.7 SSL Inspection Statistics ..................................................................................................... 428
46.2.8 SSL Inspection Command Examples .............................................................................. 428
Chapter 47
IP Exception......................................................................................................................................430
47.1 IP Exception Overview ............................................................................................................... 430
47.2 IP Exception Commands ........................................................................................................... 430
Chapter 48
Device HA.........................................................................................................................................432
48.1 Device HA Overview .................................................................................................................. 432
48.1.1 Before You Begin ............................................................................................................... 432
48.1.2 Device HA and Device HA Pro ........................................................................................ 433
48.2 General Device HA Commands .............................................................................................. 434
48.3 Active-Passive Mode Device HA .............................................................................................. 434
48.4 Active-Passive Mode Device HA Commands ........................................................................ 435
48.4.1 Active-Passive Mode Device HA Commands ............................................................... 435
48.4.2 Active-Passive Mode Device HA Command Example ................................................ 437
48.5 Device HA Pro ............................................................................................................................. 437
48.5.1 Deploying Device HA Pro ................................................................................................ 437
48.5.2 Device HA Pro Commands .............................................................................................. 438
48.5.3 Device HA2 Command Example .................................................................................... 440
Chapter 49
Device Insight...................................................................................................................................442
49.1 Device Insight Overview ............................................................................................................ 442
49.1.1 Device Insight Commands .............................................................................................. 443
49.1.2 Device Insight Command Examples .............................................................................. 444
Chapter 50
User/Group.......................................................................................................................................447
50.1 User Account Overview ............................................................................................................. 447
50.1.1 User Types ........................................................................................................................... 447
50.2 User/Group Commands Summary ........................................................................................... 448
50.2.1 User Commands ................................................................................................................ 448
50.2.2 User Group Commands ................................................................................................... 450
50.2.3 User Setting Commands ................................................................................................... 450
50.2.4 MAC Auth Commands ..................................................................................................... 453
50.2.5 Additional User Commands ............................................................................................. 455
Chapter 51
Application Object..........................................................................................................................459
51.1 Application Object Commands Summary .............................................................................. 459
51.1.1 Application Object Commands ..................................................................................... 459
51.1.2 Application Object Group Commands ......................................................................... 460
Chapter 52
Addresses.........................................................................................................................................462
52.1 Address Overview ....................................................................................................................... 462
52.2 Address Commands Summary ................................................................................................. 462
52.2.1 Address Object Commands ............................................................................................ 463
52.2.2 Address Group Commands ............................................................................................. 466
52.2.3 FQDN Object ..................................................................................................................... 467
52.2.4 Geo IP ................................................................................................................................. 468
52.2.5 FQDN / Geo IP Commands ............................................................................................. 468
52.2.6 Geo IP Command Examples ........................................................................................... 469
Chapter 53
Services.............................................................................................................................................470
53.1 Services Overview ...................................................................................................................... 470
53.2 Services Commands Summary ................................................................................................. 470
53.2.1 Service Object Commands ............................................................................................. 470
53.2.2 Service Group Commands .............................................................................................. 472
Chapter 54
Schedules.........................................................................................................................................473
54.1 Schedule Overview .................................................................................................................... 473
54.2 Schedule Commands Summary ............................................................................................... 473
54.2.1 Schedule Command Examples ...................................................................................... 474
Chapter 55
AAA Server .......................................................................................................................................475
55.1 AAA Server Overview ................................................................................................................. 475
55.2 Authentication Server Command Summary ........................................................................... 475
55.2.1 ad-server Commands ...................................................................................................... 476
55.2.2 ldap-server Commands ................................................................................................... 476
55.2.3 radius-server Commands ................................................................................................. 477
55.2.4 radius-server Command Example .................................................................................. 477
55.2.5 aaa group server ad Commands ................................................................................... 478
55.2.6 aaa group server ldap Commands ................................................................................ 479
55.2.7 aaa group server radius Commands ............................................................................. 480
55.2.8 aaa group server Command Example .......................................................................... 481
Chapter 56
Authentication Objects...................................................................................................................482
56.1 Authentication Objects Overview ............................................................................................ 482
56.2 aaa authentication Commands .............................................................................................. 482
56.2.1 aaa authentication Command Example ...................................................................... 483
56.3 test aaa Command ................................................................................................................... 483
56.3.1 Test a User Account Command Example ...................................................................... 484
56.4 VPN/Admin Two-Factor Authentication .................................................................................. 484
56.4.1 Two-Factor Authentication Methods .............................................................................. 485
56.4.2 Two-Factor Authentication with SMS/Email ................................................................... 485
56.4.3 SMS/Email Configuration .................................................................................................. 486
56.4.4 Two-Factor Authentication with Google Authenticator .............................................. 487
56.5 Two-Factor Authentication Commands .................................................................................. 488
56.5.1 Two-Factor Authentication VPN Access ........................................................................ 488
56.5.2 VPN Access Two-Factor Command Example ............................................................... 490
56.5.3 Admin Access .................................................................................................................... 490
56.5.4 Admin Access Two-Factor Command Examples .......................................................... 491
Chapter 57
Authentication Server......................................................................................................................494
57.1 Authentication Server Overview ............................................................................................... 494
57.2 Authentication Server Commands ........................................................................................... 494
57.2.1 Authentication Server Command Examples ................................................................. 495
Chapter 58
Certificates .......................................................................................................................................496
58.1 Certificates Overview ................................................................................................................ 496
58.2 Certificate Commands .............................................................................................................. 496
58.3 Certificates Commands Input Values ...................................................................................... 496
58.4 Certificates Commands Summary ........................................................................................... 498
58.5 Certificates Commands Examples ........................................................................................... 501
Chapter 59
ISP Accounts.....................................................................................................................................502
59.1 ISP Accounts Overview .............................................................................................................. 502
59.1.1 PPPoE and PPTP Account Commands ........................................................................... 502
59.1.2 Cellular Account Commands ......................................................................................... 503
Chapter 60
SSL Application.................................................................................................................................505
60.1 SSL Application Overview .......................................................................................................... 505
60.1.1 SSL Application Object Commands ............................................................................... 505
60.1.2 SSL Application Command Examples ............................................................................ 507
Chapter 61
DHCPv6 Objects...............................................................................................................................508
61.1 DHCPv6 Object Commands Summary .................................................................................... 508
61.1.1 DHCPv6 Object Commands ........................................................................................... 508
61.1.2 DHCPv6 Object Command Examples ........................................................................... 509
Chapter 62
Dynamic Guest Accounts...............................................................................................................511
62.1 Dynamic Guest Accounts Overview ........................................................................................ 511
62.2 Dynamic-guest Commands ...................................................................................................... 511
62.2.1 dynamic-guest Sub-commands ...................................................................................... 512
62.2.2 Dynamic-guest Command Example .............................................................................. 514
Chapter 63
System...............................................................................................................................................515
63.1 System Overview ........................................................................................................................ 515
63.2 Customizing the WWW Login Page .......................................................................................... 515
63.3 Host Name Commands ............................................................................................................. 517
63.4 Time and Date ........................................................................................................................... 517
63.4.1 Date/Time Commands ..................................................................................................... 518
63.5 Console Port Speed .................................................................................................................. 519
63.6 DNS Overview ............................................................................................................................ 519
63.6.1 Domain Zone Forwarder ................................................................................................. 519
63.6.2 DNS Commands ................................................................................................................ 520
63.6.3 DNS Command Examples ................................................................................................ 522
63.7 Authentication Server Overview ............................................................................................... 522
63.7.1 Authentication Server Commands ................................................................................. 523
63.7.2 Authentication Server Command Examples ................................................................. 524
63.8 Notification .................................................................................................................................. 524
63.8.1 Mail Server Commands .................................................................................................... 524
63.8.2 SMS Service Commands .................................................................................................. 525
63.8.3 Response Message Commands ..................................................................................... 527
63.9 Language Commands .............................................................................................................. 528
63.10 IPv6 Commands ....................................................................................................................... 528
63.11 ZON Overview ........................................................................................................................... 528
63.11.1 LLDP .................................................................................................................................. 529
63.11.2 ZON Commands ............................................................................................................. 529
63.11.3 ZON Examples ................................................................................................................. 529
63.12 Fast Forwarding ......................................................................................................................... 530
63.12.1 Fast Forwarding Technical Overview ............................................................................ 530
63.12.2 Fast Forwarding Commands ......................................................................................... 530
Chapter 64
System Remote Management........................................................................................................531
64.1 Remote Management Overview ............................................................................................. 531
64.1.1 Remote Management Limitations .................................................................................. 531
64.1.2 System Timeout .................................................................................................................. 531
64.2 Common System Command Input Values ............................................................................. 532
64.3 HTTP/HTTPS Commands .............................................................................................................. 532
64.3.1 HTTP/HTTPS Command Examples .................................................................................... 534
64.4 SSH ................................................................................................................................................ 535
64.4.1 SSH Implementation on the Zyxel Device ...................................................................... 535
64.4.2 Requirements for Using SSH .............................................................................................. 535
64.4.3 SSH Commands ................................................................................................................. 535
64.4.4 SSH Command Examples ................................................................................................. 536
64.5 Telnet ........................................................................................................................................... 536
64.6 Telnet Commands ...................................................................................................................... 536
64.6.1 Telnet Commands Examples ........................................................................................... 537
64.7 Configuring FTP .......................................................................................................................... 537
64.7.1 FTP Commands ................................................................................................................. 538
64.7.2 FTP Commands Examples ................................................................................................ 538
64.8 SNMP ........................................................................................................................................... 539
64.8.1 Supported MIBs ................................................................................................................. 539
64.8.2 SNMP Traps ......................................................................................................................... 539
64.8.3 SNMP Commands ............................................................................................................. 540
64.8.4 SNMP Commands Examples ............................................................................................ 541
64.9 ICMP Filter ................................................................................................................................... 542
Chapter 65
File Manager ....................................................................................................................................543
65.1 File Directories ............................................................................................................................. 543
65.2 Configuration Files and Shell Scripts Overview ...................................................................... 543
65.2.1 Comments in Configuration Files or Shell Scripts ........................................................... 544
65.2.2 Errors in Configuration Files or Shell Scripts ..................................................................... 545
65.2.3 Zyxel Device Configuration File Details .......................................................................... 546
65.2.4 Configuration File Flow at Restart ................................................................................... 546
65.2.5 Sensitive Data Protection ................................................................................................. 547
65.3 File Manager Commands Input Values ................................................................................... 548
65.4 File Manager Commands Summary ........................................................................................ 549
65.5 File Manager Dual Firmware Commands ................................................................................ 550
65.6 File Manager Command Examples ......................................................................................... 551
65.7 FTP File Transfer ............................................................................................................................ 552
65.7.1 Command Line FTP File Upload ....................................................................................... 552
65.7.2 Command Line FTP Configuration File Upload Example ............................................. 552
65.7.3 Command Line FTP File Download ................................................................................. 553
65.7.4 Command Line FTP Configuration File Download Example ........................................ 553
65.8 Cloud Helper Commands ......................................................................................................... 554
65.8.1 Cloud Helper Command Examples ................................................................................ 557
65.9 Zyxel Device File Usage at Startup ........................................................................................... 558
65.10 Notification of a Damaged Recovery Image or Firmware ................................................. 559
65.11 Restoring the Recovery Image ............................................................................................... 560
65.12 Restoring the Firmware ............................................................................................................ 562
65.13 Restoring the Default System Database ................................................................................ 564
65.13.1 Using the atkz -u Debug Command ............................................................................. 566
Chapter 66
Logs...................................................................................................................................................569
66.1 Log Commands Summary ......................................................................................................... 569
66.1.1 Log Entries Commands ....................................................................................................570
66.1.2 System Log Commands ................................................................................................... 570
66.1.3 Debug Log Commands ................................................................................................... 571
66.1.4 E-mail Profile Commands .................................................................................................573
66.1.5 Console Port Logging Commands ................................................................................. 574
Chapter 67
Reports and Reboot ..........................................................................................................576
67.1 Report Commands Summary ...................................................................................................576
67.1.1 Report Commands ........................................................................................................... 576
67.1.2 Report Command Examples ........................................................................................... 577
67.1.3 Session Commands ........................................................................................................... 577
67.1.4 Packet Size Statistics Commands ........................................................................ 578
67.2 Email Daily Report Commands ................................................................................................. 578
67.2.1 Email Daily Report Example ............................................................................................. 579
67.3 Reboot ......................................................................................................................................... 581
Chapter 68
Diagnostics and Remote Assistance.............................................................................................582
68.1 Diagnostics .................................................................................................................................. 582
68.2 Diagnosis Commands ................................................................................................................ 582
68.3 Diagnosis Commands Example ................................................................................................583
68.4 Remote Assistance ..................................................................................................................... 583
68.5 Remote Assistance Commands ............................................................................................... 584
Chapter 69
Session Timeout ...............................................................................................................585
Chapter 70
Packet Flow Explore ........................................................................................................................586
70.1 Packet Flow Explore ................................................................................................................... 586
70.2 Packet Flow Explore Commands ..............................................................................................586
70.3 Packet Flow Explore Commands Example ............................................................................ 587
Chapter 71
Maintenance Tools ...........................................................................................................590
71.1 Maintenance Command Examples ........................................................................................ 593
71.1.1 Packet Capture Command Example ............................................................................ 595
71.2 Scheduled Reboot .....................................................................................................................597
71.2.1 High Availability Reboot Process ..................................................................................... 598
71.3 Configuration File Backup ......................................................................................................... 599
Chapter 72
Miscellaneous ..................................................................................................................................601
72.1 SDWan OnCloud ........................................................................................................... 601
72.2 Watchdog Timer ......................................................................................................................... 601
72.2.1 Hardware Watchdog Timer ............................................................................................. 601
72.2.2 Software Watchdog Timer ............................................................................................... 601
72.2.3 Application Watchdog ....................................................................................................602
72.3 Conserve Memory ...................................................................................................................... 605
72.3.1 Conserve Memory Settings .............................................................................................. 605
72.3.2 Conserve Memory Commands ....................................................................................... 605
72.3.3 Conserve Memory Example ............................................................................................ 606
72.4 GUI Visibility ................................................................................................................................. 607
Chapter 73
Managed AP Commands...............................................................................................................608
73.1 Managed Series AP Commands Overview ............................................................................. 608
73.2 Accessing the AP CLI ................................................................................................................. 608
73.3 CAPWAP Client Commands ..................................................................................................... 608
73.3.1 CAPWAP Client Commands Example ............................................................................ 609
73.4 DNS Server Commands .............................................................................................................. 610
73.4.1 DNS Server Commands Example .................................................................................... 611
73.4.2 DNS Server Commands and DHCP ................................................................................. 611
List of Commands (Alphabetical) ..................................................................................................612
PART I

Introduction


CHAPTER 1
Command Line Interface

1.1 Overview

Zyxel Device refers to these models as outlined below:
Devices on firmware 4.1–4.6
• ZyWALL
  • ZyWALL 110
  • ZyWALL 310
  • ZyWALL 1100
• ZyWALL USG (Unified Security Gateway)
  • USG40
  • USG40W
  • USG60
  • USG60W
  • USG110
  • USG210
  • USG310
  • USG1100
  • USG1900
  • USG2200
  • USG2200-VPN
Devices on firmware 5.02-5.31
• ZyWALL NS (National Security)
  • NS5000
  • NS7000
Devices on firmware 4.1–5.36
• ZyWALL USG (Unified Security Gateway)
  • USG FLEX 50 (USG20-VPN)
  • USG FLEX 50AX
  • USG20W-VPN
• ZyWALL USG FLEX
  • USG FLEX 100
  • USG FLEX 100AX
  • USG FLEX 100W
  • USG FLEX 200
  • USG FLEX 500
  • USG FLEX 700
• ZyWALL ATP (Advanced Threat Protection)
  • ATP100
  • ATP100W
  • ATP200
  • ATP500
  • ATP700
  • ATP800
• ZyWALL VPN
  • VPN50
  • VPN100
  • VPN300
  • VPN1000
If you have problems with your Zyxel Device, customer support may request that you issue some of these commands to assist them in troubleshooting.
Use of undocumented commands or misconfiguration can damage the Zyxel Device and possibly render it unusable.
1.1.1 The Configuration File
When you configure the Zyxel Device using either the CLI (Command Line Interface) or the web configurator, the settings are saved as a series of commands in a configuration file on the Zyxel Device. You can store more than one configuration file on the Zyxel Device. However, only one configuration file is used at a time.
You can perform the following with a configuration file:
• Back up Zyxel Device configuration once the Zyxel Device is set up to work in your network.
• Restore Zyxel Device configuration.
• Save and edit a configuration file and upload it to multiple Zyxel Devices (of the same model) in your network to have the same settings.
Note: You may also edit a configuration file using a text editor.

1.2 Accessing the CLI

You can access the CLI using a terminal emulation program on a computer connected to the console port, from the web configurator, or by using Telnet or SSH (Secure SHell).
Note: The Zyxel Device might force you to log out of your session if re-authentication time, lease time, or idle timeout is reached. See Chapter 49 on page 442 for more information about these settings.
1.2.1 Console Port
The default settings for the console port are as follows.
Table 1 Managing the Zyxel Device: Console Port
SETTING         VALUE
Speed           115200 bps
Data Bits       8
Parity          None
Stop Bit        1
Flow Control    Off
When you turn on your Zyxel Device, it performs several internal tests as well as line initialization. You can view the initialization information using the console port.
• Garbled text displays if your terminal emulation program’s speed is set lower than the Zyxel Device’s.
• No text displays if the speed is set higher than the Zyxel Device’s.
• If changing your terminal emulation program’s speed does not get anything to display, restart the Zyxel Device.
• If restarting the Zyxel Device does not get anything to display, contact your local customer support.
Figure 1 Console Port Power-on Display
U-Boot 2011.03 (Development build, svnversion: u-boot:424M, exec:exported) (Build time: Aug 28 2013 - 14:19:07)
BootModule Version: V1.01 | Aug 28 2013 14:19:07
DRAM: Size = 1024 Mbytes
Press any key to enter debug mode within 3 seconds.
After the initialization, the login screen displays.
Figure 2 Login Screen
Welcome to USG60W
Username:
Enter the user name and password at the prompts.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
1.2.2 Web Configurator Console
Note: Before you can access the CLI through the web configurator, make sure your computer supports the Java Runtime Environment. You will be prompted to download and install the Java plug-in if it is not already installed.
When you access the CLI using the web console, your computer establishes an SSH (Secure SHell) connection to the Zyxel Device. Follow the steps below to access the web console.
1 Log into the web configurator.
2 Click the Console icon in the top-right corner of the web configurator screen.
3 If the Java plug-in is already installed, skip to step 4. Otherwise, you will be prompted to install the Java plug-in. If the prompt does not display and the screen remains gray, you have to download the setup program.
4 The web console starts. This might take a few seconds. One or more security screens may display. Click Yes or Always.
Figure 3 Web Console: Security Warnings
Finally, the User Name screen appears.
Figure 4 Web Console: User Name
5 Enter the user name you want to use to log in to the console. The console begins to connect to the Zyxel Device.
Note: The default login username is admin. It is case-sensitive.
Figure 5 Web Console: Connecting
Then, the Password screen appears.
Figure 6 Web Console: Password
6 Enter the password for the user name you specified earlier, and click OK. If you enter the password incorrectly, you get an error message, and you may have to close the console window and open it again. If you enter the password correctly, the console screen appears.
Figure 7 Web Console
7 To use most commands in this User’s Guide, enter configure terminal. The prompt should change to Router(config)#.
1.2.3 Telnet
Use the following steps to Telnet into your Zyxel Device.
1 Using the Web Configurator, enable and configure Telnet at System > TELNET.
2 Ensure that the Telnet protocol is allowed from your computer’s zone to the Zyxel Device.
By default, add TELNET to the default service group at Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL.
3 In Windows, click Start (usually in the bottom left corner) and Run. Then type telnet and the Zyxel Device’s IP address. For example, enter telnet 192.168.1.1 (the default management IP address).
4 Click OK. A login screen displays. Enter the user name and password at the prompts.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
1.2.4 SSH (Secure SHell)
You can use an SSH client program to access the CLI. The following figure shows an example using a text-based SSH client program. Refer to the documentation that comes with your SSH program for information on using it.
Before connecting, do the following:
• Using the Web Configurator, enable SSH at System > SSH.
• Ensure that the SSH protocol is allowed from your computer’s zone to the Zyxel Device. By default, add SSH to the service group Default_Allow_WAN_To_ZyWALL at Object > Service > Service Group. This group defines which services are allowed in the default WAN_to_Device security policy.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
Figure 8 SSH Login Example
C:\>ssh2 admin@192.168.1.1
Host key not found from database.
Key fingerprint:
xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to C:/Documents and Settings/user/Application Data/SSH/ hostkeys/ ey_22_192.168.1.1.pub
host key for 192.168.1.1, accepted by user Tue Aug 09 2005 07:38:28
admin's password:
Authentication successful.

1.3 How to Find Commands in this Guide

You can simply look for the feature chapter to find commands. In addition, you can use the List of Commands (Alphabetical) at the end of the guide. This section lists, in alphabetical order, the commands that appear in this guide.
If you are looking at the CLI Reference Guide electronically, you might have additional options (for example, bookmarks or Find...) as well.

1.4 How Commands Are Explained

Each chapter explains the commands for one keyword. The chapters are divided into the following sections.
1.4.1 Background Information (Optional)
Note: See the User’s Guide for background information about most features.
This section provides background information about features that you cannot configure in the web configurator. In addition, this section identifies related commands in other chapters.
1.4.2 Command Input Values (Optional)
This section lists common input values for the commands for the feature in one or more tables.
1.4.3 Command Summary
This section lists the commands for the feature in one or more tables.
1.4.4 Command Examples (Optional)
This section contains any examples for the commands in this feature.
1.4.5 Command Syntax
The following conventions are used in this User’s Guide.
• A command or keyword in courier new must be entered literally as shown. Do not abbreviate.
• Values that you need to provide are in italics.
• Required fields that have multiple choices are enclosed in curly brackets {}.
• A range of numbers is enclosed in angle brackets <>.
• Optional fields are enclosed in square brackets [].
• The | symbol means OR.
For example, look at the following command to create a TCP/UDP service object.
service-object object-name {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>}
1 Enter service-object exactly as it appears.
2 Enter the name of the object where you see object-name.
3 Enter tcp or udp, depending on the service object you want to create.
4 Finally, do one of the following.
• Enter eq exactly as it appears, followed by a number between 1 and 65535.
• Enter range exactly as it appears, followed by two numbers between 1 and 65535.
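The Python sketch below is an added illustration, not code from the Zyxel guide or firmware: it parses the syntax notation described above ({} choices, | for OR, [] optional fields, <lo..hi> ranges) and checks whether a typed command line conforms, which helps when pre-checking commands in a configuration file or shell script before uploading it. The function names and sample object names are assumptions; italic placeholders such as object-name must be passed in explicitly because italics do not survive in plain text, and quoted strings containing spaces are not handled.

```python
import re

# Tokens of the guide's notation: <...> fields, the bracket/OR symbols, plain words.
_TOKEN = re.compile(r"<[^<>\s]+>|[{}\[\]|]|[^\s{}\[\]|<>]+")
_RANGE = re.compile(r"<(\d+)\.\.(\d+)>")

# Syntax line quoted from section 1.4.5 of the guide.
SERVICE_OBJECT_SYNTAX = ("service-object object-name {tcp | udp} "
                         "{eq <1..65535> | range <1..65535> <1..65535>}")


def parse_syntax(template, placeholders=()):
    """Parse a syntax line into a list of alternatives, each a list of nodes."""
    tokens = _TOKEN.findall(template)
    pos = 0

    def alternatives(closer):
        nonlocal pos
        alts, seq = [], []
        while pos < len(tokens) and tokens[pos] != closer:
            tok = tokens[pos]
            pos += 1
            if tok == "|":                      # OR: start the next alternative
                alts.append(seq)
                seq = []
            elif tok == "{":                    # required choice
                seq.append(("choice", alternatives("}")))
            elif tok == "[":                    # optional: choice with an empty branch
                seq.append(("choice", alternatives("]") + [[]]))
            elif tok in ("}", "]"):
                raise ValueError(f"unexpected {tok!r} in syntax line")
            elif tok.startswith("<"):           # <lo..hi> range or <tag> value
                m = _RANGE.fullmatch(tok)
                seq.append(("range", int(m[1]), int(m[2])) if m else ("value", tok))
            elif tok in placeholders:           # italic placeholder, e.g. object-name
                seq.append(("value", tok))
            else:                               # keyword: must be typed literally
                seq.append(("keyword", tok))
        if closer is not None:
            if pos >= len(tokens):
                raise ValueError(f"missing {closer!r} in syntax line")
            pos += 1                            # consume the closing bracket
        alts.append(seq)
        return alts

    return alternatives(None)


def _word_ok(node, word):
    if node[0] == "keyword":                    # no abbreviations accepted
        return word == node[1]
    if node[0] == "range":
        return word.isascii() and word.isdigit() and node[1] <= int(word) <= node[2]
    return True                                 # "value": any single word


def _ends(alts, words, start):
    """Return every index at which a match starting at `start` can end."""
    ends = set()
    for seq in alts:
        positions = {start}
        for node in seq:
            nxt = set()
            for p in positions:
                if node[0] == "choice":
                    nxt |= _ends(node[1], words, p)
                elif p < len(words) and _word_ok(node, words[p]):
                    nxt.add(p + 1)
            positions = nxt
        ends |= positions
    return ends


def matches(template, line, placeholders=()):
    """True if the whole command line conforms to the syntax template."""
    words = line.split()
    return len(words) in _ends(parse_syntax(template, placeholders), words, 0)


if __name__ == "__main__":
    # Constructed sample commands; the object names are made up.
    for cmd in ("service-object web-alt tcp eq 8080",
                "service-object rtp udp range 16384 32767",
                "service-object web-alt tcp eq 70000",
                "service-obj web-alt tcp eq 80"):
        ok = matches(SERVICE_OBJECT_SYNTAX, cmd, {"object-name"})
        print(("OK      " if ok else "REJECT  ") + cmd)
```

The matcher follows the notation strictly, so the shortened no form described in section 1.6.8 (no mss without a value) is rejected unless you add a separate template for it.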
1.4.6 Naming Conventions
The ATP and USG devices may have different names for the same service, but the commands for both devices are the same. The command names will be used to refer to these services throughout this reference guide. A list of naming differences is in the next table.
Table 2 Naming differences between USG and ATP devices
COMMAND NAME      USG SERIES NAME   USG FLEX SERIES NAME   ATP SERIES NAME
anti-virus        Anti-Virus        Anti-Malware           Anti-Malware
anti-spam         Anti-Spam         Email Security         Email Security
threat-website    N/A               URL Threat Filter      URL Threat Filter
1.4.7 Changing the Password
It is highly recommended that you change the password for accessing the Zyxel Device. See Section 50.2 on page 448 for the appropriate commands.
1.4.8 Idle Timeout
See Section 50.2.1 on page 448 for commands on changing the default logout time when no activity is recorded.

1.5 CLI Modes

You run CLI commands in one of several modes.
After you log into the Zyxel Device, you will see this prompt Router> in User mode.
Type enable and you will see this prompt Router# in Privilege mode.
Type configure terminal and you will see this prompt Router(config)# in Configuration mode.
This is a summary of the modes.
Table 3 CLI Modes
What Guest users can do
  USER: Unable to access
  PRIVILEGE: Unable to access
  CONFIGURATION: Unable to access
  SUB-COMMAND: Unable to access
What User users can do
  USER:
    • Look at (but not run) available commands
  PRIVILEGE: Unable to access
  CONFIGURATION: Unable to access
  SUB-COMMAND: Unable to access
What Limited-Admin users can do
  USER:
    • Look at system information (like Status screen)
    • Run basic diagnostics
  PRIVILEGE:
    • Look at system information (like Status screen)
    • Run basic diagnostics
  CONFIGURATION: Unable to access
  SUB-COMMAND: Unable to access
What Admin users can do
  USER:
    • Look at system information (like Status screen)
    • Run basic diagnostics
  PRIVILEGE:
    • Look at system information (like Status screen)
    • Run basic diagnostics
  CONFIGURATION:
    • Configure simple features (such as an address object)
    • Create or remove complex parts (such as an interface)
  SUB-COMMAND:
    • Configure complex parts (such as an interface) in the Zyxel Device
How you enter it
  USER: Log in to the Zyxel Device
  PRIVILEGE: Type enable in User mode
  CONFIGURATION: Type configure terminal in User or Privilege mode
  SUB-COMMAND: Type the command used to create the specific part in Configuration mode
What the prompt looks like
  USER: Router>
  PRIVILEGE: Router#
  CONFIGURATION: Router(config)#
  SUB-COMMAND: (varies by part) Router(zone)# Router(config-if-ge)# ...
How you exit it
  USER: Type exit
  PRIVILEGE: Type disable
  CONFIGURATION: Type exit
  SUB-COMMAND: Type exit
See Chapter 49 on page 442 for more information about the user types. User users can only log in, look at (but not run) the available commands in User mode, and log out. Limited-Admin users can look at the configuration in the web configurator and CLI, and they can run basic diagnostics in the CLI. Admin users can configure the Zyxel Device in the web configurator or CLI.
At the time of writing, there is not much difference between User and Privilege mode for admin users. This is reserved for future use.

1.6 Shortcuts and Help

1.6.1 List of Available Commands
A list of valid commands can be found by typing ? or [TAB] at the command prompt. To view a list of available commands within a command group, enter <command> ? or <command> [TAB].
Figure 9 Help: Available Commands Example 1
Router> ?
<cr>
apply
atse
clear
configure
------------------[Snip]--------------------
shutdown
telnet
test
traceroute
write
Router>
Figure 10 Help: Available Command Example 2
Router> show ?
<wlan ap interface>
aaa
access-page
account
ad-server
address-object
------------------[Snip]--------------------
wlan
workspace
zone
Router> show
1.6.2 List of Sub-commands or Required User Input
To view detailed help information for a command, enter <command> <sub command> ?.
Figure 11 Help: Sub-command Information Example
Router(config)# ip telnet server ?
;
<cr>
port
rule
|
Router(config)# ip telnet server
Figure 12 Help: Required User Input Example
Router(config)# ip telnet server port ?
<1..65535>
Router(config)# ip telnet server port
1.6.3 Entering Partial Commands
The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the Zyxel Device automatically display the full command.
For example, if you enter config and press [TAB], the full command of configure automatically displays.
If you enter a partial command that is not unique and press [TAB], the Zyxel Device displays a list of commands that start with the partial command.
Figure 13 Non-Unique Partial Command Example
Router# c [TAB]
clear configure copy
Router# co [TAB]
configure copy
1.6.4 Entering a ? in a Command
Typing a ? (question mark) usually displays help information. However, some commands allow you to input a ?, for example as part of a string. Press [CTRL+V] on your keyboard to enter a ? without the Zyxel Device treating it as a help query.
1.6.5 Command History
The Zyxel Device keeps a list of commands you have entered for the current CLI session. You can use any commands in the history again by pressing the up or down arrow key to scroll through the previously used commands and then pressing [ENTER].
1.6.6 Navigation
Press [CTRL]+A to move the cursor to the beginning of the line. Press [CTRL]+E to move the cursor to the end of the line.
1.6.7 Erase Current Command
Press [CTRL]+U to erase whatever you have currently typed at the prompt (before pressing [ENTER]).
1.6.8 The no Commands
When entering the no commands described in this document, you may not need to type the whole command. For example, with the “[no] mss <536..1452>” command, you use “mss 536” to specify the MSS value. But to disable the MSS setting, you only need to type “no mss” instead of “no mss 536”.

1.7 Input Values

You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen. For example, in the following example, the next input value is a string called <description>.
Router# configure terminal
Router(config)# interface ge1
Router(config-if-ge)# description <description>
When you use the example above, note that Zyxel Device USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
The following table provides more information about input values like <description>.
Table 4 Input-Value Formats for Strings in CLI Commands
TAG                           # VALUES        LEGAL VALUES
*                             1               *
all                           --              ALL
authentication key
  Used in IPSec SA
                              32-40           “0x” or “0X” + 32-40 hexadecimal values
                              16-20           alphanumeric or ;|`~!@#$%^&*()_+\\{}':,./<>=-
  Used in MD5 authentication keys for RIP/OSPF and text authentication key for RIP
                              0-16            alphanumeric or _-
  Used in text authentication keys for OSPF
                              0-8             alphanumeric or _-
certificate name              1-31            alphanumeric or ;`~!@#$%^&()_+[\]{}',.=-
community string              0-63            alphanumeric or .-
                                              first character: alphanumeric or -
connection_id                 1+              alphanumeric or -_:
contact                       1-61            alphanumeric, spaces, or '()+,/:=?;!*#@$_%-.
country code                  0 or 2          alphanumeric
custom signature file name    0-30            alphanumeric or _-.
                                              first character: letter
description
  Used in keyword criteria for log entries
                              1-64            alphanumeric, spaces, or '()+,/:=?;!*#@$_%-.
  Used in other commands
                              1-61            alphanumeric, spaces, or '()+,/:=?;!*#@$_%-
distinguished name            1-511           alphanumeric, spaces, or .@=,_-
domain name
  Used in content filtering
                              0+              lower-case letters, numbers, or .-
  Used in ip dns server
                              0-247           alphanumeric or .-
                                              first character: alphanumeric or -
  Used in domainname, ip dhcp, and ip domain
                              0-254           alphanumeric or ._-
                                              first character: alphanumeric or -
email                         1-63            alphanumeric or .@_-
e-mail                        1-64            alphanumeric or .@_-
encryption key                16-64           “0x” or “0X” + 16-64 hexadecimal values
                              8-32            alphanumeric or ;\|`~!@#$%^&*()_+\\{}':,./<>=-
file name                     0-31            alphanumeric or _-
filter extension              1-256           alphanumeric, spaces, or '()+,/:=?;!*#@$_%.-
fqdn
  Used in ip dns server
                              0-252           alphanumeric or .-
                                              first character: alphanumeric or -
  Used in ip ddns, time server, device HA, VPN, certificates, and interface ping check
                              0-254           alphanumeric or .-
                                              first character: alphanumeric or -
full file name                0-256           alphanumeric or _/.-
hostname
  Used in hostname command
                              0-63            alphanumeric or .-_
                                              first character: alphanumeric or -
  Used in other commands
                              0-252           alphanumeric or .-
                                              first character: alphanumeric or -
import configuration file     1-26+”.conf”    alphanumeric or ;`~!@#$%^&()_+[]{}',.=-
                                              add “.conf” at the end
import shell script           1-26+”.zysh”    alphanumeric or ;`~!@#$%^&()_+[]{}',.=-
                                              add “.zysh” at the end
initial string                1-64            alphanumeric, spaces, or '()+,/:=!*#@$_%-.&
isp account password          0-63            alphanumeric or `~!@#$%^&*()_\-+={}|\;:'<,>./
isp account username          0-30            alphanumeric or -_@$./
ipv6_addr
  An IPv6 address. The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.
  IPv6 addresses can be abbreviated in two ways:
  Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0.
  Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15.
key length                    --              512, 768, 1024, 1536, 2048, 4096
license key                   25              “S-” + 6 upper-case letters or numbers + “-” + 16 upper-case letters or numbers
mac address                   --              aa:bb:cc:dd:ee:ff (hexadecimal)
mail server fqdn                              lower-case letters, numbers, or -.
name                          1-31            alphanumeric or _-
notification message          1-81            alphanumeric, spaces, or '()+,/:=?;!*#@$_%-
password: less than 15 chars  1-15            alphanumeric or `~!@#$%^&*()_\-+={}|\;:'<,>./
password: less than 8 chars   1-8             alphanumeric or ;/?:@&=+$\.-_!~*'()%,#$
password
  Used in user and ip ddns
                              1-63            alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./
  Used in e-mail log profile SMTP authentication
                              1-63            alphanumeric or `~!@#$%^&*()_-+={}|\;:'<>./
  Used in device HA synchronization
                              1-63            alphanumeric or ~#%^*_-={}:,.
  Used in registration
                              6-20            alphanumeric or .@_-
phone number                  1-20            numbers or ,+
preshared key                 16-64           “0x” or “0X” + 16-64 hexadecimal values
                                              alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-
profile name                  0-30            alphanumeric or _-
                                              first character: letters or _-
proto name                    1-16            lower-case letters, numbers, or -
protocol name                 0-30            alphanumeric or _-
                                              first character: letters or _-
quoted string less than 127 chars
                              1-255           alphanumeric, spaces, or ;/?:@&=+$\.-_!~*'()%,
quoted string less than 63 chars
                              1-63            alphanumeric, spaces, or ;/?:@&=+$\.-_!~*'()%
quoted string                 0+              alphanumeric, spaces, or punctuation marks
                                              enclosed in double quotation marks (“)
                                              must put a backslash (\) before double quotation marks that are part of input value itself
service name                  0-63            alphanumeric or -_@$./
spi                           2-8             hexadecimal
string less than 15 chars     1-15            alphanumeric or -_
string: less than 63 chars    1-63            alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./
string                        1+              alphanumeric or -_@
subject                       1-61            alphanumeric, spaces, or '()+,./:=?;!*#@$_%-
system type                   0-2             hexadecimal
timezone [-+]hh               --              -12 through +12 (with or without “+”)
url                           1-511           alphanumeric or '()+,/:.=?;!*#@$_%-
url
  Used in content filtering redirect
                              “http://”+      alphanumeric or ;/?:@&=+$\.-_!~*'()%,
                              “https://”+     starts with “http://” or “https://”
                                              may contain one pound sign (#)
  Used in other content filtering commands
                              “http://”+      alphanumeric or ;/?:@&=+$\.-_!~*'()%,
                                              starts with “http://”
                                              may contain one pound sign (#)
user name
  Used in VPN extended authentication
                              1-31            alphanumeric or _-
  Used in other commands
                              0-30            alphanumeric or _-
                                              first character: letters or _-
username                      6-20            alphanumeric or .@_-
                                              registration
user name                     1+              alphanumeric or -_.
                                              logging commands
user@domainname               1-80            alphanumeric or .@_-
vrrp group name: less than 15 chars
                              1-15            alphanumeric or _-
week-day sequence, i.e. 1=first,2=second
                              1               1-4
xauth method                  1-31            alphanumeric or _-
xauth password                1-31            alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=-
mac address                   0-12 (even number)
                                              hexadecimal
                                              for example: aa aabbcc aabbccddeeff

1.8 Ethernet Interfaces

How you specify an Ethernet interface depends on the Zyxel Device model.
• For some Zyxel Device models, use gex, x = 1~N, where N equals the highest numbered Ethernet interface for your Zyxel Device model.
• For other Zyxel Device models use a name such as wan1, wan2, opt, lan1, or dmz.

1.9 Saving Configuration Changes

Use the write command to save the current configuration to the Zyxel Device.
Note: Always save the changes before you log out after each management session. All unsaved changes will be lost after the system restarts.

1.10 Logging Out

Enter the exit or end command in configure mode to go to privilege mode.
Enter the exit command in user mode or privilege mode to log out of the CLI.

1.11 Resetting the Zyxel Device

If you cannot access the Zyxel Device by any method, try restarting it by turning the power off and then on again. If you still cannot access the Zyxel Device by any method or you forget the administrator password(s), you can reset the Zyxel Device to its factory-default settings. Any configuration files or shell scripts that you saved on the Zyxel Device should still be available afterwards.
Use the following command to reset the Zyxel Device to its factory-default settings. This overwrites the settings in the startup-config.conf file with the settings in the system-default.conf file.
Note: This procedure removes the current configuration. Note that there is a space after apply in the command.
Figure 14 Resetting the Zyxel Device
Router> apply /conf/system-default.conf

CHAPTER 2

User and Privilege Modes

2.1 User And Privilege Modes

User mode is the mode you are in when you first log into the CLI. (Do not confuse ‘user mode’ with types of user accounts the Zyxel Device uses. See Chapter 49 on page 442 for more information about the user types. ‘User’ type accounts can only run ‘exit’ in this mode. However, they may need to log into the device in order to be authenticated for ‘user-aware’ policies, for example a firewall rule that a particular user is exempt from or a VPN tunnel that only certain people may use.)
Type ‘enable’ to go to ‘privilege mode’. No password is required. All commands can be run from here except those marked with an asterisk. Many of these commands are for troubleshooting purposes, for example debug commands. Customer support may ask you to run some of these commands and send the results if you need assistance troubleshooting your device.
For admin logins, all commands are visible in ‘user mode’ but not all can be run there. The following table displays which commands can be run in ‘user mode’. All commands can be run in ‘privilege mode’.
Type ezmode activate if you have a simple network environment, for example one with a single ISP for Internet access. You’ll enter Easy Mode every time you log in to the Zyxel Device using the Web Configurator. Objects created in Easy Mode begin with EZ_.
Type ezmode deactivate if you have a complex network environment, for example one with two ISPs for Internet access. You’ll enter Expert Mode every time you log in to the Zyxel Device using the Web Configurator. Some EZ_ objects cannot be edited in Expert Mode.
The psm commands are for Zyxel’s internal manufacturing process.
Table 5 User (U) and Privilege (P) Mode Commands
COMMAND | MODE | DESCRIPTION
apply | P | Applies a configuration file.
atse | U/P | Displays the seed code.
clear | U/P | Clears system or debug logs or DHCP binding.
configure | U/P | Use ‘configure terminal’ to enter configuration mode.
copy | P | Copies configuration files.
debug (*) | U/P | For support personnel only! The device needs to have the debug flag enabled.
delete | P | Deletes configuration files.
details | P | Performs diagnostic commands.
diag | P | Provided for support personnel to collect internal system information. It is not recommended that you use these.
diag-info | P | Has the Zyxel Device create a new diagnostic file.
dir | P | Lists files in a directory.
disable | U/P | Goes from privilege mode to user mode.
enable | U/P | Goes from user mode to privilege mode.
exit | U/P | Goes to a previous mode or logs out.
interface | U/P | Dials or disconnects an interface.
no packet-trace | U/P | Turns off packet tracing.
nslookup | U/P | Resolves an IP address to a host name and vice-versa.
packet-trace | U/P | Performs a packet trace.
ping | U/P | Pings an IP address or host name.
ping6 | U/P | Pings an IPv6 address or a host name.
psm | U/P | Goes to psm (product support module) mode for setting product parameters. Only use psm commands if your customer support Engineer asks you to during troubleshooting. Note: These commands are for Zyxel’s internal manufacturing process.
reboot | P | Restarts the device.
release | P | Releases DHCP information from an interface.
rename | P | Renames a configuration file.
renew | P | Renews DHCP information for an interface.
run | P | Runs a script.
setenv | U/P | Turns stop-on-error on (terminates booting if an error is found in a configuration file) or off (ignores configuration file errors and continues booting).
show | U/P | Displays command statistics. See the associated command chapter in this guide.
shutdown | P | Writes all data to disk and stops the system processes. It does not turn off the power.
telnet | U/P | Establishes a connection to the TCP port number 23 of the specified host name or IP address.
test aaa | U/P | Tests whether the specified user name can be successfully authenticated by an external authentication server.
traceroute | P | Traces the route to the specified host name or IP address.
traceroute6 | P | Traces the route to the specified host name or IPv6 address.
write | P | Saves the current configuration to the Zyxel Device. All unsaved changes are lost after the Zyxel Device restarts.
Subsequent chapters in this guide describe the configuration commands. User/privilege mode commands that are also configuration commands (for example, ‘show’) are described in more detail in the related configuration command chapter.

PART II

Reference

CHAPTER 3

Object Reference

3.1 Object Reference Commands

The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
Table 6 show reference Commands
COMMAND
    DESCRIPTION
show reference object username [username]
    Displays which configuration settings reference the specified user object.
show reference object address [object_name]
    Displays which configuration settings reference the specified address object.
show reference object address6 [object_name]
    Displays which configuration settings reference the specified IPv6 address object.
show reference object service [object_name]
    Displays which configuration settings reference the specified service object.
show reference object schedule [object_name]
    Displays which configuration settings reference the specified schedule object.
show reference object interface [interface_name | virtual_interface_name]
    Displays which configuration settings reference the specified interface or virtual interface object.
show reference object aaa authentication [default | auth_method]
    Displays which configuration settings reference the specified AAA authentication object.
show reference object ca category {local|remote} [cert_name]
    Displays which configuration settings reference the specified authentication method object.
show reference object account pppoe [object_name]
    Displays which configuration settings reference the specified PPPoE account object.
show reference object account pptp [object_name]
    Displays which configuration settings reference the specified PPTP account object.
show reference object app-patrol [profile-name]
    Displays which configuration settings reference the specified application patrol profile.
show reference object sslvpn application [object_name]
    Displays which configuration settings reference the specified SSL VPN application object.
show reference object crypto map [crypto_name]
    Displays which configuration settings reference the specified VPN connection object.
show reference object isakmp policy [isakmp_name]
    Displays which configuration settings reference the specified VPN gateway object.
show reference object sslvpn policy [object_name]
    Displays which configuration settings reference the specified SSL VPN object.
show reference object zone [object_name]
    Displays which configuration settings reference the specified zone object.
show reference object dhcp6-lease-object [object_name]
    Displays which configuration settings reference the specified DHCPv6 lease object.
show reference object dhcp6-request-object [object_name]
    Displays which configuration settings reference the specified DHCPv6 request object.
show reference object-group username [username]
    Displays which configuration settings reference the specified user group object.
show reference object-group address [object_name]
    Displays which configuration settings reference the specified address group object.
show reference object-group address6 [object_name]
    Displays which configuration settings reference the specified IPv6 address group object.
show reference object-group service [object_name]
    Displays which configuration settings reference the specified service group object.
show reference object-group interface [object_name]
    Displays which configuration settings reference the specified trunk object.
show reference object-group aaa ad [group_name]
    Displays which configuration settings reference the specified AAA AD group object.
show reference object-group aaa ldap [group_name]
    Displays which configuration settings reference the specified AAA LDAP group object.
show reference object-group aaa radius [group_name]
    Displays which configuration settings reference the specified AAA RADIUS group object.
3.1.1 Object Reference Command Example
This example shows how to check which configuration is using an address object named LAN1_SUBNET. In the command output, firewall rule 3 named LAN1-to-USG-2000 is using the address object.
Router(config)# show reference object address LAN1_SUBNET
LAN1_SUBNET References:
Category
Rule Priority   Rule Name   Description
===========================================================================
Security Policy Control
3               N/A         LAN1-to-USG-2000
Router(config)#
CHAPTER 4

Status

This chapter explains some commands you can use to display information about the Zyxel Device’s current operational state.
Table 7 Status Show Commands
COMMAND
    DESCRIPTION
show boot status
    Displays details about the Zyxel Device’s startup state.
show comport status
    Displays whether the console is on or off.
show cpu status
    Displays the CPU utilization.
show cpu all
    Displays the CPU utilization of each CPU.
show disk
    Displays the disk utilization.
show extension-slot
    Displays the status of the extension card slot and USB ports and the names of devices connected to them.
show led status
    Displays the status of each LED on the Zyxel Device.
show mac
    Displays the Zyxel Device’s MAC address.
show mem status
    Displays what percentage of the Zyxel Device’s memory is currently being used.
show ram-size
    Displays the size of the Zyxel Device’s on-board RAM.
show serial-number
    Displays the serial number of this Zyxel Device.
show socket listen
    Displays the Zyxel Device’s listening ports.
show socket open
    Displays the ports that are open on the Zyxel Device.
show system uptime
    Displays how long the Zyxel Device has been running since it last restarted or was turned on.
show version
    Displays the Zyxel Device’s model, firmware and build information.
show ap-info total {sta | usage} {24G | 5G | 6G| all} timer
    Displays how many wireless stations are connected to all managed APs or the amount of data (in bytes) sent/received by the connected stations.
    timer: a period of time (from 1 to 24 hours) over which the station number is recorded or the traffic flow occurred.
show ap-info top number {sta | usage} timer
    Displays how many wireless stations are connected to the top managed AP(s) or the amount of data (in bytes) sent/received by the connected stations.
    number: 1 to 64, the top “N” number of managed APs.
    timer: a period of time (from 1 to 24 hours) over which the station number is recorded or the traffic flow occurred.
show ap-info {mac_address | all} {sta | usage} {24G | 5G | 6G| all} timer
    Displays how many wireless stations are connected to a specific or all managed APs or the amount of data (in bytes) sent/received by the connected stations.
    mac_address: the managed AP’s MAC address.
    timer: a period of time (from 1 to 24 hours) over which the station number is recorded or the traffic flow occurred.
show sta-info {mac_address | all} usage timer
    Displays data usage of a specific or all connected wireless stations.
    mac_address: the wireless station’s MAC address.
    timer: a period of time (from 1 to 24 hours) over which the traffic flow occurred.
show sta-info total usage timer
    Displays data usage of all connected wireless station(s).
    timer: a period of time (from 1 to 24 hours) over which the traffic flow occurred.
show sta-info top number usage timer
    Displays data usage of the top connected wireless station(s).
    number: 1 to 64, the top “N” number of connected wireless stations.
    timer: a period of time (from 1 to 24 hours) over which the traffic flow occurred.
Here are examples of the commands that display the CPU and disk utilization.
Use show cpu all to check the utilization of each Zyxel Device CPU. Use show cpu status to check the Zyxel Device average CPU utilization. You can use these commands to check your CPU status if you feel the Zyxel Device’s performance is becoming slower.
Use show disk to check the percentage of Zyxel Device onboard flash memory that is currently being used. You can use this command to check your disk status if you’re having trouble saving files on the Zyxel Device, such as the firmware or the packet capture files.
Router(config)# show cpu status
Router> show cpu status
CPU utilization: 11 %
CPU utilization for 1 min: 2 %
CPU utilization for 5 min: 2 %
Router> show cpu all
CPU core 0 utilization: 3 %
CPU core 0 utilization for 1 min: 4 %
CPU core 0 utilization for 5 min: 2 %
CPU core 1 utilization: 0 %
CPU core 1 utilization for 1 min: 2 %
CPU core 1 utilization for 5 min: 4 %
Router> show disk
No. Disk            Size(MB)   Usage
===============================================================================
1   image           116        93%
2   onboard flash   1007       12%
Here are examples of the commands that display the MAC address, memory usage, RAM size, and serial number. You need the MAC address and serial number if you want to pass the Zyxel Device management to Nebula.
Router(config)# show mac
MAC address: 28:61:32:89:37:61-28:61:32:89:37:67
Router(config)# show mem status
memory usage: 39%
Router(config)# show ram-size
ram size: 510MB
Router(config)# show serial-number
serial number: XXXXXXXXXXXXX
Here is an example of the command that displays the listening ports.
Router(config)# show socket listen
No. Proto Local_Address      Foreign_Address    State
===========================================================================
1   tcp   0.0.0.0:2601       0.0.0.0:0          LISTEN
2   tcp   0.0.0.0:2602       0.0.0.0:0          LISTEN
3   tcp   127.0.0.1:10443    0.0.0.0:0          LISTEN
4   tcp   0.0.0.0:2604       0.0.0.0:0          LISTEN
5   tcp   0.0.0.0:80         0.0.0.0:0          LISTEN
6   tcp   127.0.0.1:8085     0.0.0.0:0          LISTEN
7   tcp   1.1.1.1:53         0.0.0.0:0          LISTEN
8   tcp   172.16.37.205:53   0.0.0.0:0          LISTEN
9   tcp   10.0.0.8:53        0.0.0.0:0          LISTEN
10  tcp   172.16.37.240:53   0.0.0.0:0          LISTEN
11  tcp   192.168.1.1:53     0.0.0.0:0          LISTEN
12  tcp   127.0.0.1:53       0.0.0.0:0          LISTEN
13  tcp   0.0.0.0:21         0.0.0.0:0          LISTEN
14  tcp   0.0.0.0:22         0.0.0.0:0          LISTEN
15  tcp   127.0.0.1:953      0.0.0.0:0          LISTEN
16  tcp   0.0.0.0:443        0.0.0.0:0          LISTEN
17  tcp   127.0.0.1:1723     0.0.0.0:0          LISTEN
Here is an example of the command that displays the open ports.
Router(config)# show socket open
No. Proto Local_Address        Foreign_Address      State
===========================================================================
1   tcp   172.23.37.240:22     172.23.37.10:1179    ESTABLISHED
2   udp   127.0.0.1:64002      0.0.0.0:0
3   udp   0.0.0.0:520          0.0.0.0:0
4   udp   0.0.0.0:138          0.0.0.0:0
5   udp   0.0.0.0:138          0.0.0.0:0
6   udp   0.0.0.0:138          0.0.0.0:0
7   udp   0.0.0.0:138          0.0.0.0:0
8   udp   0.0.0.0:138          0.0.0.0:0
9   udp   0.0.0.0:138          0.0.0.0:0
10  udp   0.0.0.0:138          0.0.0.0:0
11  udp   0.0.0.0:32779        0.0.0.0:0
12  udp   192.168.1.1:4500     0.0.0.0:0
13  udp   1.1.1.1:4500         0.0.0.0:0
14  udp   10.0.0.8:4500        0.0.0.0:0
15  udp   172.23.37.205:4500   0.0.0.0:0
16  udp   172.23.37.240:4500   0.0.0.0:0
17  udp   127.0.0.1:4500       0.0.0.0:0
18  udp   127.0.0.1:63000      0.0.0.0:0
19  udp   127.0.0.1:63001      0.0.0.0:0
20  udp   127.0.0.1:63002      0.0.0.0:0
21  udp   0.0.0.0:161          0.0.0.0:0
22  udp   127.0.0.1:63009      0.0.0.0:0
23  udp   192.168.1.1:1701     0.0.0.0:0
24  udp   1.1.1.1:1701         0.0.0.0:0
25  udp   10.0.0.8:1701        0.0.0.0:0
26  udp   172.23.37.205:1701   0.0.0.0:0
27  udp   172.23.37.240:1701   0.0.0.0:0
28  udp   127.0.0.1:1701       0.0.0.0:0
29  udp   127.0.0.1:63024      0.0.0.0:0
30  udp   127.0.0.1:30000      0.0.0.0:0
31  udp   1.1.1.1:53           0.0.0.0:0
32  udp   172.23.37.205:53     0.0.0.0:0
33  udp   10.0.0.8:53          0.0.0.0:0
34  udp   172.23.37.240:53     0.0.0.0:0
35  udp   192.168.1.1:53       0.0.0.0:0
36  udp   127.0.0.1:53         0.0.0.0:0
37  udp   0.0.0.0:67           0.0.0.0:0
38  udp   127.0.0.1:63046      0.0.0.0:0
39  udp   127.0.0.1:65097      0.0.0.0:0
40  udp   0.0.0.0:65098        0.0.0.0:0
41  udp   192.168.1.1:500      0.0.0.0:0
42  udp   1.1.1.1:500          0.0.0.0:0
43  udp   10.0.0.8:500         0.0.0.0:0
44  udp   172.23.37.205:500    0.0.0.0:0
45  udp   172.23.37.240:500    0.0.0.0:0
46  udp   127.0.0.1:500        0.0.0.0:0
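The following is an added example, not part of the Zyxel guide: a Python audit of saved show socket listen and show socket open output that separates loopback-only listeners from those bound to every interface and flags well-known cleartext management ports. The function names, the port-to-service map and the sample rows are assumptions constructed for illustration.

```python
"""Audit saved `show socket listen` / `show socket open` output (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: a few rows in the layout the guide prints. TCP rows carry
# a State column; unconnected UDP rows from "show socket open" do not.
SAMPLE = """\
Router(config)# show socket listen
No. Proto Local_Address      Foreign_Address    State
===========================================================================
1   tcp   0.0.0.0:2601       0.0.0.0:0          LISTEN
3   tcp   127.0.0.1:10443    0.0.0.0:0          LISTEN
5   tcp   0.0.0.0:80         0.0.0.0:0          LISTEN
11  tcp   192.168.1.1:53     0.0.0.0:0          LISTEN
13  tcp   0.0.0.0:21         0.0.0.0:0          LISTEN
14  tcp   0.0.0.0:22         0.0.0.0:0          LISTEN
16  tcp   0.0.0.0:443        0.0.0.0:0          LISTEN
Router(config)# show socket open
No. Proto Local_Address      Foreign_Address    State
===========================================================================
1   tcp   172.23.37.240:22   172.23.37.10:1179  ESTABLISHED
21  udp   0.0.0.0:161        0.0.0.0:0
41  udp   192.168.1.1:500    0.0.0.0:0
"""

# One table row: No., protocol, local addr:port, foreign addr:port, optional state.
ROW = re.compile(
    r"^\s*\d+\s+(?P<proto>tcp|udp)\s+"
    r"(?P<lip>\S+):(?P<lport>\d+)\s+\S+:\d+"
    r"(?:\s+(?P<state>[A-Z_0-9]+))?\s*$"
)

# Assumption: these well-known ports carry their usual cleartext protocols.
CLEARTEXT = {
    ("tcp", 21): "FTP",
    ("tcp", 23): "Telnet",
    ("tcp", 80): "HTTP",
    ("udp", 161): "SNMP",
}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    state: str  # empty string for UDP rows without a State column

    @property
    def scope(self):
        """Classify the bind address: loopback, all-interfaces or single-address."""
        try:
            addr = ip_address(self.local_ip.strip("[]"))
        except ValueError:
            return "unknown"
        if addr.is_loopback:
            return "loopback"
        if addr.is_unspecified:  # 0.0.0.0 or ::
            return "all-interfaces"
        return "single-address"

    @property
    def is_listener(self):
        """TCP listeners say LISTEN; unconnected UDP sockets have no state."""
        return self.state == "LISTEN" or (self.proto == "udp" and not self.state)


def parse_socket_table(text):
    """Return a Socket for every table row; prompts, headers and rules are skipped."""
    sockets = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sockets.append(
                Socket(m["proto"], m["lip"], int(m["lport"]), m["state"] or "")
            )
    return sockets


def audit(text):
    """List cleartext services reachable from the network (not loopback-only)."""
    findings = []
    for s in parse_socket_table(text):
        if not s.is_listener or s.scope == "loopback":
            continue
        service = CLEARTEXT.get((s.proto, s.local_port))
        if service:
            findings.append((service, s.proto, s.local_ip, s.local_port))
    return findings


def wildcard_ports(text):
    """Sorted (proto, port) pairs bound to every interface, for firewall review."""
    return sorted(
        {(s.proto, s.local_port) for s in parse_socket_table(text)
         if s.is_listener and s.scope == "all-interfaces"}
    )


if __name__ == "__main__":
    for service, proto, ip, port in audit(SAMPLE):
        print(f"cleartext {service} listening on {ip}:{port}/{proto}")
    print("bound to all interfaces:", wildcard_ports(SAMPLE))
```

A socket bound to all interfaces is not necessarily reachable from the WAN; compare the result with the device's security policy before drawing conclusions.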
Here are examples of the commands that display the system uptime and model, firmware, and build information.
Router> show system uptime
system uptime: 04:18:00
Router> show version
Zyxel Communications Corp.
model : ZyWALL USG 110
firmware version: 2.20(AQQ.0)b3
BM version : 1.08
build date : 2014-01-21 01:18:06
This example shows the current LED states on the Zyxel Device. The SYS LED is lit green. The HDD LEDs are off.
Router> show led status
sys: green
usbled: off
Router>

4.1 ATP Dashboard Commands

Use these commands to view status and statistics information about security services on the ZyWALL ATP models.
Table 8 Dashboard Commands
COMMAND
    DESCRIPTION
show anti-botnet dashboard statistics summary
    Displays the number of the connection attempts detected or blocked, and the number of malware threats.
show ip-reputation dashboard statistics summary
    Displays the number of IPv4 addresses that have been scanned, the number of hit counts on the scanned IPv4 addresses, and the number of IPv4 addresses for each threat level.
show anti-spam dashboard statistics summary
    Displays the number of emails that the Zyxel Device’s email security feature has checked, the number of spam emails and the number of suspicious websites known for phishing.
show anti-virus statistics summary
    Displays the number of viruses detected.
show content-filter dashboard statistics summary
    Displays the number of web pages that the Zyxel Device’s content filtering feature has checked.
show idp dashboard statistics summary
    Displays the number of sessions and packets that the Zyxel Device’s IDP feature has checked.
show sandbox dashboard statistics summary
    Displays the number of files that have been scanned or destroyed and the scan result.
show security-service status
    Displays whether the security service, such as content filtering or sandboxing, is enabled on the Zyxel Device.
threat-website dashboard statistics flush
    Clears the URL Threat Filter statistics on the dashboard.
content-filter dashboard statistics flush
    Clears the content-filter statistics on the dashboard.

4.2 CPU Temperature Monitor Commands

Use these commands to have the Zyxel Device periodically write CPU temperatures to the system logs.
Table 9 Dashboard Commands
COMMAND
    DESCRIPTION
show cpu-temperature-monitor status
    Displays whether CPU temperature monitoring is enabled, and how often the temperature is written to the system logs.
[no] cpu-temperature-monitor activate
    Enables or disables CPU monitoring.
cpu-temperature-monitor period minutes
    Sets how often in minutes that the Zyxel Device writes CPU temperature to the system logs. The valid range is 5-120.
cpu-temperature-monitor unit {celsius| fahrenheit}
    Sets the temperature unit that the Zyxel Device uses when it writes CPU temperature to the system logs.

4.3 System Protection Signature Commands

Use these commands to view the system protection signature information and update the signatures if necessary.
Table 10 System Protection Signature Commands
COMMAND
    DESCRIPTION
show system protection signatures version
    Displays system protection signatures of the Zyxel Device. These signatures do not require a license.
    The Zyxel Device will sync with the Cloud Helper Server every day to update these signatures automatically. You can also update manually using the command below.
    Please note that in the web configurator, the system protection signature version displays in Dashboard > About.
    System protection signatures protect your Zyxel Device and local networks from web attacks, such as command injection, cross-site scripting and path traversal.
    Command injection: This is an attack in which an attacker uses the Zyxel Device vulnerabilities to execute commands to control your Zyxel Device.
    Cross-site scripting: This is an attack in which an attacker implants malicious scripts in a website. When you visit this website, the malicious scripts are sent and executed on your web browser.
    Path traversal: This is an attack that allows an attacker to access files you store in the web root folder.
show system protection signature update status
    Displays if the system protection signatures are updated to the latest version.
system protection signature update signature
    Use this command to update the system protection signatures to the latest version.
    Make sure the Zyxel Device can access the Cloud Helper Server when you want to update the signatures.

CHAPTER 5

Registration

5.1 Registration Overview

This chapter introduces myZyxel and shows you how to register the Zyxel Device for IDP/AppPatrol, anti-virus, content filtering, and SSL VPN services using commands.

5.2 myZyxel Overview

myZyxel is Zyxel’s online services center where you can register your Zyxel Device and manage subscription services available for the Zyxel Device.
Note: You need to create an account before you can register your device and activate the services at myZyxel.
First, go to http://www.myZyxel with the Zyxel Device’s serial number and LAN MAC address to register the Zyxel Device. Refer to the web site’s on-line help for details. You can also go to the portal and see license status using the Licensing > Registration screens.
Note: To activate a service on a Zyxel Device, you need to access myZyxel via that Zyxel Device.
5.2.1 Subscription Services Available on the Zyxel Device
Refer to Section 1.4.6 on page 33 for differences between ATP and USG license names.
The Zyxel Device can use anti-virus, anti-spam, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), SSL VPN, and content filtering subscription services.
ZyWALL models need a license for UTM (Unified Threat Management) functionality. See the Introduction chapter in the Zyxel Device User’s Guide or the product datasheet for details.
You can purchase an EiCard and enter the license key from it, at http://www.myZyxel.com to have the ZyWALL use UTM services or have the Zyxel Device use more SSL VPN tunnels. See the respective chapters in the User’s Guide for more information about UTM features.
• The Zyxel Device’s anti-virus packet scanner uses signature files on the Zyxel Device to detect viruses. Your Zyxel Device scans files transmitted through enabled interfaces into the network. Subscribe to signature updates for Zyxel’s anti-virus engine. After the service is activated, the Zyxel Device can download the up-to-date signatures from the update server.
After the trial expires, you need to purchase an EiCard and enter the PIN number (license key) at http://www.myZyxel.com.
• The IDP and application patrol features use IDP/AppPatrol signatures on the Zyxel Device. IDP detects malicious or suspicious packets and responds immediately. Application patrol conveniently manages the use of various applications on the network. After the service is activated, the Zyxel Device can download the up-to-date signature files from the update server.
• SSL VPN tunnels provide secure network access to remote users. You can purchase and enter a license key to have the Zyxel Device use more SSL VPN tunnels.
• Content filter allows or blocks access to web sites. Subscribe to category-based content filtering to block access to categories of web sites based on content. Your Zyxel Device accesses an external database that has millions of web sites categorized based on content. You can have the Zyxel Device block and/or log access to web sites based on these categories.
• You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/AppPatrol service. You can also check for new signatures at http://mysecurity.zyxel.com.
See the respective chapters for more information about these features.
Note: To update the signature file or use a subscription service, you have to register the Zyxel Device and activate the corresponding service at myZyxel (through the Zyxel Device).
5.2.2 Firewall as a Service (FaaS) License
The Zyxel Device FaaS allows you to use the Zyxel Device and its features, such as security, routing, VPN and sandboxing.
The FaaS license is valid for 1 year and 30 days (trial period) from the date of purchase. It has a 15-day grace period after which the license expires. During the grace period, you cannot configure the Zyxel Device but you can continue to use it. After the grace period ends, your Zyxel Device will stop working.
Please note the following limitations if you purchase a Zyxel Device with a FaaS license:
• You need to renew your FaaS license after it expires to continue using the Zyxel Device. You can renew your FaaS license automatically or renew it manually.
• The Zyxel Device with FaaS does not support firmware versions earlier than 5.20.
• You cannot buy licenses for security services individually.
• You cannot use Nebula to manage your Zyxel Device.

5.3 Registration Commands

The following table describes the commands available for registration. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 11 Command Summary: Registration
COMMAND
    DESCRIPTION
service-register checkexpire
    Gets information of all service subscriptions from myZyxel and updates the status table.
service-register _setremind {after-10-days | after-180-days | after-30-days | every-time | never}
    Sets how often you want to display the network risk warning screen in the Web Configurator. The screen shows the security services which are not registered or disabled on the Zyxel Device.
show device-register status
    Displays whether the device is registered and account information.
show service-register status {all | application-security | as | av | cdr | concurrent-device-upgrade | content-filter | firmware-upgrade | geo-ip | idp | malware-blocker | ctdb | managed-ap-service | pkg | reputation-filter | sandbox | secu-reporter | secure-wifi | sslvpn | sslvpn-status | web-security | zymesh}
    Displays the status of your service registrations. Use all to show all registrations as a list.
    Note: Options for this command might vary depending on the Zyxel Device model and firmware version.
show service-register status content-filter {commtouch}
    Displays Commtouch content filter service license information.
show service-register status sslvpn-status
    Displays the status of SSL VPN tunnels. The first number is the actual number of VPN tunnels up and the second number is the maximum number of SSL VPN tunnels allowed.
show service-register content-filter-engine
    Displays which external web filtering service the Zyxel Device is set to use for content filtering.

5.4 FaaS Commands

The following table describes the commands available for the FaaS license. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 12 Command Summary: Registration
COMMAND
    DESCRIPTION
show service-register status network-essentials
    Displays the status of the Zyxel Device network services, such as security, routing and VPN.
show device-subscription status
    Displays the status of the FaaS license.
5.4.1 Command Examples
The following command displays the account information and whether the device is registered.
Router# configure terminal
Router(config)# show device-register status
username : example
password : 123456
device register status : yes
expiration self check : no
The following command displays the service registration status and type and how many days remain before the service expires.
Router# configure terminal
Router(config)# show service-register status all
Service          Status         Type       Count   Expiration
===========================================================================
IDP Signature    Licensed       Standard   N/A     176
Anti-Virus       Not Licensed   None       N/A     0
SSLVPN           Not Licensed   None       5       N/A
Content-Filter   Not Licensed   None       N/A     0
The following command displays the FaaS license and network essentials service status.
Router# configure terminal
Router(config)# show device-subscription status
type status: yes
license state: activate
Router(config)# show service-register status network-essentials
Service              Status      Type       Count   Expiration   Grace   Purchasable   Activatable
===============================================================================
Network Essentials   Activated   Standard   N/A     387          0       N/A           N/A

5.5 Update License Commands

The following table describes the commands you need to use to update the signatures through a proxy server on the Intranet. The Intranet proxy server downloads signatures from the Zyxel Cloud signature server. The Zyxel Device then downloads signatures from the Intranet proxy server. Contact your local support at http://www.zyxel.com for any questions on setting up the proxy server.
You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 13 Command Summary: Update License
COMMAND
    DESCRIPTION
[no] security-service update-server activate
    Enables the Intranet proxy server used to update signatures.
    The no command disables this feature.
security-service update-server server-url <url>
    Sets the Intranet proxy server used to update signatures.
show security-service update-server
    Displays the status and URL of the Intranet proxy server used to update signatures.

CHAPTER 6

AP Management

6.1 AP Management Overview

The Zyxel Device allows you to remotely manage all of the Access Points (APs) on your network. You can manage a number of APs without having to configure them individually as the Zyxel Device automatically handles basic configuration for you.
The commands in this chapter allow you to add, delete, and edit the APs managed by the Zyxel Device by means of the CAPWAP protocol. An AP must be moved from the wait list to the management list before you can manage it. If you do not want to use this registration mechanism, you can disable it and then any newly connected AP is registered automatically.
6.1.1 AP Modes
This section describes some of the different roles that the AP can take up within a network.
• Access Point: This is used to allow wireless clients to connect to the Internet.
• Monitor AP: A monitor AP acts as a wireless monitor, which can detect rogue APs and help you in building a list of friendly ones.
• Root AP: A root AP connects to the gateway or switch through a wired Ethernet connection and has wireless repeaters connected to it to extend its range.
• Repeater: A repeater connects to a root AP using a WiFi connection and extends the network’s WiFi range.
In the figure below, the repeater (Z) is connected to the root AP (X) using a WiFi connection. X is connected to a wired network. The monitor repeater (Y) is also connected to X using a WiFi connection. Y is monitoring the WiFi network.
Figure 15 AP Network Roles Application
6.1.2 Airtime Fairness
Airtime is the time it takes for a client to receive packets from the AP it is associated with. The amount of time each client needs may vary depending on various reasons, such as the distance between the client and the AP, the client’s operating system, or the IEEE standard the client is using.
Airtime fairness is a feature that makes sure all connected clients of an AP get the same amount of time to receive packets. Without airtime fairness, a client that needs more airtime will take up more time and bandwidth of an AP to receive packets. This will slow down your WiFi network overall.

6.2 AP Management Value

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 14 Input Values for AP Management Commands
LABEL DESCRIPTION
ap_mac
    The Ethernet MAC address of the managed AP. Enter 6 hexadecimal pairs separated by colons. You can use 0-9, a-z and A-Z.
ap_model
    The model name of the managed AP, such as NWA5160N, NWA5560-N, NWA5550-N, NWA5121-NI or NWA5123-NI.
slot_name
    The slot name for the AP’s on-board wireless LAN card. Use either slot1 or slot2. (The NWA5560-N supports up to 2 radio slots.)
profile_name
    The wireless LAN radio profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
ap_description
    The AP description. This is strictly used for reference purposes and has no effect on any other settings. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
sta_mac
    The MAC address of the wireless client. Enter 6 hexadecimal pairs separated by colons. You can use 0-9, a-z and A-Z.

6.3 General AP Management Commands

The following table describes the commands available for general AP management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 15 Command Summary: AP Management
COMMAND DESCRIPTION
[no] capwap activate
    Enables or disables the AP controller service.
capwap ap <mac address> [no] airtime-fairness activate
    Enables airtime fairness on the specified AP.
    The no command disables airtime fairness on the AP.
capwap ap ap_mac
    Enters the sub-command mode for the specified AP.
slot_name ap-profile profile_name
    Sets the radio (slot_name) to AP mode and assigns a created profile to the radio. See Section 6.1.1 on page 57 for more information on different modes.
no slot_name ap-profile
    Removes the AP mode profile assignment for the specified radio (slot_name). See Section 6.1.1 on page 57 for more information on different modes.
slot_name monitor-profile profile_name
    Sets the specified radio (slot_name) to monitor mode and assigns a created profile to the radio. See Section 6.1.1 on page 57 for more information on different modes.
    See also Section 9.2 on page 79 for more information on rogue APs and friendly APs.
no slot_name monitor-profile
    Removes the monitor mode profile assignment for the specified radio (slot_name).
slot_name {root-ap | repeater-ap } zymesh-profile_name
    Sets the specified radio (slot_name) to root AP or repeater mode and assigns a created ZyMesh profile to the radio. See Section 6.1.1 on page 57 for more information on different modes.
    See also Section 9.6 on page 98 for more information about ZyMesh.
slot_name wireless-bridge {enable | disable}
    Enables or disables wireless bridging on the specified radio (slot_name). The radio should be in repeater mode. VLAN and bridge interfaces are created automatically according to the VLAN settings. See Section 6.1.2 on page 58 for more information on wireless bridge.
    When wireless bridging is enabled, the managed repeater AP can still transmit data through its Ethernet port(s) after the ZyMesh/WDS link is up. Be careful to avoid bridge loops. See Section 6.1.1 on page 57 for more information on different modes.
    The managed APs in the same ZyMesh/WDS must use the same static VLAN ID.
antenna config slot_name chain3 {ceiling | wall}
    Adjusts coverage depending on each radio’s antenna orientation.
[no] antenna sw-control enable
    Enables the adjustment of coverage depending on the orientation of the antenna for the AP radios using the web configurator or the command line interface (CLI).
    The no command disables adjustment through the web configurator or the command line interface (CLI).
ap-group-profile ap-group-profile_name
    Sets the AP group to which the AP belongs.
description ap_description
    Sets the description for the specified AP.
[no] force vlan
    Sets whether or not the Zyxel Device changes the AP’s management VLAN to match the one you configure using the vlan sub-command. The management VLAN on the Zyxel Device and AP must match for the Zyxel Device to manage the AP.
    This takes priority over the AP’s CAPWAP client commands described in Chapter 73 on page 608.
lan-provision lan_port {activate | inactivate} pvid <1..4094>
    Sets the Zyxel Device to enable or disable the specified LAN port on the AP and configures a PVID (Port VLAN ID) for this port.
    lan_port: the name of the AP’s LAN port (lan1 for example).
lan-provision vlan_interface {activate | inactivate} vid <1..4094> join lan_port {tag | untag} [lan_port {tag | untag}] [lan_port {tag | untag}]
    Sets the Zyxel Device to create a new VLAN or configure an existing VLAN. You can disable or enable the VLAN, set the VLAN ID, assign up to three ports to this VLAN as members and set whether the port is to tag outgoing traffic with the VLAN ID.
    vlan_interface: the name of the VLAN (vlan1 for example).
[no] override-full-power activate
    Forces the AP to draw full power from the power sourcing equipment. This improves performance in cases when a PoE injector that does not support PoE negotiation is used.
    Use the no command to disable this feature.
[no] load-balancing <group1 | group2> group_name
    Assigns a load balancing group to the AP.
    Use the no command to remove the group1 or group2 assignment of the AP.
[no] override slot_name {output-power | radio-setting | ssid-setting}
    Sets the Zyxel Device to overwrite the AP’s output power, radio or SSID profile settings for the specified radio.
    Use the no command to not overwrite the specified settings.
[no] override lan-provision
    Sets the Zyxel Device to overwrite the AP’s LAN port settings. Use the no command to not overwrite the specified settings.
[no] override vlan-setting
    Sets the Zyxel Device to overwrite the AP’s LAN port settings. Use the no command to not overwrite the specified settings.
vlan <1..4094> {tag | untag}
    Sets the VLAN ID for the specified AP as well as whether packets sent to and from that ID are tagged or untagged.
exit
    Exits the sub-command mode for the specified AP.
capwap ap ac-ip {primary_ac_ip} {secondary_ac_ip}
    Specifies the primary and secondary IP address or domain name of the AP controller (the Zyxel Device) to which the AP connects.
capwap ap ac-ip auto
    Sets the AP to use DHCP to get the address of the AP controller (the Zyxel Device).
capwap ap add ap_mac [ap_model]
    Adds the specified AP to the Zyxel Device for management. If manual add is disabled, this command can still be used; if you add an AP before it connects to the network, then this command simply preconfigures the management list with that AP’s information.
capwap ap factory default ap_mac
    Resets the specified AP to its factory default settings.
capwap ap fallback disable
    Sets the managed AP(s) to not change back to associate with the primary AP controller when the primary AP controller is available.
capwap ap fallback enable
    Sets the managed AP(s) to change back to associate with the primary AP controller as soon as the primary AP controller is available.
capwap ap fallback interval <30..86400>
    Sets how often (in seconds) the managed AP(s) check whether the primary AP controller is available.
capwap ap idle timeout {25–100}
    Sets the default period after which idle wireless clients are kicked from an AP, in minutes.
    This setting takes effect if the setting Disassociate station when overloaded is enabled.
capwap ap kick {all | ap_mac}
    Removes the specified AP (ap_mac) or all connected APs (all) from the management list. Doing this removes the AP(s) from the management list.
    If the Zyxel Device is set to automatically add new APs to the AP management list, then any kicked APs are added back to the management list as soon as they reconnect.
capwap ap led-off ap_mac
    Sets the LEDs of the specified AP to turn off after it’s ready.
capwap ap led-on ap_mac
    Sets the LEDs of the specified AP to stay lit after the Zyxel Device is ready.
capwap ap reboot ap_mac
    Forces the specified AP (ap_mac) to restart. Doing this severs the connections of all associated stations.
capwap manual-add {enable | disable}
    Allows the Zyxel Device to either automatically add new APs to the network (disable) or wait until you manually confirm them (enable).
capwap station kick sta_mac
    Forcibly disconnects the specified station from the network.
show capwap ap {all | ap_mac}
    Displays information of all managed APs (all) or information of an AP on the specified MAC address (ap_mac).
show capwap ap {all | ap_mac} config status
    Displays whether or not any AP’s configuration or the specified AP’s configuration is in conflict with the Zyxel Device’s settings for the AP, and displays the settings in conflict if there are any.
country-code country_code
    Sets the country where the Zyxel Device is located/installed.
    This is the default country code the Zyxel Device uses in a new radio profile or monitor profile if you do not change it. The available channels vary depending on the country you selected.
    country_code: 2-letter country-codes, such as TW, DE, or FR.
lan-provision ap ap_mac
    Enters the sub-command mode for the specified AP.
lan_port {activate | inactivate} pvid <1..4094>
    Enables or disables the specified LAN port on the AP and configures a PVID (Port VLAN ID) for this port.
    lan_port: the name of the AP’s LAN port (lan1 for example).
vlan_interface {activate | inactivate} vid <1..4094> join lan_port {tag | untag} [lan_port {tag | untag}] [lan_port {tag | untag}]
    Creates a new VLAN or configures an existing VLAN. You can disable or enable the VLAN, set the VLAN ID, assign up to three ports to this VLAN as members and set whether the port is to tag outgoing traffic with the VLAN ID.
    vlan_interface: the name of the VLAN (vlan1 for example).
[no] vlan_interface
    Removes the specified VLAN.
ap internal-auth shared-secret key
    Enter the shared secret key used by APs to authenticate with an Access Point Controller (APC) authentication server.
    The key is encrypted before being saved to the Zyxel Device. You can use the following characters: 0-9a-zA-Z`~!@#$%^&*()_\-+={}\|\\;:'<,>\?.\
ap internal-auth no shared-secret
    Resets the shared secret key to default.
show capwap ap {all | ap_mac}
    Displays the management list (all) or whether the specified AP is on the management list (ap_mac).
show capwap ap ap_mac slot_name detail
    Displays details for the specified radio (slot_name) on the specified AP (ap_mac).
show capwap ap {all | ap_mac} config status
    Displays whether or not any AP’s configuration or the specified AP’s configuration is in conflict with the Zyxel Device’s settings for the AP and displays the settings in conflict if there are any.
show capwap ap ac-ip
    Displays the address of the Zyxel Device or auto if the AP finds the Zyxel Device through broadcast packets.
show capwap ap all statistics
    Displays radio statistics for all APs on the management list.
show capwap ap fallback
    Displays whether the managed AP(s) will change back to associate with the primary AP controller when the primary AP controller is available.
show capwap ap fallback interval
    Displays the interval for how often the managed AP(s) check whether the primary AP controller is available.
show capwap ap idle timeout
    Displays the default period after which idle wireless clients are kicked from an AP, in minutes.
show capwap ap wait-list
    Displays a list of connected but as-of-yet unmanaged APs. This is known as the ‘wait list’.
show capwap manual-add
    Displays the current manual add option.
show capwap station all
    Displays information for all stations connected to the APs on the management list.
show country-code list
    Displays a reference list of two-letter country codes.
show default country-code
    Displays the default country code configured on the Zyxel Device.
show lan-provision ap ap_mac interface {lan_port | vlan_interface | all| ethernet | uplink | vlan}
    Displays the port and/or VLAN settings for the specified AP.
    You can also set to display settings for a specified port, a specified VLAN, all physical Ethernet ports, the uplink port or all VLANs on the AP.
6.3.1 AP Management Commands Example
The following example shows you how to add an AP to the management list, and then edit it.
Router# show capwap ap wait-list
index: 1
IP: 192.168.1.35, MAC: 00:11:11:11:11:FE
Model: NWA5160N, Description: AP-00:11:11:11:11:FE
index: 2
IP: 192.168.1.36, MAC: 00:19:CB:00:BB:03
Model: NWA5160N, Description: AP-00:19:CB:00:BB:03
Router# configure terminal
Router(config)# capwap ap add 00:19:CB:00:BB:03
Router(config)# capwap ap 00:19:CB:00:BB:03
Router(AP 00:19:CB:00:BB:03)# slot1 ap-profile approf01
Router(AP 00:19:CB:00:BB:03)# exit
Router(config)# show capwap ap all
index: 1
Status: RUN
IP: 192.168.1.37, MAC: 40:4A:03:05:82:1E
Description: AP-404A0305821E
Model: NWA5160N
R1 mode: AP, R1Prof: default
R2 mode: AP, R2Prof: n/a
Station: 0, RadioNum: 2
Mgnt. VLAN ID: 1, Tag: no
WTP VLAN ID: 1, WTP Tag: no
Force VLAN: disable
Firmware Version: 2.25(AAS.0)b2
Recent On-line Time: 08:43:04 2013/05/24
Last Off-line Time: N/A
Router(config)# show capwap ap 40:4A:03:05:82:1E slot1 detail
index: 1
SSID: Zyxel, BSSID: 40:4A:03:05:82:1F
SecMode: NONE, Forward Mode: Local Bridge, Vlan: 1
Router(config)# show capwap ap all statistics
index: 1
Status: RUN, Loading: -
AP MAC: 40:4A:03:05:82:1E
Radio: 1, OP Mode: AP
Profile: default, MAC: 40:4A:03:05:82:1F
Description: AP-404A0305821E
Model: NWA5160N
Band: 2.4GHz, Channel: 6
Station: 0
RxPkt: 4463, TxPkt: 38848
RxFCS: 1083323, TxRetry: 198478
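The wait-list step above is where an unexpected AP can be caught before it is managed. The following Python sketch is an added example, not part of the Zyxel guide: it parses show capwap ap wait-list output, admits only APs whose MAC is in an approved inventory, and builds the CLI lines from the commands in Table 15. The inventory dictionary, the function names and the line layout of the sample are assumptions; the profile_name check follows Table 14.

```python
import re

# ap_mac format from Table 14: six hexadecimal pairs separated by colons.
MAC_PATTERN = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"

# One wait-list record as printed in section 6.3.1. Whitespace between fields
# is matched loosely so the pattern reads multi-line CLI output as well as a
# capture that was flattened onto one line.
WAIT_ENTRY = re.compile(
    r"index:\s*(?P<index>\d+)\s+"
    r"IP:\s*(?P<ip>[0-9.]+),\s*"
    r"MAC:\s*(?P<mac>" + MAC_PATTERN + r")\s+"
    r"Model:\s*(?P<model>[^,\s]+),\s*"
    r"Description:\s*(?P<description>\S+)"
)

# profile_name rule from Table 14: 1-31 alphanumerics, underscores or dashes,
# and the first character cannot be a number.
PROFILE_NAME = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")

# Wait-list output taken from the example in section 6.3.1.
SAMPLE_WAIT_LIST = """\
Router# show capwap ap wait-list
index: 1
IP: 192.168.1.35, MAC: 00:11:11:11:11:FE
Model: NWA5160N, Description: AP-00:11:11:11:11:FE
index: 2
IP: 192.168.1.36, MAC: 00:19:CB:00:BB:03
Model: NWA5160N, Description: AP-00:19:CB:00:BB:03
"""

# Constructed inventory (assumption): approved AP MAC -> radio profile to assign.
APPROVED_APS = {"00:19:cb:00:bb:03": "approf01"}


def parse_wait_list(cli_output):
    """Return one dict per wait-list AP, with the MAC normalised to upper case."""
    entries = []
    for match in WAIT_ENTRY.finditer(cli_output):
        entry = match.groupdict()
        entry["index"] = int(entry["index"])
        entry["mac"] = entry["mac"].upper()
        entries.append(entry)
    return entries


def plan_admission(cli_output, approved, slot="slot1"):
    """Return (commands, admitted, unknown) for the APs on the wait list.

    Only APs found in the approved inventory get a "capwap ap add" line;
    everything else is returned in unknown and stays on the wait list.
    """
    if slot not in ("slot1", "slot2"):
        raise ValueError(f"slot_name must be slot1 or slot2, got {slot!r}")
    inventory = {}
    for mac, profile in approved.items():
        if not re.fullmatch(MAC_PATTERN, mac):
            raise ValueError(f"invalid ap_mac in inventory: {mac!r}")
        if not PROFILE_NAME.fullmatch(profile):
            raise ValueError(f"invalid profile_name: {profile!r}")
        inventory[mac.upper()] = profile

    # Manual add stays enabled so new APs wait for confirmation.
    commands = ["configure terminal", "capwap manual-add enable"]
    admitted, unknown = [], []
    for ap in parse_wait_list(cli_output):
        profile = inventory.get(ap["mac"])
        if profile is None:
            unknown.append(ap)
            continue
        admitted.append(ap)
        commands += [
            f"capwap ap add {ap['mac']}",
            f"capwap ap {ap['mac']}",
            f"{slot} ap-profile {profile}",
            "exit",
        ]
    return commands, admitted, unknown


if __name__ == "__main__":
    cmds, ok, rejected = plan_admission(SAMPLE_WAIT_LIST, APPROVED_APS)
    print("\n".join(cmds))
    for ap in rejected:
        print(f"# not in inventory, left on wait list: {ap['mac']} ({ap['ip']}, {ap['model']})")
```
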
The following example displays the management list and radio statistics for the specified AP.
Router(config)# show capwap ap all
index: 1
Status: RUN
IP: 192.168.1.37, MAC: 60:31:97:82:F5:AF
Description: AP-60319782F5AF
Model: WAC5302D-S
CPU Usage: 12 %
R1 mode: AP, R1Prof: default
R2 mode: AP, R2Prof: default2
AP Group Profile: default
Override Slot1 Radio Profile: disable
Override Slot1 SSID Profile: disable
slot1-SSID Profile 1: default
slot1-SSID Profile 2:
slot1-SSID Profile 3:
slot1-SSID Profile 4:
slot1-SSID Profile 5:
slot1-SSID Profile 6:
slot1-SSID Profile 7:
slot1-SSID Profile 8:
Override Slot1 Output Power: disable
Slot1 Output Power: 30dBm
Override Slot2 Radio Profile: disable
Override Slot2 SSID Profile: disable
slot2-SSID Profile 1: default
slot2-SSID Profile 2:
slot2-SSID Profile 3:
slot2-SSID Profile 4:
slot2-SSID Profile 5:
slot2-SSID Profile 6:
slot2-SSID Profile 7:
slot2-SSID Profile 8:
Override Slot2 Output Power: disable
Slot2 Output Power: 30dBm
Station: 2, RadioNum: 2
Override VLAN Setting: disable
Mgnt. VLAN ID: 1, Tag: no
WTP VLAN ID: 1, WTP Tag: no
Force VLAN: disable
Support Lan-provision: yes
Override LAN Provision: disable
Firmware Version: 5.00(ABFH.1)b1
Primary AC IP: broadcast
Secondary AC IP: N/A
Recent On-line Time: 03:15:30 2016/11/11
Last Off-line Time: 03:10:48 2016/11/11
Loop State: N/A
LED Status: N/A
Suppress Mode Status: Enable
Locator LED Status: N/A
Locator LED Time: 0
Locator LED Time Lease: 0
Power Mode: Full
Antenna Switch SW-Control: N/A
Antenna Switch Radio 1: N/A
Antenna Switch Radio 2: N/A
Compatible: No
Capability: 32
Port Number: 4
Router(config)# show capwap ap 60:31:97:82:F5:AF slot1 detail
index: 1
SSID: ZyXEL
BSSID: 60:31:97:82:F5:B0
SecMode: NONE, Forward Mode: Local Bridge, Vlan: 1
Router(config)# show capwap ap all statistics
index: 1
Status: RUN, Loading: -
AP MAC: 60:31:97:82:F5:AF
Radio: 1, OP Mode: AP
Profile: default, MAC: F0:FD:F0:FD:F0:FD
Description: AP-60319782F5AF
Model: WAC5302D-S
Band: 2.4GHz, Channel: 6
Station: 0
Rx: 101395, Tx: 866288
RxFCS: 42803, TxRetry: 897
TxPower: 15 dBm
Antenna Type: N/A
index: 2
Status: RUN, Loading: -
AP MAC: 60:31:97:82:F5:AF
Radio: 2, OP Mode: AP
Profile: default2, MAC: F0:FD:F0:FD:F0:FD
Description: AP-60319782F5AF
Model: WAC5302D-S
Band: 5GHz, Channel: 36/40
Station: 2
Rx: 864251, Tx: 1076862
RxFCS: 169608, TxRetry: 2816
TxPower: 16 dBm
Antenna Type: N/A
Router(config)#

6.4 Remote AP

Remote AP enables the ZyXEL device to connect to an Access Point (AP) through a secure VPN tunnel. This allows you to set up VPN-enabled WiFi APs in remote locations, such as in a branch office or at home. Clients connected to these APs can securely access your network through the VPN tunnel.
Figure 16 Remote AP: Secure Tunnel SSID
Figure 17 Remote AP: Local Bridge SSID
6.4.1 Remote AP Notes
• When you enable Remote AP, the Zyxel Device automatically creates a secure Network Virtualization Using Generic Routing Encapsulation (NVGRE) over IPSec tunnel between itself and the AP using the default VPN profile _remote_ap_vpn_profile. This profile cannot be edited.
• The first time Remote AP is enabled on an AP, the Zyxel Device adds the CAPWAP-CONTROL service to the service group Default_Allow_WAN_To_ZyWALL. If Remote AP is disabled on all APs, this rule is removed.
• Enabling Remote AP automatically enables Ethernet and wireless storm control on the AP.
• Remote AP is only supported on certain AP models. To check whether an AP supports Remote AP, run the command show capwap ap ap_mac, and then ensure that “Remote AP Capability” equals “Yes”.
• Remote AP only supports IP version 4 (IPv4).
6.4.2 Remote AP Commands
The following table describes the commands available for managing Remote AP (RAP). You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 16 Command Summary: Remote AP Management
COMMAND DESCRIPTION
capwap ap ap_mac
    Enters the sub-command mode for the specified AP.
role remote
    Enables the Remote AP feature on the AP.
no role
    Disables the Remote AP feature on the AP.
rap slot_name ap-profile profile_name
    Sets the radio (slot_name) to AP mode and assigns a created profile to the radio.
no rap slot_name ap-profile
    Removes the AP mode profile assignment for the specified radio (slot_name).
rap slot_name output-power wlan_power
    Sets the output power (between 0 to 30 dBm) for the AP radio.
rap slot_name ssid-profile <1..6> ssid_profile_name [tunlif interface] vid vlan_id
    Sets an SSID profile and VLAN ID that is associated with this AP. You can associate up to six SSID profiles with a Remote AP radio.
    • SSID profiles 1 to 4 are Secure Tunnel SSIDs. Network traffic from clients connected to these SSIDs is sent through the RAP tunnel to the ZyXEL device. The ZyXEL device then sends the traffic out through the interface defined in the SSID profile. This outgoing interface can be overridden by specifying an interface with the command tunlif.
    • SSID profiles 5 and 6 are Local Bridge SSIDs. Network traffic from clients connected to these SSIDs is sent directly to the network through the AP’s local gateway.
    • Traffic is tagged with the VLAN ID defined by vlan_id.
no rap slot_name ssid-profile <1..6>
    Removes the SSID profile from the AP.
show sa monitor [ap-description desc] rap
    Displays the current IPSec SA for each Remote AP.
vpn-policy-pool start start_ip end end_ip
    Sets the start and end IPv4 addresses for the shared Remote AP IP address pool.
    The interface of the RAP IPSec tunnel on the AP is assigned an IP address from this pool.
show vpn-policy-pool
    Displays the start and end IPv4 address for the Remote AP VPN pool.
CHAPTER 7

Built-in AP

If your Zyxel Device has a built-in AP, then use this function to allow WiFi clients to access your Zyxel Device wirelessly to connect to the network.
Note: The Zyxel Device cannot manage external APs when the built-in AP is enabled.
Table 17 Input Values for Built-in AP Commands
LABEL DESCRIPTION
slot_name
    The slot name for the Zyxel Device’s on-board wireless LAN card. Use either slot1 or slot2.

7.1 Built-in AP Commands

Table 18 Command Summary: Built-in AP
COMMAND DESCRIPTION
capwap ap local-ap
    Enter sub-command mode for the built-in AP.
[no] slot_name ap-profile radio_profile_name
    Sets the specified built-in radio to work as an AP and specifies the radio profile the radio is to use.
    Use the no command to remove the specified profile.
[no] slot_name monitor-profile monitor_profile_name
    Sets the specified built-in radio to work in monitor mode and specifies the monitor profile the radio is to use.
    Use the no command to remove the specified profile.
[no] slot_name output-power wlan_power
    Sets the output power (between 0 to 30 dBm) for the built-in AP radio.
    Use the no command to remove the output power setting.
[no] slot_name ssid-profile <1..8> ssid_profile_name
    Sets the SSID profile that is associated with this profile. You can associate up to eight SSID profiles with an AP radio.
    Use the no command to remove the specified profile.
[no] slot_name zymesh-profile zymesh_profile_name
    Sets the ZyMesh profile the built-in AP radio (in root AP or repeater mode) uses to connect to a root AP or repeater.
    Use the no command to remove the specified profile.
ap-group-profile ap-group-profile_name
    Sets the AP group to which the built-in AP belongs.
[no] ap-mode detection activate
    Sets the built-in AP to detect Rogue APs in the network. Use the no parameter to disable rogue AP detection. For details about this feature, see Chapter 10 on page 100.
location location
    Sets the name of the place where the AP is located, for admin reference.
    Use the no command to remove the specified setting.
[no] override slot_name {output-power | radio-setting | ssid-setting}
    Sets the Zyxel Device to overwrite the built-in AP’s output power, radio or SSID profile settings for the specified radio.
    Use the no command to not overwrite the specified settings.
sysname system_name
    Sets a name to identify the AP on a network. This is usually the AP’s fully qualified domain name.
    Use the no command to remove the specified setting.
exit
    Exits sub-command mode.
CHAPTER 8

AP Group

This chapter shows you how to configure AP groups, which define the radio, port, VLAN and load balancing settings and apply the settings to all APs in the group. An AP can belong to one AP group at a time.

8.1 Wireless Load Balancing Overview

Wireless load balancing is the process whereby you limit the number of connections allowed on a wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it. Because there is a hard upper limit on the AP’s wireless bandwidth, this can be a crucial function in areas crowded with wireless users. Rather than let every user connect and subsequently dilute the available bandwidth to the point where each connecting device receives a meager trickle, the load balanced AP instead limits the incoming connections as a means to maintain bandwidth integrity.

8.2 AP Group Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 19 Input Values for General AP Management Commands
LABEL DESCRIPTION
ap_group_profile_name
    The wireless LAN radio profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
slot_name
    The slot name for the AP’s on-board wireless LAN card. Use either slot1 or slot2. (The NWA5560-N supports up to 2 radio slots.)
The following table describes the commands available for AP groups. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 20 Command Summary: AP Group
COMMAND DESCRIPTION
ap-group first-priority ap_group_profile_name
    Sets an AP group file that is used as the default group file. Any AP that is not configured to associate with a specific AP group belongs to the default group automatically.
ap-group flush wtp-setting ap_group_profile_name
    Sets the Zyxel Device to overwrite the settings of all managed APs in the specified group with the group profile settings.
ap-group-member ap_group_wlan_name [no] member local-ap
    Specifies the SSID of the built-in AP that you want to apply the specified AP group profile and add to the group.
    Use the no command to remove the built-in AP from this group.
ap-group-member ap_group_profile_name [no] member mac_address
    Specifies the MAC address of the AP that you want to apply the specified AP group profile and add to the group.
    Use the no command to remove the specified AP from this group.
[no] ap-group-profile ap_group_profile_name
    Enters configuration mode for the specified AP group profile. Use the no command to remove the specified profile.
[no] slot_name ap-profile radio_profile_name
    Sets the specified radio to work as an AP and specifies the radio profile the radio is to use.
    Use the no command to remove the specified profile.
[no] slot_name monitor-profile monitor_profile_name
    Sets the specified radio to work in monitor mode and specifies the monitor profile the radio is to use.
    Use the no command to remove the specified profile.
[no] slot_name output-power wlan_power
    Sets the output power (between 0 to 30 dBm) for the radio on the AP that belongs to this group.
    Use the no command to remove the output power setting.
[no] slot_name ssid-profile <1..8> ssid_profile_name
    Sets the SSID profile that is associated with this profile.
    You can associate up to eight SSID profiles with an AP radio.
    Use the no command to remove the specified profile.
[no] slot_name repeater-ap radio_profile_name
    Sets the specified AP radio to work as a repeater and specifies the radio profile the radio is to use.
    Use the no command to remove the specified profile.
[no] slot_name root-ap radio_profile_name
    Sets the specified radio to work as a root AP and specifies the radio profile the radio is to use.
    A root AP supports the wireless connections with other APs (in repeater mode) to form a ZyMesh to extend its wireless network.
    Use the no command to remove the specified profile.
[no] slot_name zymesh-profile zymesh_profile_name
    Sets the ZyMesh profile the radio (in root AP or repeater mode) uses to connect to a root AP or repeater.
    Use the no command to remove the specified profile.
description description
    Sets a description for this group. You can use up to 31 characters, spaces and underscores allowed.
    Use the no command to remove the specified description.
exit
    Exits configuration mode for this profile.
[no] force vlan
    Sets the Zyxel Device to change the AP’s management VLAN to match the configuration in this profile.
    Use the no command to not change the AP’s management VLAN setting.
[no] lan-provision model {nwa5301-nj | wac6502d-e | wac6502d-s | wac6503d-s | wac6553d-e} ap_lan_port activate pvid <1..4094>
    Sets the model of the managed AP, enables the model-specific LAN port and configures the port VLAN ID.
    Use the no command to remove the specified port and VLAN settings.
    ap_lan_port: the Ethernet LAN port on the managed AP, such as lan1 or lan2.
[no] lan-provision model {nwa5301-nj | wac6502d-e | wac6502d-s | wac6503d-s | wac6553d-e} ap_lan_port inactivate pvid <1..4094>
    Sets the model of the managed AP, disables the model-specific LAN port and configures the port VLAN ID.
    Use the no command to remove the specified port and VLAN settings.
    ap_lan_port: the Ethernet LAN port on the managed AP, such as lan1 or lan2.
[no] lan-provision model {nwa5301-nj | wac6502d-e | wac6502d-s | wac6503d-s | wac6553d-e} vlan_interface activate vid <1..4094> join ap_lan_port {tag | untag} [ap_lan_port {tag | untag}] [ap_lan_port {tag | untag}]
    Sets the model of the managed AP, enables a VLAN and configures the VLAN ID. It also sets the Ethernet port(s) on the managed AP to be a member of the VLAN, and sets the port(s) to send packets with or without a VLAN tag.
    Use the no command to remove the specified port and VLAN settings.
    vlan_interface: the name of the VLAN, such as vlan0.
    ap_lan_port: the Ethernet LAN port on the managed AP, such as lan1 or lan2.
[no] lan-provision model {nwa5301-nj | wac6502d-e | wac6502d-s | wac6503d-s | wac6553d-e} vlan_interface inactivate vid <1..4094> join ap_lan_port {tag | untag} [ap_lan_port {tag | untag}] [ap_lan_port {tag | untag}]
    Sets the model of the managed AP, disables a VLAN and configures the VLAN ID. It also sets the Ethernet port(s) on the managed AP to be a member of the VLAN, and sets the port(s) to send packets with or without a VLAN tag.
    Use the no command to remove the specified port and VLAN settings.
    vlan_interface: the name of the VLAN, such as vlan0.
    ap_lan_port: the Ethernet LAN port on the managed AP, such as lan1 or lan2.
[no] load-balancing [slot1 | slot2] activate
    Enables load balancing. Use the no parameter to disable it.
    Optionally specify a radio slot.
load-balancing [slot1 | slot2] alpha <1..255>
    Sets the load balancing alpha value.
    When the AP is balanced, then this setting delays a client’s association with it by this number of seconds.
    Note: This parameter has been optimized for the Zyxel Device and should not be changed unless you have been specifically directed to do so by Zyxel support.
load-balancing [slot1 | slot2] beta <1..255>
    Sets the load balancing beta value.
    When the AP is overloaded, then this setting delays a client’s association with it by this number of seconds.
    Note: This parameter has been optimized for the Zyxel Device and should not be changed unless you have been specifically directed to do so by Zyxel support.
load-balancing [slot1 | slot2] kickInterval <1..255>
    Enables the kickout feature for load balancing and also sets the kickout interval in seconds. While load balancing is enabled, the AP periodically disconnects stations at intervals equal to this setting.
    This occurs until the load balancing threshold is no longer exceeded.
Chapter 8 AP Group

[no] load-balancing [slot1 | slot2] kickout
Enables an overloaded AP to disconnect (“kick”) idle clients or clients with noticeably weak connections.

load-balancing [slot1 | slot2] liInterval <1..255>
Sets the interval in seconds that each AP communicates with the other APs in its range for calculating the load balancing algorithm.
Note: This parameter has been optimized for the Zyxel Device and should not be changed unless you have been specifically directed to do so by Zyxel support.

load-balancing [slot1 | slot2] max sta <1..127>
If load balancing by the number of stations/wireless clients, this sets the maximum number of devices allowed to connect to a load-balanced AP.

load-balancing mode [slot1 | slot2] {station | traffic | smart-classroom}
Enables load balancing based on either number of stations (also known as wireless clients) or wireless traffic on an AP.
station or traffic: once the threshold is crossed (either the maximum station numbers or with network traffic), the AP delays association request and authentication request packets from any new station that attempts to make a connection.
smart-classroom: the AP ignores association request and authentication request packets from any new station when the maximum number of stations is reached.

load-balancing [slot1 | slot2] sigma <51..100>
Sets the load balancing sigma value.
This value is an algorithm parameter used to calculate whether an AP is considered overloaded, balanced, or underloaded. It only applies to ‘by traffic mode’.
Note: This parameter has been optimized for the Zyxel Device and should not be changed unless you have been specifically directed to do so by Zyxel support.

load-balancing [slot1 | slot2] timeout <1..255>
Sets the length of time that an AP retains load balancing information it receives from other APs within its range.

load-balancing [slot1 | slot2] traffic level {high | low | medium}
If load balancing by traffic threshold, this sets the traffic threshold level.

vlan <1..4094> {tag | untag}
Sets the management VLAN ID for the AP(s) in this group as well as whether packets sent to and from that VLAN ID are tagged or untagged.

show ap-group first-priority
Displays the name of the default AP group profile.

show ap-group-profile {all | ap_group_profile_name}
Displays the settings of the AP group profile(s).
all: Displays all profiles.
ap_group_profile_name: Displays the specified profile.

show ap-group-profile ap_group_profile_name load-balancing config
Displays the load balancing configuration of the specified AP group profile.

show ap-group-profile ap_group_profile_name lan-provision interface {all | vlan | ethernet | ap_lan_port | vlan_interface} model {nwa5301-nj | wac6502d-e | wac6502d-s | wac6503d-s | wac6553d-e}
Displays the LAN port and/or VLAN settings on the managed AP which is in the specified AP group and of the specified model.
vlan_interface: the name of the VLAN, such as vlan0.
ap_lan_port: the Ethernet LAN port on the managed AP, such as lan1 or lan2.

show ap-group-profile ap_group_profile_name lan-provision model
Shows the model name of the managed AP which belongs to the specified AP group.

show ap-group-profile rule_count
Displays how many AP group profiles have been configured on the Zyxel Device.

ap-group-profile rename ap_group_profile_name1 ap_group_profile_name2
Gives an existing AP group profile (ap_group_profile_name1) a new name (ap_group_profile_name2).

8.2.1 AP Group Examples

The following example shows you how to create an AP group profile (named “TEST”) and configure the AP’s first radio to work in repeater mode using the “default” radio profile and the “ZyMesh_TEST” ZyMesh profile. It also adds the AP with the MAC address 00:a0:c5:01:23:45 to this AP group.
Router(config)# ap-group-profile TEST
Router(config-ap-group TEST)# slot1 repeater-ap default
Router(config-ap-group TEST)# exit
Router(config)# ap-group-member TEST member 00:a0:c5:01:23:45
Router(config)#
The following example shows you how to create an AP group profile (named GP1) and configure AP load balancing in "by station" mode. The maximum number of stations is set to 1.
Router(config)# ap-group-profile GP1
Router(config-ap-group GP1)# load-balancing mode station
Router(config-ap-group GP1)# load-balancing max sta 1
Router(config-ap-group GP1)# exit
Router(config)# show ap-group-profile GP1 load-balancing config
AP Group Profile:GP1 load balancing config:
Activate: yes
Kickout: no
Mode: station
Max-sta: 1
Traffic-level: high
Alpha: 5
Beta: 10
Sigma: 60
Timeout: 20
LIInterval: 10
KickoutInterval: 20
Router(config)#
The following example shows you how to create an AP group profile (named GP2) and configure AP load balancing in "by traffic" mode. The traffic level is set to low, and "disassociate station" is enabled.
Router(config)# ap-group-profile GP2
Router(config-ap-group GP2)# load-balancing mode traffic
Router(config-ap-group GP2)# load-balancing traffic level low
Router(config-ap-group GP2)# load-balancing kickout
Router(config-ap-group GP2)# exit
Router(config)# show ap-group-profile GP2 load-balancing config
AP Group Profile:GP2 load balancing config:
Activate: yes
Kickout: yes
Mode: traffic
Max-sta: 1
Traffic-level: low
Alpha: 5
Beta: 10
Sigma: 60
Timeout: 20
LIInterval: 10
KickoutInterval: 20
Router(config)#
The following example shows the settings and status of the VLAN(s) configured for the managed APs (NWA5301-NJ) in the default AP group.
Router(config)# show ap-group-profile default lan-provision interface vlan model nwa5301-nj
No.  Name    Active  VID  Member
===========================================================================
1    vlan0   yes     1    lan1,lan2,lan3
Router(config)# show ap-group-profile default lan-provision interface vlan0 model nwa5301-nj
active: yes
interface name: vlan0
VID: 1
member: lan1&lan2&lan3
lan1_tag: untag
lan2_tag: untag
lan3_tag: untag
Router(config)#
The following example shows the status of Ethernet ports for the managed APs (NWA5301-NJ) in the default AP group. It also shows whether the lan1 port is enabled and what the port’s VLAN ID is.
Router(config)# show ap-group-profile default lan-provision interface ethernet model nwa5301-nj
No.  Name    Active  PVID
===========================================================================
1    uplink  yes     n/a
2    lan1    yes     1
3    lan2    yes     1
4    lan3    yes     1
Router(config)# show ap-group-profile default lan-provision interface lan1 model nwa5301-nj
Name    Active  PVID
===========================================================================
lan1    yes     1
Router(config)#
Chapter 9 Wireless LAN Profiles

Wireless LAN Profiles

This chapter shows you how to configure wireless LAN profiles on your Zyxel Device.

9.1 Wireless LAN Profiles Overview

The managed Access Points designed to work explicitly with your Zyxel Device do not have on-board configuration files, so you must create “profiles” to manage them. Profiles are preset configurations that are uploaded to the APs and which manage them. They include: Radio and Monitor profiles, SSID profiles, Security profiles, and MAC Filter profiles. Altogether, these profiles give you absolute control over your wireless network.

9.2 AP Radio & Monitor Profile Commands

The radio profile commands allow you to set up configurations for the radios onboard your various APs. The monitor profile commands allow you to set up monitor mode configurations that allow your APs to scan for other APs in the vicinity.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 21 Input Values for General Radio and Monitor Profile Commands
LABEL DESCRIPTION
radio_profile_name
The radio profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

monitor_profile_name
The monitor profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

interval
Enters the dynamic channel selection interval time. The range is 10 ~ 1440 minutes.

wlan_role
Sets the wireless LAN radio operating mode. At the time of writing, you can use ap for Access Point.

wireless_channel_2g
Sets the 2 GHz channel used by this radio profile. The channel range is 1 ~ 14.
Note: Your choice of channel may be restricted by regional regulations.

wireless_channel_5g
Sets the 5 GHz channel used by this radio profile. The channel range is 36 ~ 165.
Note: Your choice of channel may be restricted by regional regulations.

wlan_htcw
Sets the HT channel width. Select either 20, 20/40 or 20/40/80.

wlan_htgi
Sets the HT guard interval. Select either long or short.

chain_mask
Sets the network traffic chain mask. The range is 1 ~ 7.

wlan_power
Sets the radio output power.

scan_method
Sets the radio’s scan method while in Monitor mode. Select manual or auto.

wlan_interface_index
Sets the radio interface index number. The range is 1 ~ 8.

ssid_profile
Sets the associated SSID profile name. This name must be an existing SSID profile.
You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

The following table describes the commands available for radio and monitor profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 22 Command Summary: Radio Profile
COMMAND DESCRIPTION
show wlan-radio-profile {all | radio_profile_name}
Displays the radio profile(s).
all: Displays all profiles.
radio_profile_name: Displays the specified profile.

dcs dfs-aware {enable|disable}
Enable this to force the Zyxel Device to only use the non-DFS channels.
Disable this to allow the Zyxel Device to use the DFS channels for more channel options.
Dynamic Frequency Selection (DFS) is a WiFi channel allocation scheme that allows APs to use channels in the 5 GHz band normally reserved for radar. Before using a DFS channel, an AP must ensure there is no radar present by performing a Channel Availability Check (CAC). This check takes 1-10 minutes, depending on the country in which the AP is located.

wlan-radio-profile rename radio_profile_name1 radio_profile_name2
Gives an existing radio profile (radio_profile_name1) a new name (radio_profile_name2).

[no] wlan-radio-profile radio_profile_name
Enters configuration mode for the specified radio profile. Use the no parameter to remove the specified profile.

2g-basic-speed speed

2g-channel wireless_channel_2g
Sets the broadcast band for this profile in the 2.4 GHz frequency range. The default is 6.

2g-multicast-speed wlan_2g_support_speed
When you disable multicast to unicast, use this command to set the data rate { 1.0 | 2.0 | … } in Mbps for 2.4 GHz multicast traffic.

2g-wlan-rate-control rate_2g
Sets the minimum data rate that 2.4 GHz WiFi clients can connect at, in Mbps. At the time of writing, allowed values are: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54.
Increasing the minimum data rate can reduce network overhead and improve WiFi network performance in high density environments. However, WiFi clients that do not support the minimum data rate will not be able to connect to the AP.

5g-basic-speed speed

5g-channel wireless_channel_5g
Sets the broadcast band for this profile in the 5 GHz frequency range. The default is 36.

5g-multicast-speed wlan_5g_basic_speed
When you disable multicast to unicast, use this command to set the data rate { 6.0 | 9.0 | … } in Mbps for 5 GHz multicast traffic.

5g-wlan-rate-control rate_5g
Sets the minimum data rate that 5 GHz WiFi clients can connect at, in Mbps. At the time of writing, allowed values are: 6, 9, 12, 18, 24, 36, 48, 54.
Increasing the minimum data rate can reduce network overhead and improve WiFi network performance in high density environments. However, WiFi clients that do not support the minimum data rate will not be able to connect to the AP.

6g-channel wireless_channel_6g
Sets the broadcast band for this profile in the 6 GHz frequency range.

6g-multicast-speed wlan_6g_basic_speed
When you disable multicast to unicast, use this command to set the data rate in Mbps for 6 GHz multicast traffic.

6g-wlan-rate-control rate_6g
Sets the minimum data rate that 6 GHz WiFi clients can connect at, in Mbps. At the time of writing, allowed values are: 6, 9, 12, 18, 24, 36, 48, 54.
Increasing the minimum data rate can reduce network overhead and improve WiFi network performance in high density environments. However, WiFi clients that do not support the minimum data rate will not be able to connect to the AP.

[no] activate
Makes this radio profile active or inactive.

[no] ampdu
Activates MPDU frame aggregation for this profile. Use the no parameter to disable it.
Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates.
By default this is enabled.

limit-ampdu <100..65535>
Sets the maximum frame size to be aggregated using MPDU.
By default this is 50000.

subframe-ampdu <2..64>
Sets the maximum number of frames to be aggregated each time.
By default this is 32.

[no] amsdu
Activates MPDU frame aggregation for this profile. Use the no parameter to disable it.
MAC Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header. This method is useful for increasing bandwidth throughput. It is also more efficient than A-MPDU except in environments that are prone to high error rates.
By default this is enabled.

limit-amsdu <2290..4096>
Sets the maximum frame size to be aggregated using MPDU. The default is 4096.

band {2.4G | 5G | 6G} band-mode {bg | bgn | a | ac | an | bgnax | anacax | ax}
Sets the radio band (2.4 GHz, 5 GHz or 6 GHz) and band mode for this profile. Band mode details:
For 2.4 GHz, bg lets IEEE 802.11b and IEEE 802.11g clients associate with the AP.
For 2.4 GHz, bgn lets IEEE 802.11b, IEEE 802.11g, and IEEE 802.11n clients associate with the AP.
For 2.4 GHz, bgnax lets IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, and IEEE 802.11ax clients associate with the AP.
For 5 GHz, a lets only IEEE 802.11a clients associate with the AP.
For 5 GHz, ac lets IEEE 802.11a, IEEE 802.11n, and IEEE 802.11ac clients associate with the AP.
For 5 GHz, an lets IEEE 802.11a and IEEE 802.11n clients associate with the AP.
For 5 GHz, anacax lets IEEE 802.11a, IEEE 802.11n, IEEE 802.11ac, and IEEE 802.11ax clients associate with the AP.
For 6 GHz, ax lets IEEE 802.11ax clients associate with the AP.

beacon-interval <40..1000>
Sets the beacon interval for this profile.
When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low-power mode before waking up to handle the beacon. This value can be set from 40ms to 1000ms. A high value helps save current consumption of the access point.
The default is 100.

[no] block-ack
Makes block-ack active or inactive. Use the no parameter to disable it.

bss-color <0~63>
Sets the BSS color of the AP, which distinguishes it from other nearby APs when they transmit over the same channel. Set it to 0 to automatically assign a BSS color.

[no] disable-bss-color
Disables BSS coloring. Use the no command to enable BSS coloring.

ch-width wlan_htcw
Sets the channel width for this profile.

country-code country_code
Sets the country where the Zyxel Device is located/installed.
The available channels vary depending on the country you selected. Be sure to select the correct/same country for both radios on an AP and all connected APs, in order to prevent roaming failure and interference to other systems.
country_code: 2-letter country-codes, such as TW, DE, or FR.

[no] ctsrts <0..2347>
Sets or removes the RTS/CTS value for this profile.
Use RTS/CTS to reduce data collisions on the wireless network if you have wireless clients that are associated with the same AP but out of range of one another. When enabled, a wireless client sends an RTS (Request To Send) and then waits for a CTS (Clear To Send) before it transmits. This stops wireless clients from transmitting packets at the same time (and causing data collisions).
A wireless client sends an RTS for all packets larger than the number (of bytes) that you enter here. Set the RTS/CTS equal to or higher than the fragmentation threshold to turn RTS/CTS off.
The default is 2347.

[no] dcs activate
Starts dynamic channel selection to automatically find a less-used channel in an environment where there are many APs and there may be interference. Use the no parameter to turn it off.

dcs 2g-selected-channel 2.4g_channels
Specifies the channels that are available in the 2.4 GHz band when you manually configure the channels an AP can use.

dcs 5g-selected-channel 5g_channels
Specifies the channels that are available in the 5 GHz band when you manually configure the channels an AP can use.

dcs 6g-selected-channel 6g_channels
Specifies the channels that are available in the 6 GHz band when you manually configure the channels an AP can use.

dcs dcs-2g-method {auto|manual}
Sets the AP to automatically search for available channels or manually configure the channels the AP uses in the 2.4 GHz band.

dcs dcs-5g-method {auto|manual}
Sets the AP to automatically search for available channels or manually configure the channels the AP uses in the 5 GHz band.

dcs dcs-6g-method {auto|manual}
Sets the AP to automatically search for available channels or manually configure the channels the AP uses in the 6 GHz band.

dcs client-aware {enable|disable}
When enabled, this ensures that an AP will not change channels as long as a client is connected to it. If disabled, the AP may change channels regardless of whether it has clients connected to it or not.

dcs channel-deployment {3-channel|4-channel}
Sets either a 3-channel deployment or a 4-channel deployment.
In a 3-channel deployment, the AP running the scan alternates between the following channels: 1, 6, and 11.
In a 4-channel deployment, the AP running the scan alternates between the following channels: 1, 4, 7, and 11 (FCC) or 1, 5, 9, and 13 (ETSI).
Sets the option that is applicable to your region. (Channel deployment may be regulated differently between countries and locales.)

dcs dfs-aware {enable|disable}
Enable this to allow an AP to avoid phase DFS channels below the 5 GHz spectrum.
Note: This feature is automatically disabled when Zero-Wait DFS is enabled.

dcs mode {interval|schedule}
Sets the AP to use DCS at the end of the specified time interval or at a specific time on selected days of the week.

dcs schedule <hh:mm> {mon|tue|wed|thu|fri|sat|sun}
Sets what time of day (in 24-hour format) the AP starts to use DCS on the specified day(s) of the week.

dcs sensitivity-level {high|medium|low}
Sets how sensitive DCS is to radio channel changes in the vicinity of the AP running the scan.

dcs time-interval interval
Sets the interval that specifies how often DCS should run.

description description
Sets the description of the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-).

[no] disable-dfs-switch
Makes the DFS switch active or inactive. By default this is inactive.

dot11-preamble {long|short}

[no] dot11n-disable-coexistence
Fixes the channel bandwidth as 40 MHz. The no command has the AP automatically choose 40 MHz if all the clients support it or 20 MHz if some clients only support 20 MHz.

dtim-period <1..255>
Sets the DTIM period for this profile.
Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. This value can be set from 1 to 255.
The default is 1.

[no] force-mu-mimo

[no] frag <256..2346>
Sets or removes the fragmentation value for this profile.
The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent.
The default is 2346.

guard-interval wlan_htgi
Sets the guard interval for this profile.
The default for this is short.

[no] htprotect
Activates HT protection for this profile. Use the no parameter to disable it. By default, this is disabled.

[no] ignore-country-ie
Prevents the AP from broadcasting a country code, also called a country Information Element (IE), in beacon frames. This makes the AP incompatible with 802.11d networks and devices. The no command allows the AP to broadcast the country code.
802.11d is a WiFi network specification that allows an AP to broadcast a country code to WiFi clients. The country code tells clients where the AP is located.
Note: Run this command if WiFi clients are unable to connect to the AP because of an incompatible country code.

max-sw-retries <0..10>

[no] multicast-to-unicast
“Multicast to unicast” broadcasts wireless multicast traffic to all wireless clients as unicast traffic to provide more reliable transmission. The data rate changes dynamically based on the application’s bandwidth requirements. Although unicast provides more reliable transmission of the multicast traffic, it also produces duplicate packets.
The no command turns multicast to unicast off to send wireless multicast traffic at the rate you specify with the 2g-multicast-speed, 5g-multicast-speed or 6g-multicast-speed command.

[no] nol-channel-block
Enables or disables temporary DFS channel blacklisting. If enabled, the AP will block a DFS channel if it detects a radar signal within that range.
Note: This feature is automatically disabled when Zero-Wait DFS is enabled.

output-power wlan_power
Sets the output power (between 0 to 30 dBm) for the radio in this profile.

pn-check-thres <0..100>

[no] reject-legacy-station

role wlan_role
Sets the profile’s wireless LAN radio operating mode.

rssi-dbm <-20~-76>
When using the RSSI threshold, set a minimum client signal strength for connecting to the AP. -20 dBm is the strongest signal you can require and -76 is the weakest.

rssi-interval <1..86400>

rssi-kickout <-20~-105>
Sets a minimum kick-off signal strength. When a wireless client’s signal strength is lower than the specified threshold, the Zyxel Device disconnects the wireless client from the AP.
-20 dBm is the strongest signal you can require and -105 is the weakest.

rssi-optype <0-3>

rssi-privilegetime

[no] rssi-retry
Allows a wireless client to try to associate with the AP again after it is disconnected due to weak signal strength.
Use the no parameter to disallow it.

rssi-retrycount <1~100>
Sets the maximum number of times a wireless client can attempt to re-connect to the AP.

[no] rssi-thres
Sets whether or not to use the Received Signal Strength Indication (RSSI) threshold to ensure wireless clients receive good throughput. This allows only wireless clients with a strong signal to connect to the AP.

rssi-verifytime

rx-mask chain_mask
Sets the incoming chain mask rate.

schedule schedule_object
Sets the radio profile to be active according to the schedule defined by the specified schedule object.

[no] ssid-profile wlan_interface_index ssid_profile
Assigns an SSID profile to this radio profile. Requires an existing SSID profile. Use the no parameter to disable it.

subframe-ampdu <2..64>

[no] suppress-retry-rts

tx-mask chain_mask
Sets the outgoing chain mask rate.

[no] zero-wait-dfs
Enables or disables zero-wait DFS (Dynamic Frequency Selection) on the AP.
Note: Zero-wait DFS is only supported on certain AP models, such as the WAX650S.
DFS is a WiFi channel allocation scheme that allows APs to use channels in the 5 GHz band normally reserved for radar. Before using a DFS channel, an AP must ensure that no radar is present by performing a Channel Availability Check (CAC). This check takes 1-10 minutes, depending on the country in which the AP is located.
Zero-Wait DFS allows an AP to provide network services to WiFi clients using a primary 5 GHz radio, while simultaneously checking DFS channels for the presence of radar using a secondary 5 GHz radio. If no radar is detected on a DFS channel, the AP adds it to a list of cleared channels. The AP can then switch the primary radio to any cleared DFS channel without having to wait 1-10 minutes for a Channel Availability Check.
Note: When zero-wait DFS is enabled, 5 GHz DFS Aware (dcs dfs-aware) and Blacklist DFS Channels (nol-channel-block) are automatically disabled on the AP.

exit
Exits configuration mode for this profile.

storm-control ethernet ap mac_address
Enables Ethernet storm control and then enters the Ethernet storm control sub-command mode for the specified radio profile.
Ethernet storm control prevents WiFi clients from receiving excessive broadcast or multicast traffic sent from wired clients in the same subnet.

[no] broadcast
Enables or disables broadcast storm control, which drops broadcast packets from ingress traffic if the traffic rate exceeds the configured maximum rate.

broadcast pps <1~10000>
Sets the maximum allowed rate for broadcast traffic, in packets per second.

[no] multicast
Enables or disables multicast storm control, which drops multicast packets from ingress traffic if the traffic rate exceeds the configured maximum rate.

multicast pps <1~10000>
Sets the maximum allowed rate for multicast traffic, in packets per second.

exit
Exits configuration mode for this profile.

no storm-control ethernet ap mac_address
Disables Ethernet broadcast and multicast storm control, and removes all Ethernet storm control settings for the specified AP.

storm-control wireless ap mac_address
Enables wireless storm control and then enters the wireless storm control sub-command mode for the specified AP.
Wireless storm control prevents wired clients from receiving excessive broadcast or multicast traffic sent from WiFi clients in the same subnet.
Note: To enable wireless storm control, Remote AP must be enabled on the AP and the AP must be running firmware version 6.20 or later.

[no] broadcast
Enables or disables broadcast storm control, which drops broadcast packets from ingress traffic if the traffic rate exceeds the configured maximum rate.

broadcast pps <1~10000>
Sets the maximum allowed rate for broadcast traffic, in packets per second.

[no] multicast
Enables or disables multicast storm control, which drops multicast packets from ingress traffic if the traffic rate exceeds the configured maximum rate.

multicast pps <1~10000>
Sets the maximum allowed rate for multicast traffic, in packets per second.

exit
Exits configuration mode for this profile.

no storm-control wireless ap mac_address
Disables wireless broadcast and multicast storm control, and removes all wireless storm control settings for the specified AP.

show storm-control ethernet ap mac_address
Displays broadcast/multicast storm control settings on the specified AP.

show wlan-monitor-profile {all | monitor_profile_name}
Displays all monitor profiles or just the specified one.

wlan-monitor-profile rename monitor_profile_name1 monitor_profile_name2
Gives an existing monitor profile (monitor_profile_name1) a new name (monitor_profile_name2).

[no] wlan-monitor-profile monitor_profile_name
Enters configuration mode for the specified monitor profile. Use the no parameter to remove the specified profile.

[no] activate
Makes this profile active or inactive. By default, this is enabled.

country-code country_code
Sets the country where the Zyxel Device is located/installed.
The available channels vary depending on the country you selected. Be sure to select the correct/same country for both radios on an AP and all connected APs, in order to prevent roaming failure and interference to other systems.
country_code: 2-letter country-codes, such as TW, DE, or FR.

scan-method scan_method
Sets the channel scanning method for this profile.

[no] 2g-scan-channel wireless_channel_2g
Sets the broadcast band for this profile in the 2.4 GHz frequency range. Use the no parameter to disable it.

[no] 5g-scan-channel wireless_channel_5g
Sets the broadcast band for this profile in the 5 GHz frequency range. Use the no parameter to disable it.

scan-dwell <100..1000>
Sets the duration in milliseconds that the device using this profile scans each channel.

exit
Exits configuration mode for this profile.

9.2.1 AP Radio & Monitor Profile Commands Example
The following example shows you how to set up the radio profile named ‘RADIO01’, activate it, and configure it to use the following settings:
• 2.4G band with channel 6
• channel width of 20MHz
• a DTIM period of 2
• a beacon interval of 100ms
• AMPDU frame aggregation enabled
• an AMPDU buffer limit of 65535 bytes
• an AMPDU subframe limit of 64 frames
• AMSDU frame aggregation enabled
• an AMSDU buffer limit of 4096
• block acknowledgement enabled
• a short guard interval
• an output power of 100%
It will also assign the SSID profile labeled ‘default’ in order to create WLAN VAP (wlan-1-1) functionality within the radio profile.
Router(config)# wlan-radio-profile RADIO01
Router(config-profile-radio)# activate
Router(config-profile-radio)# band 2.4G band-mode bgn
Router(config-profile-radio)# 2g-channel 6
Router(config-profile-radio)# ch-width 20/40
Router(config-profile-radio)# dtim-period 2
Router(config-profile-radio)# beacon-interval 100
Router(config-profile-radio)# ampdu
Router(config-profile-radio)# limit-ampdu 65535
Router(config-profile-radio)# subframe-ampdu 64
Router(config-profile-radio)# amsdu
Router(config-profile-radio)# limit-amsdu 4096
Router(config-profile-radio)# block-ack
Router(config-profile-radio)# guard-interval short
Router(config-profile-radio)# tx-mask 5
Router(config-profile-radio)# rx-mask 7
Router(config-profile-radio)# output-power 21dBm
Router(config-profile-radio)# ssid-profile 1 default
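A radio profile script can be checked offline against the value ranges, band modes and DFS/multicast notes listed in Table 21 and Table 22 before it is entered on the Zyxel Device. The Python code below is an added example, not part of this guide or of the Zyxel firmware; it goes beyond the RADIO01 case to cover the other ranged commands in the tables, and the function name lint_radio_profile, the finding messages and the deliberately wrong script are assumptions made for illustration.

```python
import re

# Ranges and choices as listed in Table 21 and Table 22 of this guide.
INT_RANGES = {
    "2g-channel": (1, 14), "5g-channel": (36, 165), "bss-color": (0, 63),
    "limit-ampdu": (100, 65535), "subframe-ampdu": (2, 64),
    "limit-amsdu": (2290, 4096), "beacon-interval": (40, 1000),
    "dtim-period": (1, 255), "ctsrts": (0, 2347), "frag": (256, 2346),
    "rssi-dbm": (-76, -20), "rssi-kickout": (-105, -20),
    "rssi-retrycount": (1, 100), "max-sw-retries": (0, 10),
    "tx-mask": (1, 7), "rx-mask": (1, 7), "output-power": (0, 30),
    "ssid-profile": (1, 8),  # first argument is wlan_interface_index
}
ENUMS = {"ch-width": {"20", "20/40", "20/40/80"}, "guard-interval": {"long", "short"}}
BAND_MODES = {"2.4G": {"bg", "bgn", "bgnax"}, "5G": {"a", "ac", "an", "anacax"}, "6G": {"ax"}}
CHANNEL_BAND = {"2g-channel": "2.4G", "5g-channel": "5G", "6g-channel": "6G"}
NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")  # 1-31 chars, no leading digit
PROMPT_RE = re.compile(r"^[\w.-]+\([^)]*\)#\s*")  # e.g. "Router(config)# "
INT_RE = re.compile(r"-?\d+")  # leading integer, so "21dBm" reads as 21


def lint_radio_profile(script):
    """Return 'line N: message' findings for a wlan-radio-profile script."""
    findings, channels = [], []
    band = zero_wait = dfs_aware = nol_block = m2u_on = mcast_speed = None
    for lineno, raw in enumerate(script.splitlines(), 1):
        tokens = PROMPT_RE.sub("", raw.strip()).split()
        negated = bool(tokens) and tokens[0] == "no"
        tokens = tokens[1:] if negated else tokens
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "wlan-radio-profile" and args and args[0] != "rename":
            if not NAME_RE.fullmatch(args[0]):
                findings.append(f"line {lineno}: invalid profile name {args[0]!r}")
        elif cmd == "band" and len(args) >= 3:
            band, mode = args[0], args[2]
            if mode not in BAND_MODES.get(band, ()):
                findings.append(f"line {lineno}: band-mode {mode} is not valid for {band}")
        elif cmd == "dcs" and args[:2] == ["dfs-aware", "enable"]:
            dfs_aware = lineno
        elif cmd == "nol-channel-block" and not negated:
            nol_block = lineno
        elif cmd == "zero-wait-dfs" and not negated:
            zero_wait = lineno
        elif cmd == "multicast-to-unicast":
            m2u_on = not negated
        elif cmd.endswith("-multicast-speed"):
            mcast_speed = lineno
        elif cmd in ENUMS and args and args[0] not in ENUMS[cmd]:
            findings.append(f"line {lineno}: {cmd} {args[0]} is not a listed choice")
        if cmd in CHANNEL_BAND:
            channels.append((lineno, cmd))
        if cmd in INT_RANGES and args:
            lo, hi = INT_RANGES[cmd]
            num = INT_RE.match(args[0])
            if num is None or not lo <= int(num.group()) <= hi:
                findings.append(f"line {lineno}: {cmd} {args[0]} outside {lo}..{hi}")
    # Cross-command checks taken from the notes in Table 22.
    for lineno, cmd in channels:
        if band in BAND_MODES and CHANNEL_BAND[cmd] != band:
            findings.append(f"line {lineno}: {cmd} set but the profile band is {band}")
    if zero_wait:
        for lineno, name in ((dfs_aware, "dcs dfs-aware"), (nol_block, "nol-channel-block")):
            if lineno:
                findings.append(f"line {lineno}: {name} is disabled automatically by zero-wait-dfs")
    if m2u_on and mcast_speed:
        findings.append(f"line {mcast_speed}: multicast speed applies only with multicast-to-unicast off")
    return findings


# The RADIO01 example from section 9.2.1, prompts removed.
PAGE_EXAMPLE = "\n".join([
    "wlan-radio-profile RADIO01", "activate", "band 2.4G band-mode bgn",
    "2g-channel 6", "ch-width 20/40", "dtim-period 2", "beacon-interval 100",
    "ampdu", "limit-ampdu 65535", "subframe-ampdu 64", "amsdu",
    "limit-amsdu 4096", "block-ack", "guard-interval short", "tx-mask 5",
    "rx-mask 7", "output-power 21dBm", "ssid-profile 1 default",
])

# Constructed script with deliberate mistakes (not from the guide).
CONSTRUCTED_BAD = """\
Router(config)# wlan-radio-profile 5ghz_lab
Router(config-profile-radio)# band 5G band-mode bgn
Router(config-profile-radio)# 2g-channel 6
Router(config-profile-radio)# beacon-interval 20
Router(config-profile-radio)# limit-amsdu 8000
Router(config-profile-radio)# zero-wait-dfs
Router(config-profile-radio)# dcs dfs-aware enable
Router(config-profile-radio)# multicast-to-unicast
Router(config-profile-radio)# 5g-multicast-speed 6.0
Router(config-profile-radio)# rssi-kickout -110
"""

if __name__ == "__main__":
    print("\n".join(lint_radio_profile(CONSTRUCTED_BAD)) or "no findings")
```

The RADIO01 script from this section produces no findings; the constructed script produces one finding per deliberate mistake.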

9.3 SSID Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 23 Input Values for General SSID Profile Commands
LABEL DESCRIPTION
ssid_profile_name
    The SSID profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
ssid
    The SSID broadcast name. You may use 1-32 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
wlan_qos
    Sets the type of QoS the SSID should use.
    disable: Turns off QoS for this SSID.
    wmm: Turns on QoS for this SSID. It automatically assigns Access Categories to packets as the device inspects them in transit.
    wmm_be: Assigns the “best effort” Access Category to all traffic moving through the SSID regardless of origin.
    wmm_bk: Assigns the “background” Access Category to all traffic moving through the SSID regardless of origin.
    wmm_vi: Assigns the “video” Access Category to all traffic moving through the SSID regardless of origin.
    wmm_vo: Assigns the “voice” Access Category to all traffic moving through the SSID regardless of origin.
vlan_iface
    The VLAN interface name of the controller (in this case, it is Zyxel Device). The maximum VLAN interface number is product-specific; for the Zyxel Device, the number is 512.
securityprofile
    Assigns an existing security profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
macfilterprofile
    Assigns an existing MAC filter profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
description2
    Sets the description of the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
The following table describes the commands available for SSID profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 24 Command Summary: SSID Profile
COMMAND DESCRIPTION
show wlan-ssid-profile {all | ssid_profile_name}
    Displays the SSID profile(s).
    all: Displays all profiles for the selected operating mode.
    ssid_profile_name: Displays the specified profile for the selected operating mode.
wlan-ssid-profile rename ssid_profile_name1 ssid_profile_name2
    Gives an existing SSID profile (ssid_profile_name1) a new name (ssid_profile_name2).
[no] wlan-ssid-profile ssid_profile_name
    Enters configuration mode for the specified SSID profile. Use the no parameter to remove the specified profile.
[no] bandselect balance-ratio <1..8>
    Sets a ratio of the wireless clients using the 5 GHz band to the wireless clients using the 2.4 GHz band. Use the no parameter to turn off this feature.
bandselect check-sta-interval <1..60000>
    Sets how often (in seconds) the AP checks and deletes old wireless client data.
bandselect drop-authentication <1..16>
    Sets how many authentication requests from a client to a 2.4 GHz Wi-Fi network are ignored during the specified timeout period.
bandselect drop-probe-request <1..32>
    Sets how many probe requests from a client to a 2.4 GHz Wi-Fi network are ignored during the specified timeout period.
bandselect min-sort-interval <1..60000>
    Sets the minimum interval (in seconds) at which the AP sorts the wireless client data when the client queue is full.
bandselect mode {disable | force | standard}
    To improve network performance and avoid interference in the 2.4 GHz frequency band, you can enable this feature to use the 5 GHz band first. You should set 2.4 GHz and 5 GHz radio profiles to use the same SSID and security settings.
    Note: The managed APs must be dual-band capable.
    disable: to turn off this feature.
    force: to have the wireless clients always connect to an SSID using the 5 GHz band. Connections to an SSID using the 2.4 GHz band are not allowed. It is recommended you select this option when the AP and wireless clients can function in either frequency band.
    standard: to have the AP try to connect the wireless clients to the same SSID using the 5 GHz band. Connections to an SSID using the 2.4 GHz band are still allowed.
[no] bandselect stop-threshold <10..20>
    Sets the threshold number of the connected wireless clients at which the AP disables the band select feature. Use the no parameter to turn off this feature.
bandselect time-out-force <1..255>
    Sets the timeout period (in seconds) within which the AP accepts probe or authentication requests to a 2.4 GHz Wi-Fi network when the band select mode is set to force.
bandselect time-out-period <1..255>
    Sets the timeout period (in seconds) within which the AP drops the specified number of probe or authentication requests to a 2.4 GHz Wi-Fi network.
bandselect time-out-standard <1..255>
    Sets the timeout period (in seconds) within which the AP accepts probe or authentication requests to a 2.4 GHz Wi-Fi network when the band select mode is set to standard.
[no] block-intra
    Enables intra-BSSID traffic blocking. Use the no parameter to disable it in this profile.
    By default this is disabled.
data-forward localbridge
    Sets the data forwarding mode used by the SSID to localbridge mode. In this mode, all of the wireless station’s traffic is routed through the associated AP’s gateway and tagged with the VLAN ID set by command vlan-id.
    This is the default data forwarding mode.
data-forward tunnel interface
    Sets the data forwarding mode used by the SSID to tunnel mode.
    In this mode, all of the wireless station’s traffic is routed through the Zyxel Device via the specified interface.
    Note: The interface must be a VLAN or internal Ethernet interface. The interface cannot be a member of a bridge.
downlink-rate-limit data_rate
    Sets the maximum incoming transmission data rate (either in mbps or kbps) on a per-station basis.
[no] hide
    Prevents the SSID from being publicly broadcast. Use the no parameter to re-enable public broadcast of the SSID in this profile.
    By default this is disabled.
[no] macfilter macfilterprofile
    Assigns the specified MAC filtering profile to this SSID profile. Use the no parameter to remove it.
    By default, no MAC filter is assigned.
qos wlan_qos
    Sets the type of QoS used by this SSID.
security securityprofile
    Assigns the specified security profile to this SSID profile.
ssid
    Sets the SSID. This is the name visible on the network to wireless clients. Enter up to 32 characters; spaces and underscores are allowed.
    The default SSID is ‘ZyXEL’.
[no] ssid-schedule
    Enables the SSID schedule. Use the no parameter to disable the SSID schedule.
{mon|tue|wed|thu|fri|sat|sun} {disable | enable} <hh:mm> <hh:mm>
    Sets whether the SSID is enabled or disabled on each day of the week. This also specifies the hour and minute (in 24-hour format) to set the time period of each day during which the SSID is enabled/disabled.
    <hh:mm> <hh:mm>: If you set both start time and end time to 00:00, it indicates a whole day event.
    Note: The end time must be larger than the start time.
uplink-rate-limit data_rate
    Sets the maximum outgoing transmission data rate (either in mbps or kbps) on a per-station basis.
vlan-id <1..4094>
    Applies to each SSID profile that uses localbridge. If the VLAN ID is equal to the AP’s native VLAN ID then traffic originating from the SSID is not tagged.
    The default VLAN ID is 1.
exit
    Exits configuration mode for this profile.
9.3.1 SSID Profile Example
The following example creates an SSID profile with the name ‘ZyXEL’. It makes the assumption that both the security profile (SECURITY01) and the MAC filter profile (MACFILTER01) already exist.
Router(config)# wlan-ssid-profile SSID01
Router(config-ssid-radio)# ssid ZyXEL
Router(config-ssid-radio)# qos wmm
Router(config-ssid-radio)# data-forward localbridge
Router(config-ssid-radio)# security SECURITY01
Router(config-ssid-radio)# macfilter MACFILTER01
Router(config-ssid-radio)# exit
Router(config)#

9.4 Security Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 25 Input Values for General Security Profile Commands
LABEL DESCRIPTION
security_profile_name
    The security profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
wep_key
    Sets the WEP key encryption strength. Select either 64bit or 128bit.
wpa_key
    Sets the WPA/WPA2 pre-shared key in ASCII. You may use 8~63 alphanumeric characters. This value is case-sensitive.
wpa_key_64
    Sets the WPA/WPA2 pre-shared key in HEX. You must use 64 alphanumeric characters.
secret
    Sets the shared secret used by your network’s RADIUS server.
auth_method
    The authentication method used by the security profile.
The following table describes the commands available for security profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 26 Command Summary: Security Profile
COMMAND DESCRIPTION
show wlan-security-profile {all | security_profile_name}
    Displays the security profile(s).
    all: Displays all profiles for the selected operating mode.
    security_profile_name: Displays the specified profile for the selected operating mode.
wlan-security-profile rename security_profile_name1 security_profile_name2
    Gives an existing security profile (security_profile_name1) a new name (security_profile_name2).
[no] wlan-security-profile security_profile_name
    Enters configuration mode for the specified security profile. Use the no parameter to remove the specified profile.
[no] accounting interim-interval <1..1440>
    Sets the time interval for how often the AP is to send an interim update message with current client statistics to the accounting server. Use the no parameter to clear the interval setting.
[no] accounting interim-update
    Sets the AP to send accounting update messages to the accounting server at the specified interval. Use the no parameter to disable it.
description description
    Sets the description for the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
[no] dot11r activate
    Turns on IEEE 802.11r fast roaming on the AP. Use the no parameter to turn it off.
[no] dot11r over-the-ds activate
    Sets the clients to communicate with the target AP through the current AP. The communication between the client and the target AP is carried in frames between the client and the current AP, and is then sent to the target AP through the wired Ethernet connection.
    Use the no parameter to have the clients communicate directly with the target AP.
[no] dot1x-eap
    Enables 802.1x secure authentication. Use the no parameter to disable it.
[no] dot11w
    Data frames in 802.11 WLANs can be encrypted and authenticated with WEP, WPA or WPA2. But 802.11 management frames, such as beacon/probe response, association request, association response, de-authentication and disassociation are always unauthenticated and unencrypted. IEEE 802.11w Protected Management Frames allows APs to use the existing security mechanisms (encryption and authentication methods defined in IEEE 802.11i WPA/WPA2) to protect management frames. This helps prevent wireless DoS attacks.
    Enables management frame protection (MFP) to add security to 802.11 management frames. Use the no parameter to disable it.
dot11w-op <1..2>
    Sets whether wireless clients have to support management frame protection in order to access the wireless network.
    1: if you do not require the wireless clients to support MFP. Management frames will be encrypted if the clients support MFP.
    2: wireless clients must support MFP in order to join the AP’s wireless network.
eap {external | internal auth_method}
    Sets the 802.1x authentication method.
group-key <30..30000>
    Sets the interval (in seconds) at which the AP updates the group WPA/WPA2 encryption key.
    The default is 3000.
idle <30..30000>
    Sets the idle interval (in seconds) that a client can be idle before authentication is discontinued. The default is 300.
[no] internal-eap-proxy activate
    Allows the Zyxel Device to act as a proxy server and forward the authentication packets to the connected RADIUS server.
    Use the no parameter to disable it.
[no] mac-auth activate
    MAC authentication has the AP use an external server to authenticate wireless clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails. The no parameter turns it off.
    RADIUS servers can require the MAC address in the wireless client’s account (username/password) or Calling Station ID RADIUS attribute.
mac-auth auth-method auth_method
    Sets the authentication method for MAC authentication.
mac-auth case account {upper | lower}
    Sets the case (upper or lower) the external server requires for using MAC addresses as the account username and password.
    For example, use mac-auth case account upper and mac-auth delimiter account dash if you need to use a MAC address formatted like 00-11-AC-01-A0-11 as the username and password.
mac-auth case calling-station-id {upper | lower}
    Sets the case (upper or lower) the external server requires for letters in MAC addresses in the Calling Station ID RADIUS attribute.
mac-auth delimiter account {colon | dash | none}
    Specify the separator the external server uses for the two-character pairs within MAC addresses used as the account username and password.
    For example, use mac-auth case account upper and mac-auth delimiter account dash if you need to use a MAC address formatted like 00-11-AC-01-A0-11 as the username and password.
mac-auth delimiter calling-station-id {colon | dash | none}
    Select the separator the external server uses for the pairs in MAC addresses in the Calling Station ID RADIUS attribute.
mode {none | enhanced-open | wep | wpa2 | wpa2-mix | wpa3}
    Sets the security mode for this profile.
[no] reauth <30..30000>
    Sets the interval (in seconds) between authentication requests. The default is 0.
[no] server-acct <1..2> activate
    Enables user accounting through an external server. Use the no parameter to disable.
server-acct <1..2> ip address ipv4_address port <1..65535> secret secret
    Sets the IPv4 address, port number and shared secret of the external accounting server.
no server-acct <1..2>
    Clears the specified user accounting setting.
[no] server-auth <1..2> activate
    Activates server authentication for the account. The no command deactivates authentication.
server-auth <1..2> ip address ipv4_address port <1..65535> secret secret
    Sets the IPv4 address, port number and shared secret of the RADIUS server to be used for authentication.
no server-auth <1..2>
    Clears the server authentication setting.
[no] transition-mode
    Enables backward compatibility when used with WPA3 or Enhanced Open security mode. WPA3 falls back to WPA2, while Enhanced Open falls back to open (none).
wep <64 | 128> default-key <1..4>
    Sets the WEP encryption strength (64 or 128) and the default key value (1 ~ 4).
    If you select WEP-64 enter 10 hexadecimal digits in the range of “A-F”, “a-f” and “0-9” (for example, 0x11AA22BB33) for each Key used; or enter 5 ASCII characters (case sensitive) ranging from “a-z”, “A-Z” and “0-9” (for example, MyKey) for each Key used.
    If you select WEP-128 enter 26 hexadecimal digits in the range of “A-F”, “a-f” and “0-9” (for example, 0x00112233445566778899AABBCC) for each Key used; or enter 13 ASCII characters (case sensitive) ranging from “a-z”, “A-Z” and “0-9” (for example, MyKey12345678) for each Key used.
    You can save up to four different keys. Enter the default-key (1 ~ 4) to save your WEP to one of those four available slots.
wep-auth-type {open | share}
    Sets the authentication key type to either open or share.
wpa-encrypt {tkip | aes | auto}
    Sets the WPA/WPA2 encryption cipher type.
    auto: This automatically chooses the best available cipher based on the cipher in use by the wireless client that is attempting to make a connection.
    tkip: This is the Temporal Key Integrity Protocol encryption method added later to the WEP encryption protocol to further secure it. Not all wireless clients may support this.
    aes: This is the Advanced Encryption Standard encryption method, a newer, more robust algorithm than TKIP. Not all wireless clients may support this.
wpa-psk {wpa_key | wpa_key_64}
    Sets the WPA/WPA2 pre-shared key.
[no] wpa2-preauth
    Enables pre-authentication to allow wireless clients to switch APs without having to re-authenticate their network connection. The RADIUS server puts a temporary PMK Security Authorization cache on the wireless clients. It contains their session ID and a pre-authorized list of viable APs.
    Use the no parameter to disable this.
exit
    Exits configuration mode for this profile.
9.4.1 Security Profile Example
The following example creates a security profile with the name ‘SECURITY01’.
Router(config)# wlan-security-profile SECURITY01
Router(config-security-profile)# mode wpa2
Router(config-security-profile)# wpa-encrypt aes
Router(config-security-profile)# wpa-psk 12345678
Router(config-security-profile)# idle 3600
Router(config-security-profile)# reauth 1800
Router(config-security-profile)# group-key 1800
Router(config-security-profile)# exit
Router(config)#
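The mac-auth case and mac-auth delimiter commands in Table 26 decide the exact string the external server must hold for each client. The following Python sketch is an added example, not part of the Zyxel guide: it reads those settings from constructed profile lines and renders each client MAC as the account (username and password) and Calling Station ID values; the function names and the sample client list are assumptions.

```python
import re

DELIMITERS = {"colon": ":", "dash": "-", "none": ""}

# Constructed sub-commands for one security profile; the two "account" lines are
# the pair this page gives for 00-11-AC-01-A0-11, the other two are hypothetical.
PROFILE = [
    "mac-auth activate",
    "mac-auth case account upper",
    "mac-auth delimiter account dash",
    "mac-auth case calling-station-id lower",
    "mac-auth delimiter calling-station-id colon",
]
# Constructed client inventory in three common notations.
CLIENTS = ["00:11:ac:01:a0:11", "0011.AC01.A012", "0011ac01a013"]

def parse_mac_auth(lines):
    """Collect 'mac-auth {case|delimiter} <field> <value>' settings."""
    settings = {}
    for line in lines:
        w = line.split()
        if len(w) == 4 and w[0] == "mac-auth" and w[1] in ("case", "delimiter"):
            settings[(w[1], w[2])] = w[3]
    return settings

def mac_digits(mac):
    """Return the 12 hex digits of a MAC written with ':', '-', '.' or nothing."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def render(mac, settings, field):
    """Format mac the way the server requires for 'account' or 'calling-station-id'."""
    for key in ("case", "delimiter"):
        if (key, field) not in settings:
            # The page gives no defaults, so refuse to guess them.
            raise ValueError(f"profile does not set mac-auth {key} {field}")
    case, delim = settings[("case", field)], settings[("delimiter", field)]
    if case not in ("upper", "lower") or delim not in DELIMITERS:
        raise ValueError(f"unsupported mac-auth value for {field}")
    digits = mac_digits(mac)
    text = DELIMITERS[delim].join(digits[i:i + 2] for i in range(0, 12, 2))
    return text.upper() if case == "upper" else text

def radius_entries(macs, profile_lines):
    """Build the account (username = password) and Calling Station ID per client."""
    settings = parse_mac_auth(profile_lines)
    entries = []
    for mac in macs:
        account = render(mac, settings, "account")
        entries.append({"username": account, "password": account,
                        "calling_station_id": render(mac, settings, "calling-station-id")})
    return entries

if __name__ == "__main__":
    for entry in radius_entries(CLIENTS, PROFILE):
        print(entry)
```

A mismatch in case or separator between the profile and the server's stored entries makes every MAC authentication fail, so generating both sides from the same settings avoids that class of outage.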
9.4.2 SSID and Security Profiles Example
This is an example of creating different WiFi network groups for different types of users, such as guests or employees at your company. You can configure different SSIDs and security modes for each group.
Follow the steps below to set up a wireless network for your company guest. Use the parameters in the table below.
Table 27 SSID and Security Profiles Settings Example
GUEST
SSID: Guest
Security Mode: WPA2
Pre-Share Key: guest123
1 Create an SSID profile. Set the profile name as Guest. Enter sub-command mode for this profile.
Router# configure terminal
Router(config)# wlan-ssid-profile Guest
Router(config-wlan-ssid Guest)#
2 Set the SSID as Guest. Exit the sub-command mode.
Router(config-wlan-ssid Guest)# ssid Guest
Router(config-wlan-ssid Guest)# exit
Router(config)#
3 Create a security profile. Set the profile name as GuestSecurity. Enter sub-command mode for this profile.
Router(config)# wlan-security-profile GuestSecurity
Router(config-wlan-security GuestSecurity)#
4 Set the security mode to WPA2. Set the pre-shared key to guest123. Exit the sub-command mode.
Router(config-wlan-security GuestSecurity)# mode wpa2
Router(config-wlan-security GuestSecurity)# wpa-psk guest123
Router(config-wlan-security GuestSecurity)# exit
Router(config)#
5 Enter the Guest SSID profile sub command mode. Apply the GuestSecurity security profile to this SSID.
Router(config)# wlan-ssid-profile Guest
Router(config-wlan-ssid Guest)# security GuestSecurity
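Security profiles built with the commands in Table 26 can be reviewed before they are deployed. The following Python linter is an added example, not part of the Zyxel guide: it reads constructed CLI input in the form typed in the examples above and reports weak settings per profile. The 12-character PSK minimum, the short guessable-key list and the finding codes are assumptions, and the checks go beyond the two profiles shown on this page to cover mode wep, dot11w and transition-mode.

```python
import re

# Constructed input in the form typed at the CLI. SECURITY01 and GuestSecurity use
# this page's example settings; LEGACY, STAFF and LOBBY are hypothetical profiles.
SAMPLE = """\
Router(config)# wlan-security-profile SECURITY01
Router(config-security-profile)# mode wpa2
Router(config-security-profile)# wpa-encrypt aes
Router(config-security-profile)# wpa-psk 12345678
Router(config-security-profile)# exit
Router(config)# wlan-security-profile GuestSecurity
Router(config-wlan-security GuestSecurity)# mode wpa2
Router(config-wlan-security GuestSecurity)# wpa-psk guest123
Router(config-wlan-security GuestSecurity)# exit
wlan-security-profile LEGACY
 mode wep
 exit
wlan-security-profile STAFF
 mode wpa2
 wpa-encrypt aes
 dot11w
 dot11w-op 2
 wpa-psk T7rqVd93kLm2Xb58pQ4z
 exit
wlan-security-profile LOBBY
 mode enhanced-open
 transition-mode
 exit
"""

MIN_PSK_LEN = 12                                  # assumption: local policy
GUESSABLE = {"12345678", "password", "guest123"}  # assumption: tiny sample list
PROMPT = re.compile(r"^\S+?(\([^)]*\))?#\s*")     # strips "Router(config-...)# "
FINDINGS = {
    "open": "mode none: traffic is not encrypted",
    "wep": "mode wep: keys are recoverable from captured traffic",
    "tkip": "wpa-encrypt tkip or auto: TKIP can be negotiated",
    "psk-length": "wpa-psk is not 8-63 characters or 64 hex digits",
    "psk-weak": "wpa-psk is short, numeric-only or on the guessable list",
    "no-mfp": "dot11w not enabled: management frames are unprotected",
    "mfp-optional": "dot11w-op 1: clients without MFP can still join",
    "fallback-wpa2": "transition-mode: WPA3 falls back to WPA2",
    "fallback-open": "transition-mode: Enhanced Open falls back to open",
}

def parse_profiles(text):
    """Map each security profile name to its sub-commands (lists of words)."""
    profiles, current = {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0].startswith("wlan-") or words[0] == "exit":
            is_sec = words[0] == "wlan-security-profile" and len(words) == 2
            current = profiles.setdefault(words[1], []) if is_sec else None
        elif current is not None:
            current.append(words)
    return profiles

def audit(commands):
    """Return the sorted finding codes for one profile's sub-commands."""
    cfg = {}
    for words in commands:
        if words[0] == "no" and len(words) > 1:
            cfg.pop(words[1], None)          # "no dot11w" undoes "dot11w"
        else:
            cfg[words[0]] = words[1:]
    mode = (cfg.get("mode") or ["unset"])[0]
    found = {"open"} if mode == "none" else {"wep"} if mode == "wep" else set()
    if mode in ("wpa2", "wpa2-mix"):
        if (cfg.get("wpa-encrypt") or ["unset"])[0] in ("tkip", "auto"):
            found.add("tkip")
        if "dot11w" not in cfg:
            found.add("no-mfp")
        elif cfg.get("dot11w-op") == ["1"]:
            found.add("mfp-optional")
    if "transition-mode" in cfg and mode in ("wpa3", "enhanced-open"):
        found.add("fallback-wpa2" if mode == "wpa3" else "fallback-open")
    if "wpa-psk" in cfg:
        psk = " ".join(cfg["wpa-psk"])
        is_hex64 = re.fullmatch(r"[0-9A-Fa-f]{64}", psk) is not None
        if not (is_hex64 or 8 <= len(psk) <= 63):
            found.add("psk-length")
        elif not is_hex64 and (len(psk) < MIN_PSK_LEN or psk.isdigit()
                               or psk.lower() in GUESSABLE):
            found.add("psk-weak")
    return sorted(found)

def audit_config(text):
    return {name: audit(cmds) for name, cmds in parse_profiles(text).items()}

if __name__ == "__main__":
    for name, codes in audit_config(SAMPLE).items():
        print(name, "OK" if not codes else [FINDINGS[c] for c in codes])
```

Both example profiles from this page are reported for their pre-shared keys and for leaving dot11w off; a setting that is simply absent (for example wpa-encrypt) is not flagged, because the page does not state its default.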

9.5 MAC Filter Profile Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 28 Input Values for General MAC Filter Profile Commands
LABEL DESCRIPTION
macfilter_profile_name
    The MAC filter profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
description2
    Sets the description of the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
The following table describes the commands available for security profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 29 Command Summary: MAC Filter Profile
COMMAND DESCRIPTION
show wlan-macfilter-profile {all | macfilter_profile_name}
    Displays the security profile(s).
    all: Displays all profiles for the selected operating mode.
    macfilter_profile_name: Displays the specified profile for the selected operating mode.
wlan-macfilter-profile rename macfilter_profile_name1 macfilter_profile_name2
    Gives an existing security profile (macfilter_profile_name1) a new name (macfilter_profile_name2).
[no] wlan-macfilter-profile macfilter_profile_name
    Enters configuration mode for the specified MAC filter profile. Use the no parameter to remove the specified profile.
filter-action {allow | deny}
    Permits the wireless client with the MAC addresses in this profile to connect to the network through the associated SSID; select deny to block the wireless clients with the specified MAC addresses.
    The default is set to deny.
[no] sta_mac description description2
    Sets the description of the wireless client with this MAC address. Enter up to 60 characters. Spaces and underscores allowed.
exit
    Exits configuration mode for this profile.
9.5.1 MAC Filter Profile Example
The following example creates a MAC filter profile with the name ‘MACFILTER01’.
Router(config)# wlan-macfilter-profile MACFILTER01
Router(config-macfilter-profile)# filter-action deny
Router(config-macfilter-profile)# 01:02:03:04:05:06 description MAC01
Router(config-macfilter-profile)# 01:02:03:04:05:07 description MAC02
Router(config-macfilter-profile)# 01:02:03:04:05:08 description MAC03
Router(config-macfilter-profile)# exit
Router(config)#

9.6 ZyMesh Profile Commands

ZyMesh is a ZyXEL-proprietary feature. In a ZyMesh, multiple managed APs form a WDS (Wireless Distribution System) to expand the wireless network and provide services or forward traffic between the Zyxel Device and wireless clients. ZyMesh also allows the Zyxel Device to use CAPWAP to automatically update the configuration settings on the managed APs (in repeater mode) through wireless connections. The managed APs (in repeater mode) are provisioned hop by hop. The managed APs in a WDS or ZyMesh must use the same SSID, channel number and pre-shared key. A managed AP can be either a root AP or repeater in a ZyMesh.
• Root AP: a managed AP that can transmit and receive data from the Zyxel Device via a wired Ethernet connection.
• Repeater: a managed AP that transmits and/or receives data from the Zyxel Device via a wireless connection through a root AP.
Note: All managed APs should be connected to the Zyxel Device directly to get the configuration file before being deployed to build a ZyMesh/WDS. Ensure you restart the managed AP after you change its operating mode using the wlan-radio-profile radio_profile_name role commands.
Note: When managed APs are deployed to form a ZyMesh/WDS for the first time, the root AP must be connected to an AP controller (the Zyxel Device).
The maximum number of hops (the repeaters between a wireless client and the root AP) you can have in a ZyMesh varies according to how many wireless clients a managed AP can support.
Note: A ZyMesh/WDS link with more hops has lower throughput.
Note: When the wireless connection between the root AP and the repeater is up, in order to prevent bridge loops, the repeater would not be able to transmit data through its Ethernet port(s). The repeater then could only receive power from a PoE device if you use PoE to provide power to the managed AP via an 8-pin Ethernet cable.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 30 Input Values for General ZyMesh Profile Commands
LABEL DESCRIPTION
zymesh_profile_name
    The ZyMesh profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following table describes the commands available for ZyMesh profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 31 Command Summary: ZyMesh Profile
COMMAND DESCRIPTION
show zymesh ap info
    Displays the number of currently connected/offline ZyMesh APs.
show zymesh link info {repeater-ap | root-ap}
    Displays the ZyMesh/WDS traffic statistics between the managed APs.
    repeater-ap: the managed AP is acting as a repeater in a ZyMesh.
    root-ap: the managed AP is acting as a root AP in a ZyMesh.
show zymesh provision-group
    Displays the current ZyMesh Provision Group MAC address in the Zyxel Device.
show zymesh-profile {all | zymesh_profile_name}
    Displays the ZyMesh profile settings.
    all: Displays all profiles.
    zymesh_profile_name: Displays the specified profile.
zymesh-profile rename zymesh_profile_name1 zymesh_profile_name2
    Gives an existing radio profile (zymesh_profile_name1) a new name (zymesh_profile_name2).
[no] zymesh-profile zymesh_profile_name
    Enters configuration mode for the specified ZyMesh profile. Use the no parameter to remove the specified profile.
psk psk
    Sets a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters. The key is used to encrypt the wireless traffic between the APs.
ssid ssid
    Sets the SSID with which you want the managed AP to connect to a root AP or repeater to build a ZyMesh link.
    Note: The ZyMesh SSID is hidden in the outgoing beacon frame so a wireless device cannot obtain the SSID through scanning using a site survey tool.
exit
    Exits configuration mode for this profile.
zymesh provision-group ac_mac
    Enters the ZyMesh Provision Group MAC address of the primary AP controller in your network to use this Zyxel Device to replace the primary AP controller.
Chapter 10 Rogue AP
CHAPTER 10
This chapter shows you how to set up Rogue Access Point (AP) detection and containment.

10.1 Rogue AP Detection Overview

Rogue APs are wireless access points operating in a network’s coverage area that are not under the control of the network’s administrators, and can potentially open holes in the network security. Attackers can take advantage of a rogue AP’s weaker (or non-existent) security to gain illicit access to the network, or set up their own rogue APs in order to capture information from wireless clients.

Rogue AP

Conversely, a friendly AP is one that the Zyxel Device network administrator regards as non-threatening. This does not necessarily mean the friendly AP must belong to the network managed by the Zyxel Device; rather, it is any unmanaged AP within range of the Zyxel Device’s own wireless network that is allowed to operate without being contained. This can include APs from neighboring companies, for example, or even APs maintained by your company’s employees that operate outside of the established network.

10.2 Rogue AP Detection Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 32 Input Values for Rogue AP Detection Commands
LABEL DESCRIPTION
ap_mac
    Specifies the MAC address (in XX:XX:XX:XX:XX:XX format) of the AP to be added to either the rogue AP or friendly AP list. The no command removes the entry.
description2
    Sets the description of the AP. You may use 1-60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
The following table describes the commands available for rogue AP detection. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 33 Command Summary: Rogue AP Detection
COMMAND DESCRIPTION
rogue-ap detection
    Enters sub-command mode for rogue AP detection.
[no] activate
    Activates rogue AP detection. Use the no parameter to deactivate rogue AP detection.