manualshive.com logo in svg

ZyXEL Communications UAG Series, Reference Manual

Share
Download
ZyXEL Communications UAG Series Reference Manual Download Page 255

 Chapter 51 Certificates

UAG CLI Reference Guide

255

ca validation 

remote_certificate

Enters the sub command mode for validation of 
certificates signed by the specified remote (trusted) 
certificates.

cdp {activate|deactivate}

Turns certificate revocation on or off. When it is turned on, 
the UAG validates a certificate by getting a Certificate 
Revocation List (CRL) through HTTP or LDAP (can be 
configured after activating the LDAP checking option) and 
online responder (can be configured after activating the 
OCSP checking option). You also need to configure the 
OSCP or LDAP server details.

ldap {activate|deactivate}

Has the UAG check (or not check) incoming certificates 
that are signed by this certificate against a Certificate 
Revocation List (CRL) on a LDAP (Lightweight Directory 
Access Protocol) directory server.

ldap ip {

ip

|

fqdn

} port <1..65535> [id 

name 

password 

password

] [deactivate]

Sets the validation configuration for the specified remote 
(trusted) certificate where the directory server uses LDAP. 

ip

: Type the IP address (in dotted decimal notation) or 

the domain name of the directory server. The domain 
name can use alphanumeric characters, periods and 
hyphens. Up to 255 characters.

port

: Specify the LDAP server port number. You must use 

the same server port number that the directory server 
uses. 389 is the default server port number for LDAP.

The UAG may need to authenticate itself in order to 
access the CRL directory server. Type the login name (up 
to 31 characters) from the entity maintaining the server 
(usually a certification authority). You can use 
alphanumeric characters, the underscore and the dash.

Type the password (up to 31 characters) from the entity 
maintaining the CRL directory server (usually a 
certification authority). You can use the following 
characters: a-zA-Z0-9;|`~!@#$%^&*()_+\{}':,./<>=-

ocsp {activate|deactivate}

Has the UAG check (or not check) incoming certificates 
that are signed by this certificate against a directory 
server that uses OCSP (Online Certificate Status Protocol).

ocsp url 

url

 [id 

name

 password 

password

[deactivate]

Sets the validation configuration for the specified remote 
(trusted) certificate where the directory server uses OCSP. 

url

: Type the protocol, IP address and pathname of the 

OCSP server. 

name: The UAG may need to authenticate itself in order to 
access the OCSP server. Type the login name (up to 31 
characters) from the entity maintaining the server 
(usually a certification authority). You can use 
alphanumeric characters, the underscore and the dash.

password: Type the password (up to 31 characters) from 
the entity maintaining the OCSP server (usually a 
certification authority). You can use the following 
characters: a-zA-Z0-9;|`~!@#$%^&*()_+\{}':,./<>=-

no ca category {local|remote}

 certificate_name

Deletes the specified local (my certificates) or remote 
(trusted certificates) certificate.

no ca validation 

name

Removes the validation configuration for the specified 
remote (trusted) certificate.

Table 164   

ca Commands Summary (continued)

COMMAND

DESCRIPTION

Summary of Contents for UAG Series

Page 1: ...n 1 03 2015 Copyright 2011 ZyXEL Communications Corporation CLI Reference Guide Default Login Details LAN Port https 192 168 1 1 UAG715 http 172 16 0 1 UAG2100 UAG4100 UAG5100 LAN1 http 172 17 0 1 UAG2100 UAG4100 UAG5100 LAN2 User Name admin Password 1234 Copyright 2015 ZyXEL Communications Corporation ...

Page 2: ...mands in this book may differ slightly from your product due to differences in your product firmware or your computer operating system Every effort has been made to ensure that the information in this manual is accurate Related Documentation User s Guide The User s Guide explains how to use the Web Configurator to configure the UAG It is recommended you use the Web Configurator to configure the UA...

Page 3: ...st of supported features and details about feature implementation Note The version number on the cover page refers to the latest firmware version supported by the UAG This guide applies to versions 2 50 4 00 4 01 and 4 10 at the time of writing Please refer to www zyxel com or your product s CD for product specific User Guides and product certifications How To Use This Guide 1 Read Chapter 1 on pa...

Page 4: ... return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A right angle bracket within a screen name denotes a mouse click For example Maintenance Log Log Setting means you first click Maintenance in the navigation panel then the Log sub menu and finally the Log Setting tab to get...

Page 5: ...Document Conventions UAG CLI Reference Guide 5 Server Firewall Telephone Switch Router ...

Page 6: ...1 Wireless Frame Capture 75 Dynamic Channel Selection 77 Wireless Load Balancing 79 Auto Healing 82 Interfaces 84 Trunks 106 IP Drop In 111 Route 114 Routing Protocol 121 Zones 125 DDNS 128 Virtual Servers 131 VPN 1 1 Mapping 136 HTTP Redirect 140 SMTP Redirect 142 ALG 145 UPnP 148 IP MAC Binding 151 Layer 2 Isolation 153 IPnP 156 Web Authentication 158 Walled Garden 166 Advertisement 168 RTLS 169...

Page 7: ...Application Object 232 Addresses 235 Services 238 Schedules 241 AAA Server 243 Authentication Objects 250 Certificates 253 ISP Accounts 258 SSL Application 260 Endpoint Security 262 Dynamic Guest Accounts 269 System 272 System Remote Management 281 File Manager 291 Logs 304 Reports and Reboot 309 Session Timeout 315 Diagnostics 316 Packet Flow Explore 317 Maintenance Tools 321 Watchdog Timer 326 ...

Page 8: ...d Commands in this Guide 28 1 4 How Commands Are Explained 29 1 4 1 Background Information Optional 29 1 4 2 Command Input Values Optional 29 1 4 3 Command Summary 29 1 4 4 Command Examples Optional 29 1 4 5 Command Syntax 29 1 4 6 Changing the Password 30 1 5 CLI Modes 30 1 6 Shortcuts and Help 31 1 6 1 List of Available Commands 31 1 6 2 List of Sub commands or Required User Input 31 1 6 3 Enter...

Page 9: ...scription Services Available on the UAG 48 5 2 1 Content Filtering Subscription Service 48 5 2 2 Maximum Number of Managed APs 49 5 3 Registration Commands V2 50 Only 49 5 3 1 Command Examples 50 5 4 Registration Status Commands V4 00 and Later Only 50 5 4 1 Command Examples 51 5 5 Country Code 51 Chapter 6 AP Management 55 6 1 AP Management Overview 55 6 2 AP Management Commands 55 6 2 1 AP Manag...

Page 10: ...ands 74 8 4 1 Rogue AP Containment Example 74 Chapter 9 Wireless Frame Capture 75 9 1 Wireless Frame Capture Overview 75 9 2 Wireless Frame Capture Commands 75 9 2 1 Wireless Frame Capture Examples 76 Chapter 10 Dynamic Channel Selection 77 10 1 DCS Overview 77 10 2 DCS Commands 77 10 2 1 DCS Examples 78 Chapter 11 Wireless Load Balancing 79 11 1 Wireless Load Balancing Overview 79 11 2 Wireless L...

Page 11: ...d Examples 100 13 5 PPPoE PPTP Specific Commands 101 13 5 1 PPPoE PPTP Interface Command Examples 102 13 6 USB Storage Specific Commands 102 13 6 1 USB Storage General Commands Example 103 13 7 VLAN Interface Specific Commands 103 13 7 1 VLAN Interface Command Examples 104 13 8 Bridge Specific Commands 104 13 8 1 Bridge Interface Command Examples 105 Chapter 14 Trunks 106 14 1 Trunks Overview 106 ...

Page 12: ... 123 17 2 5 Learned Routing Information Commands 124 17 2 6 show ip route Command Example 124 Chapter 18 Zones 125 18 1 Zones Overview 125 18 2 Zone Commands Summary 126 18 2 1 Zone Command Examples 127 Chapter 19 DDNS 128 19 1 DDNS Overview 128 19 2 DDNS Commands Summary 129 19 3 DDNS Commands Example 130 Chapter 20 Virtual Servers 131 20 1 Virtual Server Overview 131 20 1 1 1 1 NAT and Many 1 1 ...

Page 13: ...2 23 1 1 SMTP 142 23 2 SMTP Redirect Commands 142 23 2 1 smtp redirect Sub commands 143 23 2 2 SMTP Redirect Command Examples 144 Chapter 24 ALG 145 24 1 ALG Introduction 145 24 2 ALG Commands 146 24 3 ALG Commands Example 147 Chapter 25 UPnP 148 25 1 UPnP and NAT PMP Overview 148 25 2 UPnP and NAT PMP Commands 148 25 3 UPnP NAT PMP Commands Example 149 Chapter 26 IP MAC Binding 151 26 1 IP MAC Bi...

Page 14: ...l Sub commands 162 29 2 5 web auth type profile Sub commands 163 29 2 6 web auth user agreement Sub commands 164 29 2 7 Web Authentication Policy Insert Command Example 165 Chapter 30 Walled Garden 166 30 1 Walled Garden Overview 166 30 2 Walled Garden Commands 166 30 2 1 walled garden rule Sub commands 167 30 2 2 Walled Garden Command Example 167 Chapter 31 Advertisement 168 31 1 Advertisement Ov...

Page 15: ...ypal Sub commands 183 35 2 2 Payment Service Command Example 183 Chapter 36 Printer Manager 184 36 1 Printer Manager Overview 184 36 2 Printer manager Commands 184 36 2 1 Printer manager Printer Sub commands 185 36 2 2 Printer manager Command Example 185 Chapter 37 Free Time 186 37 1 Free Time Overview 186 37 2 Free Time Commands 186 37 3 Free Time Commands Example 187 Chapter 38 SMS 188 38 1 SMS ...

Page 16: ... VPN Commands 205 41 2 1 SSL VPN Commands 206 41 2 2 Setting an SSL VPN Rule Tutorial 207 Chapter 42 Application Patrol 210 42 1 Application Patrol Overview 210 42 2 Application Patrol Commands Summary 210 42 2 1 Application Patrol Commands 211 Chapter 43 Content Filtering 213 43 1 Content Filtering Overview 213 43 2 Content Filtering Policies 213 43 3 External Web Filtering Service 213 43 4 Conte...

Page 17: ...6 Addresses 235 46 1 Address Overview 235 46 2 Address Commands Summary 235 46 2 1 Address Object Commands 236 46 2 2 Address Group Commands 236 Chapter 47 Services 238 47 1 Services Overview 238 47 2 Services Commands Summary 238 47 2 1 Service Object Commands 238 47 2 2 Service Group Commands 239 Chapter 48 Schedules 241 48 1 Schedule Overview 241 48 2 Schedule Commands Summary 241 48 2 1 Schedu...

Page 18: ...ificate Commands 253 51 3 Certificates Commands Input Values 253 51 4 Certificates Commands Summary 254 51 5 Certificates Commands Examples 257 Chapter 52 ISP Accounts 258 52 1 ISP Accounts Overview 258 52 1 1 PPPoE and PPTP Account Commands 258 Chapter 53 SSL Application 260 53 1 SSL Application Overview 260 53 1 1 SSL Application Object Commands 260 53 1 2 SSL Application Command Examples 261 Ch...

Page 19: ... 56 7 2 Authentication Server Command Examples 279 56 8 ZON Overview 279 56 8 1 LLDP 279 56 8 2 ZON Commands 280 56 8 3 ZON Examples 280 Chapter 57 System Remote Management 281 57 1 Remote Management Overview 281 57 1 1 Remote Management Limitations 281 57 1 2 System Timeout 281 57 2 Common System Command Input Values 282 57 3 HTTP HTTPS Commands 282 57 3 1 HTTP HTTPS Command Examples 284 57 4 SSH...

Page 20: ...8 6 FTP File Transfer 296 58 6 1 Command Line FTP File Upload 296 58 6 2 Command Line FTP Configuration File Upload Example 297 58 6 3 Command Line FTP File Download 297 58 6 4 Command Line FTP Configuration File Download Example 298 58 7 UAG File Usage at Startup 298 58 8 Notification of a Damaged Recovery Image or Firmware 299 58 9 Restoring the Recovery Image 300 58 10 Restoring the Firmware 30...

Page 21: ...cket Flow Explore 317 63 1 Packet Flow Explore 317 63 2 Packet Flow Explore Commands 317 63 3 Packet Flow Explore Commands Example 318 Chapter 64 Maintenance Tools 321 64 1 Maintenance Command Examples 323 64 1 1 Packet Capture Command Example 324 Chapter 65 Watchdog Timer 326 65 1 Hardware Watchdog Timer 326 65 2 Software Watchdog Timer 326 65 3 Application Watchdog 327 65 3 1 Application Watchdo...

Page 22: ...22 PART I Introduction ...

Page 23: ...23 ...

Page 24: ...e configuration file on the UAG However only one configuration file is used at a time You can perform the following with a configuration file Back up UAG configuration once the UAG is set up to work in your network Restore UAG configuration Save and edit a configuration file and upload it to multiple UAGs of the same model in your network to have the same settings Note You may also edit a configur...

Page 25: ...wer on Display After the initialization the login screen displays Figure 2 Login Screen Enter the user name and password at the prompts Note The default login username is admin and password is 1234 The username and password are case sensitive 1 2 2 Web Configurator Console Note Before you can access the CLI through the web configurator make sure your computer supports the Java Runtime Environment ...

Page 26: ...f the Java plug in is already installed skip to step 4 Otherwise you will be prompted to install the Java plug in If the prompt does not display and the screen remains gray you have to download the setup program 4 The web console starts This might take a few seconds One or more security screens may display Click Yes or Always Figure 3 Web Console Security Warnings Finally the User Name screen appe...

Page 27: ...le Password 6 Enter the password for the user name you specified earlier and click OK If you enter the password incorrectly you get an error message and you may have to close the console window and open it again If you enter the password correctly the console screen appears Figure 7 Web Console 7 To use most commands in this User s Guide enter configure terminal The prompt should change to Router ...

Page 28: ...ram for information on using it Note The default login username is admin and password is 1234 The username and password are case sensitive Figure 8 SSH Login Example 1 3 How to Find Commands in this Guide You can simply look for the feature chapter to find commands In addition you can use the List of Commands Alphabetical at the end of the guide This section lists the commands in alphabetical orde...

Page 29: ...4 Command Examples Optional This section contains any examples for the commands in this feature 1 4 5 Command Syntax The following conventions are used in this guide A command or keyword in courier new must be entered literally as shown Do not abbreviate Values that you need to provide are in italics Required fields that have multiple choices are enclosed in curly brackets A range of numbers is en...

Page 30: ...URATION SUB COMMAND What Guest users can do Unable to access Unable to access Unable to access Unable to access What User users can do Look at but not run available commands Unable to access Unable to access Unable to access What Limited Admin users can do Look at system information like Status screen Run basic diagnostics Look at system information like Status screen Run basic diagnostics Unable ...

Page 31: ...ple 2 1 6 2 List of Sub commands or Required User Input To view detailed help information for a command enter command sub command Figure 11 Help Sub command Information Example Figure 12 Help Required User Input Example Router cr apply atse clear configure Snip shutdown telnet test traceroute write Router Router show aaa access page account ad server address object Snip web auth workspace zone Rou...

Page 32: ...ur keyboard to enter a without the UAG treating it as a help query 1 6 5 Command History The UAG keeps a list of commands you have entered for the current CLI session You can use any commands in the history again by pressing the up or down arrow key to scroll through the previously used commands and press ENTER 1 6 6 Navigation Press CTRL A to move the cursor to the beginning of the line Press CTR...

Page 33: ...es alphanumeric or _ Used in MD5 authentication keys for RIP OSPF and text authentication key for RIP 0 16 alphanumeric or _ Used in text authentication keys for OSPF 0 8 alphanumeric or _ certificate name 1 31 alphanumeric or _ community string 0 63 alphanumeric or first character alphanumeric or connection_id 1 alphanumeric or _ contact 1 61 alphanumeric spaces or _ country code 0 or 2 alphanume...

Page 34: ... add conf at the end import shell script 1 26 zysh alphanumeric or _ add zysh at the end initial string 1 64 alphanumeric spaces or _ isp account password 0 63 alphanumeric or _ isp account username 0 30 alphanumeric or _ key length 512 768 1024 1536 2048 license key 25 S 6 upper case letters or numbers 16 upper case letters or numbers mac address aa bb cc dd ee ff hexadecimal mail server fqdn low...

Page 35: ...g less than 15 chars 1 15 alphanumeric or _ string less than 63 chars 1 63 alphanumeric or _ string 1 alphanumeric or _ subject 1 61 alphanumeric spaces or _ system type 0 2 hexadecimal timezone hh 12 through 12 with or without url 1 511 alphanumeric or _ url Used in content filtering redirect http https alphanumeric or _ starts with http or https may contain one pound sign Used in other content f...

Page 36: ...og out after each management session All unsaved changes will be lost after the system restarts 1 10 Logging Out Enter the exit or end command in configure mode to go to privilege mode Enter the exit command in user mode or privilege mode to log out of the CLI week day sequence i e 1 first 2 second 1 1 4 xauth method 1 31 alphanumeric or _ xauth password 1 31 alphanumeric or _ mac address 0 12 eve...

Page 37: ...mmands and send the results if you need assistance troubleshooting your device For admin logins all commands are visible in user mode but not all can be run there The following table displays which commands can be run in user mode All commands can be run in privilege mode The htm and psm commands are for ZyXEL s internal manufacturing process Table 4 User U and Privilege P Mode Commands COMMAND MO...

Page 38: ...ct support module mode for setting product parameters You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting Note These commands are for ZyXEL s internal manufacturing process reboot P Restarts the device release P Releases DHCP information from an interface rename P Renames a configuration file renew P Renews DHCP information for an interface run...

Page 39: ...xel server MyZyXEL com debug commands debug myzyxel2 show MyZyXEL com debug commands debug myzyxel2 show sms shm MyZyXEL com debug command for SMS debug network arpignore Enable Display the ignoring of ARP responses for interfaces which don t own the IP address cat proc sys net ipv4 conf arp_ignore debug no myzyxel server Set the myZyXEL com registration update server to the official site debug pa...

Page 40: ...yinetpkt zysh ipt op ZLD internal debug commands debug update server Update server debug command debug vpn 1 1 map VPN 1 1 mapping debug commands debug web auth Web authentication debug commands debug remoteWTP remoteWTP cmd Controller debug commands Table 5 Debug Commands continued COMMAND SYNTAX DESCRIPTION LINUX COMMAND EQUIVALENT ...

Page 41: ...41 PART II Reference ...

Page 42: ...42 ...

Page 43: ...ays which configuration settings reference the specified interface or virtual interface object show reference object aaa authentication default auth_method Displays which configuration settings reference the specified AAA authentication object show reference object ca category local remote cert_name Displays which configuration settings reference the specified authentication method object show ref...

Page 44: ...tion settings reference the specified service group object show reference object group interface object_name Displays which configuration settings reference the specified trunk object show reference object group aaa ad group_name Displays which configuration settings reference the specified AAA AD group object show reference object group aaa ldap group_name Displays which configuration settings re...

Page 45: ...h LED on the UAG show mac Displays the UAG s MAC address show mem status Displays what percentage of the UAG s memory is currently being used show ram size Displays the size of the UAG s on board RAM show redundant power status Displays the status of the UAG s power modules The UAG has two power modules It can continue operating on a single power module if one fails show serial number Displays the...

Page 46: ...EN 2 tcp 127 0 0 1 2602 0 0 0 0 0 LISTEN 3 tcp 127 0 0 1 2604 0 0 0 0 0 LISTEN 4 tcp 127 0 0 1 10444 0 0 0 0 0 LISTEN 5 tcp 0 0 0 0 80 0 0 0 0 0 LISTEN 6 tcp 192 168 3 1 53 0 0 0 0 0 LISTEN 7 tcp 10 113 243 21 53 0 0 0 0 0 LISTEN 8 tcp 127 0 0 1 53 0 0 0 0 0 LISTEN 9 tcp 0 0 0 0 21 0 0 0 0 0 LISTEN 10 tcp 0 0 0 0 22 0 0 0 0 0 LISTEN 11 tcp 127 0 0 1 953 0 0 0 0 0 LISTEN 12 tcp 0 0 0 0 443 0 0 0 0 ...

Page 47: ...build information This example shows the current LED states on the UAG The SYS LED lights on and green Router show system uptime system uptime 04 18 00 Router show version ZyXEL Communications Corp model UAG715 firmware version V2 50 AACG 0 BM version 1 22 build date 2012 07 20 13 34 43 Router Router show led status sys green Router ...

Page 48: ...activate a service on a UAG that supports firmware version 2 50 you need to access myZyXEL com via that UAG For a UAG that supports firmware version 4 00 or later go to http portal myZyXEL com with the UAG s serial number and LAN MAC address to register it and activate a service Refer to the web site s on line help for details 5 2 Subscription Services Available on the UAG At the time of writing T...

Page 49: ... Table 9 Command Summary Registration COMMAND DESCRIPTION device register checkuser user_name Checks if the user name exists in the myZyXEL com database device register username user_name password password e mail user domainname country code country_code reseller name name reseller mail email address reseller phone phone number vat vat number Registers the device with an existing account or create...

Page 50: ...d 123456 Router config service register service type trial service content filter Router configure terminal Router config show device register status username example password 123456 device register status yes expiration self check no Router configure terminal Router config show service register status all Service Status Type Count Expiration Content Filter Licensed Trial N A 16 Table 10 Command S...

Page 51: ...stan 002 Albania 003 Algeria 004 American Samoa 005 Andorra 006 Angola 007 Anguilla 008 Antarctica 009 Antigua Barbuda 010 Argentina 011 Armenia 012 Aruba 013 Ascension Island 014 Australia 015 Austria 016 Azerbaijan 017 Bahamas 018 Bahrain 019 Bangladesh 020 Barbados 021 Belarus 022 Belgium 023 Belize 024 Benin 025 Bermuda 026 Bhutan 027 Bolivia 028 Bosnia and Herzegovina 029 Botswana 030 Bouvet ...

Page 52: ...84 Gibraltar 085 Great Britain 086 Greece 087 Greenland 088 Grenada 089 Guadeloupe 090 Guam 091 Guatemala 092 Guernsey 093 Guinea 094 Guinea Bissau 095 Guyana 096 Haiti 097 Heard and McDonald Islands 098 Holy See City Vatican State 099 Honduras 100 Hong Kong 101 Hungary 102 Iceland 103 India 104 Indonesia 105 Ireland 106 Isle of Man 107 Italy 108 Jamaica 109 Japan 110 Jersey 111 Jordan 112 Kazakhs...

Page 53: ... Peru 169 Philippines 170 Pitcairn Island 171 Poland 172 Portugal 173 Puerto Rico 174 Qatar 175 Reunion Island 176 Romania 177 Russian Federation 178 Rwanda 179 Saint Kitts and Nevis 180 Saint Lucia 181 Saint Vincent and the Grenadines 182 San Marino 183 Sao Tome and Principe 184 Saudi Arabia 185 Senegal 186 Seychelles 187 Sierra Leone 188 Singapore 189 Slovak Republic 190 Slovenia 191 Solomon Isl...

Page 54: ...nda 219 Ukraine 220 United Arab Emirates 221 United Kingdom 222 United States 223 Uruguay 224 Uzbekistan 225 Vanuatu 226 Venezuela 227 Vietnam 228 Virgin Islands British 229 Virgin Islands USA 230 Wallis And Futuna Islands 231 Western Sahara 232 Western Samoa 233 Yemen 234 Yugoslavia 235 Zambia 236 Zimbabwe Table 11 Country Codes continued COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME ...

Page 55: ...s are discussed with the corresponding commands Table 12 Input Values for General AP Management Commands LABEL DESCRIPTION ap_mac The Ethernet MAC address of the managed AP Enter 6 hexidecimal pairs separated by colons You can use 0 9 a z and A Z ap_model The model name of the managed AP such as NWA5160N NWA5560 N NWA5550 N NWA5121 NI or NWA5123 NI slot_name The slot name for the AP s on board wir...

Page 56: ... the connections of all associated stations capwap ap ap_mac Enters the sub command mode for the specified AP slot_name ap profile profile_name Sets the radio slot_name to AP mode and assigns a created profile to the radio no slot_name ap profile Removes the AP mode profile assignment for the specified radio slot_name slot_name monitor profile profile_name Sets the specified radio slot_name to mon...

Page 57: ...wap ap wait list Displays a list of connected but as of yet unmanaged APs This is known as the wait list show capwap ap ap_mac slot_name detail Displays details for the specified radio slot_name on the specified AP ap_mac show capwap ap all ap_mac Displays the management list all or whether the specified AP is on the management list ap_mac show capwap ap all ap_mac config status Displays whether o...

Page 58: ...exit Router config show capwap ap all index 1 Status RUN IP 192 168 1 37 MAC 40 4A 03 05 82 1E Description AP 404A0305821E Model NWA5160N R1 mode AP R1Prof default R2 mode AP R2Prof n a Station 0 RadioNum 2 Mgnt VLAN ID 1 Tag no WTP VLAN ID 1 WTP Tag no Force VLAN disable Firmware Version 2 25 AAS 0 b2 Recent On line Time 08 43 04 2013 05 24 Last Off line Time N A Router config show capwap ap 40 4...

Page 59: ...eral Radio Profile Commands LABEL DESCRIPTION radio_profile_name The radio profile name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive wlan_role Sets the wireless LAN radio operating mode At the time of writing you can use ap for Access Point wireless_channel_2g Sets the 2 GHz channel used by this radio profi...

Page 60: ...ays all profiles for the selected operating mode radio_profile_name Displays the specified profile for the selected operating mode wlan radio profile rename radio_profile_name1 radio_profile_name2 Gives an existing radio profile radio_profile_name1 a new name radio_profile_name2 no wlan radio profile radio_profile_name Enters configuration mode for the specified radio profile Use the no parameter ...

Page 61: ...Traffic Indication Message DTIM is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode A high DTIM value can cause clients to lose connectivity with the network This value can be set from 1 to 255 The default is 1 beacon interval 40 1000 Sets the beacon interval for this profile When a wirelessly networked device sends a...

Page 62: ... active or inactive Use the no parameter to disable it ch width wlan_htcw Sets the channel width for this profile guard interval wlan_htgi Sets the guard interval for this profile The default for this is short 2g basic speed wlan_2g_basic_speed Sets the 2 4 GHz basic band rates The default is 1 0 2 0 5 5 11 0 2g channel wireless_channel_2g Sets the broadcast band for this profile in the 2 4 GHz fr...

Page 63: ...fault is 6 0 54 0 no htprotection Activates HT protection for this profile Use the no parameter to disable it By default this is disabled output power wlan_power Sets the output power for the radio in this profile The default is 100 no ssid profile wlan_interface_index ssid_profile Assigns an SSID profile to this radio profile Requires an existing SSID profile Use the no parameter to disable it sc...

Page 64: ...ig profile radio subframe ampdu 64 Router config profile radio amsdu Router config profile radio limit amsdu 4096 Router config profile radio block ack Router config profile radio guard interval short Router config profile radio tx mask 5 Router config profile radio rx mask 7 Router config profile radio output power 100 Router config profile radio ssid profile 1 default Table 16 Input Values for M...

Page 65: ...channel exit Exits configuration mode for this profile Table 17 Command Summary Monitor Profile continued COMMAND DESCRIPTION Table 18 Input Values for General SSID Profile Commands LABEL DESCRIPTION ssid_profile_name The SSID profile name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive ssid The SSID broadcast...

Page 66: ...specified SSID profile Use the no parameter to remove the specified profile bandselect check sta interval 1 60000 Sets how often in seconds the AP checks and deletes old wireless client data bandselect drop authentication 1 16 Sets how many authentication request from a client to a 2 4GHz Wi Fi network is ignored during the specified timeout period bandselect drop probe request 1 32 Sets how many ...

Page 67: ...fied security profile to this SSID profile ssid Sets the SSID This is the name visible on the network to wireless clients Enter up to 32 characters spaces and underscores are allowed The default SSID is ZyXEL uplink rate limit data_rate Sets the maximum outgoing transmission data rate either in mbps or kbps on a per station basis vlan id 1 4094 Applies to each SSID profile that uses localbridge If...

Page 68: ...ofile all security_profile_name Displays the security profile s all Displays all profiles for the selected operating mode security_profile_name Displays the specified profile for the selected operating mode wlan security profile rename security_profile_name1 security_profile_name2 Gives existing security profile security_profile_name1 a new name security_profile_name2 no wlan security profile secu...

Page 69: ...0 30000 Sets the interval in seconds between authentication requests The default is 0 idle 30 30000 Sets the idle interval in seconds that a client can be idle before authentication is discontinued The default is 300 group key 30 30000 Sets the interval in seconds at which the AP updates the group WPA WPA2 encryption key The default is 1800 no dot1x eap Enables 802 1x secure authentication Use the...

Page 70: ...security profile s all Displays all profiles for the selected operating mode macfilter_profile_name Displays the specified profile for the selected operating mode wlan macfilter profile rename macfilter_profile_name1 macfilter_profile_name2 Gives an existing security profile macfilter_profile_name1 a new name macfilter_profile_name2 no wlan macfilter profile macfilter_profile_name Enters configura...

Page 71: ... from neighboring companies for example or even APs maintained by your company s employees that operate outside of the established network 8 2 Rogue AP Detection Commands The following table identifies the values required for many of these commands Other input values are discussed with the corresponding commands The following table describes the commands available for rogue AP detection You must u...

Page 72: ...pecified MAC address from the friendly AP list monitoring flush Removes all detected APs from the rogue AP list exit Exits configuration mode for rogue AP detection show rogue ap detection monitoring Displays a table of detected APs and information about them such as their MAC addresses when they were last seen and their SSIDs to name a few show rogue ap detection list rogue friendly all Displays ...

Page 73: ... every AP on the network will respect it Note Containing a rogue AP means broadcasting unviable login data at it preventing legitimate wireless clients from connecting to it This is a kind of Denial of Service attack Router config show rogue ap detection list friendly no mac description 1 11 11 11 11 11 11 third floor 2 00 13 49 11 22 33 3 00 13 49 00 00 05 4 00 13 49 00 00 01 5 00 0D 0B CB 39 33 ...

Page 74: ...XX XX XX format of the AP to be contained The no command removes the entry Table 27 Command Summary Rogue AP Containment COMMAND DESCRIPTION rogue ap containment Enters sub command mode for rogue AP containment no activate Activates rogue AP containment Use the no parameter to deactivate rogue AP containment no contain ap_mac Isolates the device associated with the specified MAC address Use the no...

Page 75: ...s which allows a network administrator to capture wireless traffic information and download it to an Ethereal Tcpdump compatible format packet file for analysis 9 2 Wireless Frame Capture Commands The following table identifies the values required for many of these commands Other input values are discussed with the corresponding commands Table 28 Input Values for Wireless Frame Capture Commands LA...

Page 76: ...faces You can use this command multiple times to add additional IPs to the list file prefix file_name Sets the file name prefix for each captured file Enter up to 31 alphanumeric characters Spaces and underscores are not allowed files size mon_dir_size Sets the total combined size in kbytes of all files to be captured exit Exits configuration mode for wireless frame capture no frame capture activa...

Page 77: ...using or at least a channel that has a lower level of interference in order to give the connected stations a minimum degree of channel interference 10 2 DCS Commands The following table identifies the values required for many of these commands Other input values are discussed with the corresponding commands The following table describes the commands available for dynamic channel selection You must...

Page 78: ...AP uses in the 2 4 GHz band dcs dcs 5g method auto manual Sets the AP to automatically search for available channels or manually configures the channels the AP uses in the 5 GHz band dcs dfs aware enable disable Enables this to allow an AP to avoid phase DFS channels below the 5 GHz spectrum dcs invoke Sets the managed APs to scan for and select an available channel immediately dcs sensitivity lev...

Page 79: ...e for wireless load balancing You must use the configure terminal command to enter the configuration mode before you can use these commands Table 32 Command Summary Load Balancing COMMAND DESCRIPTION no load balancing activate Enables load balancing Use the no parameter to disable it no load balancing kickout Enables an overloaded AP to disconnect kick idle clients or clients with noticeably weak ...

Page 80: ...alancing max sta 1 127 If load balancing by the number of stations wireless clients this sets the maximum number of devices allowed to connect to a load balanced AP load balancing sigma 51 100 Sets the load balancing sigma value This value is algorithm parameter used to calculate whether an AP is considered overloaded balanced or underloaded It only applies to by traffic mode Note This parameter h...

Page 81: ...set to low and disassociate station is enabled Router config load balancing mode traffic Router config load balancing traffic level low Router config load balancing kickout Router config show load balancing config load balancing config Activate yes Kickout yes Mode traffic Max sta 1 Traffic level low Alpha 5 Beta 10 Sigma 60 Timeout 20 LIInterval 10 KickoutInterval 20 ...

Page 82: ...ND DESCRIPTION no auto healing activate Turns on the auto healing feature Use the no parameter to turn it off auto healing healing interval interval Sets the interval that specifies how often the managed APs scan their neighborhoods and report the status of neighbor APs to the AP controller UAG An AP is considered failed if the AP controller obtains the same scan result that the AP is missing from...

Page 83: ...tend their wireless service coverage areas auto healing update Sets all manged APs to immediately scan their neighborhoods three times in a row and update their neighbor lists to the AP controller UAG show auto healing config Displays the current auto healing configuration Table 34 Command Summary Auto Healing continued COMMAND DESCRIPTION Router config auto healing activate Router config auto hea...

Page 84: ...the layer 2 data link MAC address level Ethernet interfaces are the foundation for defining other interfaces and network policies RIP and OSPF are also configured in these interfaces VLAN interfaces receive and send tagged frames The UAG automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Bridge interfaces create a software connection betwe...

Page 85: ...to set up a virtual interface 13 1 2 Relationships Between Interfaces In the UAG interfaces are usually created on top of other interfaces Only Ethernet interfaces are created directly on top of the physical ports or port groups The relationships between interfaces are explained in the following table Table 35 Ethernet VLAN Bridge PPP and Virtual Interface Characteristics CHARACTERISTICS ETHERNET ...

Page 86: ...Interfaces continued INTERFACE REQUIRED PORT INTERFACE Table 37 Input Values for General Interface Commands LABEL DESCRIPTION interface_name The name of the interface Ethernet interface The UAG715 and UAG5100 uses a name such as wan1 wan2 lan1 lan2 or dmz virtual interface on top of Ethernet interface add a colon and the number of the virtual interface For example lan1 y y 1 4 VLAN interface vlanx...

Page 87: ...HCP server gives the specified interface its IP address subnet mask and gateway The no command makes the IP address static IP address for the specified interface See the next command to set this IP address no ip address ip subnet_mask Assigns the specified IP address and subnet mask to the specified interface The no command clears the IP address and the subnet mask no ip gateway ip Adds the specif...

Page 88: ... syslog server and Vantage Report server show interface name Displays all PPP and Ethernet interface system name and user defined name mappings interface name ppp_interface ethernet_interface user_defined_name Specifies a name for a PPP or an Ethernet interface It can use alphanumeric characters hyphens and underscores and it can be up to 11 characters long ppp_interface ethernet_interface This mu...

Page 89: ...ows how to change the user defined name from Partner to Customer using the interface name command Router show interface name No System Name User Defined Name 1 ge1 wan1 2 ge2 wan2 3 ge3 lan1 4 ge4 lan2 5 ge5 dmz Router configure terminal Router config interface name ge4 VIP Router config show interface name No System Name User Defined Name 1 ge1 wan1 2 ge2 wan2 3 ge3 lan1 4 ge4 VIP 5 ge5 dmz Route...

Page 90: ...DHCP extended option settings show ip dhcp pool profile_name Shows information about the specified DHCP pool or about all DHCP pools show ip dhcp pool profile_name dhcp options Shows the specified DHCP pool s DHCP extended option settings ip dhcp pool rename profile_name profile_name Renames the specified DHCP pool from the first profile_name to the second profile_name no ip dhcp pool profile_name...

Page 91: ... hex vivc enterprise_id hex_s enterprise_id hex_s vivs enterprise_id hex_s enterprise_id hex_s Adds or edits a DHCP extended option for the specified DHCP pool text String of up to 250 characters hex String of up to 250 hexadecimal pairs vivc Vendor Identifying Vendor Class option A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the cli...

Page 92: ...mmand removes the setting no second wins server ip Specifies the second WINS server IP address to assign to the remote users The no command removes the setting no lease 0 365 0 23 0 59 infinite Sets the lease time to the specified number of days hours and minutes or makes the lease time infinite The no command resets the first DNS server setting to its default value interface interface_name Enters...

Page 93: ...p dhcp pool second dns server ge1 1st dns Router config ip dhcp pool third dns server 10 1 5 2 Router config ip dhcp pool default router 192 168 1 1 Router config ip dhcp pool lease 0 1 30 Router config ip dhcp pool starting address 192 168 1 10 pool size 30 Router config ip dhcp pool hardware address 00 0F 20 74 B8 18 Router config ip dhcp pool client identifier 00 0F 20 74 B8 18 Router config ip...

Page 94: ... ping check remote address shutdown traffic prioritize upstream VLAN BRIDGE Router config interface vlan1 Router config if vlan description downstream exit ip mss mtu no ping check port shutdown traffic prioritize type upstream vlan id Router config interface br0 Router config if brg description downstream exit ip join mss mtu no ping check shutdown traffic prioritize type upstream Table 41 interf...

Page 95: ... the priority to 1 no ip ospf cost 1 65535 Sets the cost to route packets through the specified interface The no command sets the cost to 10 no ip ospf authentication Disables authentication for OSPF in the specified interface ip ospf authentication Enables text authentication for OSPF in the specified interface ip ospf authentication message digest Enables MD5 authentication for OSPF in the speci...

Page 96: ...n The no command sets the number of seconds to 40 See ip ospf hello interval for more information no ip ospf retransmit interval 1 65535 Sets the number of seconds the UAG waits for an acknowledgment in response to a link state advertisement before it re sends the advertisement Link state advertisements LSA are used to share the link state and routing information between routers Table 42 interface...

Page 97: ...about connectivity check interface interface_name Enters sub command mode no ping check activate Enables ping check for the specified interface The no command disables ping check for the specified interface ping check domain_name ip default gateway Specifies what the UAG pings for the ping check you can specify a fully qualified domain name IP address or the default gateway for the interface ping ...

Page 98: ... the MAC address of an interface Router configure terminal Router config interface wan1 Router config if wan1 ping check 1 1 1 2 method tcp port 8080 Router config if wan1 exit Router config show ping check Interface wan1 Check Method tcp IP Address 1 1 1 2 Period 30 Timeout 5 Fail Tolerance 5 Activate yes Port 8080 Router config Table 44 Input Values for Ethernet Interface Commands LABEL DESCRIPT...

Page 99: ... mac Has the interface use a MAC address that you specify Table 45 interface Commands MAC Setting continued COMMAND DESCRIPTION Table 46 Basic Interface Setting Commands COMMAND DESCRIPTION show port grouping Displays which physical ports are assigned to each representative interface port grouping interface_name port 1 x Adds the specified physical port to the specified representative interface 1 ...

Page 100: ...1 with the following parameters IP 1 2 3 4 subnet 255 255 255 0 Router configure terminal Router config show port grouping No Representative Name Port1 Port2 Port3 Port4 Port5 1 wan1 yes no no no no 2 wan2 no yes no no no 3 lan1 no no yes no no 4 lan2 no no no yes no 5 dmz no no no no yes Router config port grouping lan1 Router config port grouping port 5 Router config port grouping exit Router co...

Page 101: ...ters underscores _ or dashes but the first character cannot be a number This value is case sensitive Table 48 interface Commands PPPoE PPTP Interfaces COMMAND DESCRIPTION interface dial interface_name Connects the specified PPPoE PPTP interface interface disconnect interface_name Disconnects the specified PPPoE PPTP interface interface interface_name Creates the specified interface if necessary an...

Page 102: ...um Transmission Unit in bytes show interface ppp system default Displays system default PPP interfaces non deletable that come with the UAG show interface ppp user define Displays all PPP interfaces that were manually configured on the UAG Table 48 interface Commands PPPoE PPTP Interfaces continued COMMAND DESCRIPTION Router configure terminal Router config interface ppp0 Router config if ppp acco...

Page 103: ... USB storage device logging usb storage flushThreshold 1 100 Configures the maximum storage space in percentage for storing system logs on the connected USB storage device no diag info copy usb storage Sets to have the UAG save or stop saving the current system diagnostics information to the connected USB storage device You may need to send this file to customer support for troubleshooting show di...

Page 104: ...Commands LABEL DESCRIPTION interface_name VLAN interface vlanx x 0 4094 See Table 37 on page 86 for detailed information about the interface name Table 51 interface Commands VLAN Interfaces COMMAND DESCRIPTION interface interface_name Creates the specified interface if necessary and enters sub command mode no port interface_name Specifies the Ethernet interface on which the VLAN interface runs The...

Page 105: ...on the number of bridge interfaces your UAG model supports See Table 37 on page 86 for detailed information about the interface name Table 53 interface Commands Bridge Interfaces COMMAND DESCRIPTION interface interface_name Creates the specified interface if necessary and enters sub command mode no join interface_name Adds the specified Ethernet interface or VLAN interface to the specified bridge ...

Page 106: ...licy routing You can also define multiple trunks for the same physical interfaces This allows you to send specific traffic types through the interface that works best for that type of traffic and if that interface s connection goes down the UAG can still send its traffic through another interface 14 2 Trunk Scenario Examples Suppose one of the UAG s interfaces is connected to an ISP that is also y...

Page 107: ...a trunk name and enters the trunk sub command mode where you can configure the trunk The no command removes the trunk algorithm wrr llf spill over Sets the trunk s load balancing algorithm exit Leaves the trunk sub command mode flush Deletes a trunk s interface settings interface num append insert num interface name weight 1 10 limit 1 2097152 passive This subcommand adds an interface to a trunk S...

Page 108: ... default for traffic going to or from the WAN interfaces show system default interface group Displays the WAN trunk the UAG first attempts to use Table 55 interface group Commands Summary continued COMMAND DESCRIPTION Router configure terminal Router config interface group wrr example Router if group mode trunk Router if group algorithm wrr Router if group interface 1 wan1 weight 2 Router if group...

Page 109: ...w that the desired file is actually on file server C At the same time register server B informs file server C that a computer located at the WAN1 s IP address will download a file 3 The UAG is using active active load balancing So when LAN user A tries to retrieve the file from file server C the request goes out through WAN2 4 File server C finds that the request comes from WAN2 s IP address inste...

Page 110: ...ands Summary COMMAND DESCRIPTION no ip load balancing link sticking activate Turns link sticking on or off no ip load balancing link sticking timeout timeout Sets for how many seconds 30 3600 the UAG sends all of each local computer s traffic through one WAN interface show ip load balancing link sticking status Displays the current link sticking settings Router config ip load balancing link sticki...

Page 111: ...face can connect to the original ISP The drop in LAN interface is connected to the existing NAT router or firewall if any in your network A second WAN interface which is not in drop in mode is connected to another ISP You can use trunks for WAN traffic load balancing to increase overall network throughput and reliability Note The WAN interface ge1 for example in drop in mode must use a static IP a...

Page 112: ...l command to enter the configuration mode before you can use these commands Table 57 Input Values for General Drop In Commands LABEL DESCRIPTION interface_name The name of the Ethernet interface This depends on the UAG model See Table 57 on page 112 for detailed information about the interface name Table 58 IP Drop In Commands COMMAND DESCRIPTION no ip drop in activate Disables the drop in mode on...

Page 113: ... mode and show the settings Router configure terminal Router config ip drop in Router drop in wan host 10 1 2 3 Router drop in wan interface wan1 lan interface lan1 Router drop in activate Router drop in exit Router config show ip drop in status active yes wan_interface wan1 lan_interface lan1 Router config show ip drop in wan host Index WanHost 1 10 1 2 3 Router config ...

Page 114: ...ION address_object The name of the IP address group object You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive interface_name The name of the interface See Table 37 on page 86 for detailed information about the interface name policy_number The number of a policy route 1 X where X is the highest number of policy ro...

Page 115: ...s the maximum bandwidth and priority for the policy The no command removes bandwidth settings from the rule You can also turn maximize bandwidth usage on or off conn check IPv4 FQDN method icmp tcp period 5 600 timeout 1 10 fail tolerance 1 10 port 1 65535 Sets the domain name or IP address of the gateway to which the matched packets are routed The UAG can regularly check the connection to the gat...

Page 116: ...ress object interface interface_name trunk trunk_name tunnel tunnel_name Sets the next hop to which the matched packets are routed The no command resets next hop settings to the default auto no schedule schedule_object Sets the schedule The no command removes the schedule setting to the default none none means any time no service service_name any Sets the IP protocol The no command resets service ...

Page 117: ...the packets to a directly connected network Use the no command to disable it no policy controll virtual server rules activate Gives policy routes priority over NAT virtual server rules 1 1 SNAT Use the no command to give NAT virtual server rules priority over policy routes show bwm activation Displays whether or not the global setting for bandwidth management on the UAG is enabled show bwm usage p...

Page 118: ...AF41 34 Medium Drop Precedence AF12 12 AF22 20 AF32 28 AF42 36 High Drop Precedence AF13 14 AF23 22 AF33 30 AF43 38 Router config address object TW_SUBNET 192 168 2 0 255 255 255 0 Router config address object GW_1 192 168 2 250 Router config policy insert 1 Router policy route description example Router policy route destination any Router policy route interface ge1 Router policy route next hop ga...

Page 119: ...n use these commands See Section Table 59 on page 114 for information on input values Table 62 Command Summary Static Route COMMAND DESCRIPTION no ip route w x y z w x y z interface w x y z 0 127 Sets a static route The no command deletes a static route ip route replace w x y z w x y z interface w x y z 0 127 with w x y z w x y z interface w x y z 0 127 Changes an existing route s settings show ip...

Page 120: ...tic route with IP address 10 10 10 0 and subnet mask 255 255 255 0 and with the next hop interface wan1 Then use the show command to display the setting Router config ip route 10 10 10 0 255 255 255 0 wan1 Router config Router config show ip route settings Route Netmask Nexthop Metric 10 10 10 0 255 255 255 0 ge1 0 ...

Page 121: ...hey are discussed further in the next two sections 17 2 Routing Protocol Commands Summary The following table describes the values required for many routing protocol commands Other values are discussed with the corresponding commands The following sections list the routing protocol commands Table 63 OSPF vs RIP OSPF RIP Network Size Large Small with up to 15 routers Metric Bandwidth hop count thro...

Page 122: ...to bi directional no authentication mode md5 text Sets the authentication mode for RIP The no command sets the authentication mode to none no authentication string authkey Sets the password for text authentication The no command clears the password authentication key 1 255 key string authkey Sets the MD5 ID and password for MD5 authentication no authentication key Clears the MD5 ID and password no...

Page 123: ...about virtual links for the specified area router ospf no area IP virtual link IP Creates the specified virtual link in the specified area The no command removes the specified virtual link no area IP virtual link IP authentication Enables text authentication in the specified virtual link The no command disables authentication in the specified virtual link no area IP virtual link IP authentication ...

Page 124: ...OMMAND DESCRIPTION show ip route kernel connected static ospf rip bgp Displays learned routing and other routing information Router show ip route Flags A Activated route S Static route C directly Connected O OSPF derived R RIP derived G selected Gateway reject B Black hole L Loop IP Address Netmask Gateway IFace Metric Flags Persist 0 0 0 0 0 172 16 1 254 wan1 0 ASG 127 0 0 0 8 0 0 0 0 lo 0 ACG 17...

Page 125: ...s The UAG uses zones not interfaces in many security and policy settings such as firewall rules and remote management Zones cannot overlap Each Ethernet interface VLAN interface bridge interface PPPoE PPTP interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 16 Example Zones ...

