D-Link NetDefend DFL-260E Скачать руководство пользователя страница 222 | Manualshive

Страница: 222 / 328

background image

3.67. IPsecTunnelSettings

Description

Settings for the IPsec tunnel interfaces used for establishing IPsec VPN connections to and from
this system.

Properties

IPsecMaxTunnels

Amount of IPsec tunnels allowed (0 = automatic).
(Default: 0)

IPsecMaxRules

Amount of IPsec rules allowed (0 = automatic).
(Default: 0)

IKESendInitialContact

Send 'initial contact' messages. (Default: Yes)

IKESendCRLs

Send CRLs in the IKE exchange. (Default: Yes)

IKECRLValidityTime

Maximum number of seconds a CRL is considered
valid (0=obey the 'next update' field in the CRL).
(Default: 86400)

IKEMaxCAPath

Maximum number of CA certificates in a certificate
path. (Default: 15)

IPsecCertCacheMaxCerts

Maximum number of entries in the certificate
cache. (Default: 1024)

IPsecBeforeRules

Pass IKE & IPsec (ESP/AH) traffic sent to the firewall
directly to the IPsec engine without consulting the
ruleset. (Default: Yes)

IPsecGWNameCacheTime

Amount of time to keep an IPsec tunnel open
when the remote DNS name fails to resolve.
(Default: 14400)

DPDMetric

Metric 10s of seconds with no traffic or other
evidence of life in tunnel before SA is removed.
(Default: 3)

FlowMetric

Minimum number of seconds without data traffic
in a flow to activate IKE DPD liveness checks from
the corresponding IKE SA. (Default: 15)

IPsecDPDNoWaitWorryTime

Do not wait for 10 times the value of DPD Metric
after the value of Flow Metric has expired without
aliveness sign before activating IKE DPD. (Default:
No)

DPDKeepTime

Number 10s of seconds a SA will remain in dead
cache after a delete. DPD will not trigger if peer
already is cached as dead. (Default: 2)

DPDExpireTime

Number of seconds that DPD-R-U-THERE messages
will be sent. (Default: 15)

IPsecHardwareAcceleration

IPsec hardware acceleration. (Default: Inline)

Chapter 3: Configuration Reference

222

«
...
220
221
222
223
224
...
»

Содержание NetDefend DFL-260E

Страница 1: ...Network Security Solution http www dlink com NetDefendOS Ver 11 04 01 Network Security Firewall CLI Reference Guide Security Security...

Страница 2: ...nce Guide DFL 260E 860E 870 1660 2560 2560G NetDefendOS version 11 04 01 D Link Corporation No 289 Sinhu 3rd Rd Neihu District Taipei City 114 Taiwan R O C http www DLink com Published 2016 10 03 Copy...

Страница 3: ...a particular purpose D Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such rev...

Страница 4: ...24 2 1 5 commit 25 2 1 6 delete 25 2 1 7 pskgen 26 2 1 8 reject 27 2 1 9 reset 28 2 1 10 set 29 2 1 11 show 30 2 1 12 undelete 31 2 2 Runtime 33 2 2 1 about 33 2 2 2 alarm 33 2 2 3 appcontrol 33 2 2...

Страница 5: ...ut 65 2 2 55 lwhttp 66 2 2 56 macstorage 66 2 2 57 memory 66 2 2 58 natpool 67 2 2 59 nd 67 2 2 60 ndsnoop 68 2 2 61 netobjects 69 2 2 62 ospf 69 2 2 63 pcapdump 71 2 2 64 pipes 73 2 2 65 pptp 74 2 2...

Страница 6: ...4 ALG 117 3 4 1 ALG_FTP 117 3 4 2 ALG_H323 118 3 4 3 ALG_HTTP 118 3 4 4 ALG_POP3 120 3 4 5 ALG_PPTP 121 3 4 6 ALG_SIP 121 3 4 7 ALG_SMTP 122 3 4 8 ALG_TFTP 124 3 4 9 ALG_TLS 125 3 5 AntiVirusPolicy 1...

Страница 7: ...eControlPolicy 177 3 42 FragSettings 178 3 43 GeolocationFilter 180 3 44 GotoRule 181 3 45 GRETunnel 182 3 46 HighAvailability 183 3 47 HTTPALGBanners 184 3 48 HTTPAuthBanners 185 3 49 HTTPPoster 186...

Страница 8: ...LoopbackInterface 249 3 86 MiscSettings 250 3 87 MulticastPolicy 251 3 88 MulticastSettings 252 3 89 NATPool 253 3 90 OSPFProcess 254 3 90 1 OSPFArea 255 3 91 Pipe 259 3 92 PipeRule 262 3 93 PPPoETun...

Страница 9: ...StateSettings 304 3 124 TCPSettings 305 3 125 ThresholdRule 307 3 125 1 ThresholdAction 307 3 126 UpdateCenter 309 3 127 UserAuthRule 310 3 128 VLAN 313 3 129 VLANSettings 315 3 130 VoIPProfile 316 3...

Страница 10: ...12 Show a range of rules 78 2 13 Interface ping test between all interfaces 79 2 14 Interface ping test between interfaces if1 and if2 80 2 15 Start 30 min burn in testing RAM storage media and crypt...

Страница 11: ...s Used for specifying that more than one value can be specified for the option Example 1 Command option notation One of the usages for the help command looks like this help category COMMANDS TYPES Top...

Страница 12: ...100 gw world routes flushl3cache Because the table name option is followed by ellipses it is possible to specify more than one routing table Since table name is optional as well the user can specify...

Страница 13: ...nd line interface for NetDefendOS The CLI is case sensitive However the tab completion feature of the CLI does not require the correct case to perform completion and will alter the typed case if it is...

Страница 14: ...vate gw world activate h Full help for activate gw world help activate Help for the arp command Arp is also the name of a configuration object type so it is necessary to specify that the help text for...

Страница 15: ...one page of information is shown Ctrl D or Delete Delete the character to the right of the cursor Ctrl E or End Move the cursor to the end of the line Ctrl F or Right Arrow Move the cursor one charac...

Страница 16: ...evious command lines up arrow for older command lines and down arrow to move back to a newer command line See also Section 2 4 3 history Example 1 3 Command line history Using the command line history...

Страница 17: ...4a tab gw world add Address IP4Address Address was autocompleted gw world add Address IP4Address example_ip a tab gw world add Address IP4Address example_ip Address Address was autocompleted gw world...

Страница 18: ...rs ip1 ip2 ip3 ip5 gw world set IP4Group examplegroup Members tab gw world set IP4Group examplegroup Members ip1 ip2 ip3 ip5 the value was inserted It is now possible to add or remove a member to the...

Страница 19: ...Accessing an IP4Address object without the use of categories gw world show IP4Address example_ip Chapter 1 Introduction 19...

Страница 20: ...commands and options cannot be used unless the logged in user has administrator privileges This is indicated in this guide by a note following the command or Admin only written next to an option Chapt...

Страница 21: ...Chapter 1 Introduction 21...

Страница 22: ...nges This will issue a reconfiguration using the new configuration If the reconfiguration is successful a commit command must be issued within the configured timeout interval in order to save the chan...

Страница 23: ...new object Add objects with an identifier property not index gw world add Address IP4Address example_ip Address 1 2 3 4 Comments This is an example gw world add IP4Address example_ip2 Address 2 3 4 5...

Страница 24: ...e g User objects lie in a sub context or child context of the root in this case in a LocalUserDatabase In order to add or modify users you have to be in the correct context e g a LocalUserDatabase ca...

Страница 25: ...scription Save the new configuration to media This command can only be issued after a successful activate command Usage commit Note Requires Administrator privileges 2 1 6 delete Delete specified obje...

Страница 26: ...cts or has children Category Category that groups object types Identifier The property that identifies the configuration object May not be applicable depending on the specified Type Type Type of confi...

Страница 27: ...ndividual objects gw world set Address IP4Address example_ip Comments This comment will be rejected gw world reject Address IP4Address example_ip gw world add Address IP4Address example_ip2 Address 1...

Страница 28: ...ration object May not be applicable depending on the specified Type Type Type of configuration object to perform operation on Note Requires Administrator privileges 2 1 9 reset Reset unit configuratio...

Страница 29: ...2 5 Set property values Set properties for objects that have an identifier property gw world set Address IP4Address example_ip Address 1 2 3 4 Comments This is an example gw world set IP4Address examp...

Страница 30: ...w what objects have been changed or have errors in the configuration When showing a table of all objects of a certain type the status of each object since the last time the configuration was committed...

Страница 31: ...ed references Show an object or list a type or category show errors verbose Show all errors show changes Show all changes Options changes Show all changes in the current configuration disabled Show di...

Страница 32: ...emove the error in examplerule gw world set IPRule examplerule SourceNetwork examplenet gw world delete Address IP4Address examplenet force gw world undelete Address IP4Address examplenet Usage undele...

Страница 33: ...rrently active alarms Usage alarm history active Options active Show the currently active alarms history Show the 20 latest alarms 2 2 3 appcontrol Show application control status Description Browse t...

Страница 34: ...g families tags risks and a matching expression for the applications names Options application String Exact application name delete_lists ALL Integer Free saved Strings family String Application famil...

Страница 35: ...ion on hash table health hw pattern Show only hardware addresses matching pattern hwsender Ethernet Address Sender ethernet address ip pattern Show only IP addresses matching pattern notify ip Send gr...

Страница 36: ...ame Note Requires Administrator privileges 2 2 6 ats Show active ARP Transaction States Description Show active ARP Transaction States Usage ats num n Options num n Limit list to n entries Default 20...

Страница 37: ...ion with the Agent and attempst to reconnect Admin only version Show protocol version ALL AuthAgent Authentication Agent name 2 2 8 authagentsnoop Toggle snooping and displaying of Authentication Agen...

Страница 38: ...s on the black and white list Note Static blacklist hosts cannot be unblocked If force is not specified only the exact host with the service protocol port and destiny specified is unblocked Example 2...

Страница 39: ...r the host that matches to options info Show detailed information listtime Show time in list for dynamic hosts num ALL Integer Maximum number of entries to show default 20 port port number Number of t...

Страница 40: ...w information about the CAM table s and their entries Usage cam num n Show CAM table information cam Interface num n Show interface specified CAM table information cam Interface flush Flush CAM table...

Страница 41: ...ormation 2 2 14 cfglog Display configuration log Description Display the log of the last configuration read attempt Usage cfglog 2 2 15 connections List current state tracked connections Description L...

Страница 42: ...erface Filter on destination interface destip ip address Filter on destination IP address destport port Filter on TCP UDP destination port ipver IPV6 IPV4 Filter on IP version num n Limit list to n co...

Страница 43: ...nformation about crypto accelerators Description Show information about installed crypto accelerators Usage cryptostat hashinfo Options hashinfo Show information about the hardware fastpath hash 2 2 1...

Страница 44: ...and forward flush Flush all diagnose entries to disk Admin only onlyhigh Only show entries with severity high Admin only 2 2 21 dhcp Display information about DHCP enabled interfaces or modify update...

Страница 45: ...e currently relayed DHCP sessions dhcprelay show num ALL Integer rules routes display filter Show DHCP BOOTP relayer ruleset dhcprelay release ip address interface Interface Terminate relayed session...

Страница 46: ...LACKLIST Release a specific types of IPs dhcpserver releaseip Interface IP address Release an active IP Options fromentry Integer Show entry list from offset n leases Show DHCP server leases mappings...

Страница 47: ...face lease Options lease RENEW RELEASE Modify interface lease list List all DHCPv6 enabled interfaces show Show information about DHCPv6 enabled interface interface DHCPv6 Interface 2 2 25 dhcpv6serve...

Страница 48: ...rver rules show Show ruleset display filter Display filters for leases based on interface mac ip eg if1 2001 DB8 interface Interface IPv6 address IPv6 address 2 2 26 dns DNS client and queries Descrip...

Страница 49: ...2 2 27 dnsbl DNSBL Description Show status of DNSBL Usage dnsbl show SMTP ALG clean Options clean Clear DNSBL statistics for ALG show Show DNSBL statistics for ALG SMTP ALG Name of SMTP ALG 2 2 28 dy...

Страница 50: ...e detailed information can optionally be obtained for specific reassemblies NEW Newest reassembly ALL All reassemblies 0 1023 Assembly N Example 2 9 frags frags NEW frags 254 Usage frags NEW ALL reass...

Страница 51: ...ctive deactivate Go inactive 2 2 31 hostmon Show Host Monitor statistics Description Show active Host Monitor sessions Usage hostmon verbose num n Options num n Limit list to n entries Default 20 verb...

Страница 52: ...20 override List hosts that have overridden the wcf filter server STATUS CONNECT DISCONNECT Web Content Filtering Server options Default status show Show Web Content Filtering cache data url String Li...

Страница 53: ...mits 2 2 35 idppipes Show and remove hosts that are piped by IDP Description Show list of currently piped hosts Usage idppipes List all idppipes idppipes show host ip addr Lists hosts for which new co...

Страница 54: ...erfaces maclist Show MAC addresses for all interfaces num n Limit list to n lines Default 20 pbr table name Only list members of given PBR table s restart Stop and restart the interface Admin only snm...

Страница 55: ...sage Options join Simulate an incoming IGMP join message leave Simulate an incoming IGMP leave message query Simulate an incoming IGMP query message state Show the current IGMP state host address Host...

Страница 56: ...that has been sent to the other cluster member when this node was active and receive statistics show how many packets failures it got as inactive ike Show current IKE SAs Options brief Show only heade...

Страница 57: ...nooping Description Turn IKE on screen snooping on off Useful for troubleshooting IPsec connections Usage ikesnoop Show IKE snooping status ikesnoop on ip address verbose Enable IKE snooping ikesnoop...

Страница 58: ...P pool information Options all Free or renew all IP addresses num n Limit list to n entries Default 100 release Forcibly free IP assigned to subsystem Admin only renew Try to renew IP leases through D...

Страница 59: ...how SA information srcif Interface Interface used to reach the remote endpoint stat Show IPsec statistics usage Show detailed SA statistics information verbose Show verbose information IPsecTunnel IPs...

Страница 60: ...eases 2 2 45 ipsechastat Show statistics about HA synchronization for IPsec Description Shows statistics about IKE IPsec SAs synchronized and how many that failed to import Sent statistics shows how m...

Страница 61: ...to show default 40 8 usage Show detailed SA statistics information verbose Show verbose information tunnel Only show SAs matching pattern Deprecated 2014 05 27 Replaced by command ipsec show Deprecat...

Страница 62: ...iption Kill all IPsec and IKE SAs associated with a given remote IKE peer IP or optional all SA s in the system IKE delete messages are sent Usage killsa ip address iface interface Delete SAs belongin...

Страница 63: ...tate ALL ACTIVE LISTENING child num Integer List L2TP sessions l2tp l2tpv3client L2TPv3 Client l2tpclient PPTP L2TP Client state ALL ACTIVE LISTENING child num Integer List L2TP sessions Options child...

Страница 64: ...2 2 51 ldap LDAP information Description Status and statistics for the configured LDAP databases Usage ldap List all LDAP databases ldap list List all LDAP databases ldap show LDAP Server Show LDAP da...

Страница 65: ...w Show the contents of the current license Options show Show current status and credentials 2 2 53 linkmon Display link montitoring statistics Description If link monitor hosts have been configured li...

Страница 66: ...management state e g full TCP stack interception Compared to the ordinary HTTP ALG the LW HTTP inspector provides better throughput performance without affecting network security Usage lwhttp 2 2 56 m...

Страница 67: ...IP4 Address Translated IP pool name NAT Pool name 2 2 59 nd Show Neighbor Discovery entries for given interface Description List the Neighbor Discovery cache entries of specified interfaces If no int...

Страница 68: ...on hash table health hw pattern Show only hardware addresses matching pattern ip pattern Show only IP addresses matching pattern num n Show only the first n entries per interface Default 20 query ip...

Страница 69: ...ministrator privileges 2 2 61 netobjects Show runtime values of network objects Description Displays named network objects and their contents Example 2 10 List network objects which have names contain...

Страница 70: ...A ALT process OSPF Router Process Show the internal OSPF process routingtable ospf database verbose process OSPF Router Process Show the LSA database ospf lsa lsaID process OSPF Router Process Show de...

Страница 71: ...ooting messages on the console Admin only verbose Increase amount of information to display interface OSPF enabled interface interface OSPF enabled interface lsaID LSA ID OSPF Area OSPF Area OSPF Neig...

Страница 72: ...of packets to capture destport 0 65535 Destination TCP UDP port filter eth Ethernet Address Ethernet address filter ethdest Ethernet Address Ethernet destination address filter ethsrc Ethernet Address...

Страница 73: ...ipe Remove all captured packets from memory write Write the captured packets to disk interface s Name of interface s Note Requires Administrator privileges 2 2 64 pipes Show pipes information Descript...

Страница 74: ...List PPTP sessions pptp pptpclient PPTP L2TP Client state ALL ACTIVE LISTENING CHILDONLY child num Integer List PPTP sessions Options child Include child sessions num Integer Number of entries to list...

Страница 75: ...num Integer Number of entries to list services List all services attached to PPTP ALG sessions List all session using a PPTP tunnel verbose Verbose output PPTP ALG PPTP ALG 2 2 67 reconfigure Initiate...

Страница 76: ...s Rekey IPsec SAs rekeysa ip address Rekey IPsec SAs Options ike Rekey IKE SAs ipsec Rekey IPsec SAs ip address IP address of remote peer Note Requires Administrator privileges 2 2 69 route Alias for...

Страница 77: ...f the routing tables O Learned via OSPF X Route is Disabled M Route is Monitored A Published via Proxy ARP D Dynamic from e g DHCP relay IPsec L2TP PPP servers etc H HA synced from cluster peer Usage...

Страница 78: ...objects that have an associated real time monitor alert are displayed Example 2 11 Show all monitored objects in the alg http category gw world rtmonitor alg http m Usage rtmonitor filter terse monito...

Страница 79: ...disrupted during the test s The outcome of the throughput crypto accelerator tests are dependent on configuration values If the number of large buffers LocalReassSettings LocalReass_NumLarge too low i...

Страница 80: ...e interfaces selftest ping interfaces Interface Run a ping test over the interfaces selftest throughput interfaces Interface Run a throughput test over the interfaces selftest traffic interfaces Inter...

Страница 81: ...tes Default 0 num Integer Number of times to execute the test Default 1 ping Run a ping test over the interfaces size Integer Size of media space to utilize in the test Set in MB Default 1 throughput...

Страница 82: ...ts subsystem Session does not use timeout Usage sessionmanager Show Session Manager status sessionmanager status Show Session Manager status sessionmanager list num n List active sessions sessionmanag...

Страница 83: ...abase Name of user database IP Address IP address message text Message to send session name Name of session LOCAL SSH NETCON HTTP HTTPS Session type 2 2 77 settings Show settings Description Show the...

Страница 84: ...SIP ALG Description List running SIP ALG configurations SIP registration and call information The flags option with snoop allows any combination of the following values 0x00000001 GENERAL 0x00000002 E...

Страница 85: ...Show running ALG configuration parameters sipalg registration SHOW FLUSH alg Show or flush current registration table sipalg calls alg Show active calls table sipalg session alg Show active SIP sessi...

Страница 86: ...Show or flush SIP counters Default show alg SIP ALG name alg SIP ALG name ipaddr IP Address to snoop 2 2 80 smtp List SMTP LogReceiver sessions and send test mail Description List SMTP sessions for c...

Страница 87: ...s sshserver status verbose Show server status and list all connected clients sshserver keygen b bits t RSA DSA Generate SSH Server private keys sshserver restart ssh server Restart SSH Server Options...

Страница 88: ...Options num n Limit display to n entries Default 20 2 2 83 stats Display various general firewall statistics Description Display general information about the firewall such as uptime CPU load resourc...

Страница 89: ...ort 2 2 86 time Display current system time Description Display set the system date and time Usage time Display current system time time verbose Display current system time time set date time Set syst...

Страница 90: ...Description Displays the contents of the user authentication ruleset Example 2 17 Show a range of rules uarules v 1 2 4 5 Usage uarules verbose Integer Range Options verbose Verbose output Integer Ra...

Страница 91: ...VIRUS IDP ALL Show update status and database information Admin only Default all update ANTIVIRUS IDP ALL Force an update now for the specified service Admin only Default all verbose Show verbose stat...

Страница 92: ...dmin only user Show all information for user s with this IP address verbose List all blocked users history Interface Interface user ip IP address for user s 2 2 90 vlan Show information about VLAN Des...

Страница 93: ...p address blockenet ethernet address eraseip ip address eraseenet ethernet address status show Options blockenet ethernet address Block the specified ethernet address blockip ip address Block the spec...

Страница 94: ...lay current active Geolocation Filters num n List n entries Default 20 query Resolve domain name status Display status for GeoIP database IPAddress IP address to resolve 2 3 2 ping Ping host Descripti...

Страница 95: ...et through the rule set simulating that the packet was received by srcif srcip ip address Use this source IP tcp Send TCP ping tos 0 255 Type of service udp Send UDP ping verbose Verbose more informat...

Страница 96: ...s fast as possible may look like Denial of Service attack noresolve Disable reverse DNS lookup of hosts pbr table Route using PBR Table size Integer Packet data size Default 32 srcip ip address Use th...

Страница 97: ...ject types The fastest way to get help is to simply type help followed by the topic that you want help with A topic can be for example a command name e g set or the name of a configuration object type...

Страница 98: ...me logs MemLog searching will only be functioning if a LogReceiverMemory object has been configured Since the system log rate may be high displaying real time logs must be done with some caution For t...

Страница 99: ...tring logid Integer event String action NONE DROP ALLOW BLOCK REJECT String severity EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFO DEBUG starttime DateTime endtime DateTime pattern String srcip I...

Страница 100: ...gs sec Only applicable for real time logs severity EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFO DEBUG Log severity to filter on Equal or higher severity matches source MEMLOG REALTIME BOTH Log s...

Страница 101: ...icate cer user sgw ip certificate certificate_name scp certificate key user sgw ip certificate certificate_name Example 2 27 Upload ssh public key data scp sshkey pub user sgw ip sshclientkey sshclien...

Страница 102: ...ipt show all name Name Show script in console window script store all name Name Store a script to persistent storage script remove all name Name Remove script script List script files Options all Appl...

Страница 103: ...he configuration object May not be applicable depending on the specified Type Parameters List of input arguments Type Type of configuration object to perform operation on Note Requires Administrator p...

Страница 104: ...Chapter 2 Command Reference 104...

Страница 105: ...et page 128 ARPND page 130 ARPNDSettings page 131 AuthAgent page 134 AuthenticationSettings page 135 BlacklistWhiteHost page 136 Certificate page 137 COMPortDevice page 138 ConfigModePool page 139 Con...

Страница 106: ...lientPeanutHull page 166 EmailControlProfile page 167 Ethernet page 171 EthernetDevice page 173 EthernetSettings page 174 EventReceiverSNMP2c page 176 FileControlPolicy page 177 FragSettings page 178...

Страница 107: ...nt page 227 L2TPServer page 229 L2TPServerSettings page 231 L2TPv3Client page 232 L2TPv3Server page 234 LDAPDatabase page 235 LDAPServer page 236 LengthLimSettings page 237 LinkAggregation page 238 Li...

Страница 108: ...page 273 RemoteMgmtSettings page 274 RemoteMgmtSNMP page 276 RemoteMgmtSSH page 277 RouteBalancingInstance page 279 RouteBalancingSpilloverSettings page 280 RouterAdvertisement page 281 RoutingRule pa...

Страница 109: ...block specific source IP addresses on a specific interface Properties Index The index of the object starting at 1 Identifier Name Specifies a symbolic name for the object Action Accept Expect or Drop...

Страница 110: ...te If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list Chapter 3 Configuration Reference 11...

Страница 111: ...fies a symbolic name for the network object Identifier Address FQDN e g www example com ActiveAddress The IP addresses resolved from the name server Optional Comments Text describing the current objec...

Страница 112: ...d for combining several Ethernet Address objects for simplified management Properties Name Specifies a symbolic name for the network object Identifier Members Group members Comments Text describing th...

Страница 113: ...dress The dynamically set address used by e g DHCP enabled Ethernet interfaces Optional UserAuthGroups Groups and user names that belong to this object Objects that filter on credentials can only be u...

Страница 114: ...object Identifier Address An IP address with one instance for each node in the high availability cluster UserAuthGroups Groups and user names that belong to this object Objects that filter on credent...

Страница 115: ...ame as in Section 3 2 1 9 IP4HAAddress 3 2 7 IP6Address The definitions here are the same as in Section 3 2 1 6 IP6Address 3 2 8 IP6Group The definitions here are the same as in Section 3 2 1 5 IP6Gro...

Страница 116: ...e format HH MM For example 13 30 EndTime End Time of occurence in the format HH MM For example 14 15 Occurrence Specify type of occurrence Default Weekly Weekly Specifies days in week the schedule occ...

Страница 117: ...andRate Maximum number of commands per second Default 20 Allow8BitStrings Allow 8 bit strings in control channel Default Yes AllowResumeTransfer Allow RESUME even in case of content scanning Default N...

Страница 118: ...multimedia traffic Properties Name Specifies a symbolic name for the ALG Identifier AllowTCPDataChannels Allow TCP data channels T 120 Default Yes MaxTCPDataChannels Maximum number of TCP data channe...

Страница 119: ...s Disabled Audit or Protect Default Disabled ScanExclude List of files to exclude from antivirus scanning Optional CompressionRatio A compression ratio higher than this value will trigger the action i...

Страница 120: ...Default Blacklist URL Specifies the URL to blacklist or whitelist Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object...

Страница 121: ...Default Drop AllowEncryptedZip Allow encrypted zip files even though the contents can not be scanned Default No MaxArchiveDepth The maximum number of archive layers that the antivirus engine will ext...

Страница 122: ...um number of TCP data channels per call Default 5 Comments Text describing the current object Optional 3 4 7 ALG_SMTP Description Use an SMTP Application Layer Gateway to manage SMTP traffic through t...

Страница 123: ...o MaxArchiveDepth The maximum number of archive layers that the antivirus engine will extract Default 5 ZDEnabled Enable ZoneDefense Block Default No ZDNetwork Hosts within this network will be blocke...

Страница 124: ...en creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list 3 4 8 ALG_TFTP Description Use an TFTP Application Layer Gateway t...

Страница 125: ...Description TLS Alg Properties Name Specifies a symbolic name for the ALG Identifier HostCert Specifies the host certificate RootCert Specifies the root certificates Optional Comments Text describing...

Страница 126: ...gger the action in Compression Ratio Action a value of zero will disable all compression checks Default 20 CompressionRatioAction The action to take when high compression threshold is violated all act...

Страница 127: ...classifiedBytes Maximum number of bytes transfered in one direction on a connection before the application will be forced to unknown Default 7500 RestartOnFatalFailure Restart the device automatically...

Страница 128: ...axUnclassifiedBytes Maximum number of bytes transfered in one direction on a connection before the application will be forced to unknown Default 7500 StrictHTTP Handle plain http more strictly to avoi...

Страница 129: ...he packets before sent into a pipe Default FromPipe FixedPrecedence Specifies the fixed precedence Comments Text describing the current object Optional Note If no Index is specified when creating an i...

Страница 130: ...he interface the address shall be published on IP The IP address to be published or statically bound to a hardware address MACAddress The hardware address associated with the IP address Default 00 00...

Страница 131: ...be changed Default DropLog ARPExpire Lifetime of an ARP entry in seconds Default 900 ARPExpireUnknown Lifetime of an unknown ARP entry in seconds Default 3 ARPMulticast ARP packets claiming to be mul...

Страница 132: ...giving up address resolution Default 3 NDMaxUnicastSolicit Number of Neighbor Solicitations before giving up a zombie during dead peer detection Default 3 NDBaseReachableTime Multiple of randomized t...

Страница 133: ...Default 64 RALinkMTU The value to be placed in MTU options sent A value of zero indicates that no MTU options are sent Default 0 Default 0 RAValidLifetime The value to be placed in the Valid Lifetime...

Страница 134: ...ult auth_agent_psk LogEnabled Enable logging Default Yes LogSeverity Specifies with what severity log events will be sent to the specified log receivers Default Default RoutingTable Specifies the rout...

Страница 135: ...Specific attribute to the RADIUS server at Accounting Request messages Default No VendorSpecificAttributeAuthentication Enable sending Vendor Specific attribute to the RADIUS server at Access Request...

Страница 136: ...hitelisted Service Specifies the service that will be whitelisted Schedule The schedule when the whitelist should be active Optional Comments Text describing the current object Optional Note If no Ind...

Страница 137: ...cifies whether to check CRLs Certificate Revocation Lists when validating certificates Default Enforced CRLDistPointList Specifies the CRL distribution points to use when validating the certificate it...

Страница 138: ...LI Properties Port Port Identifier BitsPerSecond Bits per second Default 9600 DataBits Data bits Default 8 Parity Parity Default None StopBits Stop bits Default 1 FlowControl Flow control Default None...

Страница 139: ...IPPoolNetmask Specifies the netmask to assign to VPN clients DNS Specifies the IP address of a DNS server that a VPN client should be able to connect to Optional NBNSIP Specifies the IP address of a N...

Страница 140: ...fault 80 ConnLife_UDP Connection idle lifetime for UDP Default 130 AllowBothSidesToKeepConnAlive_UDP Allow both sides to keep a UDP connection alive Default No ConnLife_Ping Connection timeout for Pin...

Страница 141: ...stribution point list Identifier Comments Text describing the current object Optional 3 17 1 CRLDistPoint Description A CRL distribution point CDP specifies a location from where a certificate revocat...

Страница 142: ...f month daylight saving time ends Default 1 TimeSynchronization Enable time synchronization Default Disable TimeSyncServerType Type of server for time synchronization UDPTime or SNTP Simple Network Ti...

Страница 143: ...Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type Chapter 3 Configuration Reference 143...

Страница 144: ...as well as an abstract any interface Properties Name Specifies a symbolic name for the interface Identifier SNMPIndex Interface index assigned by the system when persistent interface indexes are enab...

Страница 145: ...ConfigSession Session type used when the current configuration was committed Default BaseConfiguration ConfigIP IP address of the user who committed the current configuration Optional ConfigDate Date...

Страница 146: ...e interfaces where a route is added Optional AddRouteGatewayIP The IP used as gateway to reach hosts on this route Optional RoutingTable Specifies the routing table the clients host route should be ad...

Страница 147: ...ogSeverity Specifies with what severity log events will be sent to the specified log receivers Default Default Comments Text describing the current object Optional Chapter 3 Configuration Reference 14...

Страница 148: ...elays will not be relayed Default 5 MaxLeaseTime Maximum lease time seconds allowed from the DHCP server too high times will be lowered silently Default 10000 MaxAutoRoutes Maximum number of DHCP clie...

Страница 149: ...ault gateway If unspecified or if 0 0 0 0 is specified the IP given to the client will be sent as gateway Optional Domain Domain name used for DNS resolution Optional LeaseTime The time in seconds tha...

Страница 150: ...tIdent The client identifier for the host Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in th...

Страница 151: ...te If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list Chapter 3 Configuration Reference 15...

Страница 152: ...the lease database to disk Default ReconfShut AutoSaveLeaseInterval Seconds between auto saving the lease database to disk Default 86400 Note This object type does not have an identifier and is identi...

Страница 153: ...more and should acquire a new one Default 86400 PreferredLeaseTime The length of time in seconds that an address should be preferred to be used in new communications When expired unless renewed the a...

Страница 154: ...Server host entry Properties Host IPv6 Address of the host MACAddress The hardware address of the host Comments Text describing the current object Optional Note If no Index is specified when creating...

Страница 155: ...g the lease database to disk Default ReconfShut AutoSaveLeaseInterval Seconds between auto saving the lease database to disk Default 86400 Note This object type does not have an identifier and is iden...

Страница 156: ...sent to D Link Default Yes IncludeUsageStatistics Include usage statistics e g CPU load connection count and memory usage to manufacturer The information will improve the quality of future products a...

Страница 157: ...secondary IPv6 DNS Server Optional IP6DNSServer3 IP of the tertiary IPv6 DNS Server Optional MinTTL Overrides lower TTLs received from the DNS server when used in DNS cache Default 1 MinCacheTime Det...

Страница 158: ...atch Optional DestinationNetworkExactly Specifies if the route needs to match a specific network exactly Optional DestinationNetworkIn Specifies if the route just needs to be within a specific network...

Страница 159: ...and maximum value if a route has a higher or lower value then specified it will be set to the specified value Optional SetForward IP to route over Optional Comments Text describing the current object...

Страница 160: ...ied value Optional ProxyARPAllInterfaces Always select all interfaces including new ones for publishing routes via Proxy ARP Default No ProxyARPInterfaces Specifies the interfaces on which the firewal...

Страница 161: ...ame Username Password The password for the specified username Optional Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the obj...

Страница 162: ...linkddns com suffix Username Username Password The password for the specified username Optional Comments Text describing the current object Optional Note If no Index is specified when creating an inst...

Страница 163: ...ng the dlinkddns com suffix Username Username Password The password for the specified username Optional Comments Text describing the current object Optional Note If no Index is specified when creating...

Страница 164: ...the dyndns org suffix Username Username Password The password for the specified username Optional Comments Text describing the current object Optional Note If no Index is specified when creating an i...

Страница 165: ...the dyns cx suffix Username Username Password The password for the specified username Optional Comments Text describing the current object Optional Note If no Index is specified when creating an inst...

Страница 166: ...NS names separated by Username Username Password The password for the specified username Optional Comments Text describing the current object Optional Note If no Index is specified when creating an in...

Страница 167: ...lds Default Yes DomainVerification Use DNS to verify reply to domains in emails If a domain appears to be forged the configured score value is added to the total score for that email Default Yes Domai...

Страница 168: ...acklisting using an external database If the sender s IP address is blacklisted the configured score value is added to the total score for that email Default No DNSBL8 IP address blacklisting using an...

Страница 169: ...BlacklistTag For IMAP and POP3 custom text string to tag subject of blacklisted emails For SMTP this has no effect blacklisted messages are rejected instead Default BLACK LISTED IMAP_HideUser Prevent...

Страница 170: ...roperties Action A blacklisted message is treated as spam A whitelisted message will bypass all other anti spam mechanisms Default Blacklist SrcType Source can either be an IP address or an email addr...

Страница 171: ...nnected network Optional EnableIPv6 Enable processing of IPv6 traffic on this interface Default No IPv6IP The IP address of the interface IPv6Network The network of the interface IPv6DefaultGateway Th...

Страница 172: ...utomatically add a route for this interface using the given network Default Yes AutoDefaultGatewayRoute Automatically add a default route for this interface using the given default gateway Default Yes...

Страница 173: ...the Ethernet adapter PCIPort Some Ethernet adapters have multiple ports that share the same bus and slot number This parameter specifies what port to be used Media Specifies if the link speed should...

Страница 174: ...er interface Default 256 Ringsize_r8169_rx Size of r8169 receive ring per interface Default 256 Ringsize_r8169_tx Size of r8169 send ring per interface Default 256 IfaceMon_e1000 Enable interface moni...

Страница 175: ...Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type Chapter 3 Configuration Reference 175...

Страница 176: ...outing table the clients host route should be added to Default main Comments Text describing the current object Optional 3 40 1 LogReceiverMessageException Description A log message exception is used...

Страница 177: ...s a symbolic name for the Profile Identifier FileListType Specifies if the file list contains files to allow or deny Default Block FailModeBehavior Standard behaviour on error Allow or Deny Default De...

Страница 178: ...opLog MinimumFragLength Minimum allowed length of non last fragments Default 8 ReassTimeout Timeout of a reassembly since previous received fragment Default 65 ReassTimeLimit Maximum lifetime of a rea...

Страница 179: ...fault 65 IP6ReassTimeLimit Maximum lifetime of a reassembly since first received fragment Default 90 IP6ReassDoneLinger How long to remember a completed reassembly watching for old dups Default 20 IP6...

Страница 180: ...rule Identifier MatchPrivate Specify if filter should match private networks 10 0 0 0 8 172 16 0 0 12 192 168 0 0 16 fd00 8 Default No MatchUnknown Specify if filter should match unclassified networks...

Страница 181: ...e compared to the received packet DestinationNetwork Specifies the span of IP addresses to be compared to the destination IP of the received packet Service Specifies a service that will be used as a f...

Страница 182: ...iginator IP address to use as source IP in e g NAT Metric Specifies the metric for the auto created route Default 90 AutoInterfaceNetworkRoute Automatically add a route for this interface using the gi...

Страница 183: ...e sync packets to send in a burst Default 20 HAInitialSilence The number of seconds to stay silent on startup or after reconfiguration Default 5 UseUniqueSharedMac Use a unique shared mac address for...

Страница 184: ...pressionForbidden HTML for the CompressionForbidden html web page ContentForbidden HTML for the ContentForbidden html web page URLForbidden HTML for the URLForbidden html web page RestrictedSiteNotice...

Страница 185: ...html web page LoginAlreadyDone HTML for the LoginAlreadyDone html web page LoginChallenge HTML for the LoginChallenge html web page LoginChallengeTimeout HTML for the LoginChallenge html Timeout web p...

Страница 186: ...elay in seconds until the URL is refetched Default 1200 AlwaysRepost Repost on each reconfiguration Default No PostValues HTTP POST the values Default No Comments Text describing the current object Op...

Страница 187: ...ndex MinLimit Lower limit Optional MaxLimit Upper limit Optional EnableMonitoring Enable disable monitoring Default No Comments Text describing the current object Optional Note If no Index is specifie...

Страница 188: ...ch poll result that is in the Alert Critical or Warning level or should a log message only be sent when a new level is reached Default No MemoryAlertLevel Alert log message if free memory is below thi...

Страница 189: ...arding statefully tracked open connections Default Yes ICMP6MaxOptND Total number of options allowed per ICMP6 ND header Default 32 ICMP6NDOnMaxOptND Validate the number of options per extension heade...

Страница 190: ...ject Identifier Type IP DNS E Mail or Distinguished name IP IP address Hostname Host name CommonName Common name of the owner of the certificate Optional OrganizationName Organization name of the owne...

Страница 191: ...ervice Specifies a service that will be used as a filter parameter when matching traffic with this rule Schedule By adding a schedule to a rule the firewall will only allow that rule to trigger at tho...

Страница 192: ...xisting connection Default No PipeLimit Specifies the bandwidth limit in kbps for hosts triggered by this action PipeNetwork Traffic shaping will only apply to hosts that are within this network Defau...

Страница 193: ...ceived packet MulticastSource Specifies the multicast source to be compared to the received packet RelayInterface Specifies the interface via which to relay IGMP messages TranslateMGroup Translate the...

Страница 194: ...te If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list Chapter 3 Configuration Reference 19...

Страница 195: ...25000 QueryResponseInterval The maximum time until a host client has to send an answer to a query Default 10000 LastMemberQueryInterval The maximum time until a host client has to send an answer to a...

Страница 196: ...he Blowfish preferred key size in bits Default 128 BlowfishMaxKeySize Specifies the maximum Blowfish key size in bits Default 448 TwofishMinKeySize Specifies the minimum Twofish key size in bits Defau...

Страница 197: ...XCBCEnabled Enable AES XCBC integrity algorithm Default No Comments Text describing the current object Optional Chapter 3 Configuration Reference 197...

Страница 198: ...ifies if the interfaces should be considered security equivalent that means that if enabled the interface group can be used as a destination interface in rules where connections might need to be moved...

Страница 199: ...ckets Metric Specifies the metric for the auto created route Default 90 AutoInterfaceNetworkRoute Automatically add a route for this interface using the given remote network Default Yes MTU Specify th...

Страница 200: ...P Specifies base address for sender address SourceNATPool Specifies NAT Pool to fetch sender address to be used SourcePortAction Specify method to determine which port action to use Default None Sourc...

Страница 201: ...network will be blocked at switches if a virus is found WebControl Web Control Default No Web_Policy Selects preconfigured Web Profile FileControl File Control Default No FC_Mode File Control mode De...

Страница 202: ...Transfer Allow RESUME even in case of content scanning Default No TFTPControl Enables TFTP protocol specific settings Default No TFTPAllowedCommands Specifies allowed commands Default ReadWrite TFTPRe...

Страница 203: ...country filter to be compared against the sender Geolocation of the received packet Optional DestinationGeoFilter Specifies the country filter to be compared against the destination Geolocation of the...

Страница 204: ...n with the DHCP server Default main ReceiveInterface Which interface to use when communicating with the DHCP server Optional PrefetchLeases Specifies the number of leases an IP Pool will keep prefetch...

Страница 205: ...when matching traffic with this rule Schedule By adding a schedule to a rule the firewall will only allow that rule to trigger at those designated times Optional NATAction Specify sender address or Us...

Страница 206: ...efault No SLBTCPPorts Specifies the ports that will be monitored SLBTCPPollingInterval Delay in milliseconds between each TCP handshake Default 10000 SLBTCPSamples Specifies the number of attempts to...

Страница 207: ...ent Specifies how the traffic should be forwarded and translated MultiplexAllToOne Rewrite all destination IPs to a single IP Default No AppControl Application Control Default No AC_Mode Application C...

Страница 208: ...Description Server Load Balancing using Static Address Translation Allows distribution of client requests over a number of servers Properties Index The index of the object starting at 1 Identifier Nam...

Страница 209: ...CPSamples Specifies the number of attempts to use for statistical calculations Default 10 SLBTCPMaxPollFails Specifies the maximum number of failed TCP attempts until host is considered to be unreacha...

Страница 210: ...try filter to be compared against the destination Geolocation of the received packet Optional Service Specifies a service that will be used as a filter parameter when matching traffic with this rule S...

Страница 211: ...all destination IPs to a single IP Default No SourceInterface Specifies the name of the receiving interface to be compared to the received packet DestinationInterface Specifies the destination interfa...

Страница 212: ...lt Yes LogSeverity Specifies with what severity log events will be sent to the specified log receivers Default Default Comments Text describing the current object Optional Note If no Index is specifie...

Страница 213: ...to the received packet DestinationInterface Specifies the destination interface to be compared to the received packet SourceNetwork Specifies the sender span of IP addresses to be compared to the rece...

Страница 214: ...es the destination interface to be compared to the received packet SourceNetwork Specifies the sender span of IP addresses to be compared to the received packet DestinationNetwork Specifies the span o...

Страница 215: ...3 63 7 IPRule The definitions here are the same as in Section 3 62 IPRule Chapter 3 Configuration Reference 215...

Страница 216: ...3 63 2 SLBPolicy 3 64 3 MulticastPolicy The definitions here are the same as in Section 3 63 3 MulticastPolicy 3 64 4 StatelessPolicy The definitions here are the same as in Section 3 63 4 StatelessP...

Страница 217: ...size in bits Default 128 BlowfishKeySize Specifies the Blowfish preferred key size in bits Default 128 BlowfishMaxKeySize Specifies the maximum Blowfish key size in bits Default 448 TwofishMinKeySize...

Страница 218: ...12Enabled Enable SHA512 integrity algorithm Default No XCBCEnabled Enable AES XCBC integrity algorithm Default No Comments Text describing the current object Optional Chapter 3 Configuration Reference...

Страница 219: ...to use for the tunnel Optional IKEAlgorithms Specifies the IKE Proposal list used with the tunnel Default High IPsecAlgorithms Specifies the IPsec Proposal list used with the tunnel Default High IKELi...

Страница 220: ...s to use as source IP in e g NAT Default LocalInterface OriginatorIP Manually specified originator IP address to use as source IP in e g NAT OriginatorHAIP Manually specified private originator IP add...

Страница 221: ...ets in tunnel mode If unspecified the value of the inner IP header will be used instead Optional LocalEndpoint Specifies on which local address this tunnel should accept incoming IKE IPsec traffic Opt...

Страница 222: ...ll directly to the IPsec engine without consulting the ruleset Default Yes IPsecGWNameCacheTime Amount of time to keep an IPsec tunnel open when the remote DNS name fails to resolve Default 14400 DPDM...

Страница 223: ...t 3 IKEDisableDPD Disable Dead Peer Detection in IKEv2 Default No IPsecForceRequireCookie Force requirement of cookies Used for test purposes only Default No IPsecDisableCallingStationID Disable calli...

Страница 224: ...ault DropLog DefaultHopLimit The default IP Hop Limit of packets originated by the firewall 32 255 Default 255 IP6Fl Validate IPV6 Flow label header field Default Ignore IP6TC Validate IPV6 Traffic cl...

Страница 225: ...Default Yes LogOnForwardTTL0 Log any attempts of forwarding IPv4 packets with TTL 0 destined for outside the firewall this should never happen Default DropLog Log0000Src Log invalid 0 0 0 0 source add...

Страница 226: ...t specified above Default DropLog DirectedBroadcasts How to handle directed broadcasts being passed from one interface to another Default DropLog TransparentBroadcastNAT How to handle Broadcast packet...

Страница 227: ...t IP address to use as source IP in e g NAT Default LocalInterface OriginatorIP Manually specified originator IP address to use as source IP in e g NAT DNS1 IP of the primary DNS server Optional DNS2...

Страница 228: ...r the auto created route Default 90 MTU Specifies the size in bytes of the largest packet that can be passed onward Default 1456 AutoInterfaceNetworkRoute Automatically add a route for this interface...

Страница 229: ...440 Use an RC4 40 bit MPPE session key with MS CHAP or MS CHAP v2 authentication protocol Default Yes MPPERC456 Use an RC4 56 bit MPPE session key with MS CHAP or MS CHAP v2 authentication protocol De...

Страница 230: ...fRoutingTable All or Specific Default All RoutingTable Specifies the PBR table to insert the interface IP route into It also means that the specified routing table will be used for all routing lookups...

Страница 231: ...ine without consulting the ruleset Default Yes PPTPBeforeRules Pass PPTP connections sent to the firewall directly to the PPTP engine without consulting the ruleset Default Yes Note This object type d...

Страница 232: ...Use this IPsec interface to encypt the traffic to the L2TPv3 server L2TP IPsec Optional AutoRouteMetric Specifies the metric for the auto created route used by the L2TPv3 Client Default 100 HostName T...

Страница 233: ...Proxy ARP Default No ProxyARPInterfaces Specifies the interfaces on which the firewall should publish routes via Proxy ARP Optional Comments Text describing the current object Optional Chapter 3 Confi...

Страница 234: ...Server Used in the Host Name AVP Optional RouterID Router ID Used in the Router ID AVP Optional DHCPPassthrough Allow DHCP to pass through transparently Default No NonIPPassthrough Allow non IP proto...

Страница 235: ...group membership attribute used in the LDAP database Default memberOf GetGroups Retrieve group membership for users Default Yes DomainName The domain name of the server Optional CombinedUsername Combi...

Страница 236: ...rname to use when accessing the LDAP server Optional Password Specifies the password to use when accessing the LDAP server Optional Port Specifies the LDAP service port number Default 389 Comments Tex...

Страница 237: ...axAHLen IPsec AH Authenticated communication Default 2000 MaxSKIPLen SKIP Simple Key management for IP VPN protocol Default 2000 MaxOSPFLen OSPF Open Shortest Path First routing protocol Default 1480...

Страница 238: ...ong LACPSystemPriority System priority value to be sent in LACP messages Default 1 MACAddress The hardware address for the interface Optional IP The IP address of the interface Network The network of...

Страница 239: ...t No NonIPPassthrough Allow non IP protocols to pass through transparently Default No BroadcastFwd By default this traffic is dropped Default No AutoInterfaceNetworkRoute Automatically add a route for...

Страница 240: ...Comments Text describing the current object Optional Chapter 3 Configuration Reference 240...

Страница 241: ...Milliseconds between each monitor attempt Default 250 InitGracePeriod Do not allow triggering of the link monitor for this number of seconds after the last reconfiguration Default 45 RoutingTable Rou...

Страница 242: ...s Default 256 LocalReass_MaxSize Maximum size of a locally reassembled packet Default 10000 LocalReass_NumLarge Number of large 2K local reassembly buffers of the above size Default 32 Note This objec...

Страница 243: ...hentication etc Properties Name Specifies the username to add into the user database Identifier Password The password for this user Groups Specifies the user groups that this user is a member of e g A...

Страница 244: ...ifier LogSeverity Specifies with what severity log events will be sent to the specified log receivers Optional Default Emergency Alert Critical Error Warning Notice Info Comments Text describing the c...

Страница 245: ...IP address of the sending interface is used Optional XMailer Specifies a custom X Mailer email header string The X Mailer header field is typically used to identify the name and version number of the...

Страница 246: ...es with what severity log events will be sent to the specified log receivers Optional Default Emergency Alert Critical Error Warning Notice Info RoutingTable Specifies the routing table the clients ho...

Страница 247: ...e If not configured the IP address of the sending interface will be sent as hostname Optional RFC5424 Send Syslog messages according to RFC5424 Default No LogSeverity Specifies with what severity log...

Страница 248: ...PerSecLimit Limits how many log packets the firewall may send out per second Default 2000 Note This object type does not have an identifier and is identified by the name of the type only There can onl...

Страница 249: ...Automatically add a route for this virtual LAN interface using the given network Default Yes EnableIPv6 Enable processing of IPv6 traffic on this interface Default No IPv6IP IPv6 Interface address IP...

Страница 250: ...etcon etc Default DropLog WCFPerfLog Enables periodical logging of Web Contentent Filtering resolving performance Default Disabled AllowIPRules Allow using IPRules in addition to IPPolicies Default Ye...

Страница 251: ...3 87 MulticastPolicy The definitions here are the same as in Section 3 63 3 MulticastPolicy Chapter 3 Configuration Reference 251...

Страница 252: ...aximum time ms until a host client has to send an answer to a query Default 10000 IGMPStartupQueryInterval The general query interval ms to use during the startup phase default 1 4 of the IGMP Query I...

Страница 253: ...get from the IP Pool IPRange Specifies the range of IP addresses used for NAT translation StateKeepAlive The number of seconds that stateful NAT state will be kept in absence of new connections Defaul...

Страница 254: ...gy change and when it starts a SPF calculation Default 5 LSAGroupPacing This specifies the time in seconds at which interval the OSPF LSAs are collected into a group and refreshed Default 10 RoutesHol...

Страница 255: ...r authentication Optional AuthMD5ID Specifies the MD5 key ID used for MD5 digest authentication AuthMD5Key A 128 bit key used to produce the MD5 digest Optional LogEnabled Enable logging Default Yes L...

Страница 256: ...OSPF interface Optional MetricType Metric value or Bandwidth Default MetricValue Metric Specifies the routing metric for this OSPF interface Default 10 BandwidthValue Specifies the bandwidth for this...

Страница 257: ...gher than the hello interval Default 40 Passive Enable to make it possible to include networks into the OSPF routing process without running OSPF on the interface connected to that network Default No...

Страница 258: ...t connection to the backbone must have at least one area border router with a virtual link to a backbone router or to another router with a link to the backbone Properties Name Specifies a symbolic na...

Страница 259: ...imit for precedence 1 Optional LimitKbps2 Specifies the bandwidth limit in kbps for precedence 2 Optional LimitPPS2 Specifies the packet per second limit for precedence 2 Optional LimitKbps3 Specifies...

Страница 260: ...onal UserLimitKbps3 Specifies the bandwidth limit per group in kbps for precedence 3 Optional UserLimitPPS3 Specifies the throughput limit per group in PPS for precedence 3 Optional UserLimitKbps4 Spe...

Страница 261: ...this value Default 0 PrecedenceDefault Specifies the default precedence for the pipe If a packet enters this pipe without a set precedence it gets assigned this value Should be higher than or equal t...

Страница 262: ...to the destination IP of the received packet Service Specifies a service that will be used as a filter parameter when matching traffic with this rule Schedule By adding a schedule to a rule the firew...

Страница 263: ...erver service name used to distinguish between two or more PPPoE servers attached to the same network Optional PPPAuthNoAuth Allow no authentication for this tunnel Default No PPPAuthPAP Use PAP authe...

Страница 264: ...ify IP Address object Default No MTU Specifies the size in bytes of the largest packet that can be passed onward Default 1492 SNMPIndex Interface index assigned by the system when persistent interface...

Страница 265: ...al time in milliseconds to wait before sending a new configuration request if no server response is received Default 200 Note This object type does not have an identifier and is identified by the name...

Страница 266: ...ties involved Properties Name Specifies a symbolic name for the pre shared key Identifier Type Specifies the type of the shared key PSKAscii Specifies the PSK as a passphrase PSKHex Specifies the PSK...

Страница 267: ...ing server If no response has been given after for example 2 seconds the firewall will try again by sending a new AccountingRequest packet Default 2 SharedSecret The shared secret phrase for the Authe...

Страница 268: ...P address from which the system sends requests to the remote Remote RADIUS server This parameter is optional and will use IP of routed destination interface if not set Optional IdleTimeout A successfu...

Страница 269: ...t severity log events will be sent to the specified log receivers Default Default RoutingTable Specifies the routing table the clients host route should be added to Default main Comments Text describi...

Страница 270: ...S server If no response has been given after for example 2 seconds the firewall will try again by sending a new Access Request packet Default 2 SharedSecret The shared secret phrase for the Authentica...

Страница 271: ...hreshold Log if statistical value goes above this threshold Optional BackoffInterval The minimum number of seconds between consecutive log messages Default 60 Continuous If set generate event if the v...

Страница 272: ...ast LocalUserDatabase Specifies the local user database to use for login AccessLevel Optionally restrict the access level of users authenticated by the local database Default Admin RadiusServers Speci...

Страница 273: ...ent via HTTP Default No HTTPS Enable remote management via HTTPS Default No AccessLevel Restrict access level to the REST API Default ReadWrite BasicAUTH Require authentication using Basic AUTH Defaul...

Страница 274: ...affic Only RSA certificates are supported Optional HTTPSRootCertificates Specifies eventual root certificates to use for HTTPS traffic Optional SNMPBeforeRules Enable SNMP traffic to the firewall rega...

Страница 275: ...g will trigger a re numbering of all interfaces in the system Default No Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance...

Страница 276: ...version Default SNMPv1_SNMPv2c Snmp3SecurityLevel Enabled SNMPv3 security level Default noAuthNoPriv SNMPGetCommunity Specifies the name of the community to be granted rights to remotely monitor the...

Страница 277: ...algorithm Default Yes AllowAES128 Allow AES 128 encryption algorithm Default Yes AllowAES192 Allow AES 192 encryption algorithm Default Yes AllowAES256 Allow AES 256 encryption algorithm Default Yes...

Страница 278: ...sLevel Optionally restrict the access level of users authenticated by the local database Default Admin RadiusServers Specifies the authentication servers that will be used to authenticate users matchi...

Страница 279: ...make use of multiple routes to the same destination Properties RoutingTable Specify routingtable to deploy route load balancing in Identifier Algorithm Specify which algorithm to use when balancing t...

Страница 280: ...utive seconds over under the threshold limit to trigger state change for the affected routes Default 30 OutboundThreshold Outbound threshold limit Optional OutboundUnit The outbound units Default kbps...

Страница 281: ...the following formula 3 MaxRtrAdvInterval Default Yes RADefaultLifetime The value to be placed in the Router Lifetime field of Router Advertisements sent from the SGW in seconds Default 1800s Default...

Страница 282: ...value of 999999999 represents infinity Default 2592000s Default 2592000 RAPreferredLifetime The value to be placed in the Preferred Lifetime in the Prefix Information option The value of 999999999 re...

Страница 283: ...Specifies the span of IP addresses to be compared to the destination IP of the received packet SourceInterface Specifies the name of the source interface to be compared to the received packet Destinat...

Страница 284: ...CDestLearning Do L3 Cache learning based on destination IPs and MACs in combination with CAM table contents Default Yes Transp_DecrementTTL Decrement TTL on packets forwarded between transparent inter...

Страница 285: ...ackets destined for this route shall be sent through Gateway Specifies the IP address of the next router hop used to reach the destination network If the network is directly connected to the firewall...

Страница 286: ...elect all interfaces including new ones for publishing routes via Proxy ARP Default No ProxyARPInterfaces Specifies the interfaces on which the firewall should publish routes via Proxy ARP Optional Co...

Страница 287: ...ription A route defines what interface and gateway to use in order to reach a specified network Properties Name Specifies a symbolic name for the object Optional Network Specifies the network address...

Страница 288: ...a symbolic name for the object Optional Interface Specifies which interface packets destined for this route shall be sent through Network Specifies the network address for this route BroadcastFwd By...

Страница 289: ...ofile is active on Wednesdays Optional Thu Specifies during which intervals the schedule profile is active on Thursdays Optional Fri Specifies during which intervals the schedule profile is active on...

Страница 290: ...n of service objects which can then be used by different policies in the system Properties Name Specifies a symbolic name for the service Identifier Members Group members Comments Text describing the...

Страница 291: ...ch Redirect message codes should be matched Default 0 255 ParameterProblem Enable matching of Parameter Problem messages Default No ParameterProblemCodes Specifies which Parameter Problem message code...

Страница 292: ...ly used by IP Policies Optional MaxSessionsProtocol Specifies how many concurrent sessions that are permitted using this Protocol Default 200 ALG An Application Layer Gateway ALG capable of managing a...

Страница 293: ...eachable message codes should be matched Default 0 255 PacketTooBig Enable matching of Packet Too Big messages Default No PacketTooBigCodes Specifies which Packet Too Big message codes should be match...

Страница 294: ...t are permitted using this Protocol Default 200 ALG An Application Layer Gateway ALG capable of managing advanced protocols can be specified for this service Optional MaxSessions Specifies how many co...

Страница 295: ...otiate optimal packet sizes This prevents fragmentation by network equipment between the endpoints Path MTU Discovery relies on ICMP message forwarding so ICMP forwarding must also be enabled Default...

Страница 296: ...rough the system Default No EnableIPv4PathMTUDiscovery Path MTU Discovery allows communicating endpoints to negotiate optimal packet sizes This prevents fragmentation by network equipment between the...

Страница 297: ...3 117 SLBPolicy The definitions here are the same as in Section 3 63 2 SLBPolicy Chapter 3 Configuration Reference 297...

Страница 298: ...roperties Name Specifies a symbolic name for the key Identifier Type DSA or RSA Default DSA Subject Value of the Subject header tag of the public key file Optional PublicKey Specifies the public key C...

Страница 299: ...S_128_CBC_SHA1 Default Yes TLS_RSA_WITH_3DES_168_SHA1 Enable cipher RSA_WITH_3DES_168_SHA1 Default Yes TLS_RSA_WITH_RC4_128_SHA1 Enable cipher RSA_WITH_RC4_128_SHA1 Default No TLS_RSA_WITH_RC4_128_MD5...

Страница 300: ...Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type Chapter 3 Configuration Reference 300...

Страница 301: ...NS Server Optional SecondaryDNS IP of the seconday DNS Server Optional Routing Describes how the traffic from the client should be routed Default All Nets ClientRoutes Networks to be routed through th...

Страница 302: ...Pass SSL VPN connections sent to the firewall directly to the SSL VPN engine without consulting the ruleset Default Yes Note This object type does not have an identifier and is identified by the name...

Страница 303: ...3 122 StatelessPolicy The definitions here are the same as in Section 3 63 4 StatelessPolicy Chapter 3 Configuration Reference 303...

Страница 304: ...ions Log packets that violate stateful tracking rules for instance TCP connect sequences Default Yes LogConnections Log connections opening and closing Default Log LogConnectionUsage Log for every pac...

Страница 305: ...rding to MTU of involved interfaces in addition to TCP MSS max Default Yes TCPZeroUnusedACK Force unused ACK fields to zero helps prevent connection spoofing Default Yes TCPZeroUnusedURG Force unused...

Страница 306: ...with FIN normally invalid strip strip URG Default DropLog TCPUrg The TCP URG flag many operating systems cannot handle this correctly Default StripLog TCPECN The Explicit Congestion Notification ECN f...

Страница 307: ...be compared to the destination IP of the received packet Service Specifies a service that will be used as a filter parameter when matching traffic with this rule Schedule By adding a schedule to a rul...

Страница 308: ...he blacklisting Default No BlackListIgnoreEstablished Do not drop existing connection Default No LogEnabled Enable logging Default Yes LogSeverity Specifies with what severity log events will be sent...

Страница 309: ...e automatic update is run UpdateWeekday Specifies the day of week when the automatic update is run Default mon Hourly Specifies the number of hours between periodical updates UpdateHour Specifies the...

Страница 310: ...e RadiusServers Specifies the authentication servers that will be used to authenticate users matching this rule PrimaryRetryInterval How many seconds to wait before trying to use the primary server ag...

Страница 311: ...efault 1800 SessionTimeout A successfully authenticated user will be logged out automatically after this many seconds even if traffic has been received from the user s IP address Optional UseServerTim...

Страница 312: ...ccounting events should be sent Default Yes InterimValue The interval in seconds in which interim accounting events should be sent Default 600 LogEnabled Enable logging Default Yes LogSeverity Specifi...

Страница 313: ...of the virtual LAN interface Optional DHCPEnabled Enable DHCP client on this interface Default No DHCPHostName Optional DHCP Host Name Leave blank to use default name Optional DHCPDNS1 IP of the prim...

Страница 314: ...ng the given network Default Yes AutoDefaultGatewayRoute Automatically add a default route for this virtual LAN interface using the given default gateway Default Yes DHCPv6DNS1 IP of the primary IPv6...

Страница 315: ...interfaces Properties UnknownVLANTags VLAN packets tagged with an unknown ID Default DropLog Note This object type does not have an identifier and is identified by the name of the type only There can...

Страница 316: ...llow data channels to be established over TCP in addition to UDP Default Yes SIPMaxTCPDataChannels Maximum number of TCP data channels per call Default 5 H323 Enables automatic pinhole creation for H...

Страница 317: ...Comments Text describing the current object Optional Chapter 3 Configuration Reference 317...

Страница 318: ...ction to take for content that has not been classified Default Allow WCFAllowOverride Allows users to override the filter and gain access to blocked sites with a warning that their actions will be log...

Страница 319: ...cklist or whitelist Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index w...

Страница 320: ...UDP or ICMP Default All Port Specifies which UDP or TCP port to use Default 0 Schedule Specifies the schedule when the given addresses should be blocked Optional Comments Text describing the current...

Страница 321: ...old rule violations Properties Addresses Specifies the addresses that should not be blocked Optional Comments Text describing the current object Optional Note This object type does not have an identif...

Страница 322: ...es Name Specifies a symbolic name for the ZoneDefense switch Identifier SwitchModel Specifies the switch model type Default DES 3226S IP The IP address of the management interface of the switch Enable...

Страница 323: ...e manually unblocked Default Yes ContraventionTolerance The maximum number of times ZoneDefense can unblock the host Once a host exceeds this value it remains blocked until it is manually unblocked De...

Страница 324: ...Chapter 3 Configuration Reference 324...

Страница 325: ...nroute 49 E echo 97 F frags 50 G geoip 94 H ha 51 help 97 history 98 hostmon 51 httpalg 51 httpposter 52 hwm 53 I idppipes 53 ifstat 54 igmp 54 ihs 55 see also ipsechastat ike 55 ikesnoop 57 ippool 57...

Страница 326: ...ationSettings 135 B BlacklistWhiteHost 136 C Certificate 137 COMPortDevice 138 ConfigModePool 139 ConnTimeoutSettings 140 CRLDistPoint 141 CRLDistPointList 141 D DateTime 142 DefaultInterface 144 Devi...

Страница 327: ...opbackInterface 249 M MiscSettings 250 MonitoredHost 286 MulticastPolicy 211 216 251 MulticastSettings 252 N NATPool 253 O OSPFAggregate 257 OSPFArea 255 OSPFInterface 256 OSPFNeighbor 257 OSPFProcess...

Страница 328: ...V VLAN 313 VLANSettings 315 VoIPProfile 316 W WebProfile 318 Z ZoneDefenseBlock 320 ZoneDefenseExcludeList 321 ZoneDefenseSwitch 322 ZoneDefenseSwitchSettings 323 Index 328...

Отзывы:

Нет отзывов

Похожие инструкции для NetDefend DFL-260E

Бренд: Far Tools Страницы: 24

Бренд: Patton electronics Страницы: 13

Бренд: Angel Cool Страницы: 2

Бренд: IBM Страницы: 34

Бренд: Xantech Страницы: 4

E SERIES BROADBAND SERVICES ROUTERS 11.3.X - ERX MODULE GUIDE REV 27-9-2010

Бренд: Juniper Страницы: 122

Бренд: ADIC Страницы: 140

Бренд: PairGain Страницы: 80

Secure Site Manager 16

Бренд: Black Box Страницы: 16

Бренд: Planet Страницы: 54

Бренд: Xinje Страницы: 76

Бренд: Juniper Страницы: 6

Бренд: Beckhoff Страницы: 84

Бренд: Supero Страницы: 54

Бренд: Helmholz Страницы: 14

Бренд: Billion Страницы: 158

Dimension GS-2024

Бренд: ZyXEL Communications Страницы: 266

Бренд: Juniper Страницы: 9

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды