Table of Contents

Preface ...............................................................................................................10
1. Introduction .....................................................................................................12

1.1. Running a command ...............................................................................12
1.2. Help ....................................................................................................13

1.2.1. Help for commands ......................................................................13
1.2.2. Help for object types ....................................................................13

1.3. Function keys ........................................................................................14
1.4. Command line history .............................................................................15
1.5. Tab completion ......................................................................................16

1.5.1. Inline help ..................................................................................16
1.5.2. Autocompleting Current and Default value .......................................16
1.5.3. Configuration object type categories ................................................17

1.6. User roles .............................................................................................18

2. Command Reference .........................................................................................20

2.1. Configuration ........................................................................................20

2.1.1. activate ......................................................................................20
2.1.2. add ............................................................................................20
2.1.3. cancel ........................................................................................21
2.1.4. cc .............................................................................................22
2.1.5. commit ......................................................................................23
2.1.6. delete ........................................................................................23
2.1.7. pskgen .......................................................................................24
2.1.8. reject .........................................................................................24
2.1.9. reset ..........................................................................................26
2.1.10. set ...........................................................................................26
2.1.11. show ........................................................................................27
2.1.12. undelete ...................................................................................29

2.2. Runtime ...............................................................................................31

2.2.1. about .........................................................................................31
2.2.2. alarm .........................................................................................31
2.2.3. arp ............................................................................................31
2.2.4. arpsnoop ....................................................................................32
2.2.5. ats .............................................................................................33
2.2.6. blacklist .....................................................................................33
2.2.7. buffers .......................................................................................34
2.2.8. cam ...........................................................................................35
2.2.9. certcache ....................................................................................36
2.2.10. cfglog ......................................................................................36
2.2.11. connections ...............................................................................36
2.2.12. cpuid .......................................................................................37
2.2.13. crashdump ................................................................................38
2.2.14. cryptostat ..................................................................................38
2.2.15. dconsole ...................................................................................38
2.2.16. dhcp ........................................................................................39
2.2.17. dhcprelay ..................................................................................39
2.2.18. dhcpserver ................................................................................40
2.2.19. dns ..........................................................................................41
2.2.20. dnsbl .......................................................................................41
2.2.21. dynroute ...................................................................................42
2.2.22. frags ........................................................................................42
2.2.23. ha ............................................................................................43
2.2.24. hostmon ...................................................................................44
2.2.25. httpalg .....................................................................................44
2.2.26. httpposter .................................................................................45
2.2.27. hwaccel ....................................................................................45
2.2.28. hwm ........................................................................................46
2.2.29. idppipes ...................................................................................46

Contents: DFL-210 - NetDefend - Security Appliance

Page 1: ...Network Security Solution http://www.dlink.com Security Security DFL-210/800/1600/2500, DFL-260/860/1660/2560(G) Ver 2.27.01 Network Security Firewall CLI Reference Guide...

Page 2: ...ide DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS version 2.27.01. D-Link Corporation, No. 289 Sinhu 3rd Rd., Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com. Published 2010-06-22...

Page 3: ...s for a particular purpose. D-Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of su...

Page 4: ...22 2.1.5 commit 23 2.1.6 delete 23 2.1.7 pskgen 24 2.1.8 reject 24 2.1.9 reset 26 2.1.10 set 26 2.1.11 show 27 2.1.12 undelete 29 2.2 Runtime 31 2.2.1 about 31 2.2.2 alarm 31 2.2.3 arp 31 2.2.4 arpsn...

Page 5: ...63 2.2.57 rtmonitor 64 2.2.58 rules 64 2.2.59 selftest 65 2.2.60 services 67 2.2.61 sessionmanager 68 2.2.62 settings 69 2.2.63 shutdown 70 2.2.64 sipalg 70 2.2.65 sshserver 72 2.2.66 stats 73 2.2.67...

Page 6: ...17.2 BroadcomEthernetPCIDriver 113 3.17.3 E1000EthernetPCIDriver 113 3.17.4 E100EthernetPCIDriver 114 3.17.5 IXP4NPEEthernetDriver 114 3.17.6 MarvellEthernetPCIDriver 115 3.17.7 R8139EthernetPCIDrive...

Page 7: ...agement 173 3.48.1 RemoteMgmtHTTP 173 3.48.2 RemoteMgmtNetcon 173 3.48.3 RemoteMgmtSNMP 174 3.48.4 RemoteMgmtSSH 174 3.49 RouteBalancingInstance 176 3.50 RouteBalancingSpilloverSettings 177 3.51 Routi...

Page 8: ...s 198 3.55.19 RoutingSettings 199 3.55.20 SSLSettings 200 3.55.21 StateSettings 201 3.55.22 TCPSettings 202 3.55.23 VLANSettings 203 3.56 SSHClientKey 204 3.57 ThresholdRule 205 3.57.1 ThresholdAction...

Page 9: ...rags 43 2.10 List network objects which have names containing net 56 2.11 Show all monitored objects in the alg http category 64 2.12 Show a range of rules 65 2.13 Interface ping test between all inte...

Page 10: ...for the option. Example 1: Command option notation. One of the usages for the help command looks like this: help category COMMANDS TYPES Topic. This means that help has an option called category which has...

Page 11: ...s followed by ellipses it is possible to specify more than one routing table. Since table name is optional as well, the user can specify zero or more policy-based routing tables. gw-world:/> routes Virroute...

Page 12: ...eference for all commands and configuration object types that are available in the command line interface for NetDefendOS. 1.1 Running a command. The commands described in this guide can be run by typin...

Page 13: ...gw-world:/> activate -h. Full help for activate: gw-world:/> help activate. Help for the arp command: Arp is also the name of a configuration object type, so it is necessary to specify that the help text for the...

Page 14: ...of information is shown. Ctrl-D or Delete: Delete the character to the right of the cursor. Ctrl-E or End: Move the cursor to the end of the line. Ctrl-F or Right Arrow: Move the cursor one character to th...

Page 15: ...d lines: up arrow for older command lines and down arrow to move back to a newer command line. See also Section 2.4.3 history. Example 1.3 Command line history: Using the command line history via the arro...

Page 16: ...ip a <tab> gw-world:/> add Address IP4Address example_ip Address= (Address was autocompleted) gw-world:/> add Address IP4Address example_ip Address=1.2.3.4. Tab completion of references: gw-world:/> set Address IP4Gr...

Page 17: ...add or remove a member to the list without having to enter all the other members again. Edit the default value: gw-world:/> add LogReceiverSyslog example Address=example_ip LogSeverity=<tab> gw-world:/> add Lo...

Page 18: ...s and options cannot be used unless the logged in user has administrator privilege. This is indicated in this guide by a note following the command or "Admin only" written next to an option. 1.6 User roles...

Page 20: ...privilege. 2.1.2 add: Create a new object. Description: Create a new object and add it to the configuration. Specify the type of object you want to create and the identifier, if the type has one, unless the...

Page 21: ...e silent] <key-value pair>. Options: force Add object even if it has errors. silent Do not show any errors. Category: Category that groups object types. Identifier: The property that identifies the configuratio...

Page 22: ...rrect context, e.g. a LocalUserDatabase called exampledb. Only objects in the current context can be accessed. Example 2.2 Change context. Change to a sub-child context: gw-world:/> cc LocalUserDatabase exampl...

Page 23: ...guration. Add the force flag to delete the object even if it is referenced by other objects or if it is a context that has child objects that aren't deleted. This may cause objects referring to the spec...

Page 24: ...hared key of specified size containing randomized key data. If a key with the specified name exists, the existing key is modified. Otherwise a new key object is created. Usage: pskgen <Name> comments <String>...

Page 25: ...er user1 Comments="Something" gw-world:/exampledb> set User user2 Comments="that will be" gw-world:/exampledb> set User user3 Comments="rejected" gw-world:/exampledb> cc gw-world:/> reject LocalUserDatabase exampled...

Page 26: ...r privilege. 2.1.10 set: Set property values. Description: Set property values of configuration objects. Specify the type of object you want to modify and the identifier if the type has one. Set the proper...

Page 27: ...already enabled. Category: Category that groups object types. Identifier: The property that identifies the configuration object. May not be applicable depending on the specified Type. key-value pair: One...

Page 28: ...Address IP4Address example_ip gw-world:/main> show Route 1 gw-world:/> show Client DynDnsClientDyndnsOrg. Show a table of all objects of a type and a selection of their properties as well as their status: gw...

Page 29: ...ete: Restore previously deleted objects. Description: Restore a previously deleted object. This is possible as long as the activate command has not been called. See also: delete. Example 2.7 Undelete an obje...

Page 30: ...dentifies the configuration object. May not be applicable depending on the specified Type. Type: Type of configuration object to perform operation on. Note: Requires Administrator privilege. 2.1.12 undelete...

Page 31: ...alarm history active. Options: active Show the currently active alarms. history Show the 20 latest alarms. 2.2.3 arp: Show ARP entries for given interface. Description: List the ARP cache entries of specifie...

Page 32: ...ware addresses matching pattern. hwsender <Ethernet Address> Sender ethernet address. ip <pattern> Show only IP addresses matching pattern. notify <ip> Send gratuitous ARP for ip. num <n> Show only the first n en...

Page 33: ...num <n> Limit list to n entries. Default: 20. 2.2.6 blacklist: Blacklist. Description: Block and unblock hosts on the black and white list. Note: Static blacklist hosts cannot be unblocked. If force is not spec...

Page 34: ...n only. creationtime Show creation time. dest <ip address> Destination address to block/unblock. ExceptExtablished flag is set on. dynamic Show dynamic hosts only. force Unblock all services for the host tha...

Page 35: ...buffer. buffers <Num> Decode buffer number Num. Options: recent Decode most recently freed buffer. Num Decode given buffer number. 2.2.8 cam: CAM table information. Description: Show information about the CAM t...

Page 36: ...2.2.9 certcache: Show the contents of the certificate cache. Description: Show all certificates in the certificate cache. Usage: certcache. 2.2.10 cfglog: Display configuration log. Description: Display the lo...

Page 37: ...e filter expression. Admin only. destiface <interface> Filter on destination interface. destip <ip addr> Filter on destination IP address. destport <port> Show only given destination TCP/UDP port. num <n> Limit li...

Page 38: ...sage: cryptostat. 2.2.15 dconsole: Displays the content of the diagnose console. Description: The diagnose console is used to help troubleshooting internal problems within the security gateway. Usage: dconso...

Page 39: ...on about DHCP enabled interface. dhcp lease RENEW|RELEASE <interface> Modify interface lease. Options: lease RENEW|RELEASE Modify interface lease. list List all DHCP enabled interfaces. show Show information...

Page 40: ...Display filter: filters relays based on interface. ip <ip address> IP address. 2.2.18 dhcpserver: Show content of the DHCP server ruleset. Description: Show the content of the DHCP server ruleset and various...

Page 41: ...rules Show DHCP server rules. show Show ruleset. display filter: Display filters for leases based on interface, mac, ip (e.g. if1, 192.168). interface Interface. ip <address> IP address. 2.2.19 dns: DNS client and qu...

Page 42: ...ption: Show the dynamic routing policy filter ruleset and current exports. In the Flags field of the dynrouting exports the following letters are used: o Route describes the optimal path to the network. u...

Page 43: ...gs. frags NEW. frags 254. Usage: frags NEW|ALL|<reassembly id> free done num <n>. Options: done List done (lingering) reassemblies. free List free instead of active. num <n> List n entries. Default: 20. NEW|ALL|<reassemb...

Page 44: ...5 httpalg: Commands related to the HTTP Application Layer Gateway. Description: Show information about the WCF cache or list the overridden WCF hosts. Usage: httpalg override flush List or flush hosts that...

Page 45: ...atch the specified characters. verbose Verbose. wcfcache Show statistics of WCF functionality. 2.2.26 httpposter: Display HTTPPoster_URLx status. Description: Display configuration and status of configured...

Page 46: ...how and remove hosts that are piped by IDP. Description: Show list of currently piped hosts. Usage: idppipes show host <ip addr> Lists hosts for which new connections are piped by IDP. idppipes unpipe all host...

Page 47: ...ame Only list members of given PBR table(s). restart Stop and restart the interface. Admin only. Interface Name of interface. 2.2.31 igmp: IGMP Interfaces. Description: Show information about the current stat...

Page 48: ...ry message. state Show the current IGMP state. host <address> Host IP address. Interface Interface. MC address Multicast Address. router <address> Router IP address. 2.2.32 ikesnoop: Enable or disable IKE snoopi...

Page 49: ...free IP assigned to subsystem. ippool show verbose max <n> Show IP pool information. Options: all Free all IP addresses. max <n> Limit list to n entries. Default: 10. release Forcibly free IP assigned to subsys...

Page 50: ...2.2.36 ipsecstats: Show the SAs in use. Description: List the currently active IKE and IPsec SAs, optionally only showing SAs matching the pattern given for the argument tunnel. Usage: ipsecstats ike tunne...

Page 51: ...orce Show specific number of interface. ipsectunnels Show interfaces. Options: force Bypass confirmation question. iface recv iface: IPsec interface to show information about. num ALL|<Integer> Maximum number...

Page 52: ...s: Manage language files on disk. Description: Manage language files on disk. Usage: languagefiles Show all language files on disk. languagefiles remove <String> Remove a language file from disk. Options: remov...

Page 53: ...abases. reset Reset status for LDAP database. show Show status and statistics. LDAP Server LDAP database. 2.2.41 license: Show contents of the license file. Description: Show contents of the license file. Usa...

Page 54: ...not actually pass through the ruleset, e.g. traffic allowed by IPsecBeforeRules, NetconBeforeRules, SNMPBeforeRules if such settings are enabled. Note: If local lockdown has been set by the core itself due...

Page 55: ...s. Description: Show current NAT Pools and in-depth information. Usage: natpool verbose <pool name> <IP4 Address> num <Integer>. Options: num <Integer> Maximum number of items to list, default 20. verbose Verbose, mor...

Page 56: ...g net: netobjects net. Usage: netobjects <String> num <num>. Options: num <num> Number of entries to show. Default: 20. String Name or pattern. 2.2.49 ospf: Show runtime OSPF information. Description: Show runtime info...

Page 57: ...cess Show troubleshooting messages on the console. ospf ifacedown <interface> process <OSPF Router Process> Take specified interface offline. ospf ifaceup <interface> process <OSPF Router Process> Take specifie...

Page 58: ...table. 2.2.50 pcapdump: Packet capturing. Description: Packet capture engine. Usage: pcapdump Show capture status. pcapdump start <interface(s)> size <value> snaplen <value> count <value> out out nocap eth <Ethernet A...

Page 59: ...ernet Address> Ethernet source address filter. filename <String> Filename for capture file. icmp ICMP filter. ip <IP4 Address> IP address filter. ipdest <IP4 Address> Destination IP address filter. ipsrc <IP4 Addr...

Page 60: ...ethernet devices. pciscan all Show all detected devices. pciscan ethernet Show all detected ethernet devices. pciscan cfgupdate Updates the config with detected devices. pciscan force_driver <Integer> BROA...

Page 61: ...ommand is not executed right away; it is queued until the end of the second, when pipe values are calculated. Usage: pipes List all pipes. pipes users <Pipe expr String> List users of a given pipe. pipes show...

Page 62: ...ssions List all sessions using a PPTP tunnel. verbose Verbose output. PPTP ALG PPTP ALG. 2.2.54 reconfigure: Initiates a configuration re-read. Description: Restart the Security Gateway using the currently a...

Page 63: ...show only switched routes. Explanation of Flags field of the routing tables: O Learned via OSPF. X Route is Disabled. M Route is Monitored. A Published via Proxy ARP. D Dynamic (from e.g. DHCP relay, IPsec, L2...

Page 64: ...e beginning of a name. If no filter is specified, all objects are displayed. If the option monitored is specified, only objects that have an associated real-time monitor alert are displayed. Example 2.11 S...

Page 65: ...of the throughput crypto accelerator tests are dependent on configuration values. If the number of large buffers (LocalReassSettings LocalReass_NumLarge) is too low, it might lower the throughput result. In the f...

Page 66: ...elftest media size <Integer> Check the sanity of the disk drive. selftest mac Check if there are MAC address collisions on the interfaces. selftest ping interfaces <Interface> Run a ping test over the inter...

Page 67: ...Check the sanity of the disk drive. memory Check the sanity of the RAM. minutes <Integer> Test duration in minutes. Default: 0. num <Integer> Number of times to execute the test. Default: 1. ping Run a ping test...

Page 68: ...tly active users. Explanation of Timeout flags for sessions: D Session is disabled. S Session uses a timeout in its subsystem. Session does not use timeout. Usage: sessionmanager Show Session Manager status...

Page 69: ...st List active sessions. message Send message to session. num <n> List n number of sessions. status Show Session Manager status. database Name of user database. IP Address IP address. message <text> Message to s...

Page 70: ...conds Seconds until shutdown. Default: 5. Note: Requires Administrator privilege. 2.2.64 sipalg: SIP ALG. Description: List running SIP ALG configurations, SIP registration and call information. The flags optio...

Page 71: ...RORS. NOTE: the verbose option outputs a lot of information on the console, which may lead to system instability. Use with caution. Usage: sipalg definition <alg> Show running ALG configuration parameters. sipalg...

Page 72: ...ions. snoop ON|OFF|VERBOSE Enable or disable SIP snooping. NOTE: the verbose option outputs a lot of information on the console, which may lead to system instability. Use with caution. statistics SHOW|FLUSH Sh...

Page 73: ...created. verbose Verbose output. ssh server SSH Server. Note: Requires Administrator privilege. 2.2.66 stats: Display various general firewall statistics. Description: Display general information about the fi...

Page 74: ...Usage: time Display current system time. time set <date> <time> Set system local time (YYYY-MM-DD HH:MM:SS). time sync force Synchronize time with timeserver(s) specified in settings. Options: force Force synchro...

Page 75: ...nd manage autoupdate information. Description: Show autoupdate mechanism status or force an update. Usage: updatecenter update ANTIVIRUS|IDP|ALL Initiate an update check of the specified database. updatece...

Page 76: ...ist, only privileges actually used by the policy are displayed. Usage: userauth List all authenticated users. userauth list num <n> List all authenticated users. userauth privilege List all known privileges...

Page 77: ...attached Virtual LAN Interfaces or in-depth information about a specified VLAN. Usage: vlan List attached VLANs. vlan <Interface> Display VLANs connected to physical iface <iface>. Options: Interface Display V...

Page 78: ...p address> pbr <table> count <1-10> length <4-8192> port <0-65535> udp tcp tos <0-255> verbose. Options: count <1-10> Number of packets to send. Default: 1. length <4-8192> Packet size. Default: 4. pbr <table> Route using PBR...

Page 79: ...types. The fastest way to get help is to simply type help followed by the topic that you want help with. A topic can be, for example, a command name (e.g. set) or the name of a configuration object type (e.g....

Page 80: ...ts device data accessible by SCP. Description: Lists device data which are available through SCP. Example 2.19 Transfer script files to and from the device. Upload: scp myscript user@sgw-ip:script/myscript...

Page 81: ...delete script files. Script files are transferred to and from the device by the SCP protocol. On the device they are stored in the script folder. Example 2.23 Execute script: script sgs add IP4Address Nam...

Page 82: ...ce Force script execution. name <Name> Name of script. quiet Quiet script execution. remove Remove script. show Show script in console window. store Store a script to persistent storage. verbose Verbose mode...

Page 84: ...e 105. ConfigModePool page 106. DateTime page 107. Device page 108. DHCPRelay page 109. DHCPServer page 110. DNS page 112. Driver page 113. DynamicRoutingRule page 118. EthernetDevice page 121. HighAvailability...

Page 85: ...MonitorAlert page 171. RemoteIDList page 172. RemoteManagement page 173. RouteBalancingInstance page 176. RouteBalancingSpilloverSettings page 177. RoutingRule page 178. RoutingTable page 179. ScheduleProfil...

Page 86: ...that the sender must belong to for this rule to be carried out. LogEnabled Enable logging. Default: Yes. LogSeverity Specifies with what severity log events will be sent to the specified log receivers. D...

Page 87: ...IP address, with one instance for each node in the high availability cluster. UserAuthGroups Groups and user names that belong to this object. Objects that filter on credentials can only be used as so...

Page 88: ...al. 3.2.1.3 EthernetAddress. Description: Use an Ethernet Address item to define a symbolic name for an Ethernet MAC address. Properties: Name Specifies a symbolic name for the network object. Identifier. Ad...

Page 89: ...but has no credentials (user names or groups) defined. This means that the object only requires that a user is authenticated but ignores any kind of group membership. Default: No. Comments Text describing...

Page 90: ...For example 13:30. EndTime End Time of occurrence in the format HH:MM. For example 14:15. Occurrence Specify type of occurrence. Default: Weekly. Weekly Specifies days in week the schedule occurrence should...

Page 91: ...control channel. Default: Yes. AllowResumeTransfer Allow RESUME even in case of content scanning. Default: No. Antivirus Disabled, Audit or Protect. Default: Disabled. ScanExclude List of files to exclude from...

Page 92: ...logical channel addresses. Default: Yes. MaxGKRegLifeTime Max Gatekeeper Registration Lifetime. Default: 1800. Comments Text describing the current object. Optional. 3.4.3 ALG_HTTP. Description: Use an HTTP Ap...

Page 93: ...tedZip Allow encrypted zip files even though the contents can not be scanned. Default: No. ZDEnabled Enable ZoneDefense Block. Default: No. ZDNetwork Hosts within this network will be blocked at switches if...

Page 94: ...le List of file types to allow or deny. Optional. VerifyContentMimetype Verify that file extensions correspond to the MIME type. Default: No. Antivirus Disabled, Audit or Protect. Default: Disabled. ScanExclud...

Page 95: ...ber of sessions per SIP URI. Default: 5. MaxRegistrationTime The maximum allowed time between registration requests. Default: 3600. SipSignalTmout Timeout value for last seen SIP message. Default: 43200. DataC...

Page 96: ...Action; a value of zero will disable all compression checks. Default: 20. CompressionRatioAction The action to take when the high compression threshold is violated; all actions are logged. Default: Drop. AllowEn...

Page 97: ...fied when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list. 3.4.8 ALG_TFTP. Description: Use a TFTP Application Layer Ga...

Page 98: ...ame Specifies a symbolic name for the ALG. Identifier. HostCert Specifies the host certificate. RootCert Specifies the root certificate. Optional. Comments Text describing the current object. Optional. 3.4.9...

Page 99: ...e address shall be published on. IP The IP address to be published or statically bound to a hardware address. MACAddress The hardware address associated with the IP address. Default: 00-00-00-00-00-00. Co...

Page 100: ...ervice Specifies the service that will be whitelisted. Schedule The schedule when the whitelist should be active. Optional. Comments Text describing the current object. Optional. Note: If no Index is specif...

Page 101: ...symbolic name for the certificate. Identifier. Type Local, Remote or Request. CertificateData Certificate data. PrivateKey Private key. NoCRLs Disable CRLs (Certificate Revocation Lists). Default: No. PKAType En...

Page 102: ...one instance of this type. 3.8.2 DynDnsClientDyndnsOrg. Description: Configure the parameters used to connect to the dyndns.org DynDNS service. Properties: DNSName The DNS name, excluding the dyndns.org su...

Page 103: ...8.4 DynDnsClientPeanutHull. Description: Configure the parameters used to connect to the Peanut Hull DynDNS service. Properties: DNSNames Specifies the DNS names, separated by. Username Username. Password Th...

Page 104: ...ies. Description TODO. Default: New Group. Color TODO. Default: 9EBEE7. Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be e...

Page 105: ...ies: Port Port. Identifier. BitsPerSecond Bits per second. Default: 9600. DataBits Data bits. Default: 8. Parity Parity. Default: None. StopBits Stop bits. Default: 1. FlowControl Flow control. Default: None. Comments...

Page 106: ...ask Specifies the netmask to assign to VPN clients. DNS Specifies the IP address of a DNS server that a VPN client should be able to connect to. Optional. NBNSIP Specifies the IP address of a NBNS (WINS) s...

Page 107: ...f server for time synchronization: UDPTime or SNTP (Simple Network Time Protocol). Default: SNTP. TimeSyncServer1 DNS hostname or IP Address of Timeserver 1. TimeSyncServer2 DNS hostname or IP Address of Tim...

Page 108: ...tion. ConfigIP IP address of the user who committed the current configuration. Optional. ConfigDate Date when the current configuration was committed. Optional. DeviceID Device identification string. Option...

Page 109: ...the routing table the clients' host route should be added to. Default: main. MaxRelaysPerInterface Specifies how many relays are allowed per interface, that is, how many DHCP clients are allowed to be re...

Page 110: ...ent as gateway. Optional. Domain Domain name used for DNS resolution. Optional. LeaseTime The time in seconds that a DHCP lease should be provided to a host; after this the client has to renew the lease. D...

Page 111: ...this type, the object will be placed last in the list and the Index will be equal to the length of the list. 3.15.2 DHCPServerCustomOption. Description: Extend the DHCP Server functionality by adding cust...

Page 112: ...erver2 IP of the secondary DNS Server. Optional. DNSServer3 IP of the tertiary DNS Server. Optional. Comments Text describing the current object. Optional. Note: This object type does not have an identifier...

Page 113: ...type. 3.17.2 BroadcomEthernetPCIDriver. Description: Broadcom NE Gigabit Ethernet. Properties: Comments Text describing the current object. Optional. Note: This object type does not have an identifier and is...

Page 114: ...nly. There can only be one instance of this type. 3.17.4 E100EthernetPCIDriver. Description: Intel E100 Fast Ethernet Adaptor. Properties: RxRingsize Rx ringsize. Default: 32. TxRingsize Tx ringsize. Default: 12...

Page 115: ...fied by the name of the type only. There can only be one instance of this type. 3.17.7 R8139EthernetPCIDriver. Description: RealTek 8139 Fast Ethernet Adaptor. Properties: Comments Text describing the curre...

Page 116: ...y the name of the type only. There can only be one instance of this type. 3.17.10 TulipEthernetPCIDriver. Description: Tulip Fast Ethernet Adaptor. Properties: Comments Text describing the current object. Op...

Page 117: ...This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.17.11 X3C905EthernetPCIDriver...

Page 118: ...s if the route needs to match a specific network exactly. Optional. DestinationNetworkIn Specifies if the route just needs to be within a specific network. Optional. NextHop The next hop router on the r...

Page 119: ...e: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list. 3.18.2 DynamicRoutingRuleAddRoute. Des...

Page 120: ...which the security gateway should publish routes via Proxy ARP. Optional. Comments Text describing the current object. Optional. Note: If no Index is specified when creating an instance of this type, the o...

Page 121: ...net adapter. PCIPort Some Ethernet adapters have multiple ports that share the same bus and slot number. This parameter specifies what port to be used. Media Specifies if the link speed should be auto-ne...

Page 122: ...nowledgments from the cluster peer. Default: 1024. HASyncMaxPktBurst The maximum number of state sync packets to send in a burst. Default: 20. HAInitialSilence The number of seconds to stay silent on startu...

Page 123: ...rbidden HTML for the CompressionForbidden.html web page. ContentForbidden HTML for the ContentForbidden.html web page. URLForbidden HTML for the URLForbidden.html web page. RestrictedSiteNotice HTML for...

Page 124: ...ge. LoginAlreadyDone HTML for the LoginAlreadyDone.html web page. LoginChallenge HTML for the LoginChallenge.html web page. LoginChallengeTimeout HTML for the LoginChallenge.html Timeout web page. LogoutS...

Page 125: ...e posted when the security gateway is loaded. Optional. URL3 The third URL that will be posted when the security gateway is loaded. Optional. RepDelay Delay in seconds until all URLs are refetched. Default...

Page 126: ...MinLimit Lower limit. Optional. MaxLimit Upper limit. Optional. EnableMonitoring Enable/disable monitoring. Default: No. Comments Text describing the current object. Optional. Note: If no Index is specified whe...

Page 127: ...Identifier. Type IP, DNS, E-Mail or Distinguished name. IP IP address. Hostname Host name. CommonName Common name of the owner of the certificate. Optional. OrganizationName Organization name of the owner of...

Page 128: ...raffic with this rule. Schedule By adding a schedule to a rule, the security gateway will only allow that rule to trigger at those designated times. Optional. InsertionEvasion Protect against insertion/e...

Page 129: ...action. PipeNetwork Traffic shaping will only apply to hosts that are within this network. Default: 0 0. PipeNewConnections Enable piping of new connections from and to the same host. Default: No. PipeTimeWi...

Страница 130: ...d pack et MulticastSource Specifies the multicast source to be compared to the received packet RelayInterface Specifies the interface via which to relay IGMP messages TranslateMGroup Translate the mul...

Страница 131: ...o Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list 3 27 IGMPRule Chapter 3 Configuration Refer...

Страница 132: ...ryResponseInterval The maximum time until a host client has to send an answer to a query Default 10000 LastMemberQueryInterval The maximum time until a host client has to send an answer to a group and...

Страница 133: ...ze Specifies the Blowfish preferred key size in bits Default 128 BlowfishMaxKeySize Specifies the maximum Blowfish key size in bits Default 448 TwofishMinKeySize Specifies the minimum Twofish key size...

Страница 134: ...e default gateway of the interface Optional Broadcast The broadcast address of the connected network Optional PrivateIP The private IP address of this high availability node Optional NOCHB This will d...

Страница 135: ...CP lease Optional DHCPServerFilter IP address range s for the DHCP servers from which leases are accepted Optional DHCPDisallowIPConflicts Do not allow IP collisions with static routes Default Yes DHC...

Страница 136: ...Specifies the PBR table to insert the interface IP route into It also means that the specified routing table will be used for all routing lookups unless overridden by a PBR rule Default main Comments...

Страница 137: ...800 IPsecLifeTimeSeconds The lifetime of the IPsec connection in seconds Whenever it s exceeded a re key will be initiated providing new IPsec encryption and authentication session keys Default 3600 I...

Страница 138: ...be used or not Default None PFSDHGroup Specifies which Diffie Hellman group to use with PFS Default 2 SetupSAPer Setup security association per network host or port Default Net DeadPeerDetection Enab...

Страница 139: ...ress to use as source IP in e g NAT DNS1 IP of the primary DNS server Optional DNS2 IP of the secondary DNS server Optional Username Specifies the username to use for this PPTP L2TP interface Password...

Страница 140: ...Table Specifies the PBR table to insert the interface IP route into It also means that the specified routing table will be used for all routing lookups unless overridden by a PBR rule Default main Com...

Страница 141: ...l AllowedRoutes Restricts networks for which routes may automatically be added Default all nets MPPEAllowStateful Allow usage of Stateful MPPE less secure use only for compat ibility Default No Member...

Страница 142: ...s dynamically assigned Properties Name Specifies a symbolic name for the interface Identifier EthernetInterface The physical Ethernet interface that connects to the PPPoE server network IP The host na...

Страница 143: ...to manually specify IP Address object Default No MTU Specifies the size in bytes of the largest packet that can be passed onward Default 1492 MemberOfRoutingTable All or Specific Default All RoutingT...

Страница 144: ...No AutoInterfaceNetworkRoute Automatically add a route for this virtual LAN interface using the given network Default Yes AutoDefaultGatewayRoute Automatically add a default route for this virtual LAN...

Страница 145: ...ce Which interface to use when communicating with the DHCP server Optional PrefetchLeases Specifies the number of leases an IP Pool will keep prefetched Default 3 MaxFree Maximum number of free addres...

Страница 146: ...e received packet DestinationInterface Specifies the the destination interface to be compared to the received packet DestinationNetwork Specifies the span of IP addresses to be compared to the des tin...

Страница 147: ...cifies the maximum number of failed ping attempts until host is considered to be unreachable Default 2 SLBPingMaxAverageLatency Specifies the max average latency for the sample attempts Default 800 SL...

Страница 148: ...all destination IPs to a single IP Default No RuleSet Assuming action is Goto where to redirect rule lookup LogEnabled Enable logging Default Yes LogSeverity Specifies with what severity log events w...

Страница 149: ...3 32 2 1 IPRule The definitions here are the same as in Section 3 32 1 IPRule 3 32 2 IPRuleFolder Chapter 3 Configuration Reference 149...

Страница 150: ...its Default 128 BlowfishKeySize Specifies the Blowfish preferred key size in bits Default 128 BlowfishMaxKeySize Specifies the maximum Blowfish key size in bits Default 448 TwofishMinKeySize Specifies...

Страница 151: ...AP database Default userPassword GroupsAttr Specifies the group membership attribute used in the LDAP database Default memberOf GetGroups Retrieve group membership for users Default Yes DomainName The...

Страница 152: ...e to use when accessing the LDAP server Optional Password Specifies the password to use when accessing the LDAP server Optional Port Specifies the LDAP service port number Default 389 Comments Text de...

Страница 153: ...econds between each monitor attempt Default 250 InitGracePeriod Do not allow triggering of the link monitor for this number of seconds after the last reconfiguration Default 45 RoutingTable Routing ta...

Страница 154: ...etc Properties Name Specifies the username to add into the user database Identifier Password The password for this user Groups Specifies the user groups that this user is a member of e g Adminis trato...

Страница 155: ...lients host route should be added to Default main Comments Text describing the current object Optional 3 38 1 1 LogReceiverMessageException Description A log message exception is used to override the...

Страница 156: ...ss The IP address of the SMTP server Port Specifies the which port to use to connect to the SMTP server Default 25 Receiver1 The email address that the event information is sent to Receiver2 Alternate...

Страница 157: ...514 Facility Specifies what facility is used when logging Default local0 LogSeverity Specifies with what severity log events will be sent to the specified log receiv ers Optional Default Emergency Ale...

Страница 158: ...he IP Pool IPRange Specifies the range of IP addresses used for NAT translation StateKeepAlive The number of seconds that stateful NAT state will be kept in absence of new connections Default 120 MaxS...

Страница 159: ...es the time in seconds that the routing table will be kept unchanged after a reconfiguration of OSPF entries or a HA failover Default 45 RefBandwidthValue Set the reference bandwidth that is used when...

Страница 160: ...ects OSPF interfaces neighbors aggregates and virtual links Properties Name Specifies a symbolic name for the area Identifier AreaID Specifies the area id if 0 0 0 0 is specified this is the backbone...

Страница 161: ...ce Default 10 RtrDeadInterval If no HELLO packets are received from a neighbor within this interval in seconds that neighbor router will be declared to be down Default 40 RxmtInterval Specifies the nu...

Страница 162: ...onging to the local intra area with one contiguous network which may then be advertised or hidden Properties Network The aggregate network used to combine several small routes Advertise Advertise the...

Страница 163: ...he authentication type for the OSPF protocol exchanges Default None AuthPassphrase Specifies the passphrase used for authentication Optional AuthMD5ID Specifies the MD5 key ID used for MD5 digest auth...

Страница 164: ...ps for precedence 3 Optional LimitPPS3 Specifies the packet per second limit for precedence 3 Optional LimitKbps4 Specifies the bandwidth limit in kbps for precedence 4 Optional LimitPPS4 Specifies th...

Страница 165: ...itPPS6 Specifies the throughput limit per group in PPS for precedence 6 Optional UserLimitKbps7 Specifies the bandwidth limit per group in kbps for precedence 7 the highest precedence Optional UserLim...

Страница 166: ...Default 7 Comments Text describing the current object Optional 3 41 Pipe Chapter 3 Configuration Reference 166...

Страница 167: ...estina tion IP of the received packet Service Specifies a service that will be used as a filter parameter when matching traffic with this rule Schedule By adding a schedule to a rule the security gate...

Страница 168: ...involved Properties Name Specifies a symbolic name for the pre shared key Identifier Type Specifies the type of the shared key PSKAscii Specifies the PSK as a passphrase PSKHex Specifies the PSK as a...

Страница 169: ...used when trying to contact the RADIUS ac counting server If no response has been given after for example 2 seconds the security gateway will try again by sending a new AccountingRequest packet Defaul...

Страница 170: ...nds used when trying to contact the RADIUS ac counting server If no response has been given after for example 2 seconds the security gateway will try again by sending a new AccountingRequest packet De...

Страница 171: ...if statistical value goes above this threshold Optional BackoffInterval The minimum number of seconds between consecutive log messages Default 60 Continuous If set generate event if the value goes fro...

Страница 172: ...SKHex Specifies the PSK as a hexadecimal key IDType Selects the type of remote identity to use IDValue Specify the remote identity of the tunnel ID Comments Text describing the current object Optional...

Страница 173: ...TTPS Default No Network Specifies the network for which remote access is granted Comments Text describing the current object Optional 3 48 2 RemoteMgmtNetcon Description Configure Netcon management to...

Страница 174: ...SH Server to enable remote management access to the system Properties Name Specifies a symbolic name for the SSH server Identifier Interface Specifies the interface for which remote access is granted...

Страница 175: ...ents that can be connected at the same time Default 5 SessionIdleTime The number of seconds a user can be idle before the session is closed Default 1800 LoginGraceTime When the user has supplied the u...

Страница 176: ...ultiple routes to the same destination Properties RoutingTable Specify routingtable to deploy route load balancing in Identifier Algorithm Specify which algorithm to use when balancing the routes Defa...

Страница 177: ...seconds over under the threshold limit to trig ger state change for the affected routes Default 30 OutboundThreshold Outbound threshold limit Optional OutboundUnit TODO Default kbps InboundThreshold I...

Страница 178: ...er span of IP addresses to be compared to the re ceived packet DestinationInterface Specifies the the destination interface to be compared to the re ceived packet DestinationNetwork Specifies the span...

Страница 179: ...er hop used to reach the destination network If the network is directly connected to the security gateway interface no gateway address is spe cified Optional LocalIP The IP address specified here will...

Страница 180: ...bing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list 3...

Страница 181: ...object Optional Interface Specifies which interface packets destined for this route shall be sent through Network Specifies the network address for this route Metric Specifies the metric for this rout...

Страница 182: ...tive on Wednesdays Optional Thu Specifies during which intervals the schedule profile is active on Thursdays Optional Fri Specifies during which intervals the schedule profile is active on Fridays Opt...

Страница 183: ...to this service Default All EchoRequest Enable matching of Echo Request messages Default No EchoRequestCodes Specifies which Echo Request message codes should be matched Default 0 255 DestinationUnre...

Страница 184: ...vice Default 200 Comments Text describing the current object Optional 3 54 3 ServiceIPProto Description An IP Protocol Service is a definition of an IP protocol with specific parameters Properties Nam...

Страница 185: ...efault 0 65535 SYNRelay Enable SYN flood protection SYN Relay Default No PassICMPReturn Enable passing an ICMP error message only if it is related to an existing connection using this service Default...

Страница 186: ...changed Default DropLog ARPExpire Lifetime of an ARP entry in seconds Default 900 ARPExpireUnknown Lifetime of an unknown ARP entry in seconds Default 3 ARPMulticast ARP packets claiming to be multica...

Страница 187: ...is identified by the name of the type only There can only be one instance of this type 3 55 3 ConnTimeoutSettings Description Timeout settings for various protocols Properties ConnLife_TCP_SYN Connec...

Страница 188: ...seconds allowed from the DHCP server too high times will be lowered silently Default 10000 MaxAutoRoutes Maximum number of DHCP client IPs automatically added to the routing table Default 256 AutoSave...

Страница 189: ...efault 256 Ringsize_e100_rx Size of e100 receive ring per interface Default 32 Ringsize_e100_tx Size of e100 send ring per interface Default 128 Ringsize_yukonii_rx Size of Yukon II receive ring per i...

Страница 190: ...ed packets Properties PseudoReass_MaxConcurrent Maximum number of concurrent fragment reassemblies Set to 0 to drop all fragments Default 1024 IllegalFrags Illegaly constructed fragments partial overl...

Страница 191: ...use percentage as unit for monitoring else it is megabyte Default Yes MemoryLogRepetition Should we send a log message for each poll result that is in the Alert Critical or Warning level or should we...

Страница 192: ...the next update field in the CRL Default 86400 IKEMaxCAPath Maximum number of CA certificates in a certificate path Default 15 IPsecCertCacheMaxCerts Maximum number of entries in the certificate cache...

Страница 193: ...P Time To Live value accepted on receipt Default 3 TTLOnLow What action to take on too low unicast TTL values Default DropLog TTLMinMulticast The minimum IP multicast Time To Live value accepted on re...

Страница 194: ...cepted on re ceipt Default 1 TTLOnLowBroadcast What action to take on too low broadcast TTL values Default DropLog Note This object type does not have an identifier and is identified by the name of th...

Страница 195: ...ault 1480 MaxIPIPLen IPIP FWZ Encapsulated tunneled transport used by VPN 1 Default 2000 MaxIPCompLen IPsec IPComp Compressed communication Default 2000 MaxL2TPLen L2TP Layer 2 Tunneling Protocol Defa...

Страница 196: ...the type only There can only be one instance of this type 3 55 16 MiscSettings Description Miscellaneous Settings Properties UDPSrcPort0 How to treat UDP packets with source port 0 Default DropLog Por...

Страница 197: ...MulticastSettings Description Advanced Multicast Settings Properties AutoAddMulticastCoreRoute Auto generate core route for 224 0 0 1 239 255 255 255 Default Yes IGMPBeforeRules Allows IGMP traffic to...

Страница 198: ...log in before reverting to the previous configuration Default 30 WebUIBeforeRules Enable HTTP S traffic to the security gateway regardless of configured IP Rules Default Yes WWWSrv_HTTPPort Specifies...

Страница 199: ...e one instance of this type 3 55 19 RoutingSettings Description Configure the routing capabilities of the system Properties RouteFailOver_IfacePollInterval Time ms between polling of interface failure...

Страница 200: ...nder Action to take if sender MAC in the ethernet header is the null address 0000 0000 0000 Default DropLog BroadcastEnetSender Action to take if sender MAC in the ethernet header is the broadcast eth...

Страница 201: ...type 3 55 21 StateSettings Description Parameters for the state engine in the system Properties ConnReplace What to do when the connection table is full Default Re placeLog LogOpenFails Log packets th...

Страница 202: ...lt 7000 TCPMSSAutoClamping Automatically clamp TCP MSS according to MTU of involved inter faces in addition to TCP MSS max Default Yes TCPZeroUnusedACK Force unused ACK fields to zero helps prevent co...

Страница 203: ...ng Default StripLog TCPRF The TCP Reserved field should be zero Used in OS fingerprinting Also part of ECN extension Default StripLog TCPNULL TCP NULL packets without SYN ACK FIN or RST normally in va...
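The snippets from pages 193 to 203 name a handful of stateless packet sanity checks and their defaults: TTLMinUnicast (Default 3) with TTLOnLow (Default DropLog), UDPSrcPort0 (Default DropLog), TCPRF (Default StripLog), TCPZeroUnusedACK (Default Yes) and TCPNULL. The following model is an added example, not code from the product or its manual. It parses constructed IPv4/TCP/UDP packets, applies those checks in the order shown, and illustrates the difference between a Drop action and a Strip action, including the TCP checksum rewrite that stripping requires. Assumptions: IPv4 without options, unicast only, the RFC 793 six-bit reserved field (which the page says includes the bits later taken by ECN), and a DropLog default for TCPNULL, whose default is truncated on the page.

```python
"""Model of the stateless sanity checks named on pages 193-203 (added example,
not product code). Packet bytes below are constructed, not captured."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP, UDP = 6, 17
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses


@dataclass
class SanitySettings:
    # Defaults quoted from the page snippets; tcp_null's default is truncated
    # there, so DropLog is an assumption of this example.
    ttl_min_unicast: int = 3
    ttl_on_low: str = "DropLog"
    udp_src_port0: str = "DropLog"
    tcp_rf: str = "StripLog"
    tcp_null: str = "DropLog"
    tcp_zero_unused_ack: bool = True


def _ones_complement(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """RFC 793 checksum over pseudo-header plus segment with its checksum zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP, len(segment))
    return _ones_complement(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def build_ipv4(proto: int, ttl: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, SRC, DST)
    return hdr[:10] + struct.pack("!H", _ones_complement(hdr)) + hdr[12:] + payload


def build_tcp(flags: int, ack_no: int = 0, reserved6: int = 0) -> bytes:
    # data offset 5 words | six reserved bits (RFC 793) | URG ACK PSH RST SYN FIN
    word = (5 << 12) | ((reserved6 & 0x3F) << 6) | (flags & 0x3F)
    seg = struct.pack("!HHIIHHHH", 40000, 80, 1000, ack_no, word, 65535, 0, 0)
    return seg[:16] + struct.pack("!H", tcp_checksum(SRC, DST, seg)) + seg[18:]


def inspect(pkt: bytes, cfg: Optional[SanitySettings] = None) -> Tuple[str, Optional[bytes], List[str]]:
    """Apply the checks; return (verdict, packet to forward or None, log lines)."""
    cfg = cfg or SanitySettings()
    logs: List[str] = []
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ttl < cfg.ttl_min_unicast:                                   # TTLMinUnicast / TTLOnLow
        logs.append(f"TTLOnLow ttl={ttl} min={cfg.ttl_min_unicast} action={cfg.ttl_on_low}")
        if cfg.ttl_on_low.startswith("Drop"):
            return "Drop", None, logs
    l4 = bytearray(pkt[ihl:])
    if proto == UDP and struct.unpack("!H", l4[:2])[0] == 0:         # UDPSrcPort0
        logs.append(f"UDPSrcPort0 action={cfg.udp_src_port0}")
        if cfg.udp_src_port0.startswith("Drop"):
            return "Drop", None, logs
    if proto == TCP:
        (word,) = struct.unpack("!H", l4[12:14])
        flags, reserved6 = word & 0x3F, (word >> 6) & 0x3F
        (ack_no,) = struct.unpack("!I", l4[8:12])
        if not flags & (SYN | ACK | FIN | RST):                     # TCPNULL
            logs.append(f"TCPNULL action={cfg.tcp_null}")
            if cfg.tcp_null.startswith("Drop"):
                return "Drop", None, logs
        modified = False
        if reserved6:                                               # TCPRF
            logs.append(f"TCPRF reserved=0x{reserved6:02x} action={cfg.tcp_rf}")
            if cfg.tcp_rf.startswith("Drop"):
                return "Drop", None, logs
            if cfg.tcp_rf.startswith("Strip"):
                l4[12:14] = struct.pack("!H", word & 0xF03F)        # keep offset and flags only
                modified = True
        if cfg.tcp_zero_unused_ack and not flags & ACK and ack_no:  # TCPZeroUnusedACK
            logs.append(f"TCPZeroUnusedACK ack={ack_no:#x} zeroed")
            l4[8:12] = b"\x00\x00\x00\x00"
            modified = True
        if modified:  # a stripped header needs a fresh checksum or the host drops it
            l4[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(l4)))
    return "Forward", pkt[:ihl] + bytes(l4), logs


def tcp_fields(pkt: bytes) -> Dict[str, int]:
    """Decode reserved bits, ack number and checksum validity of a forwarded TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    (ack_no,) = struct.unpack("!I", pkt[ihl + 8:ihl + 12])
    (word,) = struct.unpack("!H", pkt[ihl + 12:ihl + 14])
    (stored,) = struct.unpack("!H", pkt[ihl + 16:ihl + 18])
    return {"reserved6": (word >> 6) & 0x3F, "ack": ack_no,
            "checksum_ok": int(stored == tcp_checksum(pkt[12:16], pkt[16:20], pkt[ihl:]))}


def samples() -> Dict[str, bytes]:
    """Constructed packets, one per check (not captures)."""
    return {
        "syn_reserved_and_ack": build_ipv4(TCP, 64, build_tcp(SYN, ack_no=0xDEADBEEF, reserved6=0x3F)),
        "tcp_null": build_ipv4(TCP, 64, build_tcp(0)),
        "udp_sport0": build_ipv4(UDP, 64, struct.pack("!HHHH", 0, 53, 8, 0)),
        "low_ttl": build_ipv4(UDP, 1, struct.pack("!HHHH", 5353, 53, 8, 0)),
        "clean_syn": build_ipv4(TCP, 64, build_tcp(SYN)),
    }


if __name__ == "__main__":
    for name, pkt in samples().items():
        verdict, _, logs = inspect(pkt)
        print(f"{name:24s} {verdict:8s} {'; '.join(logs) or '-'}")
```

Run directly, the block prints one verdict per sample. The point worth noticing is the Strip path: the SYN with reserved bits and a stray acknowledgement number is forwarded, but with both fields zeroed and the TCP checksum recomputed, whereas the NULL scan, the UDP source port 0 datagram and the TTL 1 packet never leave the gateway.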

Page 204: ...Name Specifies a symbolic name for the key Identifier Type DSA or RSA Default DSA Subject Value of the Subject header tag of the public key file Optional PublicKey Specifies the public key Comments T...

Page 205: ...to the destination IP of the received packet Service Specifies a service that will be used as a filter parameter when matching traffic with this rule Schedule By adding a schedule to a rule the secur...

Page 206: ...stIgnoreEstablished Do not drop existing connection Default No LogEnabled Enable logging Default Yes LogSeverity Specifies with what severity log events will be sent to the specified log receivers De...

Page 207: ...pecifies the day of month when the automatic update runs UpdateWeekday Specifies the day of week when the automatic update runs Default mon Hourly Specifies the number of hours between periodic...

Page 208: ...entication servers that will be used to authenticate users matching this rule RadiusMethod Specifies the authentication method used for encrypting the user password Default PAP LocalUserDB Specifies...

Page 209: ...of the number of bytes sent by the user Default Yes PacketsSent Enable reporting of the number of packets sent by the user Default Yes BytesReceived Enable reporting of the number of bytes received b...

Page 210: ...3 59 UserAuthRule Chapter 3 Configuration Reference 210...

Page 211: ...story 80 hostmon 44 httpalg 44 httpposter 45 hwaccel 45 hwm 46 I idppipes 46 ifstat 47 igmp 47 ikesnoop 48 ippool 49 ipsecglobalstats 49 ipseckeepalive 50 ipsecstats 50 ipsectunnels 51 K killsa 51 L l...

Page 212: ...DHCPRelay 109 DHCPRelaySettings 188 DHCPServer 110 DHCPServerCustomOption 111 DHCPServerPoolStaticHost 110 DHCPServerSettings 188 DNS 112 DynamicRoutingRule 118 DynamicRoutingRuleAddRoute 119 DynamicR...

Page 213: ...P Pipe 164 PipeRule 167 PPPoETunnel 142 PSK 168 R R8139EthernetPCIDriver 115 R8169EthernetPCIDriver 115 RadiusAccounting 169 RadiusServer 170 RealTimeMonitorAlert 171 RemoteIDList 172 RemoteMgmtHTTP...
