manualshive.com logo in svg

ZyXEL Communications ZyWall, Reference Manual

Looking for a user-friendly network security solution? Look no further than ZyXEL Communications ZyWall! Get started quickly with our comprehensive Quick Start Manual. Download this manual for free from our website and unlock the potential of your network security like never before.

Share
Download
background image

 Chapter 15 Firewall

ZyWALL (ZLD) CLI Reference Guide

129

firewall 

zone_object

 {

zone_object

|ZyWALL} 

rule_number

Enters the firewall sub-command mode to set 
a direction specific through-ZyWALL rule or 
to-ZyWALL rule. See 

Table 65 on page 130

 for 

the sub-commands.

firewall 

zone_object

 {

zone_object

|ZyWALL} append

Enters the firewall sub-command mode to add 
a direction specific through-ZyWALL rule or 
to-ZyWALL rule to the end of the global rule 
list. Se

Table 65 on page 130

 for the sub-

commands.

firewall 

zone_object

 {

zone_object

|ZyWALL} delete 

<1..5000>

Removes a direction specific through-
ZyWALL rule or to-ZyWALL rule.

<1..5000>

: the index number in a direction 

specific firewall rule list.

firewall 

zone_object

 {

zone_object

|ZyWALL} flush

Removes all direction specific through-
ZyWALL rule or to-ZyWALL rules.

firewall 

zone_object 

{

zone_object

|ZyWALL} insert 

rule_number

Enters the firewall sub-command mode to add 
a direction specific through-ZyWALL rule or 
to-ZyWALL rule before the specified rule 
number. See 

Table 65 on page 130

 for the 

sub-commands.

firewall 

zone_object

 {

zone_object

|ZyWALL} move 

rule_number

 to 

rule_number

Moves a direction specific through-ZyWALL 
rule or to-ZyWALL rule to the number that you 
specified.

[no] firewall activate

Enables the firewall on the ZyWALL. The 

no

 

command disables the firewall.

firewall append

Enters the firewall sub-command mode to add 
a global firewall rule to the end of the global 
rule list. See 

Table 65 on page 130

 for the 

sub-commands.

firewall default-rule action {allow | deny | 

reject} { no log | log [alert] }

Sets how the firewall handles packets that do 
not match any other firewall rule.

firewall delete 

rule_number

Removes a firewall rule.

firewall flush

Removes all firewall rules.

firewall insert 

rule_number

Enters the firewall sub-command mode to add 
a firewall rule before the specified rule 
number. See 

Table 65 on page 130

 for the 

sub-commands.

firewall move 

rule_number

 to 

rule_number

Moves a firewall rule to the number that you 
specified.

show connlimit max-per-host

Displays the highest number of sessions that 
the ZyWALL will permit a host to have at one 
time.

show firewall

Displays all firewall settings.

show firewall 

rule_number

Displays a firewall rule’s settings.

show firewall 

zone_object

 {

zone_object

|ZyWALL}

Displays all firewall rules settings for the 
specified packet direction.

show firewall 

zone_object

 {

zone_object

|ZyWALL} 

rule_number

Displays a specified firewall rule’s settings for 
the specified packet direction.

show firewall status

Displays whether the firewall is active or not.

Table 64   

Command Summary: Firewall (continued)

COMMAND

DESCRIPTION

Summary of Contents for ZyWall

Page 1: ...www zyxel com ZyWALL ZLD CLI Reference Guide Version 2 20 2 21 2 2011 Edition 3 DEFAULT LOGIN User Name admin Password 1234 ...

Page 2: ......

Page 3: ...er to www zyxel com or your product s CD for product specific User Guides and product certifications How To Use This Guide 1 Read Chapter 1 on page 11 for how to access and use the CLI Command Line Interface 2 Read Chapter 2 on page 27 to learn about the CLI user and privilege modes 3 Subsequent chapters are arranged by menu item as defined in the web configurator Read each chapter carefully for d...

Page 4: ...ont A key stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A right angle bracket within a screen name denotes a mouse click For example Maintenance Log Log Setting means you first ...

Page 5: ...eference Guide 5 Icons Used in Figures Figures in this User s Guide may use the following generic icons The ZyWALL icon is not an exact representation of your device ZyWALL Computer Notebook computer Server Firewall Telephone Switch Router ...

Page 6: ...Document Conventions ZyWALL ZLD CLI Reference Guide 6 ...

Page 7: ...Registration 37 Network 45 Interfaces 47 Trunks 85 Route 91 Routing Protocol 99 Zones 103 DDNS 107 Virtual Servers 111 HTTP Redirect 117 ALG 121 Firewall 125 Firewall 127 VPN 135 IPSec VPN 137 SSL VPN 147 L2TP VPN 153 Application Patrol 161 Application Patrol 163 Anti X 175 Anti Virus 177 IDP Commands 185 Content Filtering 203 Anti Spam 215 Device HA 225 Device HA 227 ...

Page 8: ...jects 263 Certificates 267 ISP Accounts 273 SSL Application 277 Endpoint Security 281 System 289 System 291 System Remote Management 299 Maintenance 313 File Manager 315 Logs 333 Reports and Reboot 339 Session Timeout 345 Diagnostics 347 Packet Flow Explore 349 Maintenance Tools 353 Watchdog Timer 359 Command List 363 List of Commands Alphabetical 365 ...

Page 9: ...9 PART I Introduction Command Line Interface 11 User and Privilege Modes 27 Object Reference 31 Status 33 Registration 37 ...

Page 10: ...10 ...

Page 11: ...are saved as a series of commands in a configuration file on the ZyWALL You can store more than one configuration file on the ZyWALL However only one configuration file is used at a time You can perform the following with a configuration file Back up ZyWALL configuration once the ZyWALL is set up to work in your network Restore ZyWALL configuration Save and edit a configuration file and upload it ...

Page 12: ...ays if your terminal emulation program s speed is set lower than the ZyWALL s No text displays if the speed is set higher than the ZyWALL s If changing your terminal emulation program s speed does not get anything to display restart the ZyWALL If restarting the ZyWALL does not get anything to display contact your local customer support Figure 1 Console Port Power on Display After the initializatio...

Page 13: ...ccess the CLI using the web console your computer establishes a SSH Secure SHell connection to the ZyWALL Follow the steps below to access the web console 1 Log into the web configurator 2 Click the Console icon in the top right corner of the web configurator screen 3 If the Java plug in is already installed skip to step 4 Otherwise you will be prompted to install the Java plug in If the prompt do...

Page 14: ...default login username is admin It is case sensitive Figure 5 Web Console Connecting Then the Password screen appears Figure 6 Web Console Password 6 Enter the password for the user name you specified earlier and click OK If you enter the password incorrectly you get an error message and you may have to close the console window and open it again If you enter the password correctly the console scre...

Page 15: ...he bottom left corner and Run Then type telnet and the ZyWALL s IP address For example enter telnet 192 168 1 1 the default management IP address 3 Click OK A login screen displays Enter the user name and password at the prompts The default login username is admin and password is 1234 The username and password are case sensitive 1 2 4 SSH Secure SHell You can use an SSH client program to access th...

Page 16: ...the User s Guide for background information about most features This section provides background information about features that you cannot configure in the web configurator In addition this section identifies related commands in other chapters 1 4 2 Command Input Values Optional This section lists common input values for the commands for the feature in one or more tables C ssh2 admin 192 168 1 1 ...

Page 17: ...service object service object object name tcp udp eq 1 65535 range 1 65535 1 65535 1 Enter service object exactly as it appears 2 Enter the name of the object where you see object name 3 Enter tcp or udp depending on the service object you want to create 4 Finally do one of the following Enter eq exactly as it appears followed by a number between 1 and 65535 Enter range exactly as it appears follo...

Page 18: ...ommand or command TAB What Limited Admin users can do Look at system information like Status screen Run basic diagnostics Look at system information like Status screen Run basic diagnostics Unable to access Unable to access What Admin users can do Look at system information like Status screen Run basic diagnostics Look at system information like Status screen Run basic diagnostics Configure simple...

Page 19: ...and sub command Figure 11 Help Sub command Information Example Figure 12 Help Required User Input Example Router cr apply atse clear configure Snip shutdown telnet test traceroute write Router Router show wlan ap interface aaa access page account ad server address object Snip wlan workspace zone Router show Router config ip telnet server cr port rule Router config ip telnet server Router config ip...

Page 20: ...your keyboard to enter a without the ZyWALL treating it as a help query 1 6 5 Command History The ZyWALL keeps a list of commands you have entered for the current CLI session You can use any commands in the history again by pressing the up y or down z arrow key to scroll through the previously used commands and press ENTER 1 6 6 Navigation Press CTRL A to move the cursor to the beginning of the li...

Page 21: ...config if ge description description Table 3 Input Value Formats for Strings in CLI Commands TAG VALUES LEGAL VALUES 1 all ALL authentication key Used in IPSec SA 32 40 16 20 0x or 0X 32 40 hexadecimal values alphanumeric or _ Used in MD5 authentication keys for RIP OSPF and text authentication key for RIP 0 16 alphanumeric or _ Used in text authentication keys for OSPF 0 8 alphanumeric or _ certi...

Page 22: ...alphanumeric or first character alphanumeric or full file name 0 256 alphanumeric or _ hostname Used in hostname command 0 63 alphanumeric or _ first character alphanumeric or Used in other commands 0 252 alphanumeric or first character alphanumeric or import configuration file 1 26 conf alphanumeric or _ add conf at the end import shell script 1 26 zysh alphanumeric or _ add zysh at the end initi...

Page 23: ...ers numbers or protocol name 0 30 alphanumeric or _ first character letters or _ quoted string less than 127 chars 1 255 alphanumeric spaces or _ quoted string less than 63 chars 1 63 alphanumeric spaces or _ quoted string 0 alphanumeric spaces or punctuation marks enclosed in double quotation marks must put a backslash before double quotation marks that are part of input value itself service name...

Page 24: ...r https may contain one pound sign Used in other content filtering commands http alphanumeric or _ starts with http may contain one pound sign user name Used in VPN extended authentication 1 31 alphanumeric or _ Used in other commands 0 30 alphanumeric or _ first character letters or _ username 6 20 alphanumeric or _ registration user name 1 alphanumeric or _ logging commands user domainname 1 80 ...

Page 25: ...e changes before you log out after each management session All unsaved changes will be lost after the system restarts 1 10 Logging Out Enter the exit or end command in configure mode to go to privilege mode Enter the exit command in user mode or privilege mode to log out of the CLI ...

Page 26: ...Chapter 1 Command Line Interface ZyWALL ZLD CLI Reference Guide 26 ...

Page 27: ... commands are for trouble shooting purposes for example the htm hardware test module and debug commands Customer support may ask you to run some of these commands and send the results if you need assistance troubleshooting your device For admin logins all commands are visible in user mode but not all can be run there The following table displays which commands can be run in user mode All commands ...

Page 28: ...You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting Note These commands are for ZyXEL s internal manufacturing process reboot P Restarts the device release P Releases DHCP information from an interface rename P Renames a configuration file renew P Renews DHCP information for an interface run P Runs a script setenv U P Turns stop on error on ter...

Page 29: ...l Shows app patrol protocol list cat etc l7_protocols protocol list debug ca Certificate debug commands debug content filter Content Filtering debug commands debug device ha Device HA debug commands debug eps Endpoint security debug commands debug force auth Authentication policy debug commands debug gui GUI cgi related debug commands debug gui Web Configurator releated debug commands debug hardwa...

Page 30: ...bug show content filter server Category based content filtering debug command debug show myzyxel server status Myzyxel com debug commands debug show ipset Lists the ZyWALL s received cards debug show myzyxel server status Myzyxel com debug commands debug sslvpn SSL VPN debug commands debug cmdexec corefile ip kernel mac id rewrite observer switch system zyinetpkt zysh ipt op ZLD internal debug com...

Page 31: ...erence object schedule profile Displays which configuration settings reference the specified schedule object show reference object interface interface_name virtual_interface_name Displays which configuration settings reference the specified interface or virtual interface object show reference object aaa authentication default auth_method Displays which configuration settings reference the specifie...

Page 32: ... object group address profile Displays which configuration settings reference the specified address group object show reference object group service profile Displays which configuration settings reference the specified service group object show reference object group interface profile Displays which configuration settings reference the specified trunk object show reference object group aaa ad grou...

Page 33: ...he ZyWALL show mac Displays the ZyWALL s MAC address show mem status Displays what percentage of the ZyWALL s memory is currently being used show ram size Displays the size of the ZyWALL s on board RAM show redundant power status Displays the status of the ZyWALL s power modules The ZyWALL has two power modules It can continue operating on a single power module if one fails show serial number Disp...

Page 34: ...atus memory usage 39 Router config show ram size ram size 510MB Router config show serial number serial number S060Z12020460 Router config show socket listen No Proto Local_Address Foreign_Address State 1 tcp 0 0 0 0 2601 0 0 0 0 0 LISTEN 2 tcp 0 0 0 0 2602 0 0 0 0 0 LISTEN 3 tcp 127 0 0 1 10443 0 0 0 0 0 LISTEN 4 tcp 0 0 0 0 2604 0 0 0 0 0 LISTEN 5 tcp 0 0 0 0 80 0 0 0 0 0 LISTEN 6 tcp 127 0 0 1 ...

Page 35: ... 18 udp 127 0 0 1 63000 0 0 0 0 0 19 udp 127 0 0 1 63001 0 0 0 0 0 20 udp 127 0 0 1 63002 0 0 0 0 0 21 udp 0 0 0 0 161 0 0 0 0 0 22 udp 127 0 0 1 63009 0 0 0 0 0 23 udp 192 168 1 1 1701 0 0 0 0 0 24 udp 1 1 1 1 1701 0 0 0 0 0 25 udp 10 0 0 8 1701 0 0 0 0 0 26 udp 172 23 37 205 1701 0 0 0 0 0 27 udp 172 23 37 240 1701 0 0 0 0 0 28 udp 127 0 0 1 1701 0 0 0 0 0 29 udp 127 0 0 1 63024 0 0 0 0 0 30 udp...

Page 36: ...xample shows the current LED states on the ZyWALL The SYS LED lights on and green The AUX and HDD LEDs are both off Router show system uptime system uptime 04 18 00 Router show version ZyXEL Communications Corp model ZyWALL USG 100 firmware version 2 20 AQQ 0 b3 BM version 1 08 build date 2009 11 21 01 18 06 Router show led status sys green aux off hdd off Router ...

Page 37: ...to http www myZyXEL com with the ZyWALL s serial number and LAN MAC address to register it Refer to the web site s on line help for details To activate a service on a ZyWALL you need to access myZyXEL com via that ZyWALL 5 1 1 Subscription Services Available on the ZyWALL The ZyWALL can use anti virus IDP AppPatrol Intrusion Detection and Prevention and application patrol SSL VPN and content filte...

Page 38: ... number license key in the Registration Service screen The one year ZyXEL engine anti virus service subscription is automatically extended to 18 months The IDP and application patrol features use the IDP AppPatrol signature files on the ZyWALL IDP detects malicious or suspicious packets and responds immediately Application patrol conveniently manages the use of various applications on the network ...

Page 39: ...er Registers the device with an existing account or creates a new account and registers the device at one time country_code see Table 10 on page 41 service register checkexpire Gets information of all service subscriptions from myZyXEL com and updates the status table service register service type standard license key key_value Activates a standard service subscription with the license key service...

Page 40: ...the ZyWALL Router configure terminal Router config device register username alexctsui password 123456 Router config service register service type trial service content filter Router configure terminal Router config show device register status username example password 123456 device register status yes expiration self check no Router configure terminal Router config show service register status all...

Page 41: ...Bhutan 027 Bolivia 028 Bosnia and Herzegovina 029 Botswana 030 Bouvet Island 031 Brazil 032 British Indian Ocean Territory 033 Brunei Darussalam 034 Bulgaria 035 Burkina Faso 036 Burundi 037 Cambodia 038 Cameroon 039 Canada 040 Cape Verde 041 Cayman Islands 042 Central African Republic 043 Chad 044 Chile 045 China 046 Christmas Island 047 Cocos Keeling Islands 048 Colombia 049 Comoros 050 Congo De...

Page 42: ...nd 103 India 104 Indonesia 105 Ireland 106 Isle of Man 107 Italy 108 Jamaica 109 Japan 110 Jersey 111 Jordan 112 Kazakhstan 113 Kenya 114 Kiribati 115 Korea Republic of 116 Kuwait 117 Kyrgyzstan 118 Lao People s Democratic Republic 119 Latvia 120 Lebanon 121 Lesotho 122 Liberia 123 Liechtenstein 124 Lithuania 125 Luxembourg 126 Macau 127 Macedonia Former Yugoslav Republic 128 Madagascar 129 Malawi...

Page 43: ...enadines 182 San Marino 183 Sao Tome and Principe 184 Saudi Arabia 185 Senegal 186 Seychelles 187 Sierra Leone 188 Singapore 189 Slovak Republic 190 Slovenia 191 Solomon Islands 192 Somalia 193 South Africa 194 South Georgia and the South Sandwich Islands 185 Spain 196 Sri Lanka 197 St Pierre and Miquelon 198 St Helena 199 Suriname 200 Svalbard and Jan Mayen Islands 201 Swaziland 202 Sweden 203 Sw...

Page 44: ...25 Vanuatu 226 Venezuela 227 Vietnam 228 Virgin Islands British 229 Virgin Islands USA 230 Wallis And Futuna Islands 231 Western Sahara 232 Western Samoa 233 Yemen 234 Yugoslavia 235 Zambia 236 Zimbabwe Table 10 Country Codes continued COUNTRY CODE COUNTRY NAME COUNTRY CODE COUNTRY NAME ...

Page 45: ...45 PART II Network Interfaces 47 Trunks 85 Route 91 Routing Protocol 99 Zones 103 DDNS 107 Virtual Servers 111 HTTP Redirect 117 ALG 121 ...

Page 46: ...46 ...

Page 47: ...ction between physical ports at the layer 2 data link MAC address level Ethernet interfaces are the foundation for defining other interfaces and network policies RIP and OSPF are also configured in these interfaces VLAN interfaces receive and send tagged frames The ZyWALL automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Bridge interfaces...

Page 48: ...re created For example virtual interfaces created on Ethernet interface ge1 are called ge1 1 ge1 2 and so on Virtual interfaces created on VLAN interface vlan2 are called vlan2 1 vlan2 2 and so on You cannot specify the number after the colon in the web configurator it is a sequential number You can specify the number after the colon if you use the CLI to set up a virtual Interface Parameters Tabl...

Page 49: ... a number x For most interfaces x is limited by the maximum number of the type of interface For WLAN interfaces the first number identifies the slot and the second number identifies the individual interface DHCP client Yes Yes No Yes Yes Yes No Routing metric Yes Yes Yes Yes Yes Yes Yes Interface Parameters Bandwidth restrictions Yes Yes Yes Yes Yes Yes Yes Packet size MTU Yes Yes Yes Yes Yes Yes ...

Page 50: ...e if the member interface has a virtual interface or PPPoE PPTP interface on top of it Table 14 Relationships Between Different Types of Interfaces INTERFACE REQUIRED PORT INTERFACE auxiliary interface auxiliary port port group physical port Ethernet interface physical port port group VLAN interface Ethernet interface bridge interface Ethernet interface WLAN interface VLAN interface PPPoE PPTP int...

Page 51: ...rx y x the number of the bridge interface y 1 4 PPPoE PPTP interface pppx x 0 N where N depends on the number of PPPoE PPTP interfaces your ZyWALL model supports profile_name The name of the DHCP pool You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive domain_name Fully qualified domain name You may up to 254 alph...

Page 52: ...elative to other interfaces The lower the number the higher the priority no mss 536 1460 Specifies the maximum segment size MSS the interface is to use MSS is the largest amount of data specified in bytes that the interface can handle in a single unfragmented piece The no command has the interface use its default MSS no mtu 576 1500 Specifies the Maximum Transmission Unit which is the maximum numb...

Page 53: ...ernet_interface user_defined_name Specifies a name for a PPP or an Ethernet interface It can use alphanumeric characters hyphens and underscores and it can be up to 11 characters long ppp_interface ethernet_interface This must be the system name of a PPP or an Ethernet interface Use the show interface name command to see the system name of interfaces user_defined_name This name cannot be one of th...

Page 54: ...le also shows how to change the user defined name from Partner to Customer using the interface name command Router show interface name No System Name User Defined Name 1 ge1 ge1 2 ge2 ge2 3 ge3 ge3 4 ge4 ge4 5 ge5 ge5 Router configure terminal Router config interface name ge4 VIP Router config show interface name No System Name User Defined Name 1 ge1 ge1 2 ge2 ge2 3 ge3 ge3 4 ge4 VIP 5 ge5 ge5 Ro...

Page 55: ... Commands DHCP Settings COMMAND DESCRIPTION show ip dhcp pool profile_name Shows information about the specified DHCP pool or about all DHCP pools ip dhcp pool rename profile_name profile_name Renames the specified DHCP pool from the first profile_name to the second profile_name no ip dhcp pool profile_name Creates a DHCP pool if necessary and enters sub command mode You can use the DHCP pool to c...

Page 56: ...ommand clears this field host_name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Use the following commands if you want to create a pool of IP addresses These commands have no effect if you use the host command You can still set them however network IP 1 32 network ip mask no network Specifies the IP address...

Page 57: ...he no command removes the setting no second wins server ip Specifies the second WINS server IP address to assign to the remote users The no command removes the setting no lease 0 365 0 23 0 59 infinite Sets the lease time to the specified number of days hours and minutes or makes the lease time infinite The no command resets the first DNS server setting to its default value interface interface_nam...

Page 58: ... 168 1 10 pool size 30 Router config ip dhcp pool hardware address 00 0F 20 74 B8 18 Router config ip dhcp pool client identifier 00 0F 20 74 B8 18 Router config ip dhcp pool client name TWtester1 Router config ip dhcp pool exit Router config interface ge1 Router config if ip dhcp pool DHCP_TEST Router config if exit Router config show ip dhcp server status binding interface ge1 binding pool DHCP_...

Page 59: ... description downstream exit ip join mss mtu no ping check shutdown traffic prioritize upstream Router config interface aux Router config if aux authentication description dial timeout dialing type exit idle initial string no password phone number port speed shutdown traffic prioritize username Table 18 Examples for Different Interface Parameters ETHERNET VIRTUAL INTERFACE PPPOE PPTP Table 19 inte...

Page 60: ...tion of the specified interface to in only The no command makes OSPF bi directional in the specified interface interface interface_name Enters sub command mode no ip ospf priority 0 255 Sets the priority of the specified interface to the specified value The no command sets the priority to 1 no ip ospf cost 1 65535 Sets the cost to route packets through the specified interface The no command sets t...

Page 61: ...number of seconds to 10 See ip ospf dead interval for more information no ip ospf dead interval 1 65535 Sets the number of seconds the ZyWALL waits for hello messages from peer routers before it assumes the peer router is not available and deletes associated routing information The no command sets the number of seconds to 40 See ip ospf hello interval for more information no ip ospf retransmit int...

Page 62: ...k continuous log status Displays the continuous log setting about connectivity check interface interface_name Enters sub command mode no ping check activate Enables ping check for the specified interface The no command disables ping check for the specified interface ping check domain_name ip default gateway Specifies what the ZyWALL pings for the ping check you can specify a fully qualified domain...

Page 63: ...nterface Router configure terminal Router config interface wan1 Router config if wan1 ping check 1 1 1 2 method tcp port 8080 Router config if wan1 exit Router config show ping check Interface wan1 Check Method tcp IP Address 1 1 1 2 Period 30 Timeout 5 Fail Tolerance 5 Activate yes Port 8080 Router config Table 22 Input Values for Ethernet Interface Commands LABEL DESCRIPTION interface_name The n...

Page 64: ... route to add routing and SNAT settings for the interface no use defined mac Has the interface use its default MAC address use defined mac Has the interface use a MAC address that you specify Table 23 interface Commands MAC Setting continued COMMAND DESCRIPTION Table 24 Basic Interface Setting Commands COMMAND DESCRIPTION show port grouping Displays which physical ports are assigned to each repres...

Page 65: ...he Ethernet ports Table 24 Basic Interface Setting Commands continued COMMAND DESCRIPTION Router configure terminal Router config show port grouping No Representative Name Port1 Port2 Port3 Port4 Port5 1 ge1 yes no no no no 2 ge2 no yes no no no 3 ge3 no no yes no no 4 ge4 no no no yes no 5 ge5 no no no no yes Router config port grouping ge1 Router config port grouping port 5 Router config port gr...

Page 66: ...sts the PPPoE PPTP interface commands Router configure terminal Router config interface ge1 1 Router config if vir ip address 1 2 3 4 255 255 255 0 Router config if vir ip gateway 4 6 7 8 Router config if vir upstream 345 Router config if vir downstream 123 Router config if vir description I am vir interface Router config if vir exit Table 25 Input Values for PPPoE PPTP Interface Commands LABEL DE...

Page 67: ...r is not available at this IP address no connection is made The no command lets the ZyWALL get the IP address of the PPPoE PPTP server automatically when it establishes the connection no mss 536 1452 Specifies the maximum segment size MSS the interface can use MSS is the largest amount of data specified in bytes that the interface can handle in a single unfragmented piece The no command has the Zy...

Page 68: ...SM network available to you you may want to use this so the ZyWALL does not spend time looking for a WCDMA network wcdma has this interface only use a 3G or 3 5G network respectively You may want to use this if you want to make sure the interface does not use the GSM network no network selection auto home Home network is the network to which you are originally subscribed Home has the 3G device con...

Page 69: ...WALL to not create a log when the time or data limit is exceeded Specify recursive to have the ZyWALL only create a log one time when the time or data limit is exceeded budget new connection allow disallow Sets to permit allow or drop block disallow new 3G connections when the time or data limit is exceeded budget current connection keep drop Sets to maintain the existing 3G connection keep or dis...

Page 70: ... Sets how often in minutes the ZyWALL saves time and data usage records for a connection using the 3G card show interface cellular corresponding slot device status support device Shows the status of the specified cellular interface show interface cellular corresponding slot Shows which cellular interface is on which slot and whether which cellular interface has been configured show interface cellu...

Page 71: ... locked PIN the PIN is locked on the 3G device s SIM card Unlock PUK fail Your attempt to unlock a WCDMA 3G device s PUK failed because you entered an incorrect PUK Unlock PIN fail Your attempt to unlock a WCDMA 3G device s PIN failed because you entered an incorrect PIN Unlock device fail Your attempt to unlock a CDMA2000 3G device failed because you entered an incorrect device code Device unlock...

Page 72: ...ZyWALL successfully applied all of your configuration and you can use the 3G connection Table 28 Cellular Status STATUS DESCRIPTION Router config interface cellular2 Router config if cellular device AC850 Router config if cellular band wcdma Router config if cellular pin 1234 Router config if cellular connectivity nail up Router config if cellular description This is cellular2 Router config if cel...

Page 73: ...mands COMMAND DESCRIPTION show usb storage Displays the status of the connected USB storage device no usb storage activate Enables or disables the connected USB storage service usb storage warn number percentage megabyte Sets a number and the unit percentage or megabyte to have the ZyWALL send a warning message when the remaining USB storage space is less than the set value usb storage mount Mount...

Page 74: ...g info copy usb storage Displays whether enable or disable the ZyWALL saves the current system diagnostics information to the connected USB storage device no corefile copy usb storage Sets to have the ZyWALL save or not save a process s core dump to the connected USB storage device if the process terminates abnormally crashes You may need to send this file to customer support for troubleshooting s...

Page 75: ...CTS RTS reduces data collisions caused by wireless clients that are associated with the same AP but out of range of one another The no command turns off CTS RTS no frag 256 2346 Sets the threshold number of bytes for the fragmentation boundary for directed messages It is the maximum data fragment size that can be sent no super Enables super mode fast frame and packet bursting role ap Sets the ZyWA...

Page 76: ...cking prevents wireless clients in this profile s BSS from communicating with one another group key 30 30000 Sets the WPA2 group key update timer This is the interval in seconds for how often the AP sends a new group key out to all clients no hide Obscures the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning idle 30 30000 Sets the WPA2 idle timeout The ZyWALL ...

Page 77: ...key Configures WPA security using TKIP or AES and a Pre Shared Key PSK security wpa wpa2 tkip aes eap internal profile name tls cert certificate name This allows users to either use WPA or WPA2 enterprise security to connect to the wireless interface You have to also configure to use either TKIP or AES and an existing AAA authentication method object profile name Set the certificate the ZyWALL use...

Page 78: ... stations associating to the ZyWALL must have the same SSID ssid Use up to 32 printable 7 bit ASCII characters as a name for the wireless LAN station limit 1 255 Sets the highest number of wireless clients that are allowed to connect to the wireless interface at the same time wep key 1 4 key There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users T...

Page 79: ... format of the wireless station that is to be allowed or denied access to the ZyWALL The no command removes the entry description You can use alphanumeric and _ characters and it can be up to 60 characters long no wlan mac filter activate Turns the MAC address filter on or off wlan mac filter associate allow deny Defines the filter action for the list of MAC addresses in the MAC address filter tab...

Page 80: ...net interface For the ZyWALL USG 300 and above use gex x 1 N where N equals the highest numbered Ethernet interface for your ZyWALL model The ZyWALL USG 100 and 200 models use a name such as wan1 wan2 opt lan1 ext wlan or dmz Table 35 interface Commands VLAN Interfaces COMMAND DESCRIPTION interface interface_name Creates the specified interface if necessary and enters sub command mode no port inte...

Page 81: ...LL USG 100 and 200 models use a name such as wan1 wan2 opt lan1 ext wlan or dmz VLAN interface vlanx x 0 4094 bridge interface brx x 0 N where N depends on the number of bridge interfaces your ZyWALL model supports Table 37 interface Commands Bridge Interfaces COMMAND DESCRIPTION interface interface_name Creates the specified interface if necessary and enters sub command mode no join interface_nam...

Page 82: ...interface waits for activity before it automatically disconnects The no command disables the idle timeout no initial string initial_string Specifies the initial string of the auxiliary interface The no command sets the initial string to ATZ initial_string You can use up to 64 characters Semicolons and backslashes are not allowed no password password Specifies the password of the auxiliary interfac...

Page 83: ...mmands show how to dial disconnect and stop the auxiliary interface Router configure terminal Router config interface aux Router config if aux phone number 0340508888 Router config if aux dialing type tone Router config if aux port speed 115200 Router config if aux initial string ATZ Router config if aux timeout 10 Router config if aux retry count 2 Router config if aux retry interval 100 Router c...

Page 84: ...Chapter 6 Interfaces ZyWALL ZLD CLI Reference Guide 84 ...

Page 85: ...ith policy routing You can also define multiple trunks for the same physical interfaces This allows you to send specific traffic types through the interface that works best for that type of traffic and if that interface s connection goes down the ZyWALL can still send its traffic through another interface 7 2 Trunk Scenario Examples Suppose one of the ZyWALL s interfaces is connected to an ISP tha...

Page 86: ... interface for your ZyWALL model The ZyWALL USG 100 and 200 models use a name such as wan1 wan2 opt lan1 ext wlan or dmz PPPoE PPTP interface pppx x 0 N where N depends on the number of PPPoE PPTP interfaces your ZyWALL model supports VLAN interface vlanx x 0 4094 bridge interface brx x 0 N where N depends on the number of bridge interfaces your ZyWALL model supports num The interface s position i...

Page 87: ...rder in a trunk no interface num interface name Removes an interface from the trunk system default interface group group name Sets the ZyWALL to first attempt to use the the specified WAN trunk no system default snat Enables or disables Source NAT SNAT When SNAT is enabled the ZyWALL uses the IP address of the outgoing interface as the source IP address of the packets it sends out through the WAN ...

Page 88: ...c through ge1 until it hits the limit of 1000 kbps The ZyWALL sends anything over 1000 kbps through ge3 Router configure terminal Router config interface group llf example Router if group mode trunk Router if group algorithm llf Router if group interface 1 ge3 Router if group interface 2 vlan5 Router if group loadbalancing index outbound Router if group exit Router config Router configure terminal...

Page 89: ... to server B 2 However remote server B is actually a redirect server So server B sends a file list to LAN user A The file list lets LAN user A s computer know that the desired file is actually on file server C At the same time register server B informs file server C that a computer located at the WAN1 s IP address will download a file 3 The ZyWALL is using active active load balancing So when LAN ...

Page 90: ...Command Example This example shows how to activate link sticking and set the timeout to 600 seconds ten minutes Table 41 ip load balancing link sticking Commands Summary COMMAND DESCRIPTION no ip load balancing link sticking activate Turns link sticking on or off no ip load balancing link sticking timeout timeout Sets for how many seconds 30 3600 the ZyWALL sends all of each local computer s traff...

Page 91: ...numeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive interface_name The name of the interface Ethernet interface For the ZyWALL USG 300 and above use gex x 1 N where N equals the highest numbered Ethernet interface for your ZyWALL model The ZyWALL USG 100 and 200 models use a name such as wan1 wan2 opt lan1 ext wlan or dmz virtual inter...

Page 92: ...icy_number Enters the policy route sub command mode to configure add or insert a policy no auto destination When you set tunnel as the next hop type using the next hop tunnel command for this route you can use this command to have the ZyWALL use the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy instead of what you configur...

Page 93: ...sured Forwarding The number following the af identifies one of four classes and one of three drop preferences See Assured Forwarding AF PHB for DiffServ on page 95 for more details no dscp marking Use this command to have the ZyWALL not modify the DSCP value of the route s outgoing packets no interface interface_name Sets the interface on which the incoming packets are received The no command rese...

Page 94: ...Sec rules You must manually create these policy routes The ZyWALL automatically obtains source and destination addresses for dynamic IPSec rules that do not match any of the policy routes The no command has the ZyWALL automatically obtain source and destination addresses for all dynamic IPSec rules policy default route Enters the policy route sub command mode to set a route with the name default r...

Page 95: ...isplays the specified range of policy route settings show policy route controll ipsec dynamic rules Displays whether the ZyWALL checks policy routes first before IPSec dynamic rules show policy route override direct route Displays whether or not the ZyWALL forwards packets that match a policy route according to the policy route instead of sending the packets to a directly connected network show po...

Page 96: ...way R1 via gateway R2 The static routes are for you to tell the ZyWALL about the networks beyond the network connected to the ZyWALL directly Router config address object TW_SUBNET 192 168 2 0 255 255 255 0 Router config address object GW_1 192 168 2 250 Router config policy insert 1 Router policy route description example Router policy route destination any Router policy route interface ge1 Route...

Page 97: ...ace ge1 Then use the show command to display the setting Table 45 Command Summary Static Route COMMAND DESCRIPTION no ip route w x y z w x y z interface w x y z 0 127 Sets a static route The no command disables a static route ip route replace w x y z w x y z interface w x y z 0 127 with w x y z w x y z interface w x y z 0 127 Changes an existing route s settings show ip route settings Displays sta...

Page 98: ...Chapter 8 Route ZyWALL ZLD CLI Reference Guide 98 ...

Page 99: ...e 99 and they are discussed further in the next two sections 9 2 Routing Protocol Commands Summary The following table describes the values required for many routing protocol commands Other values are discussed with the corresponding commands The following sections list the routing protocol commands Table 46 OSPF vs RIP OSPF RIP Network Size Large Small with up to 15 routers Metric Bandwidth hop c...

Page 100: ...ersion to 2 no passive interface interface_name Sets the direction to In Only for the specified interface The no command sets the direction to bi directional no authentication mode md5 text Sets the authentication mode for RIP The no command sets the authentication mode to none no authentication string authkey Sets the password for text authentication The no command clears the password authenticat...

Page 101: ... removes the area no area IP authentication Enables text authentication in the specified area The no command disables authentication in the specified area no area IP authentication message digest Enables MD5 authentication in the specified area The no command disables authentication in the specified area no area IP authentication authentication key authkey Sets the password for text authentication...

Page 102: ...l link s authentication method to the area s default authentication no area IP virtual link IP authentication key authkey Sets the password for text authentication in the specified virtual link The no command clears the password area IP virtual link IP message digest key 1 255 md5 authkey Sets the MD5 ID and password for MD5 authentication in the specified virtual link no area IP virtual link IP m...

Page 103: ...yWALL uses zones not interfaces in many security and policy settings such as firewall rules and remote management Zones cannot overlap Each Ethernet interface VLAN interface bridge interface PPPoE PPTP interface auxiliary interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 16 Example Z...

Page 104: ... and zone mappings that come with the ZyWALL show zone none binding Displays the interfaces tunnels and SSL VPNs that are not associated with a zone yet show zone system default Displays the pre configured default zones that you cannot delete from the ZyWALL show zone user define Displays all customized zones no zone profile_name Creates the zone if necessary and enters sub command mode The no com...

Page 105: ...2 to zone A and block intra zone traffic Router configure terminal Router config zone A Router zone interface ge1 Router zone interface ge2 Router zone block Router zone exit Router config show zone No Name Block Member 1 A yes ge1 ge2 Router config show zone A blocking intra zone traffic yes No Type Member 1 interface ge1 2 interface ge2 ...

Page 106: ...Chapter 10 Zones ZyWALL ZLD CLI Reference Guide 106 ...

Page 107: ...e able to use Dynamic DNS services with the ZyWALL When registration is complete the DNS service provider gives you a password or key At the time of writing the ZyWALL supports the following DNS service providers See the listed websites for details about the DNS services offered by each Record your DDNS account s user name password and domain name to use to configure the ZyWALL After you configure...

Page 108: ...he specified DDNS profile The no command clears these fields username You can use up to 31 alphanumeric characters and the underscore _ password You can use up to 64 alphanumeric characters and the underscore _ no host hostname Sets the domain name in the specified DDNS profile The no command clears the domain name hostname You may up to 254 alphanumeric characters dashes or periods but the first ...

Page 109: ...me Sets the backup WAN interface in the specified DDNS profile The no command clears it no ha iface interface_name Sets the HA interface in the specified DDNS profile The no command clears it no backmx Enables the backup mail exchanger The no command disables it no wildcard Enables the wildcard feature The no command disables it Table 57 ip ddns Commands continued COMMAND DESCRIPTION ...

Page 110: ...Chapter 11 DDNS ZyWALL ZLD CLI Reference Guide 110 ...

Page 111: ...private network servers that will initiate sessions to the outside clients and a range of public IP addresses use many 1 1 NAT to have the ZyWALL translate the source IP address of each server s outgoing traffic to the same one of the public IP addresses that the outside clients use to access the server The private and public ranges must have the same number of IP addresses One many 1 1 NAT rule w...

Page 112: ...re information Using this command without nat 1 1 map means the NAT type is Virtual Server This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL like the Internet The deactivate command disables the virtual server rule ip virtual server profile_name interface interface_name original ip any IP address_object map to address_object ip map type po...

Page 113: ...e original ip any IP address_object map to address_object ip map type original service service_object mapped service service_object nat loopback nat 1 1 map deactivate nat 1 1 map deactivate deactivate Creates or modifies the specified virtual server and maps the specified destination IP address protocol and service object to the specified destination IP address and service object The original des...

Page 114: ... wan1 on USG 100 and 200 models interface and map it to the HTTP server s private IP address of 192 168 3 7 Figure 17 Public Server Example Network Topology Follow the following steps for the setting 1 Configure Address object Router configure terminal Router config ip virtual server WAN LAN_H323 interface wan1 original ip 10 0 0 8 map to 192 168 1 56 map type port protocol tcp original port 1720 ...

Page 115: ...ple both use TCP port 80 So you set the port mapping type to port the protocol type to TCP and the original and mapped ports to 80 3 Configure firewall Create a firewall rule to allow HTTP traffic from the WAN zone to the DMZ web server Now the public can go to IP address 1 1 1 2 to access the HTTP server Router configure terminal Router config address object DMZ_HTTP 192 168 3 7 Router config add...

Page 116: ...Chapter 12 Virtual Servers ZyWALL ZLD CLI Reference Guide 116 ...

Page 117: ...est except HTTP traffic destined for the ZyWALL to a web proxy server 13 1 1 Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources services A proxy server can act as a firewall or an ALG application layer gateway between the private network and the Internet or other networks It also keeps hackers from knowing internal IP add...

Page 118: ...Ethernet interface add a colon and the number of the virtual interface For example gex y x 1 N y 1 4 VLAN interface vlanx x 0 4094 virtual interface on top of VLAN interface vlanx y x 0 4094 y 1 4 bridge interface brx x 0 N where N depends on the number of bridge interfaces your ZyWALL model supports virtual interface on top of bridge interface brx y x the number of the bridge interface y 1 4 PPPo...

Page 119: ...ct rule disable it and display the settings Router configure terminal Router config ip http redirect example1 interface ge1 redirect to 10 10 2 3 80 Router config ip http redirect example1 interface ge1 redirect to 10 10 2 3 80 deactivate Router config show ip http redirect Name Interface Proxy Server Port Active example1 ge1 10 10 2 3 80 no ...

Page 120: ...Chapter 13 HTTP Redirect ZyWALL ZLD CLI Reference Guide 120 ...

Page 121: ...oIP traffic s data stream When a device behind the ZyWALL uses an application for which the ZyWALL has VoIP pass through enabled the ZyWALL translates the device s private IP address inside the data stream to a public IP address It also records session port numbers and allows the related sessions to go through the firewall so the application s traffic can come in from the WAN to the LAN The ZyWALL...

Page 122: ...ng it Use transformation to have the ZyWALL modify IP addresses and port numbers embedded in the SIP data payload You do not need to use this if you have a SIP device or server that will modify IP addresses and port numbers embedded in the SIP data payload The no command turns off the SIP ALG or removes the settings that you specify no alg h323 ftp signal port 1025 65535 signal extra port 1025 655...

Page 123: ...G ZyWALL ZLD CLI Reference Guide 123 14 3 ALG Commands Example The following example turns on pass through for SIP and turns it off for H 323 Router configure terminal Router config alg sip Router config no alg h323 ...

Page 124: ...Chapter 14 ALG ZyWALL ZLD CLI Reference Guide 124 ...

Page 125: ...125 PART III Firewall Firewall 127 ...

Page 126: ...126 ...

Page 127: ...PN tunnels Group the ZyWALL s interfaces into different zones based on your needs You can configure firewall rules for data passing between zones or even between interfaces and or VPN tunnels in a zone The following figure shows the ZyWALL s default firewall rules in action as well as demonstrates how stateful inspection works User 1 can initiate a Telnet session from within the LAN zone and respo...

Page 128: ...e of the IP address group object You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive user_name The name of a user group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive zone_object The name of the zone For the ZyWALL USG 300 an...

Page 129: ... you specified no firewall activate Enables the firewall on the ZyWALL The no command disables the firewall firewall append Enters the firewall sub command mode to add a global firewall rule to the end of the global rule list See Table 65 on page 130 for the sub commands firewall default rule action allow deny reject no log log alert Sets how the firewall handles packets that do not match any othe...

Page 130: ...ch the packets are received The no command removes the zone on which the packets are received and resets it to the default any any means all interfaces or VPN tunnels no log alert Sets the ZyWALL to create a log and optionally an alert when packets match this rule The no command sets the ZyWALL not to create a log or alert when packets match this rule no schedule schedule_object Sets the schedule ...

Page 131: ...nd mode to add a firewall rule Set the direction of travel of packets to which the rule applies Set the destination IP address es Set the service to which this rule applies Set the action the ZyWALL is to take on packets which match this rule Router configure terminal Router config service object MyService tcp eq 1234 Router config address object Dest_1 10 0 0 10 10 0 0 15 Router config firewall i...

Page 132: ...low status yes firewall rule 4 description user any schedule none from WAN to LAN source IP any source port any destination IP any service any log log action deny status yes Router config show firewall WAN LAN 2 firewall rule 4 description user any schedule none from WAN to LAN source IP any source port any destination IP any service any log no action deny status yes Router config Table 66 Input V...

Page 133: ...e rule exit Quits the firewall sub command mode no limit 0 8192 Sets the limit for the number of concurrent NAT firewall sessions this rule s users or addresses can have 0 means any no user user_name Sets a session limit rule for the specified user The no command resets the user name to the default any any means all users session limit append Enters the session limit sub command mode to add a sess...

Page 134: ...Chapter 15 Firewall ZyWALL ZLD CLI Reference Guide 134 ...

Page 135: ...135 PART IV VPN IPSec VPN 137 SSL VPN 147 L2TP VPN 153 ...

Page 136: ...136 ...

Page 137: ...nd a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer The following figure is one example of a VPN tunnel Figure 19 VPN Example The VPN tunnel connects the ZyWALL X and the remote IPSec router Y These routers then connect the local network A and remote network B A VPN tunnel is usually established in two phases Each phase ...

Page 138: ...ng commands Table 68 Input Values for IPSec VPN Commands LABEL DESCRIPTION profile_name The name of a VPN concentrator You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive policy_name The name of an IKE SA You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number Th...

Page 139: ...necessary and enters sub command mode The no command deletes the specified IKE SA activate deactivate Activates or deactivates the specified IKE SA authentication pre share rsa sig Specifies whether to use a pre shared key or a certificate for authentication certificate certificate name Sets the certificate that can be used for authentication no dpd Enables Dead Peer Detection DPD The no command d...

Page 140: ...e mail e_mail dn distinguished_name Sets the local ID type and content to the specified IP address domain name or e mail address peer id type any ip ip fqdn domain_name mail e_mail dn distinguished_name Sets the peer ID type and content to any value the specified IP address domain name or e mail address no xauth type server xauth_method client name username password password Enables extended authe...

Page 141: ... map_name Creates the specified IPSec SA if necessary and enters sub command mode The no command deletes the specified IPSec SA crypto map rename map_name map_name Renames the specified IPSec SA first map_name to the specified name second map_name crypto map map_name activate deactivate Activates or deactivates the specified IPSec SA ipsec isakmp policy_name Specifies the IKE SA for this IPSec SA ...

Page 142: ...policy address_name Sets the address object for the remote policy remote network no policy enforcement Drops traffic whose source and destination IP addresses do not match the local and remote policy This makes the IPSec SA more secure The no command allows traffic whose source and destination IP addresses do not match the local and remote policy Note You must allow traffic whose source and destin...

Page 143: ... ip address_name 0 65535 0 65535 Maps the specified IP address and port range original ip to the specified IP address and port range mapped ip and appends this rule to the end of the rule list for in bound traffic DNAT in dnat insert 1 10 protocol all tcp udp original ip address_name 0 65535 0 65535 mapped ip address_name 0 65535 0 65535 Maps the specified IP address and port range original ip to ...

Page 144: ...ers aes128 16 32 characters aes192 24 32 characters aes256 32 characters If you want to enter the key in hexadecimal type 0x at the beginning of the key For example 0x0123456789ABCDEF is in hexadecimal format in 0123456789ABCDEF is in ASCII format If you use hexadecimal you must enter twice as many characters The ZyWALL automatically ignores any characters above the minimum number of characters re...

Page 145: ... connection or policy name vary For example use a c without the quotation marks to specify abc acc and so on Wildcards let multiple VPN connection or policy names match the pattern For example use abc without the quotation marks to specify any VPN connection or policy name that ends with abc A VPN connection named testabc would match There could be any number of any type of characters in front of ...

Page 146: ...Chapter 16 IPSec VPN ZyWALL ZLD CLI Reference Guide 146 ...

Page 147: ...bjects 17 1 2 SSL Access Policy Limitations You cannot delete an object that is used by an SSL access policy To delete the object you must first unassociate the object from the SSL access policy 17 2 SSL VPN Commands The following table describes the values required for some SSL VPN commands Other values are discussed with the corresponding commands Table 74 Input Values for SSL VPN Commands LABEL...

Page 148: ...or off no application application_object Adds the SSL application object to the SSL VPN access policy no cache clean activate Cleans the cookie history and temporary Internet files in the user s browser s cache when the user logs out The ZyWALL returns them to the values present before the user logged in The no command disables this setting no description description Adds information about the SSL...

Page 149: ...erval The no command disables this setting no network extension activate ip pool address_object 1st dns address_object ip 2nd dns address_object ip 1st wins address_object ip 2nd wins address_object ip network address_object Use this to configure for a VPN tunnel between the authenticated users and the internal network This allows the users to access the resources on the network as if they were on...

Page 150: ...account named tester with password 1234 Router config interface ge2 Router config if ge ip address 10 1 1 254 255 255 255 0 Router config if ge exit Router config interface ge3 Router config if ge ip address 172 16 10 254 255 255 255 0 Router config if ge exit Router config address object IP POOL 192 168 100 1 192 168 100 10 Router config address object DNS1 172 16 5 1 Router config address object...

Page 151: ... network extension 1st dns DNS1 Router policy SSL_VPN_TEST network extension 2nd dns DNS2 Router policy SSL_VPN_TEST network extension network NETWORK1 Router policy SSL_VPN_TEST eps activate Router policy SSL_VPN_TEST eps 1 EPS 1 Router policy SSL_VPN_TEST exit Router config show sslvpn policy SSL_VPN_TEST index 1 active yes name SSL_VPN_TEST description user tester ssl applicaiton none network e...

Page 152: ...Chapter 17 SSL VPN ZyWALL ZLD CLI Reference Guide 152 ...

Page 153: ...l L2TP works at layer 2 the data link layer to tunnel network traffic between two peers over another network like the Internet In L2TP VPN an IPSec VPN tunnel is established first see Chapter 16 on page 137 for information on IPSec and then an L2TP tunnel is built inside it At the time of writing the L2TP remote user must have a public IP address in order for L2TP VPN to work the remote user canno...

Page 154: ...ault_L2TP_VPN_GW Use this address object in the local policy For the Remote Policy create an address object that uses host type and an IP address of 0 0 0 0 Use this address object in the remote policy You must also edit the Default_L2TP_VPN_GW gateway entry Configure the My Address setting according to your requirements Replace the default Pre Shared Key 18 3 Policy Route You must configure a pol...

Page 155: ...ds on the number of bridge interfaces your ZyWALL model supports ppp_interface PPPoE PPTP interface pppx x 0 N where N depends on the number of PPPoE PPTP interfaces your ZyWALL model supports map_name The name of an IPSec SA You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive user_name The name of a user group Yo...

Page 156: ...the remote user does not respond The no command returns the default setting no l2tp over ipsec first dns server ip interface_name 1st dns 2nd dns 3rd dns ppp_interface aux 1st dns 2nd dns Specifies the first DNS server IP address to assign to the remote users You can specify a static IP address or a DNS server that an interface received from its DHCP server The no command removes the setting no l2...

Page 157: ... 37 205 Configure the Pre Shared Key This example uses top secret 18 5 2 Configuring the Default L2TP VPN Connection Example The following commands configure the Default_L2TP_VPN_Connection entry Enforce and configure the local and remote policies For the Local Policy create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW ...

Page 158: ... object that you want to allow the remote users to access LAN_SUBNET in this example Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users L2TP_POOL in this example Set the next hop to be the Default_L2TP_VPN_Connection tunnel Router config crypto map Default_L2TP_VPN_Connection Router config crypto Default_L2TP_VPN_Connection policy enforcement Router conf...

Page 159: ...ext hop tunnel Default_L2TP_VPN_ConnectionRouter policy route no deactivate Router policy route exit Router config show policy route 3 index 3 active yes description WIZ_VPN user any schedule none interface ge1 tunnel none sslvpn none source PC_SUBNET destination L2TP_POOL service any nexthop type Tunnel nexthop Default_L2TP_VPN_Connection bandwidth 0 bandwidth priority 0 maximize bandwidth usage ...

Page 160: ...Chapter 18 L2TP VPN ZyWALL ZLD CLI Reference Guide 160 ...

Page 161: ...161 PART V Application Patrol Application Patrol 163 ...

Page 162: ...162 ...

Page 163: ...es like text messaging voice video conferencing and file transfers Application patrol also has powerful bandwidth management including traffic prioritization to enhance the performance of delay sensitive applications like voice and video The ZyWALL checks firewall rules before application patrol rules for traffic going through the ZyWALL To use a service make sure both the firewall and application...

Page 164: ... use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Table 79 app Commands Pre Defined Applications COMMAND DESCRIPTION no app protocol_name activate Enables application patrol for the specified application The no command disables application patrol for the specified application no app protocol_name allowport 1 65535 If t...

Page 165: ..._name rule rule_number or app protocol_name rule modify rule_number Enters sub command mode for editing the rule at the specified row See Table 81 on page 165 for the sub commands app protocol_name rule default or app protocol_name rule modify default Enters sub command mode for editing the default rule for the application See Table 81 on page 165 for the sub commands no app protocol_name rule rul...

Page 166: ...source address to the rule no to zone_name Specifies the destination zone no user username Adds the specified user to the rule Table 81 app protocol rule Sub commands continued COMMAND DESCRIPTION Table 82 app Commands Exception Rules in Pre Defined Applications COMMAND DESCRIPTION app protocol_name exception insert rule_number Creates a new rule at the specified row and enters sub command mode Se...

Page 167: ...e priority no destination profile_name Adds the specified destination address to the rule no from zone_name Specifies the source zone no inbound dscp mark 0 63 class default dscp_class This is how the ZyWALL handles the DSCP value of the outgoing packets to a connection s initiator that match this policy Enter a DSCP value to have the ZyWALL apply that DSCP value Set this to the class default to h...

Page 168: ... list and enters sub command mode app other 1 64 Enters sub command mode for editing the rule at the specified row app other default Enters sub command mode for editing the default rule for traffic of an unidentified application app other move rule_number to rule_number Moves the specified rule first index to the specified location The process is 1 remove the specified rule from the table 2 re num...

Page 169: ...ion s initiator that match this policy Enter a DSCP value to have the ZyWALL apply that DSCP value Set this to the class default to have the ZyWALL set the DSCP value to 0 no log alert Creates log entries and alerts for traffic that matches the rule The no command does not create any log entries no outbound dscp mark 0 63 class default dscp_class This is how the ZyWALL handles the DSCP value of th...

Page 170: ...stics Display the statistics of this application show app protocol_name rule rule_number Displays the rule configuration of this application show app protocol_name rule rule_number statistics Displays the rule statistics of this application show app protocol_name rule default Displays the default rule configuration of this application show app protocol_name rule default statistics Displays the def...

Page 171: ...c is enabled show bwm activation Displays whether or not the global setting for bandwidth management on the ZyWALL is enabled Table 87 app Commands Pre Defined Applications continued COMMAND DESCRIPTION Router configure terminal Router config show bwm activation bwm activation yes Router configure terminal Router config show app http config application http active yes mode portless default access ...

Page 172: ...y to zone any source address any destination address any access forward action login na action message na action audio na action video na action file transfer na DSCP inbound marking preserve DSCP outbound marking preserve bandwidth excess usage no bandwidth priority 1 bandwidth inbound 0 bandwidth outbound 0 log no Router configure terminal Router config show app other config bandwidth graph yes ...

Page 173: ...forward DSCP inbound marking preserve DSCP outbound marking preserve bandwidth excess usage no bandwidth priority 1 bandwidth inbound 0 bandwidth outbound 0 log no index default activate yes port 0 schedule none user any from zone any to zone any source address any destination address any protocol any access forward DSCP inbound marking preserve DSCP outbound marking preserve bandwidth excess usag...

Page 174: ...Chapter 19 Application Patrol ZyWALL ZLD CLI Reference Guide 174 ...

Page 175: ...175 PART VI Anti X Anti Virus 177 IDP Commands 185 Content Filtering 203 Anti Spam 215 ...

Page 176: ...176 ...

Page 177: ...ive The ZyWALL USG 100 and 200 models use pre defined zone names like DMZ LAN1 SSL VPN WLAN IPSec VPN OPT and WAN av_file_pattern Use up to 80 characters to specify a file pattern Alphanumeric characters underscores _ dashes question marks and asterisks are allowed A question mark lets a single character in the file name vary For example use a zip without the quotation marks to specify aa zip ab z...

Page 178: ...service status no anti virus eicar activate Turns detection of the EICAR test file on or off show anti virus eicar activation Displays whether or not detection of the EICAR test file is turned on anti virus reload signatures Recovers the anti virus signatures You should only need to do this if instructed to do so by a support technician no anti virus skip unknown file type activate Sets whether or...

Page 179: ...pop3 Sets the protocols of traffic to scan for viruses no infected action destroy send win msg Sets the action to take when the ZyWALL detects a virus in a file The file can be destroyed filled with zeros from the point where the virus was found The ZyWALL can also send a message alert to the file s intended user using a Microsoft Windows computer connected to the to interface no bypass white list...

Page 180: ...t Router config av rule 1 no bypass black list Router config av rule 1 file decompression Router config av rule 1 no file decompression unsupported destroy Router config av rule 1 exit Router config show anti virus rule 1 Anti Virus Rule 1 active yes log log from zone WAN to zone LAN scan protocols http yes ftp yes smtp yes pop3 yes imap4 yes infected action destroy yes send windows message yes by...

Page 181: ...black list replace old_av_file_pattern new_av_file_pattern activate deactivate Replaces the specified black list file pattern with a new file pattern Table 91 Commands for Anti virus White and Black Lists continued COMMAND DESCRIPTION Router config anti virus white list activate Router config anti virus white list file pattern Router config anti virus white list file pattern exe activate Router co...

Page 182: ...ID of the signature you want to find name type the name or part of the name of the signature s you want to find This search is not case sensitive severity type the severity level of the signatures you want to find high medium or low Router config anti virus search signature name MSN signature 1 virus id 41212 virus name MSN category virus severity Low Table 93 Update Signatures COMMAND DESCRIPTION...

Page 183: ...er config show anti virus update auto yes schedule weekly at Friday 13 o clock Router config show anti virus update status current status Anti Virus Current signature version 1 046 on device is latest at Tue Apr 17 10 18 00 2007 last update time 2007 04 07 10 41 01 Router config show anti virus signatures status current version 1 046 release date 2007 04 06 10 41 29 signature number 4124 Table 94 ...

Page 184: ... statistics It also shows how to sort the display by the most common destination IP addresses Router config anti virus statistics collect Router config show anti virus statistics collect collect statistics yes Router config show anti virus statistics summary file scanned 0 virus detected 0 Router config show anti virus statistics ranking destination ...

Page 185: ...lists valid input for IDP commands 21 2 General IDP Commands 21 2 1 IDP Activation You must register for the IDP AppPatrol signature service at least the trial before you can use it See Chapter 5 on page 37 Table 95 Input Values for IDP Commands LABEL DESCRIPTION zone_profile The name of a zone For the ZyWALL USG 300 and above use up to 31 characters a zA Z0 9_ The name cannot start with a number ...

Page 186: ... activation Displays IDP signature anomaly detection or system protect service status idp reload Recovers the IDP signatures You should only need to do this if instructed to do so by a support technician Router configure terminal Router config idp signature activate Router config show idp signature activation idp signature activation yes Router config no idp signature activate Router config show i...

Page 187: ... idp signature base profile No Base Profile Name 1 none 2 all 3 wan 4 lan 5 dmz Router config Table 98 IDP Zone to Zone Rule Commands COMMAND DESCRIPTION idp signature anomaly rule append 1 32 insert 1 32 Create an IDP signature or anomaly rule and enter the sub command mode bind profile Binds the IDP profile to the entry s traffic direction no bind Removes the IDP profile s binding no from zone z...

Page 188: ...p signature 1 activate Router config show idp signature rules Signature rules idp rule 1 from zone any to zone LAN profile LAN_IDP activate yes Table 99 Editing Creating IDP Signature Profiles COMMAND DESCRIPTION idp signature newpro base all lan wan dmz none Creates a new IDP signature profile called newpro newpro uses the base profile you specify Enters sub command mode All the following command...

Page 189: ...tributed portscan tcp filtered portscan tcp filtered decoy portscan tcp filtered distributed portscan tcp filtered portsweep Also sets TCP scan detection logs or alerts and blocking no deactivates TCP scan detection its logs alerts or blocking no scan detection udp xxx activate log alert block Activates or deactivates UDP scan detection options where udp xxx udp portscan udp decoy portscan udp por...

Page 190: ...irectory traversal http inspection http xxx log alert Sets http inspection log or alert no http inspection http xxx log Deactivates http inspection logs no http inspection http xxx action drop reject sender reject receiver reject both Sets http inspection action no tcp decoder tcp xxx activate Activates or deactivates tcp decoder options where tcp xxx undersize len undersize offset oversize offset...

Page 191: ...s selected TCP scan detection settings for the specified IDP profile show idp anomaly profile scan detection udp portscan udp decoy portscan udp portsweep udp distributed portscan udp filtered portscan udp filtered decoy portscan udp filtered distributed portscan udp filtered portsweep details Shows UDP scan detection settings for the specified IDP profile show idp anomaly profile scan detection i...

Page 192: ...p anomaly profile udp decoder all details Shows udp decoder settings for the specified IDP profile show idp anomaly profile udp decoder truncated header undersize len oversize len details Shows specified udp decoder settings for the specified IDP profile show idp anomaly profile icmp decoder all details Shows all icmp decoder settings for the specified IDP profile show idp anomaly profile icmp dec...

Page 193: ...nature Search Command COMMAND DESCRIPTION idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate any yes no log any no log log alert action action_mask Searches for signature s in a profile by the parameters specified The quoted string is any text within the signature name in quotes for examp...

Page 194: ...atures in the LAN_IDP profile containing the text worm within the signature name show idp search system protect my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate any yes no log any no log log alert action action_mask Searches for signature s in a system protect profile by the parameters specified The quoted ...

Page 195: ...reate a new signature or edit an existing one It is recommended you use the web configurator to create edit signatures using the web configurator Anti X IDP Custom Signatures screen Table 104 Service and Action Command Values SERVICE SERVICE ACTION 1 DNS 2 FINGER 4 FTP 8 MYSQL 16 ICMP 32 IM 64 IMAP 128 MISC 256 NETBIOS 512 NNTP 1024 ORACLE 2048 P2P 4096 POP2 8192 POP3 16384 RPC 32768 RSERVICES 655...

Page 196: ... idp customize signature edit quoted_string Edits an existing custom signature no idp customize signature custom_sid Deletes a custom signature show idp signatures custom signature custom_sid details contents non contents Displays custom signature information show idp signatures custom signature all details Displays all custom signatures information show idp signatures custom signature number Disp...

Page 197: ...id 9000000 sid 9000000 message test edit policy type severity platform all no Win95 98 no WinNT no WinXP 2000 no Linux no FreeBSD no Solaris no SGI no other Unix no network device no service outbreak no Router config show idp signatures custom signature 9000000 details sid 9000000 message test edit policy type severity platform all no Win95 98 no WinNT no WinXP 2000 no Linux no FreeBSD no Solaris ...

Page 198: ... contents sid 9000000 ack dport 0 dsize dsize_rel flow_direction flow_state flow_stream fragbits_reserve fragbits_dontfrag fragbits_morefrag fragoffset fragoffset_rel icmp_id icmp_seq icode icode_rel id ipopt itype itype_rel sameip seq sport 0 tcp_flag_ack tcp_flag_fin tcp_flag_push tcp_flag_r1 tcp_flag_r2 tcp_flag_rst tcp_flag_syn tcp_flag_urg threshold_type threshold_track threshold_count thresh...

Page 199: ...98 no WinNT no WinXP 2000 no Linux no FreeBSD no Solaris no SGI no other Unix no network device no service outbreak no Router config show idp signatures custom signature number signatures 1 Table 106 Update Signatures COMMAND DESCRIPTION idp signature system protect update signatures Immediately downloads IDP or system protect signatures from an update server no idp signature system protect update...

Page 200: ...ignatures COMMAND DESCRIPTION Router configure terminal Router config idp signature update signatures IDP signature update in progress Please check system log for future information Router config idp update auto Router config no idp update auto Router config idp update hourly Router config idp update daily 10 Router config idp update weekly fri 13 Router config show idp update auto yes schedule we...

Page 201: ...resses for detected intrusion attempts Table 107 Commands for IDP Statistics continued COMMAND DESCRIPTION Router configure terminal Router config idp statistics collect Router config no idp statistics activate Router config idp statistics flush Router config show idp statistics collect status IDP collect statistics status yes Router config show idp statistics summary scanned session 268 packet dr...

Page 202: ...Chapter 21 IDP Commands ZyWALL ZLD CLI Reference Guide 202 ...

Page 203: ...ertainment web pages during the workday and another policy that lets him access them after work 22 2 Content Filtering Policies A content filtering policy allows you to do the following Use schedule objects to define when to apply a content filtering profile Use address and or user group objects to define to whose web access to apply the content filtering profile Apply a content filtering profile ...

Page 204: ...ress and category are then stored in the ZyWALL s content filtering 22 4 Content Filtering Reports See the web configurator User s Guide to see how to view content filtering reports after you have activated the category based content filtering subscription service 22 5 Content Filter Command Input Values The following table explains the values you can input with the content filter commands Table 1...

Page 205: ...ng an IP address in dotted decimal notation followed by a slash and the bit number of the subnet mask of an IP address The range is 0 to 32 To find the bit number convert the subnet mask to binary and add all of the 1 s together Take 255 255 255 0 for example 255 converts to eight 1 s in binary There are three 255 s so add three eights together and you get the bit number 24 An example is 192 168 2...

Page 206: ...cation Cultural Charitable Organization Financial Services Brokerage Trading Online Games Government Legal Military Political Activist Groups Health Computers Internet Search Engines Portals Spyware Malware Sources Spyware Effects Privacy Concerns Job Search Careers News Media Personals Dating Reference Open Image Media Search Chat Instant Messaging Email Blogs Newsgroups Religion Social Networkin...

Page 207: ...ief Society Daily Living Unrated Table 109 Content Filtering Web Category Names CATEGORY NAME CATEGORY NAME Table 110 content filter General Commands COMMAND DESCRIPTION no content filter active Turns on content filtering The no command turns it off no content filter block message message Sets the message to display when content filtering blocks access to a web page The no command clears the setti...

Page 208: ...ts the port the ZyWALL uses to check if requested web pages pose a threat to users or their computers show content filter passed warning Displays the ZyWALL s record of sessions for which it has given the user a warning before allowing access show content filter policy Displays the content filtering policies show content filter settings Displays the general content filtering settings show content ...

Page 209: ...rofile url category category_name Sets a content filtering profile to check for specific web site categories The no command has the profile not check for the specified categories no content filter profile filtering_profile url match unsafe block log warn Sets the action for attempted access to web pages that match the profile s selected unsafe categories The no command clears the setting Block acc...

Page 210: ...ent filter url server test url server rating_server timeout query_timeout Tests whether or not a web site is saved in the external content filter server s database of restricted web pages show content filter profile filtering_profile Displays the specified content filtering profile s settings or the settings of all them if you don t specify one Table 111 content filter Filtering Profile Commands S...

Page 211: ...commands to block sales from accessing adult and pornography websites 5 Enable the external web filtering service You must register for the external web filtering service before you can use it see Chapter 5 on page 37 6 You can also customize the filtering profile The following commands block active X java and proxy access Router config content filter statistics collect Router config show content ...

Page 212: ...g content filter profile sales_CF_PROFILE url category adult mature content Router config content filter profile sales_CF_PROFILE url category pornography Router config content filter profile sales_CF_PROFILE url url server Router config content filter profile sales_CF_PROFILE custom java Router config content filter profile sales_CF_PROFILE custom activex Router config content filter profile sale...

Page 213: ...s no Spyware Effects Privacy Concerns no Job Search Careers no News Media no Personals Dating no Reference no Open Image Media Search no Chat Instant Messaging no Email no Blogs Newsgroups no Religion no Social Networking no Online Storage no Remote Access Tools no Shopping no Auctions no Real Estate no Society Lifestyle no Sexuality Alternative Lifestyles no Restaurants Dining Food no Sports Recr...

Page 214: ...Chapter 22 Content Filtering ZyWALL ZLD CLI Reference Guide 214 ...

Page 215: ...ed with the corresponding commands 23 2 1 General Anti Spam Commands The following table describes general anti spam commands You must use the configure terminal command to enter the configuration mode before you can use these commands Table 114 Input Values for General Anti Spam Commands LABEL DESCRIPTION rule_number The index number of an anti spam rule 1 X where X is the highest number of anti ...

Page 216: ...and optionally an alert when packets match this rule and are found to be spam The no command sets the ZyWALL not to create a log or alert when packets match this rule no from zone zone_object Sets the zone on which the packets are received The no command removes the zone setting This is equal to any so the rule applies to all packets the ZyWALL sends out no to zone zone_object Sets the zone to whi...

Page 217: ...g as rule 1 match action pop3 forward with tag Router config as rule 1 log Router config as rule 1 bypass white list Router config as rule 1 bypass black list Router config as rule 1 exit Router config show anti spam rule 1 Anti Spam Rule 1 active yes log log from zone WAN to zone DMZ scan protocols smtp yes pop3 yes match action smtp forward pop3 forward with tag bypass white list yes bypass blac...

Page 218: ... the entry on or off no anti spam white list rule_number mail header mail header mail header value activate deactivate Adds edits or removes a white list entry to check e mail for specific header fields and values Also turns the entry on or off no anti spam white list rule_number subject subject activate deactivate Adds edits or removes a white list entry to check e mail for specific content in th...

Page 219: ...e first header with the name you specified in the entry So if the e mail has more than one Received header the ZyWALL checks the first one 23 2 4 DNSBL Anti Spam Commands This section describes the commands for checking the sender and relay IP addresses in e mail headers against DNS Domain Name Service based spam Black Lists DNSBLs You must use the configure terminal command to enter the configura...

Page 220: ... which anti spam checks e mail header IP addresses against the DNSBLs forward checks the first N IP addresses Checking starts from the first IP address in the mail header This is the IP of the sender or the first server that forwarded the mail backward checks the last N IP addresses Checking starts from the last IP address in the mail header This is the IP of the last server that forwarded the mai...

Page 221: ... dnsbl timeout dnsbl displays the anti spam tag for e mails that have a sender or relay IP address in the header that matches a blacklist maintained by a DNSBL domain dnsbl timeout displays the message or label to add to the mail subject of e mails that the ZyWALL forwards if queries to the DNSBL domains time out show anti spam dnsbl statistics Displays anti spam DNSBL statistics for each configur...

Page 222: ...pam dnsbl max query ip 4 Router config show anti spam dnsbl max query ip dnsbl max query ip 4 Router config anti spam dnsbl ip check order forward Router config show anti spam dnsbl ip check order anti spam dnsbl IP check order forward Router config anti spam tag dnsbl DNSBL Router config show anti spam tag dnsbl dnsbl tag DNSBL Router config anti spam tag dnsbl timeout DNSBL timeout Router config...

Page 223: ...ddress source lists the source IP addresses of the most spam mail address lists the most common source mail address for spam Table 121 Commands for Anti spam Statistics continued COMMAND DESCRIPTION Router config anti spam statistics collect Router config show anti spam statistics collect collect statistics yes collect statistics time since 2008 03 11 07 16 01 to 2008 03 11 07 16 13 Router config ...

Page 224: ...Chapter 23 Anti Spam ZyWALL ZLD CLI Reference Guide 224 ...

Page 225: ...225 PART VII Device HA Device HA 227 ...

Page 226: ...226 ...

Page 227: ... different ZyWALLs as the master ZyWALL for individual interfaces Legacy mode configuration involves a greater degree of complexity Active passive mode is recommended for general failover deployments The ZyWALLs must all support and be set to use the same device HA mode either active passive or legacy Management Access You can configure a separate management IP address for each interface You can u...

Page 228: ... virus gets IDP AppPatrol updates from the master but not anti virus updates It is highly recommended to subscribe the master and backup ZyWALLs to the same services 24 2 General Device HA Commands This table lists the general commands for device HA 24 3 Active Passive Mode Device HA Virtual Router The master and backup ZyWALL form a single virtual router Cluster ID You can have multiple ZyWALL vi...

Page 229: ... following sections list the device ha commands 24 4 1 Active Passive Mode Device HA Commands This table lists the commands for configuring active passive mode device HA Table 123 Input Values for device ha Commands LABEL DESCRIPTION interface_name The name of the interface This depends on the ZyWALL model For the ZyWALL USG 300 and above use gex x 1 N where N equals the highest numbered Ethernet ...

Page 230: ...yWALL It specifies the password to require from synchronizing backup ZyWALLs Every router in the virtual router must use the same password The no command sets the password setting to blank which means no backups can synchronize with this master password Use 4 63 alphanumeric characters underscores _ dashes and characters no device ha ap mode backup sync authentication password password Sets the pa...

Page 231: ...te in hh mm yyyy mm dd format the ZyWALL will synchronize with the master show device ha ap mode status Displays the ZyWALL s key device HA settings show device ha ap mode master sync Displays the master ZyWALL s synchronization settings show device ha ap mode backup sync Displays the backup ZyWALL s synchronization settings show device ha ap mode backup sync status Displays the backup ZyWALL s cu...

Page 232: ...numeric characters long Table 126 device ha Commands VRRP Groups COMMAND DESCRIPTION show device ha vrrp group Displays information about all VRRP groups no device ha vrrp group vrrp_group_name Creates the specified VRRP group if necessary and enters sub command mode The no command deletes the specified VRRP group no vrid 1 254 Sets the specified VRRP group s ID to the specified VR ID The no comma...

Page 233: ...chronization COMMAND DESCRIPTION show device ha sync Displays the current settings for synchronization show device ha sync backup next sync time Displays the next time and date in hh mm yyyy mm dd format the ZyWALL will synchronize with the master show device ha sync status Displays the current status of synchronization no device ha sync from hostname ip Specifies the fully qualified domain name F...

Page 234: ...ands Synchronization continued COMMAND DESCRIPTION Table 128 device ha Commands Synchronization COMMAND DESCRIPTION device ha link monitoring activate Turns on device HA link monitoring no device ha link monitoring Turns off device HA link monitoring show device ha link monitoring Displays the current link monitoring setting device ha stop stub interface activate Has the master ZyWALL shut down an...

Page 235: ...235 PART VIII Objects User Group 237 Addresses 245 Services 249 Schedules 253 AAA Server 255 Authentication Objects 263 Certificates 267 ISP Accounts 273 SSL Application 277 Endpoint Security 281 ...

Page 236: ...236 ...

Page 237: ...ration and services in the ZyWALL 25 1 1 User Types There are the types of user accounts the ZyWALL uses The default admin account is always authenticated locally regardless of the authentication method setting See Chapter 30 on page 263 for more information about authentication methods Table 129 Types of User Accounts TYPE ABILITIES LOGIN METHOD S Admin Users Admin Change ZyWALL configuration web...

Page 238: ...ser or about all users set up in the ZyWALL username username nopassword user type admin guest limited admin user Creates the specified user if necessary disables the password and sets the user type for the specified user username username password password user type admin guest limited admin user Creates the specified user if necessary enables and sets the password and sets the user type for the ...

Page 239: ...if necessary and enters sub command mode The no command deletes the specified user group no description description Sets the description for the specified user group The no command clears the description for the specified user group no groupname groupname Adds the specified user group second groupname to the specified user group first groupname no user username Adds the specified user to the speci...

Page 240: ... disables the limit or allows an unlimited number of simultaneous logins no users simultaneous logon administration access limit 1 1024 Sets the limit for the number of simultaneous logins by users of the specified account type The no command sets the limit to one show users update lease settings Displays whether or not access users can automatically renew their lease time no users update lease au...

Page 241: ...mmand removes the specified service from the exceptional list force auth policy 1 1024 Creates the specified condition for forcing user authentication if necessary and enters sub command mode The conditions are checked in sequence starting at 1 See Table 135 on page 242 for the sub commands force auth policy append Creates a new condition for forcing user authentication at the end of the current l...

Page 242: ...ified condition The no command removes the destination criteria making the condition effective for all destinations no eps 1 8 eps_object_name Associates the specified End Point Security EPS object with the specified condition The ZyWALL checks authenticated users computers against the condition s endpoint security objects in the order of 1 to 8 You have to configure order 1 and then the others if...

Page 243: ...a for the specified condition The no command removes the source criteria making the condition effective for all sources show Displays information about the specified condition Table 135 force auth policy Sub commands continued COMMAND DESCRIPTION Router configure terminal Router config force auth policy insert 1 Router config force auth 1 activate Router config force auth 1 description EPS on LAN ...

Page 244: ...mited 23 58 32 23 55 53 4 admin admin 172 23 23 83 telnet 00 03 30 unlimited 23 59 59 23 56 30 Router config users force logout 192 168 1 34 Logout user admin from 192 168 1 34 OK Logout user admin from 192 168 1 34 OK Total 2 users have been forced logout Router config show users all No Name Type From Service Session Time Idle Time Lease Timeout Re Auth Timeout 1 admin admin 172 23 23 83 http htt...

Page 245: ...cify where content restrictions apply in content filtering Please see the respective sections for more information about how address objects and address groups are used in each one Address groups are composed of address objects and address groups The sequence of members in the address group is not important 26 2 Address Commands Summary The following table describes the values required for many ad...

Page 246: ... parameters ip_range 1 255 0 255 0 255 1 255 1 255 0 255 0 255 1 255 ip_subnet 1 255 0 255 0 255 0 255 1 32 interface You only need to specify an interface with you create an object based on an interface no address object object_name Deletes the specified address address object rename object_name object_name Renames the specified address first object_name to the second object_name Router configure...

Page 247: ...the specified address group second group_name to the specified address group first group_name The no command removes the specified address group from the specified address group no description description Sets the description to the specified value The no command clears the description description You can use alphanumeric and _ characters and it can be up to 60 characters long object group address...

Page 248: ...Chapter 26 Addresses ZyWALL ZLD CLI Reference Guide 248 ...

Page 249: ...rst table lists the commands for service objects Table 140 Input Values for Service Commands LABEL DESCRIPTION group_name The name of the service group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive object_name The name of the service You may use 1 31 alphanumeric characters underscores _ or dashes but the fi...

Page 250: ...ble 141 service object Commands Service Objects continued COMMAND DESCRIPTION Router configure terminal Router config service object TELNET tcp eq 23 Router config service object FTP tcp range 20 21 Router config service object ICMP_ECHO icmp echo Router config service object MULTICAST protocol 2 Router config show service object Object name Protocol Minmum port Maxmum port Ref TELNET TCP 23 23 0 ...

Page 251: ...ption description You can use alphanumeric and _ characters and it can be up to 60 characters long object group service rename group_name group_name Renames the specified service group from the first group_name to the second group_name Table 142 object group Commands Service Groups continued COMMAND DESCRIPTION Router configure terminal Router config service object ICMP_ECHO icmp echo Router confi...

Page 252: ...Chapter 27 Services ZyWALL ZLD CLI Reference Guide 252 ...

Page 253: ...hedules are useful for long holidays and vacation periods Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week Sunday Monday Tuesday Wednesday Thursday Friday and Saturday Recurring schedules always begin and end in the same day Recurring schedules are useful for defining the workday and off work hours 28 2 Schedule Commands Summary The fo...

Page 254: ...chedule date yyyy mm dd date format yyyy 01 12 01 31 schedule object object_name time time day day day day day day day Creates or updates a recurring schedule day 3 character day of the week sun mon tue wed thu fri sat Router configure terminal Router config schedule object SCHEDULE1 11 00 12 00 mon tue wed thu fri Router config schedule object SCHEDULE2 2006 07 29 11 00 2006 07 31 12 00 Router co...

Page 255: ...se the local user database to authenticate VPN users Directory Service LDAP AD LDAP Lightweight Directory Access Protocol AD Active Directory is a directory service that is both a directory and a protocol for controlling access to a network The directory consists of a database specialized for fast information retrieval and filtering activities You create and store user profile and login informatio...

Page 256: ... 32 alphanumerical characters in order to hide the real password from people behind you when you are configuring AD server password This password is displayed as what you typed when you use the show ad server command no ad server port port_no Sets the AD port number Enter a number between 1 and 65535 The default is 389 The no command clears this setting no ad server search time limit time Sets the...

Page 257: ... Commands continued COMMAND DESCRIPTION Table 147 radius server Commands COMMAND DESCRIPTION show radius server Displays the default RADIUS server settings no radius server host radius_server auth port auth_port Sets the RADIUS server address and service port number Enter the IP address in dotted decimal notation or the domain name of a RADIUS server The no command clears the settings no radius se...

Page 258: ...d clears this setting no server binddn binddn Sets the user name the ZyWALL uses to log into the AD server group The no command clears this setting no server cn identifier uid Sets the user name the ZyWALL uses to log into the AD server group The no command clears this setting no server description description Sets the descriptive information for the AD server group You can use up to 60 printable ...

Page 259: ...er ldap group name Displays the specified LDAP server group settings no aaa group server ldap group name Sets a descriptive name for an LDAP server group Use this command to enter the sub command mode The no command deletes the specified server group aaa group server ldap rename group name group name Changes the descriptive name for an LDAP server group aaa group server ldap group name Enter the s...

Page 260: ...rver port port_no Sets the LDAP port number Enter a number between 1 and 65535 The default is 389 The no command clears this setting no server search time limit time Sets the search timeout period in seconds Enter a number between 1 and 300 The no command clears this setting and set this to the default setting of 5 seconds no server ssl Enables the ZyWALL to establish a secure connection to the LD...

Page 261: ...e of a RADIUS server to add to this server group The no command clears this setting no server key secret Sets a password up to 15 alphanumeric characters as the key to be shared between the RADIUS server s and the ZyWALL The no command clears this setting no server timeout time Sets the search timeout period in seconds Enter a number between 1 and 300 The no command clears this setting and set thi...

Page 262: ...Chapter 29 AAA Server ZyWALL ZLD CLI Reference Guide 262 ...

Page 263: ...ommands you use to configure an authentication profile Table 151 aaa authentication Commands COMMAND DESCRIPTION aaa authentication rename profile name old profile name new Changes the profile name profile name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive clear aaa authentication profile name Deletes all au...

Page 264: ...n only be used once in a profile The no command clears the specified authentication method s for the profile no aaa authentication profile name member1 member2 member3 member4 Sets the profile to use the authentication method s in the order specified member group ad group ldap group radius or local Note You must specify at least one member for each profile Each type of member can only be used once...

Page 265: ...e the ZyWALL responds an error Table 152 test aaa Command COMMAND DESCRIPTION test aaa server secure server ad ldap host hostname ipv4 address host hostname ipv4 address port 1 65535 base dn base dn string bind dn bind dn string password password login name attribute attribute alternative login name attribute attribute account account name Tests whether a user account exists on the specified authe...

Page 266: ...Chapter 30 Authentication Objects ZyWALL ZLD CLI Reference Guide 266 ...

Page 267: ... Certificate Commands This section describes the commands for configuring certificates 31 3 Certificates Commands Input Values The following table explains the values you can input with the certificate commands Table 153 Certificates Commands Input Values LABEL DESCRIPTION certificate_name The name of a certificate You can use up to 31 alphanumeric and _ characters cn_address A common name IP addr...

Page 268: ... up to 31 of the following characters a zA Z0 9 _ ca_name When you have the ZyWALL enroll for a certificate immediately online you must have the certification authority s certificate already imported as a trusted certificate Specify the name of the certification authority s certificate It can be up to 31 alphanumeric and _ characters url When you have the ZyWALL enroll for a certificate immediatel...

Page 269: ... certificates that are signed by this certificate against a Certificate Revocation List CRL on a LDAP Lightweight Directory Access Protocol directory server ldap ip ip fqdn port 1 65535 id name password password deactivate Sets the validation configuration for the specified remote trusted certificate where the directory server uses LDAP ip Type the IP address in dotted decimal notation or the doma...

Page 270: ...acters a zA Z0 9 _ no ca category local remote certificate_name Deletes the specified local my certificates or remote trusted certificates certificate no ca validation name Removes the validation configuration for the specified remote trusted certificate show ca category local remote name certificate_name certpath Displays the certification path of the specified local my certificates or remote tru...

Page 271: ...ificate default type SELF subject CN ZyWALL 1050_Factory_Default_Certificate issuer CN ZyWALL 1050_Factory_Default_Certificate status VALID ID ZyWALL 1050_Factory_Default_Certificate type EMAIL valid from 2003 01 01 00 38 30 valid to 2022 12 27 00 38 30 certificate test type REQ subject CN 1 1 1 1 issuer none status VALID ID 1 1 1 1 type IP valid from none valid to none certificate pkcs12request t...

Page 272: ...Chapter 31 Certificates ZyWALL ZLD CLI Reference Guide 272 ...

Page 273: ...ofile_name use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive no user username Sets the username for the specified ISP account The no command clears the username username You can use alphanumeric underscores _ dashes and characters and it can be up to 30 characters long no password password Sets the password for the spec...

Page 274: ... _ dashes and colons Table 155 PPPoE and PPTP ISP Account Commands continued COMMAND DESCRIPTION Table 156 Cellular Account Commands COMMAND DESCRIPTION show account cellular profile_name Displays information about the specified account no account cellular profile_name Creates a new cellular ISP account with name profile_name if necessary and enters sub command mode The no command deletes the spec...

Page 275: ...63 printable ASCII characters Spaces are not allowed no authentication none pap chap Sets the authentication for the cellular account The no command sets the authentication to none no idle 0 360 Sets the idle timeout for the cellular account Zero disables the idle timeout The no command sets the idle timeout to zero Table 156 Cellular Account Commands continued COMMAND DESCRIPTION ...

Page 276: ...Chapter 32 ISP Accounts ZyWALL ZLD CLI Reference Guide 276 ...

Page 277: ...pplication application_object Enters the sub command mode to create an SSL VPN application object server type file sharing owa web server url URL entry point entry_point Specify the type of service for this SSL application file sharing create a file share application for VPN SSL owa Outlook Web Access to allow users to access e mails contacts calenders via an Microsoft Outlook like interface using...

Page 278: ...te desktop application server type vnc server address server address starting port 1 65535 ending port 1 65535 Creates an SSL application object to allow users to manage LAN computers that have Virtual Network Computing remote desktop server software installed Specify the listening ports of the LAN computer s running remote desktop server software The ZyWALL uses a port number from this range to s...

Page 279: ...amed ZW5 for a web server at IP address 192 168 1 12 Router config sslvpn application ZW5 Router sslvpn application server type web server url http 192 168 1 12 Router sslvpn application exit Router config show sslvpn application SSL Application ZW5 Server Type web server URL http 192 168 1 12 Entry Point Encrypted URL aHR0cDovLzE5Mi4xNjguMS4xMi8 Web Page Encryption yes Reference 1 ...

Page 280: ...Chapter 33 SSL Application ZyWALL ZLD CLI Reference Guide 280 ...

Page 281: ...ecurity Can Check The settings endpoint security can check vary depending on the OS of the user s computer Depending on the OS EPS can check user computers for the following Operating System Windows Linux Mac OSX or others Windows version and service pack version Windows Auto Update setting and installed security patches Personal firewall installation and activation Anti virus installation and act...

Page 282: ...or example Endpoint Security checking failed Please contact your network administrator for help The no command removes the setting show eps failure messages Displays the message to display when a user s computer fails the endpoint security check no eps profile profile_name Enters the sub command mode The no command removes an endpoint secruity object no anti virus personal firewall activate If you...

Page 283: ...and you can use this command to set an application that a user s computer must be running The user s computer must have all of the trusted applications running to pass this checking item Include the filename extension for Linux operating systems no description description Type a description for this endpoint security object You can use alphanumeric and _ characters and it can be up to 60 character...

Page 284: ...ws Auto Update feature must be installed but does not matter if it is activated or not The no command does not check the Windows Auto Update feature no windows service pack 1 10 If you set windows as the operating system using the os type command you can enter the minimum Windows service pack number the user s computer must have installed The user s computer must have this service pack or higher F...

Page 285: ...al firewall status Displays all the anti virus software packages personal firewall software packages or EPS signature information respectively The status command displays the EPS signature version release date and the total number of software packages for which the ZyWALL s endpoint security can check no eps rename profile_name new_profile_name Changes an endpoint security object name Table 159 En...

Page 286: ...ecurity_v2009 yes 2 Kaspersky_Internet_Security_v2010 yes 3 Microsoft_Security_Center yes 4 Windows_Firewall yes 5 TrendMicro_PC cillin_Internet_Security_v2010 yes 6 TrendMicro_PC cillin_Internet_Security_Pro_v2010 yesRouter config Router config eps profile EPS Example Router eps EPS Example windows version windows xp Router eps EPS Example personal firewall activate Router eps EPS Example anti vi...

Page 287: ...sage Router eps EPS Example exit Router config show eps profile name EPS Example description os type windows windows version windows xp matching criteria all anti virus activation yes anti virus 1 name Kaspersky_Anti Virus_v2010 detect auto protection enable personal firewall activation yes personal firewall 1 name Windows_Firewall detect auto protection enable windows update enable windows servic...

Page 288: ...Chapter 34 Endpoint Security ZyWALL ZLD CLI Reference Guide 288 ...

Page 289: ...289 PART IX System System 291 System Remote Management 299 ...

Page 290: ...290 ...

Page 291: ...ne which services protocols can access which ZyWALL zones if any from which computers 35 2 Customizing the WWW Login Page Use these commands to customize the Web Configurator login screen You can also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet See Chapter 25 on page 237 for more on access user accounts The follo...

Page 292: ... Table 160 Command Summary Customization COMMAND DESCRIPTION no access page color window background Sets whether or not the access page uses a colored background access page message color color rgb color name color number Sets the color of the message text on the access page no access page message text message Sets a note to display below the access page s title Use up to 64 printable ASCII charac...

Page 293: ...olor color rgb color name color number Sets the color of the login page s window border logo background color color rgb color name color number Sets the color of the logo banner across the top of the login screen and access page show access page settings Lists the current access page settings show login page default title Lists the factory default title for the login page show login page settings ...

Page 294: ... sun thu tue wed hh mm offset Configures the day and time when Daylight Saving Time starts and ends The no command removes the day and time when Daylight Saving Time starts and ends offset a number from 1 to 5 5 by 0 5 increments clock time hh mm ss Sets the new time in hour minute and second format no clock time zone hh Sets your time zone The no command removes time zone settings no ntp Saves yo...

Page 295: ...ly important because without it you must know the IP address of a machine before you can access it 35 6 1 Domain Zone Forwarder A domain zone forwarder contains a DNS server s IP address The ZyWALL can query the DNS server to resolve domain zones for features like VPN DDNS and the time server A domain zone is a fully qualified domain name without the host For example zyxel com tw is the domain zon...

Page 296: ...d the number of the virtual interface For example gex y x 1 N y 1 4 VLAN interface vlanx x 0 4094 virtual interface on top of VLAN interface vlanx y x 0 4094 y 1 12 bridge interface brx x 0 N where N depends on the number of bridge interfaces your ZyWALL model supports virtual interface on top of bridge interface brx y x the number of the bridge interface y 1 4 PPPoE PPTP interface pppx x 0 N wher...

Page 297: ...ess interface_name This is the interface through which the ISP provides a DNS server The interface should be activated and set to be a DHCP client The no command deletes a zone forwarder record ip dns server zone forwarder 1 32 append insert 1 32 domain_zone_name user defined w x y z private interface interface_name auto Sets a domain zone forwarder record that specifies a DNS server s IP address ...

Page 298: ...Chapter 35 System ZyWALL ZLD CLI Reference Guide 298 ...

Page 299: ...emote Management Limitations Remote management will not work when 1 You have disabled that service in the corresponding screen 2 The accepted IP address in the Service Control table does not match the client IP address If it does not match the ZyWALL will disconnect the session immediately 3 There is a firewall rule that blocks it 36 1 2 System Timeout There is a lease timeout for administrators T...

Page 300: ...lue is case sensitive The ZyWALL USG 100 and 200 models use pre defined zone names like DMZ LAN1 SSL VPN WLAN IPSec VPN OPT and WAN Table 167 Command Summary HTTP HTTPS COMMAND DESCRIPTION no ip http authentication auth_method Sets an authentication method used by the HTTP HTTPS server The no command resets the authentication method used by the HTTP HTTPS server to the factory default default auth...

Page 301: ... SSL in HTTPS connections and the sequence in which it uses them The cipher_algorithm can be any of the following rc4 RC4 RC4 may impact the ZyWALL s CPU performance since the ZyWALL s encryption accelerator does not support it aes AES des DES 3des Triple DES no ip http secure server cipher suite cipher_algorithm Has the ZyWALL not use the specified encryption algorithm for the SSL in HTTPS connec...

Page 302: ...rotocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network 36 4 1 SSH Implementation on the ZyWALL Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods AES 3DES Archfour and Blowfish The SSH server is implemented on the ZyWALL for remote management on port 22 by default 36 ...

Page 303: ...he SSH service port number The no command resets the SSH service port number to the factory default 22 ip ssh server rule rule_number append insert rule_number access group ALL address_object zone ALL zone_object action accept deny Sets a service control rule for SSH service address_object The name of the IP address group object You may use 1 31 alphanumeric characters underscores _ or dashes but ...

Page 304: ... service port number back to the factory default 23 ip telnet server rule rule_number append insert rule_number access group ALL address_object zone ALL zone_object action accept deny Sets a service control rule for Telnet service address_object The name of the IP address group object You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This v...

Page 305: ...efore you can use these commands Router configure terminal Router config ip telnet server rule 11 access group RD zone LAN action accept Router configure terminal Router config show ip telnet server status active yes port 23 service control No Zone Address Action Router config Table 170 Command Summary FTP COMMAND DESCRIPTION no ip ftp server Allows FTP access to the ZyWALL The no command disables...

Page 306: ...dress_object The name of the IP address group object You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive zone_object The name of the zone For the ZyWALL USG 300 and above use up to 31 characters a zA Z0 9_ The name cannot start with a number This value is case sensitive The ZyWALL USG 100 and 200 models use pre de...

Page 307: ...is trap is sent when the Ethernet link is up authenticationFailure 1 3 6 1 6 3 1 1 5 5 This trap is sent when an SNMP request comes from non authenticated hosts Table 172 Command Summary SNMP COMMAND DESCRIPTION no snmp server Allows SNMP access to the ZyWALL The no command disables SNMP access to the ZyWALL no snmp server community community_string ro rw Enters up to 64 characters to set the pass...

Page 308: ...NMP service address_object The name of the IP address group object You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive zone_object The name of the zone For the ZyWALL USG 300 and above use up to 31 characters a zA Z0 9_ The name cannot start with a number This value is case sensitive The ZyWALL USG 100 and 200 mod...

Page 309: ...0 2 DTR Signal The majority of WAN devices default to hanging up the current call when the DTR Data Terminal Ready signal is dropped by the DTE When the Drop DTR When Hang Up check box is selected the ZyWALL uses this hardware signal to force the WAN device to hang up in addition to issuing the drop command ATH Table 173 Command Summary ICMP Filter COMMAND DESCRIPTION no ip icmp filter activate Tu...

Page 310: ... no answer rings Sets how many times the ZyWALL lets the incoming dial in management session ring before processing it The no command sets it to one no description description Specifies the description for the dial in management connection The no command clears the description description You can use alphanumeric and _ characters and it can be up to 60 characters long no initial string initial_str...

Page 311: ... on or off cnm agent keepalive interval 10 90 Sets the keepalive interval no cnm agent periodic inform activate Turns the periodic inform on or off cnm agent periodic inform interval 10 86400 Sets the periodic inform interval cnm agent trigger inform interval initiates a TR069 connection to the server You can also specify the interval for the inform messages no cnm agent auth activate Enables or d...

Page 312: ...st cnm agent server type vantage tr069 Configure the server type of the management server as either a Vantage CNM server or a TR069 ACS server Table 175 Command Summary Vantage CNM COMMAND DESCRIPTION Router configure terminal Router config cnm agent activate Router config cnm agent manager https 1 2 3 4 vantage TR069 Router config show cnm agent configuration Activate YES ACS URL https 1 2 3 4 va...

Page 313: ...313 PART X Maintenance File Manager 315 Logs 333 Reports and Reboot 339 Diagnostics 347 Packet Flow Explore 349 Maintenance Tools 353 ...

Page 314: ...314 ...

Page 315: ... that you can store on the ZyWALL and run when you need them When you run a shell script the ZyWALL only applies the commands that it contains Other settings do not change You can edit configuration files or shell scripts in a text editor and upload them to the ZyWALL Configuration files use a conf extension and shell scripts use a zysh extension Table 177 FTP File Transfer Notes DIRECTORY FILE TY...

Page 316: ...an use exit or a command line consisting of a single to have the ZyWALL exit sub command mode Figure 28 Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin password 4321 user type admin configure ge3 interface ge3 ip address 172 23 37 240 255 255 255 0 ip gateway 172 23 37 254 metric 1 exit create address objects for remo...

Page 317: ...inds an error it stops applying the configuration file or shell script and generates a log You can change the way a configuration file or shell script is applied Include setenv stop on error off in the configuration file or shell script The ZyWALL ignores any errors in the configuration file or shell script and applies all of the valid commands The ZyWALL still generates a log for any errors 37 2 ...

Page 318: ... power off and back on the ZyWALL uses the system default conf configuration file with the ZyWALL s default settings If there is a startup config conf the ZyWALL checks it for errors and applies it If there are no errors the ZyWALL uses it and copies it to the lastgood conf configuration file If there is an error the ZyWALL generates a log and copies the startup config conf configuration file to t...

Page 319: ... apply conf system default conf command to reset the ZyWALL to go back to its system defaults copy cert conf idp packet_trace script tmp file_name a conf cert conf idp packet_trace script tmp file_name b conf Saves a duplicate of a file on the ZyWALL from the source file name to the target file name Specify the directory and file name of the file that you want to copy and the directory and file na...

Page 320: ... execute a specific shell script file You must still use the write command to save your configuration changes to the flash non volatile or long term memory show running config Displays the settings of the configuration file that the system is using setenv startup stop on error off Has the ZyWALL ignore any errors in the startup config conf file and apply all of the valid commands show setenv start...

Page 321: ...TP File Download 1 Connect to the ZyWALL 2 Enter bin to set the transfer mode to binary 3 Use cd to change to the directory that contains the files you want to download 4 Use dir or ls if you need to display a list of the files in the directory 5 Use get to download files For example get vpn_setup zysh vpn zysh transfers the vpn_setup zysh configuration file on the ZyWALL to your computer and rena...

Page 322: ...s damaged The boot module also checks and loads the recovery image The ZyWALL notifies you if the recovery image is damaged 2 The recovery image checks and loads the firmware The ZyWALL notifies you if the firmware is damaged C ftp 192 168 1 1 Connected to 192 168 1 1 220 FTP Server ZyWALL 192 168 1 1 User 192 168 1 1 none admin 331 Password required for admin Password 230 User admin logged in ftp...

Page 323: ...the ZyWALL via a terminal emulation program such as HyperTerminal Your console session displays the ZyWALL s startup messages If you cannot see any messages check the terminal emulation program s settings see Section 1 2 1 on page 12 and restart the ZyWALL 2 The system startup messages display followed by Press any key to enter debug mode within 3 seconds Do not press any keys at this point Wait t...

Page 324: ...nzip it The recovery image uses a ri extension for example 1 01 XL 0 C0 ri Do the following after you have obtained the recovery image file You only need to use this section if you need to restore the recovery image 1 Restart the ZyWALL 2 When Press any key to enter debug mode within 3 seconds displays press a key to enter debug mode Figure 35 Enter Debug Mode 3 Enter atuk to initialize the recove...

Page 325: ...d File to display the following screen Figure 38 Example Xmodem Upload 6 Wait for about three and a half minutes for the Xmodem upload to finish Figure 39 Recovery Image Upload Complete 7 Enter atgo The ZyWALL starts up If Connect a computer to port 1 and FTP to 192 168 1 1 to upload the new file displays on the screen the firmware file is damaged and you need to use the procedure in Section 37 10...

Page 326: ...2 The ZyWALL s FTP server IP address for firmware recovery is 192 168 1 1 so set your computer to use a static IP address from 192 168 1 2 192 168 1 254 3 Use an FTP client on your computer to connect to the ZyWALL For example in the Windows command prompt type ftp 192 168 1 1 Keep the console session connected in order to see when the firmware recovery finishes 4 Hit enter to log in anonymously 5...

Page 327: ...L recovers the firmware Figure 43 Firmware Received and Recovery Started 9 The console session displays done when the firmware recovery is complete Then the ZyWALL automatically restarts Figure 44 Firmware Recovery Complete and Restart 10 The username prompt displays after the ZyWALL starts up successfully The firmware recovery process is now complete and the ZyWALL is ready to use ...

Page 328: ...ZyWALL can still operate if the default system database is damaged or missing but related features like anti virus or IDP may not function properly If the default system database file is not valid the ZyWALL displays a warning message in your console session at startup or when reloading the anti virus or IDP signatures It also generates a log Here are some examples Use this section to restore the ...

Page 329: ...ole Session Warning When Reloading IDP Figure 48 Default System Database Missing Log Anti virus This procedure requires the ZyWALL s default system database file Download the firmware package from www zyxel com and unzip it The default system database file uses a db extension for example 1 01 XL 0 C0 db Do the following after you have obtained the default system database file ...

Page 330: ...onnect a computer to port 1 and FTP to 192 168 1 1 to upload the new file displays on the screen Connect your computer to the ZyWALL s port 1 only port 1 can be used Figure 51 Use FTP with Port 1 and IP 192 168 1 1 to Upload File 5 The ZyWALL s FTP server IP address for firmware recovery is 192 168 1 1 so set your computer to use a static IP address from 192 168 1 2 192 168 1 254 6 Use an FTP clie...

Page 331: ... FTP Default System Database Transfer Command 10 Wait for the file transfer to complete Figure 53 FTP Default System Database Transfer Complete 11 The console session displays done after the default system database is recovered Figure 54 Default System Database Received and Recovery Complete 12 The username prompt displays after the ZyWALL starts up successfully The default system database recover...

Page 332: ...Chapter 37 File Manager ZyWALL ZLD CLI Reference Guide 332 Figure 55 Startup Complete ...

Page 333: ... log entries Table 181 Input Values for Log Commands LABEL DESCRIPTION module_name The name of the category kernel syslog The default category includes debugging messages generated by open source software The all category includes all messages in all categories Table 182 logging Commands Log Entries COMMAND DESCRIPTION show logging entries priority pri category module_name srcip ip dstip ip servic...

Page 334: ... log activate Has the ZyWALL generate a log for each connectivity check The no command has the ZyWALL only log the first connectivity check show connectivity check continuous log status Displays whether or not the ZyWALL generates a log for each connectivity check clear logging system log buffer Clears the system log Router configure terminal Router config show logging status system log 512 events...

Page 335: ...bug log no logging debug suppression interval 10 600 Sets the log consolidation interval for the debug log The no command sets the interval to ten clear logging debug buffer Clears the debug log Table 185 logging Commands Remote Syslog Server Settings COMMAND DESCRIPTION show logging status syslog Displays the current settings for the remote servers no logging syslog 1 4 Enables the specified remo...

Page 336: ...e interval in seconds for how often the ZyWALL sends a system status log to the VRPT server Table 187 logging Commands E mail Profile Settings COMMAND DESCRIPTION show logging status mail Displays the current settings for the e mail profiles no logging mail 1 2 Enables the specified e mail profile The no command disables the specified e mail profile no logging mail 1 2 address ip hostname Sets the...

Page 337: ... specified e mail profile The no command clears the schedule field logging mail 1 2 schedule daily hour 0 23 minute 0 59 Sets a daily e mail schedule for the specified e mail profile logging mail 1 2 schedule weekly day day hour 0 23 minute 0 59 Sets a weekly e mail schedule for the specified e mail profile day sun mon tue wed thu fri sat Table 187 logging Commands E mail Profile Settings continue...

Page 338: ... whether or not debugging information for the specified priority is displayed in the console log if logging for this category is enabled no logging console category module_name Enables logging for the specified category in the console log The no command disables logging Table 188 logging Commands Console Port Settings continued COMMAND DESCRIPTION ...

Page 339: ...r reports Table 189 report Commands COMMAND DESCRIPTION no report Begins data collection The no command stops data collection show report status Displays whether or not the ZyWALL is collecting data and how long it has collected data clear report interface_name Clears the report for the specified interface or for all interfaces show report interface_name ip service url Displays the traffic report ...

Page 340: ... 140 114 79 60 Router config show report status Report status on Collection period 0 days 0 hours 0 minutes 18 seconds Table 190 session Commands COMMAND DESCRIPTION show conn user username any unknown service service name any unknown source ip any destination ip any begin 1 128000 end 1 128000 Displays information about the selected sessions or about all sessions You can look at all the active se...

Page 341: ... authentication daily report no smtp address Resets the SMTP mail server configuration daily report no smtp auth username Resets the authentication configuration daily report mail subject set subject Configures the subject of the report e mails daily report no mail subject set Clears the configured subject for the report e mails daily report no mail subject append system name Determines whether th...

Page 342: ...t the report e mails daily report reset counter now Discards all report data and starts all of the counters over at zero Table 192 Email Daily Report Commands continued COMMAND DESCRIPTION Router config no daily report activate Router config daily report smtp address example SMTP mail server com Router config daily report mail subject set test subject Router config no daily report mail subject app...

Page 343: ...boot command to restart the device Router config show daily report status email daily report status activate yes scheduled time 13 57 reset counter no smtp address example SMTP mail server com smtp auth yes smtp username 12345 smtp password pass12345 mail subject test subject append system name no append date time yes mail from my email example com mail to 1 example administrator example com mail ...

Page 344: ...Chapter 39 Reports and Reboot ZyWALL ZLD CLI Reference Guide 344 ...

Page 345: ... sessions to connect or deliver and for ICMP sessions session timeout session tcp established tcp synrecv tcp close tcp finwait tcp synsent tcp closewait tcp lastack tcp timewait 1 300 Sets the timeout for TCP sessions in the ESTABLISHED SYN_RECV FIN_WAIT SYN_SENT CLOSE_WAIT LAST_ACK or TIME_WAIT state show session timeout icmp tcp timewait udp Displays ICMP TCP and UDP session timeouts Router con...

Page 346: ...Chapter 40 Session Timeout ZyWALL ZLD CLI Reference Guide 346 ...

Page 347: ...iagnostics information Use the configure terminal command to enter the configuration mode to be able to use these commands 41 3 Diagnosis Commands Example The following example creates a diagnostic file and displays its name size and creation date Table 194 diagnosis Commands COMMAND DESCRIPTION diag info collect Has the ZyWALL create a new diagnostic file show diag info Displays the name size and...

Page 348: ...Chapter 41 Diagnostics ZyWALL ZLD CLI Reference Guide 348 ...

Page 349: ...tions the ZyWALL checks for packets Once a packet matches the criteria of a routing rule the ZyWALL takes the corresponding action and does not perform any further flow checking show system snat order Displays the order of SNAT related functions the ZyWALL checks for packets Once a packet matches the criteria of an SNAT rule the ZyWALL uses the corresponding source IP address and does not perform ...

Page 350: ... loopback Displays activated activated NAT rules which use SNAT with NAT loopback enabled show system snat default snat Displays the default WAN trunk settings Table 195 Packet Flow Explore Commands continued COMMAND DESCRIPTION Router show route order route order Policy Route Direct Route 1 1 SNAT SiteToSite VPN Dynamic VPN Static Dynamic Route Default WAN Trunk Main Route Router show system snat...

Page 351: ... NAT rules Router show system route dynamic vpn No Source Destination VPN Tunnel Router show system route default wan trunk No Source Destination Trunk 1 any any trunk_ex Router show system route dynamic vpn No Source Destination VPN Tunnel Router show ip route static dynamic Flags A Activated route S Static route C directly Connected O OSPF derived R RIP derived G selected Gateway reject B Black ...

Page 352: ...Router show system snat nat loopback Note Loopback SNAT will be only applied only when the initiator is located at the network which the server locates at No VS Name Source Destination SNAT Router show system snat nat 1 1 No VS Name Source Destination Outgoing SNAT Router show system snat default snat Incoming Outgoing SNAT Internal Interface External Interface Outgoing Interface IP Internal Inter...

Page 353: ...uration the ZyWALL keeps dumping traffic until you use Ctrl C Use the extension filter to extend the use of this command protocol_name You can use the name instead of the number for some IP protocols such as tcp udp icmp and so on The names consist of 1 16 alphanumeric characters underscores _ or dashes The first character cannot be a number hostname You can use up to 252 alphanumeric characters d...

Page 354: ... any Sets a host IP address or a host IP address object for which to capture packets any means to capture packets for all hosts host port 0 65535 If you set the IP Type to any tcp or udp using the ip type command below you can specify the port number of traffic to capture iface add del interface_name virtual_interface_name Adds or deletes an interface or a virtual interface for which to capture pa...

Page 355: ... 6 packets received by filter 0 packets dropped by kernel Router packet trace interface ge2 ip proto icmp file extension filter s 500 n tcpdump listening on eth1 07 24 07 898639 192 168 105 133 192 168 105 40 icmp echo request DF 07 24 07 900450 192 168 105 40 192 168 105 133 icmp echo reply 07 24 08 908749 192 168 105 133 192 168 105 40 icmp echo request DF 07 24 08 910606 192 168 105 40 192 168 ...

Page 356: ...979 ms 2 172 23 6 253 2 983 ms 2 961 ms 2 980 ms 3 172 23 6 1 5 991 ms 5 968 ms 6 984 ms 4 Table 197 Maintenance Tools Commands in Configuration Mode COMMAND DESCRIPTION show arp table Displays the current Address Resolution Protocol table arp IP mac_address Edits or creates an ARP table entry no arp ip Removes an ARP table entry Router arp 192 168 1 10 01 02 03 04 05 06 Router show arp table Addr...

Page 357: ...eck current packet capture status and list all stored packet captures Router config packet capture configure Router packet capture iface add wan1 Router packet capture iface del lan2 Router packet capture iface del wan2 Router packet capture ip type any Router packet capture host ip any Router packet capture file suffix Example Router packet capture files size 10000 Router packet capture duration ...

Page 358: ...Chapter 43 Maintenance Tools ZyWALL ZLD CLI Reference Guide 358 You can use FTP to download a capture file Open and study it using a packet analyzer tool for example Ethereal or Wireshark ...

Page 359: ...irmware fails 1 The software watchdog timer commands are for support engineers It is recommended that you not modify the software watchdog timer settings Table 198 hardware watchdog timer Commands COMMAND DESCRIPTION no hardware watchdog timer 4 37 Sets how long the system s hardware can be unresponsive before resetting The no command turns the timer off show hardware watchdog timer status Display...

Page 360: ...Set how many times the ZyWALL is to re check a process before considering it failed The no command changes the setting back to the default no app watch dog alert Has the ZyWALL send an alert the user when the system is out of memory or disk space no app watch dog disk threshold min 1 100 max 1 100 Sets the percentage thresholds for sending a disk usage alert The ZyWALL starts sending alerts when d...

Page 361: ...lert yes console print always retry count 3 interval 60 mem threshold 80 90 disk threshold 80 90 Router config show app watch dog monitor list app_name min_process_count max_process_count negative integer means unlimited uamd 1 1 firewalld 5 5 policyd 6 7 contfltd 3 5 appd 5 6 classify 1 1 ospfd 1 1 ripd 1 1 resd 1 1 zyshd_wd 1 1 sshipsecpm 1 1 zylogd 1 1 syslog ng 1 1 zylogger 1 1 ddns_had 1 1 tp...

Page 362: ...Chapter 44 Watchdog Timer ZyWALL ZLD CLI Reference Guide 362 ...

Page 363: ...363 PART XI Command List List of Commands Alphabetical 365 ...

Page 364: ...364 ...

Page 365: ...gin message audio video file transfer 165 no action block login message audio video file transfer 167 no action block login message audio video file transfer 169 no activate 130 no activate 133 no activate 148 no activate 165 no activate 167 no activate 168 no activate 179 no activate 187 no activate 216 no activate 233 no activate 242 no activate 310 no activate 75 no address address_object 133 n...

Page 366: ...no app other protocol_name bandwidth graph 170 no app protocol_name activate 164 no app protocol_name allowport 1 65535 164 no app protocol_name bandwidth graph 169 no app protocol_name bwm 164 no app protocol_name defaultport 1 65535 164 no app protocol_name log alert 165 no application application_object 148 no application forbidden process process_name 283 no application trusted process process...

Page 367: ...ar may nov oct sep 1 2 3 4 last fri mon sat sun thu tue wed hh mm end apr aug dec feb jan jul jun mar may nov oct sep 1 2 3 4 last fri mon sat sun thu tue wed hh mm offset 294 no clock time zone hh 294 no cnm agent acs password password for ACS connection request 311 no cnm agent acs username username for ACS connection request 311 no cnm agent activate 311 no cnm agent auth activate 311 no cnm ag...

Page 368: ... _timeout 207 no content filter timeout _timeout 210 no corefile copy usb storage 74 no crypto ignore df bit 141 no crypto map map_name 141 no crypto map_name 145 no crypto profile_name 104 no ctmatch dnat snat 130 no ctsrts 256 2346 75 no custom ip 108 no daily report reset counter 342 no deactivate 92 no default router ip 56 no description description 130 no description description 133 no descri...

Page 369: ...42 no eps profile profile_name 282 no eps rename profile_name new_profile_name 285 no eps 1 8 eps_object_name 242 no eps 1 8 eps_profile_name 148 no fall back 139 no file decompression unsupported destroy 179 no file info file path file_path 283 no file info file path file_path eq gt lt ge le neq file size 1 1073741824 283 no file info file path file_path eq gt lt ge le neq file size 1 1073741824 ...

Page 370: ... 232 no interface interface_name 51 no interface interface_name 68 no interface interface_name 93 no interface group group name 86 no ip address dhcp 52 no ip address ip subnet_mask 52 no ip address ip subnet_mask 76 no ip ddns profile profile_name 108 no ip dhcp pool profile_name 55 no ip dhcp pool profile_name 57 no ip dns server a record fqdn w x y z 296 no ip dns server mx record domain_name w...

Page 371: ...r ipsec second wins server ip 156 no l2tp over ipsec user user_name 156 no ldap server basedn basedn 256 no ldap server binddn binddn 256 no ldap server cn identifier uid 256 no ldap server host ldap_server 256 no ldap server password password 256 no ldap server port port_no 257 no ldap server search time limit time 257 no ldap server ssl 257 no lease 0 365 0 23 0 59 infinite 57 no limit 0 8192 13...

Page 372: ...bject ip 2nd wins address_object ip network address_object 149 no network selection auto home 68 no next hop auto gateway address object interface interface_name trunk trunk_name tunnel tunnel_name 93 no ntp 294 no ntp server fqdn w x y z 294 no object group address group_name 247 no object group group_name 247 no object group group_name 251 no object group service group_name 250 no outbound dscp ...

Page 373: ...ction udp xxx activate log alert block 189 no scan detection open port activate log alert block 190 no schedule profile_name 166 no schedule profile_name 167 no schedule profile_name 168 no schedule schedule_name 243 no schedule schedule_object 130 no schedule schedule_object 93 no second dns server ip interface_name 1st dns 2nd dns 3rd dns ZyWALL 57 no second wins server ip 57 no security dot1x a...

Page 374: ...p server host w x y z community_string 307 no snmp server location description 307 no snmp server port 1 65535 308 no software watchdog timer 10 600 359 no source address_object group_name 243 no source address_object any 93 no source profile_name 166 no source profile_name 167 no source profile_name 168 no sourceip address_object 130 no sourceport tcp udp eq 1 65535 range 1 65535 1 65535 130 no s...

Page 375: ...ity_patch 284 no windows service pack 1 10 284 no wlan mac filter activate 79 no wlan mac filter mac_address description description 79 no xauth type server xauth_method client name username password password 140 no zone profile_name 104 no ip gateway ip metric 0 15 76 signature anomaly system protect activate 186 signature anomaly system protect activation 186 aaa authentication rename profile na...

Page 376: ... anti virus statistics flush 183 anti virus update daily 0 23 182 anti virus update hourly 182 anti virus update signatures 182 anti virus update weekly sun mon tue wed thu fri sat 0 23 182 anti virus white list replace old_av_file_pattern new_av_file_pattern activate deacti vate 180 app other del forward drop reject 168 app other append 168 app other default 168 app other insert rule_number 168 a...

Page 377: ...password password ca ca_name url url 268 ca generate pkcs10 name certificate_name cn type ip cn cn_address fqdn cn cn_domain_name mail cn cn_email ou organizational_unit o organization c country key type rsa dsa key len key_length 269 ca generate pkcs12 name name password password 269 ca generate x509 name certificate_name cn type ip cn cn_address fqdn cn cn_domain_name mail cn cn_email ou organiz...

Page 378: ... report no item mem usage 341 daily report no item port usage 342 daily report no item session usage 342 daily report no item traffic report 342 daily report no mail subject append date time 341 daily report no mail subject append system name 341 daily report no smtp auth activate 341 daily report mail from e_mail 341 daily report mail subject set subject 341 daily report mail to 1 e_mail 341 dail...

Page 379: ... details 27 device ha ap mode backup sync now 231 device ha ap mode cluster id 1 32 229 device ha ap mode priority 1 254 230 device ha ap mode role master backup 229 device ha link monitoring activate 234 device ha mode active passive legacy 228 device ha stop stub interface activate 234 device register checkuser user_name 39 device register username user_name password password e mail user domainn...

Page 380: ...ve 1 1024 to 1 1024 241 force auth policy 1 1024 241 group1 140 group2 140 group5 140 group key 30 30000 76 groupname rename groupname groupname 239 guard interval short long 75 host ip ip address profile_name any 354 host port 0 65535 354 htm 28 http inspection http xxx log alert 190 icmp decoder truncated header truncated timestamp header truncated address header action drop reject sender reject...

Page 381: ...ame 62 interface interface_name 63 interface interface_name 66 interface interface_name 80 interface interface_name 81 interface reset interface_name virtual_interface_name all 53 interface send statistics interval 15 3600 53 interface name ppp_interface ethernet_interface user_defined_name 53 interface rename old_user_defined_name new_user_defined_name 53 ip dhcp pool rename profile_name profile_...

Page 382: ...rvice service_object mapped service service_object nat loopback nat 1 1 map deacti vate nat 1 1 map deactivate deactivate 113 ip virtual server profile_name interface interface_name original ip any IP address_object map to address_object ip map type port protocol any tcp udp original port 1 65535 mapped port 1 65535 nat loopback nat 1 1 map deactivate nat 1 1 map deactivate deactivate 112 ip virtu...

Page 383: ...ther rule_number 168 no app protocol_name rule rule_number 165 no area IP virtual link IP message digest key 1 255 102 no arp ip 356 no authentication key 100 no bind 187 no budget log recursive 69 no budget log percentage recursive 70 no ca category local remote certificate_name 270 no ca validation name 270 no device ha link monitoring 234 no device ha stop stub interface 234 no dscp marking 93 ...

Page 384: ... 165 or 166 or 166 os type windows linux mac osx others 284 output power 100 50 25 12 5 75 out snat source address_name destination address_name snat address_name 142 packet capture configure 353 packet trace 28 packet trace interface interface_name ip proto 0 255 protocol_name any src host ip hostname any dst host ip hostname any port 1 65535 any file duration 1 3600 extension filter filter_exten...

Page 385: ... wep wpa wpa wpa2 wpa2 77 security wep mode open share 77 security wep 64 128 default key 1 4 77 security wpa tkip aes eap external 77 security wpa tkip aes eap internal profile name tls cert certificate name 77 security wpa tkip aes psk key psk key 77 security wpa2 tkip aes eap external 77 security wpa2 tkip aes eap internal profile name tls cert certificate name 77 security wpa2 tkip aes psk key...

Page 386: ... group name 258 show aaa group server ldap group name 259 show aaa group server radius group name 260 show access page settings 293 show account pppoe profile_name pptp profile_name 273 show account cellular profile_name 274 show address object object_name 246 show ad server 256 show anti spam activation 215 show anti spam black list status 219 show anti spam dnsbl domain 220 show anti spam dnsbl ...

Page 387: ...tch dog config 360 show app watch dog monitor list 360 show arp table 356 show boot status 33 show bridge available member 81 show bwm activation 171 show bwm activation 94 show bwm usage policy route policy_number interface interface_name 94 show ca category local remote name certificate_name format text pem 270 show ca category local remote name certificate_name certpath 270 show ca spaceusage 2...

Page 388: ...how eps signature anti virus personal firewall status 285 show extension slot 33 show fan speed 33 show firewall 129 show firewall rule_number 129 show firewall status 129 show firewall zone_object zone_object ZyWALL 129 show firewall zone_object zone_object ZyWALL rule_number 129 show force auth activation 241 show force auth exceptional service 241 show force auth policy 1 1024 all 241 show fqdn...

Page 389: ...le signature all custom signature details 188 show idp profile signature sid details 188 show idp profiles 187 show idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate any yes no log any no log log alert action action_mask 194 show idp search system protect my_profile name quoted_string si...

Page 390: ...ow language setting all 312 show ldap server 256 show led status 33 show lockout users 243 show logging debug entries priority pri category module_name srcip ip dstip ip service service_name begin 1 512 end 1 512 keyword keyword 335 show logging debug entries field field begin 1 1024 end 1 1024 335 show logging debug status 335 show logging entries priority pri category module_name srcip ip dstip ...

Page 391: ... object zone profile 32 show reference object group aaa ad group_name 32 show reference object group aaa ldap group_name 32 show reference object group aaa radius group_name 32 show reference object group address profile 32 show reference object group interface profile 32 show reference object group service profile 32 show reference object group username username 32 show report interface_name ip s...

Page 392: ...formation interval 336 show vrpt send interface statistics interval 336 show vrpt send system status interval 336 show wlan mac filter 79 show wlan mac filter status 79 show workspace application 149 show workspace cifs 149 show zone profile_name 104 show zone binding iface 104 show zone default binding 104 show zone none binding 104 show zone system default 104 show zone user define 104 shutdown ...

Page 393: ...decoder truncated header undersize len oversize len log alert 190 udp filtered distributed portscan udp filtered portsweep details 191 unlock lockout users ip console 243 usb storage mount 73 usb storage umount 73 usb storage warn number percentage megabyte 73 use defined mac 64 username rename username username 238 username username no description description 238 username username no logon lease ...

Page 394: ...List of Commands Alphabetical ZyWALL ZLD CLI Reference Guide 394 ...

Reviews:

No comments

Related manuals for ZyWall

Aaeon ICS-6270 User Manual preview
ICS-6270
Brand: Aaeon Pages: 104
D-Link DFL-260 - NetDefend - Security Appliance Brochure & Specs preview
DFL-260 - NetDefend - Security Appliance
Brand: D-Link Pages: 7
Watchguard XTM 2050 Quick Start Manual preview
XTM 2050
Brand: Watchguard Pages: 22
FEITIAN MultiPass FIDO Product Manual preview
MultiPass FIDO
Brand: FEITIAN Pages: 7
Tosibox Lock 200 User Manual preview
Lock 200
Brand: Tosibox Pages: 44
Aaeon FWS-2271 User Manual preview
FWS-2271
Brand: Aaeon Pages: 100
IBASE Technology FWA6304-D25 User Manual preview
FWA6304-D25
Brand: IBASE Technology Pages: 16
IBM Proventia Getting Started preview
Proventia
Brand: IBM Pages: 7
St. Bernard iPrism 3000 User Manual preview
iPrism 3000
Brand: St. Bernard Pages: 4
Caswell CAR-5040 Series User Manual preview
CAR-5040 Series
Brand: Caswell Pages: 134

Brands by name

Popular brands

Load more brands