ZyXEL Communications ZyNOS User Manual

ZyWALL (ZyNOS) CLI Reference Guide
Internet Security Appliance

CLI Reference Guide

Version 4.04 4/2008 Edition 1
DEFAULT LOGIN
In-band IP Address: http://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.com

About This CLI Reference Guide

Intended Audience
This manual is intended for people who want to configure the ZyWALL via Command Line Interface (CLI). You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Note: This guide is intended as a command reference for a series of products. Therefore many commands in this guide may not be available in your product. See your User’s Guide for a list of supported features and details about feature implementation.
Please refer to www.zyxel.com or your product’s CD for product specific User Guides and product certifications.
How To Use This Guide
• Read Chapter 1 on page 13 for an overview of various ways you can get to the command interface on your ZyWALL.
• Read Chapter 2 on page 17 for an introduction to some of the more commonly used commands.
Note: It is highly recommended that you read at least these two chapters.
• The other chapters in this guide are arranged according to the CLI structure. Each chapter describes commands related to a feature.
Note: See your ZyWALL’s User Guide for feature background information.
• To find specific information in this guide, use the Contents Overview, the Index of Commands, or search the PDF file. E-mail techwriters@zyxel.com.tw if you cannot find the information you require.
CLI Reference Guide Feedback
Help us help you. Send all guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you!
The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
E-mail: techwriters@zyxel.com.tw

Document Conventions

Warnings and Notes
Warnings and notes are indicated as follows in this guide.
Warning: Warnings tell you about things that could harm you or your device. See your User’s Guide for product specific warnings.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Syntax Conventions
This manual follows these general conventions:
• ZyWALLs may also be referred to as the “device”, the “ZyXEL device”, the “system” or the “product” in this guide.
• Units of measurement may denote the “metric” value or the “scientific” value. For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on.
Command descriptions follow these conventions:
• Commands are in courier new font.
• Required input values are in angle brackets <>; for example, ping <ip-address> means that you must specify an IP address for this command.
• Optional fields are in square brackets []; for instance show logins [name], the name field is optional. The following is an example of a required field within an optional field: snmp-server [contact <system contact>], the contact field is optional. However, if you use contact, then you must provide the system contact information.
• The | (bar) symbol means “or”.
• italic terms represent user-defined input values; for example, in sys datetime date [year month date], year month date can be replaced by the actual year month and date that you want to set, for example, 2007 08 15.
• A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the “Enter” or “Return” key on your keyboard.
• <cr> means press the [ENTER] key.
• An arrow (-->) indicates that this line is a continuation of the previous line.
Command summary tables are organized as follows:
Table 1 Table Title
COMMAND                                     DESCRIPTION                                                                      M
ip alg disable <ALG_FTP|ALG_H323|ALG_SIP>   Turns off the specified ALG (Application Layer Gateway).                         R+B
ip alg disp                                 Shows whether the ALG is enabled or disabled.                                    R+B
ip alg enable <ALG_FTP|ALG_H323|ALG_SIP>    Turns on the specified ALG.                                                      R+B
ip alg ftpPortNum [port]                    Sets the FTP ALG to support a different port number (instead of the default).    R+B
ip alg siptimeout <timeout>                 Sets the SIP timeout in seconds. 0 means no timeout.                             R+B
ip alias <interface>                        Sets an alias for the specified interface.                                       R
The Table title identifies commands or the specific feature that the commands configure. The COMMAND column shows the syntax of the command. The DESCRIPTION column explains what the command does. It may also identify legal input values. The M column identifies the mode in which you run the command.
R: The command is available in router mode.
B: The command is available in bridge mode.
R + B: The command is available in both router and bridge modes.
A long list of pre-defined values may be replaced by a command input value ‘variable’ so as to avoid a very long command in the description table. Refer to the command input values table if you are unsure of what to enter.
Table 2 Common Command Input Values
LABEL         DESCRIPTION
description   Used when a command has a description field in order to add more detail.
ip-address    An IP address in dotted decimal notation. For example, 192.168.1.3.
mask          The subnet mask in dotted decimal notation, for example, 255.255.255.0.
mask-bits     The number of bits in an address’s subnet mask. For example type /24 for a subnet mask of 255.255.255.0.
port          A protocol’s port number.
interface     An interface on the ZyWALL. Use the following for a ZyWALL with a single WAN Ethernet interface.
              enif0: LAN
              enif1: Ethernet WAN
              enif2: DMZ
              enif4: Ethernet WLAN
              wanif0: PPPoE or PPTP or 3G depending on which is connected first
              wanif1: PPPoE or PPTP or 3G depending on which is connected second
              Use the following for a ZyWALL with two WAN Ethernet interfaces.
              enif0: LAN
              enif1: Ethernet WAN 1
              enif2: DMZ
              enif3: Ethernet WAN 2
              enif5: Ethernet WLAN
              wanif0: PPPoE or PPTP or 3G depending on which is connected first
              wanif1: PPPoE or PPTP or 3G depending on which is connected second
              For some commands you can also add a colon and a 0 or 1 to specify an IP alias. This is only for the LAN, DMZ, and WLAN interfaces. For example, enif0:0 specifies LAN IP alias 1 and enif0:1 specifies LAN IP alias 2.
hostname      Hostname can be an IP address or domain name.
name          Used for the name of a rule, policy, set, group and so on.
number        Used for a number, for example 10, that you have to input.
Note: Commands are case sensitive! Enter commands exactly as seen in the command interface. Remember to also include underscores if required.
Copy and Paste Commands
You can copy and paste commands directly from this document into your terminal emulation console window (such as HyperTerminal). Use right-click (not ctrl-v) to paste your command into the console window as shown next.
Icons Used in Figures
Figures in this guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
[Figure: generic icons for ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch and Router]

Contents Overview

Introduction
  How to Access and Use the CLI
  Common Commands
Reference
  Antispam Commands
  Antivirus Commands
  Auxiliary (Dial Backup) Commands
  Bandwidth Management Commands
  Bridge Commands
  Certificates Commands
  CNM Agent Commands
  Configuration Commands
  Device Related Commands
  Ethernet Commands
  Firewall Commands
  IDP Commands
  IP Commands
  IPSec Commands
  Load Balancing Commands
  myZyXEL.com Commands
  PPPoE Commands
  PPTP Commands
  System Commands
  Wireless Commands
  WWAN Commands
Appendices and Index of Commands
PART I

Introduction

How to Access and Use the CLI
Common Commands
CHAPTER 1

How to Access and Use the CLI

This chapter introduces the command line interface (CLI).

1.1 Accessing the CLI

Use any of the following methods to access the CLI.
1.1.1 Console Port
You may use this method if your ZyWALL has a console port.
1 Connect your computer to the console port on the ZyWALL using the appropriate cable.
2 Use terminal emulation software with the following settings:
Table 3 Default Settings for the Console Port
SETTING               DEFAULT VALUE
Terminal Emulation    VT100
Baud Rate             9600 bps
Parity                None
Number of Data Bits   8
Number of Stop Bits   1
Flow Control          None
3 Press [ENTER] to open the login screen.
1.1.2 Telnet
1 Open a Telnet session to the ZyWALL’s IP address. If this is your first login, use the default values.
Table 4 Default Management IP Address
SETTING       DEFAULT VALUE
IP Address    192.168.1.1
Subnet Mask   255.255.255.0
Make sure your computer IP address is in the same subnet, unless you are accessing the ZyWALL through one or more routers. In the latter case, make sure remote management of the ZyWALL is allowed via Telnet.
1.1.3 SSH
You may use this method if your ZyWALL supports SSH connections.
1 Connect your computer to one of the Ethernet ports.
2 Use an SSH client program to access the ZyWALL. If this is your first login, use the default values in Table 4 on page 13 and Table 5 on page 14. Make sure your computer IP address is in the same subnet, unless you are accessing the ZyWALL through one or more routers.

1.2 Logging in

Use the administrator username and password. If this is your first login, use the default values. In some ZyWALLs you may not need to enter the user name.
Table 5 Default User Name and Password
SETTING     DEFAULT VALUE
User Name   admin
Password    1234
The ZyWALL automatically logs you out of the management interface after five minutes of inactivity. If this happens to you, simply log back in again. Use the sys stdio command to extend the idle timeout. For example, the ZyWALL automatically logs you out of the management interface after 60 minutes of inactivity after you use the sys stdio 60 command.

1.3 Using Shortcuts and Getting Help

This table identifies some shortcuts in the CLI, as well as how to get help.
Table 6 CLI Shortcuts and Help
COMMAND / KEY(S)      DESCRIPTION
Up/down arrow keys    Scrolls through the list of recently-used commands. You can edit any command or press [ENTER] to run it again.
[CTRL]+U              Clears the current command.
?                     Displays the keywords and/or input values that are allowed in place of the ?.
help                  Displays the (full) commands that are allowed in place of help.
Use the help command to view the available commands on the ZyWALL. Follow these steps to create a list of supported commands:
1 Log into the CLI.
2 Type help and press [ENTER]. A list comes up which shows all the commands available for this device.
ras> help
Valid commands are:
sys             exit            ether           aux
config          wwan            wlan            ip
ipsec           bridge          bm              certificates
8021x           radius          radserv         wcfg
ras>
Abbreviations
Commands can be abbreviated to the smallest unique string that differentiates the command. For example sys version could be abbreviated to s v.
ras> sys version
ZyNOS version: V4.03(XD.0)Preb2_0802_1 | 08/03/2007
romRasSize: 3596736
system up time: 42:41:02 (ea784b ticks)
bootbase version: V1.08 | 01/28/2005
CPU chip revision: 1
CPU chip clock: 266MHz
CPU core revision: 0
ras> s v
ZyNOS version: V4.03(XD.0)Preb2_0802_1 | 08/03/2007
romRasSize: 3596736
system up time: 42:41:05 (ea796a ticks)
bootbase version: V1.08 | 01/28/2005
CPU chip revision: 1
CPU chip clock: 266MHz
CPU core revision: 0
ras>

1.4 Saving Your Configuration

In the ZyWALL some commands are saved as you run them and others require you to run a save command. For example, type ip stroute save to save the static route rule in non-volatile memory. See the related section of this guide to see if a save command is required.
Note: Unsaved configuration changes to commands that require you to run a save command are lost once you restart the ZyWALL.

1.5 Logging Out

Enter exit to log out of the CLI.
Table 7 Exit Command
COMMAND   DESCRIPTION                M
exit      Logs you out of the CLI.   R+B
CHAPTER 2

Common Commands

This chapter introduces some of the more commonly-used commands in the ZyWALL. For more detailed usage, see the corresponding feature chapter in this guide.
In the following examples, ras is the prompt as that is the default. If you configure a system name, then that prompt will display as the system name you configured. For example, change the system name to zyxel using the sys hostname zyxel command; the command prompt will then display as zyxel>.

2.1 Change the Idle Timeout

By default, the ZyWALL automatically logs you out of the management interface after five minutes of inactivity. Use the sys stdio command to extend the idle timeout. The following example extends the idle timeout to 120 minutes.
ras> sys stdio 120
Stdio Timeout = 120 minutes
ras>

2.2 Interface Information

ZyWALL interfaces are defined as shown in Table 2 on page 6.
The first command in this example shows information about the LAN port, for example, it has an IP address of 192.168.1.1. The second command is used to change this IP address to 192.168.100.100.
ras> ip ifconfig enif0
enif0: mtu 1500 mss 1460
inet 192.168.1.1, netmask 0xffffff00, broadcast 192.168.1.255
RIP RX:Ver 1 & 2, TX:Ver 1,
[InOctets 0] [InUnicast 0] [InMulticast 0]
[InDiscards 0] [InErrors 0] [InUnknownProtos 0]
[OutOctets 156] [OutUnicast 0] [OutMulticast 3]
[OutDiscards 0] [OutErrors 0]
ras> ip ifconfig enif0 192.168.100.100/24
enif0: mtu 1500 mss 1460
inet 192.168.100.100, netmask 0xffffff00, broadcast 192.168.100.255
RIP RX:Ver 1 & 2, TX:Ver 1,
[InOctets 0] [InUnicast 0] [InMulticast 0]
[InDiscards 0] [InErrors 0] [InUnknownProtos 0]
[OutOctets 728] [OutUnicast 0] [OutMulticast 14]
[OutDiscards 0] [OutErrors 0]
ras>
Note: Afterwards, you have to use this new IP address to access the ZyWALL via the LAN port.
To view information on all interfaces, enter ip ifconfig. To view DHCP information on the LAN port, enter ip dhcp enif0 status.
ras> ip dhcp enif0 status
DHCP on iface enif0 is server
Start assigned IP address: 192.168.1.33/24
Number of IP addresses reserved: 128
Hostname prefix: dhcppc
DNS server: 0.0.0.0 0.0.0.0 0.0.0.0
WINS server: 0.0.0.0 0.0.0.0
Domain Name :
Default gateway: 192.168.1.1
Lease time: 259200 seconds
Renewal time: 129600 seconds
Rebind time: 226800 seconds
Probing count: 4
Probing type: ICMP
slot state timer type hardware address hostname
0 UNCERTAIN 0 0 00
1 UNCERTAIN 0 0 00
Use these commands to release and renew DHCP-assigned information on the specified interface.
ras> ip dhcp enif1 client release
ras> ip dhcp enif1 status
DHCP on iface enif1 is client
Hostname : zyxel.zyxel.com
Domain Name : zyxel.com
Server IP address: 0.0.0.0
Client IP address: 0.0.0.0/27
DNS server : 0.0.0.0, 0.0.0.0
Default gateway: 0.0.0.0
Lease time : 0 seconds
Renewal time: 0 seconds
Rebind time : 0 seconds
Client State = 8, retry = 0
periodtimer = 286, timer = 0
flags = 2
Status:
Packet InCount: 3, OutCount: 3, DiscardCount: 0
ras> ip dhcp enif1 client renew
ras> ip dhcp enif1 status
DHCP on iface enif1 is client
Hostname : zyxel.zyxel.com
Domain Name : zyxel.com
Server IP address: 172.16.5.2
Client IP address: 172.16.37.48/24
DNS server : 172.16.5.2, 172.16.5.1, 0.0.0.0
Default gateway: 172.16.37.254
Lease time : 604800 seconds
Renewal time: 302400 seconds
Rebind time : 529200 seconds
Client State = 3, retry = 0
periodtimer = 272, timer = 302397
flags = 2
Status:
Packet InCount: 3, OutCount: 2, DiscardCount: 0
To view the ARP table for the LAN port, enter ip arp status enif0.
ras> ip arp status enif0
received 1458 badtype 0 bogus addr 0 reqst in 312 replies 9 reqst out 16
cache hit 11278 (88%), cache miss 1521 (11%)
IP-addr Type Time Addr stat iface
172.16.1.44 10 Mb Ethernet 290 00:13:49:6b:10:55 41 enif0
172.16.1.123 10 Mb Ethernet 290 00:0a:e4:06:11:91 41 enif0
172.16.1.3 10 Mb Ethernet 290 00:02:e3:57:ea:4f 41 enif0
172.16.1.122 10 Mb Ethernet 280 00:c0:a8:fa:e9:27 41 enif0
172.16.1.105 10 Mb Ethernet 280 00:0f:fe:0a:2d:3b 41 enif0
172.16.1.30 10 Mb Ethernet 270 00:60:b3:45:2b:c5 41 enif0
172.16.1.53 10 Mb Ethernet 210 00:16:d3:b8:3d:1a 41 enif0
172.16.1.32 10 Mb Ethernet 160 00:16:36:10:26:2d 41 enif0
172.16.1.2 10 Mb Ethernet 130 00:16:d3:37:c7:33 41 enif0
172.16.1.42 10 Mb Ethernet 150 00:00:e8:71:e3:f9 41 enif0
172.16.1.14 10 Mb Ethernet 250 00:13:49:fb:99:16 41 enif0
172.16.1.7 10 Mb Ethernet 190 00:0d:60:cb:fd:08 41 enif0
172.16.1.52 10 Mb Ethernet 130 00:0f:fe:32:b4:12 41 enif0
num of arp entries= 13
Each ZyWALL can support a specific number of NAT sessions in total. You can limit the number of NAT sessions allowed per host by using the ip nat session command. In the following example, each host may have up to 4000 NAT sessions open at one time. The total number of NAT sessions must not exceed the number for your ZyWALL.
ras> ip nat session 4000
ip nat session
NAT session number per host: 4000
ras>
To see the IP routing table, enter the following command.
ras> ip route status
Dest FF Len Device Gateway Metric stat Timer Use
192.168.1.0 00 24 enet0 192.168.1.1 1 041b 0 0
192.168.100.0 00 24 enet0 192.168.100.100 1 041b 0 0
default 00 0 Idle WAN 2 102 002b 0 0
ras>

2.3 Basic System Information

Use the following sys version and sys atsh commands to view information about your ZyWALL.
ras> sys version
ZyNOS version: V4.03(XD.0)Preb2_0802_1 | 08/03/2007
romRasSize: 3596736
system up time: 23:51:53 (831816 ticks)
bootbase version: V1.08 | 01/28/2005
CPU chip revision: 1
CPU chip clock: 266MHz
CPU core revision: 0
ras> sys atsh
ZyNOS version : V4.03(XD.0)Preb2_0802_1 | 08/03/2007
Ram Size : 32768 Kbytes
Flash Size : Intel 64M * 1
romRasSize : 3596736
bootbase version : V1.08 | 01/28/2005
Vendor Name : ZyXEL Communications Corp.
Product Model : ZyWALL 5
MAC Address : 001349000001
Default Country Code : FF
Boot Module Debug Flag : 0
RomFile Version : 38
RomFile Checksum : b4fc
Use the following command to view CPU utilization.
ras> sys cpu display
CPU usage status:
baseline 1472882 ticks
sec   ticks   load    sec   ticks   load    sec   ticks   load    sec   ticks   load
  0 1393404   5.39      1 1472882   0.00      2 1472882   0.00      3 1472882   0.00
  4 1097036  25.51      5 1455444   1.18      6 1460440   0.84      7 1469623   0.22
  8 1472882   0.00      9 1458718   0.96     10   15369  98.96     11  721711  51.00
 12 1462602   0.69     13 1465369   0.51     14 1464771   0.55     15 1469584   0.22
 16 1472882   0.00     17 1472882   0.00     18 1465200   0.52     19 1459341   0.91
 20 1457914   1.01     21 1454838   1.22     22 1472882   0.00     23 1472882   0.00
 24 1458275   0.99     25 1472882   0.00     26 1472882   0.00     27 1472882   0.00
 28 1472882   0.00     29 1472882   0.00     30 1472882   0.00     31 1472882   0.00
 32 1472882   0.00     33 1472882   0.00     34 1472882   0.00     35 1472882   0.00
 36 1472882   0.00     37 1472882   0.00     38 1472882   0.00     39 1460334   0.85
 40 1472882   0.00     41 1472882   0.00     42 1472882   0.00     43 1472882   0.00
 44 1472882   0.00     45 1472882   0.00     46 1472882   0.00     47 1472882   0.00
 48 1472882   0.00     49 1472882   0.00     50 1472882   0.00     51 1472882   0.00
 52 1472882   0.00     53 1472882   0.00     54 1459578   0.90     55 1472882   0.00
 56 1472882   0.00     57 1472882   0.00     58 1472882   0.00     59 1472882   0.00
 60 1472882   0.00     61 1472882   0.00     62 1472882   0.00
Average CPU Load = 3.5%
ras>
Use the following command to view the ZyWALL’s time and date.
ras> sys datetime time
Current time is 08:26:56
ras> sys datetime date
Current date is Wed 2007/08/08
ras>
Use the following command to restart your ZyWALL right away.
ras> sys reboot
Bootbase Version: V1.08 | 01/28/2005 14:47:16
RAM:Size = 32 Mbytes
FLASH: Intel 64M
ZyNOS Version: V4.03(XD.0)Preb2_0802_1 | 08/03/2007 16:48:04
Press any key to enter debug mode within 3 seconds.
............................................................
Use the following command to reset the ZyWALL to the factory defaults. Make sure you back up your current configuration first (using the web configurator or SMT). The ZyWALL will restart and the console port speed will also reset to 9,600 bps.
ras> sys romreset
Do you want to restore default ROM file(y/n)?y
..................................................................OK
System Restart! (Console speed will be changed to 9600 bps)
Bootbase Version: V1.08 | 01/30/2005 14:41:51
RAM:Size = 64 Mbytes
FLASH: Intel 128M
ZyNOS Version: V4.03(WZ.0)Preb2_0803 | 08/03/2007 11:08:13
Press any key to enter debug mode within 3 seconds.
............................................................
Use the following command to change the console port speed. A higher console port speed is recommended when uploading firmware via the console port. A console port speed of 115,200 bps is necessary to view CNM debug messages and packet traces on the ZyWALL.
ras> sys baud ?
Usage: baud <1..5>(1:38400, 2:19200, 3:9600, 4:57600, 5:115200)
ras> sys baud 5
Saving to ROM. Please wait...
Change Console Speed to 115200. Then hit any key to continue
ras>
Note: After you change the console port speed, you need to change it also on your terminal emulation software (such as HyperTerminal) in order to reconnect to the ZyWALL.
Use the following command to see whether the ZyWALL is acting as a bridge or router.
ras> sys mode
Device mode: router
ras>
Use the following command to change the ZyWALL mode (bridge or router).
Usage: sys mode <router | bridge>
ras> sys mode router
Device mode: router
ras>
Use the following command to display all ZyWALL logs. Logs are very useful for troubleshooting. If you are having problems with your ZyWALL, then customer support may request that you send them the logs.
ras> sys logs display
# .time notes source destination message
============================================================
0|2007-08-16 09:39:27 |WAN1 | WAN interface gets IP:172.16.17.48
1|2007-08-16 09:38:40 |User:admin | Successful SMT login
2|2007-08-16 09:38:37 |User:admin | SMT login failed (password error)
3|2007-08-16 09:35:10 |80.85.129.103:123 |172.16.17.48:1135 Time set from NTP server: 0.pool.ntp.org, offset: +208949688 sec
4|2001-01-01 00:00:18 |WAN1 | WAN interface gets IP:172.16.17.48
5|2001-01-01 00:00:16 |WAN1 | WAN1 connection is up.
6|2001-01-01 00:00:16 |WAN2 | WAN2 connection is down.
ras>
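Triage of saved sys logs display output for repeated SMT login failures, a successful login that follows them, and entries stamped before the NTP time set, as an added example (not from the ZyXEL guide). The sample lines are constructed in the entry layout shown above using the message strings on this page; the function names, the thresholds, and treating the logged offset as seconds added to the clock are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the entry layout shown above (index 0 is the newest entry).
SAMPLE_LOG = """\
# .time notes source destination message
============================================================
0|2007-08-16 09:39:27 |WAN1 | WAN interface gets IP:172.16.17.48
1|2007-08-16 09:38:40 |User:admin | Successful SMT login
2|2007-08-16 09:38:37 |User:admin | SMT login failed (password error)
3|2007-08-16 09:38:31 |User:admin | SMT login failed (password error)
4|2007-08-16 09:38:26 |User:admin | SMT login failed (password error)
5|2007-08-16 09:35:10 |80.85.129.103:123 |172.16.17.48:1135 Time set from NTP server: 0.pool.ntp.org, offset: +208949688 sec
6|2001-01-01 00:00:18 |WAN1 | WAN interface gets IP:172.16.17.48
7|2001-01-01 00:00:16 |WAN1 | WAN1 connection is up.
"""

ENTRY = re.compile(r"^\s*(\d+)\|(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*\|(.*)$")
NTP_SET = re.compile(r"Time set from NTP server: .*offset: ([+-]\d+) sec")


def parse(text):
    """Return log entries oldest first; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        context, _, message = m.group(3).rpartition("|")
        user = re.search(r"User:(\S+)", context)
        entries.append({
            "index": int(m.group(1)),
            "time": datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S"),
            "user": user.group(1) if user else None,
            "message": message.strip(),
        })
    # Order by index, not by timestamp: the clock jumps when NTP sets it.
    entries.sort(key=lambda e: e["index"], reverse=True)
    return entries


def triage(text, threshold=3, window=timedelta(minutes=5),
           min_skew=timedelta(hours=1)):
    report = {"bursts": [], "success_after_failures": [], "presync": []}
    failures = {}   # user -> timestamps of recent failed logins
    unsynced = []   # entries logged since the last clock set
    for e in parse(text):
        ntp = NTP_SET.search(e["message"])
        if ntp:
            # Assumption: the offset is the number of seconds added to the clock,
            # so earlier entries can be moved onto the corrected timeline.
            offset = timedelta(seconds=int(ntp.group(1)))
            if abs(offset) >= min_skew:
                report["presync"] += [(p["index"], p["time"] + offset)
                                      for p in unsynced]
            unsynced = []
            continue
        unsynced.append(e)
        user, now = e["user"], e["time"]
        if "SMT login failed" in e["message"]:
            recent = [t for t in failures.get(user, [])
                      if timedelta(0) <= now - t <= window]
            recent.append(now)
            failures[user] = recent
            if len(recent) == threshold:
                report["bursts"].append((user, recent[0], now))
        elif "Successful SMT login" in e["message"]:
            recent = [t for t in failures.pop(user, [])
                      if timedelta(0) <= now - t <= window]
            if recent:
                report["success_after_failures"].append((user, len(recent), now))
    return report


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

A successful login shortly after a run of failures for the same account is the entry to review first; the corrected times place the boot-time entries on the same timeline as the rest of the log.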
Use the following command to display all ZyWALL error logs.
ras> sys logs errlog disp
47 Mon Jan 1 00:00:03 2001 PINI INFO Channel 0 ok
48 Mon Jan 1 00:00:25 2001 PP0e INFO LAN promiscuous mode <0>
51 Mon Jan 1 00:00:25 2001 PINI INFO main: init completed
52 Mon Jan 1 00:00:25 2001 PP22 INFO No DNS server available
53 Mon Jan 1 00:11:53 2001 PINI INFO Last errorlog repeat 114 Times
54 Mon Jan 1 00:11:53 2001 PINI INFO SMT Session Begin
55 Mon Jan 1 00:15:25 2001 PP22 INFO No DNS server available
56 Mon Jan 1 00:51:15 2001 PINI INFO Channel 0 ok
57 Mon Jan 1 00:51:37 2001 PP0e INFO LAN promiscuous mode <0>
60 Mon Jan 1 00:51:37 2001 PINI INFO main: init completed
61 Mon Jan 1 00:51:37 2001 PP22 INFO No DNS server available
62 Mon Jan 1 00:51:41 2001 PINI INFO SMT Session Begin
63 Mon Jan 1 00:52:37 2001 PP1c INFO No DNS server available
Clear Error Log (y/n):
Use the following commands for system debugging. A console port speed of 115,200 bps is necessary to view packet traces on the ZyWALL.
ras> sys trcpacket sw on
ras> sys trcdisp brief
0 09:21:27.180 ENET1-T[0342] UDP 0.0.0.0:68->255.255.255.255:67
1 09:21:30.180 ENET1-T[0342] UDP 0.0.0.0:68->255.255.255.255:67
2 09:21:37.180 ENET1-T[0342] UDP 0.0.0.0:68->255.255.255.255:67
3 09:21:53.180 ENET1-T[0342] UDP 0.0.0.0:68->255.255.255.255:67
4 09:21:55.180 ENET1-T[0342] UDP 0.0.0.0:68->255.255.255.255:67
ras> sys trcdisp enif0 bothway
TIME:09:24:53.180 enet1-XMIT len:342 call=0
0000: ff ff ff ff ff ff 00 13 49 00 00 02 08 00 45 00
0010: 01 48 04 df 00 00 ff 11 b5 c6 00 00 00 00 ff ff
0020: ff ff 00 44 00 43 01 34 e6 79 01 01 06 00 00 00
0030: 1f 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040: 00 00 00 00 00 00 00 13 49 00 00 02 00 00 00 00
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
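Decoding the hex rows of the packet trace above into Ethernet, IPv4, UDP and BOOTP fields, as an added example (not from the ZyXEL guide). The bytes are the first five rows of the dump on this page; the function names are hypothetical.

```python
import ipaddress
import re
import struct

# Header line and first five rows of the `sys trcdisp enif0 bothway` dump above.
TRACE = """\
TIME:09:24:53.180 enet1-XMIT len:342 call=0
0000: ff ff ff ff ff ff 00 13 49 00 00 02 08 00 45 00
0010: 01 48 04 df 00 00 ff 11 b5 c6 00 00 00 00 ff ff
0020: ff ff 00 44 00 43 01 34 e6 79 01 01 06 00 00 00
0030: 1f 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040: 00 00 00 00 00 00 00 13 49 00 00 02 00 00 00 00
"""

ROW = re.compile(r"^([0-9a-f]{4}):((?:\s+[0-9a-f]{2})+)\s*$", re.I)


def dump_to_bytes(text):
    """Rebuild the captured bytes from 'OFFS: xx xx ..' rows; reject offset gaps."""
    frame = bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # TIME: header, prompts, blank lines
        if int(m.group(1), 16) != len(frame):
            raise ValueError(f"dump is not contiguous at offset {m.group(1)}")
        frame += bytes.fromhex(m.group(2))
    return bytes(frame)


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_header_ok(header):
    """One's-complement sum over the header, checksum included, must be 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode(frame):
    """Decode as far as the captured bytes allow; absent layers are left out."""
    out = {"captured": len(frame)}
    if len(frame) < 14:
        return out
    out.update(eth_dst=mac(frame[0:6]), eth_src=mac(frame[6:12]),
               ethertype=struct.unpack("!H", frame[12:14])[0])
    if out["ethertype"] != 0x0800 or len(frame) < 34:
        return out
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if frame[14] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return out
    total_len, ttl, proto = struct.unpack("!2xH4xBB", ip[:10])
    out.update(ip_src=str(ipaddress.IPv4Address(ip[12:16])),
               ip_dst=str(ipaddress.IPv4Address(ip[16:20])),
               ip_ttl=ttl, ip_proto=proto,
               ip_checksum_ok=ipv4_header_ok(ip),
               frame_len=14 + total_len)  # compare with len: in the TIME line
    udp_at = 14 + ihl
    if proto != 17 or len(frame) < udp_at + 8:
        return out
    sport, dport = struct.unpack("!HH", frame[udp_at:udp_at + 4])
    out.update(udp_sport=sport, udp_dport=dport)
    bootp = frame[udp_at + 8:]
    if {sport, dport} == {67, 68} and len(bootp) >= 34:
        # BOOTP: op, htype, hlen, hops, xid; chaddr starts at byte 28.
        op, _htype, hlen, xid = struct.unpack("!BBBxI", bootp[:8])
        chaddr = mac(bootp[28:28 + min(hlen, 16)])
        out.update(bootp_op=op, bootp_xid=xid, bootp_chaddr=chaddr,
                   chaddr_matches_src=(chaddr == out["eth_src"]))
    return out


if __name__ == "__main__":
    for key, value in decode(dump_to_bytes(TRACE)).items():
        print(f"{key:20} {value}")
```

The decoded frame agrees with the brief trace lines (UDP 0.0.0.0:68 to 255.255.255.255:67) and with len:342 in the TIME line.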
The extended ping command is used to have the ZyWALL ping IP address 172.16.1.202 five times in the following example.
ras> ip pingext 172.16.1.202 -n 5
Resolving 172.16.1.202 ... 172.16.1.202
sent  rcvd  size   rtt   avg   max   min
   1     1    36   510   510   510   510
   2     2    36   530   520   530   510
   3     3    36   850   630   850   510
   4     4    36  1030   730  1030   510
   5     5    36  1070   798  1070   510
Extended Ping From device to 172.16.1.202:
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate Round Trip Times in milli-seconds:
RTT: Average = 798ms, Maximum = 1070ms, Minimum = 510ms
ras>

2.4 UTM and myZyXEL.com

Use these commands to create an account at myZyXEL.com and view what services you have activated.
Note: Ensure your ZyWALL is connected to the Internet before you use the following commands.
You need to create an account at myZyXEL.com in order to activate content filtering, anti-spam and anti-virus UTM (Unified Threat Management) services. See the myZyXEL.com chapter for information on the country code you should use.
ras> sys myZyxelCom register <username> <password> <email> <countryCode>
This command displays your ZyWALL’s registration information.
ras> sys myZyxelCom display
register server address : www.myzyxel.com
register server path : /register/registration?
username : aseawfasf
password : aaaaaa
email : aa@aa.aa.aa
sku : CFRT=1&CFST=319&ZASS=469&ISUS=469&ZAVS=469
country code : 204
register state 1
register MAC : 0000AA220765
CF expired day : 2008-05-26 14:58:19
AS expired day : 2008-10-23 14:58:19
2In1 expired day : 2008-10-23 14:58:19
Last update day : 2007-07-12 14:58:19
This command displays ZyWALL service registration details.
ras> sys myZyxelCom serviceDisplay
Content Filter Service : Actived, Licenced, Trial, Expired : 2007-07-08 16:36:15
Anti-Spam Service : Actived, Licenced, Trial, Expired : 2007-09-06 16:36:18
IDP/Anti-Virus Service : Actived, Licenced, Trial, Expired : 2007-09-06 16:36:18
ras>
Use these commands to enable anti-spam on the ZyWALL for traffic going from WAN1 to LAN.
ras> as enable 1
Anti spam: enabled
ras> as dir wan1 lan on
From\To  lan   wan1  dmz   wan2  wlan  vpn
=======================================
lan      off   off   off   off   off   off
wan1     on    off   off   off   off   off
dmz      off   off   off   off   off   off
wan2     off   off   off   off   off   off
wlan     off   off   off   off   off   off
vpn      off   off   off   off   off   off
ras>
Use the following commands to enable anti-virus on the ZyWALL. You first need to use the load command.
ras> av load
ras> av config enable on
ras> av save
ras> av disp
AV Enable : On
AV Forward Over ZIP Session : Off
AV Forward Over ZIP Session : Off
------------------------------------
Use the following commands to enable content filtering on the ZyWALL, then on the external database (DB) and then display the default policy.
ras> ip cf common enable on
ras> ip cf externalDB enable on
ras> ip cf policy displayAll
index Name Active IP Group Start Addr End Addr
==========================================================================
1 Default Policy Y 0.0.0.0/0.0.0.0
The default policy does not actually block anything. Use the following commands to edit the default policy, turn on the external database service content filtering (category-based content filtering), see what the categories are, block a category (2 in the following example) and then save the policy.
ras> ip cf policy edit 1
ras> ip cf policy config webControl enable on
ras> ip cf policy config webControl display
The Categories:
type 1 :Adult/Mature Content
type 2 :Pornography
type 3 :Sex Education
type 4 :Intimate Apparel/Swimsuit
type 5 :Nudity
type 6 :Alcohol/Tobacco
type 7 :Illegal/Questionable
type 8 :Gambling
type 9 :Violence/Hate/Racism
type10 :Weapons
type11 :Abortion
type12 :Hacking
type13 :Phishing
type14 :Arts/Entertainment
type15 :Business/Economy
type16 :Alternative Spirituality/Occult
type17 :Illegal Drugs
type18 :Education
type19 :Cultural/Charitable Organization
type20 :Financial Services
type21 :Brokerage/Trading
type22 :Online Games
type23 :Government/Legal
type24 :Military
type25 :Political/Activist Groups
type26 :Health
type27 :Computers/Internet
type28 :Search Engines/Portals
type29 :Spyware/Malware Sources
type30 :Spyware Effects/Privacy Concerns
type31 :Job Search/Careers
type32 :News/Media
type33 :Personals/Dating
type34 :Reference
type35 :Open Image/Media Search
type36 :Chat/Instant Messaging
type37 :Email
type38 :Blogs/Newsgroups
type39 :Religion
type40 :Social Networking
type41 :Online Storage
type42 :Remote Access Tools
type43 :Shopping
type44 :Auctions
type45 :Real Estate
type46 :Society/Lifestyle
type47 :Sexuality/Alternative Lifestyles
type48 :Restaurants/Dining/Food
type49 :Sports/Recreation/Hobbies
type50 :Travel
type51 :Vehicles
type52 :Humor/Jokes
type53 :Software Downloads
type54 :Pay to Surf
type55 :Peer-to-Peer
type56 :Streaming Media/MP3s
type57 :Proxy Avoidance
type58 :For Kids
type59 :Web Advertisements
type60 :Web Hosting
type61 :Unrated
ras> ip cf policy config webControl category block 2
The Categories:
type 1 :Adult/Mature Content
type 2 (block):Pornography
-------
ras> ip cf policy save
ras>
You may also configure and schedule new policies using commands as well as configure what to block using the external database.

2.5 Firewall

Use the following command to enable the firewall on the ZyWALL.
ras> sys firewall active yes
ras>

2.6 VPN

Use the following command to show what IPsec VPN tunnels are active on your ZyWALL.
ras> ipsec show_runtime sa
Runtime SA status:
No phase 1 IKE SA exist
No phase 2 IPSec SA exist
Active SA pair = 0
ras>
Use the following command to manually bring up a previously configured VPN tunnel.
ras> ipsec dial 1
Start dialing for tunnel <rule# 1>...
.....................

2.7 Dialing PPPoE and PPTP Connections

This example shows dialing up remote node “WAN 1” using PPPoE.
ras> poe dial "WAN 1"
Start dialing for node <WAN 1>...
### Hit any key to continue.###
$$$ DIALING dev=6 ch=0..........
$$$ OUTGOING-CALL phone()
$$$ CALL CONNECT speed<100000000> type<6> chan<0>
$$$ LCP opened
$$$ PAP sending user/pswd
$$$ IPCP negotiation started
$$$ IPCP neg' Primary DNS 192.168.30.1
$$$ IPCP neg' Primary DNS 172.16.5.2
$$$ IPCP opened
This example shows dialing up remote node “WAN 1” using PPTP.
ras> pptp dial "WAN 1"
Start dialing for node <WAN 1>...
### Hit any key to continue.###
ras>