ZyXEL Communications ZyWALL USG Series Reference Manual Download Page 181 | Manualshive

Page: 181 / 426

background image

Chapter 26 Web Authentication

ZyWALL / USG (ZLD) CLI Reference Guide

181

26.3 SSO Overview

SSO (Single Sign-On) integrates Domain Controller and ZyWALL / USG authentication mechanisms,
so that users just need to log in once (single login) to get access to permitted resources.

• The ZyWALL / USG, the DC, the SSO agent and the LDAP or AD server must all be in the same

domain and be able to communicate with each other.

• SSO does not support IPv6 or RADIUS; you must use it in an IPv4 network environment with

Windows AD (Active Directory) or LDAP (Lightweight Directory Access Protocol) authentication
databases.

• You must enable Web Authentication to use SSO.

26.3.1 SSO Configuration Commands

Use these commands to configure the ZyWALL / USG to communicate with SSO.

interface

interface_name

Sets an interface on which packets for the policy must be received.

[no] schedule

schedule_name

Sets the time criteria for the specified condition. The

no

command removes

the time criteria, making the condition effective all the time.

[no] source {

address_object

|

group_name

}

Sets the source criteria for the specified condition. The

no

command

removes the source criteria, making the condition effective for all sources.

[no] sso

Enables SSO web authentication. The

no

command disables SSO web

authentication.

show sso { agent | port |

presharekey}

Displays information about the specified condition.

Table 95

web-auth policy Sub-commands (continued)

COMMAND

DESCRIPTION

Table 96

SSO Commands and Subcommnds

COMMAND

DESCRIPTION

sso agent primary

Enters SSO primary agent subcommand mode.

sso agent secondary

Enters secondary agent subcommand mode. A secondary agent is an
optional backup SSO agent.

router(config-sso-primary)#

router(config-sso-secondary)#

[no] ip <w.x.y.z>

Sets the primary or ssecondary SSO agent

ipv4 address.

Use

[no]

to

disable the IPv4 address.

Type the IPv4 address of the SSO agent. The ZyWALL / USG and the SSO
agent must be in the same domain and be able to communicate with each
other.

router(config-sso-primary)#

router(config-sso-secondary)#

[no] port <1025..65535>

Sets the primary or ssecondary agent port

<1025..65535>.

Use

[no]

to

disable the port. Type the same port number here as in the

Agent

Listening Port

field on the SSO agent. Type a number ranging from 1025

to 65535.

sso presharekey <preshared key>

Sets the SSO preshared key. Type 8-32 printable ASCII characters or
exactly 32 hex characters (0-9; a-f). The Agent PreShareKey is used to
encrypt communications between the ZyWALL / USG and the SSO agent

sso encrypted-presharekey <ciphertext>

Sets the SSO encrypted preshared key.

sso_port <1025..65535>

Sets the SSO listening port. This port is used to wait for receiving
information from Agent. Type a number ranging from 1025 to 65535.

«
...
179
180
181
182
183
...
»

Summary of Contents for ZyWALL USG Series

Page 1: ... Security Firewalls Version 4 11 Edition 1 04 2015 Copyright 2011 ZyXEL Communications Corporation CLI Reference Guide Default Login Details LAN Port IP Address http 192 168 1 1 User Name admin Password 1234 Copyright 2015 ZyXEL Communications Corporation ...

Page 2: ...r 1 on page 21 for how to access and use the CLI Command Line Interface Read Chapter 2 on page 35 to learn about the CLI user and privilege modes Related Documentation Quick Start Guide The Quick Start Guide shows how to connect the ZyWALL USG and access the Web Configurator wizards See the wizard real time help for information on configuring each screen It also contains a connection diagram and p...

Page 3: ...n 74 Wireless Load Balancing 76 Auto Healing 79 Interfaces 81 Trunks 115 Route 119 Routing Protocol 129 Zones 133 DDNS 137 Virtual Servers 141 HTTP Redirect 145 ALG 149 UPnP 153 IP MAC Binding 157 Layer 2 Isolation 160 Secure Policy 163 Web Authentication 179 RTLS 183 IPSec VPN 185 SSL VPN 199 L2TP VPN 203 Bandwidth Management 209 Application Patrol 215 Anti Virus 219 IDP Commands 225 Content Filt...

Page 4: ... Authentication Objects 297 Authentication Server 300 Certificates 303 ISP Accounts 307 SSL Application 309 DHCPv6 Objects 312 System 315 System Remote Management 327 File Manager 339 Logs 359 Reports and Reboot 365 Session Timeout 371 Diagnostics 373 Packet Flow Explore 375 Maintenance Tools 379 Watchdog Timer 385 ...

Page 5: ...nformation Optional 26 1 4 2 Command Input Values Optional 26 1 4 3 Command Summary 26 1 4 4 Command Examples Optional 26 1 4 5 Command Syntax 26 1 4 6 Changing the Password 27 1 5 CLI Modes 27 1 6 Shortcuts and Help 28 1 6 1 List of Available Commands 28 1 6 2 List of Sub commands or Required User Input 28 1 6 3 Entering Partial Commands 29 1 6 4 Entering a in a Command 29 1 6 5 Command History 2...

Page 6: ...ands 50 5 2 1 Command Examples 51 Chapter 6 AP Management 53 6 1 AP Management Overview 53 6 2 AP Management Commands 53 6 2 1 AP Management Commands Example 55 Chapter 7 Wireless LAN Profiles 56 7 1 Wireless LAN Profiles Overview 56 7 2 AP Radio Profile Commands 56 7 2 1 AP Profile Commands Example 60 7 3 AP Monitor Profile Commands 61 7 4 SSID Profile Commands 62 7 4 1 SSID Profile Example 64 7 ...

Page 7: ... 11 Wireless Load Balancing 76 11 1 Wireless Load Balancing Overview 76 11 2 Wireless Load Balancing Commands 76 11 2 1 Wireless Load Balancing Examples 77 Chapter 12 Auto Healing 79 12 1 Auto Healing Overview 79 12 2 Auto Healing Commands 79 12 2 1 Auto Healing Examples 80 Chapter 13 Interfaces 81 13 1 Interface Overview 81 13 1 1 Types of Interfaces 81 13 1 2 Relationships Between Interfaces 84 ...

Page 8: ... Storage General Commands Example 112 13 9 VLAN Interface Specific Commands 112 13 9 1 VLAN Interface Command Examples 113 13 10 Bridge Specific Commands 113 13 10 1 Bridge Interface Command Examples 114 Chapter 14 Trunks 115 14 1 Trunks Overview 115 14 2 Trunk Scenario Examples 115 14 3 Trunk Commands Input Values 116 14 4 Trunk Commands Summary 116 14 5 Trunk Command Examples 117 Chapter 15 Rout...

Page 9: ...ter 19 Virtual Servers 141 19 1 Virtual Server Overview 141 19 1 1 1 1 NAT and Many 1 1 NAT 141 19 2 Virtual Server Commands Summary 141 19 2 1 Virtual Server Command Examples 143 19 2 2 Tutorial How to Allow Public Access to a Server 144 Chapter 20 HTTP Redirect 145 20 1 HTTP Redirect Overview 145 20 1 1 Web Proxy Server 145 20 2 HTTP Redirect Commands 146 20 2 1 HTTP Redirect Command Examples 14...

Page 10: ...b Commands 167 25 2 2 Secure Policy Command Examples 169 25 3 Session Limit Commands 171 25 4 ADP Commands Overview 173 25 4 1 ADP Command Input Values 174 25 4 2 ADP Activation Commands 174 25 4 3 ADP Global Profile Commands 174 25 4 4 ADP Zone to Zone Rule Commands 174 25 4 5 ADP Add Edit Profile Commands 175 Chapter 26 Web Authentication 179 26 1 Web Authentication Overview 179 26 2 Web Authent...

Page 11: ... Policy 199 29 1 1 SSL Application Objects 199 29 1 2 SSL Access Policy Limitations 199 29 2 SSL VPN Commands 199 29 2 1 SSL VPN Commands 200 29 2 2 Setting an SSL VPN Rule Tutorial 201 Chapter 30 L2TP VPN 203 30 1 L2TP VPN Overview 203 30 2 IPSec Configuration 203 30 2 1 Using the Default L2TP VPN Connection 204 30 3 Policy Route 204 30 4 L2TP VPN Commands 205 30 4 1 L2TP VPN Commands 205 30 5 L2...

Page 12: ...3 3 Update Anti virus Signatures 223 33 3 1 Update Signature Examples 223 33 4 Anti virus Statistics 224 33 4 1 Anti virus Statistics Example 224 Chapter 34 IDP Commands 225 34 1 Overview 225 34 2 General IDP Commands 225 34 2 1 IDP Activation 225 34 3 IDP Profile Commands 226 34 3 1 Global Profile Commands 226 34 3 2 Editing Creating IDP Signature Profiles 227 34 3 3 Signature Search 227 34 4 IDP...

Page 13: ...ter 37 SSL Inspection 257 37 1 SSL Inspection Overview 257 37 2 SSL Inspection Commands Summary 257 37 2 1 SSL Inspection Exclusion Commands 258 37 2 2 SSL Inspection Profile Settings 258 37 2 3 SSL Inspection Certificate Cache 259 37 2 4 SSL Inspection Certificate Update 259 37 2 5 SSL Inspection Statistics 260 37 2 6 SSL Inspection Command Examples 261 Chapter 38 Device HA 263 38 1 Device HA Ove...

Page 14: ...ands 280 41 2 2 Address Group Commands 282 Chapter 42 Services 285 42 1 Services Overview 285 42 2 Services Commands Summary 285 42 2 1 Service Object Commands 285 42 2 2 Service Group Commands 286 Chapter 43 Schedules 289 43 1 Schedule Overview 289 43 2 Schedule Commands Summary 289 43 2 1 Schedule Command Examples 290 Chapter 44 AAA Server 291 44 1 AAA Server Overview 291 44 2 Authentication Ser...

Page 15: ...and Examples 301 Chapter 47 Certificates 303 47 1 Certificates Overview 303 47 2 Certificate Commands 303 47 3 Certificates Commands Input Values 303 47 4 Certificates Commands Summary 304 47 5 Certificates Commands Examples 306 Chapter 48 ISP Accounts 307 48 1 ISP Accounts Overview 307 48 1 1 PPPoE and PPTP Account Commands 307 48 1 2 Cellular Account Commands 308 Chapter 49 SSL Application 309 4...

Page 16: ...Overview 325 51 10 1 LLDP 325 51 10 2 ZON Commands 325 51 10 3 ZON Examples 326 Chapter 52 System Remote Management 327 52 1 Remote Management Overview 327 52 1 1 Remote Management Limitations 327 52 1 2 System Timeout 327 52 2 Common System Command Input Values 328 52 3 HTTP HTTPS Commands 328 52 3 1 HTTP HTTPS Command Examples 330 52 4 SSH 330 52 4 1 SSH Implementation on the ZyWALL USG 330 52 4...

Page 17: ...oad 346 53 7 2 Command Line FTP Configuration File Upload Example 346 53 7 3 Command Line FTP File Download 346 53 7 4 Command Line FTP Configuration File Download Example 347 53 8 ZyWALL USG File Usage at Startup 347 53 9 Notification of a Damaged Recovery Image or Firmware 348 53 10 Restoring the Recovery Image 349 53 11 Restoring the Firmware 351 53 12 Restoring the Default System Database 353 ...

Page 18: ...xample 373 Chapter 58 Packet Flow Explore 375 58 1 Packet Flow Explore 375 58 2 Packet Flow Explore Commands 375 58 3 Packet Flow Explore Commands Example 376 Chapter 59 Maintenance Tools 379 59 1 Maintenance Command Examples 381 59 1 1 Packet Capture Command Example 382 Chapter 60 Watchdog Timer 385 60 1 Hardware Watchdog Timer 385 60 2 Software Watchdog Timer 385 60 3 Application Watchdog 386 60...

Page 19: ...19 PART I Introduction ...

Page 20: ...20 ...

Page 21: ...figuration file on the ZyWALL USG However only one configuration file is used at a time You can perform the following with a configuration file Back up ZyWALL USG configuration once the ZyWALL USG is set up to work in your network Restore ZyWALL USG configuration Save and edit a configuration file and upload it to multiple ZyWALL USGs of the same model in your network to have the same settings Not...

Page 22: ...ure 1 Console Port Power on Display After the initialization the login screen displays Figure 2 Login Screen Enter the user name and password at the prompts Note The default login username is admin and password is 1234 The username and password are case sensitive 1 2 2 Web Configurator Console Note Before you can access the CLI through the web configurator make sure your computer supports the Java...

Page 23: ...en 3 If the Java plug in is already installed skip to step 4 Otherwise you will be prompted to install the Java plug in If the prompt does not display and the screen remains gray you have to download the setup program 4 The web console starts This might take a few seconds One or more security screens may display Click Yes or Always Figure 3 Web Console Security Warnings Finally the User Name scree...

Page 24: ... Console Password 6 Enter the password for the user name you specified earlier and click OK If you enter the password incorrectly you get an error message and you may have to close the console window and open it again If you enter the password correctly the console screen appears Figure 7 Web Console 7 To use most commands in this User s Guide enter configure terminal The prompt should change to R...

Page 25: ...s with your SSH program for information on using it Note The default login username is admin and password is 1234 The username and password are case sensitive Figure 8 SSH Login Example 1 3 How to Find Commands in this Guide You can simply look for the feature chapter to find commands In addition you can use the List of Commands Alphabetical at the end of the guide This section lists the commands ...

Page 26: ...4 4 Command Examples Optional This section contains any examples for the commands in this feature 1 4 5 Command Syntax The following conventions are used in this User s Guide A command or keyword in courier new must be entered literally as shown Do not abbreviate Values that you need to provide are in italics Required fields that have multiple choices are enclosed in curly brackets A range of numb...

Page 27: ...ONFIGURATION SUB COMMAND What Guest users can do Unable to access Unable to access Unable to access Unable to access What User users can do Look at but not run available commands Unable to access Unable to access Unable to access What Limited Admin users can do Look at system information like Status screen Run basic diagnostics Look at system information like Status screen Run basic diagnostics Un...

Page 28: ...le 2 1 6 2 List of Sub commands or Required User Input To view detailed help information for a command enter command sub command Figure 11 Help Sub command Information Example Figure 12 Help Required User Input Example Router cr apply atse clear configure Snip shutdown telnet test traceroute write Router Router show wlan ap interface aaa access page account ad server address object Snip wlan works...

Page 29: ... on your keyboard to enter a without the ZyWALL USG treating it as a help query 1 6 5 Command History The ZyWALL USG keeps a list of commands you have entered for the current CLI session You can use any commands in the history again by pressing the up or down arrow key to scroll through the previously used commands and press ENTER 1 6 6 Navigation Press CTRL A to move the cursor to the beginning o...

Page 30: ...uter config if ge description description Table 3 Input Value Formats for Strings in CLI Commands TAG VALUES LEGAL VALUES 1 all ALL authentication key Used in IPSec SA 32 40 16 20 0x or 0X 32 40 hexadecimal values alphanumeric or _ Used in MD5 authentication keys for RIP OSPF and text authentication key for RIP 0 16 alphanumeric or _ Used in text authentication keys for OSPF 0 8 alphanumeric or _ ...

Page 31: ...her commands 0 252 alphanumeric or first character alphanumeric or import configuration file 1 26 conf alphanumeric or _ add conf at the end import shell script 1 26 zysh alphanumeric or _ add zysh at the end initial string 1 64 alphanumeric spaces or _ isp account password 0 63 alphanumeric or _ isp account username 0 30 alphanumeric or _ ipv6_addr An IPv6 address The 128 bit IPv6 address is writ...

Page 32: ...key 16 64 0x or 0X 16 64 hexadecimal values alphanumeric or _ profile name 0 30 alphanumeric or _ first character letters or _ proto name 1 16 lower case letters numbers or protocol name 0 30 alphanumeric or _ first character letters or _ quoted string less than 127 chars 1 255 alphanumeric spaces or _ quoted string less than 63 chars 1 63 alphanumeric spaces or _ quoted string 0 alphanumeric spac...

Page 33: ...ed in content filtering redirect http https alphanumeric or _ starts with http or https may contain one pound sign Used in other content filtering commands http alphanumeric or _ starts with http may contain one pound sign user name Used in VPN extended authentication 1 31 alphanumeric or _ Used in other commands 0 30 alphanumeric or _ first character letters or _ username 6 20 alphanumeric or _ r...

Page 34: ... Line Interface ZyWALL USG ZLD CLI Reference Guide 34 1 10 Logging Out Enter the exit or end command in configure mode to go to privilege mode Enter the exit command in user mode or privilege mode to log out of the CLI ...

Page 35: ...f you need assistance troubleshooting your device For admin logins all commands are visible in user mode but not all can be run there The following table displays which commands can be run in user mode All commands can be run in privilege mode The psm commands are for ZyXEL s internal manufacturing process Table 4 User U and Privilege P Mode Commands COMMAND MODE DESCRIPTION apply P Applies a conf...

Page 36: ...acturing process reboot P Restarts the device release P Releases DHCP information from an interface rename P Renames a configuration file renew P Renews DHCP information for an interface run P Runs a script setenv U P Turns stop on error on terminates booting if an error is found in a configuration file or off ignores configuration file errors and continues booting show U P Displays command statis...

Page 37: ...ging debug commands debug manufacture Manufacturing related debug commands debug myzyxel server Myzyxel com debug commands debug network arpignore Enable Display the ignoring of ARP responses for interfaces which don t own the IP address cat proc sys net ipv4 conf arp_ignore debug server register Set the myzyxel com registration server debug policy route Policy route debug command debug reset cont...

Page 38: ...Chapter 2 User and Privilege Modes ZyWALL USG ZLD CLI Reference Guide 38 ...

Page 39: ...39 PART II Reference ...

Page 40: ...40 ...

Page 41: ...Displays which configuration settings reference the specified interface or virtual interface object show reference object aaa authentication default auth_method Displays which configuration settings reference the specified AAA authentication object show reference object ca category local remote cert_name Displays which configuration settings reference the specified authentication method object sho...

Page 42: ...eference object group address6 object_name Displays which configuration settings reference the specified IPv6 address group object show reference object group service object_name Displays which configuration settings reference the specified service group object show reference object group interface object_name Displays which configuration settings reference the specified trunk object show referenc...

Page 43: ...s of the extension card slot and USB ports and the names of devices connected to them show led status Displays the status of each LED on the ZyWALL USG show mac Displays the ZyWALL USG s MAC address show mem status Displays what percentage of the ZyWALL USG s memory is currently being used show ram size Displays the size of the ZyWALL USG s on board RAM show serial number Displays the serial numbe...

Page 44: ...tilization 0 CPU core 1 utilization for 1 min 0 CPU core 1 utilization for 5 min 2 CPU core 2 utilization 0 CPU core 2 utilization for 1 min 0 CPU core 2 utilization for 5 min 0 CPU core 3 utilization 0 CPU core 3 utilization for 1 min 0 CPU core 3 utilization for 5 min 0 Router config show fan speed FAN1 F00 rpm limit hi 6500 limit lo 1400 max 6650 min 6642 avg 6644 FAN2 F01 rpm limit hi 6500 lim...

Page 45: ... tcp 0 0 0 0 2604 0 0 0 0 0 LISTEN 5 tcp 0 0 0 0 80 0 0 0 0 0 LISTEN 6 tcp 127 0 0 1 8085 0 0 0 0 0 LISTEN 7 tcp 1 1 1 1 53 0 0 0 0 0 LISTEN 8 tcp 172 23 37 205 53 0 0 0 0 0 LISTEN 9 tcp 10 0 0 8 53 0 0 0 0 0 LISTEN 10 tcp 172 23 37 240 53 0 0 0 0 0 LISTEN 11 tcp 192 168 1 1 53 0 0 0 0 0 LISTEN 12 tcp 127 0 0 1 53 0 0 0 0 0 LISTEN 13 tcp 0 0 0 0 21 0 0 0 0 0 LISTEN 14 tcp 0 0 0 0 22 0 0 0 0 0 LIST...

Page 46: ... 0 18 udp 127 0 0 1 63000 0 0 0 0 0 19 udp 127 0 0 1 63001 0 0 0 0 0 20 udp 127 0 0 1 63002 0 0 0 0 0 21 udp 0 0 0 0 161 0 0 0 0 0 22 udp 127 0 0 1 63009 0 0 0 0 0 23 udp 192 168 1 1 1701 0 0 0 0 0 24 udp 1 1 1 1 1701 0 0 0 0 0 25 udp 10 0 0 8 1701 0 0 0 0 0 26 udp 172 23 37 205 1701 0 0 0 0 0 27 udp 172 23 37 240 1701 0 0 0 0 0 28 udp 127 0 0 1 1701 0 0 0 0 0 29 udp 127 0 0 1 63024 0 0 0 0 0 30 u...

Page 47: ...on This example shows the current LED states on the ZyWALL USG The SYS LED lights on and green The HDD LEDs is off Router show system uptime system uptime 04 18 00 Router show version ZyXEL Communications Corp model ZyWALL USG 110 firmware version 2 20 AQQ 0 b3 BM version 1 08 build date 2014 01 21 01 18 06 Router show led status sys green usbled off Router ...

Page 48: ...Chapter 4 Status ZyWALL USG ZLD CLI Reference Guide 48 ...

Page 49: ...lity See the Introduction chapter in the ZyWALL USG User s Guide or the product datasheet for details You can purchase an EiCard and enter the license key from it at http www myzyxel com to have the ZyWALL use UTM services or have the ZyWALL USG use more SSL VPN tunnels See the respective chapters in the User s Guide for more information about UTM features The ZyWALL USG s anti virus packet scanne...

Page 50: ...the commands available for registration You must use the configure terminal command to enter the configuration mode before you can use these commands Table 8 Command Summary Registration COMMAND DESCRIPTION service register checkexpire Gets information of all service subscriptions from myZyXEL com and updates the status table show device register status Displays whether the device is registered an...

Page 51: ...ow many days remain before the service expires Router configure terminal Router config show device register status username example password 123456 device register status yes expiration self check no Router configure terminal Router config show service register status all Service Status Type Count Expiration IDP Signature Licensed Standard N A 176 Anti Virus Not Licensed None N A 0 SSLVPN Not Lice...

Page 52: ...Chapter 5 Registration ZyWALL USG ZLD CLI Reference Guide 52 ...

Page 53: ...ds Other input values are discussed with the corresponding commands Table 9 Input Values for General AP Management Commands LABEL DESCRIPTION ap_mac The Ethernet MAC address of the managed AP Enter 6 hexidecimal pairs separated by colons You can use 0 9 a z and A Z ap_model The model name of the managed AP such as NWA5160N NWA5560 N NWA5550 N NWA5121 NI or NWA5123 NI slot_name The slot name for th...

Page 54: ...not the ZyWALL USG changes the AP s management VLAN to match the one you configure using the vlan sub command The management VLAN on the ZyWALL USG and AP must match for the ZyWALL USG to manage the AP vlan 1 4094 tag untag Sets the VLAN ID for the specified AP as well as whether packets sent to and from that ID are tagged or untagged exit Exits the sub command mode for the specified AP capwap man...

Page 55: ...B 03 exit Router config show capwap ap all index 1 Status RUN IP 192 168 1 37 MAC 40 4A 03 05 82 1E Description AP 404A0305821E Model NWA5160N R1 mode AP R1Prof default R2 mode AP R2Prof n a Station 0 RadioNum 2 Mgnt VLAN ID 1 Tag no WTP VLAN ID 1 WTP Tag no Force VLAN disable Firmware Version 2 25 AAS 0 b2 Recent On line Time 08 43 04 2013 05 24 Last Off line Time N A Router config show capwap ap...

Page 56: ...for General Radio and Monitor Profile Commands LABEL DESCRIPTION radio_profile_name The radio profile name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive wlan_role Sets the wireless LAN radio operating mode At the time of writing you can use ap for Access Point wireless_channel_2g Sets the 2 GHz channel used ...

Page 57: ...s all Displays all profiles for the selected operating mode radio_profile_name Displays the specified profile for the selected operating mode wlan radio profile rename radio_profile_name1 radio_profile_name2 Gives an existing radio profile radio_profile_name1 a new name radio_profile_name2 no wlan radio profile radio_profile_name Enters configuration mode for the specified radio profile Use the no...

Page 58: ...very Traffic Indication Message DTIM is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode A high DTIM value can cause clients to lose connectivity with the network This value can be set from 1 to 255 The default is 1 beacon interval 40 1000 Sets the beacon interval for this profile When a wirelessly networked device se...

Page 59: ...ck ack active or inactive Use the no parameter to disable it ch width wlan_htcw Sets the channel width for this profile guard interval wlan_htgi Sets the guard interval for this profile The default for this is short 2g basic speed wlan_2g_basic_speed Sets the 2 4 GHz basic band rates The default is 1 0 2 0 5 5 11 0 2g channel wireless_channel_2g Sets the broadcast band for this profile in the 2 4 ...

Page 60: ...d interval an output power of 100 5g support speed disable wlan_5g_support_speed Disables or sets the 5 GHz support rate The default is 6 0 54 0 tx mask chain_mask Sets the outgoing chain mask rate rx mask chain_mask Sets the incoming chain mask rate no htprotection Activates HT protection for this profile Use the no parameter to disable it By default this is disabled output power wlan_power Sets ...

Page 61: ... config profile radio subframe ampdu 64 Router config profile radio amsdu Router config profile radio limit amsdu 4096 Router config profile radio block ack Router config profile radio guard interval short Router config profile radio tx mask 5 Router config profile radio rx mask 7 Router config profile radio output power 100 Router config profile radio ssid profile 1 default Table 13 Input Values ...

Page 62: ...h channel exit Exits configuration mode for this profile Table 14 Command Summary Monitor Profile continued COMMAND DESCRIPTION Table 15 Input Values for General SSID Profile Commands LABEL DESCRIPTION ssid_profile_name The SSID profile name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive ssid The SSID broadca...

Page 63: ...r the specified SSID profile Use the no parameter to remove the specified profile bandselect check sta interval 1 60000 Sets how often in seconds the AP checks and deletes old wireless client data bandselect drop authentication 1 16 Sets how many authentication request from a client to a 2 4GHz Wi Fi network is ignored during the specified timeout period bandselect drop probe request 1 32 Sets how...

Page 64: ...ied security profile to this SSID profile ssid Sets the SSID This is the name visible on the network to wireless clients Enter up to 32 characters spaces and underscores are allowed The default SSID is ZyXEL uplink rate limit data_rate Sets the maximum outgoing transmission data rate either in mbps or kbps on a per station basis vlan id 1 4094 Applies to each SSID profile that uses localbridge If ...

Page 65: ...ity profile all security_profile_name Displays the security profile s all Displays all profiles for the selected operating mode security_profile_name Displays the specified profile for the selected operating mode wlan security profile rename security_profile_name1 security_profile_name2 Gives existing security profile security_profile_name1 a new name security_profile_name2 no wlan security profil...

Page 66: ...auth 30 30000 Sets the interval in seconds between authentication requests The default is 0 idle 30 30000 Sets the idle interval in seconds that a client can be idle before authentication is discontinued The default is 300 group key 30 30000 Sets the interval in seconds at which the AP updates the group WPA WPA2 encryption key The default is 1800 no dot1x eap Enables 802 1x secure authentication U...

Page 67: ... Displays the security profile s all Displays all profiles for the selected operating mode macfilter_profile_name Displays the specified profile for the selected operating mode wlan macfilter profile rename macfilter_profile_name1 macfilter_profile_name2 Gives an existing security profile macfilter_profile_name1 a new name macfilter_profile_name2 no wlan macfilter profile macfilter_profile_name En...

Page 68: ... can include APs from neighboring companies for example or even APs maintained by your company s employees that operate outside of the established network 8 2 Rogue AP Detection Commands The following table identifies the values required for many of these commands Other input values are discussed with the corresponding commands The following table describes the commands available for rogue AP dete...

Page 69: ... the specified MAC address from the friendly AP list monitoring flush Removes all detected APs from the rogue AP list exit Exits configuration mode for rogue AP detection show rogue ap detection monitoring Displays a table of detected APs and information about them such as their MAC addresses when they were last seen and their SSIDs to name a few show rogue ap detection list rogue friendly all Dis...

Page 70: ... then every AP on the network will respect it Note Containing a rogue AP means broadcasting unviable login data at it preventing legitimate wireless clients from connecting to it This is a kind of Denial of Service attack Router config show rogue ap detection list friendly no mac description 1 11 11 11 11 11 11 third floor 2 00 13 49 11 22 33 3 00 13 49 00 00 05 4 00 13 49 00 00 01 5 00 0D 0B CB 3...

Page 71: ...XX XX XX XX XX format of the AP to be contained The no command removes the entry Table 24 Command Summary Rogue AP Containment COMMAND DESCRIPTION rogue ap containment Enters sub command mode for rogue AP containment no activate Activates rogue AP containment Use the no parameter to deactivate rogue AP containment no contain ap_mac Isolates the device associated with the specified MAC address Use ...

Page 72: ...ture commands which allows a network administrator to capture wireless traffic information and download it to an Ethereal Tcpdump compatible format packet file for analysis 9 2 Wireless Frame Capture Commands The following table identifies the values required for many of these commands Other input values are discussed with the corresponding commands Table 25 Input Values for Wireless Frame Capture...

Page 73: ...interfaces You can use this command multiple times to add additional IPs to the monitor list file prefix file_name Sets the file name prefix for each captured file Enter up to 31 alphanumeric characters Spaces and underscores are not allowed files size mon_dir_size Sets the total combined size in kbytes of all files to be captured exit Exits configuration mode for wireless frame capture no frame c...

Page 74: ...er AP is using or at least a channel that has a lower level of interference in order to give the connected stations a minimum degree of channel interference 10 2 DCS Commands The following table identifies the values required for many of these commands Other input values are discussed with the corresponding commands The following table describes the commands available for dynamic channel selection...

Page 75: ... the AP uses in the 2 4 GHz band dcs dcs 5g method auto manual Sets the AP to automatically search for available channels or manually configures the channels the AP uses in the 5 GHz band dcs dfs aware enable disable Enables this to allow an AP to avoid phase DFS channels below the 5 GHz spectrum dcs invoke Sets the managed APs to scan for and select an available channel immediately dcs sensitivit...

Page 76: ... for wireless load balancing You must use the configure terminal command to enter the configuration mode before you can use these commands Table 29 Command Summary Load Balancing COMMAND DESCRIPTION no load balancing activate Enables load balancing Use the no parameter to disable it no load balancing kickout Enables an overloaded AP to disconnect kick idle clients or clients with noticeably weak c...

Page 77: ...oad balancing max sta 1 127 If load balancing by the number of stations wireless clients this sets the maximum number of devices allowed to connect to a load balanced AP load balancing sigma 51 100 Sets the load balancing sigma value This value is algorithm parameter used to calculate whether an AP is considered overloaded balanced or underloaded It only applies to by traffic mode Note This parame...

Page 78: ...el is set to low and disassociate station is enabled Router config load balancing mode traffic Router config load balancing traffic level low Router config load balancing kickout Router config show load balancing config load balancing config Activate yes Kickout yes Mode traffic Max sta 1 Traffic level low Alpha 5 Beta 10 Sigma 60 Timeout 20 LIInterval 10 KickoutInterval 20 ...

Page 79: ...MAND DESCRIPTION no auto healing activate Turns on the auto healing feature Use the no parameter to turn it off auto healing healing interval interval Sets the interval that specifies how often the managed APs scan their neighborhoods and report the status of neighbor APs to the AP controller ZyWALL USG An AP is considered failed if the AP controller obtains the same scan result that the AP is mis...

Page 80: ...extend their wireless service coverage areas auto healing update Sets all manged APs to immediately scan their neighborhoods three times in a row and update their neighbor lists to the AP controller ZyWALL USG show auto healing config Displays the current auto healing configuration Table 31 Command Summary Auto Healing continued COMMAND DESCRIPTION Router config auto healing activate Router config...

Page 81: ...ess level Ethernet interfaces are the foundation for defining other interfaces and network policies RIP and OSPF are also configured in these interfaces VLAN interfaces receive and send tagged frames The ZyWALL USG automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Bridge interfaces create a software connection between Ethernet or VLAN int...

Page 82: ...ters Table 32 Characteristics of Ethernet VLAN Bridge PPPoE PPTP and Virtual Interface for some ZyWALL USG models CHARACTERISTICS ETHERNET VLAN BRIDGE PPPOE PPTP VIRTUAL Name gex vlanx brx pppx IP Address Assignment static IP address Yes Yes Yes Yes Yes DHCP client Yes Yes Yes Yes No routing metric Yes Yes Yes Yes Yes Interface Parameters bandwidth restrictions Yes Yes Yes Yes Yes packet size MTU ...

Page 83: ...ecify the number after the colon if you use the CLI to set up a virtual interface Each name consists of letters interface type followed by a number x For most interfaces x is limited by the maximum number of the type of interface For WLAN interfaces the first number identifies the slot and the second number identifies the individual interface Cellular interfaces can be added to the WAN zone or no ...

Page 84: ...N interface to a bridge if the member interface has a virtual interface or PPPoE PPTP interface on top of it Table 35 Relationships Between Different Types of Interfaces INTERFACE REQUIRED PORT INTERFACE Ethernet interface physical port port group VLAN interface Ethernet interface bridge interface Ethernet interface VLAN interface PPPoE PPTP interface For some ZyWALL USG models Ethernet interface ...

Page 85: ...model supports virtual interface on top of bridge interface brx y x the number of the bridge interface y 1 4 PPPoE PPTP interface pppx x 0 N where N depends on the number of PPPoE PPTP interfaces your ZyWALL USG model supports profile_name The name of the DHCP pool You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensiti...

Page 86: ...er the higher the priority no metric 0 15 Sets the tunnel PPPoE PPTP or cellular interface s priority relative to other interfaces The lower the number the higher the priority no mss 536 1460 Specifies the maximum segment size MSS the interface is to use MSS is the largest amount of data specified in bytes that the interface can handle in a single unfragmented piece The no command has the interfac...

Page 87: ... infinity Sets the IPv6 prefix that the ZyWALL USG advertises to its clients whether or not to advertise it and how long before the prefix s preference and lifetime expire nd ra min rtr interval 3 1350 Sets the minimum IPv6 router advertisement transmission interval nd ra max rtr interval 4 1800 Sets the maximum IPv6 router advertisement transmission interval nd ra reachable time 0 3600000 Sets th...

Page 88: ... number of seconds a DHCPv6 client should wait before refreshing information retrieved from DHCPv6 dhcp6 duid duid mac Specify the DHCP Unique IDentifier DUID of the interface or have it generated from the interface s default MAC address dhcp6 lease object dhcp6_profile For a DHCPv6 server interface specify the profile of DHCPv6 lease settings to offer to DHCPv6 clients dhcp6 request object dhcp6_...

Page 89: ...isable this option in the DHCPv6 clients dhcp6 lease object dhcp6_profile Removes the specified profile of DHCPv6 lease settings to offer to DHCPv6 clients dhcp6 request object dhcp6_profile Removes the specified profile of DHCPv6 request settings that determine what additional information to get from the DHCPv6 server interface reset interface_name virtual_interface_name al l Resets the interface...

Page 90: ...his example also shows how to change the user defined name from Partner to Customer using the interface name command Router configure terminal Router config interface ge1 Router config if ip address dhcp Router config if exit Router show interface name No System Name User Defined Name 1 ge1 ge1 2 ge2 ge2 3 ge3 ge3 4 ge4 ge4 5 ge5 ge5 Router configure terminal Router config interface name ge4 VIP R...

Page 91: ...ration terminal mode and select an interface Router show interface name No System Name User Defined Name 1 ge1 ge1 2 ge2 ge2 3 ge3 ge3 4 ge4 Customer 5 ge5 ge5 Router configure terminal Router config interface reset ge4 Router config interface reset Customer Router config Table 38 interface Commands IGMP Proxy Commands COMMAND DESCRIPTION no igmp activate Enables IGMP proxy on this interface The n...

Page 92: ... config if lan1 exit Table 39 interface Commands DHCP Settings COMMAND DESCRIPTION show ip dhcp dhcp options Shows the DHCP extended option settings show ip dhcp pool profile_name Shows information about the specified DHCP pool or about all DHCP pools show ip dhcp pool profile_name dhcp options Shows the specified DHCP pool s DHCP extended option settings ip dhcp pool rename profile_name profile_n...

Page 93: ...et them however dhcp option 1 254 option_name boolean 0 1 uint8 0 255 uint16 0 65535 uint32 0 4294967295 ip ipv4 ipv4 ipv4 fqdn fqdn fqdn fqdn text text hex hex vivc enterprise_id hex_s enterprise_id hex_s vivs enterprise_id hex_s enterprise_id hex_s Adds or edits a DHCP extended option for the specified DHCP pool text String of up to 250 characters hex String of up to 250 hexadecimal pairs vivc V...

Page 94: ...the first WINS server IP address to assign to the remote users The no command removes the setting no second wins server ip Specifies the second WINS server IP address to assign to the remote users The no command removes the setting no lease 0 365 0 23 0 59 infinite Sets the lease time to the specified number of days hours and minutes or makes the lease time infinite The no command resets the first...

Page 95: ...nfig ip dhcp pool second dns server ge1 1st dns Router config ip dhcp pool third dns server 10 1 5 2 Router config ip dhcp pool default router 192 168 1 1 Router config ip dhcp pool lease 0 1 30 Router config ip dhcp pool starting address 192 168 1 10 pool size 30 Router config ip dhcp pool hardware address 00 0F 20 74 B8 18 Router config ip dhcp pool client identifier 00 0F 20 74 B8 18 Router con...

Page 96: ... Router config if vir description downstream exit ip no shutdown upstream Router config interface wan1_ppp Router config if ppp account bind connectivity description downstream exit ipv6 local address metric mss mtu no ping check remote address shutdown traffic prioritize upstream CELLULAR VLAN Router config interface cellular1 Router config if cellular account band budget connectivity description...

Page 97: ...tonly interface interface_name Sets the RIP direction of the specified interface to out only The no command makes RIP bi directional in the specified interface interface interface_name Enters sub command mode no ip rip send receive version 1 2 Sets the send or receive version to the specified version number The no command sets the send or received version to the current global setting for RIP See ...

Page 98: ...assword 1 8 alphanumeric characters or underscores ip ospf message digest key 1 255 md5 password Sets the ID and password for OSPF MD5 authentication in the specified interface password 1 16 alphanumeric characters or underscores no ip ospf message digest key Clears the ID and password for OSPF MD5 authentication in the specified interface no ip ospf hello interval 1 65535 Sets the number of secon...

Page 99: ...nectivity check interface interface_name Enters sub command mode no ping check activate Enables ping check for the specified interface The no command disables ping check for the specified interface ping check domain_name ip default gateway Specifies what the ZyWALL USG pings for the ping check you can specify a fully qualified domain name IP address or the default gateway for the interface ping ch...

Page 100: ...interface Router configure terminal Router config interface wan1 Router config if wan1 ping check 1 1 1 2 method tcp port 8080 Router config if wan1 exit Router config show ping check Interface wan1 Check Method tcp IP Address 1 1 1 2 Period 30 Timeout 5 Fail Tolerance 5 Activate yes Port 8080 Router config Table 44 Input Values for Ethernet Interface Commands LABEL DESCRIPTION interface_name The ...

Page 101: ...l Set this if you want to manually configure a policy route to add routing and SNAT settings for the interface no use defined mac Has the interface use its default MAC address use defined mac Has the interface use a MAC address that you specify Table 45 interface Commands MAC Setting continued COMMAND DESCRIPTION Table 46 Basic Interface Setting Commands COMMAND DESCRIPTION show port grouping Disp...

Page 102: ...how port grouping No Representative Name Port1 Port2 Port3 Port4 Port5 Port6 Port7 1 wan1 yes no no no no no no 2 wan2 no yes no no no no no 3 opt no no yes no no no no 4 lan1 no no no yes yes yes no 5 lan2 no no no no no no no 6 reserved no no no no no no no 7 dmz no no no no no no yes Router config Router config port grouping lan2 Router config port grouping port 7 Router config port grouping ex...

Page 103: ...haracters underscores _ or dashes but the first character cannot be a number This value is case sensitive Table 48 interface Commands PPPoE PPTP Interfaces COMMAND DESCRIPTION interface dial interface_name Connects the specified PPPoE PPTP interface interface disconnect interface_name Disconnects the specified PPPoE PPTP interface interface interface_name Creates the specified interface if necessa...

Page 104: ... request object to use dhcp6_suffix_128 Specify the ending part of the IPv6 address a slash and the prefix length The ZyWALL USG appends it to the delegated prefix For example you got a delegated prefix of 2003 1234 5678 48 You want to configure an IP address of 2003 1234 5678 1111 1 128 for this interface then enter 1111 0 0 0 1 128 for the dhcp6_suffix_128 ipv6 dhcp6 client Sets the IPv6 interfa...

Page 105: ...ownstream 123 Router config if ppp connectivity dial on demand Router config if ppp description I am ppp0 Router config if ppp exit Router interface dial ppp0 Router interface disconnect ppp0 Table 49 Interface Cellular Commands COMMAND DESCRIPTION no interface interface_name Creates the specified interface if necessary and enters sub command mode The no command deletes the specified interface acc...

Page 106: ...om the ZyWALL USG to the ISP download upload set a limit on the total traffic in both directions If you change the value the ZyWALL USG resets the statistics Use the no command to disable data budget control budget reset day 0 31 Sets the date on which the ZyWALL USG resets the budget every month If the date you selected is not available in a month such as 30th or 31st the ZyWALL USG resets the bu...

Page 107: ... of the cellular interface s peer like a gateway or PPPoE server interface cellular budget auto save 5 1440 Sets how often in minutes the ZyWALL USG saves time and data usage records for a connection using the 3G card show interface cellular corresponding slot device status support device Shows the status of the specified cellular interface show interface cellular corresponding slot Shows which ce...

Page 108: ...DMA2000 3G device failed because you entered an incorrect device code Device unlocked You entered the correct device code and unlocked a CDMA2000 3G device Get dev info fail The ZyWALL USG cannot get cellular device information Get dev info ok The ZyWALL USG succeeded in retrieving 3G device information Searching network The 3G device is searching for a network Get signal fail The 3G device cannot...

Page 109: ...rface cellular2 Router config if cellular device AC850 Router config if cellular band wcdma Router config if cellular pin 1234 Router config if cellular connectivity nail up Router config if cellular description This is cellular2 Router config if cellular mtu 1200 Router config if cellular exit Router config interface cellular2 Router config if cellular pin 4567 Router config if cellular exit Rout...

Page 110: ...ce tunnel mode ip gre Sets this interface to use GRE tunnel mode no mtu 576 1480 Specifies the Maximum Transmission Unit which is the maximum number of bytes in each packet moving through this interface The ZyWALL USG divides larger packets into smaller fragments The no command resets the MTU to 1480 no downstream 0 1048576 Specifies the downstream bandwidth for the specified interface The no comm...

Page 111: ...tatus Inactive active no Table 52 USB Storage General Commands COMMAND DESCRIPTION show usb storage Displays the status of the connected USB storage device no usb storage activate Enables or disables the connected USB storage service usb storage warn number percentage megabyte Sets a number and the unit percentage or megabyte to have the ZyWALL USG send a warning message when the remaining USB sto...

Page 112: ...rrent system diagnostics information to the connected USB storage device no corefile copy usb storage Sets to have the ZyWALL USG save or not save a process s core dump to the connected USB storage device if the process terminates abnormally crashes You may need to send this file to customer support for troubleshooting show corefile copy usb storage Displays whether enable or disable the ZyWALL US...

Page 113: ...e_name Specifies the Ethernet interface on which the VLAN interface runs The no command clears the port no vlan id 1 4094 Specifies the VLAN ID used to identify the VLAN The no command clears the VLAN ID show port vlan id Displays the Ethernet interface VLAN settings Router configure terminal Router config interface vlan100 Router config if vlan vlan id 100 Router config if vlan port ge1 Router co...

Page 114: ...Creates the specified interface if necessary and enters sub command mode no join interface_name Adds the specified Ethernet interface or VLAN interface to the specified bridge The no command removes the specified interface from the specified bridge show bridge available member Displays the available interfaces that could be added to a bridge Router configure terminal Router config interface br0 Ro...

Page 115: ...ation with policy routing You can also define multiple trunks for the same physical interfaces This allows you to send specific traffic types through the interface that works best for that type of traffic and if that interface s connection goes down the ZyWALL USG can still send its traffic through another interface 14 2 Trunk Scenario Examples Suppose one of the ZyWALL USG s interfaces is connect...

Page 116: ...ther ZyWALL USG models use a name such as wan1 wan2 opt lan1 or dmz PPPoE PPTP interface pppx x 0 N where N depends on the number of PPPoE PPTP interfaces your ZyWALL USG model supports VLAN interface vlanx x 0 4094 bridge interface brx x 0 N where N depends on the number of bridge interfaces your ZyWALL USG model supports num The interface s position in the trunk s list of members 1 8 CR Carriage...

Page 117: ...interface num interface name Removes an interface from the trunk system default interface group group name Sets the ZyWALL USG to first attempt to use the the specified WAN trunk no system default snat Enables or disables Source NAT SNAT When SNAT is enabled the ZyWALL USG uses the IP address of the outgoing interface as the source IP address of the packets it sends out through the WAN interfaces ...

Page 118: ...ALL USG sends traffic through ge1 until it hits the limit of 1000 kbps The ZyWALL USG sends anything over 1000 kbps through ge3 Router configure terminal Router config interface group spill example Router if group mode trunk Router if group algorithm spill over Router if group interface 1 ge1 limit 1000 Router if group interface 2 ge3 limit 1000 Router if group loadbalancing index total Router if ...

Page 119: ...ed to incoming packets on a per interface basis prior to the normal routing 15 2 Policy Route Commands The following table identifies the values required for many of these commands Other input values are discussed with the corresponding commands Table 59 Input Values for General Policy Route Commands LABEL DESCRIPTION address_object The name of the IP address group object You may use 1 31 alphanum...

Page 120: ... ZyWALL USG s User s Guide for details schedule_object The name of the schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive service_name The name of the service group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive use...

Page 121: ...incoming packets that are marked with DSCP value 0 Use one of the pre defined AF classes including af11 af13 af21 af23 af31 af33 and af41 af43 to apply this policy route to incoming packets that are marked with the DSCP AF class The af entries stand for Assured Forwarding The number following the af identifies one of four classes and one of three drop preferences See Assured Forwarding AF PHB for ...

Page 122: ...l users policy6 policy_number append insert policy_number Enters the IPv6 policy route sub command mode to configure add or insert a policy no deactivate Disables the specified policy The no command enables the specified policy no description description Sets a descriptive name for the IPv6 policy The no command removes the name for the policy no destination address6_object any Sets the destinatio...

Page 123: ...hed packets must have The no command resets the source IP address to the default any any means all IP addresses no srcport profile_name any Sets the source port that the matched packets must have The no command resets the source port to the default any any means all ports no tunnel tunnel_name Sets the incoming interface to an IPSec VPN tunnel The no command removes the IPSec VPN tunnel through wh...

Page 124: ...check Displays the policy route for the connection check show policy route conn check policy_number Displays the specified policy route for the connection check show policy route conn check status policy_number Displays the connection check status for the specified policy route show policy route controll ipsec dynamic rules Displays whether the ZyWALL USG checks policy routes first before IPSec dy...

Page 125: ... 61 Assured Forwarding AF Behavior Group CLASS 1 CLASS 2 CLASS 3 CLASS 4 Low Drop Precedence AF11 10 AF21 18 AF31 26 AF41 34 Medium Drop Precedence AF12 12 AF22 20 AF32 28 AF42 36 High Drop Precedence AF13 14 AF23 22 AF33 30 AF43 38 Router config address object TW_SUBNET 192 168 2 0 255 255 255 0 Router config address object GW_1 192 168 2 250 Router config policy insert 1 Router policy route desc...

Page 126: ...z interface w x y z 0 127 Changes an existing route s settings show ip route settings Displays static route information Use show ip route to see learned route information See Section 16 2 5 on page 132 ip6 route destv6 prefix ipv6_global_address ipv6_link_local interface 0 127 Sets an IPv6 static route ip6 route destv6 prefix ipv6_link_local interface 0 127 Sets an IPv6 link local static route no ...

Page 127: ...teway on interface ge2 and uses metric 2 The following command deletes a specific static IPv6 route The following command deletes all static IPv6 routes with the same prefix Router config ip route 10 10 10 0 255 255 255 0 ge1 Router config Router config show ip route settings Route Netmask Nexthop Metric 10 10 10 0 255 255 255 0 ge1 0 Router config ip6 route 2002 22 22 34 64 ge2 1 Router config ip...

Page 128: ...Chapter 15 Route ZyWALL USG ZLD CLI Reference Guide 128 ...

Page 129: ...le 63 on page 129 and they are discussed further in the next two sections 16 2 Routing Protocol Commands Summary The following table describes the values required for many routing protocol commands Other values are discussed with the corresponding commands The following sections list the routing protocol commands Table 63 OSPF vs RIP OSPF RIP Network Size Large Small with up to 15 routers Metric B...

Page 130: ...tion mode md5 text Sets the authentication mode for RIP The no command sets the authentication mode to none no authentication string authkey Sets the password for text authentication The no command clears the password authentication key 1 255 key string authkey Sets the MD5 ID and password for MD5 authentication no authentication key Clears the MD5 ID and password no outonly interface interface_na...

Page 131: ...ified area router ospf no area IP virtual link IP Creates the specified virtual link in the specified area The no command removes the specified virtual link no area IP virtual link IP authentication Enables text authentication in the specified virtual link The no command disables authentication in the specified virtual link no area IP virtual link IP authentication message digest Enables MD5 authe...

Page 132: ...link Table 68 router Commands Virtual Links in OSPF Areas continued COMMAND DESCRIPTION Table 69 ip route Commands Learned Routing Information COMMAND DESCRIPTION show ip route kernel connected static ospf rip bgp Displays learned routing and other routing information Router show ip route Flags A Activated route S Static route C directly Connected O OSPF derived R RIP derived G selected Gateway re...

Page 133: ...unnels The ZyWALL USG uses zones not interfaces in many security and policy settings such as firewall rules and remote management Zones cannot overlap Each Ethernet interface VLAN interface bridge interface PPPoE PPTP interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 15 Example Zones...

Page 134: ...s show zone binding iface Displays each interface and zone mappings show zone default binding Displays the pre configured interface and zone mappings that come with the ZyWALL USG show zone none binding Displays the interfaces tunnels and SSL VPNs that are not associated with a zone yet show zone system default Displays the pre configured default zones that you cannot delete from the ZyWALL USG sh...

Page 135: ...ng commands add Ethernet interfaces ge1 and ge2 to zone A Router configure terminal Router config zone A Router zone interface ge1 Router zone interface ge2 Router zone exit Router config show zone No Name Member 1 A ge1 ge2 Router config show zone A No Type Member 1 interface ge1 2 interface ge2 ...

Page 136: ...Chapter 17 Zones ZyWALL USG ZLD CLI Reference Guide 136 ...

Page 137: ...When registration is complete the DNS service provider gives you a password or key At the time of writing the ZyWALL USG supports the following DNS service providers See the listed websites for details about the DNS services offered by each Note Record your DDNS account s user name password and domain name to use to configure the ZyWALL USG After you configure the ZyWALL USG it automatically sends...

Page 138: ...HTTPS no service type dyndns dyndns_static dyndns_custom dynu basic dynu premium no ip peanut hull 3322 dyn 3322 static Selfhost User custom Sets the service type in the specified DDNS profile The no command clears it no username username password password Sets the username and password in the specified DDNS profile The no command clears these fields username You can use up to 31 alphanumeric char...

Page 139: ...ger The no command disables it no wildcard Enables the wildcard feature The no command disables it no url URL TEXT Type the URL that can be used to access the server that will host the DDSN service For example url api dynamic update php hostname home example com ip 10 1 1 1 The no command disables it no ddns server FQDN DNS Type the IP address of the server that will host the DDSN service For exam...

Page 140: ...Chapter 18 DDNS ZyWALL USG ZLD CLI Reference Guide 140 ...

Page 141: ...ge of private network servers that will initiate sessions to the outside clients and a range of public IP addresses use many 1 1 NAT to have the ZyWALL USG translate the source IP address of each server s outgoing traffic to the same one of the public IP addresses that the outside clients use to access the server The private and public ranges must have the same number of IP addresses One many 1 1 ...

Page 142: ...e specified virtual server and maps the specified destination IP address protocol and destination port to the specified destination IP address and destination port The original destination IP is defined by the specified interface any the specified IP address IP or the specified address object address object NAT loopback allows local users to use a domain name to access this virtual server nat 1 1 ...

Page 143: ...NAT See Section 19 1 1 on page 141 for more information Using this command without nat 1 1 map means the NAT type is Virtual Server This makes computers on a private network behind the ZyWALL USG available to a public network outside the ZyWALL USG like the Internet The deactivate command disables the virtual server rule ip virtual server activate deactivate profile_name Activates or deactivates t...

Page 144: ... IP address 1 1 1 2 The NAT rule sends this traffic to the HTTP server s private IP address of 192 168 3 7 defined in the DMZ_HTTP object HTTP traffic and the HTTP server in this example both use TCP port 80 So you set the port mapping type to port the protocol type to TCP and the original and mapped ports to 80 3 Configure secure policy rule Create a firewall rule to allow HTTP traffic from the W...

Page 145: ...quest except HTTP traffic destined for the ZyWALL USG to a web proxy server 20 1 1 Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources services A proxy server can act as a firewall or an ALG application layer gateway between the private network and the Internet or other networks It also keeps hackers from knowing internal ...

Page 146: ...nterface add a colon and the number of the virtual interface For example gex y x 1 N y 1 4 VLAN interface vlanx x 0 4094 virtual interface on top of VLAN interface vlanx y x 0 4094 y 1 4 bridge interface brx x 0 N where N depends on the number of bridge interfaces your ZyWALL USG model supports virtual interface on top of bridge interface brx y x the number of the bridge interface y 1 4 PPPoE PPTP...

Page 147: ...rect rule disable it and display the settings Router configure terminal Router config ip http redirect example1 interface ge1 redirect to 10 10 2 3 80 Router config ip http redirect example1 interface ge1 redirect to 10 10 2 3 80 deactivate Router config show ip http redirect Name Interface Proxy Server Port Active example1 ge1 10 10 2 3 80 no ...

Page 148: ...Chapter 20 HTTP Redirect ZyWALL USG ZLD CLI Reference Guide 148 ...

Page 149: ...oIP traffic s data stream When a device behind the ZyWALL USG uses an application for which the ZyWALL USG has VoIP pass through enabled the ZyWALL USG translates the device s private IP address inside the data stream to a public IP address It also records session port numbers and allows the related sessions to go through the firewall so the application s traffic can come in from the WAN to the LA...

Page 150: ... need to use this if you have a SIP device or server that will modify IP addresses and port numbers embedded in the SIP data payload The no command turns off the SIP ALG or removes the settings that you specify alg sip defaultport Enters ALG SIP default port sub command Router SIP Signaling Port no port 1025 65535 Enter the custom UDP port number for SIP traffic The no command removes the custom U...

Page 151: ...ZyWALL USG ZLD CLI Reference Guide 151 21 3 ALG Commands Example The following example turns on pass through for SIP and turns it off for H 323 Router configure terminal Router config alg sip Router config no alg h323 ...

Page 152: ...Chapter 21 ALG ZyWALL USG ZLD CLI Reference Guide 152 ...

Page 153: ...ublic IP address and port number and make them known to the peer device with which it wants to communicate The client can automatically configure the NAT router to create a port mapping to allow the peer to contact it 22 2 UPnP and NAT PMP Commands The following table lists the ip upnp commands You must use the configure terminal command to enter the configuration mode before you can use these com...

Page 154: ...erface Displays the name s of the internal interface s on which the ZyWALL USG supports UPnP and or NAT PMP show ip upnp port mapping Displays the UPnP and or NAT PMP port mapping rules on the ZyWALL USG show ip upnp status Displays the UPnP and or NAT PMP configuration Table 80 ip upnp Commands continued COMMAND DESCRIPTION Router configure terminal Router config ip upnp Router config upnp nat pm...

Page 155: ...nt Type upnp External Port 1122 Protocol tcp Internal Port 1122 Internal Client 172 16 1 2 Description test1 No 1 Remote Host null Client Type upnp External Port 5566 Protocol tcp Internal Port 5566 Internal Client 172 16 1 2 Description test2 Router config no ip upnp port mapping port 5566 type tcp Router config show ip upnp port mapping No 0 Remote Host null Client Type upnp External Port 1122 P...

Page 156: ...Chapter 22 UPnP ZyWALL USG ZLD CLI Reference Guide 156 ...

Page 157: ...AC binding for the specified interface The no command turns IP MAC binding off for the specified interface no ip ip mac binding interface_name log Turns on the IP MAC binding logs for the specified interface The no command turns IP MAC binding logs off for the specified interface ip ip mac binding exempt name start ip end ip Adds a named IP range as being exempt from IP MAC binding no ip ip mac bi...

Page 158: ...he following example enables IP MAC binding on the LAN1 interface and displays the interface s IP MAC binding status Router configure terminal Router config ip ip mac binding lan1 activate Router config show ip ip mac binding lan1 Name lan1 Status Enable Log No Binding Count 0 Drop Count 0 Router config ...

Page 159: ...Chapter 23 IP MAC Binding ZyWALL USG ZLD CLI Reference Guide 159 ...

Page 160: ...d except the devices in the white list Note Layer 2 isolation does not check the wireless traffic In the following example layer 2 isolation is enabled on the ZyWALL USG s interface Vlan1 A printer PC and AP are in the Vlan1 The IP address of network printer C is added to the white list The connected AP then cannot communicate with the PC D but can access the network printer C server B wireless cl...

Page 161: ...n the white list on the ZyWALL USG IP addresses that are not listed in the white list are blocked from communicating with other devices in the layer 2 isolation enabled internal interface s except for broadcast packets white list append Enters the layer 2 isolation white list sub command mode to add a rule to the end of the white list See Table 83 on page 161 for the sub commands white list flush ...

Page 162: ...d removes the IP address This is the IP address of device that can be accessed by the devices connected to an internal interface on which layer 2 isolation is enabled Table 83 l2 isolation white list Sub commands continued COMMAND DESCRIPTION Router configure terminal Router config l2 isolation Router l2 isolation activate Router l2 isolation interface lan2 Router l2 isolation white list 1 Router ...

Page 163: ...gured to allow or deny traffic that matches the criteria above send a log or alert for traffic that matches the criteria above to apply the actions configured in the UTM profiles application patrol content filter IDP anti virus anti spam to traffic that matches the criteria above Note Secure policies can be applied to both IPv4 and IPv6 traffic The secure policies can also limit the number of user...

Page 164: ...r of a secure policy 1 X where X is the highest number of rules the ZyWALL USG model supports See the ZyWALL USG s User s Guide for details schedule_object The name of the schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive service_name The name of the service group You may use 1 31 alphanumeric character...

Page 165: ...the specified rule number See Table 86 on page 167 for the sub commands secure policy move rule_number to rule_number Moves a secure policy rule to the number that you specified show secure policy Displays all Secure Policy settings show secure policy rule_number Displays a secure policy rule s settings show secure policy zone_object zone_object ZyWALL Displays all secure policy rules settings for...

Page 166: ...Sets how the IPv6 secure policy handles packets that do not match any other secure policy rule secure policy6 delete rule_number Removes a IPv6 secure policy rule secure policy6 flush Removes all IPv6 secure policy rules secure policy6 insert rule_number Enters the IPv6 secure policy sub command mode to add a secure policy rule before the specified rule number See Table 86 on page 167 for the sub ...

Page 167: ...on Sets a descriptive name up to 60 printable ASCII characters for a secure policy rule The no command removes the descriptive name from the rule no destinationip address_object Sets the destination IP address The no command resets the destination IP address es to the default any any means all IP addresses no destinationip6 address_object Sets the destination IPv6 address The no command resets the...

Page 168: ...d overrides the anti x profile log setting The no command does not apply the named anti x profile to traffic that matches the secure policy rule no as profile profile name no log log by profile activate deactivate Applies the already created named anti x profile to traffic that matches the secure policy rule Log by profile generates a log for all traffic that matches criteria in the anti x profile...

Page 169: ...le Log by profile generates a log for all traffic that matches criteria in the anti x profile no log does turns off logging and overrides the anti x profile log setting The no command does not apply the named anti x profile to traffic that matches the secure policy rule no app profile profile name no log log by profile activate deactivate Applies the already created named anti x profile to traffic...

Page 170: ...ure policy rule 11 name WAN_to_Device description user any schedule none from WAN to ZyWALL source IP any source port any destination IP any service Default_Allow_WAN_To_ZyWALL log no action allow status yes connection match no content filter profile none enable no log by profile anti spam profile none enable no log by profile anti virus profile none enable no log by profile idp profile none enabl...

Page 171: ... profile none enable no log by profile idp profile none enable no log by profile ssl inspection profile none enable no log by profile app patrol profile none enable no log by profile secure policy rule 11 name WAN_to_Device description user any schedule none from WAN to ZyWALL source IP any source port any destination IP any service Default_Allow_v6_WAN_To_ZyWALL log no action allow status yes con...

Page 172: ...e no command removes the descriptive name from the rule exit Quits the sub command mode no limit 0 8192 Sets the limit for the number of concurrent NAT firewall sessions this rule s users or addresses can have 0 means any no user user_name Sets a session limit rule for the specified user The no command resets the user name to the default any any means all users session limit append Enters the sess...

Page 173: ...The no command removes the descriptive name from the rule exit Quits the sub command mode no limit 0 8192 Sets the limit for the number of concurrent NAT firewall IPv6 sessions this rule s users or addresses can have 0 means any no user user_name Sets an IPv6 session limit rule for the specified user The no command resets the user name to the default any any means all users session limit6 append E...

Page 174: ...Sec VPN OPT and WAN adp profile The name of an ADP profile It can consist of alphanumeric characters the underscore and the dash and it is 1 31 characters long Spaces are not allowed Table 90 ADP Activation Commands LABEL DESCRIPTION no idp anomaly activate Anomaly detection does not require registration The no command disables the specified service show idp anomaly activation Displays anomaly det...

Page 175: ...on sensitivity low medium high Sets scan detection sensitivity no scan detection sensitivity Clears scan detection sensitivity The default sensitivity is medium scan detection block period 1 3600 Sets for how many seconds the ZyWALL USG blocks all packets from being sent to the victim destination of a detected anomaly attack no scan detection tcp xxx activate log alert block Activates TCP scan det...

Page 176: ...options icmp decoder bad icmp l4 size icmp smurf log alert Sets icmp decoder log or alert options no icmp decoder bad icmp l4 size icmp smurf log Deactivates icmp decoder log options icmp decoder bad icmp l4 size icmp smurf action drop reject sender reject receiver reject both Sets icmp decoder action no icmp decoder bad icmp l4 size icmp smurf action Deactivates icmp decoder actions exit Use exit...

Page 177: ...coder settings for the specified ADP profile show idp anomaly profile udp decoder all details Shows udp decoder settings for the specified ADP profile show idp anomaly profile udp decoder bad udp l4 size udp land udp smurf details Shows specified udp decoder settings for the specified ADP profile show idp anomaly profile icmp decoder all details Shows all icmp decoder settings for the specified AD...

Page 178: ...Chapter 25 Secure Policy ZyWALL USG ZLD CLI Reference Guide 178 ...

Page 179: ...lt rule authentication required unnecessary no log log alert Sets the default authentication policy that the ZyWALL USG uses on traffic that does not match any exceptional service or other authentication policy required Users need to be authenticated They must manually go to the ZyWALL USG s login screen The ZyWALL USG will not redirect them to the login screen unnecessary Users do not need to be ...

Page 180: ...yWALL USG through the specifically designated web portal when web authentication is enabled show web auth policy 1 1024 all Displays details about the policies for forcing user authentication show web auth portal status Displays the web portal page settings show web auth status Displays the web portal page settings Table 94 web auth Commands continued COMMAND DESCRIPTION Table 95 web auth policy S...

Page 181: ...es SSO web authentication show sso agent port presharekey Displays information about the specified condition Table 95 web auth policy Sub commands continued COMMAND DESCRIPTION Table 96 SSO Commands and Subcommnds COMMAND DESCRIPTION sso agent primary Enters SSO primary agent subcommand mode sso agent secondary Enters secondary agent subcommand mode A secondary agent is an optional backup SSO agen...

Page 182: ...ary agent IP and Port configurations show sso agent status Displays primary and secondary agent status show sso port Displays the ZySSO port configured show sso presharekey Shows the configured ZySSO presharekey Router config sso agent primary Router config sso primary ip 1 1 1 1 Router config sso primary port 2158 Router config sso primary exit Router config sso presharekey 12345678 Router config...

Page 183: ...or the Ekahau Wi Fi tags A dedicated RTLS SSID is recommended Ekahau RTLS Controller in blink mode with TZSP Updater enabled Secure policies to allow RTLS traffic if the ZyWALL USG Secure Policy control is enabled or the Ekahau RTLS Controller is behind a firewall For example if the Ekahau RTLS Controller is behind a firewall open ports 8550 8553 and 8569 to allow traffic the APs send to reach the...

Page 184: ...ahau Wi Fi tags The no command disables tracking rtls ekahau ip address ip Specifies the IP address of the Ekahau RTLS Controller rtls ekahau ip port 1 65535 Specifies the server port of the Ekahau RTLS Controller show rtls ekahau config Displays RTLS configuration details show rtls ekahau cli Displays commands run on the AP The AP runs the flush command before executing other commands Router conf...

Page 185: ... data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer The following figure is one example of a VPN tunnel Figure 19 VPN Example The VPN tunnel connects the ZyWALL USG X and the remote IPSec router Y These routers then connect the local networ...

Page 186: ...s are discussed with the corresponding commands Table 100 Input Values for IPSec VPN Commands LABEL DESCRIPTION profile_name The name of a VPN concentrator You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive policy_name The name of an IKE SA You may use 1 31 alphanumeric characters underscores _ or dashes but the ...

Page 187: ...red key for authentication certificate certificate name Sets the certificate that can be used for authentication no dpd Enables Dead Peer Detection DPD The no command disables DPD dpd interval 15 60 Sets the Dead Peer Detection DPD period no fall back Set this to have the ZyWALL USG reconnect to the primary address when it becomes available again and stop using the secondary connection if the conn...

Page 188: ...ss domain name or e mail address no xauth type server auth_method client name username password password Enables extended authentication and specifies whether the ZyWALL USG is the server or client If the ZyWALL USG is the server it also specifies the extended authentication method aaa authentication profile_name if the ZyWALL USG is the client it also specifies the username and password to provid...

Page 189: ...aes128 md5 esp aes128 sha esp aes128 sha256 esp aes128 sha512 esp aes192 md5 esp aes192 sha esp aes192 sha256 esp aes192 sha512 esp aes256 md5 esp aes256 sha esp aes256 sha256 esp aes256 sha512 transform set crypto_algo_ah crypto_algo_ah crypto_algo_ah Sets the active protocol to AH and sets the encryption and authentication algorithms for each proposal crypto_algo_ah ah md5 ah sha ah sha256 ah sh...

Page 190: ...cified IPSec SA in dnat move 1 10 to 1 10 Moves the specified rule first rule number to the specified location second rule number for in bound traffic DNAT in dnat append protocol all tcp udp original ip address_name 0 65535 0 65535 mapped ip address_name 0 65535 0 65535 Maps the specified IP address and port range original ip to the specified IP address and port range mapped ip and appends this r...

Page 191: ... 3des 24 32 characters aes128 16 32 characters aes192 24 32 characters aes256 32 characters If you want to enter the key in hexadecimal type 0x at the beginning of the key For example 0x0123456789ABCDEF is in hexadecimal format in 0123456789ABCDEF is in ASCII format If you use hexadecimal you must enter twice as many characters The ZyWALL USG automatically ignores any characters above the minimum ...

Page 192: ...a user or group of users allowed to use the ZyWALL USG IPSec VPN client to retrieve the associated VPN rule settings A user may belong to a number of groups If VPN configuration provisioning rules are configured for different groups the ZyWALL USG will allow VPN rule setting retrieval based on the first match found Admin or limited admin users are not allowed no user Removes the VPN configuration ...

Page 193: ...VPN connection or policy name would still match A VPN connection or policy name named testacc for example would not match A in the middle of a VPN connection or policy name has the ZyWALL USG check the beginning and end and ignore the middle For example with abc 123 any VPN connection or policy name starting with abc and ending in 123 matches no matter how many characters are in between The whole ...

Page 194: ... pre shared key that can be used for authentication The pre_shared_key can be 8 32 alphanumeric characters or _ 16 64 hexadecimal 0 9 A F characters preceded by 0x The pre shared key is case sensitive local id type ip ip fqdn domain_name mail e_mail dn distinguished_name Sets the local ID type and content to the specified IP address domain name or e mail address peer id type any ip ip fqdn domain_...

Page 195: ...onnection fall back check interval 60 86400 Sets how often in seconds the ZyWALL USG checks if the primary address is available transform set isakmp algo isakmp_algo isakmp_algo Sets the encryption and authentication algorithms for each IKEv2 SA proposal isakmp_algo des md5 des sha 3des md5 3des sha aes128 md5 aes128 sha aes192 md5 aes192 sha aes256 md5 aes256 sha aes256 sha256 aes256 sha512 lifet...

Page 196: ...or for IPSec SAs where the remote gateway address is 0 0 0 0 no crypto map map_name Creates the specified IPSec SA if necessary and enters sub command mode The no command deletes the specified IPSec SA crypto map rename map_name map_name Renames the specified IPSec SA first map_name to the specified name second map_name crypto map map_name activate deactivate Activates or deactivates the specified...

Page 197: ...nforcement Drops traffic whose source and destination IP addresses do not match the local and remote policy This makes the IPSec SA more secure The no command allows traffic whose source and destination IP addresses do not match the local and remote policy Note You must allow traffic whose source and destination IP addresses do not match the local and remote policy if you want to use the IPSec SA ...

Page 198: ...ncentrator The no command removes the specified IPSec SA from the specified IPv6 VPN concentrator vpn concentrator6 rename profile_name profile_name Renames the specified IPv6 VPN concentrator first profile_name to the specified name second profile_name Table 110 vpn concentrator Commands VPN Concentrator continued COMMAND DESCRIPTION ...

Page 199: ...ed by an SSL access policy To delete the object you must first unassociate the object from the SSL access policy 29 2 SSL VPN Commands The following table describes the values required for some SSL VPN commands Other values are discussed with the corresponding commands Table 111 Input Values for SSL VPN Commands LABEL DESCRIPTION profile_name The descriptive name of an SSL VPN access policy You ma...

Page 200: ...ject ip network address_object Use this to configure for a VPN tunnel between the authenticated users and the internal network This allows the users to access the resources on the network as if they were on the same local network ip pool specify the name of the pool of IP addresses to assign to the user computers for the VPN connection Specify the names of the DNS or WINS servers to assign to the ...

Page 201: ... the local network for SSL VPN authenticated users to access 3 Create the SSL VPN user account named tester with password 1234 4 Create an SSL VPN rule named SSL_VPN_TEST Enable it and apply objects you just created Router config interface ge2 Router config if ge ip address 10 1 1 254 255 255 255 0 Router config if ge exit Router config interface ge3 Router config if ge ip address 172 16 10 254 25...

Page 202: ...ig show sslvpn policy SSL_VPN_TEST index 1 active yes name SSL_VPN_TEST description user tester ssl application none network extension yes traffic enforcement no netbios broadcast no ip pool IP POOL dns server 1 DNS1 dns server 2 DNS2 wins server 1 none wins server 2 none network NETWORK1 reference count 0 ...

Page 203: ...r network like the Internet In L2TP VPN an IPSec VPN tunnel is established first see Chapter 28 on page 185 for information on IPSec and then an L2TP tunnel is built inside it Note At the time of writing the L2TP remote user must have a public IP address in order for L2TP VPN to work the remote user cannot be behind a NAT router or a firewall 30 2 IPSec Configuration You must configure an IPSec VP...

Page 204: ...ect that uses host type and an IP address of 0 0 0 0 Use this address object in the remote policy You must also edit the Default_L2TP_VPN_GW gateway entry Configure the My Address setting according to your requirements Replace the default Pre Shared Key 30 3 Policy Route You must configure a policy route to let remote users access resources on a network behind the ZyWALL USG Set the policy route s...

Page 205: ...upports map_name The name of an IPSec SA You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive user_name The name of a user group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Table 114 L2TP VPN Commands COMMAND DESCRIPTION l2...

Page 206: ...l if the remote user does not respond The no command returns the default setting no l2tp over ipsec first dns server ip interface_name 1st dns 2nd dns 3rd dns ppp_interface 1st dns 2nd dns Specifies the first DNS server IP address to assign to the remote users You can specify a static IP address or a DNS server that an interface received from its DHCP server The no command removes the setting no l...

Page 207: ...P_HOST in this example 30 5 3 Configuring the L2TP VPN Settings Example The following commands configure and display the L2TP VPN settings Set it to use the Default_L2TP_VPN_Connection VPN connection Configure an IP address pool for the range of 192 168 10 10 to 192 168 10 20 In this example it is already created and called L2TP_POOL This example uses the default authentication method the ZyWALL U...

Page 208: ...r config l2tp over ipsec user L2TP test Router config l2tp over ipsec activate Router config show l2tp over ipsec L2TP over IPSec activate yes crypto Default_L2TP_VPN_Connection address pool L2TP_POOL authentication default user L2TP test keepalive timer 60 first dns server aux 1st dns second dns server aux 1st dns first wins server second wins server Router config policy 3 Router policy route sou...

Page 209: ...le lists the bwm commands You must use the configure terminal command to enter the configuration mode before you can use these commands Table 115 bwm Commands COMMAND DESCRIPTION bwm 1 127 Enters the config bwm sub command mode to configure a bandwidth management policy See Table 116 on page 210 for the sub commands no bwm activate Enables bandwidth management on the ZyWALL USG The no command disa...

Page 210: ...s group for whom this policy applies The no command resets the destination IP address es to the default any any means all IP addresses no dscp 0 63 any class af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 cs0 cs1 cs2 cs3 cs4 cs5 cs6 cs7 default wmm_be0 wmm_be24 wmm_bk16 wmm_bk8 wmm_vi32 wmm_vi40 wmm_vo48 wmm_vo56 Specifies a DSCP code point value or sets an AF class or QoS access clas...

Page 211: ...enerate a log and alert for packets that match the policy no outbound ceiling 0 1048576 maximize bandwidth usage Sets the maximum bandwidth allowed for outgoing traffic or enables maximize bandwidth usage to let the traffic matching this policy borrow any unused bandwidth on the out going interface The no command resets the outbound maximum bandwidth to the default 0 no outbound guarantee bandwidt...

Page 212: ...ess or address group for whom this policy applies The no command resets the source IP address es to the default any any means all IP addresses no type per user shared per ip source Sets the type of bandwidth management per user to allow every user that matches this policy to use up to the bandwidth configured in this policy shared to have users that match this policy to share the bandwidth configu...

Page 213: ...from the specfied VLAN with the configured priority code marked interface any Marks matching outgoing traffic from any VLAN with the configured priority code marked interface trunk trunk_name Marks matching outgoing traffic from the specfied trunk with the configured priority code marked interface none Doesn t mark outgoing traffic with priority code for this BWM rule Table 116 bwm Sub commands co...

Page 214: ... bwm append 6 inbound guarantee bandwidth 800 priority 3 Router config bwm append 6 outbound guarantee bandwidth 700 priority 3 Router config bwm append 6 show Current Configuration index 6 Activate yes Description example BWM Type shared Schedule none User trial users Incoming_Type any Incoming_Interface any Outgoing_Type any Outgoing_Interface any Src any Dst any Service_Type service object Serv...

Page 215: ...pplication patrol rules for traffic going through the ZyWALL USG To use a service make sure both the firewall and application patrol allow the service s packets to go through the ZyWALL USG Application patrol examines every TCP and UDP connection passing through the ZyWALL USG and identifies what application is using the connection Then you can specify by application whether or not the ZyWALL USG ...

Page 216: ...ate Displays the date yyyy mm dd and time the set was released show app profiles profile name Shows the description application name and object reference number associated with the named profile show app profiles profile name application Shows the application name action and log associated with the named profile no app profile name Creates a profile with the specified name You may use 1 31 alphanu...

Page 217: ...version version 3 1 4 049 Router config show app signatures date date 2013 12 05 18 09 51 Router config app john Router config app patrol profile john description this is a dummy profile Router config app patrol profile john exit Router config show app profiles APP patrol 1 profile name testfb description application tests ref 0 APP patrol 2 profile name test description this is a test application...

Page 218: ...Chapter 32 Application Patrol ZyWALL USG ZLD CLI Reference Guide 218 ...

Page 219: ...st character cannot be a number This value is case sensitive av_file_pattern Use up to 80 characters to specify a file pattern Alphanumeric characters underscores _ dashes question marks and asterisks are allowed A question mark lets a single character in the file name vary For example use a zip without the quotation marks to specify aa zip ab zip and so on Wildcards let multiple files match the p...

Page 220: ...virus mail infect ext activate Has the ZyWALL USG add a notification text file to an e mail after destroying a virus infected e mail attachment no anti virus mail infect ext activate Has the ZyWALL USG not add a notification text file to an e mail after destroying a virus infected e mail attachment Table 121 anti virus profile Commands COMMAND DESCRIPTION anti virus rename old_profile_name new_pro...

Page 221: ... the named profile Table 121 anti virus profile Commands COMMAND DESCRIPTION Router config anti virus office1 Router config av profile office1 infected action destroy Router config av profile office1 file decompression Router config av profile office1 no file decompression unsupported destroy Router config av profile office1 exit Router config show an anti spam anti virus Router config show anti v...

Page 222: ...v_file_pattern activate deactivate Replaces the specified black list file pattern with a new file pattern Table 122 Commands for Anti virus White and Black Lists continued COMMAND DESCRIPTION Router config anti virus white list activate Router config anti virus white list file pattern Router config anti virus white list file pattern exe activate Router config anti virus black list activate Router ...

Page 223: ...sun mon tue wed thu fri sat 0 23 Enables automatic signature download once a week at the time and day specified show anti virus update Displays signature update schedule show anti virus update status Displays signature update status show anti virus signatures status Displays details about the current signature set Router configure terminal Router config anti virus update signatures ANTI VIRUS sign...

Page 224: ... collected statistics show anti virus statistics summary Displays the collected statistics show anti virus statistics collect Displays whether the collection of anti virus statistics is turned on or off show anti virus statistics ranking destination destination6 source source6 virus name Query and sort the anti virus statistics entries by destination IP address source IP address or virus name viru...

Page 225: ...table shows the IDP signature and system protect activation commands Table 126 Input Values for IDP Commands LABEL DESCRIPTION zone_profile The name of a zone For some ZyWALL USG models use up to 31 characters a zA Z0 9_ The name cannot start with a number This value is case sensitive For other ZyWALL USG models use pre defined zone names like DMZ LAN1 SSL VPN IPSec VPN OPT and WAN idp_profile The...

Page 226: ...ON idp rename signature profile1 profile2 Rename an IDP signature originally named profile1 to profile2 no idp signature profile3 Delete an IDP signature or system protect profile named profile3 idp signature profile signature sid activate log alert action drop reject sender reject receiver reject both Sets the action and log for the specified signature show idp signature profile signature all det...

Page 227: ...ile new_profile Router config no idp signature bye_profile Router config show idp signature base profile No Base Profile Name 1 none 2 all 3 wan 4 lan 5 dmz Router config Table 129 Editing Creating IDP Signature Profiles COMMAND DESCRIPTION idp signature newpro base all lan wan dmz none Creates a new IDP signature profile called newpro newpro uses the base profile you specify Enters sub command mo...

Page 228: ...M sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text worm within the signature name show idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate any yes no log any no log log alert action action_...

Page 229: ...bled Generates logs 34 4 IDP Custom Signatures Use these commands to create a new signature or edit an existing one Table 132 Service and Action Command Values SERVICE SERVICE ACTION 1 DNS 2 FINGER 4 FTP 8 MYSQL 16 ICMP 32 IM 64 IMAP 128 MISC 256 NETBIOS 512 NNTP 1024 ORACLE 2048 P2P 4096 POP2 8192 POP3 16384 RPC 32768 RSERVICES 65536 SMTP 131072 SNMP 262144 SQL 524288 TELNET 1048576 TFTP 2097152 ...

Page 230: ...e alert tcp any any any any msg test sid 9000000 idp customize signature edit quoted_string Edits an existing custom signature no idp customize signature custom_sid Deletes a custom signature idp customize_import name sig_name Edits an existing signature show idp signatures custom signature custom_sid details contents non contents Displays custom signature information show idp signatures custom si...

Page 231: ... sid 9000000 sid 9000000 message test edit policy type severity platform all no Win95 98 no WinNT no WinXP 2000 no Linux no FreeBSD no Solaris no SGI no other Unix no network device no service outbreak no Router config show idp signatures custom signature 9000000 details sid 9000000 message test edit policy type severity platform all no Win95 98 no WinNT no WinXP 2000 no Linux no FreeBSD no Solari...

Page 232: ...on contents sid 9000000 ack dport 0 dsize dsize_rel flow_direction flow_state flow_stream fragbits_reserve fragbits_dontfrag fragbits_morefrag fragoffset fragoffset_rel icmp_id icmp_seq icode icode_rel id ipopt itype itype_rel sameip seq sport 0 tcp_flag_ack tcp_flag_fin tcp_flag_push tcp_flag_r1 tcp_flag_r2 tcp_flag_rst tcp_flag_syn tcp_flag_urg threshold_type threshold_track threshold_count thre...

Page 233: ...laris no SGI no other Unix no network device no service outbreak no Router config show idp signatures custom signature number signatures 1 Table 134 Update Signatures COMMAND DESCRIPTION idp signature update signatures Immediately downloads IDP signatures from an update server no idp signature update auto Enables disables automatic signature downloads at regular times and days idp signature update...

Page 234: ...ow idp signature update status current status IDP signature download failed do 1 retry at Sat Jan 4 22 47 47 2003 last update time 2003 01 01 01 34 39 Router config show idp signature signatures version version 1 2000 Router config show idp signature signatures number signatures 2000 Router config show idp signature signatures date date 2005 11 13 13 56 03 Table 135 Commands for IDP Statistics COM...

Page 235: ...tatus IDP collect statistics status yes Router config show idp statistics summary scanned session 268 packet dropped 0 packet reset 0 Router config show idp statistics ranking signature name ranking 1 signature id 8003796 signature name ICMP L3retriever Ping type Scan severity verylow occurence 22 ranking 2 signature id 8003992 signature name ICMP Large ICMP Packet type DDOS severity verylow occur...

Page 236: ...Chapter 34 IDP Commands ZyWALL USG ZLD CLI Reference Guide 236 ...

Page 237: ...profiles For example you can configure one policy that blocks John Doe s access to arts and entertainment web pages during the workday and another policy that lets him access them after work 35 2 External Web Filtering Service When you register for and enable the external web filtering service your ZyWALL USG accesses an external database that has millions of web sites categorized based on content...

Page 238: ...greeting cards sports hacking streaming media downloads hate intolerance tasteless health medicine translators illegal drugs transportation illegal software travel image sharing violence information security weapons instant messaging web based email trust_hosts The IP address or domain name of a trusted web site Use a host name such as www good site com Do not use the complete URL of the site that...

Page 239: ...ess range by entering the start and end IP addresses separated by a hyphen for example 192 168 2 5 192 168 2 23 IPv6 support format like Single ip 2001 1 Range format 2001 1 2001 5 Prefix format 2001 1 64 keyword A keyword or a numerical IP address to search URLs for and block access to if they contain it Use up to 63 case insensitive characters 0 9a zA Z _ in double quotes For example enter Bad_S...

Page 240: ...ub command mode content filter common list trust forbid Enters the sub command for configuring a common list of trusted or forbidden web sites The content filtering profile commands let you configure trusted or forbidden URLs for individual profiles URL checking is applied in the following order profile trusted web sites common trusted web sites profile forbidden web sites common forbidden web sit...

Page 241: ...s it exit Leaves the sub command mode no content filter profile filtering_profile custom java Sets a content filtering profile to block Java The no command sets the profile to allow Java content filter profile filtering_profile custom list keyword Enters the sub command for configuring the content filtering profile s list of forbidden keywords This has the content filtering profile block access to...

Page 242: ...ilable Block access allow and log access display a warning message before allowing access or allow access content filter profile filtering_profile commtouch url unrate block log warn pass Sets the action for attempted access to web pages that the CommTouch external web filtering service has not categorized Block access allow and log access display a warning message before allowing access or allow ...

Page 243: ...es 5 Enable the external web filtering service Note You must register for the external web filtering service before you can use it see Chapter 5 on page 49 Table 139 Commands for Content Filtering Statistics COMMAND DESCRIPTION no content filter statistics collect Turn the collection of content filtering statistics on or off content filter statistics flush Clears the collected statistics show cont...

Page 244: ...ob search Router config content filter profile sales_CF_PROFILE commtouch url category business Router config content filter profile sales_CF_PROFILE url url server Router config content filter profile sales_CF_PROFILE custom java Router config content filter profile sales_CF_PROFILE custom activex Router config content filter profile sales_CF_PROFILE custom proxy Router config content filter prof...

Page 245: ... no Illegal Drugs no Job Search yes Streaming Media and Downloads no News no Non profits and NGOs no Nudity no Personal Sites no Phishing and Fraud yes Politics no Pornography Sexually Explicit no Real Estate no Religion no Restaurants and Dining no Search Engines and Portals no Shopping no Social Networking no Spam Sites yes Sports no Malware yes Translators no Travel no Violence no Weapons no We...

Page 246: ...Chapter 35 Content Filtering ZyWALL USG ZLD CLI Reference Guide 246 ...

Page 247: ...e rules You must use the configure terminal command to enter the configuration mode before you can use these commands Table 140 Input Values for General Anti Spam Commands LABEL DESCRIPTION xheader name The name part that comes before the colon of a field to add to an e mail header Use up to 16 ASCII characters xheader value The value part that comes after the colon of a field to add to an e mail ...

Page 248: ... or not to identify spam by content such as malicious content no anti spam virus outbreak activate Set whether or not to scan emails for attached viruses anti spam tag mail content virus outbreak tag Specify the labels to add to the beginning of the mail subject if content analysis identified it as spam or it contains a virus no anti spam xheader mail content virus outbreak xheader name xheader va...

Page 249: ...abel the ZyWALL USG adds to the mail subject of e mails that it tags and forwards when queries to the mail scan servers time out show anti spam xheader query timeout Display the name and value for the X Header the ZyWALL USG adds to e mails that it tags and forwards when queries to the mail scan servers time out Table 141 Commands for Anti Spam Profile Rules continued COMMAND DESCRIPTION Router co...

Page 250: ...rns the white list checking on or off Turn on the white list to forward e mail that matches an active white list entry without doing any more anti spam checking on that individual e mail no anti spam white list rule_number ip address ip subnet_mask activate deactivate Adds edits or removes a white list entry to check e mail for a specific source or relay IPv4 address Also turns the entry on or off...

Page 251: ...dits or removes a black list entry to check e mail for specific content in the subject line Also turns the entry on or off anti spam tag black list tag Configures a message or label up to 15 ASCII characters to add to the mail subject of e mails that match an anti spam black list entry show anti spam white list status Displays the current anti spam white list Use status to show the activation stat...

Page 252: ...omain anti spam dnsbl query timeout smtp drop forward forward with tag Sets how the ZyWALL USG handles SMTP mail mail going to an e mail server if the queries to the DNSBL domains time out anti spam dnsbl query timeout pop3 forward forward with tag Sets how the ZyWALL USG handles POP3 mail mail coming to an e mail client if the queries to the DNSBL domains time out anti spam dnsbl max query ip 1 5...

Page 253: ...m tag dnsbl dnsbl timeout dnsbl displays the anti spam tag for e mails that have a sender or relay IP address in the header that matches a blacklist maintained by a DNSBL domain dnsbl timeout displays the message or label to add to the mail subject of e mails that the ZyWALL USG forwards if queries to the DNSBL domains time out show anti spam dnsbl statistics Displays anti spam DNSBL statistics fo...

Page 254: ...nti spam dnsbl ip check order anti spam dnsbl IP check order forward Router config anti spam tag dnsbl DNSBL Router config show anti spam tag dnsbl dnsbl tag DNSBL Router config anti spam tag dnsbl timeout DNSBL timeout Router config show anti spam tag dnsbl timeout dnsbl timeout tag DNSBL timeout Router config show anti spam dnsbl statistics DNSBL domain 1 domain DNSBL example com average time 0 ...

Page 255: ...cs continued COMMAND DESCRIPTION Router config anti spam statistics collect Router config show anti spam statistics collect collect statistics yes collect statistics time since 2008 03 11 07 16 01 to 2008 03 11 07 16 13 Router config show anti spam statistics summary total mails scanned 0 total clear mails 0 clear mail by whitelist 0 total spam mails 0 spam detected by blacklist 0 spam detected by...

Page 256: ...Chapter 36 Anti Spam ZyWALL USG ZLD CLI Reference Guide 256 ...

Page 257: ...S Advanced Encryption Standard SSLv3 TLS1 0 Transport Layer Security Support SSLv3 TLS1 0 is currently supported with option to pass or block SSLv2 traffic Traffic using TLS1 1 Transport Layer Security or TLS1 2 is downgraded to TLS1 0 for SSL Inspection No Compression Support at time of writing No Client Authentication Request Support at time of writing 37 2 SSL Inspection Commands Summary The fo...

Page 258: ...6 IPv6_PREFIX IPv6_RANGE SSL_INSPECTION_WILDCARD_C NAME Identify the certificate in one of the following ways Type an IPv4 or IPv6 address For example type 192 168 1 35 or 2001 7300 3500 1 Type an IPv4 IPv6 in CIDR notation For example type 192 168 1 1 24 or 2001 7300 3500 1 64 Type an IPv4 IPv6 address range For example type 192 168 1 1 192 168 1 35 or 2001 7300 3500 1 2001 7300 3500 35 Type a DN...

Page 259: ...command sets the action and log for SSLv2 traffic unsupported suite action pass block no log log alert Sets the action and log for unsupported suite traffic untrusted cert chain action pass block no log log alert As a SSL session is being established servers send their certificate chain to clients The ZyWALL USG trusts its own certificates and imported trusted certificates to verify the certificat...

Page 260: ...t cert update tmp sslinsp_certs default_trusted current status Connecting to update server to get SSL certificate at Fri Apr 10 03 47 37 2015 Router config show ssl inspection default cert update current status SSL Certificate update has succeeded success at Fri Apr 10 03 47 49 2015 Router config Table 151 SSL Inspection Certificate Update Commands COMMAND DESCRIPTION Table 152 SSL Inspection Stat...

Page 261: ...tion profile dummy certificate default Router config ssl inspection profile dummy sslv2 action block log Router config ssl inspection profile dummy unsupported suite action block log Router config ssl inspection profile dummy untrusted cert chain action block log Router config ssl inspection profile dummy exit Router config show ssl inspection profile dummy SSL Inspection 3 profile name dummy desc...

Page 262: ...Chapter 37 SSL Inspection ZyWALL USG ZLD CLI Reference Guide 262 ...

Page 263: ...ment Access You can configure a separate management IP address for each interface You can use it to access the ZyWALL USG for management whether the ZyWALL USG is the master or a backup The management IP address should be in the same subnet as the interface IP address Synchronization Use synchronization to have a backup ZyWALL USG copy the master ZyWALL USG s configuration signatures anti virus ID...

Page 264: ...SG virtual routers on your network Use a different cluster ID to identify each virtual router Monitored Interfaces in Active Passive Mode Device HA You can select which interfaces device HA monitors If a monitored interface on the ZyWALL USG loses its connection device HA has the backup ZyWALL USG take over Enable monitoring for the same interfaces on the master and backup ZyWALL USGs Each monitor...

Page 265: ...ALL USG if a lower priority ZyWALL USG is the master when this ZyWALL USG is enabled device ha ap mode role master backup Sets the ZyWALL USG to be the master or a backup in the virtual router device ha ap mode cluster id 1 32 Sets the cluster ID number A virtual router consists of a master ZyWALL USG and all of its backup ZyWALL USGs If you have multiple ZyWALL USG virtual routers on your network...

Page 266: ...yWALL USG synchronizes with the master no device ha ap mode backup sync from master_address port port Sets the address of the master ZyWALL USG with which this backup ZyWALL USG is to synchronize master_address The master ZyWALL USG s IP address or fully qualified domain name FQDN port The master ZyWALL USG s FTP port number device ha ap mode backup sync now Synchronize now show device ha ap mode ...

Page 267: ...address of 192 168 1 3 on lan1 wan1 and lan1 are monitored The synchronization password is set to mySyncPassword Router config device ha ap mode lan1 manage ip 192 168 1 3 255 255 255 0 Router config device ha ap mode role master Router config device ha ap mode master sync authentication password mySyncPassword Router config device ha ap mode wan1 activate Router config device ha ap mode lan1 acti...

Page 268: ...Chapter 38 Device HA ZyWALL USG ZLD CLI Reference Guide 268 ...

Page 269: ...n the ZyWALL USG 39 1 1 User Types There are the types of user accounts the ZyWALL USG uses Note The default admin account is always authenticated locally regardless of the authentication method setting See Chapter 45 on page 297 for more information about authentication methods Table 156 Types of User Accounts TYPE ABILITIES LOGIN METHOD S Admin Users Admin Change ZyWALL USG configuration web CLI...

Page 270: ...ername username password password user type admin guest limited admin user Creates the specified user if necessary enables and sets the password and sets the user type for the specified user password You can use 1 63 printable ASCII characters except double quotation marks and question marks username username user type ext user Creates the specified user if necessary and sets the user type to Ext ...

Page 271: ... for the specified user group no groupname groupname Adds the specified user group second groupname to the specified user group first groupname no user username Adds the specified user to the specified user group groupname rename groupname groupname Renames the specified user group first groupname to the specified group name second groupname Table 160 username groupname Commands Summary Settings C...

Page 272: ...ltaneous logins by users of the specified account type The no command disables the limit or allows an unlimited number of simultaneous logins no users simultaneous logon administration access limit 1 1024 Sets the limit for the number of simultaneous logins by users of the specified account type The no command sets the limit to one show users update lease settings Displays whether or not access us...

Page 273: ...ernal server to the specified MAC role MAC address user account The no command deletes the mapping between the MAC address and the MAC role no mac auth database mac mac_address type int mac address mac role username description description Maps the specified MAC address authenticated by the ZyWALL USG s local user database to the specified MAC role MAC address user account The no command deletes t...

Page 274: ...g wlan security default mac auth activate Router config wlan security default mac auth auth method Auth1 Router config wlan security default mac auth delimiter account colon Router config wlan security default mac auth case account upper Router config wlan security default exit Table 162 username groupname Commands Summary Additional COMMAND DESCRIPTION show users username all current Displays inf...

Page 275: ... 1 34 Service http https Session_Time 00 02 26 Idle_Time unlimited Lease_Timeout unlimited Re_Auth_Timeout unlimited User_Info admin Router config users force logout 192 168 1 34 Logout user admin from 192 168 1 34 OK Total 1 user has been forced logout Router config show users all No 0 Name admin Type admin From console Service console Session_Time 25 48 33 Idle_Time unlimited Lease_Timeout unlim...

Page 276: ...object sid This is the associated IDP and App Patrol signature ID number Table 164 application object Commands COMMAND DESCRIPTION show application object object Displays information on the named application object application object object Creates an object with the specified name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This valu...

Page 277: ...CRIPTION show object group application object Displays information on the named application object group object group application object Creates an object group with the specified name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive The no command disables it no description description Write a description of t...

Page 278: ...mple usage commands Router config show object group application Name Description Ref Member Router config object group application may Router group application description rinse after use Router group application exit Router config show object group application Name Description Ref Member may rinse after use 0 tests Router config ...

Page 279: ... are used to specify where content restrictions apply in content filtering Please see the respective sections for more information about how address objects and address groups are used in each one Address groups are composed of address objects and address groups The sequence of members in the address group is not important 41 2 Address Commands Summary The following table describes the values requ...

Page 280: ...range ipv6_subnet Creates the specified IPv6 address object using the specified parameters The no command removes the specified address object ipv6_address IPv6 address ipv6_range IPv6 address range For example fe80 1234 1 fe80 1234 ffff ipv6_subnet IPv6 prefix format For example fe80 211 85ff fe0e dec 128 no address6 object object_name interface ip interface dhcpv6 link local slaac static addr_in...

Page 281: ...object A0 192 168 1 1 Router config address object A1 192 168 1 1 192 168 1 20 Router config address object A2 192 168 1 0 24 Router config show address object Object name Type Address Ref A0 HOST 192 168 1 1 0 A1 RANGE 192 168 1 1 192 168 1 20 0 A2 SUBNET 192 168 1 0 24 0 Router config no address object A2 Router config show address object Object name Type Address Ref A0 HOST 192 168 1 1 0 A1 RAN...

Page 282: ...ff feaa cb88 ge1 0 Router config no address6 object B2 Router config show address6 object Object name Type Address Type Index Address Note Ref B0 HOST fe80 211 85ff fe0e cdec 0 B1 RANGE fe80 211 85ff fe0e 1 fe80 211 85ff fe0e ff 0 B3 INTERFACE IP LINK LOCAL 1 fe80 213 49ff feaa cb88 ge1 0 Table 168 object group Commands Address Groups COMMAND DESCRIPTION show object group address address6 group_na...

Page 283: ...es the specified address group from the first group_name to the second group_name Table 168 object group Commands Address Groups continued COMMAND DESCRIPTION Router configure terminal Router config address object A0 192 168 1 1 Router config address object A1 192 168 1 2 192 168 2 20 Router config address object A2 192 168 3 0 24 Router config object group address RD Router group address address ...

Page 284: ...Chapter 41 Addresses ZyWALL USG ZLD CLI Reference Guide 284 ...

Page 285: ...first table lists the commands for service objects Table 169 Input Values for Service Commands LABEL DESCRIPTION group_name The name of the service group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive object_name The name of the service You may use 1 31 alphanumeric characters underscores _ or dashes but the ...

Page 286: ...eter problem time exceeded neighbor advertisement redirect unreachable Creates the specified ICMPv6 message using the specified parameters Table 170 service object Commands Service Objects continued COMMAND DESCRIPTION Router configure terminal Router config service object TELNET tcp eq 23 Router config service object FTP tcp range 20 21 Router config service object ICMP_ECHO icmp echo Router conf...

Page 287: ...ription description You can use alphanumeric and _ characters and it can be up to 60 characters long object group service rename group_name group_name Renames the specified service group from the first group_name to the second group_name Table 171 object group Commands Service Groups continued COMMAND DESCRIPTION Router configure terminal Router config service object ICMP_ECHO icmp echo Router con...

Page 288: ...Chapter 42 Services ZyWALL USG ZLD CLI Reference Guide 288 ...

Page 289: ...ected days of the week Sunday Monday Tuesday Wednesday Thursday Friday and Saturday Recurring schedules always begin and end in the same day Recurring schedules are useful for defining the workday and off work hours 43 2 Schedule Commands Summary The following table describes the values required for many schedule commands Other values are discussed with the corresponding commands The following tab...

Page 290: ...curring schedule day 3 character day of the week sun mon tue wed thu fri sat Table 173 schedule Commands continued COMMAND DESCRIPTION Router configure terminal Router config schedule object SCHEDULE1 11 00 12 00 mon tue wed thu fri Router config schedule object SCHEDULE2 2006 07 29 11 00 2006 07 31 12 00 Router config show schedule object Object name Type Start End Ref SCHEDULE1 Recurring 11 00 1...

Page 291: ...th a directory and a protocol for controlling access to a network The directory consists of a database specialized for fast information retrieval and filtering activities You create and store user profile and login information on the external server RADIUS RADIUS Remote Authentication Dial In User Service authentication is a popular protocol used to authenticate users by means of an external or bu...

Page 292: ... clears this setting no ad server ssl Enables the ZyWALL USG to establish a secure connection to the AD server The no command disables this feature Table 174 ad server Commands continued COMMAND DESCRIPTION Table 175 ldap server Commands COMMAND DESCRIPTION show ldap server Displays current LDAP server settings no ldap server basedn basedn Sets a base distinguished name DN for the default LDAP ser...

Page 293: ... radius server timeout time Sets the search timeout period in seconds Enter a number between 1 and 300 The no command clears this setting Router configure terminal Router config radius server host 172 23 10 100 auth port 1812 Router config radius server key 876543210 Router config radius server timeout 80 Router config show radius server host 172 23 10 100 authentication port 1812 key 876543210 ti...

Page 294: ...n ext group user user object for each group One with sales as the group identifier another for RD and a third for management The no command clears the setting no server host ad_server Enter the IP address in dotted decimal notation or the domain name of an AD server to add to this group The no command clears this setting no server password password Sets the bind password up to 15 alphanumerical ch...

Page 295: ...es For example you could have an attribute named memberOf with values like sales RD and management Then you could also create an ext group user user object for each group One with sales as the group identifier another for RD and a third for management The no command clears the setting no server host ldap_server Enter the IP address in dotted decimal notation or the domain name of an LDAP server to...

Page 296: ...nd create a ext group user user object for each of them The no command clears the setting no server host radius_server Enter the IP address in dotted decimal notation or the domain name of a RADIUS server to add to this server group The no command clears this setting no server key secret Sets a password up to 15 alphanumeric characters as the key to be shared between the RADIUS server s and the Zy...

Page 297: ...me old profile name new Changes the profile name profile name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive clear aaa authentication profile name Deletes all authentication profiles or the specified authentication profile Note You can NOT delete a profile that is currently in use show aaa authentication grou...

Page 298: ...ch profile Each type of member can only be used once in a profile aaa authentication no match default group Enable this to treat a user successfully authenticated by a remote auth server as a defat ext user If the remote authentication server is LDAP the default ext user account is an ldap user If the remote authentication server is AD the default ext user account is an ad user If the remote authe...

Page 299: ...ALL USG responds an error Router test aaa server ad host 172 16 50 1 port 389 base dn DC ZyXEL DC com bind dn zyxel engineerABC password abcdefg login name attribute sAMAccountName account userABC dn Q049MTIzNzco546L5aOr56uRKSxPVT1XaXRoTWFpbCxEQz1aeVhFTCxEQz1jb20 objectClass top objectClass person objectClass organizationalPerson objectClass user cn MTIzNzco546L5aOr56uRKQ sn User l 2341100 SNIP ...

Page 300: ...used by the authentication server no auth server authentication Resets the authentication method used by the authentication server to the factory default default no auth server cert certificate_name Specifies a certificate used by the authentication server ZyWALL USG The no command resets the certificate used by the authentication server to the factory default default certificate_name The name of ...

Page 301: ... auth server trusted client Displays all RADIUS client profile settings show auth server trusted client profile_name Displays the specified RADIUS client profile settings Table 182 Command Summary Authentication Server continued COMMAND DESCRIPTION Router configure terminal Router config auth server activate Router config auth server trusted client AP 1 Router config trusted client AP 1 activate R...

Page 302: ...Chapter 46 Authentication Server ZyWALL USG ZLD CLI Reference Guide 302 ...

Page 303: ...ificates Commands Input Values The following table explains the values you can input with the certificate commands Table 183 Certificates Commands Input Values LABEL DESCRIPTION certificate_name The name of a certificate You can use up to 31 alphanumeric and _ characters cn_address A common name IP address identifies the certificate s owner Type the IP address in dotted decimal notation cn_domain_...

Page 304: ...te immediately online you must have the certification authority s certificate already imported as a trusted certificate Specify the name of the certification authority s certificate It can be up to 31 alphanumeric and _ characters url When you have the ZyWALL USG enroll for a certificate immediately online enter the IP address or URL of the certification authority server You can use up to 511 of t...

Page 305: ...cation authority You can use alphanumeric characters the underscore and the dash Type the password up to 31 characters from the entity maintaining the CRL directory server usually a certification authority You can use the following characters a zA Z0 9 _ ocsp activate deactivate Has the ZyWALL USG check or not check incoming certificates that are signed by this certificate against a directory serv...

Page 306: ...se by certificates Table 184 ca Commands Summary continued COMMAND DESCRIPTION Router configure terminal Router config ca generate x509 name test_x509 cn type ip cn 10 0 0 58 key type rsa key len 512 Router config show ca category local certificate default type SELF subject CN ZyWALL 1050_Factory_Default_Certificate issuer CN ZyWALL 1050_Factory_Default_Certificate status VALID ID ZyWALL 1050_Fact...

Page 307: ...racters underscores _ or dashes but the first character cannot be a number This value is case sensitive encrypted password ciphertext Sets a encrypted secret for the specified account ciphertext no user username Sets the username for the specified ISP account The no command clears the username username You can use alphanumeric underscores _ dashes commas and characters and it can be up to 64 chara...

Page 308: ...about the specified account no account cellular profile_name Creates a new cellular ISP account with name profile_name if necessary and enters sub command mode The no command deletes the specified ISP account profile_name the cellular ISP account name format is cellularx where x is a number For example cellular1 no apn access_point_name Sets the Access Point Name APN for the cellular ISP account T...

Page 309: ...pplication application_object Enters the sub command mode to create an SSL VPN application object server type file sharing owa web server url URL entry point entry_point Specify the type of service for this SSL application file sharing create a file share application for SSL VPN owa Outlook Web Access to allow users to access e mails contacts calenders via an Microsoft Outlook like interface using...

Page 310: ...ote desktop application server type vnc server address server address starting port 1 65535 ending port 1 65535 Creates an SSL application object to allow users to manage LAN computers that have Virtual Network Computing remote desktop server software installed Specify the listening ports of the LAN computer s running remote desktop server software The ZyWALL USG uses a port number from this range...

Page 311: ... named ZW5 for a web server at IP address 192 168 1 12 Router config sslvpn application ZW5 Router sslvpn application server type web server url http 192 168 1 12 Router sslvpn application exit Router config show sslvpn application SSL Application ZW5 Server Type web server URL http 192 168 1 12 Entry Point Encrypted URL aHR0cDovLzE5Mi4xNjguMS4xMi8 Web Page Encryption yes Reference 1 ...

Page 312: ...s the server side IPv6 DUID binding lease show dhcp6 interface Displays all DHCPv6 server client and relay interfaces show dhcp6 lease object dhcp6_profile Displays the specified DHCPv6 lease object or all of them show dhcp6 object binding interface_name Displays the DHCPv6 object bound to the specified interface show dhcp6 request object dhcp6_profile Displays the specified DHCPv6 request object ...

Page 313: ...s the specified SIP server DNS server NTP server prefix delegation or SIP server DHCP request object dhcp6 request object rename dhcp6_profile dhcp6_profile Renames the specified DHCPv6 request object to the specified name no dhcp6 request object dhcp6_profile Deletes the specified DHCPv6 request object Table 189 DHCPv6 Object Commands continued COMMAND DESCRIPTION Router config dhcp6 lease object...

Page 314: ...uid 00 01 02 03 04 05 06 07 Router config show dhcp6 lease object pfx DHCP6 Lease Object pfx Object Type prefix delegation Object Value 2005 64 DUID 00 01 02 03 04 05 06 07 Bind Iface REFERENCE 0 Router config dhcp6 lease object rename pfx pd Router config show dhcp6 lease object pd DHCP6 Lease Object pd Object Type prefix delegation Object Value 2005 64 DUID 00 01 02 03 04 05 06 07 Bind Iface REF...

Page 315: ...mine which services protocols can access which ZyWALL USG zones if any from which computers 51 2 Customizing the WWW Login Page Use these commands to customize the Web Configurator login screen You can also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet See Chapter 39 on page 269 for more on access user accounts The...

Page 316: ...olor rgb color name color number Sets the color of the message text on the access page no access page message text message Sets a note to display below the access page s title Use up to 64 printable ASCII characters Spaces are allowed access page title title Sets the title for the top of the access page Use up to 64 printable ASCII characters Spaces are allowed access page window color color rgb c...

Page 317: ...top of the login screen and access page show access page settings Lists the current access page settings show login page default title Lists the factory default title for the login page show login page settings Lists the current login page settings show logo settings Lists the current logo background banner and floor line below the banner settings show page customization Lists whether the ZyWALL U...

Page 318: ...sep 1 2 3 4 last fri mon sat sun thu tue wed hh mm offset Configures the day and time when Daylight Saving Time starts and ends The no command removes the day and time when Daylight Saving Time starts and ends offset a number from 1 to 5 5 by 0 5 increments clock time hh mm ss Sets the new time in hour minute and second format no clock time zone hh Sets your time zone The no command removes time z...

Page 319: ...locally using cached Resource Records RR obtained from a previous query and kept for a period of time If the ZyWALL USG does not have the requested information it can forward the request to DNS servers This is known as recursion The ZyWALL USG can ask a DNS server to use recursion to resolve its DNS client requests If recursion on the ZyWALL USG or a DNS server is disabled they cannot forward DNS ...

Page 320: ...of the virtual interface For example gex y x 1 N y 1 4 VLAN interface vlanx x 0 4094 virtual interface on top of VLAN interface vlanx y x 0 4094 y 1 12 bridge interface brx x 0 N where N depends on the number of bridge interfaces your ZyWALL USG model supports virtual interface on top of bridge interface brx y x the number of the bridge interface y 1 4 PPPoE PPTP interface pppx x 0 N where N depen...

Page 321: ...rd no ip dns server rule 1 32 Deletes a service control rule show ip dns server Displays all DNS entries show ip dns server database Displays all configured records show ip dns server status Displays whether this service is enabled or not show ip dns security options all Displays security options configured for the customized and default rules ip dns server aaaa record FQDN_DNS FQDN_WILDCARD_DNS I...

Page 322: ...any PROFILE Sets the address object to be any or a previously created one no removes the address object from this DNS security options profile no additional from cache activate Activated allows the ZyWALL USG to reply to queries with previosuly cached DNS requests Deactivated no does not no recursion activate Activated recursion allows the ZyWALL USG to forward queries it can t find in its DNS dat...

Page 323: ... default certificate_name The name of the certificate You can use up to 31 alphanumeric and _ characters no auth server trusted client profile_name Creates a trusted RADIUS client profile The no command deletes the specified profile profile name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive no activate Enabl...

Page 324: ...ter config auth server trusted client AP 1 Router config trusted client AP 1 activate Router config trusted client AP 1 ip address 10 10 1 2 255 255 255 0 Router config trusted client AP 1 secret 12345678 Router config trusted client AP 1 exit Router config show auth server status activation yes authentication method default certificate default Router config show auth server trusted client AP 1 Cl...

Page 325: ...abilities on the local network It also allows the device to maintain and store information from adjacent devices which are directly connected to the network device This helps you discover network changes and perform necessary network reconfiguration and management 51 10 2 ZON Commands The following table describes the commands available for ZON You must use the configure terminal command to enter ...

Page 326: ...P discovery on the ZyWALL USG show zon lldp neighbors Displays the the ZyWALL USG s neighboring devices via LLDP show zon lldp server config Displays the LLDP settings show zon lldp server statistics Displays the LLDP traffic statistics show zon lldp server status Displays whether LLDP discovery is enabled show zon zdp server status Displays whether ZDP discovery is enabled Table 199 Command Summa...

Page 327: ...e Management Limitations Remote management will not work when 1 You have disabled that service in the corresponding screen 2 The accepted IP address in the Service Control table does not match the client IP address If it does not match the ZyWALL USG will disconnect the session immediately 3 There is a firewall rule that blocks it 52 1 2 System Timeout There is a lease timeout for administrators T...

Page 328: ... value is case sensitive For other ZyWALL USG models use pre defined zone names like DMZ LAN1 SSL VPN IPSec VPN OPT and WAN Table 201 Command Summary HTTP HTTPS COMMAND DESCRIPTION no ip http authentication auth_method Sets an authentication method used by the HTTP HTTPS server The no command resets the authentication method used by the HTTP HTTPS server to the factory default default auth_method ...

Page 329: ...rithms up to four that the ZyWALL USG uses for the SSL in HTTPS connections and the sequence in which it uses them The cipher_algorithm can be any of the following rc4 RC4 RC4 may impact the ZyWALL USG s CPU performance since the ZyWALL USG s encryption accelerator does not support it aes AES des DES 3des Triple DES no ip http secure server cipher suite cipher_algorithm Has the ZyWALL USG not use ...

Page 330: ...tocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network 52 4 1 SSH Implementation on the ZyWALL USG Your ZyWALL USG supports SSH versions 1 and 2 using RSA authentication and four encryption methods AES 3DES Archfour and Blowfish The SSH server is implemented on the ZyWALL USG for remote management on port 22 by d...

Page 331: ... port 1 65535 Sets the SSH service port number The no command resets the SSH service port number to the factory default 22 ip ssh server rule rule_number append insert rule_number access group ALL address_object zone ALL zone_object action accept deny Sets a service control rule for SSH service address_object The name of the IP address group object You may use 1 31 alphanumeric characters undersco...

Page 332: ...ip telnet server rule rule_number append insert rule_number access group ALL address_object zone ALL zone_object action accept deny Sets a service control rule for Telnet service address_object The name of the IP address group object You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive zone_object The name of the z...

Page 333: ...erver port 1 65535 Sets the FTP service port number The no command resets the FTP service port number to the factory default 21 no ip ftp server tls required Allows FTP access over TLS The no command disables FTP access over TLS ip ftp server rule rule_number append insert rule_number access group ALL address_object zone ALL zone_object action accept deny Sets a service control rule for FTP servic...

Page 334: ...rted MIBs The ZyWALL USG supports MIB II that is defined in RFC 1213 and RFC 1215 The ZyWALL USG also supports private MIBs zywall mib and zyxel zywall ZLD Common mib to collect information about CPU and memory usage and VPN total throughput The focus of the MIBs is to let administrators collect statistical data and monitor status and performance You can download the ZyWALL USG s MIBs from www zyx...

Page 335: ...racters for the person in charge of the ZyWALL USG The no command removes the contact information for the person in charge of the ZyWALL USG no snmp server enable informs traps Enables all SNMP notifications informs or traps The no command disables all SNMP notifications informs or traps no snmp server host w x y z fqdn ipv6 address community_string Sets the IPv4 or IPv6 address of the host that r...

Page 336: ...thentication privacy and privilege for an SNMPv3 user snmp server version v2c v3 Sets the SNMP version for the ZyWALL USG The SNMP version on the ZyWALL USG must match the version on the SNMP manager show snmp status Displays SNMP Settings show snmp server v3user status Displays authentication privacy and privilege for configured SNMPv3 users Table 206 Command Summary SNMP continued COMMAND DESCRI...

Page 337: ... 1 32 append insert 1 32 access group ALL ADDRESS_OBJECT zone ALL ZONE_OBJECT icmp type ALL echo reply destination unreachable source quench redirect echo request router advertisement router solicitation time exceeded parameter problem timestamp request timestamp reply address mask request address mask reply action accept deny Sets an ICMP filter rule ADDRESS_OBJECT The name of the IP address grou...

Page 338: ...Chapter 52 System Remote Management ZyWALL USG ZLD CLI Reference Guide 338 ...

Page 339: ...ands that you can store on the ZyWALL USG and run when you need them When you run a shell script the ZyWALL USG only applies the commands that it contains Other settings do not change You can edit configuration files or shell scripts in a text editor and upload them to the ZyWALL USG Configuration files use a conf extension and shell scripts use a zysh extension Table 208 FTP File Transfer Notes D...

Page 340: ...le to have the ZyWALL USG exit sub command mode Note exit or must follow sub commands if it is to make the ZyWALL USG exit sub command mode Figure 27 Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin password 4321 user type admin configure ge3 interface ge3 ip address 172 23 37 240 255 255 255 0 ip gateway 172 23 37 254...

Page 341: ...ores any errors in the configuration file or shell script and applies all of the valid commands The ZyWALL USG still generates a log for any errors 53 2 3 ZyWALL USG Configuration File Details You can store multiple configuration files on the ZyWALL USG You can also have the ZyWALL USG use a different configuration file without the ZyWALL USG restarting When you first receive the ZyWALL USG it use...

Page 342: ...If there are no errors the ZyWALL USG uses it and copies it to the lastgood conf configuration file If there is an error the ZyWALL USG generates a log and copies the startup config conf configuration file to the startup config bad conf configuration file and tries the existing lastgood conf configuration file If there isn t a lastgood conf configuration file or it also has an error the ZyWALL USG...

Page 343: ...e ZyWALL USG from the source file name to the target file name Specify the directory and file name of the file that you want to copy and the directory and file name to use for the duplicate Always copy the file into the same directory copy running config startup config Saves your configuration changes to the flash non volatile or long term memory The ZyWALL USG immediately uses configuration chang...

Page 344: ...mory The ZyWALL USG immediately uses configuration changes made via commands but if you do not use the write command the changes will be lost when the ZyWALL USG restarts Table 211 File Manager Commands Summary continued COMMAND DESCRIPTION Table 212 File Manager Dual Firmware Commands COMMAND DESCRIPTION set firmware boot option 0 1 Sets the behavior of the ZyWALL USG when firmware is uploaded to...

Page 345: ... boot option boot option 0 Router config Router config set firmware boot number 2 Welcome to USG110 Username Terminate All Processes OK kill_process_and_umountfs returns 7 Restarting system snipped Welcome to USG110 Username admin Password Router configure terminal Router config show version ZyXEL Communications Corp image number model firmware version build date boot status 1 USG110 V4 11 AAPH 0 ...

Page 346: ...348 to recover the firmware 53 7 2 Command Line FTP Configuration File Upload Example The following example transfers a configuration file named tomorrow conf from the computer and saves it on the ZyWALL USG as next conf Note Uploading a custom signature file named custom rules overwrites all custom signatures on the ZyWALL Figure 28 FTP Configuration File Upload Example 53 7 3 Command Line FTP Fi...

Page 347: ...d today conf from the ZyWALL USG and saves it on the computer as current conf Figure 29 FTP Configuration File Download Example 53 8 ZyWALL USG File Usage at Startup The ZyWALL USG uses the following files at system startup Figure 30 ZyWALL USG File Usage at Startup C ftp 192 168 1 1 Connected to 192 168 1 1 220 FTP Server ZyWALL 192 168 1 1 User 192 168 1 1 none admin 331 Password required for ad...

Page 348: ...or firmware file Use this section if your device has stopped responding for an extended period of time and you cannot access or ping it Note that the ZyWALL USG does not respond while starting up It takes less than five minutes to start up with the default configuration but the start up time increases with the complexity of your configuration 1 Use a console cable and connect to the ZyWALL USG via...

Page 349: ...ection 53 11 on page 351 to restore it If the message does not display the firmware is OK and you do not need to use the firmware recovery procedure Figure 33 Firmware Damaged 53 10 Restoring the Recovery Image This procedure requires the ZyWALL USG s recovery image Download the firmware package from www zyxel com and unzip it The recovery image uses a ri extension for example 1 01 XL 0 C0 ri Do t...

Page 350: ... Enter Y and wait for the Starting XMODEM upload message before activating XMODEM upload on your terminal Figure 36 Starting Xmodem Upload 5 This is an example Xmodem configuration upload using HyperTerminal Click Transfer then Send File to display the following screen Figure 37 Example Xmodem Upload 6 Wait for about three and a half minutes for the Xmodem upload to finish Figure 38 Recovery Image...

Page 351: ...r normal firmware uploads You only need to use this section if you need to recover the firmware 1 Connect your computer to the ZyWALL USG s port 1 only port 1 can be used 2 The ZyWALL USG s FTP server IP address for firmware recovery is 192 168 1 1 so set your computer to use a static IP address from 192 168 1 2 192 168 1 254 3 Use an FTP client on your computer to connect to the ZyWALL USG For ex...

Page 352: ...e transfer is complete Firmware received or ZLD current received displays Wait up to four minutes while the ZyWALL USG recovers the firmware Figure 42 Firmware Received and Recovery Started 9 The console session displays done when the firmware recovery is complete Then the ZyWALL USG automatically restarts Figure 43 Firmware Recovery Complete and Restart ...

Page 353: ...efault System Database The default system database stores information such as the default anti virus or IDP signatures The ZyWALL USG can still operate if the default system database is damaged or missing but related features like anti virus or IDP may not function properly If the default system database file is not valid the ZyWALL USG displays a warning message in your console session at startup...

Page 354: ...System Database Console Session Warning at Startup Anti virus Figure 46 Default System Database Console Session Warning When Reloading IDP Figure 47 Default System Database Missing Log Anti virus This procedure requires the ZyWALL USG s default system database file Download the firmware package from www zyxel com and unzip it The default system database file uses a db extension ...

Page 355: ...igure 49 atkz u Command for Restoring the Default System Database 4 Connect a computer to port 1 and FTP to 192 168 1 1 to upload the new file displays on the screen Connect your computer to the ZyWALL USG s port 1 only port 1 can be used Figure 50 Use FTP with Port 1 and IP 192 168 1 1 to Upload File 5 The ZyWALL USG s FTP server IP address for firmware recovery is 192 168 1 1 so set your compute...

Page 356: ...put followed by the path and name of the firmware file This examples uses put e ftproot ZLD FW 1 01 XL 0 C0 db Figure 51 FTP Default System Database Transfer Command 10 Wait for the file transfer to complete Figure 52 FTP Default System Database Transfer Complete 11 The console session displays done after the default system database is recovered Figure 53 Default System Database Received and Recov...

Page 357: ...rence Guide 357 12 The username prompt displays after the ZyWALL USG starts up successfully The default system database recovery process is now complete and the ZyWALL USG IDP and anti virus features are ready to use again Figure 54 Startup Complete ...

Page 358: ...Chapter 53 File Manager ZyWALL USG ZLD CLI Reference Guide 358 ...

Page 359: ... N where N equals the highest numbered Ethernet interface for your ZyWALL USG model For othere ZyWALL USG models use a name such as wan1 wan2 opt lan1 or dmz Virtual interface on top of Ethernet interface add a colon and the number of the virtual interface For example gex y x 1 N y 1 4 VLAN interface vlanx x 0 4094 Virtual interface on top of VLAN interface vlanx y x 0 4094 y 1 12 Bridge interface...

Page 360: ...i cat all Table 215 logging Commands System Log Settings COMMAND DESCRIPTION show logging status system log Displays the current settings for the system log logging system log category module_name disable level normal level all Specifies what kind of information if any is logged in the system log and debugging log for the specified category no logging system log suppression interval 10 600 Sets th...

Page 361: ...g no file manage normal dial in normal adp normal default all Table 216 logging Commands Debug Log Settings COMMAND DESCRIPTION show logging debug status Displays the current settings for the debug log show logging debug entries priority pri category module_name srcip ip srcip6 ipv6_addr dstip ip dstip6 ipv6_addr service service_name srciface interface_name dstiface interface_name protocol protoco...

Page 362: ...compatible format vrpt ZyXEL s Vantage Report syslog compatible format Table 218 logging Commands VRPT Settings COMMAND DESCRIPTION vrpt send device information interval 15 3600 Sets the interval in seconds for how often the ZyWALL USG sends a device information log to the VRPT server vrpt send interface statistics interval 15 3600 Sets the interval in seconds for how often the ZyWALL USG sends an...

Page 363: ...tions between the mail server and the ZyWALL USG no logging mail 1 2 tls authenticate server If you choose TLS Security you may also select this to have the ZyWALL USG authenticate the mail server in the TLS handshake no logging mail 1 2 authentication Enables SMTP authentication The no command disables SMTP authentication no logging mail 1 2 authentication username username password password Sets...

Page 364: ...Router configure terminal Router config logging mail 1 address mail zyxel com tw Router config logging mail 1 subject AAA Router config logging mail 1 authentication username lachang li password XXXXXX Router config logging mail 1 send log to lachang li zyxel com tw Router config logging mail 1 send alerts to lachang li zyxel com tw Router config logging mail 1 from lachang li zyxel com tw Router ...

Page 365: ...he commands for reports Table 221 report Commands COMMAND DESCRIPTION no report Begins data collection The no command stops data collection show report status Displays whether or not the ZyWALL USG is collecting data and how long it has collected data clear report interface_name Clears the report for the specified interface or for all interfaces show report interface_name ip service url Displays t...

Page 366: ...oming Router config show report ge1 url No Hit URL 1 1 140 114 79 60 Router config show report status Report status on Collection period 0 days 0 hours 0 minutes 18 seconds Table 222 Session Commands COMMAND DESCRIPTION show conn user username any unknown service service name any unknown source ip any destination ip any begin 1 128000 end 1 128000 Displays information about the selected sessions o...

Page 367: ...aily report status Displays the e mail daily report settings daily report Enters the sub command mode for configuring daily e mail reports settings no activate Turns daily e mail reports on or off draw usage graphics Has the report e mail include usage graphs smtp address ip hostname Sets the SMTP mail server IP address or domain name no smtp auth activate Enables or disables SMTP authentication s...

Page 368: ...Determines whether or not content filtering statistics are included in the report e mails no item cpu usage Determines whether or not CPU usage statistics are included in the report e mails no item idp report Determines whether or not IDP statistics are included in the report e mails no item mem usage Determines whether or not memory usage statistics are included in the report e mails no item port...

Page 369: ... daily report mail subject append date time Router config daily report mail from my email example com Router config daily report mail to 1 example administrator example com Router config daily report no mail to 2 Router config daily report no mail to 3 Router config daily report mail to 4 my email example com Router config daily report no mail to 5 Router config daily report smtp auth activate Rou...

Page 370: ...reboot Use the reboot command to restart the device Router config show daily report status email daily report status activate yes scheduled time 13 57 reset counter no smtp address example SMTP mail server com smtp port 25 smtp auth yes smtp username 12345 smtp password pass12345 mail subject test subject append system name no append date time yes mail from my email example com mail to 1 example a...

Page 371: ...DP sessions to connect or deliver and for ICMP sessions session timeout session tcp established tcp synrecv tcp close tcp finwait tcp synsent tcp closewait tcp lastack tcp timewait 1 300 Sets the timeout for TCP sessions in the ESTABLISHED SYN_RECV FIN_WAIT SYN_SENT CLOSE_WAIT LAST_ACK or TIME_WAIT state show session timeout icmp tcp timewait udp Displays ICMP TCP and UDP session timeouts Router c...

Page 372: ...Chapter 56 Session Timeout ZyWALL USG ZLD CLI Reference Guide 372 ...

Page 373: ...ct diagnostics information Use the configure terminal command to enter the configuration mode to be able to use these commands 57 3 Diagnosis Commands Example The following example creates a diagnostic file and displays its name size and creation date Table 227 diagnosis Commands COMMAND DESCRIPTION diag info collect Has the ZyWALL USG create a new diagnostic file show diag info Displays the name ...

Page 374: ...Chapter 57 Diagnostics ZyWALL USG ZLD CLI Reference Guide 374 ...

Page 375: ...nding action and does not perform any further flow checking show system snat order Displays the order of SNAT related functions the ZyWALL USG checks for packets Once a packet matches the criteria of an SNAT rule the ZyWALL USG uses the corresponding source IP address and does not perform any further flow checking show system route policy route Displays activated policy routes show system route na...

Page 376: ...wing example shows the default WAN trunk s settings Router show route order route order Policy Route Direct Route 1 1 SNAT SiteToSite VPN Dynamic VPN Static Dynamic Route Default WAN Trunk Main Route Router show system snat order snat order Policy Route SNAT 1 1 SNAT Loopback SNAT Default SNAT Router show system route policy route No PR NO Source Destination Incoming DSCP Service Nexthop Type Next...

Page 377: ...e dynamic vpn No Source Destination VPN Tunnel Router show ip route static dynamic Flags A Activated route S Static route C directly Connected O OSPF derived R RIP derived G selected Gateway reject B Black hole L Loop IP Address Netmask Gateway IFace Metric Flags Persis t 0 0 0 0 0 10 1 1 254 wan1 0 ASG Router show system snat policy route No PR NO Outgoing SNAT Router show system snat nat 1 1 No ...

Page 378: ...he following example shows the default WAN trunk settings Router show system snat default snat Incoming Outgoing SNAT Internal Interface External Interface Outgoing Interface IP Internal Interfaces lan1 hidden lan2 dmz External Interfaces wan1 wan2 wan1_ppp wan2_ppp Router ...

Page 379: ...me IP protocols such as tcp udp icmp and so on The names consist of 1 16 alphanumeric characters or dashes The first character cannot be a number hostname You can use up to 252 alphanumeric characters dashes or periods The first character cannot be a period filter_extension You can use 1 256 alphanumeric characters spaces or _ characters traceroute ip hostname Displays the route taken by packets t...

Page 380: ...maximum number of bytes to capture per packet The ZyWALL USG automatically truncates packets that exceed this size As a result when you view the packet capture files in a packet analyzer the actual size of the packets may be larger than the size of captured packets storage internal usbstorage Sets to have the ZyWALL USG only store packet capture entries on the ZyWALL USG internal or on a USB stora...

Page 381: ...19 24 44 259219 192 168 1 1 192 168 1 10 icmp echo reply 19 24 45 268839 192 168 1 10 192 168 1 1 icmp echo request 19 24 45 269238 192 168 1 1 192 168 1 10 icmp echo reply 6 packets received by filter 0 packets dropped by kernel Router packet trace interface ge2 ip proto icmp file extension filter s 500 n tcpdump listening on eth1 07 24 07 898639 192 168 105 133 192 168 105 40 icmp echo request D...

Page 382: ... byte packets 1 172 23 37 254 3 049 ms 1 947 ms 1 979 ms 2 172 23 6 253 2 983 ms 2 961 ms 2 980 ms 3 172 23 6 1 5 991 ms 5 968 ms 6 984 ms 4 Table 231 Maintenance Tools Commands in Configuration Mode COMMAND DESCRIPTION show arp table Displays the current Address Resolution Protocol table arp IP mac_address Edits or creates an ARP table entry no arp ip Removes an ARP table entry Router arp 192 168...

Page 383: ... capture file Open and study it using a packet analyzer tool for example Ethereal or Wireshark Router config packet capture configure Router packet capture iface add wan1 Router packet capture ip type any Router packet capture host ip any Router packet capture file suffix Example Router packet capture files size 10 Router packet capture duration 150 Router packet capture storage usbstorage Router ...

Page 384: ...Chapter 59 Maintenance Tools ZyWALL USG ZLD CLI Reference Guide 384 ...

Page 385: ...ended that you not modify the software watchdog timer settings Table 232 hardware watchdog timer Commands COMMAND DESCRIPTION no hardware watchdog timer 4 37 Sets how long the system s hardware can be unresponsive before resetting The no command turns the timer off show hardware watchdog timer status Displays the settings of the hardware watchdog timer Table 233 software watchdog timer Commands CO...

Page 386: ...ow many times the ZyWALL USG is to re check a process before considering it failed The no command changes the setting back to the default no app watch dog alert Has the ZyWALL USG send an alert the user when the system is out of memory or disk space no app watch dog disk threshold min 1 100 max 1 100 Sets the percentage thresholds for sending a disk usage alert The ZyWALL USG starts sending alerts...

Page 387: ...er ZyWALL USG ZLD CLI Reference Guide 387 60 3 1 Application Watchdog Commands Example The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring ...

Page 388: ...r_max_try_count recover_max_fail_count uamd 1 1 1 2 1 1 3 firewalld 1 1 0 1 1 1 3 policyd 1 1 1 1 1 1 3 contfltd 1 1 1 1 1 1 3 classify 1 1 0 1 1 1 3 ospfd 1 1 0 1 1 1 3 ripd 1 1 0 1 1 1 3 resd 1 1 0 1 1 1 3 zyshd_wd 1 1 0 1 1 1 3 zyshd 1 1 0 0 1 1 3 httpd 1 1 1 1 1 1 3 dhcpd 1 1 1 1 1 1 3 sshipsecpm 1 1 1 1 1 1 3 zylogd 1 1 0 1 1 1 3 syslog ng 1 1 0 1 1 1 3 zylogger 1 1 0 1 1 1 3 ddns_had 1 1 0 1...

Page 389: ... pppoe pptp profile_name 307 no account cellular profile_name 308 no account profile_name 103 no activate 161 no activate 161 no activate 167 no activate 172 no activate 172 no activate 175 no activate 180 no activate 192 no activate 200 no activate 210 no activate 300 no activate 323 no activate 367 no activate 57 no activate 62 no activate 68 no activate 71 no additional ddns options 139 no addr...

Page 390: ...i spam xheader mail content virus outbreak xheader name xheader value 248 no anti spam xheader white list black list mail header mail header value 251 no anti spam xheader dnsbl mail header mail header value 253 no anti spam xheader query timeout xheader name xheader value 248 no anti virus activate 220 no anti virus black list activate 221 no anti virus black list file pattern av_file_pattern act...

Page 391: ...o auto healing activate 79 no av profile profile name no log log by profile activate deactivate 168 no backmx 139 no backup custom ip 138 no backup iface interface_name 139 no band auto wcdma gsm lte 105 no bind interface_name 103 no block ack 59 no block intra 64 no budget active 106 no budget data active download upload download upload 1 100000 106 no budget time active 1 672 106 no bwm activate...

Page 392: ...cs collect 243 no corefile copy usb storage 112 no crypto ignore df bit 188 no crypto map map_name 189 no crypto map map_name 196 no crypto map_name 192 no crypto map_name 198 no crypto profile_name 134 no ctmatch dnat snat 167 no ctsrts 0 2347 58 no custom ip 138 no dcs activate 74 no ddns server FQDN DNS 139 no deactivate 121 no deactivate 122 no default router ip 93 no description description 2...

Page 393: ...48 wmm_vo56 210 no dscp any 0 63 121 no dscp any 0 63 122 no dscp class default dscp_class 121 no dscp class default dscp_class 122 no duplex full half 101 no eap type server AAA_method user id name any client name username password PASSWORD encrypted password PASSWORD 194 no eap type server auth_method user id name any client name username password PASSWORD encrypted password PASSWORD 196 no encr...

Page 394: ...e 123 no interface interface_name 134 no interface interface_name 161 no interface interface_name 86 no interface tunnel_iface 110 no interface group group name 116 no ip w x y z 181 no ip address dhcp 86 no ip address ip subnet_mask 300 no ip address ip subnet_mask 323 no ip address ip subnet_mask 86 no ip ddns profile profile_name 138 no ip dhcp pool profile_name 92 no ip dhcp pool profile_name ...

Page 395: ...port 368 no item av report 368 no item cf report 368 no item cpu usage 368 no item idp report 368 no item mem usage 368 no item port usage 368 no item session usage 368 no item traffic report 368 no join interface_name 114 no keyword 241 no l2tp over ipsec activate 205 no l2tp over ipsec first dns server ip interface_name 1st dns 2nd dns 3rd dns ppp_interface 1st dns 2nd dns 206 no l2tp over ipsec...

Page 396: ...cal_1 local_2 local_3 local_4 local_5 local_6 local_7 362 no logging syslog 1 4 format cef vrpt 362 no logging system log suppression 360 no logging system log suppression interval 10 600 360 no logging usb storage 111 no login page color background 316 no login page color window background 316 no login page message text message 316 no MAC description description2 67 no mac auth database mac mac_a...

Page 397: ...bject group group_name 287 no object group service group_name 286 no outbound ceiling 0 1048576 maximize bandwidth usage 211 no outbound guarantee bandwidth 0 1048576 priority 1 7 211 no outbound dscp mark 0 63 class af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 cs0 cs1 cs2 cs3 cs4 cs5 cs6 cs7 default wmm_be0 wmm_be24 wmm_bk16 wmm_bk8 wmm_vi32 wmm_vi40 wmm_vo48 wmm_vo56 211 no outgoi...

Page 398: ... second wins server ip 94 no secret secret 300 no secret secret 323 no secure policy activate 165 no secure policy asymmetrical route activate 164 no secure policy6 activate 166 no secure policy6 asymmetrical route activate 166 no server alternative cn identifier uid 294 no server alternative cn identifier uid 295 no server basedn basedn 294 no server basedn basedn 295 no server binddn binddn 294 ...

Page 399: ... 335 no software watchdog timer 10 600 385 no source address6_object any 123 no source address_object group_name 181 no source address_object any 122 no source address_object 212 no sourceip address_object 167 no sourceip6 address_object 168 no sourceport tcp udp eq 1 65535 range 1 65535 1 65535 168 no speed 100 10 101 no srcport profile_name any 122 no srcport profile_name any 123 no ssid profile...

Page 400: ...ge encrypt 310 no wildcard 139 no wlan macfilter profile macfilter_profile_name 67 no wlan monitor profile monitor_profile_name 62 no wlan radio profile radio_profile_name 57 no wlan security profile security_profile_name 65 no wlan ssid profile ssid_profile_name 63 no wpa2 preauth 66 no xauth type server auth_method client name username password password 188 no zone profile_name 134 no adderss6 o...

Page 401: ...0 1500 189 adjust mss auto 200 1500 196 algorithm wrr llf spill over 116 anti spam dnsbl 1 5 domain dnsbl_domain activate deactivate 252 anti spam dnsbl ip check order forward backward 252 anti spam dnsbl max query ip 1 5 252 anti spam dnsbl query timeout pop3 forward forward with tag 252 anti spam dnsbl query timeout smtp drop forward forward with tag 252 anti spam dnsbl query timeout time 1 10 2...

Page 402: ...entication pre share rsa sig 195 authentication key 1 255 key string authkey 130 auth_method 300 auth_method 323 auth server authentication 300 auth server authentication 323 auto healing activate yes 80 auto healing healing threshold 85 dBm 80 auto healing healing interval interval 79 auto healing healing threshold 79 auto healing interval 10 80 auto healing margin 80 auto healing margin 0 80 aut...

Page 403: ...ate cert_name 258 ch width wlan_htcw 59 clear 35 clear aaa authentication profile name 297 clear aaa group server ad group name 293 clear aaa group server ldap group name 294 clear aaa group server radius group name 295 clear ip dhcp binding ip 94 clear logging debug buffer 361 clear logging system log buffer 360 clear report interface_name 365 clock date yyyy mm dd time hh mm ss 318 clock time hh...

Page 404: ...method auto manual 75 dcs dcs 5g method auto manual 75 dcs dfs aware enable disable 75 dcs invoke 75 dcs sensitivity level high medium low 75 dcs time interval interval 75 deactivate 187 deactivate 189 deactivate 193 deactivate 195 deactivate 196 debug 35 debug cmdexec corefile ip kernel mac id rewrite observer switch system zyinetpkt zysh ipt op 37 debug alg 36 debug anti spam 36 debug app 36 deb...

Page 405: ...cp6 refresh time 600 4294967294 infinity 88 dhcp6 lease object dhcp6_profile 88 dhcp6 lease object dhcp6_profile 89 dhcp6 lease object dhcp6_profile sip server ntp server dns server ipv6_addr dhcp6_profile 312 dhcp6 lease object dhcp6_profile address ipv6_addr duid duid 312 dhcp6 lease object dhcp6_profile address pool ipv6_addr ipv6_addr 312 dhcp6 lease object dhcp6_profile prefix delegation ipv6...

Page 406: ...t 241 exit 241 exit 241 exit 35 exit 368 exit 54 exit 60 exit 62 exit 64 exit 66 exit 67 exit 69 exit 71 exit 73 exit 86 FACILITY 362 fall back check interval 60 86400 187 fall back check interval 60 86400 194 fall back check interval 60 86400 195 file_name 72 file prefix file_name 73 files size 1 10000 380 files size mon_dir_size 73 file suffix profile_name 380 filter action allow deny 67 flood d...

Page 407: ...y no log log alert action action_mask 228 idp signature newpro base all lan wan dmz none 227 idp signature profile signature sid activate log alert action drop reject sender reject receiver reject both 226 idp signature update daily 0 23 233 idp signature update hourly 233 idp signature update signatures 233 idp signature update weekly sun mon tue wed thu fri sat 0 23 233 idp statistics flush 234 ...

Page 408: ... zone forwarder move 1 32 to 1 32 321 ip ftp server rule rule_number append insert rule_number access group ALL address_object zone ALL zone_object action accept deny 333 ip ftp server rule move rule_number to rule_number 333 ip gateway ip metric 0 15 86 ip http secure server cipher suite cipher_algorithm cipher_algorithm cipher_algorithm cipher_algorithm 329 ip http secure server table admin user...

Page 409: ...nat 1 1 map deactivate nat 1 1 map deactivate deactivate 142 ip virtual server rename profile_name profile_name 143 ip6 route destv6 prefix ipv6_global_address ipv6_link_local interface 0 127 126 ip6 route destv6 prefix ipv6_link_local interface 0 127 126 ip6 route replace destv6 prefix gatewayv6 interface 0 127 with destv6 prefix gatewayv6 interface 0 127 126 ip_address 72 ipsec isakmp policy_nam...

Page 410: ...me disable level normal level all 360 logging usb storage category category disable 111 logging usb storage category category level all normal 111 logging usb storage flushThreshold 1 100 111 login page background color color rgb color name color number 316 login page message color color rgb color name color number 316 login page title title 316 login page title color color rgb color name color nu...

Page 411: ...e digest key 1 255 132 no arp ip 382 no authentication key 130 no auth server authentication 300 no auth server authentication 323 no bind 175 no budget log 106 no budget log percentage 107 no ca category local remote certificate_name 305 no ca validation name 305 no certificate 258 no content filter profile filtering_profile commtouch url match log 242 no content filter profile filtering_profile ...

Page 412: ...inspection profile SSI_profile_name 259 no sslvpn policy profile_name 200 no tcp decoder tcp xxx log 176 no udp decoder bad udp l4 size udp land udp smurf action 176 no udp decoder bad udp l4 size udp land udp smurf log 176 no use defined mac 101 no user 192 no username username 270 nslookup 36 ntp sync 318 object group address rename group_name group_name 283 object group application object 277 o...

Page 413: ...ort 1 65535 ending port 1 65535 program path program path 310 port status Port 1 x 101 priority code 0 7 212 proto type icmp icmp6 igmp igrp pim ah esp vrrp udp tcp any 380 psm 36 qos wlan_qos 64 reboot 36 redistribute static ospf metric 0 16 130 release 36 release dhcp interface name 94 remote policy address_name 189 remote policy address_name 197 rename 36 rename conf idp packet_trace script tmp...

Page 414: ...licy rule_number 164 secure policy zone_object zone_object ZyWALL append 164 secure policy zone_object zone_object ZyWALL delete 1 5000 165 secure policy zone_object zone_object ZyWALL flush 165 secure policy zone_object zone_object ZyWALL insert rule_number 165 secure policy zone_object zone_object ZyWALL move rule_number to rule_number 165 secure policy zone_object zone_object ZyWALL rule_number...

Page 415: ...72 session limit6 move rule_number to rule_number 173 session limit6 rule_number 172 session status update alg active inactive 167 session status update reply time 5 300 166 set firmware boot number 1 2 344 set firmware boot option 0 1 344 set pfs group1 group2 group5 none 189 set pfs group1 group2 group5 none 197 set security association lifetime seconds 180 3000000 189 set security association l...

Page 416: ...221 show anti virus search signature all name virus_name from id to id 222 show anti virus signatures status 223 show anti virus skip unknown file type activation 220 show anti virus statistics collect 224 show anti virus statistics ranking destination destination6 source source6 virus name 224 show anti virus statistics summary 224 show anti virus update 223 show anti virus update status 223 show...

Page 417: ...profile filtering_profile commtouch 242 show content filter settings 240 show content filter statistics collect 243 show content filter statistics summary 243 show content filter statistics summary 243 show corefile copy usb storage 112 show cpu all 43 show cpu status 43 show crypto map map_name 188 show crypto map6 map_name 196 show daily report status 367 show dcs config 75 show ddns profile_nam...

Page 418: ...n action_mask 228 show idp signature all details 226 show idp signature base profile all none wan lan dmz settings 226 show idp signature profile signature all details 226 show idp signature profile signature sid details 226 show idp signature profiles 226 show idp signature signatures version date number 233 show idp signature update 233 show idp signature update status 233 show idp signatures cu...

Page 419: ...show ipv6 static address interface 85 show ipv6 status 325 show isakmp keepalive 187 show isakmp policy policy_name 187 show isakmp sa 193 show l2 isolation 161 show l2 isolation activation 161 show l2 isolation white list rule_number 161 show l2 isolation white list activation 161 show l2tp over ipsec 206 show l2tp over ipsec session 206 show language setting all 324 show ldap server 292 show led...

Page 420: ...setting 101 show port status 101 show port vlan id 113 show port grouping 101 show radius server 293 show ram size 43 show reference object aaa authentication default auth_method 41 show reference object account pppoe object_name 41 show reference object account pptp object_name 41 show reference object address object_name 41 show reference object address6 object_name 41 show reference object ca c...

Page 421: ...ow secure policy zone_object zone_object ZyWALL 165 show secure policy zone_object zone_object ZyWALL rule_number 165 show secure policy6 166 show secure policy6 any ZyWALL 166 show secure policy6 block_rules 166 show secure policy6 filter from zone_object to zone_object srcip6 ip address dstip6 ip ser vice any tcp udp icmp gre esp user defined port number user user_name sch schedule_object 165 sh...

Page 422: ...75 show system route dynamic vpn 375 show system route nat 1 1 375 show system route policy route 375 show system route site to site vpn 375 show system snat default snat 375 show system snat nat 1 1 375 show system snat nat loopback 375 show system snat order 375 show system snat policy route 375 show system uptime 43 show usb storage 111 show username username 270 show users username all current...

Page 423: ...n 68 1512 380 snmp server rule rule_number append insert rule_number access group ALL address_object zone ALL zone_object action accept deny 335 snmp server rule move rule_number to rule_number 335 snmp server v3user username description authentication md5 sha privacy none des aes privilege ro rw 336 snmp server version v2c v3 336 split size 1 2048 380 src ip add del ipv4_address local 73 ssid 64 ...

Page 424: ... isakmp_algo 187 tunnel destination ipv4 110 tunnel mode ipv6ip manual 6to4 110 tunnel mode ip gre 110 tunnel source ipv4 tunnel_bind_interface _any 110 tx mask chain_mask 60 type internal external general 101 udp decoder bad udp l4 size udp land udp smurf action drop reject sender reject receiver reject both 176 udp decoder bad udp l4 size udp land udp smurf log alert 176 unlock lockout users ip ...

Page 425: ...al 15 3600 362 web auth no exceptional service service_name 179 web auth default rule authentication required unnecessary no log log alert 179 web auth login setting 179 web auth method portal 179 web auth policy 1 1024 179 web auth policy append 180 web auth policy delete 1 1024 180 web auth policy flush 180 web auth policy insert 1 1024 180 web auth policy move 1 1024 to 1 1024 180 WEEKDAYS 363 ...

Page 426: ...List of Commands Alphabetical ZyWALL USG ZLD CLI Reference Guide 426 ...

Reviews:

No comments

Related manuals for ZyWALL USG Series

Brand: Arista Pages: 34

Brand: Watchguard Pages: 12

Brand: Fortinet Pages: 52

DFL-210 - NetDefend - Security Appliance

Brand: D-Link Pages: 476

H3C SECPATH F1000-S

Brand: H3C Pages: 78

Brand: IBM Pages: 7

Brand: Stormshield Pages: 59

NetworkProtection

Brand: Norman Pages: 79

Brand: Cyphre Pages: 219

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands