ZyXEL Communications ZyNOS User Manual

ZyWALL (ZyNOS) CLI Reference Guide
Internet Security Appliance

CLI Reference Guide

Version 4.04 4/2008 Edition 1
DEFAULT LOGIN
In-band IP Address: http://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.com

About This CLI Reference Guide

Intended Audience
This manual is intended for people who want to configure the ZyWALL via Command Line Interface (CLI). You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Note: This guide is intended as a command reference for a series of products. Therefore many commands in this guide may not be available in your product. See your User’s Guide for a list of supported features and details about feature implementation.
Please refer to www.zyxel.com or your product’s CD for product specific User Guides and product certifications.
How To Use This Guide
• Read Chapter 1 on page 13 for an overview of various ways you can get to the command interface on your ZyWALL.
• Read Chapter 2 on page 17 for an introduction to some of the more commonly used commands.
Note: It is highly recommended that you read at least these two chapters.
• The other chapters in this guide are arranged according to the CLI structure. Each chapter describes commands related to a feature.
Note: See your ZyWALL’s User Guide for feature background information.
• To find specific information in this guide, use the Contents Overview, the Index of Commands, or search the PDF file. E-mail techwriters@zyxel.com.tw if you cannot find the information you require.
CLI Reference Guide Feedback
Help us help you. Send all guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you!
The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
E-mail: techwriters@zyxel.com.tw

Document Conventions
Warnings and Notes
Warnings and notes are indicated as follows in this guide.
Warning: Warnings tell you about things that could harm you or your device. See your User’s Guide for product specific warnings.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Syntax Conventions
This manual follows these general conventions:
• ZyWALLs may also be referred to as the “device”, the “ZyXEL device”, the “system” or the “product” in this guide.
• Units of measurement may denote the “metric” value or the “scientific” value. For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on.
Command descriptions follow these conventions:
• Commands are in courier new font.
• Required input values are in angle brackets <>; for example, ping <ip-address> means that you must specify an IP address for this command.
• Optional fields are in square brackets []; for instance show logins [name], the name field is optional.
The following is an example of a required field within an optional field: snmp-server [contact <system contact>], the contact field is optional. However, if you use contact, then you must provide the system contact information.
• The | (bar) symbol means “or”.
• italic terms represent user-defined input values; for example, in sys datetime date [year month date], year month date can be replaced by the actual year month and date that you want to set, for example, 2007 08 15.
• A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the “Enter” or “Return” key on your keyboard. <cr> means press the [ENTER] key.
• An arrow (-->) indicates that this line is a continuation of the previous line.
Command summary tables are organized as follows:
Table 1 Table Title
COMMAND                                     DESCRIPTION                                                                    M
ip alg disable <ALG_FTP|ALG_H323|ALG_SIP>   Turns off the specified ALG (Application Layer Gateway).                       R+B
ip alg disp                                 Shows whether the ALG is enabled or disabled.                                  R+B
ip alg enable <ALG_FTP|ALG_H323|ALG_SIP>    Turns on the specified ALG.                                                    R+B
ip alg ftpPortNum [port]                    Sets the FTP ALG to support a different port number (instead of the default).  R+B
ip alg siptimeout <timeout>                 Sets the SIP timeout in seconds. 0 means no timeout.                           R+B
ip alias <interface>                        Sets an alias for the specified interface.                                     R
The Table title identifies commands or the specific feature that the commands configure. The COMMAND column shows the syntax of the command. The DESCRIPTION column explains what the command does. It may also identify legal input values. The M column identifies the mode in which you run the command.
R: The command is available in router mode.
B: The command is available in bridge mode.
R + B: The command is available in both router and bridge modes.
A long list of pre-defined values may be replaced by a command input value ‘variable’ so as to avoid a very long command in the description table. Refer to the command input values table if you are unsure of what to enter.
Table 2 Common Command Input Values
LABEL        DESCRIPTION
description  Used when a command has a description field in order to add more detail.
ip-address   An IP address in dotted decimal notation. For example, 192.168.1.3.
mask         The subnet mask in dotted decimal notation, for example, 255.255.255.0.
mask-bits    The number of bits in an address’s subnet mask. For example type /24 for a subnet mask of 255.255.255.0.
port         A protocol’s port number.
interface    An interface on the ZyWALL. Use the following for a ZyWALL with a single WAN Ethernet interface:
               enif0: LAN
               enif1: Ethernet WAN
               enif2: DMZ
               enif4: Ethernet WLAN
               wanif0: PPPoE or PPTP or 3G depending on which is connected first
               wanif1: PPPoE or PPTP or 3G depending on which is connected second
             Use the following for a ZyWALL with two WAN Ethernet interfaces:
               enif0: LAN
               enif1: Ethernet WAN 1
               enif2: DMZ
               enif3: Ethernet WAN 2
               enif5: Ethernet WLAN
               wanif0: PPPoE or PPTP or 3G depending on which is connected first
               wanif1: PPPoE or PPTP or 3G depending on which is connected second
             For some commands you can also add a colon and a 0 or 1 to specify an IP alias. This is only for the LAN, DMZ, and WLAN interfaces. For example, enif0:0 specifies LAN IP alias 1 and enif0:1 specifies LAN IP alias 2.
hostname     Hostname can be an IP address or domain name.
name         Used for the name of a rule, policy, set, group and so on.
number       Used for a number, for example 10, that you have to input.
Note: Commands are case sensitive! Enter commands exactly as seen in the command interface. Remember to also include underscores if required.
Copy and Paste Commands
You can copy and paste commands directly from this document into your terminal emulation console window (such as HyperTerminal). Use right-click (not ctrl-v) to paste your command into the console window as shown next.
Icons Used in Figures
Figures in this guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
[Icon legend: ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router]

Contents Overview
Introduction (11)
  How to Access and Use the CLI (13)
  Common Commands (17)
Reference (31)
  Antispam Commands (33)
  Antivirus Commands (35)
  Auxiliary (Dial Backup) Commands (39)
  Bandwidth Management Commands (43)
  Bridge Commands (51)
  Certificates Commands (55)
  CNM Agent Commands (63)
  Configuration Commands (67)
  Device Related Commands (83)
  Ethernet Commands (85)
  Firewall Commands (87)
  IDP Commands (93)
  IP Commands (97)
  IPSec Commands (121)
  Load Balancing Commands (133)
  myZyXEL.com Commands (135)
  PPPoE Commands (145)
  PPTP Commands (149)
  System Commands (151)
  Wireless Commands (165)
  WWAN Commands (169)
Appendices and Index of Commands (175)
PART I

Introduction

How to Access and Use the CLI (13)
Common Commands (17)
CHAPTER 1

How to Access and Use the CLI

This chapter introduces the command line interface (CLI).

1.1 Accessing the CLI

Use any of the following methods to access the CLI.
1.1.1 Console Port
You may use this method if your ZyWALL has a console port.
1 Connect your computer to the console port on the ZyWALL using the appropriate cable.
2 Use terminal emulation software with the following settings:
Table 3 Default Settings for the Console Port
SETTING              DEFAULT VALUE
Terminal Emulation   VT100
Baud Rate            9600 bps
Parity               None
Number of Data Bits  8
Number of Stop Bits  1
Flow Control         None
3 Press [ENTER] to open the login screen.
1.1.2 Telnet
1 Open a Telnet session to the ZyWALL’s IP address. If this is your first login, use the default values.
Table 4 Default Management IP Address
SETTING      DEFAULT VALUE
IP Address   192.168.1.1
Subnet Mask  255.255.255.0
Make sure your computer IP address is in the same subnet, unless you are accessing the ZyWALL through one or more routers. In the latter case, make sure remote management of the ZyWALL is allowed via Telnet.
1.1.3 SSH
You may use this method if your ZyWALL supports SSH connections.
1 Connect your computer to one of the Ethernet ports.
2 Use an SSH client program to access the ZyWALL. If this is your first login, use the default values in Table 4 on page 13 and Table 5 on page 14. Make sure your computer IP address is in the same subnet, unless you are accessing the ZyWALL through one or more routers.

1.2 Logging in

Use the administrator username and password. If this is your first login, use the default values. In some ZyWALLs you may not need to enter the user name.
Table 5 Default User Name and Password
SETTING    DEFAULT VALUE
User Name  admin
Password   1234
The ZyWALL automatically logs you out of the management interface after five minutes of inactivity. If this happens to you, simply log back in again. Use the sys stdio command to extend the idle timeout. For example, the ZyWALL automatically logs you out of the management interface after 60 minutes of inactivity after you use the sys stdio 60 command.

1.3 Using Shortcuts and Getting Help

This table identifies some shortcuts in the CLI, as well as how to get help.
Table 6 CLI Shortcuts and Help
COMMAND / KEY(S)      DESCRIPTION
(up/down arrow keys)  Scrolls through the list of recently-used commands. You can edit any command or press [ENTER] to run it again.
[CTRL]+U              Clears the current command.
?                     Displays the keywords and/or input values that are allowed in place of the ?.
help                  Displays the (full) commands that are allowed in place of help.
Use the help command to view the available commands on the ZyWALL. Follow these steps to create a list of supported commands:
1 Log into the CLI.
2 Type help and press [ENTER]. A list comes up which shows all the commands available for this device.
ras> help
Valid commands are:
sys             exit            ether           aux
config          wwan            wlan            ip
ipsec           bridge          bm              certificates
8021x           radius          radserv         wcfg
ras>
Abbreviations
Commands can be abbreviated to the smallest unique string that differentiates the command. For example sys version could be abbreviated to s v.
ras> sys version
ZyNOS version: V4.03(XD.0)Preb2_0802_1 | 08/03/2007
romRasSize: 3596736
system up time: 42:41:02 (ea784b ticks)
bootbase version: V1.08 | 01/28/2005
CPU chip revision: 1
CPU chip clock: 266MHz
CPU core revision: 0
ras> s v
ZyNOS version: V4.03(XD.0)Preb2_0802_1 | 08/03/2007
romRasSize: 3596736
system up time: 42:41:05 (ea796a ticks)
bootbase version: V1.08 | 01/28/2005
CPU chip revision: 1
CPU chip clock: 266MHz
CPU core revision: 0
ras>

1.4 Saving Your Configuration

In the ZyWALL some commands are saved as you run them and others require you to run a save command. For example, type ip stroute save to save the static route rule in non-volatile memory. See the related section of this guide to see if a save command is required.
Note: Unsaved configuration changes to commands that require you to run a save command are lost once you restart the ZyWALL.

1.5 Logging Out

Enter exit to log out of the CLI.
Table 7 Exit Command
COMMAND  DESCRIPTION               M
exit     Logs you out of the CLI.  R+B
CHAPTER 2

Common Commands

This chapter introduces some of the more commonly-used commands in the ZyWALL. For more detailed usage, see the corresponding feature chapter in this guide.
In the following examples, ras is the prompt as that is the default. If you configure a system name, then that prompt will display as the system name you configured. For example, change the system name to zyxel using the sys hostname zyxel command; the command prompt will then display as zyxel>.

2.1 Change the Idle Timeout

By default, the ZyWALL automatically logs you out of the management interface after five minutes of inactivity. Use the sys stdio command to extend the idle timeout. The following example extends the idle timeout to 120 minutes.
ras> sys stdio 120
Stdio Timeout = 120 minutes
ras>

2.2 Interface Information

ZyWALL interfaces are defined as shown in Table 2 on page 6.
The first command in this example shows information about the LAN port, for example, it has an IP address of 192.168.1.1. The second command is used to change this IP address to 192.168.100.100.
ras> ip ifconfig enif0
enif0: mtu 1500 mss 1460
  inet 192.168.1.1, netmask 0xffffff00, broadcast 192.168.1.255
  RIP RX:Ver 1 & 2, TX:Ver 1,
  [InOctets 0] [InUnicast 0] [InMulticast 0]
  [InDiscards 0] [InErrors 0] [InUnknownProtos 0]
  [OutOctets 156] [OutUnicast 0] [OutMulticast 3]
  [OutDiscards 0] [OutErrors 0]
ras> ip ifconfig enif0 192.168.100.100/24
enif0: mtu 1500 mss 1460
  inet 192.168.100.100, netmask 0xffffff00, broadcast 192.168.100.255
  RIP RX:Ver 1 & 2, TX:Ver 1,
  [InOctets 0] [InUnicast 0] [InMulticast 0]
  [InDiscards 0] [InErrors 0] [InUnknownProtos 0]
  [OutOctets 728] [OutUnicast 0] [OutMulticast 14]
  [OutDiscards 0] [OutErrors 0]
ras>
Note: Afterwards, you have to use this new IP address to access the ZyWALL via the LAN port.
To view information on all interfaces, enter ip ifconfig. To view DHCP information on the LAN port, enter ip dhcp enif0 status.
ras> ip dhcp enif0 status
DHCP on iface enif0 is server
Start assigned IP address: 192.168.1.33/24
Number of IP addresses reserved: 128
Hostname prefix: dhcppc
DNS server: 0.0.0.0 0.0.0.0 0.0.0.0
WINS server: 0.0.0.0 0.0.0.0
Domain Name :
Default gateway: 192.168.1.1
Lease time: 259200 seconds
Renewal time: 129600 seconds
Rebind time: 226800 seconds
Probing count: 4
Probing type: ICMP
slot  state      timer  type  hardware address  hostname
0     UNCERTAIN  0      0     00
1     UNCERTAIN  0      0     00
Use these commands to release and renew DHCP-assigned information on the specified interface.
ras> ip dhcp enif1 client release
ras> ip dhcp enif1 status
DHCP on iface enif1 is client
Hostname : zyxel.zyxel.com
Domain Name : zyxel.com
Server IP address: 0.0.0.0
Client IP address: 0.0.0.0/27
DNS server : 0.0.0.0, 0.0.0.0
Default gateway: 0.0.0.0
Lease time : 0 seconds
Renewal time: 0 seconds
Rebind time : 0 seconds
Client State = 8, retry = 0
periodtimer = 286, timer = 0
flags = 2
Status: Packet InCount: 3, OutCount: 3, DiscardCount: 0
ras> ip dhcp enif1 client renew
ras> ip dhcp enif1 status
DHCP on iface enif1 is client
Hostname : zyxel.zyxel.com
Domain Name : zyxel.com
Server IP address: 172.16.5.2
Client IP address: 172.16.37.48/24
DNS server : 172.16.5.2, 172.16.5.1, 0.0.0.0
Default gateway: 172.16.37.254
Lease time : 604800 seconds
Renewal time: 302400 seconds
Rebind time : 529200 seconds
Client State = 3, retry = 0
periodtimer = 272, timer = 302397
flags = 2
Status: Packet InCount: 3, OutCount: 2, DiscardCount: 0
To view the ARP table for the LAN port, enter ip arp status enif0.
ras> ip arp status enif0
received 1458 badtype 0 bogus addr 0 reqst in 312 replies 9 reqst out 16
cache hit 11278 (88%), cache miss 1521 (11%)
IP-addr        Type            Time  Addr               stat  iface
172.16.1.44    10 Mb Ethernet  290   00:13:49:6b:10:55  41    enif0
172.16.1.123   10 Mb Ethernet  290   00:0a:e4:06:11:91  41    enif0
172.16.1.3     10 Mb Ethernet  290   00:02:e3:57:ea:4f  41    enif0
172.16.1.122   10 Mb Ethernet  280   00:c0:a8:fa:e9:27  41    enif0
172.16.1.105   10 Mb Ethernet  280   00:0f:fe:0a:2d:3b  41    enif0
172.16.1.30    10 Mb Ethernet  270   00:60:b3:45:2b:c5  41    enif0
172.16.1.53    10 Mb Ethernet  210   00:16:d3:b8:3d:1a  41    enif0
172.16.1.32    10 Mb Ethernet  160   00:16:36:10:26:2d  41    enif0
172.16.1.2     10 Mb Ethernet  130   00:16:d3:37:c7:33  41    enif0
172.16.1.42    10 Mb Ethernet  150   00:00:e8:71:e3:f9  41    enif0
172.16.1.14    10 Mb Ethernet  250   00:13:49:fb:99:16  41    enif0
172.16.1.7     10 Mb Ethernet  190   00:0d:60:cb:fd:08  41    enif0
172.16.1.52    10 Mb Ethernet  130   00:0f:fe:32:b4:12  41    enif0
num of arp entries= 13
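The ARP table above is easier to review when it is parsed rather than read by eye. The following Python is an added example, not part of ZyXEL's guide or firmware: it turns the ip arp status output into records, checks that the number of parsed rows matches the count the device prints, and groups IP addresses by MAC address so that a MAC answering for several IPs on one interface stands out for review (this can be legitimate, for example a host with IP aliases, so it is a hint rather than a verdict). The column layout (IP-addr, Type, Time, Addr, stat, iface) is taken from the output above; the sample text is a copy of that output.

```python
import re
from collections import defaultdict

# Constructed sample: the "ip arp status enif0" output quoted above, with the
# trailing entry count on its own line.
SAMPLE_ARP = """\
ras> ip arp status enif0
received 1458 badtype 0 bogus addr 0 reqst in 312 replies 9 reqst out 16
cache hit 11278 (88%), cache miss 1521 (11%)
IP-addr        Type            Time  Addr               stat  iface
172.16.1.44    10 Mb Ethernet  290   00:13:49:6b:10:55  41    enif0
172.16.1.123   10 Mb Ethernet  290   00:0a:e4:06:11:91  41    enif0
172.16.1.3     10 Mb Ethernet  290   00:02:e3:57:ea:4f  41    enif0
172.16.1.122   10 Mb Ethernet  280   00:c0:a8:fa:e9:27  41    enif0
172.16.1.105   10 Mb Ethernet  280   00:0f:fe:0a:2d:3b  41    enif0
172.16.1.30    10 Mb Ethernet  270   00:60:b3:45:2b:c5  41    enif0
172.16.1.53    10 Mb Ethernet  210   00:16:d3:b8:3d:1a  41    enif0
172.16.1.32    10 Mb Ethernet  160   00:16:36:10:26:2d  41    enif0
172.16.1.2     10 Mb Ethernet  130   00:16:d3:37:c7:33  41    enif0
172.16.1.42    10 Mb Ethernet  150   00:00:e8:71:e3:f9  41    enif0
172.16.1.14    10 Mb Ethernet  250   00:13:49:fb:99:16  41    enif0
172.16.1.7     10 Mb Ethernet  190   00:0d:60:cb:fd:08  41    enif0
172.16.1.52    10 Mb Ethernet  130   00:0f:fe:32:b4:12  41    enif0
num of arp entries= 13
"""

# One table row: IP, link type (may contain spaces), age, MAC, status, interface.
ENTRY = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<type>.+?)\s+(?P<time>\d+)\s+"
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(?P<stat>\d+)\s+(?P<iface>\S+)\s*$",
    re.IGNORECASE,
)
COUNT = re.compile(r"num of arp entries=\s*(\d+)")


def parse_arp(text):
    """Return (list of entry dicts, entry count reported by the device or None)."""
    entries, reported = [], None
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            d = m.groupdict()
            d["time"], d["stat"] = int(d["time"]), int(d["stat"])
            d["mac"] = d["mac"].lower()
            entries.append(d)
        c = COUNT.search(line)
        if c:
            reported = int(c.group(1))
    return entries, reported


def count_consistent(entries, reported):
    """True when every row the device counted was actually parsed."""
    return reported is not None and reported == len(entries)


def macs_with_multiple_ips(entries):
    """Map (iface, mac) -> sorted IPs for any MAC that holds more than one IP on an interface."""
    by_mac = defaultdict(set)
    for e in entries:
        by_mac[(e["iface"], e["mac"])].add(e["ip"])
    return {key: sorted(ips) for key, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    entries, reported = parse_arp(SAMPLE_ARP)
    print("parsed", len(entries), "rows; device reported", reported,
          "; consistent:", count_consistent(entries, reported))
    print("MACs with several IPs:", macs_with_multiple_ips(entries) or "none")
```

The parser keys on the row shape rather than on column positions, so it also survives the flattened one-line form in which PDF extraction often leaves this output.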
Each ZyWALL can support a specific number of NAT sessions in total. You can limit the number of NAT sessions allowed per host by using the ip nat session command. In the following example, each host may have up to 4000 NAT sessions open at one time. The total number of NAT sessions must not exceed the number for your ZyWALL.
ras> ip nat session 4000
ras> ip nat session
NAT session number per host: 4000
ras>
To see the IP routing table, enter the following command.
ras> ip route status
Dest            FF  Len  Device  Gateway          Metric  stat  Timer  Use
192.168.1.0     00  24   enet0   192.168.1.1      1       041b  0      0
192.168.100.0   00  24   enet0   192.168.100.100  1       041b  0      0
default         00  0    Idle    WAN 2            102     002b  0      0
ras>

2.3 Basic System Information

Use the following sys version and sys atsh commands to view information about your ZyWALL.
ras> sys version
ZyNOS version: V4.03(XD.0)Preb2_0802_1 | 08/03/2007
romRasSize: 3596736
system up time: 23:51:53 (831816 ticks)
bootbase version: V1.08 | 01/28/2005
CPU chip revision: 1
CPU chip clock: 266MHz
CPU core revision: 0
ras> sys atsh
ZyNOS version : V4.03(XD.0)Preb2_0802_1 | 08/03/2007
Ram Size : 32768 Kbytes
Flash Size : Intel 64M * 1
romRasSize : 3596736
bootbase version : V1.08 | 01/28/2005
Vendor Name : ZyXEL Communications Corp.
Product Model : ZyWALL 5
MAC Address : 001349000001
Default Country Code : FF
Boot Module Debug Flag : 0
RomFile Version : 38
RomFile Checksum : b4fc
Use the following command to view CPU utilization.
ras> sys cpu display
CPU usage status:
baseline 1472882 ticks
sec ticks load      sec ticks load      sec ticks load      sec ticks load
0 1393404 5.39      1 1472882 0.00      2 1472882 0.00      3 1472882 0.00
4 1097036 25.51     5 1455444 1.18      6 1460440 0.84      7 1469623 0.22
8 1472882 0.00      9 1458718 0.96      10 15369 98.96      11 721711 51.00
12 1462602 0.69     13 1465369 0.51     14 1464771 0.55     15 1469584 0.22
16 1472882 0.00     17 1472882 0.00     18 1465200 0.52     19 1459341 0.91
20 1457914 1.01     21 1454838 1.22     22 1472882 0.00     23 1472882 0.00
24 1458275 0.99     25 1472882 0.00     26 1472882 0.00     27 1472882 0.00
28 1472882 0.00     29 1472882 0.00     30 1472882 0.00     31 1472882 0.00
32 1472882 0.00     33 1472882 0.00     34 1472882 0.00     35 1472882 0.00
36 1472882 0.00     37 1472882 0.00     38 1472882 0.00     39 1460334 0.85
40 1472882 0.00     41 1472882 0.00     42 1472882 0.00     43 1472882 0.00
44 1472882 0.00     45 1472882 0.00     46 1472882 0.00     47 1472882 0.00
48 1472882 0.00     49 1472882 0.00     50 1472882 0.00     51 1472882 0.00
52 1472882 0.00     53 1472882 0.00     54 1459578 0.90     55 1472882 0.00
56 1472882 0.00     57 1472882 0.00     58 1472882 0.00     59 1472882 0.00
60 1472882 0.00     61 1472882 0.00     62 1472882 0.00
Average CPU Load = 3.5%
ras>
Use the following command to view the ZyWALL’s time and date.
ras> sys datetime time
Current time is 08:26:56
ras> sys datetime date
Current date is Wed 2007/08/08
ras>
Use the following command to restart your ZyWALL right away.
ras> sys reboot
Bootbase Version: V1.08 | 01/28/2005 14:47:16
RAM:Size = 32 Mbytes
FLASH: Intel 64M
ZyNOS Version: V4.03(XD.0)Preb2_0802_1 | 08/03/2007 16:48:04
Press any key to enter debug mode within 3 seconds.
............................................................
Use the following command to reset the ZyWALL to the factory defaults. Make sure you back up your current configuration first (using the web configurator or SMT). The ZyWALL will restart and the console port speed will also reset to 9,600 bps.
ras> sys romreset
Do you want to restore default ROM file(y/n)?y
..................................................................OK
System Restart! (Console speed will be changed to 9600 bps)
Bootbase Version: V1.08 | 01/30/2005 14:41:51
RAM:Size = 64 Mbytes
FLASH: Intel 128M
ZyNOS Version: V4.03(WZ.0)Preb2_0803 | 08/03/2007 11:08:13
Press any key to enter debug mode within 3 seconds.
............................................................
Use the following command to change the console port speed. A higher console port speed is recommended when uploading firmware via the console port. A console port speed of 115,200 bps is necessary to view CNM debug messages and packet traces on the ZyWALL.
ras> sys baud ?
Usage: baud <1..5>(1:38400, 2:19200, 3:9600, 4:57600, 5:115200)
ras> sys baud 5
Saving to ROM. Please wait...
Change Console Speed to 115200. Then hit any key to continue
ras>
Note: After you change the console port speed, you need to change it also on your terminal emulation software (such as HyperTerminal) in order to reconnect to the ZyWALL.
Use the following command to see whether the ZyWALL is acting as a bridge or router.
ras> sys mode
Device mode: router
ras>
Use the following command to change the ZyWALL mode (bridge or router).
Usage: sys mode <router | bridge>
ras> sys mode router
Device mode: router
ras>
Use the following command to display all ZyWALL logs. Logs are very useful for troubleshooting. If you are having problems with your ZyWALL, then customer support may request that you send them the logs.
ras> sys logs display
# .time notes source destination message
============================================================
0|2007-08-16 09:39:27 |WAN1 | WAN interface gets IP:172.16.17.48
1|2007-08-16 09:38:40 |User:admin | Successful SMT login
2|2007-08-16 09:38:37 |User:admin | SMT login failed (password error)
3|2007-08-16 09:35:10 |80.85.129.103:123 |172.16.17.48:1135 Time set from NTP server: 0.pool.ntp.org, offset: +208949688 sec
4|2001-01-01 00:00:18 |WAN1 | WAN interface gets IP:172.16.17.48
5|2001-01-01 00:00:16 |WAN1 | WAN1 connection is up.
6|2001-01-01 00:00:16 |WAN2 | WAN2 connection is down.
ras>
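Logs like the ones above are more useful to support and to a security reviewer once they are structured. The following Python is an added example, not ZyXEL's code: it parses the sys logs display output into records and runs three defender-side checks that this very sample illustrates: a failed login on an account followed within a short window by a successful one (entries 2 and 1), the interface address a WAN port last obtained, and a large NTP clock correction (entry 3), which is why the oldest entries carry 2001 timestamps and why sorting this log by time alone is misleading before the clock was set. The field layout (index|time|source|destination message) is inferred from the output above; the sample text is a copy of that output.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the "sys logs display" output quoted above, newest entry first.
SAMPLE_LOG = """\
# .time notes source destination message
============================================================
0|2007-08-16 09:39:27 |WAN1 | WAN interface gets IP:172.16.17.48
1|2007-08-16 09:38:40 |User:admin | Successful SMT login
2|2007-08-16 09:38:37 |User:admin | SMT login failed (password error)
3|2007-08-16 09:35:10 |80.85.129.103:123 |172.16.17.48:1135 Time set from NTP server: 0.pool.ntp.org, offset: +208949688 sec
4|2001-01-01 00:00:18 |WAN1 | WAN interface gets IP:172.16.17.48
5|2001-01-01 00:00:16 |WAN1 | WAN1 connection is up.
6|2001-01-01 00:00:16 |WAN2 | WAN2 connection is down.
ras>
"""

# A leading "ip:port " token in the last field is the destination; the rest is the message.
ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}:\d+)\s+(.*)$")


@dataclass
class LogEntry:
    index: int
    time: datetime
    source: str
    destination: str
    message: str


def parse_log(text):
    """Turn the sys logs display output into LogEntry records (header, rule and prompt lines skipped)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#=" or line.startswith("ras>"):
            continue
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        idx, when, source, rest = (p.strip() for p in parts)
        m = ENDPOINT.match(rest)
        dest, msg = (m.group(1), m.group(2)) if m else ("", rest)
        entries.append(LogEntry(int(idx), datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                                source, dest, msg))
    return entries


def failed_logins(entries):
    return [e for e in entries if "login failed" in e.message]


def success_after_failure(entries, window_seconds=60):
    """(account, failure time, success time) for each failed login followed by a success
    on the same account within window_seconds. Entries are ordered oldest first for the scan."""
    hits = []
    by_time = sorted(entries, key=lambda e: (e.time, -e.index))
    for i, e in enumerate(by_time):
        if "login failed" not in e.message:
            continue
        for later in by_time[i + 1:]:
            if (later.source == e.source and "Successful" in later.message
                    and (later.time - e.time).total_seconds() <= window_seconds):
                hits.append((e.source, e.time, later.time))
                break
    return hits


def wan_addresses(entries):
    """Interface name -> the most recent address the log reports for it."""
    result = {}
    for e in sorted(entries, key=lambda e: e.time):
        m = re.search(r"gets IP:(\S+)", e.message)
        if m:
            result[e.source] = m.group(1)
    return result


def clock_adjustments(entries, threshold_seconds=3600):
    """(index, offset) for NTP corrections larger than threshold_seconds; timestamps
    logged before such a correction cannot be compared with those after it."""
    out = []
    for e in entries:
        m = re.search(r"offset:\s*([+-]\d+)\s*sec", e.message)
        if m and abs(int(m.group(1))) >= threshold_seconds:
            out.append((e.index, int(m.group(1))))
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(len(entries), "entries;", len(failed_logins(entries)), "failed login(s)")
    print("failure then success:", success_after_failure(entries))
    print("WAN addresses:", wan_addresses(entries))
    print("clock corrections:", clock_adjustments(entries))
```

Pasting the output of sys logs display into this script (or feeding it a saved session) is enough; nothing has to be exported from the device first.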
Use the following command to display all ZyWALL error logs.
ras> sys logs errlog disp
47 Mon Jan 1 00:00:03 2001 PINI INFO Channel 0 ok
48 Mon Jan 1 00:00:25 2001 PP0e INFO LAN promiscuous mode <0>
51 Mon Jan 1 00:00:25 2001 PINI INFO main: init completed
52 Mon Jan 1 00:00:25 2001 PP22 INFO No DNS server available
53 Mon Jan 1 00:11:53 2001 PINI INFO Last errorlog repeat 114 Times
54 Mon Jan 1 00:11:53 2001 PINI INFO SMT Session Begin
55 Mon Jan 1 00:15:25 2001 PP22 INFO No DNS server available
56 Mon Jan 1 00:51:15 2001 PINI INFO Channel 0 ok
57 Mon Jan 1 00:51:37 2001 PP0e INFO LAN promiscuous mode <0>
60 Mon Jan 1 00:51:37 2001 PINI INFO main: init completed
61 Mon Jan 1 00:51:37 2001 PP22 INFO No DNS server available
62 Mon Jan 1 00:51:41 2001 PINI INFO SMT Session Begin
63 Mon Jan 1 00:52:37 2001 PP1c INFO No DNS server available
Clear Error Log (y/n):
Use the following commands for system debugging. A console port speed of 115,200 bps is necessary to view packet traces on the ZyWALL.
ras> sys trcpacket sw on
ras> sys trcdisp brief
0 09:21:27.180 ENET1-T[0342] UDP 0.0.0.0:68->255.255.255.255:67
1 09:21:30.180 ENET1-T[0342] UDP 0.0.0.0:68->255.255.255.255:67
2 09:21:37.180 ENET1-T[0342] UDP 0.0.0.0:68->255.255.255.255:67
3 09:21:53.180 ENET1-T[0342] UDP 0.0.0.0:68->255.255.255.255:67
4 09:21:55.180 ENET1-T[0342] UDP 0.0.0.0:68->255.255.255.255:67
ras> sys trcdisp enif0 bothway
TIME:09:24:53.180 enet1-XMIT len:342 call=0
0000: ff ff ff ff ff ff 00 13 49 00 00 02 08 00 45 00
0010: 01 48 04 df 00 00 ff 11 b5 c6 00 00 00 00 ff ff
0020: ff ff 00 44 00 43 01 34 e6 79 01 01 06 00 00 00
0030: 1f 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040: 00 00 00 00 00 00 00 13 49 00 00 02 00 00 00 00
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
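The hex dump that sys trcdisp prints is raw frame bytes, so reading it means decoding the Ethernet, IP and UDP headers by hand. The following Python is an added example, not part of ZyXEL's guide: it parses the trace text above (checking that the dump offsets are contiguous, so a dropped line is caught), decodes the headers, verifies the IPv4 header checksum, and pulls the BOOTP/DHCP fields out of the payload. On the frame above it recovers what the brief listing already hinted at: a broadcast from 0.0.0.0 port 68 to 255.255.255.255 port 67, a DHCP request (op 1) from the device's own MAC, with the IP total length (328) plus the 14-byte Ethernet header matching the len:342 in the trace header. The device shows only the first 128 bytes, so the decoder has to work on a truncated capture; the sample text is a copy of the output above.

```python
import re
import struct

# Constructed sample: the "sys trcdisp enif0 bothway" frame quoted above. The
# device prints only the first 128 of the 342 bytes.
SAMPLE_TRACE = """\
TIME:09:24:53.180 enet1-XMIT len:342 call=0
0000: ff ff ff ff ff ff 00 13 49 00 00 02 08 00 45 00
0010: 01 48 04 df 00 00 ff 11 b5 c6 00 00 00 00 ff ff
0020: ff ff 00 44 00 43 01 34 e6 79 01 01 06 00 00 00
0030: 1f 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040: 00 00 00 00 00 00 00 13 49 00 00 02 00 00 00 00
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

HEADER = re.compile(r"^TIME:(\S+)\s+(\S+)\s+len:(\d+)")
HEX_LINE = re.compile(r"^([0-9a-fA-F]{4}):((?:\s+[0-9a-fA-F]{2})+)\s*$")


def parse_trace(text):
    """Split one trcdisp frame into a header dict and the captured bytes.
    Offsets are checked so that a dropped or duplicated dump line is noticed."""
    hdr, data = {}, bytearray()
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            hdr = {"time": m.group(1), "port": m.group(2), "len": int(m.group(3))}
            continue
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(data):
            raise ValueError("dump offset %s does not follow %d bytes" % (m.group(1), len(data)))
        data += bytes.fromhex(m.group(2))
    return hdr, bytes(data)


def ip_checksum_ok(header):
    """RFC 1071 check: the one's-complement sum of the header, checksum field included, is 0xffff."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_frame(data):
    """Decode Ethernet II, IPv4 and UDP headers; on BOOTP/DHCP ports also read op, xid and client MAC."""
    if len(data) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", data[12:14])[0]
    out = {"dst_mac": data[:6].hex(":"), "src_mac": data[6:12].hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800 or len(data) < 34:
        return out
    ip = data[14:]
    ihl = (ip[0] & 0x0F) * 4
    out.update(ip_total_len=struct.unpack("!H", ip[2:4])[0], ttl=ip[8], proto=ip[9],
               src_ip=".".join(map(str, ip[12:16])), dst_ip=".".join(map(str, ip[16:20])),
               ip_checksum_ok=ip_checksum_ok(ip[:ihl]))
    if ip[9] != 17 or len(ip) < ihl + 8:
        return out
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    out.update(src_port=sport, dst_port=dport, udp_len=ulen)
    payload = udp[8:]
    # BOOTP fixed header: op(1) htype(1) hlen(1) hops(1) xid(4) ... chaddr at offset 28.
    if {sport, dport} & {67, 68} and len(payload) >= 34:
        out.update(dhcp_op=payload[0], dhcp_xid=struct.unpack("!I", payload[4:8])[0],
                   dhcp_client_mac=payload[28:34].hex(":"))
    return out


def frame_consistent(hdr, decoded):
    """The len: value in the trace header should equal the Ethernet header plus the IP total length."""
    return hdr.get("len") == 14 + decoded.get("ip_total_len", -1)


if __name__ == "__main__":
    hdr, data = parse_trace(SAMPLE_TRACE)
    decoded = decode_frame(data)
    for key, value in decoded.items():
        print("%-16s %s" % (key, value))
    print("header/IP length consistent:", frame_consistent(hdr, decoded))
```

A checksum that fails on a transmitted frame, or a len: value that does not match the IP header, is the first thing to check before trusting the rest of the dump, since a copy-and-paste from the console can silently lose a line.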
The extended ping command is used to have the ZyWALL ping IP address 172.16.1.202 five times in the following example.
ras> ip pingext 172.16.1.202 -n 5
Resolving 172.16.1.202 ... 172.16.1.202
sent  rcvd  size  rtt   avg  max   min
1     1     36    510   510  510   510
2     2     36    530   520  530   510
3     3     36    850   630  850   510
4     4     36    1030  730  1030  510
5     5     36    1070  798  1070  510
Extended Ping From device to 172.16.1.202:
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate Round Trip Times in milli-seconds:
RTT: Average = 798ms, Maximum = 1070ms, Minimum = 510ms
ras>

2.4 UTM and myZyXEL.com

Use these commands to create an account at myZyXEL.com and view what services you have activated.
Note: Ensure your ZyWALL is connected to the Internet before you use the following commands.
You need to create an account at myZyXEL.com in order to activate content filtering, anti-spam and anti-virus UTM (Unified Threat Management) services. See the myZyXEL.com chapter for information on the country code you should use.
ras> sys myZyxelCom register <username> <password> <email> <countryCode>
This command displays your ZyWALL’s registration information, including the myZyXEL.com account password in clear text.
ras> sys myZyxelCom display
register server address : www.myzyxel.com
register server path : /register/registration?
username : aseawfasf
password : aaaaaa
email : aa@aa.aa.aa
sku : CFRT=1&CFST=319&ZASS=469&ISUS=469&ZAVS=469
country code : 204
register state 1
register MAC : 0000AA220765
CF expired day : 2008-05-26 14:58:19
AS expired day : 2008-10-23 14:58:19
2In1 expired day : 2008-10-23 14:58:19
Last update day : 2007-07-12 14:58:19
This command displays ZyWALL service registration details.
ras> sys myZyxelCom serviceDisplay
Content Filter Service : Actived, Licenced, Trial, Expired : 2007-07-08 16:36:15
Anti-Spam Service : Actived, Licenced, Trial, Expired : 2007-09-06 16:36:18
IDP/Anti-Virus Service : Actived, Licenced, Trial, Expired : 2007-09-06 16:36:18
ras>
Use these commands to enable anti-spam on the ZyWALL for traffic going from WAN1 to LAN.
ras> as enable 1
Anti spam: enabled
ras> as dir wan1 lan on
From\To  lan  wan1  dmz  wan2  wlan  vpn
=======================================
lan      off  off   off  off   off   off
wan1     on   off   off  off   off   off
dmz      off  off   off  off   off   off
wan2     off  off   off  off   off   off
wlan     off  off   off  off   off   off
vpn      off  off   off  off   off   off
ras>
Use the following commands to enable anti-virus on the ZyWALL. You first need to use the load command.
ras> av load
ras> av config enable on
ras> av save
ras> av disp
AV Enable : On
AV Forward Over ZIP Session : Off
AV Forward Over ZIP Session : Off
------------------------------------
Use the following commands to enable content filtering on the ZyWALL, then on the external database (DB) and then display the default policy.
ras> ip cf common enable on
ras> ip cf externalDB enable on
ras> ip cf policy displayAll
index  Name            Active  IP Group  Start Addr       End Addr
==========================================================================
1      Default Policy  Y                 0.0.0.0/0.0.0.0
The default policy does not actually block anything. Use the following commands to edit the default policy, turn on external database service content filtering (category-based content filtering), see what the categories are, block a category (2 in the following example) and then save the policy.
ras> ip cf policy edit 1
ras> ip cf policy config webControl enable on
ras> ip cf policy config webControl display
The Categories:
type 1 :Adult/Mature Content
type 2 :Pornography
type 3 :Sex Education
type 4 :Intimate Apparel/Swimsuit
type 5 :Nudity
type 6 :Alcohol/Tobacco
type 7 :Illegal/Questionable
type 8 :Gambling
type 9 :Violence/Hate/Racism
type10 :Weapons
type11 :Abortion
type12 :Hacking
type13 :Phishing
type14 :Arts/Entertainment
type15 :Business/Economy
type16 :Alternative Spirituality/Occult
type17 :Illegal Drugs
type18 :Education
type19 :Cultural/Charitable Organization
type20 :Financial Services
type21 :Brokerage/Trading
type22 :Online Games
type23 :Government/Legal
type24 :Military
type25 :Political/Activist Groups
type26 :Health
type27 :Computers/Internet
type28 :Search Engines/Portals
type29 :Spyware/Malware Sources
type30 :Spyware Effects/Privacy Concerns
type31 :Job Search/Careers
type32 :News/Media
type33 :Personals/Dating
type34 :Reference
type35 :Open Image/Media Search
type36 :Chat/Instant Messaging
type37 :Email
type38 :Blogs/Newsgroups
type39 :Religion
type40 :Social Networking
type41 :Online Storage
type42 :Remote Access Tools
type43 :Shopping
type44 :Auctions
type45 :Real Estate
type46 :Society/Lifestyle
type47 :Sexuality/Alternative Lifestyles
type48 :Restaurants/Dining/Food
type49 :Sports/Recreation/Hobbies
type50 :Travel
type51 :Vehicles
type52 :Humor/Jokes
type53 :Software Downloads
type54 :Pay to Surf
type55 :Peer-to-Peer
type56 :Streaming Media/MP3s
type57 :Proxy Avoidance
type58 :For Kids
type59 :Web Advertisements
type60 :Web Hosting
type61 :Unrated
ras> ip cf policy config webControl category block 2
The Categories:
type 1 :Adult/Mature Content
type 2 (block):Pornography
------
ras> ip cf policy save
ras>
You may also configure and schedule new policies using commands as well as configure what to block using the external database.

2.5 Firewall

Use the following command to enable the firewall on the ZyWALL.
ras> sys firewall active yes
ras>

2.6 VPN

Use the following command to show what IPsec VPN tunnels are active on your ZyWALL.
ras> ipsec show_runtime sa
Runtime SA status:
No phase 1 IKE SA exist
No phase 2 IPSec SA exist
Active SA pair = 0
ras>
Use the following command to manually bring up a previously configured VPN tunnel.
ras> ipsec dial 1
Start dialing for tunnel <rule# 1>...
.....................

2.7 Dialing PPPoE and PPTP Connections

This example shows dialing up remote node “WAN 1” using PPPoE.
ras> poe dial "WAN 1"
Start dialing for node <WAN 1>...
### Hit any key to continue.###
$$$ DIALING dev=6 ch=0..........
$$$ OUTGOING-CALL phone()
$$$ CALL CONNECT speed<100000000> type<6> chan<0>
$$$ LCP opened
$$$ PAP sending user/pswd
$$$ IPCP negotiation started
$$$ IPCP neg' Primary DNS 192.168.30.1
$$$ IPCP neg' Primary DNS 172.16.5.2
$$$ IPCP opened
This example shows dialing up remote node “WAN 1” using PPTP.
ras> pptp dial "WAN 1"
Start dialing for node <WAN 1>...
### Hit any key to continue.###
ras>
PART II

Reference

• Antispam Commands (33)
• Antivirus Commands (35)
• Auxiliary (Dial Backup) Commands (39)
• Bandwidth Management Commands (43)
• Bridge Commands (51)
• Certificates Commands (55)
• CNM Agent Commands (63)
• Configuration Commands (67)
• Device Related Commands (83)
• Ethernet Commands (85)
• Firewall Commands (87)
• IDP Commands (93)
• IP Commands (97)
• IPSec Commands (121)
• Load Balancing Commands (133)
• myZyXEL.com Commands (135)
• PPPoE Commands (145)
• PPTP Commands (149)
• System Commands (151)
• Wireless Commands (165)
CHAPTER 3

Antispam Commands

Use these commands to configure antispam settings on the ZyWALL.

3.1 Command Summary

The following table describes the values required for many antispam (as) commands. Other values are discussed with the corresponding commands.
Table 8 as Command Input Values
LABEL | DESCRIPTION
interface | Specifies an interface. The options are lan|wan1|dmz|wlan|vpn (not case sensitive).
number, start-number, end-number | Specifies an index number less than or equal to the total number of entries on a black or white list.
timeout | Specifies the timeout period in seconds.
The following section lists the commands for this feature.
Table 9 as Commands
COMMAND | DESCRIPTION | M
as asAction [0|1] | When the mail session limit has been exceeded the ZyWALL either forwards further mail to recipients (0) or blocks further mail (1). | R+B
as delete blackRule <number|start-number> [end-number] | Deletes the blacklist filter. The user can delete one filter or a set of filters. | R+B
as delete whiteRule <number|start-number> [end-number] | Deletes the whitelist filter. The user can delete one filter or a set of filters. | R+B
as dir <interface> <interface> <on|off> | Enables or disables antispam checking depending on the source and destination of the mail. | R+B
as display antispam | Displays the antispam configuration. | R+B
as display runtimedata <all|black|white> [all|ip|mime|email|subject] | Displays runtime data for the antispam ACL (Access Control List) structure. | R+B
as display serverlist | Displays the list of rating servers. The rating server provides a score for each mail on how likely it is to be spam or not. | R+B
as enable <0|1> | Enables (1) or disables (0) antispam. | R+B
as failTolerance [timeout] | Sets the timeout interval for a rating server. If the rating server times out a second time, this server is removed from the server list. The minimum timeout value is 0 and there is no upper limit. | R+B
as freeSession | Frees (deletes) all mail sessions. | R+B
as getServerList <y|n> | Sends a request for a server list manually. | R+B
as rtnct clear | Clears the record of non-routed emails. | R
as rtnct disp | Counts how many emails were not routed and records the reason for not routing. | R
as scoreTimeout <timeout> | Sets a timeout period for a query to a rating server for an antispam score. The timeout value is 0-30 seconds. | R+B
as xtag <tag> <content> | Sets a message (xtag) in the mail header. The tag depends on the mail application used. Examples are <X-Mailer> or <X-MimeOLE>. | R+B
The following table shows a list of default values.
Table 10 as Default Values
VARIABLE | DEFAULT VALUE
asAction | 1
antispam | disabled
failTolerance | 120 seconds
scoreTimeout | 7 seconds

3.2 Command Examples

Use this example to load the antispam module and configure it to filter email received from the WAN and addressed to a client on the LAN.
ras> as enable 1
Anti spam: enabled
ras> as dir WAN1 LAN on
From\To  lan  wan1  dmz  wan2  wlan  vpn
=======================================
lan      off  off   off  off   off   off
wan1     on   off   off  off   off   off
dmz      off  off   off  off   off   off
wan2     off  off   off  off   off   off
wlan     off  off   off  off   off   off
vpn      off  off   off  off   off   off
ras>
CHAPTER 4

Antivirus Commands

Use these commands to configure antivirus related settings on the ZyWALL.

4.1 Command Summary

The following table describes the values required for many antivirus (av) commands. Other values are discussed with the corresponding commands.
Table 11 av Command Input Values
LABEL | DESCRIPTION
protocol | Specifies a protocol. The options are ftp|http|pop3|smtp.
interface | Specifies an interface. The options are lan|wan1|dmz|wlan|vpn.
The following section lists the commands for this feature.
Table 12 av Commands
COMMAND | DESCRIPTION | M
av config decompress <on|off> | Enables or disables zip file decompression on the fly to one level of decompression. TCP packet assembly checking also needs to be enabled to support this function. Use av tune config l7...asm to enable TCP packet assembly checking if it is not already enabled. | R+B
av config enable <on|off> | Enables or disables the antivirus function. | R+B
av config [protocol] active <on|off> | Enables or disables the antivirus function for the specified protocol. | R+B
av config [protocol] dir [interface] [interface] [on|off] | Configures antivirus protection for the specified protocol based on the source and destination of traffic. | R+B
av config [protocol] display | Shows the antivirus setting for the specified protocol. | R+B
av config httpScanAllMime <on|off> | Enables or disables scanning of ASCII files transferred using HTTP, such as .txt, .html. By default, the ZyWALL scans MIME type files, for example, .doc, .ppt, .zip, .exe. | R+B
av config overZipSession [0|1] | Blocks (0) or forwards (1) a mail with an attached zip file when the maximum number of received zip files has been exceeded. | R+B
av config pop3ScanAllMime <on|off> | Enables or disables scanning of ASCII files transferred using POP3 (email), such as .txt, .html. By default, the ZyWALL scans MIME type files, for example, .doc, .ppt, .zip, .exe. | R+B
av config smtpScanAllMime <on|off> | Enables or disables scanning of ASCII files transferred using SMTP (email), such as .txt, .html. By default, the ZyWALL scans MIME type files, for example, .doc, .ppt, .zip, .exe. | R+B
av display | Shows the antivirus settings. | R+B
av load | Loads the antivirus settings. | R+B
av save | Saves the antivirus settings. | R+B
av signature load <signature-id> | Loads the specified signature (so you can configure it). signature-id: Each intrusion signature has a unique identification number. This number may be searched at myZyXEL.com for more detailed information. | R+B
av signature config active <on|off> | Turns the signature you loaded on or off. | R+B
av signature config alert <on|off> | Enables or disables alerts for the signature you loaded. | R+B
av signature config destroyFile <on|off> | Enables or disables the destruction of files that match the virus signature you loaded. | R+B
av signature config log <on|off> | Enables or disables logs for packets that match the signature you loaded. | R+B
av signature config sendWinMsg <on|off> | Enables or disables a pop-up message in Windows notifying the detection of a file that matches the virus signature you loaded. | R+B
av signature display | Displays the currently loaded signature’s settings. | R+B
av signature reset | Resets all of the antivirus signatures to their default settings. | R+B
av signature save | Saves your configuration changes for the signature you loaded. | R+B
Use the following av tune config commands to configure tune settings such as checksum checking and packet ordering for IDP/Anti-Virus/Anti-Spam protection. While these features improve security, there is a tradeoff in performance.
av tune config l4Icmpcjsum <on|off> | Enables or disables ICMP checksum checking. | R+B
av tune config l4Tcpcksum <on|off> | Enables or disables TCP checksum checking. | R+B
av tune config l4Tcpmssck <on|off> | Enables or disables TCP MSS (Maximum Segment Size) checking. | R+B
av tune config l4Tcpwindowck <on|off> | Enables or disables TCP window checking. | R+B
av tune config l4Udpcksum <on|off> | Enables or disables UDP checksum checking. | R+B
av tune config l7Ftpasm <on|off> | Enables or disables TCP packet assembly checking for FTP traffic. | R+B
av tune config l7Ftpdataasm <on|off> | Enables or disables TCP packet assembly checking for FTPDATA. | R+B
av tune config l7Httpasm <on|off> | Enables or disables TCP packet assembly checking for HTTP. | R+B
av tune config l7Otherasm <on|off> | Enables or disables TCP packet assembly checking for other protocols. | R+B
av tune config l7Pop3asm <on|off> | Enables or disables TCP packet assembly checking for POP3. | R+B
av tune config l7Smtpasm <on|off> | Enables or disables TCP packet assembly checking for SMTP. | R+B
av tune display | Displays the tune configuration. | R+B
av tune load | Loads the tune configuration. | R+B
av tune save | Saves the tune configuration. | R+B
av update config autoupdate <on|off> | Enables or disables the signature autoupdate. | R+B
av update config dailyTime <00-23> | Configures the signature update time of day. | R+B
av update config method <1-3> | Configures the signature update method. 1: hourly, 2: daily, 3: weekly. | R+B
av update config weeklyDay <1-7> | Configures which day of the week the signature is updated. 1: sun, 2: mon, 3: tue, 4: wed, 5: thu, 6: fri, 7: sat. | R+B
av update config weeklyTime <00-23> | Configures which hour of the day the signature is updated. | R+B
av update display | Shows the signature information and the update settings. | R+B
av update load | Loads the signature update setting. | R+B
av update save | Saves the signature update setting. | R+B
av update start | Starts the signature update. | R+B
The following table shows a list of default values.
Table 13 av Default Values
VARIABLE | DEFAULT VALUE
decompress | on
av on or off | off
av protocol | off
av alert | on
av breakfile | on
log | on
sendmsg (popup) | on
overZipSession | off
ScanAllMime | off
checksum | off
l7...asm (packet order checking) | on
autoupdate | off

4.2 Command Examples

This example loads the antivirus signature, enables antivirus protection, zip file decompression, and virus scanning on SMTP traffic from the LAN to the WAN.
ras> av load
ras> av config enable on
ras> av config decompress on
ras> av config smtp active on
ras> av config smtp dir lan wan1 on
From\To  lan  wan1  dmz  wlan  vpn
=======================================
lan      off  on    off  off   off
wan1     off  off   off  off   off
dmz      off  off   off  off   off
wlan     off  off   off  off   off
vpn      off  off   off  off   off
ras> av save
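The From\To table printed by as dir (section 3.2) and by av config <protocol> dir (above) is the only confirmation that a scanning direction was set the way you meant, and the CLI accepts WAN1 LAN while the table prints wan1. The following Python is an added example, not ZyXEL code: it parses that table into (from, to) pairs and reports directions that are off although intended, or on although not intended. The sample table is constructed from the section 3.2 output; the only format assumptions are the From\To header row, the ===== rule and on/off cells.

```python
from typing import Dict, Iterable, List, Set, Tuple

Direction = Tuple[str, str]  # (from_interface, to_interface), lower case

# Constructed sample: the matrix printed after 'as dir WAN1 LAN on' in section 3.2.
# 'av config <protocol> dir' prints the same layout (with the columns it supports).
SAMPLE_MATRIX = """\
From\\To lan wan1 dmz wan2 wlan vpn
=======================================
lan off off off off off off
wan1 on off off off off off
dmz off off off off off off
wan2 off off off off off off
wlan off off off off off off
vpn off off off off off off
"""


def parse_direction_matrix(text: str) -> Dict[Direction, bool]:
    """Turn the From\\To table into {(src, dst): enabled}.

    The header row names the destination columns; every body row starts with
    the source interface and carries one on/off cell per destination column.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = next(ln for ln in lines if ln.lower().startswith("from\\to"))
    dsts = [d.lower() for d in header.split()[1:]]
    matrix: Dict[Direction, bool] = {}
    for ln in lines[lines.index(header) + 1:]:
        if set(ln) <= {"="}:  # the ===== rule under the header
            continue
        cells = ln.split()
        if len(cells) != len(dsts) + 1:
            raise ValueError(f"row does not match the header: {ln!r}")
        src, states = cells[0].lower(), [s.lower() for s in cells[1:]]
        for dst, state in zip(dsts, states):
            if state not in ("on", "off"):
                raise ValueError(f"unexpected cell {state!r} in row {src}")
            matrix[(src, dst)] = state == "on"
    return matrix


def enabled_directions(matrix: Dict[Direction, bool]) -> List[Direction]:
    """All (src, dst) pairs the module will actually scan."""
    return sorted(d for d, on in matrix.items() if on)


def audit_directions(matrix: Dict[Direction, bool],
                     intended: Iterable[Direction]) -> Dict[str, List[Direction]]:
    """Compare the device's table against the directions you meant to enable.

    Names are compared case-insensitively because the command takes 'WAN1 LAN'
    while the table prints 'wan1' and 'lan'.
    """
    want: Set[Direction] = {(s.lower(), d.lower()) for s, d in intended}
    have = set(enabled_directions(matrix))
    unknown = {d for d in want if d not in matrix}  # not an interface pair the box has
    return {
        "missing": sorted(want - have - unknown),   # intended, but shown as off
        "unexpected": sorted(have - want),          # on, but never intended
        "unknown": sorted(unknown),
    }


if __name__ == "__main__":
    m = parse_direction_matrix(SAMPLE_MATRIX)
    print("enabled:", enabled_directions(m))
    print(audit_directions(m, [("WAN1", "LAN"), ("lan", "wan1")]))
```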
CHAPTER 5
Auxiliary (Dial Backup) Commands
Use these commands to configure dial backup (auxiliary) port settings on the ZyWALL.

5.1 Command Summary

The following table describes the values required for many dial backup commands. Other values are discussed with the corresponding commands.
Table 14 Dial Backup Command Input Values
LABEL | DESCRIPTION
aux-port | This identifies the channel (device) for dial backup. aux0: This is the dial backup port. aux1: This is the 3G WAN connection. This only applies to devices with a 3G WAN connection.
The following section lists the aux commands.
Table 15 Dial Backup Commands
COMMAND | DESCRIPTION | M
aux atring <aux-port> | Shows the AT command strings that the ZyWALL has sent to the WAN device and the responses. | R
aux cdmamdm flag [1|0] | 1 allows the ZyWALL to dial a CDMA modem connected to the dial backup port. | R
aux cnt clear <aux-port> | Clears the auxiliary port’s counter information. | R
aux cnt disp <aux-port> | Displays the auxiliary port’s counter information. | R
aux dial <aux-port> <phone-number> | Has the ZyWALL dial the modem. Include a # symbol at the beginning of the phone number as required. | R
aux disableDSRCheck | The LG 340 wireless modem does not send a DSR when it is ready. Use this command with a LG 340 wireless modem to have the ZyWALL not check for a DSR signal. | R
aux dqtest <aux-port> | Sends the AT command to the WAN device. | R
aux drop <aux-port> | Disconnects the auxiliary port’s connection. | R
aux enableDSRCheck | Has the ZyWALL check for a DSR signal from the modem. Use this command if you have stopped using a LG 340 wireless modem and want to change to a regular modem (that sends a DSR when it is ready). | R
aux init <aux-port> | Initializes the auxiliary port’s connection. | R
aux mstatus <aux-port> | Displays the status of the modem’s last call. | R
aux mtype <aux-port> | Displays the type of modem connected to the auxiliary port. | R
aux netstat <aux-port> | Displays upper layer packet information for the specified device. | R
aux rate <aux-port> | Displays the transmit and receive rates. | R
aux signal <aux-port> | Displays the auxiliary port’s signal. | R
aux usrmdm flag [1|0] | 1 allows the ZyWALL to dial a US Robotics modem connected to the dial backup port. | R

5.2 Command Examples

This example displays upper layer packet information for the dial backup port.
ras> aux netstat aux0
Name : aux0, Dev type : 3, Chann id: 0
RX(pkt): 0, RX discard: 0, RX error: 0, RX(octet): 0
TX(pkt): 0, TX discard: 0, TX error: 0, TX(octet): 0
The following table describes the labels in this display.
Table 16 aux netstat aux0
LABEL | DESCRIPTION
Name | Name of the channel.
Dev type | The type of auxiliary device. There are several possibilities: 0: NONE, 1: 56k modem, 2: modems other than 56k, 3: TA, 4: X25_PAD, 5: MultiProtocol over AAL5, 6: PPP over Ethernet, RFC-2516, 7: PPTP, 8: 3G modem.
Chann id | The number of the channel that the device is using.
RX (pkt) | Received packets.
TX (pkt) | Transmitted packets.
RX discard | Received octets the ZyWALL discarded.
TX discard | Transmitted octets the ZyWALL discarded.
RX error | Received errored frames.
TX error | Transmitted errored frames.
RX(octet) | Received errored octets.
TX(octet) | Transmitted errored octets.
This example displays the dial backup port’s transmit and receive rates.
ras> aux rate aux0
No.  TX(byte)  Rx(byte)  TX Rate    RX Rate    TX Queue
==== ========  ========  =========  =========  ==========
1    0         0         0          0          0
2    0         0         0          0          0
3    0         0         0          0          0
4    0         0         0          0          0
5    0         0         0          0          0
6    0         0         0          0          0
7    0         0         0          0          0
8    0         0         0          0          0
9    0         0         0          0          0
10   0         0         0          0          0
11   0         0         0          0          0
12   0         0         0          0          0
13   0         0         0          0          0
14   0         0         0          0          0
15   0         0         0          0          0
16   0         0         0          0          0
17   0         0         0          0          0
18   0         0         0          0          0
19   0         0         0          0          0
20   0         0         0          0          0
The following table describes the labels in this display.
Table 17 aux rate aux0
LABEL | DESCRIPTION
No. | The entry in the rate statistics.
TX (byte) | Transmitted bytes.
Rx (byte) | Received bytes.
TX Rate | Transmission rate.
RX Rate | Received rate.
TX Queue | Number of packets waiting to be transmitted.
This example displays details about the dial backup port’s signal.
ras> aux signal aux0
DTR: OFF
DSR: OFF
RTS: OFF
CTS: OFF
DCD: OFF
The following table describes the labels in this display.
Table 18 aux signal aux0
LABEL | DESCRIPTION
DTR | Data Terminal Ready: The signal the ZyWALL sends to the modem to indicate the ZyWALL is ready to receive data.
DSR | Data Set Ready: The signal the modem sends to the ZyWALL to indicate the modem is ready to receive data.
RTS | Request to Send: The signal the ZyWALL sends to the modem to have the modem prepare to receive data.
CTS | Clear to Send: The signal the modem sends to the ZyWALL to acknowledge the ZyWALL and allow the ZyWALL to transmit data.
DCD | Data Carrier Detect: The signal the modem sends to the ZyWALL when the modem has a connection with the remote device.
This example shows the AT command strings that the ZyWALL has sent to the modem connected to the dial backup port and the responses.
ras> aux atring aux0
          00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
94b13960: 02 0d 0c 00 be af 00 00 00 00 08 00 61 74 68 0d ............ath.
94b13970: 0d 0a 4f 4b 0d 0a 61 74 26 66 73 30 3d 30 0d 0d ..OK..at&fs0=0..
94b13980: 0a 4f 4b 0d 0a 61 74 64 30 2c 34 30 35 30 38 38 .OK..atd0,405088
94b13990: 38 38 0d 0d 0a 42 55 53 59 0d 0a 61 74 64 30 2c 88...BUSY..atd0,
94b139a0: 34 30 35 30 38 38 38 38 0d 0d 0a 52 49 4e 47 49 40508888...RINGI
94b139b0: 4e 47 0d 0a 0d 0a 42 55 53 59 0d 0a 61 74 64 30 NG....BUSY..atd0
94b139c0: 2c 34 30 35 30 38 38 38 38 0d 0d 0a 43 4f 4e 4e ,40508888...CONN
94b139d0: 45 43 54 20 31 31 35 32 30 30 2f 56 2e 33 34 20 ECT 115200/V.34
94b139e0: 31 36 38 30 30 2f 56 34 32 62 0d 0d 0a 4e 4f 20 16800/V42b...NO
94b139f0: 43 41 52 52 49 45 52 0d 0a 61 74 68 0d 0d 0a 4f CARRIER..ath...O
94b13a00: 4b 0d 61 74 68 0d 0d 0a 4f 4b 0d 0a 61 74 26 66 K.ath...OK..at&f
94b13a10: 73 30 3d 30 0d 0d 0a 4f 4b 0d 0a 61 74 64 30 2c s0=0...OK..atd0,
94b13a20: 34 30 35 30 38 38 38 38 0d 0d 0a 43 4f 4e 4e 45 40508888...CONNE
94b13a30: 43 54 20 31 31 35 32 30 30 2f 56 2e 33 34 20 31 CT 115200/V.34 1
94b13a40: 34 34 30 30 2f 56 34 32 62 0d 0d 0a 4e 4f 20 43 4400/V42b...NO C
94b13a50: 41 52 52 49 45 52 0d 0a 61 74 68 0d 0d 0a 4f 4b ARRIER..ath...OK
94b13a60: 0d 61 74 68 0d 0d 0a 4f 4b 0d 0a 61 74 26 66 73 .ath...OK..at&fs
94b13a70: 30 3d 30 0d 0d 0a 4f 4b 0d 0a 61 74 64 30 2c 34 0=0...OK..atd0,4
94b13a80: 30 35 30 38 38 38 38 0d 0d 0a 43 4f 4e 4e 45 43 0508888...CONNEC
94b13a90: 54 20 31 31 35 32 30 30 2f 56 2e 33 34 20 20 39 T 115200/V.34  9
94b13aa0: 36 30 30 2f 56 34 32 62 0d 00 00 00 00 00 00 00 600/V42b........
CHAPTER 6
Bandwidth Management Commands
Use these commands to configure bandwidth management (BWM) settings on the ZyWALL.

6.1 Command Summary

The following table describes the values required for many commands. Other values are discussed with the corresponding commands.
Table 19 Bm Class Command Input Values
LABEL | DESCRIPTION
<interface> | This is an interface name including lan, wan/wan1, dmz, wan2, wlan.
name <class-name> | This is a class name. Enter a descriptive name of up to 20 alphanumeric characters, including spaces.
class-number | This is a class number. Each class for each interface has a unique number. The number format is "xx.xx.xx.xx...xx" and the range of xx is from 01 to 98. Each ".xx" is a subclass, and the length of "xx.xx.xx.xx..." is the depth of this class. Different models support different class depths.
The following section lists the commands for this feature.
Table 20 Bm Interface Commands
COMMAND | DESCRIPTION | M
bm interface <interface> <enable|disable> [bandwidth <bps>] [prr|wrr] [efficient] | Enables or disables BWM for traffic going out of the specified interface. bps: The unit is bps and its minimum is 2000. You can alternatively type “K” or “k” to specify kbps while “M” or “m” specifies Mbps. If you do not specify the bandwidth, the default value is 100 Mbps. prr|wrr: Sets the queuing mechanism to priority-based (PRR) or fairness-based (WRR). efficient: Turns on the Maximum Bandwidth Usage option. | R+B
bm class <interface> <add|del|mod> <class-number> [bandwidth <bps>] [name <class_name>] [priority <x>] [borrow <on|off>] | Adds, deletes, or modifies a class for the specified interface with the specified bandwidth. You can also configure other options including name, priority, or bandwidth borrowing. add|del|mod: Adds, deletes, or modifies the class. When you delete a class, it also deletes its sub-classes. bandwidth <bps>: Use this when you add or modify a class. The unit is bps and its minimum is 2000. You can alternatively type “K” or “k” to specify kbps while “M” or “m” specifies Mbps. name <class_name>: The name is for your information. priority <x>: Sets the class priority ranging from 0 (the lowest) to 7 (the highest). borrow <on|off>: The class can borrow bandwidth from its parent class when borrow is set on, and vice versa. | R+B
bm monitor <interface> [class-number] | Displays the bandwidth usage of the specified interface or its class. The first time you use the command turns it on; the second time turns it off, and so on. | R+B
bm filter <interface> add <class-number> [service <type>] <single|range|subnet> <dst-start-ip> [dst-end-ip] <dport> <dportend> <single|range|subnet> <src-start-ip> [src-end-ip] <sport> <sportend> <protocol> | Adds a filter for the specified class. The filter contains destination address (netmask), destination port, source address (netmask), source port and protocol. Use 0 to not include items in the filter. service <type>: This is the service type, including ftp, sip, or h323 in lower case. The settings for the filter rule's destination address are: single|range|subnet, dst-start-ip, dst-end-ip, dport, dportend. The settings for the filter rule's source address are: single|range|subnet, src-start-ip, src-end-ip, sport, sportend. dst-end-ip, src-end-ip: When you configure a single address, you do not need to specify these options. When you configure a range address, these are the network ending IP address. When you configure a subnet, these are the subnet mask, e.g. 255.255.255.0. | R+B
bm filter <interface> del <class-number> | Deletes a filter for the specified class. | R+B
bm show <interface|class|filter|statistics> <interface> | Displays interface setting, class, filter setting, or statistics for the specified interface. | R+B
bm moveFilter <interface> <from> <to> | Changes the BWM filter order. from, to: A filter index number. | R+B
bm config [load|save|clear] | Loads, saves, or clears the BWM configuration from/to the non-volatile memory. | R+B
bm vpnTraffic <on|off> | Sets the BWM classifier to use the outer IP header of encrypted VPN traffic (when set on) or the IP header of unencrypted VPN traffic (when set off). | R+B
bm packetBased <on|off> | Sets the BWM classifier operation to be session based or packet based. By default, it is session based. | R+B
6.2 Managing the Bandwidth of VPN Traffic

Syntax:

bm vpnTraffic [on|off]
By default the ZyWALL uses the outer source and destination IP addresses of encrypted VPN packets in managing the bandwidth of the VPN traffic (when using "on" with this command). These are the IP addresses of the ZyWALL and the remote IPSec router. The following figure shows an example of this. The ZyWALL uses the IP addresses of the ZyWALL (X in the figure) and the remote IPSec router (Y) to manage the bandwidth of the VPN traffic.
Figure 1 Managing the Bandwidth of an IPSec tunnel
Use on with this command to be able to create a single bandwidth management group that includes all of the phase 2 IPSec SAs that are connecting through the same remote IPSec router. With this setting the bandwidth management applies to ESP or AH packets so you can only specify IP addresses in the BWM filter settings.
Figure 2 Managing the Bandwidth of VPN traffic between hosts
How you configure this command affects how you can implement bandwidth management as follows.
• Leave this command set to off to be able to create bandwidth management groups for individual unencrypted VPN traffic flows that connect through the same remote IPSec router. With this setting you can also specify the type of traffic, either using the service list (like SIP or FTP) or by specifying port numbers in the BWM filter settings.
• Use off with this command to have the ZyWALL use the source and destination IP addresses of unencrypted VPN packets in managing the bandwidth of the VPN traffic. This means that it looks at the IP address of the computer that sent the packets and the IP address of the computer to which it is sending the packets. The following figure shows an example of this. The ZyWALL uses the IP addresses of computers A and B to manage the bandwidth of the VPN traffic.

6.3 Command Examples

This example displays the LAN interface’s BWM settings and then configures the LAN interface using bandwidth 10,000 bps and the priority-based queuing method.
ras> bm show interface lan
===============================================================================
Interface : LAN [ Enabled ]
bandwidth = 100M (bps) allocated bandwidth = 0 (bps) MTU = 1500 (byte)
===============================================================================
ras> bm interface iface lan enable bandwidth 10000 prr
This example adds one LAN class using the following settings.
• Class number: 1
• Bandwidth: 5,000,000 bps
• Class Name: LAN-class1
ras> bm config load
ras> bm class lan add 1 bandwidth 5M name LAN-class1
ras> bm config save
This example modifies one existing LAN class using the following settings and then displays the result.
• Class number: 1
• Bandwidth: 50,000,000 bps
• Priority: 2
• Enable the Borrowing option: Yes
ras> bm config load
ras> bm class lan mod 1 bandwidth 50M
ras> bm config save
ras> bm show class lan
===============================================================================
Class: 0 Name: Root Class
depth: 0 priority: 0 filter setting: No queue: 0/30
borrow class: No parent class: No
total bandwidth: 100M (bps) allocated bandwidth: 50M (bps)
===============================================================================
Class: 1 Name: LAN-class1
depth: 1 priority: 2 filter setting: No queue: 0/30
borrow class: 1 parent class: 0 (Root Class)
total bandwidth: 50M (bps) allocated bandwidth: 0 (bps)
===============================================================================
Class: 99 Name: Default Class
depth: 1 priority: 0 filter setting: Yes queue: 0/30
borrow class: 0 parent class: 0 (Root Class)
total bandwidth: 50M (bps) allocated bandwidth: 0 (bps)
===============================================================================
This example adds one LAN subclass using the following settings and then displays the result.
• Class number: 1.5 (subclass 5 under class 1)
• Bandwidth: 600,000 bps
• Class Name: LAN-FTP
• Priority: 3
• Enable the Borrowing option: No
ras> bm config load
ras> bm class lan add 1.5 bandwidth 600k name LAN-FTP priority 3 borrow off
ras> bm config save
ras> bm show class lan
===============================================================================
Class: 0 Name: Root Class
depth: 0 priority: 0 filter setting: No queue: 0/30
borrow class: No parent class: No
total bandwidth: 100M (bps) allocated bandwidth: 50M (bps)
===============================================================================
Class: 1 Name: LAN-class1
depth: 1 priority: 2 filter setting: No queue: 0/30
borrow class: 1 parent class: 0 (Root Class)
total bandwidth: 50M (bps) allocated bandwidth: 600K (bps)
===============================================================================
Class: 1.5 Name: LAN-FTP
depth: 2 priority: 3 filter setting: No queue: 0/30
borrow class: No parent class: 1 (LAN-class1)
total bandwidth: 600K (bps) allocated bandwidth: 0 (bps)
===============================================================================
Class: 99 Name: Default Class
depth: 1 priority: 0 filter setting: Yes queue: 0/30
borrow class: 0 parent class: 0 (Root Class)
total bandwidth: 50M (bps) allocated bandwidth: 0 (bps)
===============================================================================
This example modifies one existing LAN subclass using the following settings.
• Class number: 1.5
• Bandwidth: 800,000 bps
• Enable the Borrowing option: Yes
ras> bm config load
ras> bm class lan mod 1.5 bandwidth 800k borrow on
ras> bm config save
ras>
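The sequence of bm class add and mod commands in the examples above is easy to get wrong once classes nest: each class number carries a depth and a parent, and bm show class reports an allocated bandwidth per class plus a Default Class (99) that takes whatever the root has not handed out. The Python below is an added example, not ZyXEL code, that models that bookkeeping: bandwidth units (K/M, 2000 bps minimum), class numbers of the form xx.xx with each xx in 01..98, the per-class allocated figure, and the Default Class share. Where the guide is silent it assumes that a class whose bandwidth would exceed its parent's unallocated share is rejected; the BwmInterface and BwmClass names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MIN_BPS = 2000  # smallest bandwidth the bm commands accept
_BPS_RE = re.compile(r"^(\d+)([kKmM]?)$")

def parse_bps(spec: str) -> int:
    """'10000' -> 10000, '600k' -> 600000, '5M' -> 5000000 (K/k = kbps, M/m = Mbps)."""
    m = _BPS_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad bandwidth value: {spec!r}")
    bps = int(m.group(1)) * {"": 1, "k": 1_000, "m": 1_000_000}[m.group(2).lower()]
    if bps < MIN_BPS:
        raise ValueError(f"{bps} bps is below the {MIN_BPS} bps minimum")
    return bps

def parse_class_number(text: str) -> Tuple[int, ...]:
    """'1.5' -> (1, 5). Each xx is 01..98; 0 (root) and 99 (default) are reserved."""
    nums = []
    for part in text.split("."):
        if not (part.isdigit() and 1 <= len(part) <= 2 and 1 <= int(part) <= 98):
            raise ValueError(f"bad class number: {text!r}")
        nums.append(int(part))
    return tuple(nums)

@dataclass
class BwmClass:
    number: Tuple[int, ...]        # () is the root class, printed as class 0
    name: str
    bandwidth: int                 # total bandwidth in bps
    priority: int = 0              # 0 (lowest) .. 7 (highest)
    borrow: bool = False
    children: Dict[int, "BwmClass"] = field(default_factory=dict)

    @property
    def depth(self) -> int:        # 'depth' column of 'bm show class'
        return len(self.number)

    @property
    def allocated(self) -> int:    # 'allocated bandwidth' column: sum of the sub-classes
        return sum(c.bandwidth for c in self.children.values())

class BwmInterface:
    """Class tree of one interface, driven like 'bm class <iface> add|mod'."""

    def __init__(self, iface: str, bandwidth: int = 100_000_000) -> None:
        self.iface = iface          # 100 Mbps is the bm interface default bandwidth
        self.root = BwmClass((), "Root Class", bandwidth)

    def _node(self, number: Tuple[int, ...]) -> Optional[BwmClass]:
        node: Optional[BwmClass] = self.root
        for n in number:
            node = node.children.get(n) if node else None
        return node

    def find(self, num: str) -> Optional[BwmClass]:
        return self._node(parse_class_number(num))

    def _check_fit(self, parent: BwmClass, node: Optional[BwmClass], bps: int) -> None:
        # Assumption: the guide is silent on over-allocation, so this model rejects it.
        used = parent.allocated - (node.bandwidth if node else 0)
        if used + bps > parent.bandwidth:
            raise ValueError(f"{bps} bps does not fit in the parent's unallocated share")
        if node and bps < node.allocated:
            raise ValueError(f"class already allocates {node.allocated} bps to sub-classes")

    def add(self, num: str, bandwidth: str, name: str,
            priority: int = 0, borrow: bool = False) -> BwmClass:
        number = parse_class_number(num)
        parent = self._node(number[:-1])
        if parent is None:
            raise ValueError(f"parent of class {num} does not exist")
        if number[-1] in parent.children:
            raise ValueError(f"class {num} already exists")
        if not 0 <= priority <= 7:
            raise ValueError("priority must be 0..7")
        bps = parse_bps(bandwidth)
        self._check_fit(parent, None, bps)
        parent.children[number[-1]] = BwmClass(number, name, bps, priority, borrow)
        return parent.children[number[-1]]

    def mod(self, num: str, bandwidth: Optional[str] = None,
            borrow: Optional[bool] = None) -> BwmClass:
        number = parse_class_number(num)
        node = self._node(number)
        if node is None:
            raise ValueError(f"class {num} does not exist")
        if bandwidth is not None:
            bps = parse_bps(bandwidth)
            self._check_fit(self._node(number[:-1]), node, bps)
            node.bandwidth = bps
        if borrow is not None:
            node.borrow = borrow
        return node

    def default_bandwidth(self) -> int:
        """Class 99 (Default Class) gets whatever the root has not allocated."""
        return self.root.bandwidth - self.root.allocated
```

Replaying the four commands from the examples above (add 1 at 5M, mod 1 to 50M, add 1.5 at 600k, mod 1.5 to 800k) gives root allocated 50M, class 1 allocated 800K and a Default Class share of 50M, matching the bm show class listings.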
This example adds a filter on the LAN subclass using the following settings.
• Class number: 1.5
• Destination address: Single, 10.1.1.20, FTP ports from 20 to 21.
• Source address: Subnet, 192.168.1.0/24, any port.
• Protocol: any protocol.
ras> bm config load
ras> bm filter lan add 1.5 single 10.1.1.20 20 21 subnet 192.168.1.0 255.255.255.0 0 0 0
Filter setting is done.
ras> bm config save
ras> bm show filter lan
===============================================================================
Class 1.5 Name: LAN-FTP
Protocol: 0
Destination type: SINGLE Destination address: 10.1.1.20/10.1.1.20 Destination port: 20~21
Source type: SUBNET Source address: 192.168.1.0/255.255.255.0 Source port: 0~0
===============================================================================
Class 99 Name: Default Class
Protocol: 0
Destination type: SINGLE Destination address: 0.0.0.0/0.0.0.0 Destination port: 0~0
Source type: SINGLE Source address: 0.0.0.0/0.0.0.0 Source port: 0~0
===============================================================================
ras>
This example monitors the runtime situation for all WAN classes. Each interface has one root class (0) and one default class (99). In this example, you can see only one user-defined class (1). The root class (0) displays the total traffic amount for the WAN interface. The current bandwidth usage matching the class 1 rule is 500Kb. Traffic that does not match any user-defined class rule is counted in the default class (99).
ras> bm monitor wan
WAN - 0: 500Kb 1: 500Kb 99: 0b
WAN - 0: 500Kb 1: 500Kb 99: 0b
WAN - 0: 500Kb 1: 500Kb 99: 0b
WAN - 0: 900Kb 1: 500Kb 99: 400b
WAN - 0: 900Kb 1: 500Kb 99: 400b
CHAPTER 7

Bridge Commands

Use these commands to configure bridge settings on the ZyWALL.

7.1 Command Summary

The following table describes the values required for many bridge commands. Other values are discussed with the corresponding commands.
Table 21 Bridge Command Input Values
LABEL | DESCRIPTION
interface | This identifies an interface. 1: WAN1, 2: WAN2, 3: LAN, 4: Wireless card, 5: DMZ, 6: WLAN (ports in WLAN port role).
The following section lists the bridge commands.
Table 22 Bridge Commands
COMMAND  DESCRIPTION  M
bridge block <ipx|poe|ip|arp|bpdu|unknow> <on|off>
    Blocks IPX, PoE, IP, ARP, BPDU, and/or unknown Ethernet frames from passing through in bridge mode.  B
bridge cnt clear
    Resets the bridging statistics counter.  R+B
bridge cnt disp
    Displays the bridging statistics table.  R+B
bridge iface active <yes|no>
    Sets the ZyWALL to bridge mode or router mode.  R+B
bridge iface address [ip-address]
    Sets the bridge mode management IP address.  B
bridge iface display
    Displays the bridge mode interface settings.  B
bridge iface dns1 [ip-address]
    Sets the bridge mode first system DNS server IP address.  B
bridge iface dns2 [ip-address]
    Sets the bridge mode second system DNS server IP address.  B
bridge iface dns3 [ip-address]
    Sets the bridge mode third system DNS server IP address.  B
bridge iface gateway [gateway-ip]
    Sets the bridge mode default gateway.  B
bridge iface mask [mask]
    Sets the bridge mode network mask.  B
bridge rstp bridge disable
    Turns off RSTP.  B
Table 22 Bridge Commands (continued)
COMMAND  DESCRIPTION  M
bridge rstp bridge enable
    Turns on RSTP (Rapid Spanning Tree Protocol).  B
bridge rstp bridge forwardDelay [forwarding-delay]
    Sets the RSTP forwarding delay (4~30). This is the number of seconds a bridge remains in the listening and learning port states. The default is 15 seconds.  B
bridge rstp bridge helloTime [hello-time]
    Sets the RSTP hello time (1~10) in seconds the root bridge waits before sending a hello packet.  B
bridge rstp bridge maxAge [max-age]
    Sets the RSTP max age (6~40). This is how many seconds a bridge waits to get a Hello BPDU from the root bridge.  B
bridge rstp bridge priority [priority]
    Sets the ZyWALL’s RSTP bridge priority (0~61440). The lower the number, the higher the priority. Bridge priority determines the root bridge, which in turn determines Hello Time, Max Age and Forward Delay.  B
bridge rstp bridge version <STP:0|RSTP:2>
    Sets the ZyWALL to use STP or RSTP.  B
bridge rstp disp
    Displays RSTP information.  B
bridge rstp port disable <interface>
    Turns off RSTP on the specified port.  B
bridge rstp port edgePort <interface> <True:1|False:0>
    Sets the specified port to be an edge or non-edge port.  B
bridge rstp port enable <interface>
    Turns on RSTP on the specified port.  B
bridge rstp port mcheck <interface>
    Sets migrate check on this port.  B
bridge rstp port p2pLink <interface> <Auto:2|True:1|False:0>
    Sets a point to point link on the specified port.  B
bridge rstp port pathCost <interface> [path-cost]
    Sets the RSTP path cost on the specified port.  B
bridge rstp port priority <interface> [priority]
    Sets the RSTP priority on the specified port.  B
bridge rstp state
    Displays general RSTP status information.  B
bridge rstp trace
    Turns on RSTP debug/trace messages.  B
bridge stat clear
    Resets the bridging packet statistics counter.  R+B
bridge stat disp
    Displays the bridging packet statistics table.  R+B

7.2 Command Examples

This example enables RSTP on the ZyWALL, enables RSTP on the WAN, and displays the RSTP settings.
ras> bridge rstp bridge enable
ras> bridge rstp port enable 3
ras> bridge rstp disp
Bridge Info:
(a)BridgeID: 8000-0000aa100586
(b)TimeSinceTopoChange: 745
(c)TopoChangeCount: 0
(d)TopoChange: 0
(e)DesignatedRoot: 8000-0000aa100586
(f)RootPathCost: 0
(g)RootPort: 0x0000
(h)MaxAge: 20 (seconds)
(i)HelloTime: 2 (seconds)
(j)ForwardDelay: 15 (seconds)
(k)BridgeMaxAge: 20 (seconds)
(l)BridgeHelloTime: 2 (seconds)
(m)BridgeForwardDelay: 15 (seconds)
(n)TransmissionLimit: 3
(o)ForceVersion: 2
Port [03] Info:
(a)Uptime: 746 (seconds)
(b)State: FORWARDING
(c)PortID: 0x8003
(d)PathCost: 250
(e)DesignatedRoot: 8000-0000aa100586
(f)DesignatedCost: 0
(g)DesignatedBridge: 8000-0000aa100586
(h)DesignatedPort: 0x8003
(i)TopoChangeAck: False
(j)adminEdgePort: True
(k)operEdgePort: True
(m)MAC_Operational: True
(n)adminPointToPointMAC:
(o)operPointToPointMAC: True
rx_cfg_bpdu[ 0] rx_tcn_bpdu[ 0] rx_rstp_bpdu[ 0]
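The following parser is an added example, not code from the ZyXEL guide or from ZyNOS. It reads the Bridge Info block printed by bridge rstp disp (re-typed below as a constructed sample), splits the BridgeID into the priority field and the MAC address, tells you whether this ZyWALL is the root bridge, and checks the three timers against the ranges given in Table 22 and against the timer relationship from IEEE 802.1D (MaxAge at least 2 x (HelloTime + 1) and at most 2 x (ForwardDelay - 1)). The function names are this example's own.

```python
"""Parse `bridge rstp disp` output and summarise the root-bridge situation.

Added example, not ZyNOS code. SAMPLE_RSTP_DISP is the Bridge Info block from
this section, re-typed as a constructed string; all helper names are assumptions.
"""
import re

SAMPLE_RSTP_DISP = """\
Bridge Info:
(a)BridgeID: 8000-0000aa100586
(b)TimeSinceTopoChange: 745
(c)TopoChangeCount: 0
(d)TopoChange: 0
(e)DesignatedRoot: 8000-0000aa100586
(f)RootPathCost: 0
(g)RootPort: 0x0000
(h)MaxAge: 20 (seconds)
(i)HelloTime: 2 (seconds)
(j)ForwardDelay: 15 (seconds)
(o)ForceVersion: 2
"""

# "(a)BridgeID: 8000-0000aa100586" -> ("BridgeID", "8000-0000aa100586")
FIELD_RE = re.compile(r"^\([a-z]\)(\w+):\s*(\S+)")

# Ranges accepted by the bridge rstp bridge ... commands in Table 22.
TIMER_RANGES = {"ForwardDelay": (4, 30), "HelloTime": (1, 10), "MaxAge": (6, 40)}


def parse_rstp_disp(text):
    """Return the key/value fields of the Bridge Info block as a dict of strings."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def split_bridge_id(bridge_id):
    """Split 'pppp-mmmmmmmmmmmm' into (priority, mac). The ZyWALL prints the
    16-bit priority field in hex, a dash, then the 48-bit MAC address."""
    prio_hex, mac_hex = bridge_id.split("-")
    mac = ":".join(mac_hex[i:i + 2] for i in range(0, 12, 2))
    return int(prio_hex, 16), mac


def check_timers(fields):
    """Return a list of problems with the RSTP timers (empty if consistent)."""
    t = {k: int(fields[k]) for k in TIMER_RANGES}
    problems = [f"{k}={v} outside {lo}~{hi}"
                for k, v in t.items() for lo, hi in [TIMER_RANGES[k]] if not lo <= v <= hi]
    # 802.1D relationship between the three timers (lower-case values are the
    # ones the root bridge is currently advertising).
    if not 2 * (t["HelloTime"] + 1) <= t["MaxAge"] <= 2 * (t["ForwardDelay"] - 1):
        problems.append("MaxAge is not between 2*(HelloTime+1) and 2*(ForwardDelay-1)")
    return problems


def root_status(text):
    """Summarise who the root bridge is and whether this bridge is it."""
    fields = parse_rstp_disp(text)
    own_prio, own_mac = split_bridge_id(fields["BridgeID"])
    root_prio, root_mac = split_bridge_id(fields["DesignatedRoot"])
    return {
        "own_priority": own_prio,
        "own_mac": own_mac,
        "root_priority": root_prio,
        "root_mac": root_mac,
        # The bridge is the root when it designates itself and has no cost to the root.
        "is_root": fields["BridgeID"] == fields["DesignatedRoot"] and fields["RootPathCost"] == "0",
        "timer_problems": check_timers(fields),
    }


if __name__ == "__main__":
    for key, value in root_status(SAMPLE_RSTP_DISP).items():
        print(f"{key}: {value}")
```

root_status is the thing to run periodically on a bridge-mode ZyWALL: a change of root_mac to an address you do not own, or a sudden drop in root_priority, means another device has won the root election and is now shaping the topology.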
CHAPTER 8

Certificates Commands

Use these commands to configure certificates.

8.1 Command Summary

The following table describes the values required for many certificates commands. Other values are discussed with the corresponding commands.
Table 23 Certificates Commands Input Values
LABEL  DESCRIPTION
auth-key
    Specifies the certificate’s key for user authentication. If the key contains spaces, put it in quotes. To leave it blank, type "".
ca-address
    The IP address or domain name of the CA (Certification Authority) server.
ca-cert
    The name of the CA certificate.
ip-address[:port]
    Specifies the server address (required) and port (optional). The format is "server-address[:port]". The default port is 389.
key-length
    The length of the key to use in creating a certificate or certificate request. Valid options are 512, 768, 1024, 1536 and 2048 bits.
login:pswd
    The login name and password for the directory server, if required. The format is "login:password".
name
    The identifying name of a certificate or certification request. Use up to 31 characters to identify a certificate. You may use any character (not including spaces).
proxyurl
    The address and port of an optional HTTP proxy to use.
server-name
    A descriptive name for a directory server. Use up to 31 ASCII characters (spaces are not permitted).
subject
    A certificate’s subject name and alternative name. Both are required. The format is "subject-name-dn;{ip,dns,email}=value".
    Example 1: "CN=ZyWALL,OU=CPE SW2,O=ZyXEL,C=TW;ip=172.21.177.79"
    Example 2: "CN=ZyWALL,O=ZyXEL,C=TW;dns=www.zyxel.com"
    Example 3: "CN=ZyWALL,O=ZyXEL,C=TW;email=dummy@zyxel.com.tw"
    If the name contains spaces, put it in quotes.
timeout
    The verification timeout value in seconds (optional). The default timeout value is 20 seconds.
url
    The location of a certificate to be imported.
The following section lists the certificates commands.
Table 24 Certificates Commands
COMMAND  DESCRIPTION  M
certificates ca_trusted crl_issuer <name> [on|off]
    Specifies whether or not the specified CA issues a CRL.
    on|off: specifies whether or not the CA issues CRL. If [on|off] is not specified, the current CRL issuer status of the CA displays.  R+B
certificates ca_trusted delete <name>
    Removes the specified trusted CA certificate.  R+B
certificates ca_trusted export <name>
    Exports the specified PEM-encoded certificate to your CLI session’s window for you to copy and paste.  R+B
certificates ca_trusted http_import <url> <name> [proxyurl]
    Imports the specified certificate file from the specified remote web server as a trusted CA. The certificate file must be in one of the following formats: 1) Binary X.509, 2) PEM-encoded X.509, 3) Binary PKCS#7, and 4) PEM-encoded PKCS#7.  R+B
certificates ca_trusted import <name>
    Imports the specified PEM-encoded CA certificate from your CLI session. After you enter the command, copy and paste the PEM-encoded certificate into your CLI session window. With some terminal emulation software you may need to move your mouse around to get the transfer going.  R+B
certificates ca_trusted list
    Displays all trusted CA certificate names and their basic information.  R+B
certificates ca_trusted rename <old-name> <new-name>
    Renames the specified trusted CA certificate.  R+B
certificates ca_trusted verify <name> [timeout]
    Has the ZyWALL verify the certification path of the specified trusted CA certificate.  R+B
certificates ca_trusted view <name>
    Displays details about the specified trusted CA certificate.  R+B
certificates cert_manager reinit
    Re-initializes the certificate manager.  R+B
certificates dir_service add <server-name> <ip-address[:port]> [login:pswd]
    Adds a new directory server entry.  R+B
certificates dir_service delete <server-name>
    Removes the specified directory server entry.  R+B
certificates dir_service edit <server-name> <ip-address[:port]> [login:pswd]
    Edits the specified directory server entry.  R+B
certificates dir_service list
    Displays all directory server entry names and their basic information.  R+B
certificates dir_service rename <old-server-name> <new-server-name>
    Renames the specified directory server entry.  R+B
certificates dir_service view <server-name>
    Displays details about the specified directory server entry.  R+B
certificates my_cert create scep_enroll <name> <ca-address> <ca-cert> <ra-sign> <ra-encr> <auth-key> <subject> [key-length]
    Creates a certificate request and enrolls for a certificate immediately online using SCEP protocol.
    ra-sign: specifies the name of the RA (Registration Authority) signing certificate. If it is not required, type "" to leave it blank.
    ra-encr: specifies the name of the RA encryption certificate. If it is not required, type "" to leave it blank.  R+B
Table 24 Certificates Commands (continued)
COMMAND  DESCRIPTION  M
certificates my_cert create cmp_enroll <name> <ca-address> <ca-cert> <auth-key> <subject> [key-length]
    Creates a certificate request and enrolls for a certificate immediately online using CMP protocol.  R+B
certificates my_cert create request <name> <subject> [key-length]
    Creates a certificate request and saves it on the ZyWALL for later manual enrollment.  R+B
certificates my_cert create self_signed <name> <subject> <key-length> [validity-period]
    Creates a self-signed local host certificate.
    key-length: specifies the key size. Valid options are 0, 512, 768, 1024, 1536 and 2048 bits. 0 applies the default value of 1024.
    validity-period: specifies the validity period in years. Valid range is 1~30. The default is 3.  R+B
certificates my_cert def_selfsigned [name]
    Sets the specified self-signed certificate as the default self-signed certificate. If you do not specify a name, the name of the current self-signed certificate displays.  R+B
certificates my_cert delete <name>
    Removes the specified local host certificate.  R+B
certificates my_cert export <name>
    Exports the PEM-encoded certificate to your CLI session window for you to copy and paste.  R+B
certificates my_cert http_import <url> <name> [proxy-url]
    Imports the specified certificate file from the specified remote web server as the device’s own certificate. The certificate file must be in one of the following formats: 1) Binary X.509, 2) PEM-encoded X.509, 3) Binary PKCS#7, and 4) PEM-encoded PKCS#7.
    A certification request corresponding to the imported certificate must already exist. The certification request is automatically deleted after the importation.  R+B
certificates my_cert import [name]
    Imports the PEM-encoded certificate from your CLI session. A corresponding certification request must already exist on the ZyWALL. The certification request is automatically deleted after the importation. The name is optional; if you do not specify one, the certificate adopts the name of the certification request. After you enter the command, copy and paste the PEM-encoded certificate into your CLI session window. With some terminal emulation software you may need to move your mouse around to get the transfer going.  R+B
certificates my_cert list
    Displays all my certificate names and basic information.  R+B
certificates my_cert poll_req <name>
    Queries an SCEP server about a certification request that is pending in an SCEP server's queue.  R+B
certificates my_cert rename <old-name> <new-name>
    Renames the specified my certificate.  R+B
certificates my_cert replace_factory
    Creates a certificate using your device MAC address that is specific to this device. The factory default certificate is a common default certificate for all ZyWALL models.  R+B
certificates my_cert verify <name> [timeout]
    Has the ZyWALL verify the certification path of the specified local host certificate.  R+B
certificates my_cert view <name>
    Displays information about the specified local host certificate.  R+B
certificates remote_trusted delete <name>
    Removes the specified trusted remote host certificate.  R+B
Table 24 Certificates Commands (continued)
COMMAND  DESCRIPTION  M
certificates remote_trusted export <name>
    Exports the PEM-encoded certificate to your CLI session’s window for you to copy and paste.  R+B
certificates remote_trusted http_import <url> <name> [proxy-url]
    Imports the specified certificate file from the specified remote web server as the device’s trusted remote host. The certificate file must be in one of the following formats: 1) Binary X.509, 2) PEM-encoded X.509, 3) Binary PKCS#7, and 4) PEM-encoded PKCS#7.
    proxy-url: Specifies the location of the certificate to be imported.  R+B
certificates remote_trusted import <name>
    Imports the specified PEM-encoded remote host certificate from your CLI session. After you enter the command, copy and paste the PEM-encoded certificate into your CLI session window. With some terminal emulation software you may need to move your mouse around to get the transfer going.  R+B
certificates remote_trusted list
    Displays all trusted remote host certificate names and their basic information.  R+B
certificates remote_trusted rename <old-name> <new-name>
    Renames the specified trusted remote host certificate.  R+B
certificates remote_trusted verify <name> [timeout]
    Has the ZyWALL verify the certification path of the specified trusted remote host certificate.  R+B
certificates remote_trusted view <name>
    Displays information about the specified trusted remote host certificate.  R+B

8.2 Command Examples

This example creates and displays a self-signed certificate named “test” with a subject common name of “cert-test”, organization of “my-company”, country of “TW”, and alternative name IP 172.16.2.2. It uses a 512 bit key and is valid for 5 years.
ras> certificates my_cert create self_signed test "CN=cert-test,O=my-company,C=TW;ip=172.16.2.2" 512 5
The self-signed certificate has been successfully generated.
ras> certificates my_cert list
PKI Storage Space in Use: 2%
[ Certificate Name ]             Type  [ Subject Name ]   [ Issuer Name ]   From [To]
auto_generated_self_signed_cert  *SELF CN=ZyWALL 70 ...   CN=ZyWALL 70...   2000 2030
test                             SELF  CN=cert-test,...   CN=cert-test...   2007 2012
--------------------------------------------------------------------------------
Total number of certificates: 2
Legends: NYV - Not Yet Valid, EXPD - Expired, EXPG - Expiring, CERT - Certificate, REQ - Certification Request, SELF - Self-signed Certificate, *SELF - Default Self-signed Certificate
This example displays the certificate that the ZyWALL is using as the default self-signed certificate. Then it has the ZyWALL use the self-signed certificate named “test” as the default self-signed certificate.
ras> certificates my_cert def_self_signed
The default self-signed certificate: auto_generated_self_signed_cert
ras> certificates my_cert def_self_signed test
Would you like to make "test" as the default self-signed certificate? (y/n):y
ras> certificates my_cert def_self_signed
The default self-signed certificate: test
This example exports the self-signed certificate named “test”. After the certificate displays on the screen, copy and paste it into a text editor (like Notepad) and save it as a .crt or .cer file.
ras> certificates my_cert export test
-----BEGIN CERTIFICATE-----
MIIBlzCCAUGgAwIBAgIEOlptnzANBgkqhkiG9w0BAQUFADA2MQswCQYDVQQGEwJU
VzETMBEGA1UEChMKbXktY29tcGFueTESMBAGA1UEAxMJY2VydC10ZXN0MB4XDTAx
MDEwODAxNDcxMVoXDTA2MDEwOTAxNDcxMVowNjELMAkGA1UEBhMCVFcxEzARBgNV
BAoTCm15LWNvbXBhbnkxEjAQBgNVBAMTCWNlcnQtdGVzdDBcMA0GCSqGSIb3DQEB
AQUAA0sAMEgCQQDmnKh6ZZ5xaPukE4+djC6bu0Uyjf5aQ/QysD+Udv8xF0L/DpT1
c3xnu8hkp/RCFS3/fK6ALiLsoMCOUmqg5bdDAgMBAAGjNzA1MA4GA1UdDwEBAAQE
AwICpDAPBgNVHREECDAGhwSsFyXLMBIGA1UdEwEBAAQIMAYBAf8CAQEwDQYJKoZI
hvcNAQEFBQADQQC9hq27VCDTu6L2JsDgU8jXwYghDDKXzPR5PZ4/oryX5PFILrtr
rNLh2eTCExnyyEggaRhJ0B63Ucam7hG4k5xW
-----END CERTIFICATE-----
This example imports a VeriSign certificate as a trusted CA. The CA certificate has to be PEM-encoded. Refer to Section 8.2.1 on page 59 for how to save a certificate in PEM-encoded format.
ras> certificates ca_trusted import VeriSign
Please paste the PEM-encoded certificate onto the screen.
Press Ctrl+D when finished or Ctrl+C to cancel.
Note: 9600 bps console port speed guarantees minimum transmission error rate.
rTJXwT4OPjr0l91X817/OWOgHz8UA==ZHuO3ABc
-----END CERTIFICATE-----
8.2.1 Saving Certificates as PEM-encoded Format
Do the following to save a certificate in PEM-encoded format.
1 In Windows Explorer, locate and double-click the (non PEM-encoded) certificate file.
2 Click Details and Copy to File.
3 Click Next in the welcome screen. Select Base-64 encoded X.509 (.CER).
4 Type a file name (or browse for one).
5 Click Finish.
6 Open the newly created file in a text editor (like Notepad) to be able to copy and paste the certificate into your CLI session.
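The conversion the Windows wizard performs in steps 3 and 4 (binary DER to Base-64 encoded X.509) and the sanity checks worth making before pasting a certificate into `certificates ca_trusted import` are shown here as an added example in Python. This is not code from the ZyXEL guide or from ZyNOS: it uses only the Python standard library, the sample certificate is the one exported by `certificates my_cert export test` above (copied here as a constructed string), and the function names are this example's own. The parser also pulls the UTCTime validity values and the CN attributes straight out of the DER bytes, which is enough to tell whether the blob you are about to paste is the certificate you think it is.

```python
"""Convert between binary (DER) and PEM (Base-64) X.509 encodings and check a
PEM blob before pasting it into the ZyWALL CLI.

Added example, not part of the ZyXEL guide or ZyNOS. SAMPLE_PEM is the
certificate exported in the `certificates my_cert export test` example above.
"""
import base64
import re

SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBlzCCAUGgAwIBAgIEOlptnzANBgkqhkiG9w0BAQUFADA2MQswCQYDVQQGEwJU
VzETMBEGA1UEChMKbXktY29tcGFueTESMBAGA1UEAxMJY2VydC10ZXN0MB4XDTAx
MDEwODAxNDcxMVoXDTA2MDEwOTAxNDcxMVowNjELMAkGA1UEBhMCVFcxEzARBgNV
BAoTCm15LWNvbXBhbnkxEjAQBgNVBAMTCWNlcnQtdGVzdDBcMA0GCSqGSIb3DQEB
AQUAA0sAMEgCQQDmnKh6ZZ5xaPukE4+djC6bu0Uyjf5aQ/QysD+Udv8xF0L/DpT1
c3xnu8hkp/RCFS3/fK6ALiLsoMCOUmqg5bdDAgMBAAGjNzA1MA4GA1UdDwEBAAQE
AwICpDAPBgNVHREECDAGhwSsFyXLMBIGA1UdEwEBAAQIMAYBAf8CAQEwDQYJKoZI
hvcNAQEFBQADQQC9hq27VCDTu6L2JsDgU8jXwYghDDKXzPR5PZ4/oryX5PFILrtr
rNLh2eTCExnyyEggaRhJ0B63Ucam7hG4k5xW
-----END CERTIFICATE-----
"""

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_to_pem(der):
    """Wrap DER bytes as PEM: Base-64 body in 64-character lines between the markers."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def pem_to_der(pem):
    """Strip the markers and decode the Base-64 body; reject anything that is not PEM."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing PEM certificate markers (is the file binary DER?)")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("PEM body contains non-Base-64 characters (paste damage?)")
    return base64.b64decode(body, validate=True)


def der_total_length(der):
    """Declared size of the outer DER SEQUENCE (tag + length field + content)."""
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE, so not an X.509 certificate")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def utc_times(der):
    """UTCTime values (tag 0x17, length 13): notBefore and notAfter in an X.509 cert."""
    return [m.group(1).decode("ascii") for m in re.finditer(rb"\x17\x0d(\d{12}Z)", der)]


def common_names(der):
    """String values that follow the CN attribute OID 2.5.4.3 (issuer first, then subject)."""
    oid_cn = b"\x06\x03\x55\x04\x03"
    names, pos = [], der.find(oid_cn)
    while pos != -1:
        tag, ln = der[pos + 5], der[pos + 6]
        if tag in (0x13, 0x0C) and ln < 0x80:   # PrintableString or UTF8String, short length
            names.append(der[pos + 7:pos + 7 + ln].decode("ascii", "replace"))
        pos = der.find(oid_cn, pos + 5)
    return names


def check_pem(pem):
    """Decode a PEM certificate and return what the DER bytes actually carry."""
    der = pem_to_der(pem)
    if der_total_length(der) != len(der):
        raise ValueError("DER length field does not match the decoded size (truncated paste?)")
    return {"der_bytes": len(der), "utc_times": utc_times(der), "common_names": common_names(der)}


if __name__ == "__main__":
    print(check_pem(SAMPLE_PEM))
    # The reverse direction: bytes read from a .cer saved as "DER encoded binary" become PEM.
    assert der_to_pem(pem_to_der(SAMPLE_PEM)) == SAMPLE_PEM
```

check_pem reports what the DER bytes actually carry (size, validity window, CN values), which is the check worth making before trusting a pasted certificate; a truncated or line-wrapped paste fails either the Base-64 validation or the outer length comparison instead of being imported as garbage.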
CHAPTER 9

CNM Agent Commands

Use these commands to configure CNM agent settings on the ZyWALL.

9.1 Command Summary

The following section lists the commands for this feature.
Table 25 CNM Commands
COMMAND  DESCRIPTION  M
cnm active [0:disable|1:enable]
    Enables or disables the CNM service on the ZyWALL. After it is enabled, the ZyWALL communicates with the CNM server through the ZyWALL’s WAN.  R+B
cnm sgid
    Displays the unique ID received from the CNM server after the ZyWALL registered successfully.  R+B
cnm managerIp
    Displays the CNM server's IP address.  R+B
cnm debug [0:disable|1:enable]
    Controls whether the debugging information is displayed on the console. You must change the baud rate to 115200 bps before enabling the CNM debug mode.  R+B
cnm reset
    Resets the CNM service to the initial status on the ZyWALL. The ZyWALL will register itself to the CNM server again if the service is enabled.  R+B
cnm encry [none|des|3des] [key]
    Displays or sets the encryption mode and key.
    The encryption key is 8 characters when the encryption mode is set to “DES”.
    The encryption key is 24 characters when the encryption mode is set to “3DES”.  R+B
cnm keepalive <10~90>
    Sets how often (in seconds) the ZyWALL sends a keepalive packet to inform the CNM server of its existence.  R+B
cnm version
    Displays the CNM agent version.  R+B
cnm alarmqueue display
    Displays the alert messages waiting to be sent to the CNM server.  R+B
cnm alarmqueue send
    Sends all alert messages in the queue to the CNM server immediately and clears the queue.  R+B

9.2 Command Examples

This example displays the CNM agent version on the ZyWALL.
ras> cnm version
cnm version: 2.0.2(AGZ.1)b1
This example configures the CNM settings and activates the service on the ZyWALL using the following settings.
• CNM server IP address: 10.1.1.252
• Encryption mode: DES
• Encryption key: 12345678
• How often to send a keepalive packet to the CNM server: every 60 seconds
ras> cnm managerIp 10.1.1.252
managerIp 10.1.1.252
ras> cnm encry des 12345678
cnm encry des 12345678
ras> cnm keepalive 60
cnm keepalive 60
ras> cnm active 1
cnm active 1
Last Register Time: 0-0-0 0:0:0
This example displays the CNM debug messages. It's useful for monitoring register or keepalive packets the ZyWALL sends and receives to and from the CNM server.
ras> cnm debug 1
cnm debug 1 <0:Disable 1:Enable>
CNM debug messges can only be printed at 115200 baud rate.
ras>
agentIpAddr: 10.1.1.252
CNM protocol version = 1
sendSgmpRegisterRequest sessionID = [0]
sgmpAgentRx iface_p=b04088 cnt=1
sgmpRxEventProcess opType 1
procAgentRegister
SessionID is modified by Vantage to [0]
received SGMP_T_REGISTER:SGMP_C_RESPONSE Error tUnit=4096
sendSgmpRegisterAck ackCode=9
procAgentRetrieve event SGMP_EVENT_REGISTER_RESP
sendSgmpRetrieveStoreRequest opType=2
sgmpd state SGMP_STATE_REGISTERING
sgmpAgentRx iface_p=b04088 cnt=1
sgmpRxEventProcess opType 2
procAgentRetrieve, agentState = 1
SessionID is modified by Vantage to [0]
received SGMP_T_RETRIEVE:SGMP_C_RESPONSE
sendSgmpRetrieveStoreAck opType=2 ackCode=9
procAgentRetrieve event SGMP_EVENT_RETRIEVE_RESP
sgmpd state SGMP_STATE_RETRIEVE_INIT
event: SGMP_EVENT_RETRIEVE_SUCCESS
sendRetrieveStoreSucc opType=2 opCode=3
sendSgmpRegisterSuccess
sgmpd state SGMP_STATE_ACTIVE
No Alarms Exist!
sgmpAgentRx iface_p=b04088 cnt=1
sgmpRxEventProcess opType 9
SessionID is modified by Vantage to [478043139]
tUint = 4110, Amount_Item = 1, nUnit = 1
procInquireData FORWARD COMPATIBILITY
Device (1b55) unsupport CNM Forward Compatibility!!
Fail to send Forward Comp Information to CNM.
call sendSgmpInquireSuccess
sendSgmpInquireSuccess opType=9 opCode=4 sessionID =[1909254747]
Send SGMP KA Trap IP=10.1.1.252, life=0, interval=90 (secs)
No Alarms Exist!
Send SGMP KA Trap IP=10.1.1.252, life=90, interval=90 (secs)
No Alarms Exist!
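A debug capture like the one above is easier to review programmatically when the console is busy. The following summariser is an added example, not code from the ZyXEL guide or from ZyNOS: it extracts the sgmpd state transitions, the keepalive traps and any Error/Fail lines from a capture, and compares the trap interval the agent reports against the keepalive value you configured. The sample lines are a trimmed copy of the debug output in this section, embedded as a constructed string; the function and parameter names are this example's own.

```python
"""Summarise a `cnm debug 1` console capture: agent state transitions, keepalive
traps, and lines that report a problem.

Added example, not ZyNOS code. SAMPLE_DEBUG is a trimmed copy of the debug
output shown in this section, embedded here as a constructed string.
"""
import re

SAMPLE_DEBUG = """\
agentIpAddr: 10.1.1.252
CNM protocol version = 1
sendSgmpRegisterRequest sessionID = [0]
received SGMP_T_REGISTER:SGMP_C_RESPONSE Error tUnit=4096
sendSgmpRegisterAck ackCode=9
sgmpd state SGMP_STATE_REGISTERING
received SGMP_T_RETRIEVE:SGMP_C_RESPONSE
sgmpd state SGMP_STATE_RETRIEVE_INIT
event: SGMP_EVENT_RETRIEVE_SUCCESS
sendSgmpRegisterSuccess
sgmpd state SGMP_STATE_ACTIVE
No Alarms Exist!
Device (1b55) unsupport CNM Forward Compatibility!!
Fail to send Forward Comp Information to CNM.
Send SGMP KA Trap IP=10.1.1.252, life=0, interval=90 (secs)
No Alarms Exist!
Send SGMP KA Trap IP=10.1.1.252, life=90, interval=90 (secs)
No Alarms Exist!
"""

SERVER_RE = re.compile(r"^agentIpAddr:\s*(\S+)")
STATE_RE = re.compile(r"^sgmpd state (\S+)")
KA_RE = re.compile(r"^Send SGMP KA Trap IP=(\S+), life=(\d+), interval=(\d+)")
PROBLEM_WORDS = ("Error", "Fail", "unsupport")


def summarize_cnm_debug(text, expected_keepalive=None):
    """Return a dict describing what the capture shows about the agent session.

    expected_keepalive: the value given to `cnm keepalive`, if you want the
    reported trap interval checked against it.
    """
    server, states, keepalives, problems = None, [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVER_RE.match(line):
            server = m.group(1)
        elif m := STATE_RE.match(line):
            states.append(m.group(1))
        elif m := KA_RE.match(line):
            keepalives.append((m.group(1), int(m.group(2)), int(m.group(3))))
        elif any(word in line for word in PROBLEM_WORDS):
            problems.append(line)
    summary = {
        "server": server,
        "states": states,
        "reached_active": "SGMP_STATE_ACTIVE" in states,
        "keepalives": keepalives,
        "problems": problems,
        # Traps sent somewhere other than the configured server are worth a look.
        "traps_to_other_hosts": [ka for ka in keepalives if ka[0] != server],
    }
    if expected_keepalive is not None:
        summary["interval_mismatch"] = [ka for ka in keepalives if ka[2] != expected_keepalive]
    return summary


if __name__ == "__main__":
    for key, value in summarize_cnm_debug(SAMPLE_DEBUG, expected_keepalive=60).items():
        print(f"{key}: {value}")
```

Run with expected_keepalive set to the value you configured: a non-empty interval_mismatch list, a states list that never reaches SGMP_STATE_ACTIVE, or traps addressed to a host other than agentIpAddr are the three things to follow up on.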
CHAPTER 10

Configuration Commands

Use these commands to view and edit the ZyWALL’s configuration settings. Many of these commands are also available in the web configurator.

10.1 Command Summary

The following table describes the values required for many config commands. Other values are discussed with the corresponding commands.
Table 26 config Command Input Values
LABEL  DESCRIPTION
day
    Specifies which day. Options are sunday|monday|tuesday|wednesday|thursday|friday|saturday.
entry#
    Specifies which custom service (from 1~100). A custom service allows you to configure a port for specific applications such as P2P applications. The available sub-fields are:
    name <string>
    range <start-port> <end-port>
    ip-protocol <icmp|tcp|udp|tcp/udp|user-defined>
    user-defined-ip <1~255>
    icmp-type <0~255>
    icmp-code <0~255>
mask
    Describes a subnet mask in dotted decimal notation.
non-zero-number
    A non-zero number used to indicate a black or white filter rule is enabled.
rule#
    Specifies which rule in a set. A rule describes an action to be taken when a packet matches the rule description. The number of rules available depends on the product. See Section 10.3.2 on page 81 for a detailed description of the parameters.
rule-action
    Specifies the action to take when a rule applies to a packet. The options are permit|drop|reject.
send-email-policy
    Specifies when to send an e-mail. Options are full|hourly|daily|weekly|none.
set#
    Specifies which set. A set is a named set of rules and actions applying to packets with a specified source and destination interface. Set numbers go from 1~255. See Section 10.3.1 on page 77 for a detailed description of the parameters.
string, e-mail
    < 31 ASCII characters.
timeout
    This is measured in seconds between 0~4294967295 seconds. Editing, deleting or inserting these values has no effect. To configure these timeout values use tos commands, as these are global settings.
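The set, rule and rule-action values above describe a simple data model: a numbered, named set of ordered rules, each rule matching on protocol, source and destination address and destination port, the first matching active rule deciding permit, drop or reject, and the set's default-action applying when nothing matches. The following is an added example of that model in Python, not code from the ZyXEL guide and not the ZyWALL's own implementation; the Rule and FirewallSet classes, the sample set and the sample packets are all constructed for this example.

```python
"""First-match firewall set evaluation with a default action, modelled on the
set#, rule# and rule-action values of Table 26.

Added example, not ZyNOS code: an illustration of the data model behind the
config commands, not how the ZyWALL implements it. All names are this
example's own and the sample set and packets are constructed.
"""
from dataclasses import dataclass, field
import ipaddress

ACTIONS = ("permit", "drop", "reject")          # rule-action / default-action
PROTOCOLS = ("tcp", "udp", "icmp", "tcp/udp", "any")   # ip-protocol values plus "any"


@dataclass
class Rule:
    name: str
    action: str                       # rule-action
    active: bool = True
    protocol: str = "any"
    src: str = "0.0.0.0/0"            # srcaddr-subnet; use a /32 for srcaddr-single
    dst: str = "0.0.0.0/0"            # destaddr-subnet; use a /32 for destaddr-single
    dst_ports: tuple = (0, 65535)     # destport-range; (p, p) for destport-single
    log: bool = False

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"rule-action must be one of {ACTIONS}")
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"ip-protocol must be one of {PROTOCOLS}")

    def matches(self, pkt):
        """pkt: dict with protocol, src, dst and (for tcp/udp) dst_port."""
        if not self.active:
            return False
        if self.protocol != "any" and pkt["protocol"] not in self.protocol.split("/"):
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if pkt["protocol"] in ("tcp", "udp"):
            lo, hi = self.dst_ports
            if not lo <= pkt["dst_port"] <= hi:
                return False
        return True


@dataclass
class FirewallSet:
    number: int                       # set#, 1~255
    name: str
    default_action: str
    rules: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.number <= 255:
            raise ValueError("set# must be 1~255")
        if self.default_action not in ACTIONS:
            raise ValueError(f"default-action must be one of {ACTIONS}")

    def evaluate(self, pkt):
        """Return (action, rule name or None): the first active matching rule
        decides, otherwise the set's default action applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.default_action, None


# Constructed sample set: LAN hosts may reach one FTP server, telnet is rejected
# (and logged), an old permit rule is still present but disabled.
LAN_TO_WAN = FirewallSet(number=2, name="LAN-to-WAN", default_action="drop", rules=[
    Rule("allow-ftp", "permit", protocol="tcp", src="192.168.1.0/24",
         dst="10.1.1.20/32", dst_ports=(20, 21)),
    Rule("block-telnet", "reject", protocol="tcp", dst_ports=(23, 23), log=True),
    Rule("old-allow-all", "permit", active=False, protocol="tcp/udp"),
])


def classify(fw_set, packets):
    """Evaluate a list of packets and return their (action, rule) decisions."""
    return [fw_set.evaluate(p) for p in packets]


if __name__ == "__main__":
    samples = [
        {"protocol": "tcp", "src": "192.168.1.5", "dst": "10.1.1.20", "dst_port": 21},
        {"protocol": "tcp", "src": "192.168.1.5", "dst": "10.1.1.20", "dst_port": 23},
        {"protocol": "udp", "src": "192.168.1.5", "dst": "10.1.1.20", "dst_port": 53},
    ]
    for pkt, decision in zip(samples, classify(LAN_TO_WAN, samples)):
        print(pkt, "->", decision)
```

The disabled old-allow-all rule is the case worth noticing: with it inactive, UDP traffic falls through to the set's default-action, so a set whose default is permit rather than drop silently re-opens everything a disabled rule used to allow.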
The following section lists the commands for this feature.
Table 27 config Command Summary
COMMAND  DESCRIPTION  M
config cli
    Displays the features you can configure with the config command.  R+B
config delete anti-spam blackRule
    Removes the antispam blacklist. The blacklist is a list of IP addresses of known spammers to be blocked.  R+B
config delete anti-spam whiteRule
    Removes the antispam whitelist. The whitelist is a list of IP addresses known to be safe.  R+B
config delete custom-service <entry#>
    Deletes the specified custom service entry.  R+B
config delete custom-service <entry#> icmp-code
    Deletes the ICMP code. This field is optional for ICMP. The code and type of an ICMP packet together indicate the purpose of the packet.  R+B
config delete custom-service <entry#> icmp-type
    Deletes the ICMP type.  R+B
config delete custom-service <entry#> ip-protocol
    Deletes the IP protocol for a selected custom service.  R+B
config delete custom-service <entry#> name
    Deletes the name of the selected custom service.  R+B
config delete custom-service <entry#> range
    Deletes the port range setting for the custom service.  R+B
config delete custom-service <entry#> user-defined-ip
    Deletes the IP protocol setting for the custom service.  R+B
config delete firewall active
    Deletes the active setting in the firewall rule configuration.  R+B
config delete firewall attack block
    Deletes the block setting in the firewall rule configuration.  R+B
config delete firewall attack block-minute
    Deletes the block attack in minutes setting in the firewall rule configuration.  R+B
config delete firewall attack max-incomplete-high
    Deletes the setting for DOS (Denial of Service) detection based on the maximum number of sessions allowed.  R+B
config delete firewall attack max-incomplete-low
    When the ZyWALL detects a DOS attack it begins to delete half-open sessions until it reaches a specified number of half-open sessions. This command deletes this set number.  R+B
config delete firewall attack minute-high
    Deletes the setting for DOS detection based on the maximum number of sessions allowed per minute.  R+B
config delete firewall attack minute-low
    When the ZyWALL detects a DOS attack it begins to delete half-open sessions until it reaches a specified number of half-open sessions per minute. This command deletes this set number.  R+B
Table 27 config Command Summary (continued)
COMMAND  DESCRIPTION  M
config delete firewall attack send-alert
    Deletes the setting for whether an alert should be sent on registering an attack.  R+B
config delete firewall attack tcp-max-incomplete
    Deletes the setting for DOS detection based on the maximum number of sessions allowed with the same destination host address.  R+B
config delete firewall e-mail
    Removes all settings for e-mailing the firewall log.  R+B
config delete firewall e-mail day
    Deletes the setting for which day the firewall log e-mail is sent.  R+B
config delete firewall e-mail email-to
    Deletes the setting for where the e-mail is sent to.  R+B
config delete firewall e-mail hour
    Deletes the setting for which hour the e-mail is sent.  R+B
config delete firewall e-mail mail-server
    Deletes the setting for which e-mail server is used to send the e-mail.  R+B
config delete firewall e-mail minute
    Deletes the setting for which minute the e-mail is sent at.  R+B
config delete firewall e-mail policy
    Deletes the setting for the schedule for when the e-mail is sent.  R+B
config delete firewall e-mail return-addr
    Deletes the setting for the return address for the e-mail log.  R+B
config delete firewall e-mail subject
    Deletes the setting for the subject of the e-mail log.  R+B
config delete firewall set <set#>
    Removes the specified set of rules applying to traffic from a given interface to another.  R+B
config delete firewall set <set#> connection-timeout
    Deletes the setting for the connection timeout for traffic to which this set applies. This command has no effect on firewall settings. To configure timeout values use tos commands.  R+B
config delete firewall set <set#> default-action
    Deletes the setting for the default action for traffic to which this set applies.  R+B
config delete firewall set <set#> fin-wait-timeout
    Deletes the setting for the wait time for FIN when concluding a TCP session before it is terminated. This command has no effect on firewall settings. To configure timeout values use tos commands.  R+B
config delete firewall set <set#> icmp-timeout
    Deletes the setting for the timeout for an idle ICMP session before it is terminated. This command has no effect on firewall settings. To configure timeout values use tos commands.  R+B
config delete firewall set <set#> log
    Deletes the log of traffic to which this set applies.  R+B
config delete firewall set <set#> name
    Deletes the name of a set.  R+B
config delete firewall set <set#> rule <rule#>
    Removes a specified rule in a set from the firewall configuration.  R+B
config delete firewall set <set#> rule <rule#> action
    Deletes whether a packet is permitted, dropped or rejected when it matches this rule.  R+B
config delete firewall set <set#> rule <rule#> active
    Deletes whether a rule is enabled or not.  R+B
Table 27 config Command Summary (continued)
COMMAND  DESCRIPTION  M
config delete firewall set <set#> rule <rule#> alert
    Deletes whether or not there is notification of a DoS attack or a violation of the alert settings.  R+B
config delete firewall set <set#> rule <rule#> custom-icmp
    Deletes the desired ICMP custom service.  R+B
config delete firewall set <set#> rule <rule#> custom-ip
    Deletes the desired user defined IP Protocol custom service.  R+B
config delete firewall set <set#> rule <rule#> destaddr-range
    Deletes the IP address range setting in a rule applying to a packet with a destination IP address which falls within the specified range.  R+B
config delete firewall set <set#> rule <rule#> destaddr-single
    Deletes the IP address setting for a rule applying to a packet with the destination IP address.  R+B
config delete firewall set <set#> rule <rule#> destaddr-subnet
    Deletes the IP address and subnet mask settings for a rule applying to a packet with the destination IP address and subnet mask.  R+B
config delete firewall set <set#> rule <rule#> destport-custom
    Deletes the desired TCP/UDP custom port name.  R+B
config delete firewall set <set#> rule <rule#> log
    Deletes a log for a rule when the packet matches the rule.  R+B
config delete firewall set <set#> rule <rule#> name
    Deletes the rule name.  R+B
config delete firewall set <set#> rule <rule#> protocol
    Deletes the protocol number for a rule.  R+B
config delete firewall set <set#> rule <rule#> srcaddr-range
    Deletes the IP address range for a rule applying to a packet with a source IP address that falls within a specified range.  R+B
config delete firewall set <set#> rule <rule#> srcaddr-single
    Deletes the IP address setting in a rule applying to a packet with a specified source IP address.  R+B
config delete firewall set <set#> rule <rule#> srcaddr-subnet
    Deletes the IP address and subnet mask setting in a rule applying to a packet with a specified source IP address and subnet mask.  R+B
config delete firewall set <set#> rule <rule#> tcp destport-any
    Deletes the rule applying to a TCP packet with any destination port.  R+B
config delete firewall set <set#> rule <rule#> tcp destport-range
    Deletes the port setting for a rule applying to a TCP packet with a destination port falling within the specified range.  R+B
config delete firewall set <set#> rule <rule#> tcp destport-single
    Deletes the port setting for a rule applying to a TCP packet with the specified destination port.  R+B
config delete firewall set <set#> rule <rule#> udp destport-any
    Deletes the rule applying to a UDP packet with any destination port.  R+B
config delete firewall set <set#> rule <rule#> udp destport-range
    Deletes the port range setting for a rule applying to a UDP packet with a destination port falling within the specified range.  R+B
config delete firewall set <set#> tcp-idle-timeout
    Deletes the timeout for an idle TCP session before it is terminated. This command has no effect on firewall settings. To configure timeout values use tos commands.  R+B
config delete firewall set <set#> udp-idle-timeout
    Deletes the timeout for an idle UDP session before it is terminated. This command has no effect on firewall settings. To configure timeout values use tos commands.  R+B
Table 27 config Command Summary (continued)
COMMAND  DESCRIPTION  M
config display anti-spam
    Displays all the antispam settings.  R+B
config display custom-service
    Displays all configured custom services. See Table 26 on page 67 for a list of custom-service parameters.  R+B
config display custom-service <entry#>
    Displays the custom service for the entry number given (1~100).  R+B
config display firewall
    Displays all the firewall settings for all firewall sets. Available firewall sub-commands are:
    active
    e-mail
    attack
    set  R+B
config display firewall attack
    Displays all the attack alert settings. These are: send-alert, block, minute-high, minute-low, max-incomplete-high, max-incomplete-low, tcp-max-incomplete.  R+B
config display firewall buffer
    Displays the firewall ACL (Access Control List) buffer size. The size is product dependent and cannot be changed.  R+B
config display firewall e-mail
    Displays all the firewall e-mail log settings. These are: mail-server, return-addr, email-to, subject, policy.  R+B
config display firewall set <set#>
    Displays current entries of a set. See Table 26 on page 67 for a list of set parameters.  R+B
config display firewall set <set#> rule <rule#>
    Displays the current entries of a rule in a set. See Table 26 on page 67 for a list of rule parameters.  R+B
config edit anti-spam action <0|1>
    Sets the action for spam: 0: add a tag, 1: discard mail.  R+B
config edit anti-spam blackRule <0|1>
    Enables (1) or disables (0) the antispam blacklist filter.  R+B
config edit anti-spam externDB <0|1>
    Enables (1) or disables (0) the external database query feature. Queries are sent to an external database to check whether an e-mail is likely to be spam.  R+B
config edit anti-spam markString <spam-tag>
    Sets the Spam tag string (< 16 chars). This tag is added to the subject of spam mail.  R+B
config edit anti-spam phishingString <phishing-tag>
    Sets the phishing tag string (< 16 chars). This tag is added to the subject of spam mail.  R+B
config edit anti-spam query <0|1>
    Sets the action for mail which receives a “no spam” score: 0: add a tag, 1: discard mail.  R+B
config edit anti-spam queryString <no-spam-score-tag>
    Sets the tag string (< 16 chars) for mail which receives a “no spam” score. This tag is added to the subject of spam mail.  R+B
Chapter 10 Configuration Commands
Table 27 config Command Summary (continued)
COMMAND DESCRIPTION M
config edit anti-spam rule <rule#> email <1:whitelist|2:blacklist> active <0:disable|non-zero-number:enable> data <e-mail> | Sets an antispam rule based on the e-mail address on a black or white list filter. e-mail: should be < 64 chars. | R+B
config edit anti-spam rule <rule#> ip <1:whitelist|2:blacklist> active <0:disable|non-zero-number:enable> address <ip-address> netmask <mask> | Sets an antispam rule based on the IP address and subnet mask on a black or white list filter. | R+B
config edit anti-spam rule <rule#> mime <1:whitelist|2:blacklist> active <0:disable|non-zero-number:enable> header <mime-header> value <mime-value> | Sets an antispam rule based on the MIME type on a black or white list filter. <mime-header>: This indicates the MIME type. <mime-value>: This is a user-defined tag attached to emails. | R+B
config edit anti-spam switch <0|1> | Enables (1) or disables (0) the antispam function. | R+B
config edit anti-spam threshold <threshold> | Sets the spam score threshold. If the spam score is higher than this threshold, the mail is judged to be spam. <threshold>: A number from 1~100. | R+B
config edit anti-spam whiteRule <0|1> | Enables (1) or disables (0) the antispam whitelist filter. | R+B
config edit custom-service <entry#> icmp-code <0~255> | Configures the ICMP code. This field is optional for ICMP. The code and type of an ICMP packet together indicate the purpose of the packet. Use config edit custom-service <entry#> icmp-type to configure the ICMP type first. | R+B
config edit custom-service <entry#> icmp-type <0~255> | Configures the ICMP type. | R+B
config edit custom-service <entry#> ip-protocol <icmp|tcp|udp|tcp/udp|user-defined> | Configures the IP protocol for a selected custom-service. | R+B
config edit custom-service <entry#> name <string> | Sets the name of the selected custom-service. | R+B
config edit custom-service <entry#> range <start-port> <end-port> | When the IP protocol is set to TCP and/or UDP, this command configures the port range for a specified custom-service entry. For a single port, the start port is equal to the end port. | R+B
config edit custom-service <entry#> user-defined-ip <1~255> | When the IP protocol is set to "user-defined", this command configures the user-defined IP protocol. | R+B
config edit firewall active <yes|no> | Activates or deactivates the saved firewall settings. | R+B
config edit firewall attack block <yes|no> | Select "yes" to block traffic when it exceeds the tcp-max-incomplete threshold. Select "no" to delete the oldest half-open session when the number of half-open sessions exceeds the tcp-max-incomplete threshold. | R+B
config edit firewall attack block-minute <0~255> | Sets the time a session is blocked once an attack is detected. This command is only valid when block is set to "yes". The unit is minutes. | R+B
config edit firewall attack max-incomplete-high <0~255> | Sets the threshold for DoS detection based on the maximum number of half-open sessions allowed. Half-open sessions will be deleted after this level is reached to bring the number down to max-incomplete-low. | R+B
config edit firewall attack max-incomplete-low <0~255> | Sets the level at which the firewall will stop deleting half-open sessions once a DoS attack has been detected. | R+B
config edit firewall attack minute-high <0~255> | Sets the threshold to start deleting old half-open sessions based on the number of half-open sessions per minute. | R+B
config edit firewall attack minute-low <0~255> | Sets the threshold to stop deleting old half-open sessions once a DoS attack has been detected and sufficient half-open sessions have been deleted. This threshold is based on the number of half-open sessions per minute. | R+B
config edit firewall attack send-alert <yes|no> | Activates or deactivates notification by e-mail of DoS attacks detected by the firewall. | R+B
config edit firewall attack tcp-max-incomplete <0~255> | Sets the threshold for DoS detection based on the maximum number of sessions allowed with the same destination host address. | R+B
config edit firewall e-mail day <day> | Sets the day to send the log when the e-mail policy is set to weekly. | R+B
config edit firewall e-mail e-mail-to <e-mail> | Sets the mail address to which the log is sent. | R+B
config edit firewall e-mail hour <0~23> | Sets the hour to send the log when the e-mail policy is set to daily or weekly. | R+B
config edit firewall e-mail mail-server <ip-address> | Sets the IP address of the mail server used to send the alert. | R+B
config edit firewall e-mail minute <0~59> | Sets the minute to send the log when the e-mail policy is set to daily or weekly. | R+B
config edit firewall e-mail policy <send-email-policy> | Sets the policy for when the firewall log is e-mailed. | R+B
config edit firewall e-mail return-addr <e-mail> | Sets the return address for an e-mail alert. | R+B
config edit firewall e-mail subject <mail-subject> | Sets the e-mail subject. | R+B
config edit firewall set <set#> connection-timeout <timeout> | Sets the connection timeout for traffic to which a rule in the set applies. This command has no effect on firewall settings. To configure timeout values use tos commands. | R+B
config edit firewall set <set#> default-action <rule-action> | Sets the default action for traffic to which the set applies. | R+B
config edit firewall set <set#> fin-wait-timeout <timeout> | Sets the wait time for FIN when concluding a TCP session before it is terminated. This command has no effect on firewall settings. To configure timeout values use tos commands. | R+B
config edit firewall set <set#> icmp-timeout <timeout> | Sets the timeout for an idle ICMP session before it is terminated. This command has no effect on firewall settings. To configure timeout values use tos commands. | R+B
config edit firewall set <set#> log <yes|no> | Edits whether a log of sessions to which the set applies is sent. | R+B
config edit firewall set <set#> name <string> | Edits the name of a set. | R+B
config edit firewall set <set#> rule <rule#> action <rule-action> | Edits whether a packet is permitted, dropped or rejected when it matches this rule. | R+B
config edit firewall set <set#> rule <rule#> active <yes|no> | Edits whether a rule is enabled or not. | R+B
config edit firewall set <set#> rule <rule#> alert <yes|no> | Activates or deactivates notification of a DoS attack or of a violation of any alert settings. When a DoS attack is detected the function sends an e-mail to the SMTP destination address and logs an alert. | R+B
config edit firewall set <set#> rule <rule#> custom-icmp <string> | Sets the desired ICMP custom service. | R+B
    1. You must first configure an ICMP service name using config edit custom-service <entry#> name <string>.
    2. Then use config edit custom-service <entry#> ip-protocol icmp to set the protocol to ICMP.
    3. Then use config edit custom-service <entry#> icmp-type to specify the ICMP type.
    4. Then use config edit custom-service <entry#> icmp-code to specify the ICMP code.
    5. After you save it you can add the custom-service to a firewall rule.
config edit firewall set <set#> rule <rule#> custom-ip <string> | Sets the desired user-defined IP protocol custom service. | R+B
    1. You must first configure an IP protocol name using config edit custom-service <entry#> name <string>.
    2. Then use config edit custom-service <entry#> ip-protocol user-defined-ip to enable setting the user-defined IP protocol.
    3. You must use config edit custom-service <entry#> user-defined-ip <0~255> to set the IP protocol.
    4. After you save it you can add the custom-service to a firewall rule.
config edit firewall set <set#> rule <rule#> destaddr-range <start-ip> <end-ip> | Edits the rule to apply to a packet with a destination IP address which falls within the specified range. | R+B
config edit firewall set <set#> rule <rule#> destaddr-single <ip-address> | Edits the rule to apply to a packet with the specified destination IP address. | R+B
config edit firewall set <set#> rule <rule#> destaddr-subnet <ip-address> <mask> | Edits the rule to apply to a packet with the specified destination IP address and subnet mask. | R+B
config edit firewall set <set#> rule <rule#> destport-custom <string> | Sets the desired TCP/UDP custom port name. | R+B
    1. You must first configure a TCP/UDP service name using config edit custom-service <entry#> name <string>.
    2. Then specify the IP protocol using config edit custom-service <entry#> ip-protocol. The options are TCP, UDP or TCP/UDP.
    3. Use config edit custom-service <entry#> range to set the port range(s) of the custom service.
    4. After you save it you can add the custom-service to a firewall rule.
config edit firewall set <set#> rule <rule#> log <none|match> | Sends a log for a rule when the packet matches the rule. | R+B
config edit firewall set <set#> rule <rule#> name <string> | Edits the rule name. | R+B
config edit firewall set <set#> rule <rule#> protocol <0~255> | Edits the protocol number for a rule. | R+B
config edit firewall set <set#> rule <rule#> srcaddr-range <start-ip> <end-ip> | Edits the rule to apply to a packet with a source IP address that falls within the specified range. | R+B
config edit firewall set <set#> rule <rule#> srcaddr-single <ip-address> | Edits the rule to apply to a packet with the specified source IP address. | R+B
config edit firewall set <set#> rule <rule#> srcaddr-subnet <ip-address> <mask> | Edits the rule to apply to a packet with the specified source IP address and subnet mask. | R+B
config edit firewall set <set#> rule <rule#> tcp destport-any | Edits the rule to apply to a TCP packet with any destination port. When using "?" with this command the system crashes. | R+B
config edit firewall set <set#> rule <rule#> tcp destport-range <start-port> <end-port> | Edits the rule to apply to a TCP packet with a destination port falling within the specified range. For non-consecutive port numbers, repeat this command to enter multiple port numbers. | R+B
config edit firewall set <set#> rule <rule#> tcp destport-single <port> | Edits the rule to apply to a TCP packet with the specified destination port. | R+B
config edit firewall set <set#> rule <rule#> udp destport-any | Edits the rule to apply to a UDP packet with any destination port. | R+B
config edit firewall set <set#> rule <rule#> udp destport-range <start-port> <end-port> | Edits the rule to apply to a UDP packet with a destination port falling within the specified range. For non-consecutive port numbers, repeat this command to enter multiple port numbers. | R+B
config edit firewall set <set#> rule <rule#> udp destport-single <port> | Edits the rule to apply to a UDP packet with the specified destination port. | R+B
config edit firewall set <set#> tcp-idle-timeout <timeout> | Edits the timeout for an idle TCP session before it is terminated. This command has no effect on firewall settings. To configure timeout values use tos commands. | R+B
config edit firewall set <set#> udp-idle-timeout <timeout> | Edits the timeout for an idle UDP session before it is terminated. This command has no effect on firewall settings. To configure timeout values use tos commands. | R+B
config insert firewall set <set#> rule <rule#> | Inserts a new rule into a set. Use config edit commands to edit the rule and set subfields. | R+B
config retrieve anti-spam | Retrieves the current saved anti-spam settings. | R+B
config retrieve custom-service <entry#> | Retrieves the custom service entry specified by <entry#>. | R+B
config retrieve firewall | Retrieves the current saved firewall settings. | R+B
config save all | Saves the user's configuration into flash memory. | R+B
config save anti-spam | Saves the current antispam settings. | R+B
config save custom-service <entry#> | Saves the custom service entry specified by <entry#>. | R+B
config save firewall | Saves the current firewall settings. | R+B

10.2 Default Values

The following table shows a list of default values.
Table 28 config Default Values
VARIABLE | DEFAULT VALUE
ACL set name | "ACL Default Set"
anti-spam action <0|1> | 1
anti-spam blackRule <0|1> | 0
anti-spam markString <spam-tag> | "SPAM"
anti-spam phishingString <phishing-tag> | "PHISHING"
anti-spam query <0|1> | 0
anti-spam switch <0|1> | 0
anti-spam threshold <threshold> | 90
anti-spam whiteRule <0|1> | 0
connection-timeout | 30 seconds
fin-wait-timeout | 60 seconds
firewall active <yes|no> | yes
firewall attack block <yes|no> | no
firewall attack block-minute <0~255> | 10
firewall attack max-incomplete-high <0~255> | 100
firewall attack max-incomplete-low <0~255> | 80
firewall attack minute-high <0~255> | 100
firewall attack minute-low <0~255> | 80
firewall attack send-alert <yes|no> | no
firewall attack tcp-max-incomplete <0~255> | 30
firewall e-mail policy | none
icmp-timeout | 60 seconds
tcp-idle-timeout | 3600 seconds
udp-idle-timeout | 60 seconds

10.3 Command Examples

10.3.1 Firewall Example
Type the following commands to set up a firewall rule in the WAN to WAN direction, with source IP = 1.1.1.1 and destination IP = 2.2.2.2. The configured service is SSH (TCP:22), logging is enabled, and the default action taken when a packet matches a rule is to permit the packet. Save your settings and then display them for checking.
ras> config insert firewall set 8 rule 1
ras> config edit firewall set 8 rule 1 srcaddr-single 1.1.1.1
ras> config edit firewall set 8 rule 1 destaddr-single 2.2.2.2
ras> config edit firewall set 8 rule 1 tcp destport-single 22
ras> config edit firewall set 8 rule 1 log match
ras> config edit firewall set 8 rule 1 action permit
ras> config edit firewall set 8 rule 1 name SSH
ras> config display firewall set 8
ACL set number: 8(WAN1 to WAN1/ZyWALL)
ACL set name: Cmz-Rules
ACL set number of rules: 1
ACL set default action: drop
ACL pnc enable: no
ACL log enable: no
ACL logone enable: no
ACL set timeout values:
ICMP idle timeout (s): 60
UDP idle timeout (s): 60
TCP connection timeout (s): 30
TCP FIN-wait timeout (s): 60
TCP idle timeout (s): 3600
Free space remaining in ACL buffer: 161160
ras> config display set 8 rule 1
ACL rule number: 1
ACL rule active: yes
ACL rule action: permit
ACL rule protocol:
ACL rule log: match
ACL rule alert: no
Source Single IP address: 1.1.1.1
Destination Single IP address: 2.2.2.2
TCP destination port number(s): 22
ACL rule name: SSH
ras> config save firewall
The following table describes the fields displayed using the config display set command in the example above.
Table 29 config display set
LABEL | DESCRIPTION
ACL set number | Shows the index number of this set and the interfaces it applies to. See
ACL set name | Shows the name of this set.
ACL set number of rules | Shows the number of rules in this set.
ACL set default action | Shows the default action when a packet matches a rule in the set. The options are: permit|drop|reject.
ACL pnc enable | Shows whether the pnc service is enabled. This service is currently not available.
ACL log enable | Shows whether the log is enabled or not.
ACL logone enable | Shows whether logone is enabled or not. This function is currently not available.
ICMP idle timeout(s) | Shows the timeout for an idle ICMP session before it is terminated.
UDP idle timeout(s) | Shows the timeout for an idle UDP session before it is terminated.
TCP connection timeout(s) | Shows the connection timeout for traffic to which a rule in the set applies.
TCP FIN-wait timeout(s) | Shows the wait time for FIN when concluding a TCP session before it is terminated.
TCP idle timeout(s) | Shows the timeout for an idle TCP session before it is terminated.
The following table describes the fields displayed using the config display set <index> rule command in the example above, as well as other related fields that may appear when configuring a rule using this command.
Table 30 config display set <index> rule <rule#>
LABEL | DESCRIPTION
ACL rule number | Shows the index number of this rule.
ACL rule active | Shows whether this rule is active or not.
ACL rule action | Shows the action taken when a packet matches a rule. The options are: permit|drop|reject.
ACL rule protocol | Shows the protocol number this rule applies to. They range from 0~255. For example, 1=ICMP, 6=TCP, 17=UDP; see RFC 791.
ACL rule log | Shows whether the logging of packets matching the rule is enabled or not.
ACL rule alert | Shows whether or not an alert is sent when a packet matches the rule.
Source Single IP address | Shows the source IP address of packets to which the rule applies.
Source IP address, subnet mask | Shows the source IP address and subnet mask of packets to which the rule applies.
Source Starting IP address, Ending IP address | Shows the range of source IP addresses of packets to which the rule applies.
Destination Single IP address | Shows the destination IP address of packets to which the rule applies.
Destination IP address, subnet mask | Shows the destination IP address and subnet mask of packets to which the rule applies.
Destination Starting IP address, Ending IP address | Shows the range of destination IP addresses of packets to which the rule applies.
TCP destination port number(s) | Shows the destination TCP port of packets to which the rule applies.
TCP destination port range(s) | Shows the range of destination TCP ports of packets to which the rule applies.
UDP destination port number(s) | Shows the destination UDP port of packets to which the rule applies.
UDP destination port range(s) | Shows the range of destination UDP ports of packets to which the rule applies.
Custom dest. TCP/UDP port name | Shows the name of the custom destination port.
Custom IP protocol name | Shows the name of a custom IP service.
Custom ICMP protocol name | Shows the name of a custom ICMP service.
ACL rule name | Shows the name of this rule.
The following table shows the interfaces assigned to each set number.
Table 31 Set-Interface Assignments
SET NUMBER | INTERFACE
1 | LAN to WAN1
2 | WAN1 to LAN
3 | DMZ to LAN
4 | DMZ to WAN1
5 | WAN1 to DMZ
6 | LAN to DMZ
7 | LAN to LAN
8 | WAN1 to WAN1
9 | DMZ to DMZ
10 | LAN to WLAN
11 | WLAN to LAN
12 | WAN1 to WLAN
13 | WLAN to WAN1
14 | DMZ to WLAN
15 | WLAN to DMZ
16 | WLAN to WLAN
17 | LAN to WAN2
18 | WAN2 to LAN
19 | WAN1 to WAN2
20 | WAN2 to WAN
21 | WAN2 to WAN2
22 | DMZ to WAN2
23 | WAN2 to DMZ
24 | WLAN to WAN2
25 | WAN2 to WLAN
26 | LAN to VPN
27 | VPN to LAN
28 | WAN1 to VPN
29 | VPN to WAN
30 | WAN2 to VPN
31 | VPN to WAN2
32 | DMZ to VPN
33 | VPN to DMZ
34 | WLAN to VPN
35 | VPN to WLAN
36 | VPN to VPN
10.3.2 Anti-spam Example
This example shows how to set up an anti-spam blacklist filter rule, set to active, with an IP address of 192.168.1.33 and a subnet mask of 255.255.255.255.
ras> config edit anti-spam rule 2 ip 2 active 1 address 192.168.1.33 netmask 255.255.255.255
ras> config save anti-spam
ras> config display anti-spam
ACL set header information:
ANTI_SPAM ACL set number: 1
ANTI_SPAM ACL set number of rules: 2
ANTI_SPAM ACL set name: Anti-Spam ACL set
ANTI-SPAM Information:
ANTI_SPAM ANTI_SPAM:DISABLE, WhiteList:DISABLE, BlackList:DISABLE
ANTI_SPAM SPAM Mail Tag:[SPAM]
ANTI_SPAM Phishing Mail Tag:[PHISHING]
ANTI_SPAM Action:Add Tag to SMTP/POP3 SPAM Mail
ANTI_SPAM Disable External Database
ANTI_SPAM Action for Query timeout:Add Tag to SMTP/POP3 SPAM Mail
ACL rule header information:
ANTI_SPAM ACL rule number: 1
ANTI_SPAM ACL rule: White Rule
ACL rule header information:
ANTI_SPAM ACL rule number: 2
ANTI_SPAM ACL rule: Black Rule
ANTI_SPAM Index:0, flags:1, IP:192.168.1.33 ,Netmask:255.255.255.255
The following table describes the fields displayed using the config display set command in the example above.
Table 32 config display set <entry#>
LABEL | DESCRIPTION
ANTI_SPAM ACL set number | Shows the index of this set.
ANTI_SPAM ACL set number of rules | Shows the number of rules in this set.
ANTI_SPAM ACL set name | Shows the name of the set.
ANTI_SPAM | Shows whether the anti-spam function is enabled or not.
WhiteList | Shows whether the whitelist service is enabled or not.
BlackList | Shows whether the blacklist function is enabled or not.
ANTI_SPAM SPAM Mail Tag | Shows the tag the antispam service attaches to mail identified as spam.
ANTI_SPAM Phishing Mail Tag | Shows the tag the antispam service attaches to mail identified as phishing mail.
ANTI_SPAM Action | Shows the action taken when the antispam service identifies mail as spam.
ANTI_SPAM Disable External Database | Shows whether an external database of known spam characteristics is used or not.
ANTI_SPAM Action for Query timeout | Shows the action taken when a query to an external database times out.
ANTI_SPAM ACL rule number | Shows the index number of a rule in the set. A set may only have two rules.
ANTI_SPAM ACL rule | Shows whether a rule in the set is based on a whitelist or a blacklist.
ANTI_SPAM Index XX, flags XX, IP: XXX.XXX.XXX.XXX, Netmask: XXX.XXX.XXX.XXX | Shows the e-mail addresses, IP address/subnet masks, or MIME types/values that are included in the whitelist and blacklist of each rule. This example shows an IP address/subnet mask based rule. The index shows the index number of an e-mail address, IP address/subnet mask, or MIME type/value entry. A "0" flag indicates the rule is disabled; a non-zero flag shows it is enabled.
10.3.3 Custom Service Example
This example shows how to configure a custom service named "PERMITTED_ICMP", using the ICMP protocol, of type 3 and code 1.
ras> config edit custom-service 1 name PERMITTED_ICMP
ras> config edit custom-service 1 ip-protocol icmp
ras> config edit custom-service 1 type 3
ras> config edit custom-service 1 code 1
ras> config save custom-service 1
ras> config display custom-service 1
Custom Service #1:
Custom Service Name: PERMITTED_ICMP
Custom Service Type: ICMP
Custom Service ICMP Type: 3
Custom Service ICMP Code: 1
The following table describes the fields displayed using the config display custom-service command in the example above.
Table 33 config display custom-service
LABEL | DESCRIPTION
Custom Service Name | Shows the name of the service you have configured.
Custom Service Type | Shows the TCP/IP protocol selected for this service.
Custom Service ICMP Type | Shows the ICMP type. ICMP messages are assigned a type to indicate their use. For example, destination unreachable ICMP packets are identified by the value 3 in the type field.
Custom Service ICMP Code | Shows the ICMP code. The ICMP type can be further specified by the ICMP code. For example, type 3, code 3 ICMP packets indicate that the host is unreachable.
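The command sequences of sections 10.3.1 and 10.3.3, written as a small generator that validates its inputs before emitting anything. This is an added example, not ZyXEL's code: it resolves the set number from the packet direction in Table 31, checks the entry, type and code ranges given in Table 27, and extends the single-address form of section 10.3.1 to the srcaddr-subnet, srcaddr-range and destport-range forms. The 1~65535 port range, the single-token rule name and reading sets 20 and 29 as WAN1 are assumptions.

```python
import ipaddress
# Set-number assignments copied from Table 31. Sets 20 and 29 are printed
# there as "WAN2 to WAN" and "VPN to WAN"; WAN1 is assumed for both.
SET_NUMBERS = {
    "LAN to WAN1": 1, "WAN1 to LAN": 2, "DMZ to LAN": 3, "DMZ to WAN1": 4,
    "WAN1 to DMZ": 5, "LAN to DMZ": 6, "LAN to LAN": 7, "WAN1 to WAN1": 8,
    "DMZ to DMZ": 9, "LAN to WLAN": 10, "WLAN to LAN": 11, "WAN1 to WLAN": 12,
    "WLAN to WAN1": 13, "DMZ to WLAN": 14, "WLAN to DMZ": 15, "WLAN to WLAN": 16,
    "LAN to WAN2": 17, "WAN2 to LAN": 18, "WAN1 to WAN2": 19, "WAN2 to WAN1": 20,
    "WAN2 to WAN2": 21, "DMZ to WAN2": 22, "WAN2 to DMZ": 23, "WLAN to WAN2": 24,
    "WAN2 to WLAN": 25, "LAN to VPN": 26, "VPN to LAN": 27, "WAN1 to VPN": 28,
    "VPN to WAN1": 29, "WAN2 to VPN": 30, "VPN to WAN2": 31, "DMZ to VPN": 32,
    "VPN to DMZ": 33, "WLAN to VPN": 34, "VPN to WLAN": 35, "VPN to VPN": 36,
}
RULE_ACTIONS = ("permit", "drop", "reject")  # <rule-action> values, Table 29


def set_number(direction):
    """Map an 'X to Y' packet direction to its firewall set number."""
    if direction not in SET_NUMBERS:
        raise ValueError("unknown firewall direction: %r" % direction)
    return SET_NUMBERS[direction]


def _check_port(port):
    # The manual gives no explicit port range; 1~65535 is assumed here.
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)


def _addr_command(prefix, side, spec):
    """<side>addr-single for 'a.b.c.d', -subnet for CIDR, -range for 'a-b'.
    ipaddress raises ValueError on anything malformed."""
    if "-" in spec:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if end < start:
            raise ValueError("range end precedes start: %s" % spec)
        return "%s %saddr-range %s %s" % (prefix, side, start, end)
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=True)
        return "%s %saddr-subnet %s %s" % (prefix, side, net.network_address, net.netmask)
    return "%s %saddr-single %s" % (prefix, side, ipaddress.IPv4Address(spec))


def firewall_rule_commands(direction, rule, name, src, dst, action,
                           proto=None, port=None, log=True):
    """Section 10.3.1 sequence for one rule. proto is 'tcp' or 'udp' (None
    emits no port command); port is an int, a (start, end) tuple, or None for
    destport-any. Every value is checked first, so a bad one raises and no
    partial sequence is returned."""
    if action not in RULE_ACTIONS:
        raise ValueError("action must be one of %s" % (RULE_ACTIONS,))
    if rule < 1:
        raise ValueError("rule number must be >= 1")
    if not name or " " in name:  # one token assumed, as in the manual's example
        raise ValueError("rule name must be one non-empty token")
    if proto not in (None, "tcp", "udp"):
        raise ValueError("proto must be 'tcp' or 'udp'")
    set_no = set_number(direction)
    prefix = "config edit firewall set %d rule %d" % (set_no, rule)
    cmds = ["config insert firewall set %d rule %d" % (set_no, rule),
            _addr_command(prefix, "src", src),
            _addr_command(prefix, "dest", dst)]
    if proto is not None and port is None:
        cmds.append("%s %s destport-any" % (prefix, proto))
    elif proto is not None and isinstance(port, tuple):
        lo, hi = port
        _check_port(lo)
        _check_port(hi)
        if hi < lo:
            raise ValueError("port range end precedes start")
        cmds.append("%s %s destport-range %d %d" % (prefix, proto, lo, hi))
    elif proto is not None:
        _check_port(port)
        cmds.append("%s %s destport-single %d" % (prefix, proto, port))
    cmds.append("%s log %s" % (prefix, "match" if log else "none"))
    cmds.append("%s action %s" % (prefix, action))
    cmds.append("%s name %s" % (prefix, name))
    cmds.append("config save firewall")
    return cmds


def custom_icmp_service_commands(entry, name, icmp_type, icmp_code=None):
    """Section 10.3.3 sequence in the order Table 27 requires: name,
    ip-protocol icmp, icmp-type, then the optional icmp-code."""
    if not 1 <= entry <= 100:  # entry numbers are 1~100 (Table 27)
        raise ValueError("custom-service entry must be 1~100")
    for value in (icmp_type, icmp_code):
        if value is not None and not 0 <= value <= 255:
            raise ValueError("ICMP type and code must be 0~255")
    base = "config edit custom-service %d" % entry
    cmds = ["%s name %s" % (base, name), "%s ip-protocol icmp" % base,
            "%s icmp-type %d" % (base, icmp_type)]
    if icmp_code is not None:
        cmds.append("%s icmp-code %d" % (base, icmp_code))
    cmds.append("config save custom-service %d" % entry)
    return cmds
```

Each returned string is one line to type at the ras> prompt; the generator emits the icmp-type and icmp-code keywords of Table 27 rather than the shortened type and code forms shown in the 10.3.3 transcript.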
CHAPTER 11

Device Related Commands

Use these commands to configure dial-up WAN connections such as PPPoE (poe), PPTP (pne) and auxiliary (aux) calls using the modem connected to the auxiliary port (if your ZyWALL has one).

11.1 Overview

A remote node is the remote gateway (and the network behind the remote gateway) across a WAN connection. Remote node 1 may be your ISP, for example. You may configure multiple remote nodes in products with SMT menus or those with multiple WAN ports. In products without SMT menus or multiple WAN ports, a remote node is the ISP you configured in the web configurator.
A channel is a subset of an interface, such as a LAN or WAN interface. An interface may have more than one channel, but it usually has just one. The channel-name is the encapsulation method used for the dial-up WAN link.
Table 34 Channel-name Command Input Values
LABEL | DESCRIPTION
channel-name | poe0: the PPPoE connection to WAN 1. poe1: the PPPoE connection to WAN 2 (if your ZyWALL has WAN 2). pne0: the PPTP connection to WAN 1. pne1: the PPTP connection to WAN 2 (if your ZyWALL has WAN 2). aux0: the connection using the modem connected to the auxiliary port (if your ZyWALL has one). all: all of the above channels.

11.2 Command Summary

The following section lists the commands for this feature.
Table 35 device Command Summary
COMMAND | DESCRIPTION | M
device channel disp <channel-name> [LEVEL] | Displays details on the specified channel. channel-name: The options are poe0|poe1|pne0|pne1|aux0|all. | H+R+B
device channel drop <channel-name> | Drops the specified channel. | R+B
device channel name <ALL|USE> | Lists the names of all channels or the names of the channels in use. | H+R+B
device channel threshold <channel-name> [NUMBER] | Sets the channel threshold. | H+R+B
device dial <node#> | Dials a remote node. Enter sys rn disp to display a list of remote nodes to dial. | R

11.3 Command Example

This example triggers a call to the ISP.
ras> device dial 1
Start dialing for node <MyISP>...
CHAPTER 12

Ethernet Commands

Use these commands to configure the settings of the Ethernet ports on the ZyWALL.

12.1 Command Summary

The following section lists the commands for this feature.
Table 36 Ethernet Commands
COMMAND | DESCRIPTION | M
ether edit load <ether-number> | Loads the Ethernet configuration for the specified interface. ether-number: Use the following for a ZyWALL with a single WAN Ethernet interface: 1: lan, 2: wan, 3: dmz, 4: wlan. Use the following for a ZyWALL with two WAN Ethernet interfaces: 1: lan, 2: wan, 3: dmz, 4: wan2, 5: wlan. | R+B
ether edit mtu <value> | Sets the Ethernet MTU size. | R+B
ether edit speed <speed> | Sets the Ethernet speed in Mbps and the duplex mode. speed: auto, 10/full, 10/half, 100/full, 100/half | R+B
ether edit save | Saves the Ethernet configuration. | R+B
ether dynamicPort set <port> <type> | Sets the specified physical port mapping to DMZ, WLAN, or LAN. port: 1-4. type: DMZ, WLAN, LAN. | R+B
Chapter 12 Ethernet Commands

12.2 Command Examples

This example changes the ZyWALL's WAN speed to 10 Mbps and full duplex.
ras> ether edit load 2
ras> ether edit speed 10/full
ras> ether edit save
This example assigns the ZyWALL's physical port 4 to be DMZ.
ras> ether dynamicPort set 4 DMZ
CHAPTER 13

Firewall Commands

Use these commands to configure firewall settings on the ZyWALL.

13.1 Command Summary

The following table describes input values for some of the firewall commands. Other values are discussed with the corresponding commands.
Table 37 Firewall Command Input Values
LABEL | DESCRIPTION
from | A traffic source (where the traffic enters the ZyWALL). Use one of the following: lan|wan1|wan2|dmz|wlan|vpn
rule-number | The number of a specific firewall rule.
set-number | The number of a set of firewall rules. The firewall rules are grouped in sets by packet direction. Refer to Table 38 on page 87 for which set number to use for each firewall direction.
to | A traffic destination (where the traffic leaves the ZyWALL). Use one of the following: lan|wan1|wan2|dmz|wlan|vpn
Table 38 Firewall Set Numbers
FIREWALL DIRECTION | SET-NUMBER
LAN to WAN | 1
WAN to LAN | 2
DMZ to LAN | 3
DMZ to WAN | 4
WAN to DMZ | 5
LAN to DMZ | 6
LAN to LAN | 7
WAN to WAN | 8
DMZ to DMZ | 9
LAN to WLAN | 10
WLAN to LAN | 11
WAN to WLAN | 12
WLAN to WAN | 13
DMZ to WLAN | 14
WLAN to DMZ | 15
WLAN to WLAN | 16
LAN to WAN2 | 17
WAN2 to LAN | 18
WAN to WAN2 | 19
WAN2 to WAN | 20
WAN2 to WAN2 | 21
DMZ to WAN2 | 22
WAN2 to DMZ | 23
WLAN to WAN2 | 24
WAN2 to WLAN | 25
LAN to VPN | 26
VPN to LAN | 27
WAN to VPN | 28
VPN to WAN | 29
WAN2 to VPN | 30
VPN to WAN2 | 31
DMZ to VPN | 32
VPN to DMZ | 33
WLAN to VPN | 34
VPN to WLAN | 35
VPN to VPN | 36
Chapter 13 Firewall Commands
The following section lists the firewall commands.
Table 39 Firewall Commands
COMMAND | DESCRIPTION | M
sys firewall acl disp [set-number] [rule-number] | Displays all of the firewall rules, rules for a specific direction of packet travel, or a specific rule. | R+B
sys firewall active <yes|no> | Enables or disables the firewall. | R+B
sys firewall cnt clear | Clears the firewall log count. | R+B
sys firewall cnt disp | Displays the firewall log type and count. | R+B
sys firewall dos display | Displays the SMTP DoS defender setting. | R+B
sys firewall dos ignore <lan|wan1|wan2|dmz|wlan|vpn> [on|off] | Sets whether or not the firewall ignores DoS attacks on the specified interface. | R+B
sys firewall dos smtp | Enables or disables the SMTP Denial of Service (DoS) defender. | R+B
sys firewall dynamicrule timeout [value] | Sets the dynamic rule timeout value (in seconds). The value must be 8 or higher. | R+B
sys firewall ignore logBroadcast <from> <to> <on|off> | Sets whether or not the firewall ignores log broadcasts. | R+B
sys firewall ignore triangle | Sets if the firewall ignores triangle route packets on the LAN or WAN. | R+B
sys firewall schedule display | Displays the firewall schedule. | R+B
sys firewall schedule load <set-number rule-number> | Loads the firewall schedule by rule. | R+B
sys firewall schedule save | Saves and applies the firewall schedule. | R+B
sys firewall schedule timeOfDay <always|hh:mm hh:mm> | Sets what time the firewall schedule applies to. | R+B
sys firewall schedule week allweek [on|off] | Turns the firewall schedule on or off for all week. | R+B
sys firewall schedule week friday [on|off] | Turns the firewall schedule on or off for Fridays. | R+B
sys firewall schedule week monday [on|off] | Turns the firewall schedule on or off for Mondays. | R+B
sys firewall schedule week saturday [on|off] | Turns the firewall schedule on or off for Saturdays. | R+B
sys firewall schedule week sunday [on|off] | Turns the firewall schedule on or off for Sundays. | R+B
sys firewall schedule week thursday [on|off] | Turns the firewall schedule on or off for Thursdays. | R+B
sys firewall schedule week tuesday [on|off] | Turns the firewall schedule on or off for Tuesdays. | R+B
sys firewall schedule week wednesday [on|off] | Turns the firewall schedule on or off for Wednesdays. | R+B

13.2 Command Examples

This example displays the firewall log type and count.
ras> sys firewall cnt disp
ICMP Idle Timeout: 0
UDP Idle Timeout: 0
TCP Idle Timeout: 0
TCP SYN Idle Timeout: 0
TCP FIN Idle Timeout: 0
Land Attack: 0
IP Spoof Attack: 0
ICMP Echo Attack: 0
ICMP Attack: 0
Netbios Attack: 0
Trace Route Attack: 0
Tear Drop Attack: 0
Syn Flood Attack: 0
SMTP Attack: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
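A small checker for the output of sys firewall cnt disp, added here as an example and not taken from the ZyXEL guide: it parses the one-counter-per-line layout shown above into the global attack counters plus one record per ACL set, then lists every counter that is above zero, which is the part of this output worth watching in monitoring. The sample output is constructed (two counters are planted non-zero), and the ACL set numbering is assumed from order of appearance, since the device prints the sets without numbers.

```python
import re

# Constructed sample in the layout of "sys firewall cnt disp"; not a real capture.
SAMPLE_CNT_DISP = """\
ICMP Idle Timeout: 0
UDP Idle Timeout: 0
TCP Idle Timeout: 0
TCP SYN Idle Timeout: 0
TCP FIN Idle Timeout: 0
Land Attack: 0
IP Spoof Attack: 3
ICMP Echo Attack: 0
ICMP Attack: 0
Netbios Attack: 0
Trace Route Attack: 0
Tear Drop Attack: 0
Syn Flood Attack: 12
SMTP Attack: 0
ACL name: ACL Default Set
Blocks: 0
Minute High: 0
Max Incomplete High: 0
TCP Max Incomplete: 0
ACL name: ACL Default Set
Blocks: 7
Minute High: 2
Max Incomplete High: 0
TCP Max Incomplete: 0
"""

LINE_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")
ACL_COUNTERS = ("Blocks", "Minute High", "Max Incomplete High", "TCP Max Incomplete")


def parse_cnt_disp(text: str) -> dict:
    """Split the output into global counters and one dict per ACL set.

    Everything before the first "ACL name:" line is a global counter; each
    "ACL name:" line opens a new per-set block. set_number is assigned by
    order of appearance (an assumption of this example).
    """
    result = {"global": {}, "acl_sets": []}
    current = result["global"]
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "ACL name":
            current = {"name": value, "set_number": len(result["acl_sets"]) + 1}
            result["acl_sets"].append(current)
            continue
        current[key] = int(value) if value.isdigit() else value
    return result


def nonzero_counters(parsed: dict) -> list:
    """Return (scope, counter, value) for every attack or ACL counter above zero."""
    hits = []
    for key, value in parsed["global"].items():
        if key.endswith("Attack") and isinstance(value, int) and value > 0:
            hits.append(("global", key, value))
    for acl in parsed["acl_sets"]:
        for key in ACL_COUNTERS:
            value = acl.get(key, 0)
            if isinstance(value, int) and value > 0:
                hits.append((f"ACL set {acl['set_number']} ({acl['name']})", key, value))
    return hits
```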
This example loads a firewall schedule for LAN to WAN firewall rule 1 and sets the schedule to apply the rule on all days of the week except Saturday and saves the schedule.
ras> sys firewall schedule load 2 1
Schedule Active(0=no, 1=yes): 0
ras> sys firewall schedule week monday off
Sun: 1, Mon: 0, Tue: 1, Wed: 1, Thu: 1, Fri: 1, Sat: 1.
Schedule Enable All Day On.
ras> sys firewall schedule save
Save schedule successful.
ras> sys firewall acl disp 2 1
ACL Runtime Data for ACL Set Number: 2
Number of Rules: 2
ACL default action (0=Drop, 1=Permit, 2=Reject): 0
ICMP Idle Timeout: 0
UDP Idle Timeout: 0
TCP SYN Wait Timeout: 0
TCP FIN Wait Timeout: 0
TCP Idle Timeout: 0
DNS Idle Timeout: 0
Runtime Rule Number: 1
Name: W2L_Rule_1
Active (0=no, 1=yes): 0
Schedule (0=no, 1=yes): 1
Sun: 1, Mon: 0, Tue: 1, Wed: 1, Thu: 1, Fri: 1, Sat: 1.
Schedule Enable All Day On.
Action (0=block, 1=permit, 2=reject): 1
Log (0=disable, 1=enable, 2=not-m, 3=both): 0
Alert (0=no, 1=yes): 0
Protocol: 0
Source IP Any: 1
Source IP Number of Single: 0
Source IP Number of Range: 0
Source IP Number of Subnet: 0
Dest IP Any: 1
Dest IP Number of Single: 0
Dest IP Number of Range: 0
Dest IP Number of Subnet: 0
TCP Source Port Any: 1
TCP Source Port Number of Single: 0
TCP Source Port Number of Range: 0
UDP Source Port Any: 1
UDP Source Port Number of Single: 0
UDP Source Port Number of Range: 0
TCP Dest Port Any: 0
TCP Dest Port Number of Single: 0
TCP Dest Port Number of Range: 0
UDP Dest Port Any: 0
UDP Dest Port Number of Single: 1
UDP Dest Port Number of Range: 0
Dest Port Single Port[1]: 68
ICMP Custom Service Number with only Type defined: 0
ICMP Custom Service Number with both Type and Code defined: 0
Number of User Defined IP Protocol: 0
------------------------
CHAPTER 14

IDP Commands

Use these commands to configure IDP (Intrusion Detection and Prevention) settings on the ZyWALL.

14.1 Command Summary

The following section lists the commands for this feature.
Table 40 IDP Commands
COMMAND | DESCRIPTION | M
idp config clean | Clears out all the IDP matrix settings. | R+B
idp config dir dmz-dmz <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir dmz-lan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir dmz-wan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir dmz-wan2 <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir dmz-wlan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir lan-dmz <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir lan-lan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir lan-wan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir lan-wan2 <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir lan-wlan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wan2-lan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wan2-wan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wan2-wan2 <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wan2-wlan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wan-dmz <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wan-lan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wan-wan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wan-wan2 <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wan-wlan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wlan-dmz <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wlan-lan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wlan-wan <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wlan-wan2 <on|off> | Configures the protected traffic direction setting. | R+B
idp config dir wlan-wlan <on|off> | Configures the protected traffic direction setting. | R+B
idp config enable <on|off> | Turns IDP on or off. | R+B
idp config save | Saves the enable setting and the protected traffic directions. | R+B
idp config tune config l4cpmssck <on|off> | Enables or disables the TCP packet header MSS check. This has the ZyWALL not check invalid packets, which can reduce the number of false alarms. | R+B
idp config tune config l4Icmpcjsum <on|off> | Enables or disables the ICMP packet header checksum check. This has the ZyWALL not check invalid packets, which can reduce the number of false alarms. | R+B
idp config tune config l4Smtpasm <on|off> | Enables or disables TCP assembly for SMTP. Disabling packet assembly can enhance throughput, but may allow more intrusions to go undetected. | R+B
idp config tune config l4Tcpcksum <on|off> | Enables or disables the TCP packet header checksum check. This has the ZyWALL not check invalid packets, which can reduce the number of false alarms. | R+B
idp config tune config l4Tcpwindowck <on|off> | Enables or disables the TCP packet window check. This has the ZyWALL not check invalid packets, which can reduce the number of false alarms. | R+B
idp config tune config l4Udpcksum <on|off> | Enables or disables the UDP packet header checksum check. This has the ZyWALL not check invalid packets, which can reduce the number of false alarms. | R+B
idp config tune config l7Ftpasm <on|off> | Enables or disables TCP assembly for FTP. Disabling packet assembly can enhance throughput, but may allow more intrusions to go undetected. | R+B
idp config tune config l7Ftpdataasm <on|off> | Enables or disables TCP assembly for FTPDATA. Disabling packet assembly can enhance throughput, but may allow more intrusions to go undetected. | R+B
idp config tune config l7Httpasm <on|off> | Enables or disables TCP assembly for HTTP. Disabling packet assembly can enhance throughput, but may allow more intrusions to go undetected. | R+B
idp config tune config l7Otherasm <on|off> | Enables or disables TCP assembly for other protocols. Disabling packet assembly can enhance throughput, but may allow more intrusions to go undetected. | R+B
idp config tune config l7Pop3asm <on|off> | Enables or disables TCP assembly for POP3. Disabling packet assembly can enhance throughput, but may allow more intrusions to go undetected. | R+B
idp config tune display | Displays the tune configuration. | R+B
idp config tune load | Loads the tune configuration. IDP tuning allows you to enable or disable packet header checks and packet assembly. | R+B
idp config tune save | Saves the tune configuration. | R+B
idp display | Displays whether or not IDP is enabled and what traffic flows the ZyWALL checks for intrusions. | R+B
idp load | Loads the enable setting and the protected traffic directions. | R+B
idp signature config action <1~6> | Sets the action the ZyWALL takes upon finding a match for the signature. | R+B
    1: No Action. The intrusion is detected but no action is taken.
    2: Drop Packet. The packet is silently discarded.
    3: Drop Session. When the firewall is enabled, subsequent TCP/IP packets belonging to the same connection are dropped. Neither sender nor receiver is sent TCP RST packets. If the firewall is not enabled, only the packet that matched the signature is dropped.
    4: Reset Sender. When the firewall is enabled, the TCP/IP connection is silently torn down. Just the sender is sent TCP RST packets. If the firewall is not enabled, only the packet that matched the signature is dropped.
    5: Reset Receiver. When the firewall is enabled, the TCP/IP connection is silently torn down. Just the receiver is sent TCP RST packets. If the firewall is not enabled, only the packet that matched the signature is dropped.
    6: Reset Both. When the firewall is enabled, the TCP/IP connection is silently torn down. Both sender and receiver are sent TCP RST packets. If the firewall is not enabled, only the packet that matched the signature is dropped.
idp signature config active <on|off> | Enables or disables the signature. | R+B
idp signature config alert <on|off> | Enables or disables the sending of an alert e-mail when a match is found for the signature. | R+B
idp signature config log <on|off> | Enables or disables log generation when a match is found for the signature. | R+B
idp signature display | Displays the currently loaded signature's settings. | R+B
idp signature load <signature-id> | Loads the specified signature (so you can configure it). signature-id: each intrusion signature has a unique identification number. This number may be searched at myZyXEL.com for more detailed information. | R+B
idp signature reset | Resets the signature setting to its default settings. | R+B
idp signature save | Saves the signature settings. | R+B
idp update config autoupdate <on|off> | Enables or disables automatic updating of IDP signatures. | R+B
idp update config dailyTime <00~23> | Sets the hour for daily updates. | R+B
idp update config method <1~3> | Sets how often to update the IDP signatures. 1: hourly, 2: daily, 3: weekly. | R+B
idp update config weeklyDay <1~7> | Sets the day for weekly updates. | R+B
idp update config weeklyTime <00~23> | Sets the hour for weekly updates. | R+B
idp update display | Shows signature information and the update setting. | R+B
idp update load | Loads the signature update settings. | R+B
idp update save | Saves the signature update settings. | R+B
idp update start | Starts the signature update. | R+B

14.2 Command Examples

This example loads signature 1051222 and displays its current settings. Then it sets the ZyWALL to send an alert upon finding a match for the signature. Finally it saves the signature's settings.
ras> idp signature load 1051222
ras> idp signature display
RuleID : 1051222
AttackType : SPAM
Platform : Windows,UNIX,NetworkDevice
Severity : Medium
Name : SPAM Drug
Active : On
Log : On
Alert : Off
Action : Drop Session
ras> idp signature config alert on
ras> idp signature display
RuleID : 1051222
AttackType : SPAM
Platform : Windows,UNIX,NetworkDevice
Severity : Medium
Name : SPAM Drug
Active : On
Log : On
Alert : On
Action : Drop Session
ras> idp signature save
CHAPTER 15

IP Commands

Use these commands to configure IP settings on the ZyWALL.

15.1 Command Summary

The following table describes input values for some of the ip commands. Other values are discussed with the corresponding commands.
Table 41 IP Command Input Values
LABEL | DESCRIPTION
isp-group-idx | The number of an ISP configuration on the ZyWALL. For example, the ISP configured for the WAN 1 interface is ISP group index 1.
number | The number of system report records to display. For example, if you specify 10, the top 10 report entries display.
15.1.1 ALG Commands
The following section lists the ALG commands.
Table 42 ALG Commands
COMMAND | DESCRIPTION | M
ip alg disable <ALG_FTP|ALG_H323|ALG_SIP> | Turns off the specified ALG (Application Layer Gateway). | R+B
ip alg disp | Shows whether the ALG is enabled or disabled. | R+B
ip alg enable <ALG_FTP|ALG_H323|ALG_SIP> | Turns on the specified ALG. | R+B
ip alg ftpPortNum [port] | Sets the FTP ALG to support a different port number (instead of the default). | R+B
ip alg siptimeout <timeout> | Sets the SIP timeout in seconds. 0 means no timeout. | R+B
15.1.2 ARP Commands
The following section lists the ARP commands.
Table 43 ARP Commands
COMMAND | DESCRIPTION | M
ip arp ackGratuitous active [yes|no] | Turns the acceptance of gratuitous ARP (Address Resolution Protocol) packets on or off. See Section 15.1.3 on page 98 for details. | R+B
ip arp ackGratuitous forceUpdate [on|off] | Has the ZyWALL update an existing ARP entry for which a gratuitous request was received. See Section 15.1.3 on page 98 for details. | R+B
ip arp add <ip-address> ether <mac-address> | Adds ARP information. | R+B
ip arp attpret <on|off> | Allows or disallows the ZyWALL to receive ARP from a different network. | R+B
ip arp force <on|off> | Enables or disables the ARP timeout function. | R+B
ip arp gratuitous <on|off> | Turns duplicate IP address detection (based on gratuitous ARPs) on or off. | R+B
ip arp status <interface> | Displays an interface's ARP status. | R+B
ip arp reqUpdateTable <on|off> | Sets whether or not the ZyWALL updates its ARP table based on the source IP address and MAC address of received ARP request packets. This is off by default. If you turn this on, the setting changes back to off when the ZyWALL restarts. | R+B
15.1.3 ARP Behavior and the ARP ackGratuitous Command Details
The ZyWALL does not accept ARP reply information if the ZyWALL did not send out a corresponding request. This helps prevent the ZyWALL from updating its ARP table with an incorrect IP address to MAC address mapping due to a spoofed ARP. An incorrect IP to MAC address mapping in the ZyWALL’s ARP table could cause the ZyWALL to send packets to the wrong device.
15.1.3.1 Commands for Using or Ignoring Gratuitous ARP Requests
A gratuitous ARP request is an ARP request that a host sends to resolve its own IP address. The packet uses the host’s own IP address as the source and destination IP address. The packet uses the Ethernet broadcast address (FF:FF:FF:FF:FF:FF) as the destination MAC address. This is used to determine if any other hosts on the network are using the same IP address as the sending host. The other hosts in the network can also update their ARP table IP address to MAC address mappings with this host’s MAC address.
The ip arp ackGratuitous commands set how the ZyWALL handles gratuitous ARP requests.
• Use ip arp ackGratuitous active no to have the ZyWALL ignore gratuitous ARP requests.
• Use ip arp ackGratuitous active yes to have the ZyWALL respond to gratuitous ARP requests.
For example, say the regular gateway goes down and a backup gateway sends a gratuitous ARP request. If the request is for an IP address that is not already in the ZyWALL’s ARP table, the ZyWALL sends an ARP request to ask which host is using the IP address. After the ZyWALL receives a reply from the backup gateway, it adds an ARP table entry.
If the ZyWALL's ARP table already has an entry for the IP address, the ZyWALL's response depends on how you configure the ip arp ackGratuitous forceUpdate command.
• Use ip arp ackGratuitous forceUpdate on to have the ZyWALL update the MAC address in the ARP entry.
• Use ip arp ackGratuitous forceUpdate off to have the ZyWALL not update the MAC address in the ARP entry.
A backup gateway (as in the following graphic) is an example of when you might want to turn on the forced update for gratuitous ARP requests. One day gateway A shuts down and the backup gateway (B) comes online using the same static IP address as gateway A. Gateway B broadcasts a gratuitous ARP request to ask which host is using its IP address. If ackGratuitous is on and set to force updates, the ZyWALL receives the gratuitous ARP request and updates its ARP table. This way the ZyWALL has a correct gateway ARP entry to forward packets through the backup gateway. If ackGratuitous is off or not set to force updates, the ZyWALL will not update the gateway ARP entry and cannot forward packets through gateway B.
Figure 3 Backup Gateway
Updating the ARP entries could increase the danger of spoofing attacks. It is recommended that you turn on ackGratuitous and force update only if you need it, as in the previous backup gateway example. Turning on the force updates option is more dangerous than leaving it off because the ZyWALL then updates the ARP table even when there is an existing entry.
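The handling rules of this section, as an added Python model that is not part of the ZyXEL guide: unsolicited replies are dropped, gratuitous requests are ignored or answered according to ackGratuitous active, and an existing entry is overwritten only when forceUpdate is on. Class, method and function names and all addresses are this example's own assumptions, not a device API.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpPacket:
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str
    dst_mac: str     # Ethernet destination address of the frame

    def is_gratuitous_request(self) -> bool:
        # A gratuitous request resolves the sender's own address (sender IP
        # equals target IP) and is sent to the Ethernet broadcast address.
        return (self.op == "request" and self.sender_ip == self.target_ip
                and self.dst_mac == BROADCAST_MAC)


@dataclass
class ZyWallArpTable:
    """Model of the ARP handling rules in Section 15.1.3 (names are this
    example's own, not a device API). ack_gratuitous mirrors
    'ip arp ackGratuitous active yes|no'; force_update mirrors
    'ip arp ackGratuitous forceUpdate on|off'."""
    ack_gratuitous: bool = True
    force_update: bool = False
    table: Dict[str, str] = field(default_factory=dict)   # ip -> mac
    pending: Set[str] = field(default_factory=set)        # IPs the ZyWALL asked about

    def handle(self, pkt: ArpPacket) -> str:
        if pkt.op == "reply":
            # Only replies to the ZyWALL's own requests are accepted; an
            # unsolicited (possibly spoofed) reply never reaches the table.
            if pkt.sender_ip not in self.pending:
                return "ignored: unsolicited reply"
            self.pending.discard(pkt.sender_ip)
            self.table[pkt.sender_ip] = pkt.sender_mac
            return "learned: entry added from solicited reply"
        if not pkt.is_gratuitous_request():
            return "ignored: ordinary request (not modelled here)"
        if not self.ack_gratuitous:
            return "ignored: ackGratuitous active no"
        if pkt.sender_ip not in self.table:
            # Unknown IP: the ZyWALL asks who owns it and adds the entry only
            # when the now-solicited reply arrives.
            self.pending.add(pkt.sender_ip)
            return "queried: sent ARP request for " + pkt.sender_ip
        if self.force_update:
            self.table[pkt.sender_ip] = pkt.sender_mac
            return "updated: existing entry overwritten (forceUpdate on)"
        return "kept: existing entry left unchanged (forceUpdate off)"


def backup_gateway_scenario(force_update: bool) -> str:
    """Gateway A is in the table; gateway B comes up with A's IP and sends a
    gratuitous request. Returns the MAC the ZyWALL forwards to afterwards.
    All addresses are constructed for this example."""
    gw_ip = "192.168.1.254"
    mac_a, mac_b = "00:11:22:33:44:aa", "00:11:22:33:44:bb"
    zw = ZyWallArpTable(ack_gratuitous=True, force_update=force_update,
                        table={gw_ip: mac_a})
    zw.handle(ArpPacket("request", mac_b, gw_ip, gw_ip, BROADCAST_MAC))
    return zw.table[gw_ip]
```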
15.1.4 Binding Commands
The following section lists the commands for having a (non-WAN) Ethernet interface filter packets based on IP address to MAC address binding.
Table 44 Binding Commands
COMMAND | DESCRIPTION | M
ip binding <enifx> active <yes|no> | Enable this to have the specified interface accept traffic only from devices which have received an IP address from the ZyWALL. | R+B
ip binding <enifx> exempt active <yes|no> | Sets whether or not the ZyWALL accepts packets from a range of source IP addresses that were not assigned by the ZyWALL. | R+B
ip binding <enifx> exempt range <start-ip> <end-ip> | Sets the range of IP addresses that are exempt from IP to MAC address binding on the specified interface. | R+B
ip binding <enifx> status | Displays the IP/MAC binding settings for the specified interface. | R+B
15.1.5 Content Filtering Commands
The following section lists the content filtering commands.
Table 45 Content Filtering Commands
COMMAND | DESCRIPTION | M
ip cf bypass [LAN|DMZ|WAN] [on|off] | Sets content filtering to ignore an interface's web traffic. | R+B
ip cf common denymsg [message] | Sets or displays the content filtering denied access message. | R+B
ip cf common display | Shows the general content filtering settings. | R+B
ip cf common enable <on|off> | Turns content filtering on or off. | R+B
ip cf common redirurl [url] | Sets or displays the content filtering denied access redirect URL. | R+B
ip cf externalDB cache delete <entry_number|All> | Removes an individual entry from the cache of URLs rated by the external content filter server or clears the entire cache. | R+B
ip cf externalDB cache display | Displays the category ratings of URLs that the ZyWALL has received from the external content filter server. | R+B
ip cf externalDB cache timeout [hours] | Sets how many hours a categorized web site address remains in the cache. | R+B
ip cf externalDB enable [on|off] | Turns the external database checking on or off. | R+B
ip cf externalDB enableLog <on|off> | Turns content filtering external database logs on or off. | R+B
ip cf externalDB exDblogserver [server-address] | Sets the address for content filtering external database logs. | R+B
ip cf externalDB matchweb [none|log|block|both] | Sets the log and block action for websites that match a category in the content filtering external database configuration. | R+B