Page 126: ...w zone default binding Displays the pre configured interface and zone mappings that come with the UAG show zone none binding Displays the interfaces tunnels and SSL VPNs that are not associated with a zone yet show zone system default Displays the pre configured default zones that you cannot delete from the UAG show zone user define Displays all customized zones no zone profile_name Creates the zo...

Page 127: ...er config zone A Router zone interface vlan123 Router zone interface vlan234 Router zone block Router zone exit Router config show zone No Name Block Member 1 LAN1 no lan1 2 LAN2 no lan2 3 WAN yes wan1 wan2 wan1_ppp wan2_ppp 4 DMZ yes dmz 5 SSL_VPN no 6 IPSec_VPN no 7 A yes vlan123 vlan234 Router config show zone A blocking intra zone traffic yes No Type Member 1 interface vlan123 2 interface vlan...

Page 128: ...be able to use Dynamic DNS services with the UAG When registration is complete the DNS service provider gives you a password or key At the time of writing the UAG supports the following DNS service providers See the listed websites for details about the DNS services offered by each Note Record your DDNS account s user name password and domain name to use to configure the UAG After you configure th...

Page 129: ...s username You can use up to 31 alphanumeric characters and the underscore _ password You can use up to 64 alphanumeric characters and the underscore _ no host hostname Sets the domain name in the specified DDNS profile The no command clears the domain name hostname You may up to 254 alphanumeric characters dashes or periods but the first character must be alphanumeric no ip select iface auto cust...

Page 130: ...e used to access the server that will host the DDSN service For example url api dynamic update php hostname home example com ip 10 1 1 1 The no command disables it no ddns server fqdn Sets the IP address of the server that will host the DDSN service For example ddns server www dnspark net The no command disables it no additional ddns options dyndns_system ip_server_name Avaialable for User custom ...

Page 131: ...e network servers that will initiate sessions to the outside clients and a range of public IP addresses use many 1 1 NAT to have the UAG translate the source IP address of each server s outgoing traffic to the same one of the public IP addresses that the outside clients use to access the server The private and public ranges must have the same number of IP addresses One many 1 1 NAT rule works like...

Page 132: ...the specified virtual server and maps the specified destination IP address protocol and destination port to the specified destination IP address and destination port The original destination IP is defined by the specified interface any the specified IP address IP or the specified address object address object NAT loopback allows local users to use a domain name to access this virtual server nat 1 ...

Page 133: ...he NAT type is either 1 1 NAT or many 1 1 NAT See Section 20 1 1 on page 131 for more information Using this command without nat 1 1 map means the NAT type is Virtual Server This makes computers on a private network behind the UAG available to a public network outside the UAG like the Internet The deactivate command disables the virtual server rule ip virtual server activate deactivate profile_nam...

Page 134: ... public IP address of 1 1 1 2 2 Configure NAT You need a NAT rule to send HTTP traffic coming to IP address 1 1 1 2 on wan1 to the HTTP server s private IP address of 192 168 3 7 Use the following settings This NAT rule is for any HTTP traffic coming in on wan1 to IP address 1 1 1 2 The NAT rule sends this traffic to the HTTP server s private IP address of 192 168 3 7 defined in the DMZ_HTTP objec...

Page 135: ...the DMZ web server Now the public can go to IP address 1 1 1 2 to access the HTTP server Router config ip virtual server To VirtualServer WWW interface wan1 original ip wan1_HTTP map to DMZ_HTTP map type port protocol tcp original port 80 mapped port 80 Router config Router config firewall insert 1 Router firewall description To VirtualServer WWW Router firewall from WAN Router firewall to DMZ Rou...

Page 136: ...IP address coming from remote servers in different VPN tunnels 21 2 VPN 1 1 Mapping Commands The following table identifies the values required for many of these commands Other input values are discussed with the corresponding commands Table 77 Input Values for vpn 1 1 map Commands LABEL DESCRIPTION interface_name The name of the interface This depends on the UAG model See Table 37 on page 86 for ...

Page 137: ...ied VPN 1 1 mapping pool profile first profile_name to the specified name second profile_name vpn 1 1 map rule append Enters the vpn 1 1 map rule sub command mode to create a new VPN 1 1 mapping rule at the end of the current list See Table 80 on page 138 for the sub commands vpn 1 1 map rule flush Clears all VPN 1 1 mapping rules vpn 1 1 map rule insert 1 16 Enters the vpn 1 1 map rule sub comman...

Page 138: ...gure an address group object at the time of writing Note It s recommended that the IP addresses of the configured address object and the WAN interface are in the same subnet so that the UAG can receive response packets from the remote node exit Leaves the sub command mode interface interface_name Sets the interface through which the UAG sends traffic from the matched users Router configure termina...

Page 139: ...associate up to four pool profiles to a VPN 1 1 mapping rule The no command removes the specified pool file no user user_name any Sets the user or user group for which you want to use this rule The no command resets the user setting to the default any any means all users Table 80 vpn 1 1 map rule Sub commands continued COMMAND DESCRIPTION Router configure terminal Router config vpn 1 1 map rule 1 ...

Page 140: ... the corresponding commands The following table describes the commands available for HTTP redirection You must use the configure terminal command to enter the configuration mode before you can use these commands Table 81 Input Values for HTTP Redirect Commands LABEL DESCRIPTION description The name to identify the rule You may use 1 31 alphanumeric characters underscores _ or dashes but the first ...

Page 141: ... the specified rule name ip http redirect flush Clears all HTTP redirect rules show ip http redirect description Displays HTTP redirect settings Table 82 Command Summary HTTP Redirect continued COMMAND DESCRIPTION Router configure terminal Router config ip http redirect example1 interface lan1 redirect to 10 10 2 3 80 Router config ip http redirect example1 interface lan1 redirect to 10 10 2 3 80 ...

Page 142: ...his is why many e mail applications require you to specify both the SMTP server and the POP or IMAP server even though they may actually be the same server 23 2 SMTP Redirect Commands The following table identifies the values required for many of these commands Other input values are discussed with the corresponding commands Table 83 Input Values for SMTP Redirect Commands LABEL DESCRIPTION interf...

Page 143: ...fied rule number See Table 85 on page 143 for the sub commands smtp redirect move 1 16 to 1 16 Moves the specified rule to the specified location and renumbers the other rules accordingly show smtp redirect 1 16 Displays settings of the specified or all SMT redirect rules show smtp redirect activation Shows whether the SMTP redirect feature is enabled or disabled on the UAG show smtp redirect begi...

Page 144: ...nal Router config smtp redirect 1 Router smtp redirect activate Router smtp redirect interface lan2 Router smtp redirect server smtp zyxel com tw Router smtp redirect source lan1_1 Router smtp redirect user admin Router smtp redirect exit Router config show smtp redirect smtp redirect rule 1 active yes user admin incoming interface lan2 source address any smtp server smtp zyxel com tw Router confi...

Page 145: ...P traffic s data stream When a device behind the UAG uses an application for which the UAG has VoIP pass through enabled the UAG translates the device s private IP address inside the data stream to a public IP address It also records session port numbers and allows the related sessions to go through the firewall so the application s traffic can come in from the WAN to the LAN The UAG only needs to...

Page 146: ... it Use transformation to have the UAG modify IP addresses and port numbers embedded in the SIP data payload You do not need to use this if you have a SIP device or server that will modify IP addresses and port numbers embedded in the SIP data payload The no command turns off the SIP ALG or removes the settings that you specify no alg h323 ftp signal port 1025 65535 signal extra port 1025 65535 tr...

Page 147: ... ALG UAG CLI Reference Guide 147 24 3 ALG Commands Example The following example turns on pass through for SIP and turns it off for H 323 Router configure terminal Router config alg sip Router config no alg h323 ...

Page 148: ...lic IP address and port number and make them known to the peer device with which it wants to communicate The client can automatically configure the NAT router to create a port mapping to allow the peer to contact it 25 2 UPnP and NAT PMP Commands The following table lists the ip upnp commands You must use the configure terminal command to enter the configuration mode before you can use these comma...

Page 149: ...the name s of the internal interface s on which the UAG supports UPnP and or NAT PMP show ip upnp port mapping Displays the UPnP and or NAT PMP port mapping rules on the UAG show ip upnp status Displays the UPnP and or NAT PMP configuration Table 87 ip upnp Commands continued COMMAND DESCRIPTION Router configure terminal Router config ip upnp Router config upnp nat pmp activate Router config upnp ...

Page 150: ...pnp External Port 1122 Protocol tcp Internal Port 1122 Internal Client 172 16 1 2 Description test1 No 1 Remote Host null Client Type upnp External Port 5566 Protocol tcp Internal Port 5566 Internal Client 172 16 1 2 Description test2 Router config no ip upnp port mapping port 5566 type tcp Router config show ip upnp port mapping No 0 Remote Host null Client Type upnp External Port 1122 Protocol t...

Page 151: ...he specified interface The no command turns IP MAC binding off for the specified interface no ip ip mac binding interface_name log Turns on the IP MAC binding logs for the specified interface The no command turns IP MAC binding logs off for the specified interface ip ip mac binding exempt name start ip end ip Adds a named IP range as being exempt from IP MAC binding no ip ip mac binding exempt nam...

Page 152: ...llowing example enables IP MAC binding on the lan1 interface and displays the interface s IP MAC binding status Router configure terminal Router config ip ip mac binding lan1 activate Router config show ip ip mac binding lan1 Name lan1 Status Enable Log No Binding Count 0 Drop Count 0 Router config ...

Page 153: ...ept the devices in the white list Note Layer 2 isolation does not check the wireless traffic In the following example layer 2 isolation is enabled on the UAG s interface Vlan1 A printer PC and AP are in the Vlan1 The IP address of network printer C is added to the white list The connected AP then cannot communicate with the PC D but can access the network printer C server B wireless client A and t...

Page 154: ... on the white list on the UAG IP addresses that are not listed in the white list are blocked from communicating with other devices in the layer 2 isolation enabled internal interface s except for broadcast packets white list append Enters the layer 2 isolation white list sub command mode to add a rule to the end of the white list See Table 90 on page 154 for the sub commands white list flush Remov...

Page 155: ... the IP address This is the IP address of device that can be accessed by the devices connected to an internal interface on which layer 2 isolation is enabled Table 90 l2 isolation white list Sub commands continued COMMAND DESCRIPTION Router configure terminal Router config l2 isolation Router l2 isolation activate Router l2 isolation interface lan2 Router l2 isolation white list 1 Router white lis...

Page 156: ...ess or a static IP address that is in the same subnet as the UAG s IP address Note You must enable NAT to use the IPnP feature 28 2 IPnP Commands The following table lists the ipnp commands You must use the configure terminal command to enter the configuration mode before you can use these commands Table 91 ipnp Commands COMMAND DESCRIPTION no ip ipnp activate Enables IPnP on the UAG The no comman...

Page 157: ...the UAG and interface lan1 It also displays the IPnP settings Router configure terminal Router config ip ipnp activate Router config ip ipnp config Router ipnp interface lan1 Router ipnp exit Router config show ip ipnp activation IPnP Status yes Router config show ip ipnp interface interface lan1 Router config ...

Page 158: ...tion required unnecessary no log log alert Sets the default authentication policy that the UAG uses on traffic that does not match any exceptional service or other authentication policy required Users need to be authenticated They must manually go to the UAG s login screen The UAG will not redirect them to the login screen unnecessary Users do not need to be authenticated no log log alert Select w...

Page 159: ...me profile_name_old profile_name_new Gives an existing authentication type profile a new name web auth user agreement Enters sub command mode to configure user agreement pages and related settings See Table 98 on page 164 for the sub commands show web auth activation Displays whether forcing user authentication is enabled or not show web auth default rule Displays settings of the default web authe...

Page 160: ... welcome page s URL when you select to use the default login page built into the UAG for example http IIS server IP Address welcome html You can use up to 255 characters 0 9a zA Z _ in quotes The no command removes the URL The Internet Information Server IIS is the web server on which the web portal files are installed no login url url Sets the login page s URL for example http IIS server IP Addre...

Page 161: ...lly go to the login screen The UAG will not redirect them to the login screen no description description Sets the description for the specified condition The no command clears the description description You can use alphanumeric and _ characters and it can be up to 60 printable ASCII characters long no destination address_object group_name Sets the destination criteria for the specified condition ...

Page 162: ...the execution order of the condition show Displays information about the specified condition Table 94 web auth policy Sub commands continued COMMAND DESCRIPTION Table 95 web auth type default user agreement Sub commands COMMAND DESCRIPTION no idle detection timeout 1 60 Sets the UAG to monitor how long each access user is logged in and idle in other words there is no traffic for this access user T...

Page 163: ...reached user agreement logon re auth time 0 1440 Sets the number of minutes the user can be logged into the UAG in one session before having to log in again no user agreement welcome url url Sets the welcome page s URL for example http IIS server IP Address logout html You can use up to 255 characters 0 9a zA Z _ in quotes The no command removes the URL and sets the UAG to use the welcome page of ...

Page 164: ... Information Server IIS is the web server on which the user agreement files are installed no idle detection timeout 1 60 Sets the UAG to monitor how long each access user is logged in and idle in other words there is no traffic for this access user The UAG automatically logs out the access user once the specified idle timeout has been reached no internal page customization Sets the UAG to use the ...

Page 165: ... required Schedule no specified Endpoint security Activate endpoint security object use EPS WinXP and EPS WinVista for the first and second checking EPS objects Router configure terminal Router config web auth policy insert 1 Router config web auth 1 activate Router config web auth 1 description EPS on LAN Router config web auth 1 source LAN1_SUBNET Router config web auth 1 destination DMZ_Servers...

Page 166: ...entry for web site that all users are allowed to access without logging in and enters sub command mode See Section Table 100 on page 167 for the sub commands walled garden rule append Creates a new walled garden URL entry at the end of the current list and enters sub command mode See Table 100 on page 167 for the sub commands walled garden rule flush Deletes all walled garden URL entries walled ga...

Page 167: ...escription description You can use up to 31 alphanumeric characters A Z a z 0 9 and underscores _ Spaces are not allowed The first character must be a letter no hidden Sets the UAG to not display the web site link in the user login screen This is helpful if a user s access to a specific web site is required to stay connected but he or she does not need to visit that web site The no command display...

Page 168: ...description url url Sets a descriptive name for the advertisement web page and enters the web site address to create a new rule The no command removes the advertisement rule description You can use up to 31 alphanumeric characters A Z a z 0 9 and underscores _ Spaces are not allowed The first character must be a letter url the URL or IP address of the web site Use http followed by up to 262 charac...

Page 169: ... Wi Fi tags A dedicated RTLS SSID is recommended Ekahau RTLS Controller in blink mode with TZSP Updater enabled Secure policies to allow RTLS traffic if the UAG Secure Policy control is enabled or the Ekahau RTLS Controller is behind a firewall For example if the Ekahau RTLS Controller is behind a firewall open ports 8550 8553 and 8569 to allow traffic the APs send to reach the Ekahau RTLS Control...

Page 170: ...disables tracking rtls ekahau ip address ip Specifies the IP address of the Ekahau RTLS Controller rtls ekahau ip port 1 65535 Specifies the server port of the Ekahau RTLS Controller show rtls ekahau config Displays RTLS configuration details show rtls ekahau cli Displays commands run on the AP The AP runs the flush command before executing other commands Router configure terminal Router config rt...

Page 171: ...on from within the LAN zone and the firewall allows the response However the firewall blocks Telnet traffic initiated from the WAN zone and destined for the LAN zone The firewall allows VPN traffic between any of the networks Figure 19 Default Firewall Action Your customized rules take precedence and override the UAG s default settings The UAG checks the schedule user name user s login name on the...

Page 172: ...one Use up to 31 characters a zA Z0 9_ The name cannot start with a number This value is case sensitive The UAG uses pre defined zone names like DMZ LAN1 LAN2 SSL VPN IPSec VPN and WAN rule_number The priority number of a firewall rule 1 X where X is the highest number of rules the UAG model supports See the UAG s User s Guide for details schedule_object The name of the schedule You may use 1 31 a...

Page 173: ...e sub commands firewall secure policy default rule action allow deny reject no log log alert Sets how the firewall handles packets that do not match any other firewall rule firewall secure policy delete rule_number Removes a firewall rule firewall secure policy flush Removes all firewall rules firewall secure policy insert rule_number Enters the firewall sub command mode to add a firewall rule bef...

Page 174: ...on the UAG s internal network from being forwarded to the WAN network according to a 1 1 NAT or Many 1 1 NAT rule The no command forwards the matched packets no description description Sets a descriptive name up to 60 printable ASCII characters for a firewall rule The no command removes the descriptive name from the rule no destinationip address_object Sets the destination IP address The no comman...

Page 175: ... list no to zone_object Device Sets the zone to which the packets are sent The no command removes the zone to which the packets are sent and resets it to the default any any means all interfaces or VPN tunnels no user user_name Sets a user aware firewall rule The rule is activated only when the specified user logs into the system The no command resets the user name to the default any any means all...

Page 176: ...ion limit rule The no command disables the session limit rule no address address_object Sets the source IP address The no command sets this to any which means all IP addresses no description description Sets a descriptive name up to 64 printable ASCII characters for a session limit rule The no command removes the descriptive name from the rule exit Quits the sub command mode no limit 0 8192 Sets t...

Page 177: ...sed up The UAG accounts the time that the user is logged in for Internet access billing accumulation idle detection timeout 1 60 Specifies the idle timeout between 1 and 60 minutes The UAG automatically disconnects a computer from the network after a period of inactivity The user may need to enter the username and password again before access to the network is allowed billing accumulation expire d...

Page 178: ...0 Specifies a time unit and number to set how long to wait before the UAG deletes an account that has not been used billing username password length 4 6 Sets how manay characters the username and password of a newly created dynamic guest account will have no billing wlan ssid profile profile_name Sets the name of the SSID profile to which you can apply the general billing settings The no command s...

Page 179: ...ns there is no data limit for the user account quota type total upload download Sets a limit for the user account This only applies to user s traffic that is received or transmitted through the external interface Note When the limit is exceeded the user is not allowed to access the Internet through the UAG total set a limit on the total traffic in both directions upload download set a limit on the...

Page 180: ... charge Router configure terminal Router config billing profile billing_1hour Router billing profile button a activate Router billing profile button a price 2 Router billing profile button a time period hour 1 Router billing profile button a exit Router config show billing profile Billing Profile billing_30mins activate yes time period 30 minute price eur 0 00 Billing Profile billing_1hour activat...

Page 181: ...rvice Commands COMMAND DESCRIPTION payment service account delivery onscreen activate deactivate Allows or disallows the UAG to display the user account information in the web screen payment service account delivery sms activate deactivate Allows or disallows the UAG to use Short Message Service SMS to send account information in a text message to the user s mobile device no payment service activa...

Page 182: ... notification message color 00FF00 color_name rgb 0 0 255 Specifies the font color of the important information You can use the color name hexadecimal codes or enter decimal color code of your own payment service success page successful message message Specifies a note to display in the second page after the user s online payment is made successfully show payment service account delivery Displays ...

Page 183: ...s aud cad chf czk dkk eur gbp hkd huf ils jpy mxn nok nzd php pln sek sgd thb twd or usd gateway url Sets the address of the PayPal gateway provided to you by PayPal after applying for your PayPal account no identity token identity_token Sets the ID token provided to you by PayPal after successfully applying for your PayPal account The no command removes the ID token Router configure terminal Rout...

Page 184: ...sed account generator and or the button on a connected statement printer no printer manager encrypt activate Turns on data encryption Data transmitted between the UAG and the printer will be encrypted with a secret key The no command disables data encryption printer manager encrypt secret key secret_key Sets a key for data encryption secret_key four alphanumeric characters A Z a z 0 9 printer mana...

Page 185: ...ly uploaded to the UAG The UAG automatically installs it in the connected printers to make sure the printers are upgraded to the same version show printer manager printout type Displays the current account printout format show printer manager settings Displays the printer management settings show printer manager workableIP Displays the number and IP address s of printer s that can synchronize with...

Page 186: ...creen no free time deliver method sms Sets the UAG to send account information in an SMS text message to the user s mobile device The no command sets the UAG to not send account information in an SMS text message to the user s mobile device no free time maximum register number 1 5 Specifies the maximum number of the users that are allowed to log in for Internet access with a free guest account bef...

Page 187: ...so sent account information via SMS text messages It then displays the free time settings Router configure terminal Router config free time activate Router config free time deliver method onscreen Router config free time deliver method sms Router config show free time status Activate yes Time Period 30 Reset Time 00 00 Maximum registration number before reset time 1 Delivery Method onscreen sms Ro...

Page 188: ...S service sms service default country code country_code Sets the default country code for the mobile phone number to which you want to send SMS messages country_code one to four digits sms service provider vianett Enters the sms service vianett sub command mode to configure your ViaNett account information no password password Sets the password for your ViaNett account no username e mail Sets the ...

Page 189: ...tings Router configure terminal Router config sms service activate Router config sms service provider vianett Router sms service vianett username test example com Router sms service vianett password 12345 Router sms service vianett exit Router config show sms service enable sms service yes SMS Country Code 0 SMS Provider Selected vianett SMS Service Vianett username test example com password 12345...

Page 190: ...ds COMMAND DESCRIPTION bwm 1 127 Enters the config bwm sub command mode to configure a bandwidth management policy See Table 119 on page 191 for the sub commands no bwm activate Enables bandwidth management on the UAG The no command disabled bandwidth management bwm append Enters the config bwm sub command mode to add a policy to the end of the policy list See Table 119 on page 191 for the sub com...

Page 191: ... AF class or QoS access class of incoming or outgoing packets to which this policy applies any means all DSCP value or no DSCP marker The no command resets the DSCP code to the default any no inbound ceiling 0 1048576 maximize bandwidth usage Sets the maximum bandwidth allowed for incoming traffic or enables maximize bandwidth usage to let the traffic matching this policy borrow any unused bandwid...

Page 192: ...the priority for traffic that matches this policy The smaller the number the higher the priority Outbound refers to the traffic the UAG sends out from a connection s initiator The no command resets the outbound guarantee bandwidth to the default 0 no outbound dscp mark 0 63 class af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 cs0 cs1 cs2 cs3 cs4 cs5 cs6 cs7 default wmm_be0 wmm_be24 wm...

Page 193: ...e no command resets the source IP address es to the default any any means all IP addresses no type per user shared Sets the type of bandwidth management per user to allow every user that matches this policy to use up to the bandwidth configured in this policy shared to have users that match this policy to share the bandwidth configured in this policy The no command resets the bandwidth management ...

Page 194: ...rs Router config bwm append 6 inbound guarantee bandwidth 800 priority 3 Router config bwm append 6 outbound guarantee bandwidth 700 priority 3 Router config bwm append 6 show Current Configuration index 6 Activate yes Description example BWM Type shared Schedule none User trial users Incoming_Type any Incoming_Interface any Outgoing_Type any Outgoing_Interface any Src any Dst any Service_Type ser...

Page 195: ...nications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer The following figure is one example of a VPN tunnel Figure 20 VPN Example The VPN tunnel connects the UAG X and the remote IPSec router Y These routers then connect the local network A and remote net...

Page 196: ...IPSec VPN commands Other values are discussed with the corresponding commands Table 120 Input Values for IPSec VPN Commands LABEL DESCRIPTION profile_name The name of a VPN concentrator You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive policy_name The name of an IKE SA You may use 1 31 alphanumeric characters un...

Page 197: ...ey or a certificate for authentication certificate certificate name Sets the certificate that can be used for authentication no dpd Enables Dead Peer Detection DPD The no command disables DPD DPD allows the UAG to make sure the remote IPSec device is there before transmitting data through the IKE SA dpd interval 15 60 Sets how often in seconds the UAG checks if the remote IPSec device is available...

Page 198: ...ip fqdn domain_name mail e_mail dn distinguished_name Sets the local ID type and content to the specified IP address domain name or e mail address peer id type any ip ip fqdn domain_name mail e_mail dn distinguished_name Sets the peer ID type and content to any value the specified IP address domain name or e mail address no xauth type server xauth_method client name username password password Enab...

Page 199: ...ransport Sets the encapsulation mode transform set crypto_algo_esp crypto_algo_esp crypto_algo_esp Sets the active protocol to ESP and sets the encryption and authentication algorithms for each proposal crypto_algo_esp esp null md5 esp null sha esp null sha256 esp null sha512 esp des md5 esp des sha esp des sha256 esp des sha512 esp 3des md5 esp 3des sha esp 3des sha256 esp 3des sha512 esp aes128 ...

Page 200: ...Sec SA The no command disables in bound traffic SNAT in the IPSec SA in snat source address_name destination address_name snat address_name Configures in bound traffic SNAT in the IPSec SA no in dnat activate Enables in bound traffic DNAT in the IPSec SA The no command disables in bound traffic DNAT in the IPSec SA in dnat delete 1 10 Deletes the specified rule for in bound traffic DNAT in the spe...

Page 201: ...p Select how the UAG checks the connection The peer must be configured to respond to the method you select period 5 600 Enter the number of seconds between connection check attempts timeout 1 10 Enter the number of seconds to wait for a response before the attempt is a failure fail tolerance 1 10 Enter the number of consecutive failures allowed before the UAG disconnects the VPN tunnel log have th...

Page 202: ...length of the key depends on the algorithm des 8 32 characters 3des 24 32 characters aes128 16 32 characters aes192 24 32 characters aes256 32 characters If you want to enter the key in hexadecimal type 0x at the beginning of the key For example 0x0123456789ABCDEF is in hexadecimal format in 0123456789ABCDEF is in ASCII format If you use hexadecimal you must enter twice as many characters The UAG ...

Page 203: ...user or group of users allowed to use the UAG IPSec VPN client to retrieve the associated VPN rule settings A user may belong to a number of groups If VPN configuration provisioning rules are configured for different groups the UAG will allow VPN rule setting retrieval based on the first match found Admin or limited admin users are not allowed no user Removes the VPN configuration provisioning rul...

Page 204: ... without the quotation marks to specify any VPN connection or policy name that ends with abc A VPN connection named testabc would match There could be any number of any type of characters in front of the abc at the end and the VPN connection or policy name would still match A VPN connection or policy name named testacc for example would not match A in the middle of a VPN connection or policy name ...

Page 205: ...s 41 1 2 SSL Access Policy Limitations You cannot delete an object that is used by an SSL access policy To delete the object you must first unassociate the object from the SSL access policy 41 2 SSL VPN Commands The following table describes the values required for some SSL VPN commands Other values are discussed with the corresponding commands Table 127 Input Values for SSL VPN Commands LABEL DES...

Page 206: ...orary Internet files in the user s browser s cache when the user logs out The UAG returns them to the values present before the user logged in The no command disables this setting no description description Adds information about the SSL VPN access policy Use up to 60 characters 0 9 a z A Z and _ no eps 1 8 eps_profile_name Sets endpoint security objects to be used for the SSL VPN access policy Th...

Page 207: ... for a VPN tunnel between the authenticated users and the internal network This allows the users to access the resources on the network as if they were on the same local network ip pool specify the name of the pool of IP addresses to assign to the user computers for the VPN connection Specify the names of the DNS or WINS servers to assign to the remote users This allows them to access devices on t...

Page 208: ... 254 255 255 255 0 Router config if ge exit Router config address object IP POOL 192 168 100 1 192 168 100 10 Router config address object DNS1 172 16 5 1 Router config address object DNS2 172 16 5 2 Router config address object NETWORK1 172 16 10 0 24 Router config eps profile EPS 1 Router eps EPS 1 matching criteria all Router eps EPS 1 os type windows Router eps EPS 1 windows version windows xp...

Page 209: ... index 1 active yes name SSL_VPN_TEST description user tester ssl application none network extension yes ip pool IP POOL dns server 1 DNS1 dns server 2 DNS2 wins server 1 none wins server 2 none network NETWORK1 cache clean no eps periodical check activation no eps periodical check 1 eps activation yes eps EPS 1 reference count 0 ...

Page 210: ...application patrol rules for traffic going through the UAG To use a service make sure both the firewall and application patrol allow the service s packets to go through the UAG Application patrol examines every TCP and UDP connection passing through the UAG and identifies what application is using the connection Then you can specify by application whether or not the UAG continues to route the conn...

Page 211: ...routes packets that matches these signatures drop silently drops packets that matches these signatures without notification reject drops packets that matches these signatures and sends notification no application object profile_name Removes the application object from the named profile no app statistics collect Enables application patrol statistics gathering The no command disables it app statisti...

Page 212: ...on version 3 1 4 049 Router config show app signatures date date 2013 12 05 18 09 51 Router config app john Router config app patrol profile john description this is a dummy profile Router config app patrol profile john exit Router config show app profiles APP patrol 1 profile name testfb description application tests ref 0 APP patrol 2 profile name test description this is a test application ref ...

Page 213: ...Doe s access to arts and entertainment web pages during the workday and another policy that lets him access them after work 43 2 Content Filtering Policies A content filtering policy allows you to do the following Use schedule objects to define when to apply a content filtering profile Use address and or user group objects to define to whose web access to apply the content filtering profile Apply ...

Page 214: ...h careers news media personals dating reference open image media search chat instant messaging email blogs newsgroups religion social networking online storage remote access tools shopping auctions real estate society lifestyle sexuality alternative lifestyles restaurants dining food sports recreation hobbies travel vehicles humor jokes software downloads pay to surf peer to peer streaming media m...

Page 215: ...an IP address range by entering the start and end IP addresses separated by a hyphen for example 192 168 2 5 192 168 2 23 keyword A keyword or a numerical IP address to search URLs for and block access to if they contain it Use up to 63 case insensitive characters 0 9a zA Z _ in double quotes For example enter Bad_Site to block access to any web page that includes the exact phrase Bad_Site This do...

Page 216: ...r which it has given the user a warning before allowing access content filter passed warning timeout 1 1440 Sets how long to keep records of sessions for which the UAG has given the user a warning before allowing access no content filter policy policy_number address schedule filtering_profile Sets a content filtering policy The no command removes it content filter policy policy_number shutdown Dis...

Page 217: ...Z 1 32 ipv4_range Range of IPv4 addresses W X Y Z W X Y Z wildcard_domainname wildcard domain name i e zyxel co a z0 9 1 63 a z0 9 1 63 tld top level domain exit Leaves the sub command mode show content filter passed warning Displays the UAG s record of sessions for which it has given the user a warning before allowing access show content filter policy Displays the content filtering policies show ...

Page 218: ... s list of forbidden keywords This has the content filtering profile block access to Web sites with URLs that contain the specified keyword or IP address in the URL no keyword Adds a forbidden keyword or IP address to the content filtering profile s list The no command removes it exit Leaves the sub command mode no content filter profile filtering_profile custom proxy Sets a content filtering prof...

Page 219: ...ommand has the profile not use the external web filtering service no content filter service timeout service_timeout Sets how many seconds the UAG is to wait for a response from the external content filtering server The no command clears the setting no content filter profile filtering_profile commtouch url category category_name Sets a CommTouch content filtering profile to check for specific web s...

Page 220: ...tering database is unavailable no content filter profile filtering_profile commtouch url unrate log Has the UAG not log access to web pages that the CommTouch external web filtering service has not categorized show content filter profile filtering_profile Displays the specified content filtering profile s settings or the settings of all them if you don t specify one Table 134 content filter profil...

Page 221: ...ing adult and pornography websites 5 Enable the external web filtering service Table 136 Commands for Content Filtering Statistics COMMAND DESCRIPTION no content filter statistics collect Turn the collection of content filtering statistics on or off content filter statistics flush Clears the collected statistics show content filter statistics summary Displays the collected statistics show content ...

Page 222: ...Router config content filter profile sales_CF_PROFILE Router config content filter profile sales_CF_PROFILE url category adult mature content Router config content filter profile sales_CF_PROFILE url category pornography Router config content filter profile sales_CF_PROFILE url url server Router config content filter profile sales_CF_PROFILE custom java Router config content filter profile sales_C...

Page 223: ...ces no Spyware Effects Privacy Concerns no Job Search Careers no News Media no Personals Dating no Reference no Open Image Media Search no Chat Instant Messaging no Email no Blogs Newsgroups no Religion no Social Networking no Online Storage no Remote Access Tools no Shopping no Auctions no Real Estate no Society Lifestyle no Sexuality Alternative Lifestyles no Restaurants Dining Food no Sports Re...

Page 224: ... locally regardless of the authentication method setting See Chapter 50 on page 250 for more information about authentication methods Table 137 Types of User Accounts TYPE ABILITIES LOGIN METHOD S Admin Users Admin Change UAG configuration web CLI WWW TELNET SSH FTP Limited Admin Look at UAG configuration web CLI Perform basic diagnostics CLI WWW TELNET SSH Access Users User Access network service...

Page 225: ...r guest manager user guest limited admin Creates the specified user if necessary enables and sets the password and sets the user type for the specified user password You can use 1 63 printable ASCII characters except double quotation marks and question marks username username user type ext user Creates the specified user if necessary and sets the user type to Ext User username username user type m...

Page 226: ...re terminal Router config username test password 1234 user type guest Router config username test logon due time 07 30 Router config username test logon re auth type due time Router config show username test username test password 1 gRsjDU29 rh1PqNQyspuqhoqgC3nlM1 description Local User user type guest time setting manual lease time 1440 re auth type due time re auth time 1440 due time 07 30 refer...

Page 227: ...me to five users default setting no user type admin limited admin pre subscriber user guest ext user ext group user logon re auth type due time re auth time Sets whether the specified type of new user will be logged out and have to log into the UAG again according to the due time or reauthentication time settings users default setting no user type admin limited admin pre subscriber user guest ext ...

Page 228: ... and if so how many minutes of idle time must pass before they are logged out no users idle detection Enables logging users out after a specified number of minutes of idle time The no command disables logging them out no users idle detection timeout 1 60 Sets the number of minutes of idle time before users are automatically logged out The no command sets the idle detection timeout to three minutes...

Page 229: ...ss user account The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device The no command deletes the mapping between the OUI and the MAC role no mac auth database mac oui type int oui mac role username description description Maps the specified OUI Organizationally Unique Identifier authenticated by the UAG s local user database to the specifie...

Page 230: ...s out the specified login Router configure terminal Router config show users all No 0 Name admin Type admin From console Service console Session_Time 25 46 00 Idle_Time unlimited Lease_Timeout unlimited Re_Auth_Type re auth time Re_Auth_Timeout unlimited Due_time N A User_Info admin No 1 Name admin Type admin From 192 168 1 34 Service http https Session_Time 00 02 26 Idle_Time unlimited Lease_Time...

Page 231: ...configure terminal Router config show lockout users No Username Tried From Lockout Time Remaining No From Failed Login Attempt Record Expired Timer 1 172 16 1 5 2 46 Router config unlock lockout users 172 16 1 5 User from 172 16 1 5 is unlocked Router config show lockout users No Username Tried From Lockout Time Remaining No From Failed Login Attempt Record Expired Timer ...

Page 232: ...e associated IDP and App Patrol signature ID number Table 145 application object Commands COMMAND DESCRIPTION show application object object_name Displays information on the named application object application object object_name Creates an object with the specified name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case s...

Page 233: ...ON show object group application object_group_name Displays information on the named application object group object group application object_group_name Creates an application object group with the specified name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive The no command disables it no description descript...

Page 234: ...usage commands Router config show object group application Name Description Ref Member Router config object group application may Router group application description rinse after use Router group application exit Router config show object group application Name Description Ref Member may rinse after use 0 tests Router config ...

Page 235: ...re used to specify where content restrictions apply in content filtering Please see the respective sections for more information about how address objects and address groups are used in each one Address groups are composed of address objects and address groups The sequence of members in the address group is not important 46 2 Address Commands Summary The following table describes the values requir...

Page 236: ...ace when you create an object based on an interface no address object object_name Deletes the specified address object address object rename object_name object_name Renames the specified address first object_name to the second object_name Router configure terminal Router config address object A0 192 168 1 1 Router config address object A1 192 168 1 1 192 168 1 20 Router config address object A2 19...

Page 237: ...ommand clears the description description You can use alphanumeric and _ characters and it can be up to 60 characters long object group address rename group_name group_name Renames the specified address group from the first group_name to the second group_name Table 149 object group Commands Address Groups continued COMMAND DESCRIPTION Router configure terminal Router config address object A0 192 1...

Page 238: ... table lists the commands for service objects Table 150 Input Values for Service Commands LABEL DESCRIPTION group_name The name of the service group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive object_name The name of the service You may use 1 31 alphanumeric characters underscores _ or dashes but the first...

Page 239: ...er config service object TELNET tcp eq 23 Router config service object FTP tcp range 20 21 Router config service object ICMP_ECHO icmp echo Router config service object MULTICAST protocol 2 Router config show service object Object name Protocol Minmum port Maxmum port Ref TELNET TCP 23 23 0 FTP TCP 20 21 0 ICMP_ECHO ICMP 0 0 0 MULTICAST 2 0 0 0 Router config no service object ICMP_ECHO Router conf...

Page 240: ...oup service rename group_name group_name Renames the specified service group from the first group_name to the second group_name Table 152 object group Commands Service Groups continued COMMAND DESCRIPTION Router configure terminal Router config service object ICMP_ECHO icmp echo Router config object group service SG1 Router group service service object ICMP_ECHO Router group service exit Router co...

Page 241: ...eek Sunday Monday Tuesday Wednesday Thursday Friday and Saturday Recurring schedules always begin and end in the same day Recurring schedules are useful for defining the workday and off work hours 48 2 Schedule Commands Summary The following table describes the values required for many schedule commands Other values are discussed with the corresponding commands The following table lists the schedu...

Page 242: ...g schedule day 3 character day of the week sun mon tue wed thu fri sat Table 154 schedule Commands continued COMMAND DESCRIPTION Router configure terminal Router config schedule object SCHEDULE1 11 00 12 00 mon tue wed thu fri Router config schedule object SCHEDULE2 2006 07 29 11 00 2006 07 31 12 00 Router config show schedule object Object name Type Start End Ref SCHEDULE1 Recurring 11 00 12 00 M...

Page 243: ...otocol for controlling access to a network The directory consists of a database specialized for fast information retrieval and filtering activities You create and store user profile and login information on the external server RADIUS RADIUS Remote Authentication Dial In User Service authentication is a popular protocol used to authenticate users by means of an external or built in RADIUS server RA...

Page 244: ...d clears this setting no ad server ssl Enables the UAG to establish a secure connection to the AD server The no command disables this feature Table 155 ad server Commands continued COMMAND DESCRIPTION Table 156 ldap server Commands COMMAND DESCRIPTION show ldap server Displays current LDAP server settings no ldap server basedn basedn Sets a base distinguished name DN for the default LDAP server A ...

Page 245: ...erver timeout time Sets the search timeout period in seconds Enter a number between 1 and 300 The no command clears this setting Router configure terminal Router config radius server host 172 16 10 100 auth port 1812 Router config radius server key 876543210 Router config radius server timeout 80 Router config show radius server host 172 16 10 100 authentication port 1812 key 876543210 timeout 80 ...

Page 246: ...ser user object for each group One with sales as the group identifier another for RD and a third for management The no command clears the setting no server host ad_server Enter the IP address in dotted decimal notation or the domain name of an AD server to add to this group The no command clears this setting no server password password Sets the bind password up to 15 alphanumerical characters The ...

Page 247: ...le you could have an attribute named memberOf with values like sales RD and management Then you could also create an ext group user user object for each group One with sales as the group identifier another for RD and a third for management The no command clears the setting no server host ldap_server Enter the IP address in dotted decimal notation or the domain name of an LDAP server to add to this...

Page 248: ...ttempting to authenticate the subscriber The subscriber will see a message that says the RADIUS server was not found The no command clears this setting and sets this to the default setting no server acct secret secret Sets a password up to 32 alphanumeric characters as the key to be shared between the external accounting server and the UAG The key is not sent over the network This key must be the ...

Page 249: ...his setting and sets this to the default setting of 5 seconds Table 160 aaa group server radius Commands continued COMMAND DESCRIPTION Router configure terminal Router config aaa group server radius RADIUSGroup1 Router group server radius server host 192 168 1 100 auth port 1812 Router group server radius server host 172 16 12 100 auth port 1812 Router group server radius server key 12345678 Route...

Page 250: ... profile name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive clear aaa authentication profile name Deletes all authentication profiles or the specified authentication profile Note You can NOT delete a profile that is currently in use show aaa authentication group name default Displays the specified authentica...

Page 251: ... a profile The no command clears the specified authentication method s for the profile aaa authentication no match default group Enable this to treat a user successfully authenticated by a remote auth server as a defat ext user If the remote authentication server is LDAP the default ext user account is an ldap user If the remote authentication server is AD the default ext user account is an ad use...

Page 252: ...ise the UAG responds an error Router test aaa server ad host 172 16 50 1 port 389 base dn DC ZyXEL DC com bind dn zyxel engineerABC password abcdefg login name attribute sAMAccountName account userABC dn Q049MTIzNzco546L5aOr56uRKSxPVT1XaXRoTWFpbCxEQz1aeVhFTCxEQz1jb20 objectClass top objectClass person objectClass organizationalPerson objectClass user cn MTIzNzco546L5aOr56uRKQ sn User l 2341100 SNI...

Page 253: ...ands Input Values The following table explains the values you can input with the certificate commands Table 163 Certificates Commands Input Values LABEL DESCRIPTION certificate_name The name of a certificate You can use up to 31 alphanumeric and _ characters cn_address A common name IP address identifies the certificate s owner Type the IP address in dotted decimal notation cn_domain_name A common...

Page 254: ...certification authority server You can use up to 511 of the following characters a zA Z0 9 _ Table 163 Certificates Commands Input Values continued LABEL DESCRIPTION Table 164 ca Commands Summary COMMAND DESCRIPTION ca enroll cmp name certificate_name cn type ip cn cn_address fqdn cn cn_domain_name mail cn cn_email ou organizational_unit o organization c country key type rsa dsa key len key_length...

Page 255: ...ate itself in order to access the CRL directory server Type the login name up to 31 characters from the entity maintaining the server usually a certification authority You can use alphanumeric characters the underscore and the dash Type the password up to 31 characters from the entity maintaining the CRL directory server usually a certification authority You can use the following characters a zA Z...

Page 256: ...emote name certificate_name format text pem Displays a summary of the certificates in the specified category local for my certificates or remote for trusted certificates or the details of a specified certificate show ca validation name name Displays the validation configuration for the specified remote trusted certificate show ca spaceusage Displays the storage space in use by certificates Table 1...

Page 257: ...ocal certificate default type SELF subject CN UAG_Factory_Default_Certificate issuer CN UAG_Factory_Default_Certificate status VALID ID UAG_Factory_Default_Certificate type EMAIL valid from 2003 01 01 00 38 30 valid to 2022 12 27 00 38 30 certificate test type REQ subject CN 1 1 1 1 issuer none status VALID ID 1 1 1 1 type IP valid from none valid to none certificate pkcs12request type REQ subject...

Page 258: ...er cannot be a number This value is case sensitive encrypted password ciphertext Sets an encrypted secret for the specified ISP account ciphertext You can use up to 128 printable ASCII characters Spaces are not allowed no user username Sets the username for the specified ISP account The no command clears the username username You can use alphanumeric underscores _ dashes commas and characters and ...

Page 259: ...res _ dashes and characters no server ip Sets the PPTP server for the specified PPTP ISP account The no command clears the server name no encryption nomppe mppe 40 mppe 128 Sets the encryption for the specified PPTP ISP account The no command sets the encryption to nomppe no connection id connection_id Sets the connection ID for the specified PPTP ISP account The no command clears the connection I...

Page 260: ...ect server type rdp server address server address starting port 1 65535 ending port 1 65535 program path program path Creates an SSL application object to allow users to manage LAN computers that have Remote Desktop Protocol remote desktop server software installed Specify the listening ports of the LAN computer s running remote desktop server software The UAG uses a port number from this range to...

Page 261: ...f you enter remote in this field emote users can only access web pages or files in the remote directory If a link contains a file that is not within this domain then SSL VPN users cannot access it no server type Remove the type of service configuration for this SSL application no webpage encrypt Turn on web encrypt to prevent users from saving the web content Table 166 SSL Application Object Comma...

Page 262: ...urity Can Check The settings endpoint security can check vary depending on the OS of the user s computer Depending on the OS EPS can check user computers for the following Operating System Windows Linux Mac OSX or others Windows version and service pack version Windows Auto Update setting and installed security patches Personal firewall installation and activation Anti virus installation and activ...

Page 263: ... example Endpoint Security checking failed Please contact your network administrator for help The no command removes the setting show eps failure messages Displays the message to display when a user s computer fails the endpoint security check no eps profile profile_name Enters the sub command mode The no command removes an endpoint security object no anti virus personal firewall activate If you s...

Page 264: ...iption for this endpoint security object You can use alphanumeric and _ characters and it can be up to 60 characters long no file info file path file_path If you selected windows or linux as the operating system using the os type command you can use this command to check details of specific files on the user s computer The user s computer must pass one of the file information checks to pass this c...

Page 265: ...ce pack number no windows security patch security_patch If you set windows as the operating system using the os type command you can use this command to set a Windows security patch that the user s computer must have installed If you want to enter multiple security patches use this command for each of them The user s computer must have all of the set Windows security patches installed to pass the ...

Page 266: ...ter Router configure terminal Router config show eps signature anti virus No Name Detection 1 Norton_Anti Virus_v2010 no 2 Norton_Internet_Security_v2010 no 3 Norton_360_v3 no 4 Microsoft_Security_Center yes 5 TrendMicro_PC cillin_AntiVirus_v2010 yes 6 TrendMicro_PC cillin_Internet_Security_v2010 yes 7 TrendMicro_PC cillin_Internet_Security_Pro_v2010 yes 8 Avira_Antivir_Personal_v2009 no 9 Kaspers...

Page 267: ...icrosoft_Security_Center yes 4 Windows_Firewall yes 5 TrendMicro_PC cillin_Internet_Security_v2010 yes 6 TrendMicro_PC cillin_Internet_Security_Pro_v2010 yes 7 Windows_Firewall_Public yes 8 Kaspersky_Internet_Security_v2011 yes 9 Kaspersky_Internet_Security_v2012 no Router config Router config eps profile EPS Example Router eps EPS Example windows version windows xp Router eps EPS Example personal...

Page 268: ... Router eps EPS Example exit Router config show eps profile name EPS Example description os type windows windows version windows xp matching criteria all anti virus activation yes anti virus 1 name Kaspersky_Anti Virus_v2011 detect auto protection enable personal firewall activation yes personal firewall 1 name Windows_Firewall detect auto protection enable windows update enable windows service pa...

Page 269: ...uest accounts that are created with the dynamic guest generate freeuser command or the Free Time function 55 2 Dynamic guest Commands This table lists the dynamic guest commands You must use the configure terminal command to enter the configuration mode before you can use these commands Table 169 dynamic guest Commands COMMAND DESCRIPTION dynamic guest freeuser user_name Creates a free dynamic gue...

Page 270: ...affic the UAG sends out from a user download refers to the traffic the UAG sends to a user no bandwidth activate Turns on bandwidth management for the user account The no command disables bandwidth management for the user account charge price Sets the account s price up to 99999999 99 per time unit create time yyyy mm dd hh mm Sets the date and time the account is created expire time yyyy mm dd hh...

Page 271: ...terminal Router config dynamic guest generate dynamic guest username gn0ti7 password ihzun7 Router config dynamic guest charge 5 Router config dynamic guest expire time 2013 06 26 14 00 Router config dynamic guest payment info cash Router config dynamic guest phone 0912345678 Router config dynamic guest time period 1440 Router config dynamic guest remaining time 86400 Router config dynamic guest c...

Page 272: ...hich services protocols can access which UAG zones if any from which computers 56 2 Customizing the WWW Login Page Use these commands to customize the Web Configurator login screen You can also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet See Chapter 44 on page 224 for more on access user accounts The following fi...

Page 273: ...rgb color name color number Sets the color of the message text on the access page no access page message text message Sets a note to display below the access page s title Use up to 64 printable ASCII characters Spaces are allowed access page title title Sets the title for the top of the access page Use up to 64 printable ASCII characters Spaces are allowed access page window color color rgb color ...

Page 274: ...f the login screen and access page show access page settings Lists the current access page settings show login page default title Lists the factory default title for the login page show login page settings Lists the current login page settings show logo settings Lists the current logo background banner and floor line below the banner settings show page customization Lists whether the UAG is set to...

Page 275: ...p 1 2 3 4 last fri mon sat sun thu tue wed hh mm offset Configures the day and time when Daylight Saving Time starts and ends The no command removes the day and time when Daylight Saving Time starts and ends offset a number from 1 to 5 5 by 0 5 increments clock time hh mm ss Sets the new time in hour minute and second format no clock time zone hh Sets your time zone The no command removes time zon...

Page 276: ...t Values for General DNS Commands LABEL DESCRIPTION address_object The name of the IP address group object You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive interface_name The name of the interface This depends on the UAG model See Table 37 on page 86 for detailed information about the interface name Table 176 C...

Page 277: ...provides a DNS server The interface should be activated and set to be a DHCP client The no command deletes a zone forwarder record ip dns server zone forwarder 1 32 append insert 1 32 domain_zone_name user defined w x y z private interface interface_name auto Sets a domain zone forwarder record that specifies a DNS server s IP address private interface Use private if the UAG connects to the DNS se...

Page 278: ...ificate_name The name of the certificate You can use up to 31 alphanumeric and _ characters no auth server trusted client profile_name Creates a trusted RADIUS client profile The no command deletes the specified profile profile name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive no activate Enables the client...

Page 279: ...batch firmware upgrade in it You can download the ZON Utility at www zyxel com and install it on a computer 56 8 1 LLDP LLDP is a layer 2 protocol that allows a network device to advertise its identity and capabilities on the local network It also allows the device to maintain and store information from adjacent devices which are directly connected to the network device This helps you discover net...

Page 280: ...dp server tx hold 1 10 Sets the multipler used to calculate the TTL Time To Live value for the transmitted LLDP packets The TTL value determines how long the device information can be saved on the neighbors LLDP TTL the multipler the LLDP transmission interval zon lldp server tx interval 1 600 Sets the interval in seconds at which the UAG sends a LLDP packet to the neighbor zon zdp server Activate...

Page 281: ...ment Limitations Remote management will not work when 1 You have disabled that service in the corresponding screen 2 The accepted IP address in the Service Control table does not match the client IP address If it does not match the UAG will disconnect the session immediately 3 There is a firewall rule that blocks it 57 1 2 System Timeout There is a lease timeout for administrators The UAG automati...

Page 282: ...is case sensitive The UAG uses pre defined zone names like DMZ LAN1 LAN2 SSL VPN IPSec VPN and WAN Table 180 Command Summary HTTP HTTPS COMMAND DESCRIPTION no ip http authentication auth_method Sets an authentication method used by the HTTP HTTPS server The no command resets the authentication method used by the HTTP HTTPS server to the factory default default auth_method The name of the authentic...

Page 283: ...he SSL in HTTPS connections and the sequence in which it uses them The cipher_algorithm can be any of the following rc4 RC4 RC4 may impact the UAG s CPU performance since the UAG s encryption accelerator does not support it aes AES des DES 3des Triple DES no ip http secure server cipher suite cipher_algorithm Has the UAG not use the specified encryption algorithm for the SSL in HTTPS connections n...

Page 284: ... protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network 57 4 1 SSH Implementation on the UAG Your UAG supports SSH versions 1 and 2 using RSA authentication and four encryption methods AES 3DES Archfour and Blowfish The SSH server is implemented on the UAG for remote management on port 22 by default 57 4 2 Req...

Page 285: ...server port 1 65535 Sets the SSH service port number The no command resets the SSH service port number to the factory default 22 ip ssh server rule rule_number append insert rule_number access group ALL address_object zone ALL zone_object action accept deny Sets a service control rule for SSH service address_object The name of the IP address group object You may use 1 31 alphanumeric characters un...

Page 286: ...lt 23 ip telnet server rule rule_number append insert rule_number access group ALL address_object zone ALL zone_object action accept deny Sets a service control rule for Telnet service address_object The name of the IP address group object You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive zone_object The name of...

Page 287: ...p server port 1 65535 Sets the FTP service port number The no command resets the FTP service port number to the factory default 21 no ip ftp server tls required Allows FTP access over TLS The no command disables FTP access over TLS ip ftp server rule rule_number append insert rule_number access group ALL address_object zone ALL zone_object action accept deny Sets a service control rule for FTP ser...

Page 288: ...hput The focus of the MIBs is to let administrators collect statistical data and monitor status and performance You can download the UAG s MIBs from www zyxel com 57 8 2 SNMP Traps The UAG will send traps to the SNMP manager when any one of the following events occurs Router configure terminal Router config show ip ftp server status active yes port 21 certificate default TLS no service control No ...

Page 289: ...traps no snmp server host w x y z community_string Sets the IPv4 address of the host that receives the SNMP notifications The no command removes the host that receives the SNMP notifications no snmp server location description Sets the geographic location of up to 60 characters for the UAG The no command removes the geographic location for the UAG no snmp server port 1 65535 Sets the SNMP service ...

Page 290: ...rver host 172 16 15 84 qwerty Table 186 Command Summary ICMP Filter COMMAND DESCRIPTION no ip icmp filter activate Turns the ICMP filter on or off ip icmp filter rule 1 32 append insert 1 32 access group ALL ADDRESS_OBJECT zone ALL ZONE_OBJECT icmp type ALL echo reply destination unreachable source quench redirect echo request router advertisement router solicitation time exceeded parameter proble...

Page 291: ... that you can store on the UAG and run when you need them When you run a shell script the UAG only applies the commands that it contains Other settings do not change You can edit configuration files or shell scripts in a text editor and upload them to the UAG Configuration files use a conf extension and shell scripts use a zysh extension Table 187 FTP File Transfer Notes DIRECTORY FILE TYPE FILE N...

Page 292: ...ingle to have the UAG exit sub command mode Note exit or must follow sub commands if it is to make the UAG exit sub command mode Figure 24 Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin password 4321 user type admin configure wan1 interface wan1 ip address 172 16 13 240 255 255 255 0 ip gateway 172 16 13 254 metric 1...

Page 293: ...he UAG ignores any errors in the configuration file or shell script and applies all of the valid commands The UAG still generates a log for any errors 58 2 3 UAG Configuration File Details You can store multiple configuration files on the UAG You can also have the UAG use a different configuration file without the UAG restarting When you first receive the UAG it uses the system default conf config...

Page 294: ...are no errors the UAG uses it and copies it to the lastgood conf configuration file If there is an error the UAG generates a log and copies the startup config conf configuration file to the startup config bad conf configuration file and tries the existing lastgood conf configuration file If there isn t a lastgood conf configuration file or it also has an error the UAG applies the system default co...

Page 295: ...AG from the source file name to the target file name Specify the directory and file name of the file that you want to copy and the directory and file name to use for the duplicate Always copy the file into the same directory copy running config startup config Saves your configuration changes to the flash non volatile or long term memory The UAG immediately uses configuration changes made via comma...

Page 296: ...g firmware upgrade The no command disables the backup function show backup startup status Displays whether the startup configuration backup function is enabled or not setenv startup stop on error off Has the UAG ignore any errors in the startup config conf file and apply all of the valid commands show setenv startup Displays whether or not the UAG is set to ignore any errors in the startup config ...

Page 297: ...UAG Figure 25 FTP Configuration File Upload Example 58 6 3 Command Line FTP File Download 1 Connect to the UAG 2 Enter bin to set the transfer mode to binary 3 Use cd to change to the directory that contains the files you want to download 4 Use dir or ls if you need to display a list of the files in the directory 5 Use get to download files For example get vpn_setup zysh vpn zysh transfers the vpn...

Page 298: ...aged The boot module also checks and loads the recovery image The UAG notifies you if the recovery image is damaged 2 The recovery image checks and loads the firmware The UAG notifies you if the firmware is damaged C ftp 192 168 1 1 Connected to 192 168 1 1 220 FTP Server UAG 192 168 1 1 User 192 168 1 1 none admin 331 Password required for admin Password 230 User admin logged in ftp bin 200 Type ...

Page 299: ...e session displays the UAG s startup messages If you cannot see any messages check the terminal emulation program s settings see Section 1 2 1 on page 25 and restart the UAG 2 The system startup messages display followed by Press any key to enter debug mode within 1 seconds Note Do not press any keys at this point Wait to see what displays next Figure 28 System Startup Stopped 3 If the console ses...

Page 300: ...extension for example 1 01 XL 0 C0 ri Do the following after you have obtained the recovery image file Note You only need to use this section if you need to restore the recovery image 1 Restart the UAG 2 When Press any key to enter debug mode within 1 seconds displays press a key to enter debug mode Figure 31 Enter Debug Mode 3 Enter atuk to initialize the recovery process If the screen displays E...

Page 301: ...d a half minutes for the Xmodem upload to finish Figure 35 Recovery Image Upload Complete atuk This command is for restoring the recovery image xxx ri Use This command only when 1 the console displays Invalid Recovery Image or 2 the console freezes at Press any key to enter debug mode within 3 seconds for more than one minute Note Please exit this command immediately if you do not need to restore ...

Page 302: ...ed 2 The UAG s FTP server IP address for firmware recovery is 192 168 1 1 so set your computer to use a static IP address from 192 168 1 2 192 168 1 254 3 Use an FTP client on your computer to connect to the UAG For example in the Windows command prompt type ftp 192 168 1 1 Keep the console session connected in order to see when the firmware recovery finishes 4 Enter your user name when prompted 5...

Page 303: ... quit BM cmd line console ttyS0 115200 root dev ram init zyinit r dev sda addre ss 0x100000 intird start 000000008425E000 size 00000000000EAF4E vmlinux start 0000000084006000 size 00000000002575CD Uncompressing Linux done Start to check file system dev sda2 30 17640 files 6 7 non contiguous 47365 70432 blocks dev sda3 96 112224 files 2 1 non contiguous 8231 224192 blocks Done INIT version 2 86 boo...

Page 304: ...odel See Table 37 on page 86 for detailed information about the interface name module_name The name of the category kernel syslog The default category includes debugging messages generated by open source software The all category includes all messages in all categories protocol The name of a protocol such as TCP UDP ICMP Table 192 logging Commands Log Entries COMMAND DESCRIPTION show logging entri...

Page 305: ... for each connectivity check The no command has the UAG only log the first connectivity check show connectivity check continuous log status Displays whether or not the UAG generates a log for each connectivity check clear logging system log buffer Clears the system log Router configure terminal Router config show logging status system log 58 events logged suppression active yes suppression interva...

Page 306: ...bug log no logging debug suppression interval 10 600 Sets the log consolidation interval for the debug log The no command sets the interval to ten clear logging debug buffer Clears the debug log Table 195 logging Commands Remote Syslog Server Settings COMMAND DESCRIPTION show logging status syslog Displays the current settings for the remote servers no logging syslog 1 4 Enables the specified remo...

Page 307: ...o 31 characters long password You can use most printable ASCII characters You cannot use square brackets double quotation marks question marks tabs or spaces It can be up to 31 characters long no logging mail 1 2 category module_name level alert all Specifies what kind of information is logged for the specified category The no command disables logging for the specified category no logging mail 1 2...

Page 308: ...ig logging mail 1 subject AAA Router config logging mail 1 authentication username lachang li password XXXXXX Router config logging mail 1 send log to lachang li zyxel com tw Router config logging mail 1 send alerts to lachang li zyxel com tw Router config logging mail 1 from lachang li zyxel com tw Router config logging mail 1 schedule weekly day mon hour 3 minute 3 Router config logging mail 1 T...

Page 309: ...mands for reports Table 198 report Commands COMMAND DESCRIPTION no report Begins data collection The no command stops data collection show report status Displays whether or not the UAG is collecting data and how long it has collected data clear report interface_name Clears the report for the specified interface or for all interfaces show report interface_name ip service url Displays the traffic re...

Page 310: ...er config show report status Report status on Collect Statistics since 2012 07 24 Tue 13 49 06 to 2012 07 24 Tue 14 12 46 Table 199 Session Commands COMMAND DESCRIPTION show conn user username any unknown service service name any unknown source ip any destination ip any begin 1 128000 end 1 128000 Displays information about the selected sessions or about all sessions You can look at all the active...

Page 311: ...system name Determines whether the system name will be appended to the subject of the report e mails no mail subject append date time Determines whether the sending date time will be appended at subject of the report e mails no mail from e_mail Sets the sender e mail address of the report e mails no mail to 1 e_mail Sets to whom the UAG sends the report e mails up to five recipients no mail to 2 e...

Page 312: ...rname 12345 and password 12345 to the SMTP server for authentication Sets the UAG to send the report at 1 57 PM Has the UAG not reset the counters after sending the report Has the report include CPU memory port and session usage along with traffic statistics send now Sends the daily e mail report immediately no smtp tls activate Sets the UAG to use Transport Layer Security TLS to have encrypted co...

Page 313: ...ate Router config daily report smtp auth username 12345 password pass12345 Router config daily report schedule hour 13 minutes 57 Router config daily report no reset counter Router config daily report item cpu usage Router config daily report item mem usage Router config daily report item port usage Router config daily report item session usage Router config daily report item traffic report Router...

Page 314: ...s to restart the device for example if the device begins behaving erratically If you made changes in the CLI you have to use the write command to save the configuration before you reboot Otherwise the changes are lost when you reboot Use the reboot command to restart the device ...

Page 315: ...r UDP sessions to connect or deliver and for ICMP sessions session timeout tcp established tcp synrecv tcp close tcp finwait tcp synsent tcp closewait tcp lastack tcp timewait 1 300 Sets the timeout for TCP sessions in the ESTABLISHED SYN_RECV FIN_WAIT SYN_SENT CLOSE_WAIT LAST_ACK or TIME_WAIT state show session timeout icmp tcp udp Displays ICMP TCP and UDP session timeouts Router config session ...

Page 316: ... terminal command to enter the configuration mode to be able to use these commands 62 3 Diagnosis Commands Example The following example creates a diagnostic file and displays its name size and creation date Table 203 diagnosis Commands COMMAND DESCRIPTION diag info collect Has the UAG create a new diagnostic file diag info cancel Stops the on going diagnostic information collection show diag info...

Page 317: ... not perform any further flow checking show system snat order Displays the order of SNAT related functions the UAG checks for packets Once a packet matches the criteria of an SNAT rule the UAG uses the corresponding source IP address and does not perform any further flow checking show system route policy route Displays activated policy routes show system route nat 1 1 Displays activated 1 to 1 NAT...

Page 318: ...settings Router show route order route order Direct Route Policy Route VPN 1 1 Mapping Route 1 1 SNAT SiteTo Site VPN Dynamic VPN Static Dynamic Route Default WAN Trunk Main Route Router show system snat order snat order Policy Route SNAT VPN 1 1 Mapping SNAT 1 1 SNAT Loopback SNAT De fault SNAT Router show system route policy route No PR NO Source Destination Incoming DSCP Service Nexthop Type Ne...

Page 319: ...namic vpn No Source Destination VPN Tunnel Router sshow system route vpn 1 1 map No Source Destination Outgoing Gateway Router show ip route static dynamic Flags A Activated route S Static route C directly Connected O OSPF derived R RIP derived G selected Gateway reject B Black hole L Loop IP Address Netmask Gateway IFace Metric Flags Persis t 0 0 0 0 0 10 1 1 254 wan1 0 ASG Router show system sna...

Page 320: ...g example shows the default WAN trunk settings Router show system snat nat 1 1 No VS Name Source Destination Outgoing SNAT Router show system snat default snat Incoming Outgoing SNAT Internal Interface External Interface Outgoing Interface IP Internal Interfaces lan1 lan2 dmz External Interfaces wan1 wan2 wan1_ppp wan2_ppp Router ...

Page 321: ...ter to extend the use of this command protocol_name You can use the name instead of the number for some IP protocols such as tcp udp icmp and so on The names consist of 1 16 alphanumeric characters or dashes The first character cannot be a number hostname You can use up to 252 alphanumeric characters dashes or periods The first character cannot be a period filter_extension You can use 1 256 alphan...

Page 322: ...ed size of all the capture files on the UAG including any existing capture files and any new capture files you generate The UAG stops the capture and generates the capture file when either the file reaches this size or the time period specified using the duration command above expires host ip ip address profile_name any Sets a host IP address or a host IP address object for which to capture packet...

Page 323: ...168 105 133 icmp echo reply 07 24 08 908749 192 168 105 133 192 168 105 40 icmp echo request DF 07 24 08 910606 192 168 105 40 192 168 105 133 icmp echo reply 8 packets received by filter 0 packets dropped by kernel Router packet trace interface lan1 ip proto icmp file extension filter and src host 192 168 105 133 and dst host 192 168 105 40 s 500 n tcpdump listening on eth1 07 26 51 731558 192 16...

Page 324: ...g File suffix Example File size 10 megabytes Duration 150 seconds Save the captured packets to USB storage device Use the ring buffer no arp IP mac_address Edits or creates an ARP table entry no arp ip Removes an ARP table entry Table 207 Maintenance Tools Commands in Configuration Mode continued COMMAND DESCRIPTION Router arp 192 168 1 10 01 02 03 04 05 06 Router show arp table Address HWtype HWa...

Page 325: ...re configure Router packet capture iface add wan1 Router packet capture ip type any Router packet capture host ip any Router packet capture file suffix Example Router packet capture files size 10 Router packet capture duration 150 Router packet capture storage usbstorage Router packet capture ring buffer disable Router packet capture split size 100 Router packet capture Router packet capture exit ...

Page 326: ...t you not modify the software watchdog timer settings Table 208 hardware watchdog timer Commands COMMAND DESCRIPTION no hardware watchdog timer 4 37 Sets how long the system s hardware can be unresponsive before resetting The no command turns the timer off show hardware watchdog timer status Displays the settings of the hardware watchdog timer Table 209 software watchdog timer Commands COMMAND DES...

Page 327: ...Set how many times the UAG is to re check a process before considering it failed The no command changes the setting back to the default no app watch dog alert Has the UAG send an alert the user when the system is out of memory or disk space no app watch dog disk threshold min 1 100 max 1 100 Sets the percentage thresholds for sending a disk usage alert The UAG starts sending alerts when disk usage...

Page 328: ...og Timer UAG CLI Reference Guide 328 65 3 1 Application Watchdog Commands Example The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring ...

Page 329: ..._try_count recover_max_fail_count uamd 1 1 1 2 1 1 3 firewalld 1 1 0 1 1 1 3 policyd 1 1 1 1 1 1 3 contfltd 1 1 1 1 1 1 3 classify 1 1 0 1 1 1 3 ospfd 1 1 0 1 1 1 3 ripd 1 1 0 1 1 1 3 resd 1 1 0 1 1 1 3 zyshd_wd 1 1 0 1 1 1 3 zyshd 1 1 0 0 1 1 3 httpd 1 1 1 1 1 1 3 dhcpd 1 1 1 1 1 1 3 sshipsecpm 1 1 1 1 1 1 3 zylogd 1 1 0 1 1 1 3 syslog ng 1 1 0 1 1 1 3 zylogger 1 1 0 1 1 1 3 ddns_had 1 1 0 1 1 1 ...

Page 330: ...me 247 no access page color window background 273 no access page message text message 273 no account pppoe pptp profile_name 258 no account e mail 183 no account profile_name 101 no activate 143 no activate 154 no activate 154 no activate 161 no activate 167 no activate 174 no activate 176 no activate 178 no activate 191 no activate 203 no activate 206 no activate 278 no activate 311 no activate 6...

Page 331: ...23 no area IP virtual link IP 123 no area IP virtual link IP authentication 123 no area IP virtual link IP authentication authentication key authkey 123 no area IP virtual link IP authentication message digest 123 no area IP virtual link IP authentication message digest key 1 255 md5 authkey 123 no area IP virtual link IP authentication same as area 123 no area IP virtual link IP authentication ke...

Page 332: ...t _timeout 220 no content filter default block 216 no content filter license license 216 no content filter policy policy_number address schedule filtering_profile 216 no content filter profile filtering_profile 218 no content filter profile filtering_profile commtouch url category category_name 219 no content filter profile filtering_profile custom 218 no content filter profile filtering_profile c...

Page 333: ... no dpd 197 no dscp 0 63 any class af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 cs0 cs1 cs2 cs3 cs4 cs5 cs6 cs7 default wmm_be0 wmm_be24 wmm_bk16 wmm_bk8 wmm_vi32 wmm_vi40 wmm_vo48 wmm_vo56 191 no dscp any 0 63 115 no dscp class default dscp_class 116 no duplex full half 99 no dynamic guest user_name 270 no encryption nomppe mppe 40 mppe 128 259 no eps 1 8 eps_object_name 161 no eps...

Page 334: ...6 priority 1 7 191 no inbound dscp mark 0 63 class af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 cs0 cs1 cs2 cs3 cs4 cs5 cs6 cs7 default wmm_be0 wmm_be24 wmm_bk16 wmm_bk8 wmm_vi32 wmm_vi40 wmm_vo48 wmm_vo56 191 no incoming interface interface interface_name trunk group_name 192 no in dnat activate 200 no in snat activate 200 no interface interface_name any 143 no interface num interf...

Page 335: ... 95 no ip route w x y z w x y z interface w x y z 0 127 119 no ip route control virtual server rules activate 119 no ip ssh server 285 no ip ssh server cert certificate_name 285 no ip ssh server port 1 65535 285 no ip ssh server v1 285 no ip telnet server 286 no ip telnet server port 1 65535 286 no ip address ip 155 no ip select iface auto custom 129 no ip select backup iface auto custom 129 no is...

Page 336: ...ng syslog 1 4 port 1 65535 306 no logging system log suppression 305 no logging system log suppression interval 10 600 305 no logging usb storage 103 no login page color background 273 no login page color window background 273 no login page message text message 273 no login url url 160 no logout ip ipv4_address 160 no logout url url 160 no MAC description description2 70 no mac auth database mac m...

Page 337: ...utgoing interface interface interface_name trunk group_name 192 no outonly interface interface_name 122 no outonly interface interface_name 94 no out snat activate 200 no packet capture activate 322 no passive interface interface_name 122 no passive interface interface_name 122 no passive interface interface_name 94 no passive interface interface_name 95 no password password 188 no password passwo...

Page 338: ...scription 246 no server description description 247 no server description description 248 no server group attribute 1 255 248 no server group attribute group attribute 246 no server group attribute group attribute 247 no server host ad_server 246 no server host ldap_server 247 no server host radius_server auth port auth_port 249 no server ip 259 no server key secret 249 no server nas id NAS_IDENTI...

Page 339: ...an_interface_index ssid_profile 63 no sslvpn application application_object 260 no sslvpn profile_name 126 no sslvpn tunnel_name 116 no starting address ip pool size 1 65535 92 no stop rekeying 200 no system default snat 107 no terms of service 161 no terms of service 162 no third dns server ip interface_name 1st dns 2nd dns 3rd dns Device 92 no to zone_object Device 175 no trigger 1 8 incoming se...

Page 340: ...no windows service pack 1 10 265 no wlan macfilter profile macfilter_profile_name 70 no wlan monitor profile monitor_profile_name 65 no wlan radio profile radio_profile_name 60 no wlan security profile security_profile_name 68 no wlan ssid profile ssid_profile_name 66 no wpa2 preauth 69 no xauth type server xauth_method client name username password password 198 no zone profile_name 126 firewall s...

Page 341: ...tivate 112 activate 138 activate 185 activate 197 activate 199 address address_object 138 address object object_name ip ip_range ip_subnet interface ip interface subnet in terface gateway interface 236 address object rename object_name object_name 236 adjust mss auto 200 1500 199 advertisement flush 168 advertisement rename description_old description_new 168 algorithm wrr llf spill over 107 ap_ma...

Page 342: ...m delete 1 127 190 bwm insert 1 127 190 bwm modify 1 127 190 bwm move 1 127 to 1 127 191 ca enroll cmp name certificate_name cn type ip cn cn_address fqdn cn cn_domain_name mail cn cn_email ou organizational_unit o organization c country key type rsa dsa key len key_length num 0 99999999 password password ca ca_name url url 254 ca enroll scep name certificate_name cn type ip cn cn_address fqdn cn ...

Page 343: ...ring_profile commtouch url offline block log warn pass 219 content filter profile filtering_profile commtouch url unrate block log warn pass 219 content filter profile filtering_profile custom list forbid 218 content filter profile filtering_profile custom list keyword 218 content filter profile filtering_profile custom list trust 218 content filter profile filtering_profile url match block log wa...

Page 344: ... 39 debug interface 39 debug interface ifconfig interface 39 debug interface group 39 debug ip dns 39 debug ip virtual server 39 debug ipsec 39 debug l2 isolation 39 debug logging 39 debug manufacture 39 debug myzyxel server 39 debug myzyxel2 show 39 debug myzyxel2 show sms shm 39 debug network arpignore 39 debug no myzyxel server 39 debug payment service 39 debug policy route 39 debug printer man...

Page 345: ...downlink rate limit data_rate 67 dpd interval 15 60 197 draw usage graphics 311 dscp marking 0 63 116 dscp marking class default dscp_class 116 dtim period 1 255 61 duration 0 300 322 dynamic guest freeuser user_name 269 dynamic guest generate 269 dynamic guest generate freeuser 269 eap external internal auth_method 69 enable 37 encapsulation tunnel transport 199 encrypted password ciphertext 258 ...

Page 346: ..._name 0 65535 0 65535 200 in dnat delete 1 10 200 in dnat insert 1 10 protocol all tcp udp original ip address_name 0 65535 0 65535 mapped ip address_name 0 65535 0 65535 200 in dnat move 1 10 to 1 10 200 in snat source address_name destination address_name snat address_name 200 interface 38 interface num append insert num interface name weight 1 10 limit 1 2097152 passive 107 interface dial inter...

Page 347: ...ospf authentication same as area 95 ip ospf message digest key 1 255 md5 password 95 ip route replace w x y z w x y z interface w x y z 0 127 with w x y z w x y z in terface w x y z 0 127 119 ip ssh server rule rule_number append insert rule_number access group ALL address_object zone ALL zone_object action accept deny 285 ip ssh server rule move rule_number to rule_number 285 ip telnet server rul...

Page 348: ...d_name 198 local ip ip ip domain_name interface interface_name 198 local ip ip 202 local policy address_name 200 logging console category module_name level alert crit debug emerg error info notice warn 308 logging mail 1 2 schedule daily hour 0 23 minute 0 59 307 logging mail 1 2 schedule weekly day day hour 0 23 minute 0 59 307 logging mail 1 2 sending_now 307 logging system log category module_n...

Page 349: ...king 116 no friendly ap ap_mac 72 no ip dns server rule 1 32 277 no ip drop in activate 112 no ip ftp server rule rule_number 287 no ip http secure server cipher suite cipher_algorithm 283 no ip http secure server table admin user rule rule_number 283 no ip http server table admin user rule rule_number 283 no ip http redirect description 141 no ip ospf authentication 95 no ip ospf message digest k...

Page 350: ...t paypal 182 payment service sms page info message message 182 payment service success page account message message 182 payment service success page format date dd mm yyyy mm dd yyyy yyyy mm dd format time 12 hour 24 hour 182 payment service success page notification message message 182 payment service success page notification message color 00FF00 color_name rgb 0 0 255 182 payment service succes...

Page 351: ...w file_name 295 rename script old file_name script new file_name 295 renew 38 renew dhcp interface name 92 reset counter now 312 ring buffer enable disable 322 rogue ap ap_mac description2 72 rogue ap containment 74 rogue ap detection 71 role ap 60 router ospf 122 router ospf 123 router ospf 123 router ospf 95 router rip 122 router rip 94 Router config 280 Router config 83 Router config auto heali...

Page 352: ...2 176 session limit move rule_number to rule_number 176 session limit rule_number 176 set pfs group1 group2 group5 none 200 set security association lifetime seconds 180 3000000 200 set session key ah 256 4095 auth_key esp 256 4095 cipher enc_key authenticator auth_key 202 setenv 38 setenv startup stop on error off 296 show 162 show 193 show 226 show 38 show 90 show address object address6 object ...

Page 353: ... 57 show capwap ap all ap_mac config status 57 show capwap ap all statistics 57 show capwap ap ap_mac slot_name detail 57 show capwap ap fallback 57 show capwap ap fallback interval 57 show capwap ap wait list 57 show capwap manual add 57 show capwap station all 57 show clock date 275 show clock status 275 show clock time 275 show comport status 45 show conn user username any unknown service servi...

Page 354: ...lan bridge ppp virtual ethernet virtual vlan virtual bridge all 87 show interface ppp system default 102 show interface ppp user define 102 show interface send statistics interval 87 show interface summary all 87 show interface summary all status 87 show interface group system default user define group name 107 show interface name 88 show ip dhcp binding ip 92 show ip dhcp dhcp options 90 show ip ...

Page 355: ...logging status system log 305 show logging status usb storage 103 show login page default title 274 show login page settings 274 show logo settings 274 show mac 45 show mem status 45 show ntp server 275 show object group address address6 group_name 236 show object group application object_group_name 233 show object group service group_name 239 show ospf area IP virtual link 123 show packet capture...

Page 356: ... service object_name 43 show reference object sslvpn application object_name 43 show reference object sslvpn policy object_name 43 show reference object username username 43 show reference object zone object_name 43 show reference object group aaa ad group_name 44 show reference object group aaa ldap group_name 44 show reference object group aaa radius group_name 44 show reference object group add...

Page 357: ... ip 206 show sslvpn policy profile_name 206 show system default interface group 108 show system default snat 108 show system route default wan trunk 317 show system route dynamic vpn 317 show system route nat 1 1 317 show system route policy route 317 show system route site to site vpn 317 show system route vpn 1 1 map 317 show system snat default snat 317 show system snat nat 1 1 317 show system ...

Page 358: ... 207 show workspace cifs 207 show zon lldp neighbors 280 show zon lldp server config 280 show zon lldp server statistics 280 show zon lldp server status 280 show zon zdp server status 280 show zone profile_name 126 show zone binding iface 126 show zone default binding 126 show zone none binding 126 show zone system default 126 show zone user define 126 shutdown 38 slot_name ap profile profile_name...

Page 359: ...ce_name 116 trigger delete 1 8 116 trigger insert 1 8 incoming service_name trigger service_name 116 trigger move 1 8 to 1 8 116 tx mask chain_mask 63 type external internal 160 type external internal 164 type internal external general 99 type user agreement web portal 163 unlock lockout users ip console 230 uplink rate limit data_rate 67 url 220 url server rating_server timeout query_timeout 216 ...

Page 360: ...thod 203 vpn configuration provision rule append conf_index insert conf_index 203 vpn configuration provision rule delete conf_index move conf_index to conf_index 203 walled garden rule append 166 walled garden rule flush 166 walled garden rule insert 1 20 166 walled garden rule move 1 20 to 1 20 166 wan interface interface_name lan interface interface_name 112 web auth no exceptional service serv...

Page 361: ...ame1 security_profile_name2 68 wlan ssid profile rename ssid_profile_name1 ssid_profile_name2 66 wpa encrypt tkip aes auto 69 wpa psk wpa_key wpa_key_64 69 write 296 write 38 zon lldp server 280 zon lldp server tx hold 1 10 280 zon lldp server tx interval 1 600 280 zon zdp server 280 zone profile_name 126 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands