D-Link NetDefend DFL-CP310 Download user manual, page 1

D-Link NetDefend 

Internet Security Firewall 

CLI Reference Guide 

Version 1.0 
Revised: 01/17/06

NetDefend DFL-CP310 contents

Page 1: ...D-Link NetDefend Internet Security Firewall CLI Reference Guide Version 1 0 Revised 01 17 06 ...

Page 2: ...the software and 2 offer you this license which gives you legal permission to copy distribute and or modify the software Also for each author s protection and ours we want to make certain that everyone understands that there is no warranty for this free software If the software is modified by someone else and passed on we want its recipients to know that what they have is not the original so that ...

Page 3: ...valent access to copy the source code from the same place counts as distribution of the source code even though third parties are not compelled to copy the source along with the object code 4 You may not copy modify sublicense or distribute the Program except as expressly provided under this License Any attempt otherwise to copy modify sublicense or distribute the Program is void and will automati...

Page 4: ...ETY PRECAUTIONS Carefully read the Safety Instructions the Installation and Operating Procedures provided in this User s Guide before attempting to install or operate the appliance Failure to follow these instructions may result in damage to equipment and or personal injuries Before cleaning the appliance unplug the power cord Use only a soft cloth dampened with water for cleaning When installing ...

Page 5: ...3 Using the NetDefend Command Line Interface 7 General Guidelines 8 Command Line Editing 9 Running Commands 9 Using the NetDefend Portal 10 Using SSH 11 Importing CLI Scripts 13 Typical Return Values 14 Chapter 4 CLI Commands 17 Variable Operation Commands 18 add 19 clear 22 delete 25 set 28 show 30 Appliance Operation Commands 32 quit 33 reset certificate 34 reset defaults 35 reset firmware 36 Co...

Page 6: ...43 Informational Commands 44 authenticate 46 export 49 help 53 info certificate 56 info computers 59 info connections 64 info device 67 info fw 70 info logs 72 info nat 74 info net 78 info ospf 80 info ospf database 81 info ospf interface 84 info ospf neighbor 86 info ospf routes 88 info ports 90 info printers 92 info probe 94 ii D-Link NetDefend CLI Reference Guide ...

Page 7: ...fo wireless ap 112 Chapter 5 CLI Variables 115 certificate 118 clock 121 device 123 dhcp scopes 125 dialup 131 fw 134 fw rules 137 fw servers 145 ha 148 ha effect 152 ha track 154 https 156 hotspot 159 mailfilter antispam 162 mailfilter antivirus 164 mailfilter protocols 166 net dmz 168 net dmz ha 175 net dmz ospf 177 Contents iii ...

Page 8: ...n probe 210 net wan2 214 net wan2 ospf 216 net wan2 ospf md5 217 net wan2 probe 218 net wlan 219 net wlan ha 225 netobj 226 ospf 231 ospf area 234 ospf network 236 ospf redistribute 238 ospf redistribute connected 239 ospf redistribute kernel 241 port dmz 243 port lan1 port lan2 port lan3 port lan4 245 port serial 247 port wan 249 ...

Page 9: ...rtdefense ai p2p emule 288 smartdefense ai p2p gnutella 290 smartdefense ai p2p kazaa 292 smartdefense ai routing igmp 294 smartdefense network security dos flooding 296 smartdefense network security dos land 299 smartdefense network security dos ping of death 301 smartdefense network security dos teardrop 303 smartdefense network security ip icmp cisco ios 305 smartdefense network security ip icm...

Page 10: ...ecurity tcp small pmtu 329 smartdefense network security tcp strict tcp 331 smp 333 snmp 335 ssh 338 statistics 341 syslog 343 users 345 vlan 350 vlan ospf 357 vlan ospf md5 359 vpn externalserver 361 vpn internalserver 364 vpn sites 366 vpn sites ospf 378 vpn sites ospf md5 380 vstream 382 vstream archive options 385 vstream options 388 vstream policy rule 392 webfilter 400 webfilter categories 4...

Page 11: ...Contents wireless wep 416 wireless wpa 419 wireless wpapsk 421 Chapter 6 Country Codes 423 Glossary of Terms 429 Index 437 ...

Page 13: ...des both wired and wireless models The D-Link firewall based on the world leading Check Point Embedded NGX Stateful Inspection technology inspects and filters all incoming and outgoing traffic blocking all unauthorized traffic The NetDefend firewall also allows sharing your Internet connection among several PCs or other network devices enabling advanced office networking and saving the cost of pur...

Page 14: ...bles on page 115 Like CLI commands the CLI variables appear in alphabetical order However the variables are not divided into groups because a single variable may be used by more than one group of commands The following information is provided for each CLI command or variable Purpose Describes the command or variable s purpose and provides background information Effect Describes the effect of runni...

Page 15: ...rewalls For information on specific NetDefend firewall models refer to your NetDefend firewall s User Guide see Related Publications on page 4 Document Conventions and Syntax To make finding information in this manual easier some types of information are marked with special symbols or formatting Boldface type is used for button names Note Notes are denoted by indented text and preceded by the Note...

Page 16: ...Courier style in boxes This is an example of a CLI command Related Publications Use this guide in conjunction with the User Guide provided with your appliance NetDefend Secured by Check Point User Guide ...

Page 17: ...run commands using a console 1 Connect the serial console to your NetDefend firewall s serial port using an RS 232 Null modem cable 2 Log on to the NetDefend Portal For instructions refer to the User Guide 3 Click Network in the main menu and click the Ports tab The Ports page appears 4 In the RS232 drop down list select Console 5 Click Apply You can now control the NetDefend firewall from the ser...

Page 19: ... interface to run a CLI command and provides a list of typical return values Using the NetDefend Command Line Interface This chapter includes the following topics General Guidelines 8 Running Commands 9 Typical Return Values 14 Chapter 3 Using the NetDefend Command Line Interface 7 ...

Page 20: ...ue to the command or variable For example instead of typing delete netobj 3 You can type del neto 3 You cannot abbreviate netobj to net because these letters are not unique to netobj If a command or variable is composed of multiple words you may only abbreviate the final word For example instead of typing show qos classes 1 You can type sh qos cl 1 You cannot abbreviate qos classes to qos Do not e...

Page 21: ...Line Editing When using SSH or Serial Console You can press the TAB key to either complete the current command or show a list of possible completions All commands entered during a CLI session are saved in a command history You can browse through the command history by using the UP and DOWN arrow keys Running Commands Depending on your NetDefend model you can control your appliance via the command ...

Page 22: ...end Portal 1 Log on to the NetDefend Portal For instructions refer to the User Guide 2 Click Setup in the main menu and click the Tools tab The Tools page appears 3 Click Command The Command Line page appears 4 In the upper field type a command 5 Click Go The command is implemented Return values appear in the lower field ...

Page 23: ...ons refer to the User Guide 2 Click Setup in the main menu and click the Management tab The Management page appears 3 Specify from where SSH access should be granted See Access Options on page 12 for information Warning If remote SSH is enabled your NetDefend firewall settings can be changed remotely so it is especially important to make sure all NetDefend firewall users passwords are difficult to...

Page 24: ...work only This disables remote access capability This is the default Internal Network and VPN The internal network and your VPN IP Address Range A particular range of IP addresses Additional fields appear in which you can enter the desired IP address range ANY Any IP address ...

Page 25: ...refer to the User Guide 3 Click Setup in the main menu and click the Tools tab The Tools page appears 4 Click Import The Import Settings page appears 5 Do one of the following In the Import Settings field type the full path to the configuration file Or Click Browse and browse to the configuration file 6 Click Upload A confirmation message appears 7 Click OK The NetDefend firewall settings are impo...

Page 26: ...nd and variable in this guide When you run a command whose purpose is not informational the command line interface typically returns one of the values listed in the table below Table 2 Typical Return Values Value Explanation OK The command was implemented successfully Failed The command failed item deleted added cleared The add delete clear command was implemented successfully item cannot be delet...

Page 27: ...n run the command again Syntax error error The syntax of the command you entered is incorrect The erroneous syntax is displayed Invalid index The command you entered relates to a table in an incorrect way For example in the case of delete device the command applies only to tables and the variable is not a type of table ...

Page 29: ...ables Appliance Operation Commands CLI commands for managing the NetDefend firewall Informational Commands CLI commands for displaying information about your NetDefend firewall its settings Several CLI commands use CLI variables For information on CLI variables see CLI Variables on page 115 This chapter includes the following topics Variable Operation Commands 18 Appliance Operation Commands 32 In...

Page 30: ...form the following actions on variables Add a variable to a table Delete a variable from a table Modify a variable Display a variable s settings Display a table of variables Clear a table of variables For information on CLI variables see CLI Variables on page 115 ...

Page 31: ...f the following A self signed certificate DHCP scopes Firewall rules Network objects OSPF areas OSPF networks QoS classes RADIUS servers Static routes SmartDefense worm patterns SmartDefense blocked and allowed FTP commands Users VLAN networks VPN sites VStream Antivirus policy rules SYNTAX add variable Chapter 4 CLI Commands 19 ...

Page 32: ... RADIUS server routes A static route smartdefense ai cifs file sharing patterns A worm pattern that SmartDefense should detect smartdefense ai ftp command An FTP command that SmartDefense should allow or block users A NetDefend Portal user vlan A VLAN network vpn sites A VPN site vstream policy rules A VStream Antivirus policy rule For information on these variables and how to use them with the ad...

Page 33: ...Variable Operation Commands EXAMPLE The following command adds the user JohnSmith and assigns him the password JohnS1 add users name JohnSmith password JohnS1 ...

Page 34: ...Network objects OSPF areas OSPF networks QoS classes RADIUS servers Static routes SmartDefense worm patterns SmartDefense blocked and allowed FTP commands Users VLAN networks VPN sites VStream Antivirus policy rules Note You cannot delete the admin user user 1 the Default QoS class QoS class 1 or the Default static route static route 1 SYNTAX clear variable ...

Page 35: ...adius servers RADIUS servers routes Static routes smartdefense ai cifs file sharing patterns Worm patterns detected by SmartDefense smartdefense ai ftp command FTP commands that SmartDefense allows or blocks users NetDefend Portal users vlan VLAN networks vpn sites VPN sites vstream policy rules VStream Antivirus policy rules For information on these variables and how to use them with the clear co...

Page 36: ...Variable Operation Commands EXAMPLE The following command deletes all users except the admin user clear users ...

Page 37: ...ervers Network objects OSPF areas OSPF networks QoS classes RADIUS servers Static routes SmartDefense worm patterns SmartDefense blocked and allowed FTP commands Users VLAN networks VPN sites VStream Antivirus policy rules Note You cannot delete the admin user user 1 the Default QoS class QoS class 1 or the Default static route static route 1 SYNTAX delete variable ...

Page 38: ...ADIUS server routes A static route smartdefense ai cifs file sharing patterns A worm pattern that SmartDefense should detect smartdefense ai ftp command An FTP command that SmartDefense should allow or block users A NetDefend Portal user vlan A VLAN network vpn sites A VPN site vstream policy rules A VStream Antivirus policy rule For information on these variables and how to use them with the dele...

Page 39: ...mands EXAMPLE 1 The following command deletes the second user in the Users table delete users 2 EXAMPLE 2 The following command deletes the FTP server rule in the Servers table delete fw servers ftp ...

Page 40: ...ept for the following certificate A variable that represents a category of variables but does not have fields of its own For example the variable net can be used in the command show net to display the settings for all variables in the net category such as net lan net dmz etc but it has no fields of its own and therefore cannot be used with set For information on variables and how to use them with ...

Page 41: ...et users 2 password mysecretpassword EXAMPLE 2 The following command enables the internal VPN Server set vpn internalserver mode enabled EXAMPLE 3 The following command sets the FTP server rule so that only FTP connections made through a VPN are allowed set fw servers ftp enconly true ...

Page 42: ...N VALUES The desired variables and their fields Note The following information is displayed in encrypted format NetDefend Portal user passwords Password for authenticating to the ISP Passwords for VPN authentication Shared secrets for VPN authentication Registration key for authenticating to Service Center Passwords and keys for wireless authentication EXAMPLE 1 The following command displays all ...

Page 43: ...following command displays all server rules show fw servers The following command displays all of the FTP server rule s settings show fw servers ftp Use the following command to find out whether the FTP server rule specifies that only FTP connections made through a VPN are allowed show fw servers ftp enconly ...

Page 44: ... with a new self signed certificate Reset the NetDefend firewall to its default settings Reset the NetDefend firewall to the firmware version that shipped with the appliance Reboot the NetDefend firewall Clear the Event Log Reboot the my firewall Web service Reset the SmartDefense list of worm patterns to its defaults Clear Traffic Monitor reports Uninstall the VStream Antivirus signature database...

Page 45: ...o log out of the current session when connected to the NetDefend Portal via SSH or a serial console EFFECT After you run this command the SSH client or serial console logs off the NetDefend Portal SYNTAX quit PARAMETERS None RETURN VALUES None ...

Page 46: ... generated and downloaded to your appliance In this case there is no need to generate a self signed certificate EFFECT After you run this command the NetDefend firewall generates a new self signed certificate and replaces the old certificate with the new one This may take a few seconds SYNTAX reset certificate PARAMETERS None RETURN VALUES A message indicating that the certificate was replaced suc...

Page 47: ...nformation on resetting the firmware version see reset firmware on page 36 Warning This operation erases all your settings and password information You will have to set a new password and reconfigure your NetDefend firewall for Internet connection EFFECT After you run this command the NetDefend firewall is restarted and the PWR SEC LED flashes quickly This may take a few minutes SYNTAX reset defau...

Page 48: ...efend firewall to the firmware version that shipped with the appliance EFFECT The NetDefend firewall is restarted and the PWR SEC LED flashes quickly This may take a few minutes SYNTAX reset firmware PARAMETERS None RETURN VALUES See Typical Return Values on page 14 ...

Page 49: ...t the NetDefend firewall If your NetDefend firewall is not functioning properly rebooting it may solve the problem EFFECT The PWR SEC LED flashes quickly This may take a few minutes SYNTAX reset gateway PARAMETERS None RETURN VALUES See Typical Return Values on page 14 ...

Page 50: ...Event Log displays the most recent events including the date and the time that each event occurred and its type EFFECT The logs in the Event Log are cleared SYNTAX reset logs PARAMETERS None RETURN VALUES A message indicating that the Event Log was reset successfully ...

Page 51: ... reset services command is used to restart the NetDefend Service Center connection EFFECT The NetDefend Service Center connection is restarted SYNTAX reset services PARAMETERS None RETURN VALUES See Typical Return Values on page 14 ...

Page 52: ...worm patterns to its defaults For information on configuring this list see smartdefense ai cifs file sharing patterns on page 271 EFFECT The list of worm patterns is reset to its defaults SYNTAX reset smartdefense ai cifs file sharing patterns PARAMETERS None RETURN VALUES A message indicating that the list of worm patterns was reset successfully ...

Page 53: ...c Monitor displays reports for incoming and outgoing traffic for selected network interfaces and QoS classes EFFECT The statistics displayed in all Traffic Monitor reports are cleared SYNTAX reset statistics PARAMETERS None RETURN VALUES A message indicating that the Traffic Monitor was reset successfully ...

Page 54: ...and daily database are uninstalled and VStream Antivirus is disabled To re install the VStream Antivirus databases use the updatenow command See updatenow on page 43 Note You must be subscribed to VStream Antivirus signature updates in order to re install the databases SYNTAX reset vstream database PARAMETERS None RETURN VALUES A message indicating that the VStream Antivirus databases were reset s...

Page 55: ...ice The NetDefend firewall automatically checks for software updates and installs them without user intervention in the following cases Your NetDefend firewall is remotely managed Your NetDefend firewall is locally managed and it is set to automatically check for software updates However you can still use this command to check for updates manually if needed EFFECT The system checks for new upda...

Page 56: ...gs NAT rules that are currently in effect Your appliance s network interfaces Your appliance s general OSPF settings OSPF database details The OSPF mode for each network interface and VTI Virtual Tunnel Interface OSPF neighbors OSPF routes The status of the NetDefend firewall s ports including each Ethernet connection s duplex state Network printers details Connection probing results for the WAN a...

Page 57: ...ignatures Information about the defined Internet connections Information about your wireless access point Information about wireless stations in the WLAN You can also do the following Export your appliance s configuration Check whether a user name and password combination are valid Display help on any CLI command ...

Page 58: ...RN VALUES An indication of whether the username and password combination is valid ok Authentication succeeded The combination is valid failed Authentication failed The username password or username password combination is invalid Information about the user s permissions write Indicates whether the user has write permissions This can have the following values true The user has write permissions fal...

Page 59: ...to the NetDefend firewall using their VPN client This can have the following values true The user has write permissions false The user does not have write permissions For information on setting up VPN remote access refer to the User Guide filteroverride Indicates whether the user is allowed to override Web Filtering This can have the following values true the user has write permissions false the u...

Page 60: ...e username JohnS and the password mysecretpassword authenticate JohnS mysecretpassword Running this command results in information such as the following 700000 ok permissions write true read true vpnaccess true filteroverride true ...

Page 61: ...g the configuration you can copy it and paste it in a cfg file You can then change the settings as desired and import the modified file to one or more NetDefend firewalls For information on importing configuration files refer to the User Guide You want to backup the NetDefend firewall settings After exporting the configuration you can copy it and paste it in a cfg file You can then use this file t...

Page 62: ...net lan net dmz etc For information on variables and how to use them with the export command see CLI Variables on page 115 If you do not include this parameter all settings are exported RETURN VALUES The desired NetDefend Portal firewall settings The exported settings are in CLI script format and can be executed EXAMPLE The following command exports the NetDefend Portal firewall user database expo...

Page 63: ...00 08 da 77 70 70 firmware version 6 0 45x Device settings set device productkey 7a747a a77a4a 79a8bf hostname behindnat undefined Clock settings set clock timezone GMT 08 00 ntp1 ntp2 High availability settings set ha mode disabled syncinterface lan priority 0 groupid 55 ...

Page 64: ...al Commands lower priority when not connected set ha track wan1 0 wan2 0 Effect other modules according to current status set ha effect vpn enabled END Configuration script ...

Page 65: ...to display information variable String One or more variables that follow the command and create a valid expression RETURN VALUES When you run this command the following information appears A brief description of the command A list of variables that can follow the command EXAMPLE To display information about the add command enter the following command help add ...

Page 66: ...wall settings vpn VPN settings users User database routes Static routes database radius RADIUS settings qos Quality of Service netobj Network Objects certificate Certificate Creation vlan VLAN Networks ospf OSPF router setting dhcp DHCP settings vstream Vstream settings ...

Page 67: ... level vpnaccess Allow user to login using VPN client filteroverride Allow user to override Web Filtering hotspotaccess Allow HotSpot access expire Expiration date EXAMPLE 3 You cannot display information about a variable alone help users If you attempt to do so an error message is displayed along with suggestions for correcting the command syntax help users 700002 Syntax error users Possible comp...

Page 68: ...for your appliance s certificate and for the CA s certificate GMT The time zone of the Validity Start Time and Validity End Time relative to GMT Greenwich Mean Time Validity Start Time The day of the week date and time from which this certificate is valid This information is presented in the format Day MM DD hh mm ss YYYY where Day the day of the week MM the month DD the date hh hours mm minutes s...

Page 69: ...nformation Fingerprint The certificate s fingerprint EXAMPLE Running this command results in information such as the following 700000 Certificate Information Device Certificate GMT GMT 02 00 Validity Start Time Sat Dec 3 08 47 42 2005 Validity End Time Sat Nov 29 08 47 42 2025 Certificate DN O EmbeddedNG OU Gateways CN 00 07 d7 77 70 70 Fingerprint FEET DAB BODY HULL LYNN VARY GOSH SETS DOT DAR DO...

Page 70: ...lidity Start Time Sat Dec 3 08 47 39 2005 Validity End Time Sat Nov 29 08 47 39 2025 Certificate DN O EmbeddedNG OU LocalCA CN CA 00 07 d7 77 70 70 Fingerprint NO THAT JUST SUM MENU SLAM DING GURU MICE HUGO WOK VASE ...

Page 71: ... the LAN DMZ WLAN and OfficeMode network The device s IP address mac The device s MAC address type The device s type This can be either of the following firewall computer name The device s name license The status of the device s license This can be either of the following licensed the device is licensed inactive the device did not communicate through the firewall and therefore did not use a licens...

Page 72: ...al The signal strength in dB XR Indicates whether the wireless client supports Extended Range XR mode Possible values are yes The wireless client supports XR mode no The wireless client does not support XR mode wpa was negotiated Indicates whether WPA was negotiated with the wireless client Possible values are yes WPA was negotiated no WPA was not negotiated wpa2 was negotiated Indicates whether W...

Page 73: ... number of transmitted and received frames for which an error occurred discard frames The total number of discarded frames received dropped frames The total number of dropped frames transmitted unicast frames The number of unicast frames transmitted and received broadcast frames The number of broadcast frames transmitted and received multicast frames The number of multicast frames transmitted and ...

Page 74: ...e following lan 192 168 10 1 mac 00 08 da 77 70 6e type firewall name Gateway license N A 192 168 10 12 mac 00 0c 6e 41 5d 6a type computer name HOME license licensed wlan 192 168 252 1 mac 00 20 ed 08 7a e0 type firewall name Gateway license N A ...

Page 75: ...2 Mbps tx rate 11 Mbps WLAN mode B signal 22 dB XR no wpa was negotiated no wpa2 was negotiated no cipher WEP receive frames ok 159 errors 0 discarded frames 0 unicast frames 93 broadcast frames 57 multicast frames 9 transmit frames ok 76 errors 0 dropped frames 0 unicast frames 76 ...

Page 76: ...RETURN VALUES Connection table The number of currently active connections The following information is displayed for each connection src_ip The source IP address sport The source port dst_ip The destination IP address dport The destination port ip_p The IP protocol time The connection timeout in seconds If no packets pass for this interval of time the firewall terminates the connection ...

Page 77: ...lass to which the connection belongs Internal attributes The connection s internal attributes This can be any of the following BOTH_FIN ESTABLISHED The connection was terminated by both parties SRC_FIN ESTABLISHED The connection was terminated by the source party DST_FIN ESTABLISHED The connection was terminated by the destination party ESTABLISHED The connection is in established state MORE_INSPE...

Page 78: ... connect Connection table 8 connections src_ip sport dst_ip dport ip_p time Options QoS class Internal attributes 192 168 10 12 3163 192 168 10 1 80 6 13 Plain Default BOTH_FIN ESTABLISHED 192 168 10 12 3162 192 168 10 1 80 6 3 Plain Default BOTH_FIN ESTABLISHED ...

Page 79: ...der Hardware version The version of the hardware Appliance Type The type of the current NetDefend firewall hardware Product Key The installed Product Key Product Name The licensed software and the number of allowed nodes Used Nodes The number of nodes used Uptime The time that elapsed from the moment the unit was turned on Debug Firmware Indicates whether the currently installed firmware is a spec...

Page 80: ...ld displays N A VStream database Main Information about the VStream Antivirus main database The date and time at which the database was last updated Version The version number Size The database s size CRC The database s CRC Cyclic Redundancy Check value for file verification VStream database Daily Information about the VStream Antivirus daily database The date and time at which the database was la...

Page 81: ...y 747478 22234 e5d66f Product Name D-Link NetDefend 10 nodes Used Nodes 1 Uptime 45 days 02 05 53 Debug Firmware No Free Memory User 914K Kernel 1829K Running Firmware 6 0 45x Primary Firmware 6 0 45x Backup Firmware N A VStream database Main Sep 13 2005 12 20 GMT Version 1 1 0 Size 703312 bytes CRC 0x823d70ef VStream database Daily Dec 04 2005 06 29 GMT Version 1 1 46 Size 175754 bytes CRC 0x6d73...

Page 82: ...a packets in the active connection Total The total number of incoming data packets Accepted The number of incoming data packets received Dropped The number of incoming data packets that were blocked by the firewall Outbound packets Statistics for outgoing data packets in the active connection Total The total number of outgoing data packets Accepted The number of data packets sent Dropped The numbe...

Page 83: ... Running this command results in information such as the following 700000 Firewall statistics Inbound packets Total 35867 Accepted 14919 Dropped 20948 Outbound packets Total 13641 Accepted 13477 Dropped 164 ...

Page 84: ...vent occurred and its type SYNTAX info logs PARAMETERS None RETURN VALUES The Event Log The following information is displayed for each event Number The log s number in the Event Log Date The date in the format day month Time The time in the format HH MM SS where HH hours MM minutes SS seconds Log The log identification number ...

Page 85: ... rules and default policy rules A negative number Indicates an implied rule EXAMPLE Running this command results in information such as the following Event Logs 00299 4 12 09 33 22 Log 60031 User admin logged in Source IP 192 168 10 12 00298 4 12 09 32 44 Log 50000 Dropped Inbound packet Policy rule Src 217 132 249 147 SPort 1339 Dst 217 132 214 83 DPort 139 IPP 6 Rule 15 00297 4 12 09 32 34 Log 5...

Page 86: ...ivate IP addresses of the internal network computers behind the network s single Internet IP address For information on configuring Hide NAT for an internal network see net lan on page 181 net dmz on page 168 net wlan on page 219 and vlan on page 350 Static NAT Allows the mapping of Internet IP addresses or address ranges to hosts inside the internal network For information on configuring Static N...

Page 87: ...ation This can be the following An internal network An IP address An IP range any Any destination original ports The original port This can be the following A port A range of ports any Any port translated source The translated source This can be the following An internal network An IP address An IP range original The original destination translated destination The translated destination This can b...

Page 88: ...s created locally by configuring an Allow Forward rule Hide NAT for an internal network or Static NAT for a network object management The rule was downloaded from the remote management EXAMPLE Running this command results in information such as the following NAT Table 2 NAT rules 1 original source lan original destination any original ports any translated source 217 132 233 250 translated destinat...

Page 89: ...
2 original source: dmz  original destination: any  original ports: any  translated source: 217.132.233.250  translated destination: original  translated ports: original  type: hide  source: local
...
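To make the NAT table's first-match semantics concrete, here is an added example (not code from the guide or from D-Link) that models how packets are rewritten by rules of the kind `info nat` displays. Rules 1 and 2 reproduce the guide's example (Hide NAT for lan and dmz behind 217.132.233.250); the network prefixes, rule 3 (a Static NAT rule publishing one DMZ host on port 80 only) and the sample packets are constructed assumptions.

```python
"""Added example (not from the D-Link guide): first-match NAT rule processing as shown by `info nat`.
Rules 1 and 2 mirror the guide's example; NETWORKS, rule 3 and the packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed: the internal networks that rules refer to by name (prefixes as in the guide's `info net` example).
NETWORKS = {"lan": ip_network("192.168.10.0/24"), "dmz": ip_network("192.168.253.0/24")}


@dataclass
class NatRule:
    number: int
    original_source: str          # network name, IP address, "start-end" range, or "any"
    original_destination: str
    original_ports: str           # "any", a single port, or "start-end"
    translated_source: str        # IP address, or "original" to keep the packet's own value
    translated_destination: str
    translated_ports: str
    type: str                     # "hide" (many hosts behind one Internet IP) or "static"


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec in NETWORKS:
        return ip_address(addr) in NETWORKS[spec]
    if "-" in spec:
        low, high = (ip_address(p) for p in spec.split("-", 1))
        return low <= ip_address(addr) <= high
    return ip_address(spec) == ip_address(addr)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def apply_nat(rules: List[NatRule], src: str, dst: str, dport: int) -> Tuple[str, str, int, Optional[int]]:
    """Rewrite (src, dst, dport) with the first rule whose original-* fields match.
    The fourth element is the rule number used, or None when the packet passes untranslated."""
    for r in rules:
        if (_addr_matches(r.original_source, src) and _addr_matches(r.original_destination, dst)
                and _port_matches(r.original_ports, dport)):
            new_src = src if r.translated_source == "original" else r.translated_source
            new_dst = dst if r.translated_destination == "original" else r.translated_destination
            new_port = dport if r.translated_ports == "original" else int(r.translated_ports)
            return new_src, new_dst, new_port, r.number
    return src, dst, dport, None


RULES = [
    NatRule(1, "lan", "any", "any", "217.132.233.250", "original", "original", "hide"),
    NatRule(2, "dmz", "any", "any", "217.132.233.250", "original", "original", "hide"),
    # Constructed Static NAT rule: only port 80 of the Internet IP is mapped to the DMZ host.
    NatRule(3, "any", "217.132.233.250", "80", "original", "192.168.253.10", "original", "static"),
]

if __name__ == "__main__":
    print(apply_nat(RULES, "192.168.10.12", "8.8.8.8", 53))             # hide NAT, rule 1
    print(apply_nat(RULES, "217.132.249.147", "217.132.233.250", 80))   # static NAT, rule 3
    print(apply_nat(RULES, "217.132.249.147", "217.132.233.250", 139))  # no rule: untranslated
```

Restricting the static rule's `original ports` to the one published service is the point worth checking in a real table: a static rule with `original ports: any` maps every port of the Internet address onto the internal host and relies entirely on the firewall rules to block the rest.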

Page 90: ...formation about the DMZ interface; 4 (Display information about the WLAN interface); 5 (Display information about the OfficeMode interface). If you do not include this parameter, information is displayed for all networks.
RETURN VALUES: The following information is displayed for each network interface:
  name: The network interface's name. Note: The OfficeMode network's name is office.
  ip: The appliance's current I...

Page 91: ...on such as the following:
net
1 name: wan     ip: 217.132.214.83  mac: 00:08:da:77:70:70
2 name: lan     ip: 192.168.10.1    mac: 00:08:da:77:70:6e
3 name: dmz     ip: 192.168.253.1   mac: 00:08:da:77:70:6f
4 name: wlan    ip: 192.168.252.1   mac: 00:20:ed:08:7a:e0
5 name: office  ip: 192.168.254.1   mac: undefined
...

Page 92: ...AMPLE: Running this command results in information such as the following:
OSPF Routing Process, Router ID: 1.2.3.4
Supports only single TOS (TOS0) routes
This implementation conforms to RFC2328
RFC1583Compatibility flag is disabled
SPF schedule delay 1 secs, Hold time between two SPFs 1 secs
Refresh timer 10 secs
Number of external LSA 0
Number of areas attached to this router: 5
...

Page 93: ...se command is used to display information about the OSPF link state database.
SYNTAX: info ospf database
PARAMETERS: None
RETURN VALUES: Information about reported link states.
EXAMPLE: Running this command results in information such as the following:
...

Page 94: ...000005 0x0629 1
192.168.10.11    192.168.10.11    570   0x80000008  0xe85d  1

Net Link States (Area 0.0.0.0)
Link ID          ADV Router       Age   Seq#        CkSum
192.168.10.11    192.168.10.11    570   0x80000004  0x24e8

Summary Link States (Area 0.0.0.0)
Link ID          ADV Router       Age   Seq#        CkSum   Route
1.1.2.0          192.168.10.4     1053  0x80000001  0x36a1  1.1.2.0/24
10.0.0.0         192.168.10.11    3     0x80000002  0xb613  10.0.0.0/24

ASBR-Summary Link States (Area 0.0.0.0)
...

Page 95: ...eac9 0

AS External Link States
Link ID          ADV Router       Age   Seq#        CkSum   Route
0.0.0.0          62.90.32.131     999   0x80000001  0x0120  E1 0.0.0.0/0 [0x0]
0.0.0.0          192.168.10.3     1090  0x80000001  0xb2bd  E2 0.0.0.0/0 [0x0]
0.0.0.0          192.168.10.4     1057  0x80000001  0xa34e  E2 0.0.0.0/0 [0x0]
62.90.32.0       192.168.10.3     634   0x80000004  0x7a12  E2 62.90.32.0/24 [0x0]
...

Page 96: ...erface command is used to display the status and OSPF settings of each network interface and VTI (Virtual Tunnel Interface).
SYNTAX: info ospf interface
PARAMETERS: None
RETURN VALUES: OSPF information for each network interface and VTI.
...

Page 97: ...Priority 1
  Designated Router (ID) 192.168.10.101, Interface Address 192.168.10.101
  No backup designated router on this network
  Multicast group memberships: OSPFAllRouters OSPFDesignatedRouters
  Timer intervals configured, Hello 10s, Dead 40s, Wait 40s, Retransmit 5
    Hello due in 7.952s
  Neighbor Count is 0, Adjacent neighbor count is 0
wan is up
  ifindex 3, MTU 1500 bytes, BW 0 Kbit <UP,BROADCAST,RUNNING,MULTICA...

Page 98: ...t of OSPF neighbors. The information provided for each OSPF neighbor includes the following:
  Neighbor ID: The OSPF neighbor's router ID.
  Pri
  State
  Dead Time: The interval of time, in seconds, after which the OSPF neighbor will be considered dead if it does not communicate in any way.
  Address
  Interface: The NetDefend firewall's IP address used for communicating with this neighbor.
...

Page 99: ...ce            RXmtL RqstL DBsmL
192.168.10.3    1  Full/DROther  34.231s  192.168.10.3    lan:192.168.10.101  0  0  0
192.168.10.4    1  Full/DROther  34.234s  192.168.10.4    lan:192.168.10.101  0  0  0
192.168.10.10   1  Full/DROther  33.112s  192.168.10.10   lan:192.168.10.101  0  0  0
192.168.10.11   1  Full/Backup   34.230s  192.168.10.11   lan:192.168.10.101  0  0  0
...

Page 100: ...ype. The NetDefend firewall supports the following route types:
  K: A kernel route. Kernel routes are routes that are recognized by the OSPF daemon via the kernel, for example a static route.
  C: A connected route. Connected routes are routes that are created for each new network defined on the NetDefend firewall, for example LAN.
  R: An RIP route.
  O: An OSPF route. OSPF routes are routes learned via OSPF.
  I: An ISI...

Page 101: ...FIB route
K 0.0.0.0/0 via 212.143.205.164, ppp0
C 127.0.0.0/8 is directly connected, lo
C 172.27.144.0/20 is directly connected, wan
C 192.168.10.0/24 is directly connected, lan
C 192.168.252.0/24 is directly connected, wlan
C 192.168.254.1/32 is directly connected, lo
C 212.143.205.164/32 is directly connected, ppp0
K 212.143.205.253/32 via 172.27.144.1, wan
...
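When checking where the appliance will actually send traffic (for instance whether a management address is reached through the expected interface), the route table above has to be read with longest-prefix matching rather than top to bottom. The following is an added example, not code from the guide or from D-Link: a parser for `info routes` lines and a lookup that resolves a destination the way the forwarding table does. The line layout ("K 0.0.0.0/0 via 212.143.205.164, ppp0", "C 127.0.0.0/8 is directly connected, lo") is assumed from the guide's example; the sample text reproduces that example.

```python
"""Added example (not from the D-Link guide): parse `info routes` output and resolve destinations
with longest-prefix matching. The line layout is assumed from the guide's example output."""
import re
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional

# Route type codes as listed in the guide (the truncated fifth code is omitted).
ROUTE_TYPES = {"K": "kernel", "C": "connected", "R": "RIP", "O": "OSPF"}


class Route(NamedTuple):
    type: str
    prefix: IPv4Network
    via: Optional[str]        # next-hop address; None for connected routes
    interface: str


_LINE = re.compile(
    r"^(?P<type>[KCRO])\s+(?P<prefix>\S+)\s+"
    r"(?:via\s+(?P<via>\S+),\s*(?P<ifc>\S+)|is directly connected,\s*(?P<ifc2>\S+))\s*$"
)


def parse_routes(text: str) -> List[Route]:
    """Turn each recognised route line into a Route; headers and unknown lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            routes.append(Route(m["type"], ip_network(m["prefix"]), m["via"], m["ifc"] or m["ifc2"]))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match, as the forwarding table does; None if no route covers the destination."""
    addr = ip_address(destination)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen) if candidates else None


# Constructed from the guide's example output.
SAMPLE_INFO_ROUTES = """\
K 0.0.0.0/0 via 212.143.205.164, ppp0
C 127.0.0.0/8 is directly connected, lo
C 172.27.144.0/20 is directly connected, wan
C 192.168.10.0/24 is directly connected, lan
C 192.168.252.0/24 is directly connected, wlan
C 192.168.254.1/32 is directly connected, lo
C 212.143.205.164/32 is directly connected, ppp0
K 212.143.205.253/32 via 172.27.144.1, wan
"""

if __name__ == "__main__":
    table = parse_routes(SAMPLE_INFO_ROUTES)
    for dst in ("192.168.10.50", "212.143.205.253", "1.1.1.1"):
        r = lookup(table, dst)
        print(dst, "->", ROUTE_TYPES[r.type], r.prefix, r.via, r.interface)
```

The host route 212.143.205.253/32 via wan wins over the default route through ppp0 for that one address, which is exactly the kind of detail a bare reading of the table order hides.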

Page 102: ...etDefend model SBX-166LHG-2, port status information is only available for the WAN and DMZ ports, and not for LAN ports 1-4.
SYNTAX: info ports
PARAMETERS: None
RETURN VALUES: A list of the enabled ports and their statuses. Note: LAN ports 1-4 appear under lan, each on a different line. A port's status can be either of the following:
  speed/mode: The current link speed (10 Mbps or 100 Mbps) and duplex (Full Duple...

Page 103: ...unning this command results in information such as the following:
info ports
wan
  speed 100 mbps, mode full duplex
lan
  no link
  no link
  no link
  speed 100 mbps, mode full duplex
dmz
  speed 100 mbps, mode full duplex
...

Page 104: ...ter.
  Product name: The model of the printer.
  Serial number: The serial number of the printer.
  TCP Port: The TCP port used by the print server for this printer.
  Pending Jobs: The number of print jobs in queue for the printer.
  Status: The printer's status. A printer can have the following statuses: Initialize (The printer is initializing); Ready (The printer is ready); Not Ready (The printer is not ready, for example i...

Page 105: ...EXAMPLE: Running this command results in information such as the following:
Vendor name: Hewlett-Packard
Product name: PSC 2100 Series
Serial number: MY31TF62YJ0F
TCP Port: 9100
Pending Jobs: 0
Status: Ready
...

Page 106: ...the WAN2 port, depending on your NetDefend firewall's configuration. For information on configuring connection probing for the WAN port, see net wan probe on page 210. For information on configuring connection probing for the WAN2 port, see net wan2 probe on page 218.
SYNTAX: info probe
PARAMETERS: None
RETURN VALUES: For each configured Internet connection, the following information is displayed: The connec...

Page 107: ...g failed for all listed servers (all statuses are DOWN), then the Internet connection is considered to be down. The IP address or DNS name of the probed server.
EXAMPLE: Running this command results in information such as the following:
wan1
DNS  UP    194.90.1.5
DNS  DOWN  212.143.212.143
In this example, one DNS server responded to probing within 45 seconds, and the Internet connection is therefore up.
...

Page 108: ...see info statistics interface on page 99. For information on displaying traffic reports for specific QoS classes, see info statistics qos on page 102.
SYNTAX: info statistics
PARAMETERS: None
RETURN VALUES: A list of traffic reports for all currently enabled networks. For example, if the DMZ network is enabled, it will appear in the list. If Traffic Shaper is enabled, the list also includes the defined QoS...

Page 109: ...coming traffic, in kilobits/second.
  Outgoing: The rate of outgoing traffic, in kilobits/second.
EXAMPLE: Running this command results in information such as the following:
Interfaces Traffic Report
wan Interface - Total Traffic
Time                 Incoming (kbits/seconds)  Outgoing (kbits/seconds)
13:29:32-13:59:32    15                        1
13:59:32-14:29:32    2                         2
14:29:32-14:59:32    1                         0
14:59:32-15:29:32    3                         1
15:29:32-15:59:32    11                        0
...

Page 110: ...08:59:32    0    4
08:59:32-09:29:32    0    2
09:29:32-09:59:32    0    2
09:59:32-10:29:32    0    11
QoS Traffic Report
Class Default - Total Traffic
Time                 Incoming (kbits/seconds)  Outgoing (kbits/seconds)
03:29:32-03:59:32    15                        11
03:59:32-04:29:32    1                         4
04:29:32-04:59:32    11                        19
04:59:32-05:29:32    0                         3
05:29:32-05:59:32    0                         15
...

Page 111: ...t appears under normal circumstances and usually does not indicate an attack.
SYNTAX: info statistics interface <interface> <type>
PARAMETERS:
  interface (String): The network interface for which to display traffic statistics. If you do not include this parameter, information is displayed for all network interfaces.
  type (String): The type of traffic to display. This can have the following values: allowed (Allowed tr...

Page 112: ...time. If desired, you can change this interval. For information, see statistics on page 341. The following information is displayed in each row:
  Time: The interval's start and end time, in the format HH:MM:SS-HH:MM:SS, where HH = hours, MM = minutes, SS = seconds.
  Incoming: The rate of incoming traffic, in kilobits/second.
  Outgoing: The rate of outgoing traffic, in kilobits/second.
...

Page 113: ...cked. Results in information such as the following:
Interfaces Traffic Report
lan Interface - Dropped Traffic
Time                 Incoming (kbits/seconds)  Outgoing (kbits/seconds)
04:01:34-04:31:34    0                         4
04:31:34-05:01:34    0                         11
05:01:34-05:31:34    23                        0
05:31:34-06:01:34    0                         0
06:01:34-06:31:34    2                         0
...

Page 114: ...information is displayed for all QoS classes.
RETURN VALUES: Traffic reports for the specified type of QoS class. Each traffic report row displays traffic rates, in kilobits/second, for a specific interval of time. If desired, you can change this interval. For information, see statistics on page 341. The following information is displayed in each row:
  Time: The interval's start and end time, in the format HH:M...

Page 115: ...Urgent. Results in information such as the following:
QoS Traffic Report
Class Urgent - Total Traffic
Time                 Incoming (kbits/seconds)  Outgoing (kbits/seconds)
04:09:50-04:39:50    1                         10
04:39:50-05:09:50    8                         0
05:09:50-05:39:50    3                         3
05:39:50-06:09:50    0                         5
06:09:50-06:39:50    9                         7
...

Page 116: ...se for a period of time.
  Remote Access VPN sites configured for Manual Login: A tunnel is created whenever your computer attempts any kind of communication with a computer at the VPN site, after you have manually logged on to the site. All open tunnels connecting to the site are closed when you manually log off.
SYNTAX: info tunnels
PARAMETERS: None
RETURN VALUES: The following information is displayed fo...

Page 117: ...ly negotiated between the two sites. The encryption and authentication schemes used for the connection are the strongest of those used at the two sites. Your NetDefend firewall supports the AES, 3DES, and DES encryption schemes, and the MD5 and SHA authentication schemes.
  duration: The time at which the tunnel was established. This information is presented in the format HH:MM:SS, where HH = hours, MM = minutes, SS = secon...

Page 118: ...e VPN peer is not responding.
EXAMPLE: Running this command for all network interfaces results in information such as the following:
site      src            dst            encryption    duration     username  status
office    212.150.8.84   192.114.68.8   3DES/SHA1     0:00:02:01   JohnS     ok
office_2  212.150.8.84   212.150.8.81   AES-256/SHA1  0:00:00:22   N/A       ok
...
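Because the negotiated scheme is the strongest that both sites offer, a tunnel reported with DES or MD5 means neither end offered anything better, which is worth a periodic audit of `info tunnels`. The following is an added example, not code from the guide or from D-Link: it parses the tunnel table in the column layout and "cipher/hash" spelling of the guide's example (3DES/SHA1, AES-256/SHA1) and classifies each tunnel. The extra `branch` row and the weak/legacy thresholds are constructed assumptions.

```python
"""Added example (not from the D-Link guide): audit `info tunnels` output for weak or legacy algorithms.
Column layout and the cipher/hash spelling follow the guide's example; the 'branch' row and the
classification sets are constructed assumptions."""
from typing import Dict, List

WEAK = {"DES", "MD5"}        # single DES and HMAC-MD5: not acceptable for new tunnels
LEGACY = {"3DES"}            # 64-bit block cipher: transition use only
COLUMNS = ("site", "src", "dst", "encryption", "duration", "username", "status")

# Constructed sample; the first two rows are the guide's example.
SAMPLE_INFO_TUNNELS = """\
site      src            dst            encryption    duration     username  status
office    212.150.8.84   192.114.68.8   3DES/SHA1     0:00:02:01   JohnS     ok
office_2  212.150.8.84   212.150.8.81   AES-256/SHA1  0:00:00:22   N/A       ok
branch    212.150.8.84   62.90.32.131   DES/MD5       0:01:14:09   N/A       ok
"""


def parse_tunnels(text: str) -> List[Dict[str, str]]:
    """One dict per tunnel row; the header line is skipped and malformed rows are ignored."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == len(COLUMNS):
            rows.append(dict(zip(COLUMNS, parts)))
    return rows


def audit_tunnels(text: str) -> Dict[str, List[str]]:
    """Map each site to its findings; an empty list means nothing to report."""
    findings: Dict[str, List[str]] = {}
    for t in parse_tunnels(text):
        issues = []
        cipher, _, auth = t["encryption"].partition("/")
        base_cipher = cipher.split("-")[0]        # "AES-256" -> "AES"
        if base_cipher in WEAK:
            issues.append(f"weak cipher {cipher}")
        elif base_cipher in LEGACY:
            issues.append(f"legacy cipher {cipher}")
        if auth in WEAK:
            issues.append(f"weak authentication {auth}")
        if t["status"] != "ok":
            issues.append(f"status {t['status']}")
        findings[t["site"]] = issues
    return findings


if __name__ == "__main__":
    for site, issues in audit_tunnels(SAMPLE_INFO_TUNNELS).items():
        print(site, issues or "ok")
```

The fix for a flagged site is on the VPN site configuration of both peers (restrict the offered schemes to AES with SHA), not on this report; the report only tells you which sites to look at.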

Page 119: ...ystem of incremental updates to the main database allows for quicker updates and saves on network bandwidth.
SYNTAX: info vstream
PARAMETERS: None
RETURN VALUES:
  Main database: The date and time at which the main database was last updated, followed by the version number.
  Daily database: The date and time at which the daily database was last updated, followed by the version number.
  Next update: The date and t...

Page 120: ...esults in information such as the following:
Main database: Sep 13 2005 02:20:30 PM GMT, Version 1.1.0
Daily database: Dec 4 2005 08:29:22 AM GMT, Version 1.1.46
Next update: Not Subscribed for Updates
Service Status: OK
...

Page 121: ...TERS:
  connection (Integer): The Internet connection for which to display information. This can have the following values: 1 (Display information for the primary connection); 2 (Display information for the secondary connection). If you do not include this parameter and both connections are configured, information is displayed for both connections.
...

Page 122: ...secondary
  connected: Indicates whether the connection is currently up. This can have the following values: true (The connection is up); false (The connection is down).
  idle_timeout: The amount of time, in minutes, that the connection can remain idle. Once this period of time has elapsed, the dialup modem will disconnect. This field is only relevant for the Dialup connection type.
...

Page 123: ...xample, a dialup Internet connection is configured as the secondary connection, and information is displayed for all connections:
wan
1 name: primary    connected: true   idle_timeout: 0
2 name: secondary  connected: false  idle_timeout: 15
...

Page 124: ...ls supporting a wireless interface.
SYNTAX: info wireless ap
PARAMETERS: None
RETURN VALUES:
  Operation Mode: The operation mode used for the wireless connection. This can be any of the following: 11b, 11g, 11bg, 108g static, 108g dynamic. For information about the operation modes, see wireless on page 404.
  MAC: The MAC address of the appliance's wireless interface.
...

Page 125: ...of the certified region may result in the violation of government regulations.
  Country: The country where you are located.
  Channel: The channel currently used for the wireless connection, followed by the exact frequency in parentheses.
EXAMPLE: Running this command results in information such as the following:
Operation Mode: 11b
MAC: 00:20:ed:08:7a:e0
Region: WORLD
Country: United States
Channel: 6 (2437 Mhz)
...


Page 127: ...e syntax and examples provided for show can be used for export as well.
This chapter includes the following topics:
  certificate 118
  clock 121
  device 123
  dhcp scopes 125
  dialup 131
  fw 134
  fw rules 137
  fw servers 145
  ha 148
  ha effect 152
  ha track 154
  https 156
  hotspot 159
  mailfilter antispam 162
  mailfilter antivirus 164
  mailfilter protocols 166
  net dmz 168
  net dmz ha 175
  net dmz ospf 177
  net dmz ospf ...

Page 128: ...251
  qos classes 253
  radius permissions 259
  radius servers 262
  routes 265
  smartdefense ai cifs file sharing 268
  smartdefense ai cifs file sharing patterns 271
  smartdefense ai ftp 274
  smartdefense ai ftp bounce 277
  smartdefense ai ftp commands 279
  smartdefense ai im icq 282
  smartdefense ai im skype 284
  smartdefense ai im yahoo 285
  smartdefense ai p2p bittorrent 286
  smartdefense ai p2p emule 288
  smar...

Page 129: ...security ip icmp welchia 321
  smartdefense network security port scan host port scan 323
  smartdefense network security port scan ip sweep scan 326
  smartdefense network security tcp small pmtu 329
  smartdefense network security tcp strict tcp 331
  smp 333
  snmp 335
  ssh 338
  statistics 341
  syslog 343
  users 345
  vlan 350
  vlan ospf 357
  vlan ospf md5 359
  vpn externalserver 361
  vpn internalserver 364
  vpn sit...

Page 130: ...ic key information about itself. After two entities exchange and validate each other's certificates, they can begin encrypting information between themselves, using the public keys in the certificates. The NetDefend firewall supports certificates encoded in the PKCS#12 (Personal Information Exchange Syntax Standard) format.
Note: If a certificate is already installed, you must clear the certificate before...

Page 131: ...name of your organization.
  unit (String): The name of your division.
  gatewayname (String): The gateway's name. This name will appear on the certificate and will be visible to remote users inspecting the certificate.
  expyear (Integer): The year when this certificate should expire. This can be any year until 2037. Note: You must renew the certificate when it expires.
  expmonth (Integer): The month when this certificate...

Page 132: ...division is Marketing, the country is Great Britain, and the certificate's expiration date is December 31, 2014:
add cert country GB organization MyCompany unit Marketing gatewayname 00:08:DA:77:70:70 expyear 2014 expmonth 12 expday 31
EXAMPLE 2: The following command clears the installed certificate:
clear certificate
...
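Since the certificate must be cleared and re-added by hand when it expires, the two things worth scripting are building a valid `add cert` line and knowing in advance when renewal is due. The following is an added example, not code from the guide or from D-Link: the field names, the 2037 upper bound on expyear and the quoting rule for values containing spaces are from the guide; the 30-day renewal window, the `today` parameter and the country-code check are assumptions.

```python
"""Added example (not from the D-Link guide): build and validate the `add cert` command and compute
when the certificate needs renewing. Field names and the 2037 limit are from the guide; the renewal
window and the `today` parameter are assumptions."""
from datetime import date
from typing import Optional

MAX_EXPIRY_YEAR = 2037          # the guide: expyear can be any year until 2037


def _arg(value: str) -> str:
    """The guide: a string containing spaces must be enclosed in quotation marks."""
    return f'"{value}"' if " " in value else value


def build_add_cert(country: str, organization: str, unit: str, gatewayname: str,
                   expiry: date, today: Optional[date] = None) -> str:
    """Return the CLI line, refusing values the appliance would not accept or that make no sense."""
    if len(country) != 2 or not country.isalpha():
        raise ValueError("country must be a two-letter code, for example GB")
    if expiry.year > MAX_EXPIRY_YEAR:
        raise ValueError(f"expyear must be {MAX_EXPIRY_YEAR} or earlier")
    if today is not None and expiry <= today:
        raise ValueError("expiry date is already in the past")
    return (f"add cert country {country.upper()} organization {_arg(organization)} "
            f"unit {_arg(unit)} gatewayname {_arg(gatewayname)} "
            f"expyear {expiry.year} expmonth {expiry.month} expday {expiry.day}")


def days_until_expiry(expiry: date, today: date) -> int:
    return (expiry - today).days


def renewal_due(expiry: date, today: date, within_days: int = 30) -> bool:
    """True when the certificate expires within `within_days` (or already has): time to
    `clear certificate` and add a new one before remote users start seeing an expired certificate."""
    return days_until_expiry(expiry, today) <= within_days


if __name__ == "__main__":
    exp = date(2014, 12, 31)   # the guide's example expiry date
    print(build_add_cert("GB", "MyCompany", "Marketing", "00:08:DA:77:70:70", exp, today=date(2014, 1, 1)))
    print(days_until_expiry(exp, date(2014, 12, 1)), "days left; renewal due:", renewal_due(exp, date(2014, 12, 1)))
```

Feeding the generated line through the CLI script import path described in chapter 3 keeps the certificate parameters under version control, which is easier to audit than values typed at the prompt.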

Page 133: ...t clock time <time> day <day> month <month> year <year> timezone <timezone> ntp1 <ntp1> ntp2 <ntp2>
When used with show: show clock time day month year timezone ntp1 ntp2
FIELDS:
  time (String): The current time, in the format HH:MM:SS meridian, where HH = hours, MM = minutes, SS = seconds, meridian = AM or PM.
  day (Integer): The day of the month. For example, 4.
  month (Integer): The current month. For example, December is 12.
...

Page 134: ...p1 (String): The IP address of the Primary NTP server.
  ntp2 (String): The IP address of the Secondary NTP server.
EXAMPLE 1: The following command sets the time to January 2, 2006, 12:00 PM:
set clock time 12:00:00PM day 2 month 1 year 2006
EXAMPLE 2: The following command shows the first NTP server configured for the appliance:
show clock ntp1
...

Page 135: ...y
FIELDS:
  behindnat (IP Address or String): This value indicates whether or not the appliance is located behind a NAT device. This can have the following values: The NAT device's IP address (This address will be used as the appliance's public IP address); undefined (The appliance is not located behind a NAT device).
  hostname (String): The hostname for authentication. Note: Most ISPs do not require a specific hostn...

Page 136: ...o mycomputer1 and the Product Key to aaaaaa-bbbbbb-cccccc:
set device hostname mycomputer1 productkey aaaaaa-bbbbbb-cccccc
EXAMPLE 2: The following command displays the appliance's public IP address:
show device behindnat
...

Page 137: ...dhcp scopes network <network> domain <domain> dns <dns> dns1 <dns1> dns2 <dns2> wins <wins> wins1 <wins1> wins2 <wins2> ntp1 <ntp1> ntp2 <ntp2> callmgr1 <callmgr1> callmgr2 <callmgr2> tftpserver <tftpserver> tftpbootfile <tftpbootfile>
When used with set: set dhcp scopes <number> network <network> domain <domain> dns <dns> dns1 <dns1> dns2 <dns2> wins <wins> wins1 <wins1> wins2 <wins2> ntp1 <ntp1> ntp2 <ntp2> callmgr1 <callmgr1> callmgr2 <callmgr2> t...

Page 138: ...For example, if the domain suffix is set to mydomain.com and the client tries to resolve the name mail, the suffix will be automatically appended to the name, resulting in mail.mydomain.com.
  dns (String): Indicates whether the gateway should act as a DNS relay server and automatically pass its own IP address to DHCP clients. This can have the following values: automatic (The gateway should act as an automa...

Page 139: ...can have the following values: An IP address; undefined (The Secondary DNS server is not defined). The default value is undefined. This field is only relevant if the dns field is set to manual.
  wins (String): Indicates whether DHCP clients should be automatically assigned the same WINS servers as specified by the Internet connection. This can have the following values: automatic (DHCP clients should be automat...

Page 140: ...condary WINS server to use instead of the gateway. This can have the following values: An IP address; undefined (The Secondary WINS server is not defined). The default value is undefined. This field is only relevant if the wins field is set to manual.
  ntp1 (IP Address or String): The IP address of the Primary Network Time Protocol (NTP) server to use for synchronizing the time on the DHCP clients. This can have...

Page 141: ...undefined (The Primary VoIP server is not defined). The default value is undefined.
  callmgr2 (IP Address or String): The IP address of the Secondary VoIP call manager to assign to the DHCP clients. This can have the following values: An IP address; undefined (The Secondary VoIP server is not defined). The default value is undefined.
  tftpserver (IP Address or String): The IP address of the Trivial File Transfer Pr...

Page 142: ...dd dhcp scopes network lan domain mydomain.com
EXAMPLE 2: The following command modifies scope 1 in the DHCP Scope table, so that the TFTP server is 1.2.3.4:
set dhcp scopes 1 tftpserver 1.2.3.4
EXAMPLE 3: The following command deletes scope 1 from the DHCP Scope table:
delete dhcp scopes 1
EXAMPLE 4: The following command displays all DHCP settings for scope 2:
show dhcp scopes 2
EXAMPLE 5: The following...

Page 143: ...n not in use.
Note: Before setting up the dialup modem, you must connect it to your NetDefend firewall's serial port. You can use either a regular or an ISDN dialup modem.
Note: After you have finished setting up the modem, you must configure a Dialup Internet connection. If you want to use the dialup connection as a backup connection, you must configure a LAN or broadband connection as the primary Internet c...

Page 144: ...l 56K Ambient Chipset; Generic Modem 1; Generic Modem 2; Generic Modem 3; Generic ISDN Async Sync PPP; Generic ISDN Sync PPP 64K; Generic ISDN Sync PPP 128K Dual channel.
Reminder: The values are case sensitive. To enter a string containing spaces, enclose the string in quotation marks.
  speed (Integer): The modem's port speed, in bits per second. This can have the following values: 9600, 19200, 38400, 57600, 115200. Th...

Page 145: ...type. This information is provided automatically if a standard modem type is used.
EXAMPLE 1: The following command sets up a custom modem with a port speed of 57600 bps and the installation string AT&F. The dial mode is tone:
set dialup type "Hayes Accura 56K" speed 57600 dialmode tone
EXAMPLE 2: The following command displays all dialup modem settings:
show dialup
...

Page 146: ...ewall level; Displaying and exporting the above firewall settings; Displaying and exporting all firewall settings, including Firewall rules and Server rules. For information on displaying and exporting specific firewall rules and server rules, see fw rules on page 137 and fw servers on page 145.
Warning: Defining an exposed host may make the designated computer vulnerable to hacker attacks. Defining an expose...

Page 147: ...eave it unchanged unless you have a specific need for a higher or lower security level. All inbound traffic is blocked. All outbound traffic is allowed to the Internet, except for Windows file sharing (NBT ports 137, 138, 139, and 445).
  high: Enforces strict control on all incoming and outgoing connections. All inbound traffic is blocked. Restricts all outbound traffic except for the following: Web traffic (HTT...

Page 148: ...ollowing command sets the firewall level to High:
set fw level high
EXAMPLE 2: The following command displays all firewall settings, including firewall rules and server rules:
show fw
...

Page 149: ...from the Internet (WAN) to the LAN, and allows all outgoing connection attempts from the LAN to the Internet (WAN). For further information on the default security policy, refer to the User Guide. User-defined rules have priority over the default rules and provide you with greater flexibility in defining and customizing your security policy. For detailed information on the rule types, refer to the User Gui...

Page 150: ...dex log <log> disabled <disabled>
When used with delete: delete fw rules <number>
When used with show: show fw rules <number> action service src dest ports protocol qosclass redirectport index log disabled
When used with clear: clear fw rules
FIELDS:
  number (Integer): The firewall rule's row in the Firewall Rules table.
  action (String): The type of rule you want to create. This can have the following values: allowandf...

Page 151: ...stom: The rule should apply to a specific non-standard service. You must include the protocol and ports fields.
  0 or any: The rule should apply to any service.
  80 or web
  21 or ftp
  23 or telnet
  25 or smtp
  110 or pop3
  137 or nbt
  500 or vpn
  1720 or h323
  1723 or pptp
The default value is 0 or any.
...

Page 152: ...values: An IP address; An IP address range (To specify a range, use the following format: Start IP Address-End IP Address); any (The rule should apply to any source); wan; lan; dmz; officemode; vpn; notvpn (Not VPN); The name of a VPN site; The name of a network object. The default value is any.
...

Page 153: ...y to any destination); wan; lan; dmz; officemode; vpn; notvpn (Not VPN); The name of a VPN site; The name of a network object. The default value is any.
  ports (Integer): The ports to which the rule applies. This can have the following values: A port number (The rule will apply to this port only); A port range (To specify a range, use the following format: Start Port Number-End Port Number). Note: If you do not enter a port...

Page 154: ...dth policy for the selected QoS class. If Traffic Shaper is not enabled, this setting is ignored. For information on Traffic Shaper and QoS classes, refer to the User Guide. This field is only relevant when defining an Allow rule or an Allow and Forward rule. If you do not include this field, the connections are assigned to the Default QoS class.
  redirectport (Integer): The port to which you want to redirect...

Page 155: ...utomatically added to the bottom of the Firewall Rules table.
  log (String): Indicates whether to log the specified blocked or allowed connections. This can have the following values: true (Log the specified connections); false (Do not log the specified connections). By default, accepted connections are not logged and blocked connections are logged.
  disabled (String): Indicates whether the rule is disabled. This can...

Page 156: ...lowing command modifies rule 1 in the Firewall Rule table, so that it becomes a Block rule:
set fw rules 1 action block
EXAMPLE 3: The following command deletes rule 1 in the Firewall Rule table:
delete fw rules 1
EXAMPLE 4: The following command displays the destination IP address for rule 1 in the Firewall Rule table:
show fw rules 1 dest
EXAMPLE 5: The following command deletes all rules in the Firewa...
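Rules written as a CLI script can be validated before they reach the appliance, and the resulting list can be checked for the mistake the guide's warning about exposed hosts points at (allowing every service inbound). The following is an added example, not code from the guide or from D-Link. The field names, the service aliases (80 or web, 137 or nbt, and so on), the Start-End range formats, the endpoint keywords and the logging defaults are from the guide; the `add fw rules` verb (by analogy with `add dhcp scopes`), the action values `allow` and `allowandforward` (the guide shows `action block` and truncates `allowandf...`), and the protocol value `tcp` are assumptions.

```python
"""Added example (not from the D-Link guide): generate checked `fw rules` CLI lines and audit them.
Field names, service aliases, range formats and logging defaults follow the guide; the `add fw rules`
verb, the actions 'allow'/'allowandforward' and the protocol value 'tcp' are assumptions."""
from ipaddress import ip_address
from typing import List, Optional

SERVICES = {"any": "0", "web": "80", "ftp": "21", "telnet": "23", "smtp": "25", "pop3": "110",
            "nbt": "137", "vpn": "500", "h323": "1720", "pptp": "1723"}
ACTIONS = {"allowandforward", "allow", "block"}          # 'allow'/'allowandforward' assumed
ENDPOINT_KEYWORDS = {"any", "wan", "lan", "dmz", "officemode", "vpn", "notvpn"}


def _check_ports(ports: str) -> str:
    """A single port or 'start-end' (the guide's range format), each within 1..65535."""
    nums = [int(p) for p in ports.split("-", 1)]
    if not all(1 <= n <= 65535 for n in nums) or (len(nums) == 2 and nums[0] > nums[1]):
        raise ValueError(f"bad port specification {ports!r}")
    return ports


def _check_endpoint(value: str) -> str:
    """Keyword, IP address, 'start-end' IP range, or the name of a VPN site / network object."""
    if value in ENDPOINT_KEYWORDS:
        return value
    try:
        for part in value.split("-", 1):
            ip_address(part)
        return value
    except ValueError:
        pass
    if not value or " " in value:
        raise ValueError(f"bad endpoint {value!r}")
    return value          # taken to be a VPN site or network object name


def build_rule(action: str, service: str, src: str = "any", dest: str = "any",
               protocol: Optional[str] = None, ports: Optional[str] = None,
               log: Optional[bool] = None, disabled: bool = False) -> str:
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    svc = str(service).lower()
    if svc == "custom":
        if protocol is None or ports is None:
            raise ValueError("custom service requires protocol and ports")   # the guide's rule
    elif svc in SERVICES:
        svc = SERVICES[svc]
    elif svc not in SERVICES.values():
        raise ValueError(f"unknown service {service!r}")
    parts = ["add fw rules", "action", action, "service", svc,
             "src", _check_endpoint(src), "dest", _check_endpoint(dest)]
    if svc == "custom":
        parts += ["protocol", protocol, "ports", _check_ports(ports)]
    # The guide: blocked connections are logged by default and accepted ones are not; say it explicitly.
    effective_log = log if log is not None else action == "block"
    parts += ["log", "true" if effective_log else "false"]
    if disabled:
        parts += ["disabled", "true"]
    return " ".join(parts)


def broad_inbound_allows(rules: List[str]) -> List[str]:
    """Generated lines that allow any service from the Internet (src wan or any) to an inside destination."""
    flagged = []
    for line in rules:
        t = line.split()
        f = dict(zip(t[3::2], t[4::2]))          # tokens after 'add fw rules' alternate key/value
        if (f.get("action") in {"allow", "allowandforward"} and f.get("service") == "0"
                and f.get("src") in {"wan", "any"} and f.get("dest") != "wan"):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    script = [
        build_rule("block", "nbt", src="lan", dest="wan"),
        build_rule("allowandforward", "web", src="any", dest="192.168.253.10", log=True),
        build_rule("allow", "any", src="wan", dest="lan"),      # the kind of rule the audit flags
    ]
    print("\n".join(script))
    print("broad inbound allows:", broad_inbound_allows(script))
```

Logging is emitted on every generated line rather than left to the default, so the script reads the same way the appliance will behave and a reviewer does not have to remember which default applies to which action.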

Page 157: ...ver. This is useful if you want to host public Internet servers (Web Server, Mail Server, etc.) in your network.
Note: Configuring servers allows you to create simple Allow and Forward rules for common services, and it is equivalent to creating Allow and Forward rules in the Rules page. For information on creating rules, see fw rules on page 137.
SYNTAX: When used with set: set fw servers <service> hostip <hostip>...

Page 158: ...can have the following values: An IP address; undefined (The service is not configured). The default value is undefined.
  enconly (String): Indicates whether to allow only connections made through a VPN. This can have the following values: true (Allow only connections through a VPN); false (Allow all connections). The default value is false. Note: If you did not specify a host IP address for the service, changes to th...

Page 159: ...ugh a VPN only:
set fw servers ftp hostip 192.168.10.21 enconly true
EXAMPLE 2: The following command deletes the defined FTP server:
delete fw servers ftp
EXAMPLE 3: The following command displays the FTP server's IP address:
show fw servers ftp hostip
...

Page 160: ...ter, the default gateway through which all network traffic is routed, and one acting as the Backup. If the Master fails, the Backup automatically and transparently takes over all the roles of the Master. This ensures that your network is consistently protected by a NetDefend firewall and connected to the Internet. The NetDefend firewall supports configuring multiple HA clusters on the same network segm...

Page 161: ...w ha mode syncinterface priority groupid
FIELDS:
  mode (String): The appliance's High Availability mode. This can have the following values: enabled (High Availability is enabled on this appliance); disabled (High Availability is not enabled on this appliance). The default value is disabled.
...

Page 162: ...ation interface must be the same for all gateways in the High Availability cluster, and must always be connected and enabled on all gateways. Otherwise, multiple appliances may become active, causing unpredictable problems. The synchronization interface must have a virtual IP address, which can be set using the command set net <x> ha, where <x> is the network name (lan, dmz, or wlan).
  priority (Integer): The gateway...

Page 163: ...f only one HA cluster exists, there is no need to change the default value.
EXAMPLE 1: The following command enables High Availability on the appliance. The synchronization interface is the LAN network, the gateway's priority is 100, and the gateway is assigned to cluster 56:
set ha mode enabled syncinterface lan priority 100 groupid 56
EXAMPLE 2: The following command displays the appliance's priority:
sh...

Page 164: ...affect VPN tunnels. For information on configuring High Availability, see ha on page 148.
SYNTAX: When used with set: set ha effect vpn <vpn>. When used with show: show ha effect vpn
FIELDS:
  vpn (String): Indicates whether the gateway's status within the High Availability cluster should affect existing VPN tunnels. This can have the following values: enabled (When the gateway's status is Passive, all existing VPN...

Page 165: ...ollowing command disables the High Availability effect on VPN tunnels:
set ha effect vpn disabled
EXAMPLE 2: The following command displays the gateway's High Availability effect setting:
show ha effect
...

Page 166: ...amount if its Internet connection goes down. If the Active Gateway's priority drops below another gateway's priority, then the other gateway becomes the Active Gateway.
Note: You can also track the status of the LAN and DMZ ports, by using the commands set port lan1 hatrack and set port dmz hatrack. For information, see port lan1, port lan2, port lan3, port lan4 on page 245 and port dmz on page 243. For info...

Page 167: ...secondary Internet connection goes down. This must be an integer between 0 and 255. The default value is 0.
EXAMPLE 1: The following command enables Internet connection tracking for the primary Internet connection. The gateway's priority will be reduced by 10 if the primary connection goes down:
set ha track wan1 10
EXAMPLE 2: The following command displays the gateway's Internet connection tracking set...
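The tracking mechanism only helps if the subtracted amount is large enough to push the Active gateway below its peer; a track value smaller than the priority gap leaves the cluster on a gateway with no Internet connection. The following is an added example, not code from the guide or from D-Link, that computes effective priorities, elects the Active member and finds members whose wan1 track value is too small to ever hand over. Priority, the 0..255 range of track values and the "highest priority is Active" rule are from the guide; the tie-break (first listed member wins) is an assumption.

```python
"""Added example (not from the D-Link guide): effect of `ha track` values on which cluster member
is Active. The 0..255 bound and the highest-priority rule follow the guide; the tie-break is assumed."""
from dataclasses import dataclass
from typing import List


@dataclass
class Gateway:
    name: str
    priority: int
    track_wan1: int = 0      # subtracted while the primary Internet connection is down
    track_wan2: int = 0      # subtracted while the secondary Internet connection is down
    wan1_up: bool = True
    wan2_up: bool = True

    def __post_init__(self) -> None:
        for v in (self.track_wan1, self.track_wan2):
            if not 0 <= v <= 255:
                raise ValueError("track values must be integers between 0 and 255")

    def effective_priority(self) -> int:
        p = self.priority
        if not self.wan1_up:
            p -= self.track_wan1
        if not self.wan2_up:
            p -= self.track_wan2
        return p


def active_gateway(cluster: List[Gateway]) -> Gateway:
    """Member with the highest effective priority; on a tie the first listed wins (assumption).
    Python's max() returns the first maximal element, which gives that tie-break for free."""
    return max(cluster, key=lambda g: g.effective_priority())


def failover_blind_spots(cluster: List[Gateway]) -> List[str]:
    """Names of members whose wan1 track value cannot push them below the best peer, so losing
    their primary Internet connection would not move the Active role."""
    names = []
    for g in cluster:
        peers = [o.effective_priority() for o in cluster if o is not g]
        if peers and g.priority - g.track_wan1 >= max(peers):
            names.append(g.name)
    return names


if __name__ == "__main__":
    # Constructed cluster: A uses the guide's example (priority 100, `set ha track wan1 10`).
    a, b = Gateway("A", 100, track_wan1=10), Gateway("B", 95)
    print("active with both links up:", active_gateway([a, b]).name)
    a.wan1_up = False
    print("active after A loses wan1:", active_gateway([a, b]).name, "(A now", a.effective_priority(), ")")
    print("blind spots with track 3:", failover_blind_spots([Gateway("A", 100, track_wan1=3), Gateway("B", 95)]))
```

With the guide's values (priority 100, track 10) against a peer at 95, losing the primary connection drops A to 90 and B takes over; with a track value of 3 the same failure leaves A Active at 97, which is the case `failover_blind_spots` reports.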

Page 168: ...end firewall users can securely access the NetDefend Portal from the Internet, by accessing the URL https://X.X.X.X:981, where X.X.X.X is the NetDefend Internet IP address.
Note: The URL https://my.firewall is always accessible from the Internal Network, even when HTTPS Remote Access is disabled.
SYNTAX: When used with set: set https mode <mode> iprange <iprange>. When used with show: show https mode iprange
...

Page 169: ...the iprange field); any (Any IP address); vpn (The internal network and your VPN). The default value is internal.
Warning: If remote HTTPS is enabled, your NetDefend firewall settings can be changed remotely, so it is especially important to make sure all NetDefend firewall users' passwords are difficult to guess.
  iprange (IP Address or String): The desired IP address range. This can have the following values: An I...

Page 170: ...users to access the NetDefend Portal using HTTPS from any IP address:
set https mode any
EXAMPLE 2: The following command displays the IP address or IP address range from which HTTPS access is granted:
show https iprange
...
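The guide's own warning about remote HTTPS is easier to act on when a change request states exactly which addresses a proposed `https mode` and `iprange` would let in. The following is an added example, not code from the guide or from D-Link, that evaluates whether a client address can reach the portal under a given setting. The modes `internal`, `any` and `vpn`, the default of `internal`, port 981 and the rule that the internal network always has access are from the guide; the name of the mode that uses the `iprange` field is cut off in the page text, so `RANGE_MODE` is a labelled placeholder, and the internal and VPN prefixes are constructed.

```python
"""Added example (not from the D-Link guide): who can reach the NetDefend Portal over HTTPS (port 981)
under `https mode` / `https iprange`. RANGE_MODE is a placeholder for the mode name the page
truncates; the network prefixes are constructed."""
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Iterable

RANGE_MODE = "range"      # placeholder: the guide's name for the iprange-based mode is not on the page
PORTAL_PORT = 981

# Constructed: internal networks from the guide's `info net` example and the OfficeMode (VPN) network.
INTERNAL_NETS = [ip_network("192.168.10.0/24"), ip_network("192.168.253.0/24"), ip_network("192.168.252.0/24")]
VPN_NETS = [ip_network("192.168.254.0/24")]


def _in_any(addr: IPv4Address, nets: Iterable) -> bool:
    return any(addr in n for n in nets)


def _in_range(addr: IPv4Address, iprange: str) -> bool:
    """iprange is a single address or 'start-end', the range format used throughout the guide."""
    if "-" in iprange:
        low, high = (ip_address(p) for p in iprange.split("-", 1))
        return low <= addr <= high
    return addr == ip_address(iprange)


def https_allowed(mode: str, iprange: str, client: str) -> bool:
    """True if `client` may open https://<address>:981 under the given mode and iprange."""
    addr = ip_address(client)
    if _in_any(addr, INTERNAL_NETS):
        return True          # the guide: https://my.firewall is always reachable from the internal network
    if mode == "internal":
        return False
    if mode == "any":
        return True
    if mode == "vpn":
        return _in_any(addr, VPN_NETS)
    if mode == RANGE_MODE:
        return _in_range(addr, iprange)
    raise ValueError(f"unknown https mode {mode!r}")


def exposure(mode: str) -> str:
    """One-line statement of who gets management access, for a change-review ticket."""
    return {"internal": "internal network only",
            "vpn": "internal network and VPN users",
            RANGE_MODE: "internal network and the configured iprange",
            "any": "ANY Internet address (management interface published to the Internet)"}[mode]


if __name__ == "__main__":
    for mode, rng, client in [("internal", "", "8.8.8.8"), ("any", "", "8.8.8.8"),
                              ("vpn", "", "192.168.254.7"), (RANGE_MODE, "203.0.113.10-203.0.113.20", "203.0.113.15")]:
        print(f"mode={mode:9} client={client:16} allowed={https_allowed(mode, rng, client)}  [{exposure(mode)}]")
```

`set https mode any` is the setting the guide's EXAMPLE 1 shows; `exposure("any")` spells out what that example grants, which is the line a reviewer should see before approving it.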

Page 171: ...for specific networks, see net dmz on page 168, net lan on page 181, and net wlan on page 219. For information on granting HotSpot access to users, see users on page 345. You can choose to exclude specific network objects from HotSpot enforcement. For information, see netobj on page 226.
Important: SecuRemote VPN software users who are authenticated by the Internal VPN Server are automatically exempt from H...

Page 172: ...red to enter their username and password before logging on to My HotSpot. This can have the following values: none (No authentication is required); password (Authentication is required). The default value is none.
  multiplelogin (String): Indicates whether to allow a single user to log on to My HotSpot from multiple computers at the same time. This can have the following values: enabled (Login from multiple compu...

Page 173: ...ically redirected to HTTPS. false: Users can log on using HTTP; HTTPS is not required. The default value is false.
EXAMPLE 1: The following command defines terms of use for the My HotSpot page and requires users to log on to the page:
set hotspot terms "<b>Internet access is limited to 1 hour</b>" auth password
EXAMPLE 2: The following command displays all Secure HotSpot settings:
show hotspot

Page 174: ...that it is suspected spam. You can create rules to divert such messages to a special folder. Note: Email Antispam is only available if you are connected to a Service Center and subscribed to this service. Note: If you are remotely managed, contact your Service Center to enable or disable the Email Antispam service. For information on temporarily disabling the Email Antispam service, refer to the User Guide. F...

Page 175: ...internal network computers. disabled: Disables the service for all internal network computers. The default value is disabled.
EXAMPLE 1: The following command enables the Email Antispam service:
set mailfilter antispam mode enabled
EXAMPLE 2: The following command displays the Email Antispam mode:
show mailfilter antispam
Chapter 5 CLI Variables 163

Page 176: ...anning, while VStream Antivirus scans for viruses in the NetDefend gateway itself. Email Antivirus is specific to email, scanning incoming POP3 and outgoing SMTP connections only, while VStream Antivirus supports additional protocols, including incoming SMTP and outgoing POP3 connections. You can use either antivirus solution, or both in conjunction. For information on VStream Antivirus, see vstream on pag...

Page 177: ...alues: enabled: Enables the service for all internal network computers. disabled: Disables the service for all internal network computers. The default value is disabled.
EXAMPLE 1: The following command enables the Email Antivirus service:
set mailfilter antivirus mode enabled
EXAMPLE 2: The following command displays the Email Antivirus mode:
show mailfilter antivirus

Page 178: ...you are connected to a Service Center and subscribed to this service. Note: If you are remotely managed, contact your Service Center to change the Email Filtering protocol settings.
SYNTAX
When used with set:
set mailfilter protocols pop3 pop3 smtp smtp
When used with show:
show mailfilter protocols pop3 smtp
FIELDS
pop3 (String): Indicates whether incoming email in the POP3 protocol should be scanned. Thi...

Page 179: ...l. The default value is enabled.
EXAMPLE 1: If Email Filtering is enabled, you can use the following command to enable the service for outgoing email:
set mailfilter protocols smtp enabled
For information on enabling the Email Filtering service, see antivirus.
EXAMPLE 2: The following command displays all Email Filtering protocol settings:
show mailfilter protocols

Page 180: ...tion on configuring, displaying, and exporting specific DMZ High Availability settings, see net dmz ha on page 175. For information on configuring, displaying, and exporting specific DMZ OSPF settings, see net dmz ospf on page 177 and net dmz ospf md5 on page 179. In addition to the LAN network, you can define a second internal network called a DMZ (demilitarized zone) network. By default, all traffic is allow...

Page 181: ...dress automatically, it is recommended to assign it an IP address outside of the DHCP address range. If you do assign it an IP address within the DHCP address range, the DHCP server will not assign this IP address to another computer.
SYNTAX
When used with set:
set net dmz mode mode hidenat hidenat address address netmask netmask dhcpserver dhcpserver dhcprange dhcprange dhcprelayip dhcprelayip hotspot...

Page 182: ...llowing values: enabled: Hide NAT is enabled. disabled: Hide NAT is disabled. The default value is enabled. Note: If Hide NAT is disabled, you must obtain a range of Internet IP addresses from your ISP. Hide NAT is enabled by default. Note: Static NAT and Hide NAT can be used together. address (IP Address): The IP address of the DMZ network's default gateway. Note: The DMZ network must not overlap the LAN network...

Page 183: ...devices on the DMZ network with their network configuration details. If you already have a DHCP server in the DMZ's internal network and you want to use it instead of the NetDefend DHCP server, you must disable the NetDefend DHCP server, since you cannot have two DHCP servers or relays on the same network segment. If you want to use a DHCP server on the Internet or via a VPN instead of the NetDefend D...

Page 184: ...e NetDefend DHCP server automatically sets the DHCP address range. A DHCP address range: Relevant only if the NetDefend DHCP server is enabled. To specify a range, use the following format: Start IP Address-End IP Address. The default value is automatic. dhcprelayip (IP Address or String): The IP address of the desired relay DHCP server. This can have the following values: An IP address. undefined: No relay DHC...

Page 185: ...ether to enable Secure HotSpot for the DMZ network. This can have the following values: enabled: Secure HotSpot is enabled for the DMZ. disabled: Secure HotSpot is disabled for the DMZ. The default value is disabled.

Page 186: ...The following command enables Hide NAT for the DMZ network:
set net dmz hidenat enabled
EXAMPLE 2: The following command displays the DMZ network's DHCP range:
show net dmz dhcprange

Page 187: ...efend firewalls. For more information on High Availability, see ha on page 148.
SYNTAX
When used with set:
set net dmz ha virtualip virtualip
When used with show:
show net dmz ha virtualip
FIELDS
virtualip (IP Address): The default gateway IP address. This can have the following values: An IP address: This can be any unused IP address in the DMZ network, and must be the same for both gateways. undefined: High A...

Page 188: ...g command sets the DMZ network's virtual IP address:
set net dmz ha virtualip 192.168.10.14
EXAMPLE 2: The following command displays the appliance's DMZ High Availability settings:
show net dmz ha

Page 189: ...ying, and exporting specific authentication settings, see net dmz ospf md5 on page 179. This variable is only relevant if OSPF is enabled. For information, see ospf on page 231.
SYNTAX
When used with set:
set net dmz ospf cost cost
When used with show:
show net dmz ospf cost
FIELDS
cost (Integer): The cost of sending a packet on the DMZ interface. Routers send a packet to the route that matches the packe...

Page 190: ...ospf
EXAMPLE 1: The following command sets the DMZ's OSPF cost:
set net dmz ospf cost 10
EXAMPLE 2: The following command displays the DMZ's OSPF settings:
show net dmz ospf

Page 191: ...net dmz ospf md5 enabled enabled key key password password
When used with show:
show net dmz ospf md5 enabled key password
FIELDS
enabled (String): Indicates whether to use the MD5 authentication scheme for OSPF connections. This can have the following values: true: Use the MD5 authentication scheme. false: Do not use the MD5 authentication scheme. The default value is disabled. key (Integer): The key ID to us...

Page 192: ...enables authentication for OSPF connections:
set net dmz ospf md5 enabled true key 1 password thepassword
EXAMPLE 2: The following command displays the DMZ's OSPF MD5 authentication settings:
show net dmz ospf md5

Page 193: ...OSPF settings. For information on configuring, displaying, and exporting specific LAN High Availability settings, see net lan ha on page 187. For information on configuring, displaying, and exporting specific LAN OSPF settings, see net lan ospf on page 188 and net lan ospf md5 on page 189. Note: The DHCP server only serves computers that are configured to obtain an IP address automatically. If a computer is...

Page 194: ...the new range. Otherwise, manually reconfigure your computer to use the new address range using the TCP/IP settings. For information on configuring TCP/IP, refer to the User Guide.
SYNTAX
When used with set:
set net lan hidenat hidenat address address netmask netmask dhcpserver dhcpserver dhcprange dhcprange dhcprelayip dhcprelayip hotspot hotspot
When used with show:
show net lan hidenat address netmask...

Page 195: ...of Internet IP addresses from your ISP. Hide NAT is enabled by default. Note: Static NAT and Hide NAT can be used together. address (IP Address): The NetDefend firewall's internal IP address. netmask (IP Address): The subnet mask that applies to the appliance's internal IP address. Note: The internal network range is defined both by the NetDefend firewall's internal IP address and by the subnet mask. For exampl...

Page 196: ...evices on your network with their network configuration details. If you already have a DHCP server in your internal network and you want to use it instead of the NetDefend DHCP server, you must disable the NetDefend DHCP server, since you cannot have two DHCP servers or relays on the same network segment. If you want to use a DHCP server on the Internet or via a VPN instead of the NetDefend DHCP serve...

Page 197: ...NetDefend DHCP server is enabled. To specify a range, use the following format: Start IP Address-End IP Address. The default value is automatic. dhcprelayip (IP Address): The IP address of the desired relay DHCP server. This can have the following values: An IP address. undefined: No relay DHCP server is defined. The default value is undefined. This field is only relevant if DHCP relay is enabled. hotspot (Strin...

Page 198: ...XAMPLE 1: The following command enables Hide NAT for the LAN:
set net lan hidenat enabled
EXAMPLE 2: The following command displays the LAN DHCP range:
show net lan dhcprange

Page 199: ...net lan ha. net lan ha: See net dmz ha on page 175.

Page 200: ...net lan ospf. net lan ospf: See net dmz ospf on page 177.

Page 201: ...net lan ospf md5. net lan ospf md5: See net dmz ospf md5 on page 179.

Page 202: ...ly assigned by an ISP. This may lead to the following problems: VPN Clients on the same network will be unable to communicate with each other via the NetDefend Internal VPN Server. This is because their IP addresses are on the same subnet, and they therefore attempt to communicate directly over the local network instead of through the secure VPN link. Some networking protocols or resources may require...

Page 203: ...it an IP address outside of the DHCP address range. If you do assign it an IP address within the DHCP address range, the DHCP server will not assign this IP address to another computer.
SYNTAX
When used with set:
set net officemode mode mode hidenat hidenat address address netmask netmask dhcpserver dhcpserver dhcprange dhcprange
When used with show:
show net officemode mode hidenat address netmask dh...

Page 204: ...llowing values: enabled: Hide NAT is enabled. disabled: Hide NAT is disabled. The default value is enabled. Note: If Hide NAT is disabled, you must obtain a range of Internet IP addresses from your ISP. Hide NAT is enabled by default. Note: Static NAT and Hide NAT can be used together. address (IP Address): The IP address of the OfficeMode network's default gateway. Note: The OfficeMode network must not overlap th...

Page 205: ...on the OfficeMode network with their network configuration details. If you already have a DHCP server in the OfficeMode's internal network and you want to use it instead of the NetDefend DHCP server, you must disable the NetDefend DHCP server, since you cannot have two DHCP servers or relays on the same network segment. If you want to use a DHCP server on the Internet or via a VPN instead of the NetD...

Page 206: ...ing values: automatic: The NetDefend DHCP server automatically sets the DHCP address range. A DHCP address range: Relevant only if the NetDefend DHCP server is enabled. To specify a range, use the following format: Start IP Address-End IP Address. The default value is automatic.
EXAMPLE 1: The following command enables Hide NAT for the OfficeMode network:
set net officemode hidenat enabled
EXAMPLE 2: The foll...

Page 207: ...gateway address address netmask netmask password password username username pptpserver pptpserver pptpclientip pptpclientip pptpclientmask pptpclientmask pptpservice pptpservice pppoeservice pppoeservice mtu mtu externalip externalip phonenumber phonenumber clonedmac clonedmac usedhcp usedhcp staticwins staticwins connectonlyactive connectonlyactive staticdns staticdns disabled disabled dns1 dns1 d...

Page 208: ...eway is not defined. The default value is undefined. This field is only relevant for LAN connections with a static IP address. address (IP Address): The static IP address of your NetDefend firewall. This can have the following values: An IP address. undefined: The static IP address is not defined. The default value is undefined. This field is only relevant for LAN connections with a static IP address.

Page 209: ...d. username (String): Your user name. pptpserver (IP Address): If you selected PPTP, this is the IP address of the PPTP server, as given by your ISP. If you selected Telstra BPA, this is the IP address of the Telstra authentication server, as given by Telstra. pptpclientip (IP Address): The static IP address of your NetDefend firewall. This can have the following values: An IP address. undefined: The static IP address...

Page 210: ...ly relevant for the PPTP connection type. pptpservice (String): Your PPTP service name. If your ISP has not provided you with a service name, leave this field empty. This field is only relevant when using the PPTP or PPPoE connection type. pppoeservice (String): Your PPPoE service name. If your ISP has not provided you with a service name, leave this field empty. This field is only relevant for the PPTP or PPPoE co...

Page 211: ...st and use MTU values between 1300 and 1500. phonenumber (Integer): The phone number that the modem should dial, as given by your ISP. This field is only relevant for the Dialup connection type. externalip (IP Address): The external IP address. This can have the following values: The IP address of the PPTP or PPPoE client, as given by your ISP. undefined: The external IP is not defined. The default value is undef...

Page 212: ...ing DHCP. This can have the following values: enabled: Obtain an IP address automatically using DHCP. disabled: Do not obtain an IP address automatically using DHCP. If the connection type is LAN, you must provide values for the gateway, address, and netmask fields. If the connection type is PPTP, you must provide values for the pptpclientmask and pptpclientip fields. The default value is enabled. staticwins (S...

Page 213: ...even if it is a Passive Gateway. The default value is false. This field is only relevant if High Availability is configured. For information on High Availability, see ha on page 148. staticdns (String): Indicates whether the NetDefend firewall should automatically configure DNS servers. This can have the following values: enabled: The NetDefend firewall will not automatically configure DNS ser...

Page 214: ...etDefend firewall to use a particular connection by disabling the other connection. Note: The Internet connection's Enabled/Disabled status is persistent through NetDefend firewall reboots. dns1 (IP Address or String): The primary DNS server IP address. This can have the following values: An IP address. undefined: This server is not defined. The default value is undefined. dns2 (IP Address or String): The second...

Page 215: ...utgoing traffic. This can have the following values: A rate in bytes/second: The rate should be slightly lower than your Internet connection's maximum measured upstream speed. It is recommended to try different rates in order to determine which one provides the best results. For information on using Traffic Shaper, see qos classes on page 253. unlimited: Traffic Shaper is not enabled for outgoing traffic...

Page 216: ...best results. unlimited: Traffic Shaper is not enabled for outgoing traffic. The default is unlimited. Note: Traffic Shaper cannot control the number or type of packets it receives from the Internet; it can only affect the rate of incoming traffic by dropping received packets. This makes the shaping of inbound traffic less accurate than the shaping of outbound traffic. It is therefore recommended to enab...

Page 217: ...ctivity: The dialup modem should only dial a connection if no other connection exists and there is outgoing activity, that is, packets need to be transmitted to the Internet. If another connection opens or if the connection times out, the dialup modem will disconnect. The default value is disable. This field is useful when configuring a dialup backup connection. For information, refer to the User Guide...

Page 218: ...es: false: A default route is created automatically, meaning that the traffic to all non-internal networks will be routed via this connection. true: A default route is not created automatically, and you can create the routes manually using static routes. For information on using static routes, see netobj on page 226. The default value is false.

Page 219: ...ith DHCP:
set net wan mode lan disabled false
EXAMPLE 3: The following command configures the NetDefend firewall for a PPPoE primary Internet connection:
set net wan mode pppoe user JohnSmith net il myisp password 123456 staticdns enabled disabled false
EXAMPLE 4: The following command configures the NetDefend firewall for a PPTP primary Internet connection with DHCP:
set net wan mode pptp user JohnSmi...

Page 220: ...net wan ospf. net wan ospf: See net dmz ospf on page 177.

Page 221: ...net wan ospf md5. net wan ospf md5: See net dmz ospf md5 on page 179.

Page 222: ...WAN port, depending on your NetDefend firewall's configuration. Therefore, connection probing for the WAN port can affect the primary and secondary Internet connections. In contrast, connection probing for the WAN2 port will not affect the primary Internet connection, since this connection can only use the WAN port.
SYNTAX
When used with set:
set wan probe probenexthop probenexthop method method dest1 de...

Page 223: ...t, if the default gateway does not respond, the Internet connection is considered to be down. If it is determined that the Internet connection is down and two Internet connections are defined, a failover will be performed to the second Internet connection, ensuring continuous Internet connectivity. This field can have the following values: enabled: Check for loss of connectivity to the default gateway. dis...

Page 224: ...f for 45 seconds none of the defined servers respond to pinging, the Internet connection is considered to be down. Use this method if you have reliable servers that can be pinged, that are a good indicator of Internet connectivity, and that are not likely to fail simultaneously (that is, they are not at the same location). dns: Probe the primary and secondary DNS servers. If for 45 seconds neither gateway r...

Page 225: ...ies the IP addresses or DNS names of the desired VPN gateways.
EXAMPLE 1: The following command enables next hop probing and DNS connection probing for the Internet connection currently using the WAN port:
set net wan probe probenexthop enabled method dns
EXAMPLE 2: The following command displays all connection probing settings for the Internet connection currently using the WAN port:
show net wan prob...

Page 226: ...s, see net wan2 probe on page 218. When you configure both a primary and a secondary Internet connection, the secondary connection acts as a backup, so that if the primary connection fails, the NetDefend firewall remains connected to the Internet. Note: You can configure different DNS servers for the primary and secondary connections. The NetDefend firewall acts as a DNS relay and routes requests from com...

Page 227: ...12.150.8.65 netmask 255.255.255.224 staticdns disabled dns1 212.150.48.169 disabled false
EXAMPLE 3: The following command configures the NetDefend firewall for a PPPoE secondary Internet connection with a static IP address:
set net wan2 mode pppoe gateway undefined address undefined netmask undefined password 123456 username JohnSmith net il myisp mtu automatic usedhcp disabled staticdns disabled d...

Page 228: ...net wan2 ospf. net wan2 ospf: See net dmz ospf on page 177.

Page 229: ...net wan2 ospf md5. net wan2 ospf md5: See net dmz ospf md5 on page 179.

Page 230: ...net wan2 probe. net wan2 probe: See net wan probe on page 210.

Page 231: ...splaying, and exporting specific WLAN High Availability settings, see net wlan ha on page 225. When using wireless NetDefend models, you can define a wireless internal network called a WLAN network. For information on configuring wireless connection settings, including the operation mode, security settings, and wireless transmitter settings, see wireless on page 404. For information on default security poli...

Page 232: ...t assign this IP address to another computer.
SYNTAX
When used with set:
set net wlan mode mode hidenat hidenat address address netmask netmask dhcpserver dhcpserver dhcprange dhcprange dhcprelayip dhcprelayip hotspot hotspot
When used with show:
show net wlan mode hidenat address netmask dhcpserver dhcprange dhcprelayip hotspot
FIELDS
mode (String): The WLAN network mode. This can have the following val...

Page 233: ...the following values: enabled: Hide NAT is enabled. disabled: Hide NAT is disabled. The default value is enabled. Note: If Hide NAT is disabled, you must obtain a range of Internet IP addresses from your ISP. Hide NAT is enabled by default. Note: Static NAT and Hide NAT can be used together. address (IP Address): The IP address of the WLAN network's default gateway. Note: The WLAN network must not overlap the LAN...

Page 234: ...on the WLAN network with their network configuration details. If you already have a DHCP server in the DMZ's internal network and you want to use it instead of the NetDefend DHCP server, you must disable the NetDefend DHCP server, since you cannot have two DHCP servers or relays on the same network segment. If you want to use a DHCP server on the Internet or via a VPN instead of the NetDefend DHCP se...

Page 235: ...NetDefend DHCP server is enabled. To specify a range, use the following format: Start IP Address-End IP Address. The default value is automatic. dhcprelayip (IP Address): The IP address of the desired relay DHCP server. This can have the following values: An IP address. undefined: No relay DHCP server is defined. The default value is undefined. This field is only relevant if DHCP relay is enabled. hotspot (String...

Page 236: ...e following command enables Hide NAT for the WLAN network:
set net wlan hidenat enabled
EXAMPLE 2: The following command displays the WLAN network's DHCP range:
show net wlan dhcprange

Page 237: ...net wlan ha. net wlan ha: See net dmz ha on page 175.

Page 238: ...AT allows the mapping of Internet IP addresses or address ranges to hosts inside the internal network. This is useful if you want a computer in your private network to have its own Internet IP address. For example, if you have both a mail server and a Web server in your network, you can map each one to a separate Internet IP address. Assign the network object's IP address to a MAC address. You can guara...

Page 239: ...hotspotexclude hotspotexclude
When used with delete:
delete netobj number
When used with show:
show netobj number name type ip staticnat mac hotspotexclude
When used with clear:
clear netobj
FIELDS
number (Integer): The network object's row in the Network Objects table. name (String): The network object's name. type (String): The type of network object. This can have the following values: computer, network...

Page 240: ...s or String): Indicates whether to perform Static NAT. This can have the following values: The Internet IP address to which you want to map the network object's IP address. Relevant only if the network object is a computer. The Internet IP address range to which you want to map the network object's IP address range. Relevant only if the network object is a network. To specify a range, use the following for...

Page 241: ...ample, 00:08:d1:52:81:e2. undefined: DHCP reservation is not performed. This field is only relevant for network objects that are computers. The default value is undefined. hotspotexclude (String): Indicates whether to exclude the network object from HotSpot enforcement. This can have the following values: enabled: The network object is excluded from HotSpot enforcement. disabled: HotSpot rules will be enforced...

Page 242: ...e network object is excluded from HotSpot enforcement:
set netobj 1 mac 00:0c:6e:41:5d:6a hotspotexclude enabled
EXAMPLE 3: The following command deletes network object 1 in the Network Objects table:
delete netobj 1
EXAMPLE 4: The following command displays the Static NAT settings for network object 1 in the Network Objects table:
show netobj 1 staticnat
EXAMPLE 5: The following command deletes all net...

Page 243: ...settings, see ospf redistribute on page 238, ospf redistribute connected on page 239, and ospf redistribute kernel on page 241. The NetDefend firewall supports OSPF version 2, a dynamic routing protocol that distributes routing information between routers in a single autonomous system (AS). Each router in the AS distributes its local state, that is, the router's usable interfaces and reachable neighbors, to...

Page 244: ...router id
When used with show:
show ospf mode router id
FIELDS
mode (String): The OSPF mode. This can have the following values: disable: OSPF is disabled. internal: Enables OSPF for all internal networks. all: Enables OSPF for all networks. The default value is internal. router id (IP Address or String): The OSPF router identifier. This can have the following values: An IP address. undefined: No OSPF router is defin...

Page 245: ...ospf
EXAMPLE 1: The following command enables OSPF for all internal networks:
set ospf mode internal
EXAMPLE 2: The following command displays all OSPF settings:
show ospf

Page 246: ...rea table. An AS is divided into areas, each of which contains a number of networks. Each area has its own authentication settings.
SYNTAX
When used with add:
add ospf area id id auth md5 auth md5
When used with set:
set ospf area number id id auth md5 auth md5
When used with delete:
delete ospf area number
When used with show:
show ospf area number id auth md5
When used with clear:
clear ospf area

Page 247: ...command adds an OSPF area that uses the MD5 authentication scheme:
add ospf area id 1.2.3.4 auth md5 true
EXAMPLE 2: The following command modifies area 1 in the OSPF Areas table so that it does not use the MD5 authentication scheme:
set ospf area 1 auth md5 false
EXAMPLE 3: The following command deletes area 1 in the OSPF Areas table:
delete ospf area 1
EXAMPLE 4: The following command displays all OS...

Page 248: ...To enable OSPF for a specific network, you must add the network as an OSPF network and assign it to an OSPF area.
SYNTAX
When used with add:
add ospf network address address mask mask area area
When used with set:
set ospf network number address address mask mask area area
When used with delete:
delete ospf network number
When used with show:
show ospf network number address mask area
When used with cl...

Page 249: ...address 1.2.3.4 mask 255.255.255.255 area 2.3.4.5
EXAMPLE 2: The following command assigns network 1 in the OSPF Networks table to a different area:
set ospf network 1 area 3.4.5.6
EXAMPLE 3: The following command deletes network 1 in the OSPF Networks table:
delete ospf network 1
EXAMPLE 4: The following command displays all OSPF networks:
show ospf network
EXAMPLE 5: The following command deletes all n...

Page 250: ...ng, and exporting specific routing information distribution settings, see ospf redistribute connected on page 239 and ospf redistribute kernel on page 241. These settings control how OSPF external routing information is redistributed.
SYNTAX
When used with show:
show ospf redistribute
FIELDS
None
EXAMPLE: The following command displays all OSPF redistribution settings:
show ospf redistribute

Page 251: ...ute connected enabled enabled metric metric metric type metric type
When used with show:
show ospf redistribute connected enabled metric metric type
FIELDS
enabled (String): Indicates whether to enable redistribution of OSPF routing information for connected networks. This can have the following values: true: Enable redistribution. false: Disable redistribution. The default value is false. metric (Integer): The...

Page 252: ...ing routing information for connected networks:
set ospf redistribute connected enabled true metric 10 metric type 1
EXAMPLE 2: The following command displays all redistribution settings for connected networks:
show ospf redistribute connected

Page 253: ...te kernel enabled enabled metric metric metric type metric type
When used with show:
show ospf redistribute kernel enabled metric metric type
FIELDS
enabled (String): Indicates whether to enable redistribution of OSPF routing information for routes updated in the NetDefend Portal. This can have the following values: true: Enable redistribution. false: Disable redistribution. The default value is false. m...

Page 254: ...for routes updated in the NetDefend Portal:
set ospf redistribute kernel enabled true metric 10 metric type 1
EXAMPLE 2: The following command displays all redistribution settings for routes updated in the NetDefend Portal:
show ospf redistribute kernel

Page 255: ...etwork (String): The DMZ/WAN2 port's assignment. This can have the following values: dmz: The DMZ network. For information on configuring the DMZ, see net dmz on page 168. wan2: A second WAN connection. For information on setting up a backup Internet connection, refer to the User Guide and to net wan2 on page 214. trunk: A VLAN trunk. For information on VLANs and VLAN trunks, see vlan on page 350. The default valu...

Page 256: ...ects the link speed and duplex. 10 full, 10 half, 100 full, 100 half. The default value is automatic.
EXAMPLE 1: The following command assigns the DMZ/WAN2 port to a secondary WAN connection:
set port dmz network wan2
EXAMPLE 2: The following command displays the DMZ/WAN2 port's assignment:
show port dmz

Page 257: ...network network hatrack hatrack link link
set port lan2 network network hatrack hatrack link link
set port lan3 network network hatrack hatrack link link
set port lan4 network network hatrack hatrack link link
When used with show:
show port lan1 network hatrack link
show port lan2 network hatrack link
show port lan3 network hatrack link
show port lan4 network hatrack link
FIELDS
network (String): The...

Page 258: ...This can have the following values: automatic: The port automatically detects the link speed and duplex. 10 full, 10 half, 100 full, 100 half. The default value is automatic.
EXAMPLE 1: The following command assigns the LAN1 port to a VLAN network called Marketing:
set port lan1 network Marketing
EXAMPLE 2: The following command displays the LAN4 port's assignment:
show port lan4

Page 259: ...t.
SYNTAX
When used with set:
set port serial mode mode
When used with show:
show port serial mode
FIELDS
mode (String): The RS232 port's assignment. This can have the following values: auxiliary: A dialup modem. For information on configuring a dialup modem, see dialup on page 131. console: A serial console. For information on using a serial console, refer to the User Guide. The default value is auxiliary.

Page 260: ...following command assigns the RS232 port for use with a serial console:
  set port serial mode console
EXAMPLE 2: The following command displays the RS232 port's assignment:
  show port serial

Page 261: ...d exporting the WAN port's speed and duplex.
SYNTAX
When used with set:
  set port wan link <link>
When used with show:
  show port wan link
FIELDS
link (String): The WAN port's link speed and duplex. This can have the following values:
  automatic: The port automatically detects the link speed and duplex.
  10 full, 10 half, 100 full, 100 half.
The default value is automatic.
Chapter 5 CLI Variables 249

Page 262: ...The following command sets the WAN port's speed and duplex to automatic:
  set port wan link automatic
EXAMPLE 2: The following command displays the WAN port's assignment:
  show port wan

Page 263: ...for printing. Usually, no special configuration is required on the NetDefend firewall. However, you may sometimes need to change the port number after completing printer setup. For example, you may want to replace a malfunctioning network printer with another existing network printer without reconfiguring the client computers. To do this, you must change the replacement printer's port number to the malfun...

Page 264: ...P port number.
Note: Printer port numbers may not overlap and must be high ports.
EXAMPLE 1: The following command assigns TCP port 9100 to printer 1:
  set printer 1 port 9100
EXAMPLE 2: The following command displays all printers and their port numbers:
  show printers

Page 265: ...ht. If a specific QoS class is not using all of its bandwidth, the leftover bandwidth is divided among the remaining QoS classes in accordance with their relative weights.
Your NetDefend firewall offers different degrees of traffic shaping, depending on its model:
  Simplified Traffic Shaper: Includes a fixed set of four predefined classes. You can assign network traffic to each class, but you cannot modify...

Page 266: ...oing traffic, and you create an Allow rule associating all outgoing VPN traffic with the Urgent QoS class, then Traffic Shaper will handle outgoing VPN traffic as specified in the bandwidth policy for the Urgent class. If you do not assign a connection type to a class, Traffic Shaper automatically assigns the connection type to the built-in Default class.
SYNTAX
When used with add:
  add qos classes name ...

Page 267: ...t class will be allocated twice the amount of bandwidth as the second when the lines are congested.
uplimit (Integer or String): The maximum rate (in bytes/second) of incoming traffic belonging to this class. This can have the following values:
  A rate
  unlimited: The maximum rate of incoming traffic belonging to this class is unlimited.
The default value is unlimited.
downlimit (Integer or String): The maximum r...

Page 268: ...y-sensitive traffic with a lower latency. That is, Traffic Shaper attempts to send packets with an interactive level before packets with a normal or bulk level.
The default value is normal.
dscp (Integer): The class's DiffServ Code Point (DSCP). The DSCP must be between 0 and 63. If you include this field, packets belonging to this class will be marked with a DSCP. The marked packets will be given priority on ...

Page 269: ...nging to this class is calculated according to the class's weight.
The default value is none.
downguarantee (Integer or String): The guaranteed minimum bandwidth (in bytes/second) for incoming traffic belonging to this class. This can have the following values:
  A rate
  none: The bandwidth for incoming traffic belonging to this class is calculated according to the class's weight.
The default value is none.
...

Page 270: ...raffic:
  set qos classes 1 delayclass interactive
EXAMPLE 3: The following command deletes QoS class 1 in the Quality of Service Classes table:
  delete qos classes 1
EXAMPLE 4: The following command displays the maximum rate of outgoing traffic for QoS class 1 in the Quality of Service Classes table:
  show qos classes 1 downlimit
EXAMPLE 5: The following command deletes all QoS classes in the Quality of Se...

Page 271: ...firewall. When a user accesses the NetDefend Portal and tries to log on, the NetDefend firewall sends the entered user name and password to the RADIUS server. The server then checks whether the RADIUS database contains a matching user name and password pair. If so, the user is logged on and assigned specific permissions.
SYNTAX
When used with set:
  set radius permissions adminaccess <adminaccess> vpna...

Page 272: ...er to remotely access your network via VPN. This can have the following values:
  true: Authenticated users can remotely access your network via VPN.
  false: Authenticated users cannot remotely access your network via VPN.
This field is only relevant if the NetDefend Remote Access VPN Server is enabled. See "vpn server" on page 361.
filteroverride (String): Indicates whether to allow all users authenticated by th...

Page 273: ...nticated users cannot access the My HotSpot page.
This option is only relevant if Secure HotSpot is enabled. See "hotspot" on page 159.
EXAMPLE 1: The following command enables users authenticated by the RADIUS server to override Web Filtering and to modify system settings:
  set radius permissions adminaccess readwrite filteroverride true
EXAMPLE 2: The following command displays all RADIUS permissions:
  show r...

Page 274: ...ervers in the RADIUS table.
SYNTAX
When used with add:
  add radius servers address <address> secret <secret> port <port> realm <realm> timeout <timeout> tries <tries>
When used with set:
  set radius servers <number> address <address> secret <secret> port <port> realm <realm> timeout <timeout> tries <tries>
When used with show:
  show radius servers <number> [address | secret | port | realm | timeout | tries]
When used with clear:
  clear radius se...

Page 275: ...ended to the username as follows: username@realm. For example, if you set the realm to myrealm and the user JohnS attempts to log on to the NetDefend Portal, the NetDefend firewall will send the RADIUS server an authentication request with the username JohnS@myrealm.
This field is only relevant if your organization uses RADIUS realms.
timeout (Integer): The interval of time (in seconds) between attempts to c...

Page 276: ...number is specified, so the default port 1812 will be used.
EXAMPLE 2: The following command specifies that RADIUS server 1 should use port 1814:
  set radius servers 1 port 1814
EXAMPLE 3: The following command displays the IP address of RADIUS server 1 in the RADIUS table:
  show radius servers 1 address
EXAMPLE 4: The following command deletes all RADIUS servers in the RADIUS table:
  clear radius...

Page 277: ...nd destination that does not match any defined static route will be routed to the default gateway.
A static route can be based on the packet's destination IP address, or on its source IP address, in which case it is a source route.
Note: You cannot delete or modify the Default static route (route 1).
SYNTAX
When used with add:
  add routes gateway <gateway> metric <metric> network <network> netmask <netmask> s...

Page 278: ...f the destination network. This can have the following values:
  A subnet mask
  undefined: The route applies to all destination network subnet masks.
gateway (IP Address): The IP address of the gateway (next hop router) to which to route the packets destined for this network.
metric (Integer): The static route's metric. The gateway sends a packet to the route that matches the packet's destination and has the lowes...

Page 279: ...th a metric of 90:
  add routes network 192.168.253.1 netmask 255.255.255.0 gateway 212.143.205.233 metric 90
EXAMPLE 2: The following command changes the metric of route 2 to 80:
  set routes 2 metric 80
EXAMPLE 3: The following command deletes route 2:
  delete routes 2
EXAMPLE 4: The following command displays the settings for all routes:
  show routes
EXAMPLE 5: The following command clears the Static Routes ...
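Added example (not part of the D-Link manual): a model of the route selection the Static Routes section describes, using the manual's own field names (network, netmask, gateway, metric), its "undefined" netmask wildcard, its source-route variant and its fallback to the Default route (route 1). The route table is constructed for illustration; the gateway 212.143.205.234 and the source route are assumptions, not values from the manual.

```python
import ipaddress


def build_sample_routes():
    """Constructed Static Routes table (not from the manual).
    Route 1 is the Default route.  A netmask of "undefined" applies to every
    address.  source=True marks a source route, matched on the packet's
    source IP instead of its destination IP."""
    return [
        {"id": 1, "network": "0.0.0.0", "netmask": "undefined",
         "gateway": "10.0.0.1", "metric": 0, "source": False},
        # Same network as the manual's EXAMPLE 1, metric 90.
        {"id": 2, "network": "192.168.253.1", "netmask": "255.255.255.0",
         "gateway": "212.143.205.233", "metric": 90, "source": False},
        # Constructed competing route to the same network with a lower metric.
        {"id": 3, "network": "192.168.253.0", "netmask": "255.255.255.0",
         "gateway": "212.143.205.234", "metric": 80, "source": False},
        # Constructed source route: traffic *from* 10.1.1.0/24 leaves via 10.9.9.9.
        {"id": 4, "network": "10.1.1.0", "netmask": "255.255.255.0",
         "gateway": "10.9.9.9", "metric": 10, "source": True},
    ]


def route_matches(route, src_ip, dst_ip):
    """True if the packet falls inside the route's network/netmask."""
    if route["netmask"] == "undefined":
        return True  # applies to all destination subnet masks
    addr = ipaddress.ip_address(src_ip if route["source"] else dst_ip)
    # strict=False so a host address such as 192.168.253.1/24 is accepted
    net = ipaddress.ip_network(f'{route["network"]}/{route["netmask"]}', strict=False)
    return addr in net


def select_route(routes, src_ip, dst_ip):
    """Return the matching route with the lowest metric.  A packet that
    matches no defined static route goes to the Default route (route 1)."""
    matches = [r for r in routes if r["id"] != 1 and route_matches(r, src_ip, dst_ip)]
    if not matches:
        return next(r for r in routes if r["id"] == 1)
    return min(matches, key=lambda r: r["metric"])


if __name__ == "__main__":
    table = build_sample_routes()
    for src, dst in [("10.0.0.7", "192.168.253.7"), ("10.0.0.7", "8.8.8.8"),
                     ("10.1.1.5", "192.168.253.7")]:
        chosen = select_route(table, src, dst)
        print(f"{src} -> {dst}: route {chosen['id']} via {chosen['gateway']}")
```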

Page 280: ...1 Microsoft operating systems and Samba clients rely on the Common Internet File System (CIFS), a protocol for sharing files and printers. However, this protocol is also widely used by worms as a means of propagation. You can configure how CIFS worms should be handled.
SYNTAX
When used with set:
  set smartdefense ai cifs file sharing enforce <enforce> log <log>
When used with show:
  show smartdefense ai cifs file sh...

Page 281: ...e ai cifs file sharing
log (String): Indicates whether to log CIFS worm attacks. This can have the following values:
  disabled: Do not log attacks.
  log: Log attacks.
The default value is disabled.

Page 282: ...CIFS worm blocking and logging:
  set smartdefense ai cifs file sharing enforce enabled log log
EXAMPLE 2: The following command displays all CIFS file sharing defense settings, including worm patterns:
  show smartdefense ai cifs file sharing

Page 283: ...from the server. If a match is detected, SmartDefense takes action according to the file sharing settings specified in "smartdefense ai cifs file sharing" on page 268.
You can reset the CIFS worm patterns to their defaults. See "reset smartdefense ai cifs file sharing patterns" on page 40.
SYNTAX
When used with add:
  add smartdefense ai cifs file sharing patterns name <name> active <active> regexp <regexp>
When u...

Page 284: ...orm Patterns table.
name (String): The worm's name.
active (String): Indicates whether SmartDefense should check files for this worm pattern. This can have the following values:
  true: Check files for this worm pattern.
  false: Do not check files for this worm pattern.
The default value is false.
regexp (String): The worm pattern's regular expression.

Page 285: ...m Patterns table:
  set smartdefense ai cifs file sharing patterns 1 active false
EXAMPLE 3: The following command deletes worm pattern 1 in the CIFS Worm Patterns table:
  delete smartdefense ai cifs file sharing patterns 1
EXAMPLE 4: The following command displays all worm patterns:
  show smartdefense ai cifs file sharing patterns
EXAMPLE 5: The following command clears the CIFS Worm Patterns table:
  clear sma...

Page 286: ...ce settings, see "smartdefense ai ftp bounce" on page 277. For information on configuring specific FTP Command settings, see "smartdefense ai ftp commands" on page 279.
FTP settings allow you to configure various protections related to the FTP protocol.
SYNTAX
When used with set:
  set smartdefense ai ftp enforce commands <enforce commands> known ports <known ports> port overflow <port overflow>
When used with show...

Page 287: ...alue is enabled.
known ports (String): Indicates whether to block the FTP server from connecting to well-known ports. This provides a second layer of protection against FTP bounce attacks, by preventing such attacks from reaching well-known ports.
Note: Known ports are published ports associated with services; for example, SMTP is port 25.
This field can have the following values:
  enabled: Block the FTP server...

Page 288: ...lps prevent potential attacks against the FTP server. This field can have the following values:
  enabled: Block PORT commands that contain a number greater than 255.
  disabled: Do not block PORT commands that contain a number greater than 255.
The default value is disabled.
EXAMPLE 1: The following command enables blocking the FTP server from connecting to well-known ports:
  set smartdefense ai ftp known port...

Page 289: ...FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then sends data to the victim machine.
SYNTAX
When used with set:
  set smartdefense ai ftp bounce enforce <enforce> log <log>
When used with show:
  show smartdefense ai ftp bounce [enforce | log]
FIELDS
enforce (String): Indicates whether to enable FTP Bounc...

Page 290: ...ks.
  disabled: Do not log FTP Bounce attacks.
The default value is enabled.
EXAMPLE 1: The following command enables blocking and logging FTP Bounce attacks:
  set smartdefense ai ftp bounce enforce enabled log enabled
EXAMPLE 2: The following command displays all FTP Bounce settings:
  show smartdefense ai ftp bounce
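Added example (not part of the D-Link manual, and not the firewall's own code): a small inspector for the three FTP PORT checks the "smartdefense ai ftp" and "smartdefense ai ftp bounce" sections describe, run over constructed control-channel lines. It flags a PORT whose address differs from the client's own (bounce), a PORT aimed at a well-known port such as SMTP/25 (known ports), and a PORT whose numbers exceed 255 (port overflow); treating "well-known" as the 0-1023 range is an assumption, since the manual only gives port 25 as an example.

```python
import re

# Assumption: "well-known ports" are the IANA range 0-1023; the manual only
# names SMTP (25) as an example of a known port.
WELL_KNOWN_PORT_MAX = 1023

# PORT h1,h2,h3,h4,p1,p2 as sent on the FTP control channel.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)

# Finding name -> the manual's setting name that governs blocking it.
SETTING_FOR = {
    "bounce": "bounce",
    "known_port": "known ports",
    "port_overflow": "port overflow",
}


def inspect_port_command(line, client_ip):
    """Classify one FTP control-channel line from the client at client_ip.

    Returns the set of findings: 'port_overflow', 'bounce', 'known_port'.
    Non-PORT commands produce no findings."""
    m = PORT_RE.match(line)
    if not m:
        return set()
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        # A field above 255 cannot encode an octet or a port byte, so the
        # address/port cannot be trusted: report only the overflow.
        return {"port_overflow"}
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    findings = set()
    if host != client_ip:
        findings.add("bounce")        # data connection requested to a third party
    if port <= WELL_KNOWN_PORT_MAX:
        findings.add("known_port")    # e.g. the server would connect to SMTP/25
    return findings


def decide(line, client_ip, policy):
    """Apply a policy such as {'bounce': 'enabled', 'known ports': 'disabled',
    'port overflow': 'disabled'} (values as in the manual's fields).

    Returns ('block' | 'allow', sorted findings).  Findings whose setting is
    disabled are still returned so they can be logged."""
    findings = inspect_port_command(line, client_ip)
    blocked = any(policy.get(SETTING_FOR[f]) == "enabled" for f in findings)
    return ("block" if blocked else "allow", sorted(findings))


if __name__ == "__main__":
    # Constructed sample session from client 10.1.1.5.
    policy = {"bounce": "enabled", "known ports": "enabled", "port overflow": "disabled"}
    for cmd in ["PORT 10,1,1,5,4,1", "PORT 192,168,1,10,0,25",
                "PORT 10,1,1,5,999,1", "RETR report.txt"]:
        print(cmd, "->", decide(cmd, "10.1.1.5", policy))
```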

Page 291: ...fy which FTP commands should be considered illegal. If SmartDefense detects an illegal FTP command, it takes action according to the enforce commands settings specified in "smartdefense ai ftp" on page 274.
SYNTAX
When used with add:
  add smartdefense ai ftp commands command <command> allowed <allowed>
When used with set:
  set smartdefense ai ftp commands <number> command <command> allowed <allowed>
When used with delet...

Page 292: ...ther the FTP command is legal. This can have the following values:
  true: The FTP command is legal. SmartDefense will allow this command.
  false: The FTP command is illegal. SmartDefense will handle this command in accordance with the enforce commands settings specified in "smartdefense ai ftp" on page 274.
The default value is true.

Page 293: ...in the FTP Commands table as illegal:
  set smartdefense ai ftp commands 1 allowed false
EXAMPLE 3: The following command deletes FTP command 1 in the FTP Commands table:
  delete smartdefense ai ftp commands 1
EXAMPLE 4: The following command displays all FTP commands:
  show smartdefense ai ftp commands
EXAMPLE 5: The following command clears the FTP Commands table:
  clear smartdefense ai ftp commands
...

Page 294: ...s.
Note: SmartDefense can detect ICQ traffic regardless of the TCP port being used to initiate the session.
SYNTAX
When used with set:
  set smartdefense ai im icq enforce <enforce> log <log> block proprietary <block proprietary>
When used with show:
  show smartdefense ai im icq [enforce | log | block proprietary]
FIELDS
enforce (String): Indicates whether to enable ICQ connection blocking. This can have the following va...

Page 295: ...his can have the following values:
  enabled: Proprietary protocol blocking is enabled. This in effect prevents all communication using this instant messenger application.
  disabled: Proprietary protocol blocking is disabled.
The default value is enabled.
EXAMPLE 1: The following command enables blocking and logging ICQ connections:
  set smartdefense ai im icq enforce enabled log enabled
EXAMPLE 2: The followin...

Page 296: ...detect Skype traffic regardless of the TCP port being used to initiate the session.
SYNTAX
When used with set:
  set smartdefense ai im skype enforce <enforce> log <log> block proprietary <block proprietary>
When used with show:
  show smartdefense ai im skype [enforce | log | block proprietary]
FIELDS
See "smartdefense ai im icq" on page 282.
EXAMPLE 1: The following command enables blocking and logging Skype connectio...

Page 297: ...e can detect Yahoo traffic regardless of the TCP port being used to initiate the session.
SYNTAX
When used with set:
  set smartdefense ai im yahoo enforce <enforce> log <log> block proprietary <block proprietary>
When used with show:
  show smartdefense ai im yahoo [enforce | log | block proprietary]
FIELDS
See "smartdefense ai im icq" on page 282.
EXAMPLE 1: The following command enables blocking and logging Yahoo con...

Page 298: ...ents not only downloads but also search operations.
Note: SmartDefense can detect BitTorrent traffic regardless of the TCP port being used to initiate the session.
SYNTAX
When used with set:
  set smartdefense ai p2p bittorrent enforce <enforce> log <log> block proprietary <block proprietary>
When used with show:
  show smartdefense ai p2p bittorrent [enforce | log | block proprietary]
FIELDS
enforce (String): Indicates ...

Page 299: ...is can have the following values:
  enabled: Proprietary protocol blocking is enabled. This in effect prevents all communication using this instant messenger application.
  disabled: Proprietary protocol blocking is disabled.
The default value is enabled.
EXAMPLE 1: The following command enables blocking and logging BitTorrent connections:
  set smartdefense ai p2p bittorrent enforce enabled log enabled
EXAMPLE ...

Page 300: ...tary protocols and preventing the initial connection to the eMule networks. This prevents not only downloads but also search operations.
Note: SmartDefense can detect eMule traffic regardless of the TCP port being used to initiate the session.
SYNTAX
When used with set:
  set smartdefense ai p2p emule enforce <enforce> log <log> block proprietary <block proprietary>
When used with show:
  show smartdefense ai p2p...

Page 301: ...ing command enables blocking and logging eMule connections:
  set smartdefense ai p2p emule enforce enabled log enabled
EXAMPLE 2: The following command displays all eMule SmartDefense settings:
  show smartdefense ai p2p emule

Page 302: ...oprietary protocols and preventing the initial connection to the Gnutella networks. This prevents not only downloads but also search operations.
Note: SmartDefense can detect Gnutella traffic regardless of the TCP port being used to initiate the session.
SYNTAX
When used with set:
  set smartdefense ai p2p gnutella enforce <enforce> log <log> block proprietary <block proprietary>
When used with show:
  show smart...

Page 303: ...ommand enables blocking and logging Gnutella connections:
  set smartdefense ai p2p gnutella enforce enabled log enabled
EXAMPLE 2: The following command displays all Gnutella SmartDefense settings:
  show smartdefense ai p2p gnutella

Page 304: ...tary protocols and preventing the initial connection to the KaZaA networks. This prevents not only downloads but also search operations.
Note: SmartDefense can detect KaZaA traffic regardless of the TCP port being used to initiate the session.
SYNTAX
When used with set:
  set smartdefense ai p2p kazaa enforce <enforce> log <log> block proprietary <block proprietary>
When used with show:
  show smartdefense ai p2p...

Page 305: ...ing command enables blocking and logging KaZaA connections:
  set smartdefense ai p2p kazaa enforce enabled log enabled
EXAMPLE 2: The following command displays all KaZaA SmartDefense settings:
  show smartdefense ai p2p kazaa

Page 306: ...e IGMP protocol usually target a vulnerability in the multicast routing software or hardware used, by sending specially crafted IGMP packets.
SYNTAX
When used with set:
  set smartdefense ai routing igmp enforce <enforce> log <log> enforce mcast <enforce mcast>
When used with show:
  show smartdefense ai routing igmp [enforce | log | enforce mcast]
FIELDS
enforce (String): Indicates whether to enable IGMP attack blocking. T...

Page 307: ...or broadcast address might constitute an attack; therefore, the NetDefend firewall blocks such packets. This field can have the following values:
  enabled: Non-multicast IGMP packet blocking is enabled. All IGMP packets that are sent to non-multicast addresses will be blocked.
  disabled: Non-multicast IGMP packet blocking is disabled.
The default value is enabled.
EXAMPLE 1: The following command enables blo...

Page 308: ...igh volumes of non-TCP traffic. Since such traffic is connectionless, the related state information cannot be cleared or reset, and the firewall State table is quickly filled up. This prevents the firewall from accepting new connections and results in a Denial of Service (DoS).
You can protect against Non-TCP Flooding attacks by limiting the percentage of state table capacity used for non-TCP connections...

Page 309: ...itional non-TCP connections is enabled.
  disabled: Blocking additional non-TCP connections is disabled.
The default value is disabled.
log (String): Indicates whether to log non-TCP connections that exceed the percent threshold. This can have the following values:
  enabled: Log the connections.
  disabled: Do not log the connections.
The default value is disabled.
percent (Integer): The maximum percentage of state table...

Page 310: ...TCP connections that exceed 50% of the state table capacity:
  set smartdefense network security dos flooding enforce enabled log enabled percent 50
EXAMPLE 2: The following command displays all Non-TCP Flooding settings:
  show smartdefense network security dos flooding

Page 311: ...to reply to itself, and either reboots or crashes.
SYNTAX
When used with set:
  set smartdefense network security dos land enforce <enforce> log <log>
When used with show:
  show smartdefense network security dos land [enforce | log]
FIELDS
enforce (String): Indicates whether to enable LAND attack blocking. This can have the following values:
  enabled: LAND attack blocking is enabled.
  disabled: LAND attack blocking is di...

Page 312: ...command enables blocking and logging LAND attacks:
  set smartdefense network security dos land enforce enabled log enabled
EXAMPLE 2: The following command displays all LAND settings:
  show smartdefense network security dos land

Page 313: ...G request that exceeds the maximum IP packet size (64KB). Some operating systems are unable to handle such requests and crash.
SYNTAX
When used with set:
  set smartdefense network security dos ping of death enforce <enforce> log <log>
When used with show:
  show smartdefense network security dos ping of death [enforce | log]
FIELDS
enforce (String): Indicates whether to enable Ping of Death attack blocking. This can h...

Page 314: ...Do not log Ping of Death attacks.
The default value is enabled.
EXAMPLE 1: The following command enables blocking and logging Ping of Death attacks:
  set smartdefense network security dos ping of death enforce enabled log enabled
EXAMPLE 2: The following command displays all Ping of Death settings:
  show smartdefense network security dos ping of death

Page 315: ...the latter entirely contained within the former. This causes some computers to allocate too much memory and crash.
SYNTAX
When used with set:
  set smartdefense network security dos teardrop enforce <enforce> log <log>
When used with show:
  show smartdefense network security dos teardrop [enforce | log]
FIELDS
enforce (String): Indicates whether to enable Teardrop attack blocking. This c...

Page 316: ...bled: Do not log Teardrop attacks.
The default value is enabled.
EXAMPLE 1: The following command enables blocking and logging Teardrop attacks:
  set smartdefense network security dos teardrop enforce enabled log enabled
EXAMPLE 2: The following command displays all Teardrop settings:
  show smartdefense network security dos teardrop

Page 317: ...5 (IP Mobility), 77 (Sun ND) or 103 (Protocol Independent Multicast, PIM), the router will stop processing inbound traffic on that interface.
SYNTAX
When used with set:
  set smartdefense network security ip icmp cisco ios enforce <enforce> log <log> num hops <num hops> proto 103 <proto 103> proto 53 <proto 53> proto 55 <proto 55> proto 77 <proto 77>
When used with show:
  show smartdefense network security ip icmp cisco ios e...

Page 318: ...tring): Indicates whether to enable dropping IPv4 packets of the PIM (Protocol 103) type. This can have the following values:
  enabled: Packet dropping is enabled for this protocol type.
  disabled: Packet dropping is disabled for this protocol type.
The default value is enabled.
proto 53 (String): Indicates whether to enable dropping IPv4 packets of the SWIPE (Protocol 53) type. This can have the following values:
  en...

Page 319: ...ckets of the SUN-ND (Protocol 77) type. This can have the following values:
  enabled: Packet dropping is enabled for this protocol type.
  disabled: Packet dropping is disabled for this protocol type.
The default value is enabled.
EXAMPLE 1: The following command enables blocking and logging Cisco IOS DoS attacks, as well as dropping PIM (Protocol 103) packets:
  set smartdefense network security ip icmp cisco ios e...

Page 320: ...exploit, an attacker might imitate this common behavior and break the data section of a single packet into several fragmented packets. Without reassembling the fragments, it is not always possible to detect such an attack. Therefore, the NetDefend firewall always reassembles all the fragments of a given IP packet before inspecting it, to make sure there are no attacks or exploits in the packet.
SYNTAX
Wh...

Page 321: ...ncomplete (Integer): The maximum number of fragmented packets allowed. Packets exceeding this threshold will be dropped.
The default value is 300.
timeout (Integer): The number of seconds to wait before discarding incomplete packets. When the NetDefend firewall receives packet fragments, it waits for additional fragments to arrive so that it can reassemble the packet. If no packets arrive within the specified...

Page 322: ...nables dropping and logging IP fragments:
  set smartdefense network security ip icmp fragments forbid enabled log enabled
EXAMPLE 2: The following command displays all IP Fragments settings:
  show smartdefense network security ip icmp fragments

Page 323: ...s with a reply echoing the client's data. An attacker can echo the client with a large amount of data, causing a buffer overflow. You can protect against such attacks by limiting the allowed size for ICMP echo requests.
SYNTAX
When used with set:
  set smartdefense network security ip icmp max ping size enforce <enforce> log <log> size <size>
When used with show:
  show smartdefense network security ip icmp max p...

Page 324: ...nabled.
size (Integer): The maximum data size for an ICMP echo response.
The default value is 1500.
EXAMPLE 1: The following command enables blocking and logging ICMP echo responses that exceed a size of 1400:
  set smartdefense network security ip icmp max ping size enforce enabled log enabled size 1400
EXAMPLE 2: The following command displays all Max Ping Size settings:
  show smartdefense network security ip ic...

Page 325: ...rver in your network by establishing a very large number of connections per second. To protect against Denial of Service (DoS) attacks, Network Quota enforces a limit upon the number of connections per second that are allowed from the same source IP address. You can configure how connections that exceed that limit should be handled.
SYNTAX
When used with set:
  set smartdefense network security ip icmp net...

Page 326: ...w connections from the same source is disabled.
The default value is enabled.
log (String): Indicates whether to log connections from a specific source that exceed the max threshold. This can have the following values:
  enabled: Log the connections.
  disabled: Do not log the connections.
The default value is enabled.
max (Integer): The maximum number of network connections allowed per second from the same source I...

Page 327: ...g connections from a specific source that exceed 150 connections/second:
  set smartdefense network security ip icmp net quota enforce enabled log enabled max 150
EXAMPLE 2: The following command displays all Network Quota settings:
  show smartdefense network security ip icmp net quota

Page 328: ...e hosts.
SYNTAX
When used with set:
  set smartdefense network security ip icmp null payload enforce <enforce> log <log>
When used with show:
  show smartdefense network security ip icmp null payload [enforce | log]
FIELDS
enforce (String): Indicates whether to enable blocking null payload ping packets. This can have the following values:
  enabled: Blocking is enabled.
  disabled: Blocking is disabled.
The default value is ...

Page 329: ...enables blocking and logging null payload packets:
  set smartdefense network security ip icmp null payload enforce enabled log enabled
EXAMPLE 2: The following command displays all Null Payload settings:
  show smartdefense network security ip icmp null payload

Page 330: ...DP and TCP header lengths, dropping IP options, and verifying the TCP flags.
SYNTAX
When used with set:
  set smartdefense network security ip icmp packet sanity enforce <enforce> log <log> disable relaxed udp len verification <disable relaxed udp len verification>
When used with show:
  show smartdefense network security ip icmp packet sanity [enforce | log | disable relaxed udp len verification]
FIELDS
enforce (Strin...

Page 331: ...ied in the UDP header. If the two values differ, the packet may be corrupted. However, since different applications may measure UDP header length differently, the NetDefend firewall relaxes the UDP length verification sanity check by default, performing the check but not dropping offending packets. This is called relaxed UDP length verification. This field can have the following values:
  true: Disable relaxe...

Page 332: ...king and logging packets that fail a sanity test:
  set smartdefense network security ip icmp packet sanity enforce enabled log enabled
EXAMPLE 2: The following command displays all Packet Sanity settings:
  show smartdefense network security ip icmp packet sanity

Page 333: ...e computers to infect. It does so by sending a specific ping packet to a target and waiting for the reply that signals that the target is alive. This flood of pings may disrupt network connectivity.
SYNTAX
When used with set:
  set smartdefense network security ip icmp welchia enforce <enforce> log <log>
When used with show:
  show smartdefense network security ip icmp welchia [enforce | log]
FIELDS
enforce (String...

Page 334: ...Do not log the attack.
The default value is enabled.
EXAMPLE 1: The following command enables blocking and logging Welchia worm attacks:
  set smartdefense network security ip icmp welchia enforce enabled log enabled
EXAMPLE 2: The following command displays all Welchia worm settings:
  show smartdefense network security ip icmp welchia

Page 335: ...etermine whether ports are open and vulnerable to an attack. This is most commonly done by attempting to access a port and waiting for a response. The response indicates whether or not the port is open.
In a Host Port Scan, the attacker scans a specific host's ports to determine which of the ports are open.
SYNTAX
When used with set:
  set smartdefense network security port scan host port scan num <num> per...

Page 336: ...t the activity as a port scan.
The default value is 30.
period (Integer): The maximum number of seconds that can elapse, during which the num threshold is exceeded, in order for SmartDefense to detect the activity as a port scan. SmartDefense detects port scans by measuring the number of ports accessed over a period of time. The number of ports accessed must exceed the num value within the number of secon...

Page 337: ...to issue logs for scans. This can have the following values:
  enabled: Log the scan.
  disabled: Do not log the scan.
The default value is disabled.
EXAMPLE 1: The following command configures SmartDefense to detect the accessing of 30 or more ports within a period of up to 20 seconds as a Host Port Scan:
  set smartdefense network security port scan host port scan num 30 period 20
EXAMPLE 2: The following comma...

Page 338: ...ether ports are open and vulnerable to an attack. This is most commonly done by attempting to access a port and waiting for a response. The response indicates whether or not the port is open.
In a Sweep Scan, the attacker scans a specific host's ports to determine which of the ports are open.
SYNTAX
When used with set:
  set smartdefense network security port scan ip sweep scan num <num> period <period> exter...

Page 339: ...detect the activity as a port scan.
The default value is 50.
period (Integer): The maximum number of seconds that can elapse, during which the num threshold is exceeded, in order for SmartDefense to detect the activity as a port scan. SmartDefense detects port scans by measuring the number of ports accessed over a period of time. The number of ports accessed must exceed the num value within the number of...

Page 340: ...issue logs for scans. This can have the following values:
  enabled: Log the scan.
  disabled: Do not log the scan.
The default value is disabled.
EXAMPLE 1: The following command configures SmartDefense to detect the accessing of 30 or more ports within a period of up to 20 seconds as a Sweep Scan:
  set smartdefense network security port scan ip sweep scan num 30 period 20
EXAMPLE 2: The following command disp...
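Added example (not part of the D-Link manual, and not the firewall's own implementation) covering both the Host Port Scan and the Sweep Scan sections above: a sliding-window detector that applies the num/period rule to constructed connection records. Following the manual's EXAMPLE 1 wording, it treats "num or more" distinct ports within period seconds as a scan (an assumption, since the field text says "exceed"); the sweep variant counts distinct hosts touched on one port, which generalizes the same rule beyond the manual's text. The period value 20 and the default num values 30 and 50 are taken from the manual's examples and field descriptions.

```python
from collections import Counter, defaultdict


def build_sample_connections():
    """Constructed connection log (not from the manual):
    (timestamp_seconds, src_ip, dst_ip, dst_port)."""
    conns = []
    # Normal traffic: one client, one server, one port, many connections.
    for i in range(40):
        conns.append((100.0 + i, "10.0.0.3", "192.168.1.20", 80))
    # Host port scan: one source touches 35 distinct ports on one host in ~10 s.
    for p in range(1, 36):
        conns.append((100.0 + 0.3 * p, "10.0.0.9", "192.168.1.20", p))
    # Sweep scan: the same source probes port 445 on 50 hosts in ~10 s.
    for h in range(1, 51):
        conns.append((200.0 + 0.2 * h, "10.0.0.9", f"192.168.1.{h}", 445))
    return conns


def _window_reaches(events, num, period):
    """events: list of (timestamp, key).  True if at least `num` distinct keys
    fall inside some window of `period` seconds.  Assumption: the manual's
    example reads the rule as "num or more within period seconds"."""
    events = sorted(events)
    in_window = Counter()
    left = 0
    for ts, key in events:
        in_window[key] += 1
        # Drop events older than the window ending at ts.
        while events[left][0] < ts - period:
            old = events[left][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        if len(in_window) >= num:
            return True
    return False


def detect_host_port_scans(conns, num=30, period=20):
    """(src, dst) pairs where src accessed >= num distinct ports of dst
    within `period` seconds.  num defaults to the manual's value (30)."""
    groups = defaultdict(list)
    for ts, src, dst, dport in conns:
        groups[(src, dst)].append((ts, dport))
    return {k for k, ev in groups.items() if _window_reaches(ev, num, period)}


def detect_sweep_scans(conns, num=50, period=20):
    """(src, port) pairs where src accessed the same port on >= num distinct
    hosts within `period` seconds.  num defaults to the manual's value (50)."""
    groups = defaultdict(list)
    for ts, src, dst, dport in conns:
        groups[(src, dport)].append((ts, dst))
    return {k for k, ev in groups.items() if _window_reaches(ev, num, period)}


if __name__ == "__main__":
    log = build_sample_connections()
    print("host port scans:", detect_host_port_scans(log))
    print("sweep scans:", detect_sweep_scans(log))
```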

Page 341: ...ts. Each packet carries a large overhead, which creates a bottleneck on the server. You can protect against this attack by specifying a minimum packet size for data sent over the Internet.
SYNTAX. When used with set:
set smartdefense network security tcp small pmtu enforce enforce log log size size
When used with show:
show smartdefense network security tcp small pmtu enforce log size
FIELDS. enforce (String): In...

Page 342: ...ent. An overly small value will not prevent an attack, while an overly large value might degrade performance and cause legitimate requests to be dropped. The default value is 300.
EXAMPLE 1: The following command enables blocking and logging of packets whose MTU value is smaller than 250:
set smartdefense network security tcp small pmtu enforce enabled log enabled size 250
EXAMPLE 2: The following co...

Page 343: ...packets can occur after the NetDefend restarts, since connections established before the reboot are unknown to it. This is normal and does not indicate an attack. You can configure how out-of-state TCP packets should be handled.
SYNTAX. When used with set:
set smartdefense network security tcp strict tcp enforce enforce log log
When used with show:
show smartdefense network security tcp strict tc...

Page 344: ...not log the packet. The default value is enabled.
EXAMPLE 1: The following command enables blocking and logging of out-of-state TCP packets (this variable has no size field; that belongs to tcp small pmtu):
set smartdefense network security tcp strict tcp enforce enabled log enabled
EXAMPLE 2: The following command displays all Strict TCP settings:
show smartdefense network security tcp strict tcp

Page 345: ...to www.sofaware.com/servicecenters to locate your nearest Service Center.
SYNTAX. When used with set:
set smp server server gatewayid gatewayid registrationkey registrationkey connect connect
When used with show:
show smp server gatewayid registrationkey connect
FIELDS. server (IP Address): The desired Service Center's IP address, as given to you by your system administrator. gatewayid (String): Your gateway...

Page 346: ...ur NetDefend firewall. softwareupdates (String): The Software Updates service mode. This can have the following values: automatic (the appliance automatically checks for software updates and installs them without user intervention); manual (software updates must be checked for manually).
EXAMPLE 1: The following command disconnects you from your Service Center:
set smp connect disabled
EXAMPLE 2: The following d...

Page 347: ...t SNMP (Simple Network Management Protocol). You can also allow SNMP access from the Internet by configuring remote SNMP access. The NetDefend firewall supports the following SNMP MIBs: SNMPv2-MIB, RFC1213-MIB, IF-MIB and IP-MIB. All SNMP access is read-only. Note that the community string is the only credential for this access and travels in clear text, so restrict the iprange to known management stations rather than opening it to any address.
SYNTAX. When used with set:
set snmp mode mode iprange iprange community community location location contact contact port port
When used with show:
show snmp ...

Page 348: ...Address or String): The desired IP address range. This can have the following values: an IP address; an IP address range (to specify a range, use the format Start IP Address-End IP Address); undefined (no IP address range is defined). The default value is undefined. community (String): The SNMP community string. SNMP management stations must present this string, which acts as a password, when querying t...

Page 349: ...nteger): The port to use for SNMP. The default value is 161.
EXAMPLE 1: The following command allows SNMP access to the NetDefend firewall from any IP address:
set snmp mode any
EXAMPLE 2: The following command displays the IP address or IP address range from which SNMP access is granted:
show snmp iprange

Page 350: ...ll via the command line, using the SSH (Secure Shell) management protocol. You can also allow SSH access from the Internet by configuring remote SSH access, and you can integrate the NetDefend firewall with SSH-based management systems. Note: The NetDefend firewall supports SSHv2 clients only.
SYNTAX. When used with set:
set ssh mode mode iprange iprange
When used with show:
show ssh mode iprange

Page 351: ...ork and your VPN. The default value is internal. Warning: If remote SSH is enabled, your NetDefend firewall settings can be changed remotely, so it is especially important to make sure that all NetDefend firewall users' passwords are difficult to guess. iprange (IP Address or String): The desired IP address range. This can have the following values: an IP address; an IP address range (to specify a range, use the foll...

Page 352: ...nd users to access the NetDefend command line interface over SSH from any IP address:
set ssh mode any
EXAMPLE 2: The following command displays the IP address or IP address range from which SSH access is granted:
show ssh iprange

Page 353: ...ou can change the interval at which the NetDefend firewall collects traffic data.
SYNTAX. When used with set:
set statistics interval interval
When used with show:
show statistics interval
FIELDS. interval (Integer): The interval, in seconds, at which the NetDefend firewall collects traffic data. The default value is 18000.
EXAMPLE 1: The following command configures the NetDefend firewall to colle...

Page 354: ...statistics
EXAMPLE 2: The following command displays the Traffic Monitor settings:
show statistics

Page 355: ...details include the source and destination IP address, the destination port, and the protocol used for the communication attempt (for example, TCP or UDP). The same information is also available on the Event Log page. However, while the Event Log can display hundreds of logs, a Syslog server can store an unlimited number of logs, and Syslog servers provide useful tools for managing your logs. Syslog messages leave the appliance in clear text, so the server should sit on a trusted internal network, not across the Internet. N...

Page 356: ...Syslog server is defined. The default value is undefined. port (Integer): The port number of the Syslog server. The default value is 514.
EXAMPLE 1: The following command configures the NetDefend firewall to send logs to the computer at 192.168.10.11:
set syslog address 192.168.10.11
EXAMPLE 2: The following command displays the Syslog server IP address:
show syslog address

Page 357: ...the admin user (user 1): Name, Administrator level and Web Filtering override. Furthermore, you cannot delete this user.
SYNTAX. When used with add:
add users name name password password adminaccess adminaccess vpnaccess vpnaccess filteroverride filteroverride hotspotaccess hotspotaccess expire expire
When used with set:
set users number name name password password adminaccess adminaccess vpnaccess vpnaccess f...

Page 358: ...password. This must be five to 25 characters, letters or numbers. adminaccess (String): The user's level of access to the NetDefend Portal. This can have the following values: none (the user cannot access the NetDefend Portal); readonly (the user can log on to the NetDefend Portal but cannot modify system settings); readwrite (the user can log on to the NetDefend Portal and modify system settings). The default lev...

Page 359: ...rver on page . filteroverride (String): Indicates whether to allow the user to override Web Filtering. This can have the following values: true (the user can override Web Filtering); false (the user cannot override Web Filtering). This option only appears if the Web Filtering service is defined; see webfilter mode. hotspotaccess (String): Indicates whether to allow the user to log on to the My HotSpot page. This can...

Page 360: ...eridian, where MMM = month, DD = day, YYYY = year, hh = hours, mm = minutes, ss = seconds and meridian = AM or PM; for example, Dec 01 2005 06:16:00PM. The default value is never.
EXAMPLE 1: The following command adds the user JohnSmith, assigns him the password JohnS1 and sets an expiration time (the password shown only illustrates the syntax; choose a longer, harder-to-guess one in practice):
add users name JohnSmith password JohnS1 expire Dec 01 2005 06:16:00PM
EXAMPLE 2: The following command specifies that user 2 in the ...

Page 361: ...following command deletes user 2:
delete users 2
EXAMPLE 4: The following command displays the details for all users:
show users
EXAMPLE 5: The following command clears the Users table:
clear users

Page 362: ...exporting specific VLAN OSPF settings, see vlan ospf on page 357 and vlan ospf md5 on page 359. Clearing the VLAN Networks table. Your NetDefend firewall allows you to partition your network into several virtual LAN networks (VLANs). A VLAN is a logical network behind the NetDefend firewall. Computers in the same VLAN behave as if they were on the same physical network: traffic flows freely between them wit...

Page 363: ...For information on setting up one of the appliance's ports as a VLAN trunk, see port. Port-based: A port-based VLAN allows you to assign the appliance's LAN ports to VLANs, effectively transforming the appliance's four-port switch into up to four firewall-isolated security zones. You can assign multiple ports to the same VLAN, or each port to a separate VLAN. For information on assigning ports to VLAN networks...

Page 364: ...The VLAN network's type. This can have the following values: portbased (a port-based VLAN); tagbased (a tag-based VLAN). tag (Integer): The VLAN network's VLAN tag. By default the appliance assigns a number one higher than the tag of the last tag-based VLAN defined; for example, if you assigned the tag 9 to the last tag-based VLAN you defined, the new VLAN network's tag will by default be 10. This fiel...

Page 365: ...end firewall operates as a DHCP server. This allows the NetDefend firewall to automatically configure all the devices on the VLAN network with their network configuration details. If you already have a DHCP server in the VLAN's internal network and you want to use it instead of the NetDefend DHCP server, you must disable the NetDefend DHCP server, since you cannot have two DHCP servers or relays on th...

Page 366: ...c (the NetDefend DHCP server automatically sets the DHCP address range); a DHCP address range (relevant only if the NetDefend DHCP server is enabled; to specify a range, use the format Start IP Address-End IP Address). The default value is automatic. dhcprelayip (IP Address): The IP address of the desired DHCP relay server. This can have the following values: an IP address; undefined (no relay DHCP serv...

Page 367: ...bility, see ha on page 148. hidenat (String): Indicates whether to use Hide NAT. Hide NAT enables you to share a single public Internet IP address among several computers by hiding the private IP addresses of the internal VLAN computers behind the VLAN network's single Internet IP address. This field can have the following values: enabled (Hide NAT is enabled); disabled (Hide NAT is disabled). The default valu...

Page 368: ...vlan name office type tagbased hidenat disabled
EXAMPLE 2: The following command sets the tag of the first VLAN network in the VLAN Networks table to 10 and disables the DHCP server:
set vlan 1 tag 10 dhcpserver disabled
EXAMPLE 3: The following command deletes the first VLAN network in the VLAN Networks table:
delete vlan 1
EXAMPLE 4: The following command displays the DHCP range of the first VLAN in...

Page 369: ...specific authentication settings, see vlan ospf md5 on page 359. This variable is only relevant if OSPF is enabled; for information, see ospf on page 231.
SYNTAX. When used with set:
set vlan number ospf cost cost
When used with show:
show vlan number ospf cost
FIELDS. number (Integer): The VLAN network's row in the VLAN table. cost (Integer): The cost of sending a packet on the VLAN interface. OSPF routers send a...

Page 370: ...The following command sets the OSPF cost for VLAN network 1:
set vlan 1 ospf cost 10
EXAMPLE 2: The following command displays the OSPF settings for VLAN network 1:
show vlan 1 ospf

Page 371: ...e ospf on page 231.
SYNTAX. When used with set:
set vlan number ospf md5 enabled enabled key key password password
When used with show:
show vlan number ospf md5 enabled key password
FIELDS. number (Integer): The VLAN network's row in the VLAN table. enabled (String): Indicates whether to use the MD5 authentication scheme for OSPF connections. This can have the following values: true (use the MD5 authentication ...

Page 372: ...be the same for OSPF neighbors. MD5 authentication lets neighbors reject routing updates that do not carry the shared key; it does not encrypt the OSPF traffic itself.
EXAMPLE 1: The following command enables authentication for OSPF connections for VLAN network 1:
set vlan 1 ospf md5 enabled true key 1 password thepassword
EXAMPLE 2: The following command displays the OSPF MD5 authentication settings for VLAN network 1:
show vlan 1 ospf md5

Page 373: ...users can connect to the Remote Access VPN Server via Check Point SecuRemote or via a NetDefend firewall in Remote Access VPN mode. Note: The Check Point SecuRemote Remote Access VPN Client can be downloaded free of charge via the NetDefend Portal; for instructions, refer to the User Guide. Note: After you have set up the Remote Access VPN Server, you can grant users permission to access your network via VPN...

Page 374: ...ecting to your internal network. This can have the following values: enabled (authenticated users connecting from the Internet can bypass NAT); disabled (authenticated users connecting from the Internet cannot bypass NAT). The default value is disabled. bypassfw (String): Indicates whether to allow authenticated users connecting from the Internet to bypass the firewall and access your internal network without...

Page 375: ...that authenticated users should be allowed to bypass NAT but not the firewall (with bypassfw enabled, the user's VPN credentials become the only control on internal access, so leave it disabled unless firewall rules cannot express what you need):
set vpn externalserver mode enabled bypassnat enabled bypassfw disabled
EXAMPLE 2: The following command displays the Remote Access VPN Server Bypass NAT setting:
show vpn externalserver bypassnat

Page 376: ...a layer of security to such connections. For example, while you could create a firewall rule allowing a specific user on the DMZ to access the LAN, enabling VPN access for the user means that such connections can be encrypted and authenticated. For more information on the internal VPN Server, refer to the User Guide. Note: The Check Point SecuRemote Remote Access VPN Client can be downloaded free of charge via...

Page 377: ...ccess your internal network without restriction. This can have the following values: enabled (authenticated users connecting from internal networks can bypass the firewall); disabled (authenticated users connecting from internal networks cannot bypass the firewall). The default value is disabled.
EXAMPLE 1: The following command enables the internal VPN Server and specifies that authenticated users should b...

Page 378: ...2 loginmode loginmode configmode configmode authmethod authmethod keepalive keepalive bypassnat bypassnat bypassfw bypassfw user user password password topopass topopass servicename servicename net1 net1 netmask1 netmask1 net2 net2 netmask2 netmask2 net3 net3 netmask3 netmask3 usepfs usepfs phase1ikealgs phase1ikealgs phase1exptime phase1exptime phase1dhgroup phase1dhgroup phase2ikealgs phase2ikea...

Page 379: ...ealgs phase2ikealgs phase2exptime phase2exptime phase2dhgroup phase2dhgroup dnsname dnsname vtilocalip vtilocalip vtiremoteip vtiremoteip
When used with delete:
delete vpn sites number
When used with show:
show vpn sites number name type gateway disabled gateway2 loginmode configmode authmethod keepalive bypassnat bypassfw user password topopass servicename net1 netmask1 net2 netmask2 net3 netmask3 ...

Page 380: ...ou want to connect, as given to you by the network administrator. disabled (String): Indicates whether the VPN site is enabled or disabled. This can have the following values: true (the VPN site is disabled); false (the VPN site is enabled). The default value is false. You can only connect to VPN sites that are enabled. gateway2 (IP Address or String): The IP address of the VPN site to use if the primary VPN site fails. This...

Page 381: ...priate user name and password have been entered. automatic: Enables the NetDefend firewall to log on to the VPN site automatically; you must then include the user and password fields. Automatic Login provides all the computers on your internal network with constant access to the VPN site. The default value is manual. This field is only relevant for Remote Access VPN sites. For further information on Auto...

Page 382: ...u can choose to route all traffic from the remote offices through the central office. Note: You can only configure one VPN site to route all traffic. routebased: Allows this VPN site to participate in a route-based VPN. Route-based VPNs allow routing connections over VPN tunnels, so that remote VPN sites can participate in dynamic or static routing schemes...

Page 383: ...on how to install a certificate. secureid: Use an RSA SecurID token for VPN authentication. When authenticating to the VPN site you must enter a four-digit PIN code and the SecurID passcode shown in your SecurID token's display; the RSA SecurID token generates a new passcode every minute. SecurID is only supported in Remote Access manual login mode. The default value is sharedsecret. keepalive (String): Ind...

Page 384: ...ollowing values: enabled (the VPN site can bypass the firewall); disabled (the VPN site cannot bypass the firewall). The default value is disabled. This field is only relevant for Site-to-Site VPNs. user (String): A user name. The value of this field depends on the type of VPN site. For Remote Access VPN sites configured for Automatic Login, this is the user name used for logging on to the VPN site. For Sit...

Page 385: ...es. These fields are only relevant for VPN sites with manually specified network configurations. netmask1 through netmask3 (IP Address): The subnet mask for the destination network address. This field can have the following values: a subnet mask; undefined (no subnet mask is defined). The default value is undefined. These fields are only relevant for VPN sites with manually specified network configurations. us...

Page 386: ...3des md5, 3des sha1, aes128 md5, aes128 sha1, aes256 md5, aes256 sha1. The default value is automatic. phase1exptime (Integer): The interval, in minutes, between IKE Phase 1 key negotiations; this is the IKE Phase 1 SA lifetime. A shorter interval gives higher security but impacts performance heavily, so it is recommended to keep the SA lifetime around its default value. The default value is 1440 min...

Page 387: ...algorithm to use for VPN traffic. This can have the following values: automatic (the NetDefend firewall automatically selects the best security methods supported by the site); des md5; des sha1; 3des md5; 3des sha1; aes128 md5; aes128 sha1; aes256 md5; aes256 sha1. The default value is automatic. Avoid the des options where the peer allows it: single DES has a 56-bit key and can be brute-forced, so prefer aes128 or aes256 with sha1. phase2exptime (Integer): The interval, in seconds, between IPSec SA key negotiations; this is the IKE Phase 2 SA lifetime...

Page 388: ...me. The NetDefend firewall resolves the DNS name to the IP address. vtilocalip (IP Address or String): The local virtual tunnel interface (VTI) IP address. This can have the following values: an IP address; undefined (the VTI IP address is not defined). The default value is undefined. vtiremoteip (IP Address or String): The VPN peer's VTI IP address. This can have the following values: an IP address; undefined (the VT...

Page 389: ...tes table to Automatic. This mode requires you to specify the user name and password for logging on to the VPN site:
set vpn sites 1 loginmode automatic user JohnS password
EXAMPLE 3: The following command deletes VPN site 1:
delete vpn sites 1
EXAMPLE 4: The following command displays the VPN network configuration mode for VPN site 1:
show vpn sites 1 configmode
EXAMPLE 5: The following command clears t...

Page 390: ...variable is only relevant if OSPF is enabled and the VPN site is route-based. For information on configuring OSPF, see ospf on page 231. For information on configuring route-based VPNs, see vpn sites on page 366.
SYNTAX. When used with set:
set vpn sites number ospf cost cost
When used with show:
show vpn sites number ospf cost
FIELDS. number (Integer): The VPN site's row in the VPN Sites table. cost (Integer): T...

Page 391: ...XAMPLE 1: The following command sets the OSPF cost for VPN site 1:
set vpn sites 1 ospf cost 10
EXAMPLE 2: The following command displays the OSPF settings for VPN site 1:
show vpn sites 1 ospf

Page 392: ...31. For information on configuring route-based VPNs, see vpn sites on page 366.
SYNTAX. When used with set:
set vpn sites number ospf md5 enabled enabled key key password password
When used with show:
show vpn sites number ospf md5 enabled key password
FIELDS. number (Integer): The VPN site's row in the VPN Sites table. enabled (String): Indicates whether to use the MD5 authentication scheme for OSPF connection...

Page 393: ...he following command enables authentication for OSPF connections for VPN site 1:
set vpn sites 1 ospf md5 enabled true key 1 password thepassword
EXAMPLE 2: The following command displays the OSPF MD5 authentication settings for VPN site 1:
show vpn sites 1 ospf md5

Page 394: ...based on Check Point Stateful Inspection and Application Intelligence technologies, which performs virus scanning at the kernel level. VStream Antivirus scans files for malicious content on the fly, without downloading the files into intermediate storage. This means minimal added latency and support for unlimited file sizes, and since VStream Antivirus stores only minimal state information per connecti...

Page 395: ...MTP connections only, while VStream Antivirus supports additional protocols, including incoming SMTP and outgoing POP3 connections. You can use either antivirus solution, or both together. For information on Email Antivirus, see mailfilter antivirus on page 164.
SYNTAX. When used with set:
set vstream mode mode
When used with show:
show vstream mode
FIELDS. mode (String): Indicates whether VStream Antivi...

Page 396: ...ables VStream Antivirus:
set vstream mode enabled
EXAMPLE 2: The following command displays all VStream Antivirus settings, including archive handling options, advanced options and policy rules:
show vstream

Page 397: ...g level compression ratio compression ratio archive failure action archive failure action password protected action password protected action
When used with show:
show vstream archive options nesting level compression ratio archive failure action password protected action
FIELDS. nesting level (Integer): The maximum number of nested content levels that VStream Antivirus should scan. Setting a higher num...

Page 398: ...VStream Antivirus should handle files that exceed the nesting level value or the compression ratio value, and files for which scanning fails. This can have the following values: pass (scan only the number of levels specified and skip the scanning of more deeply nested archives; furthermore, skip scanning highly compressible files and skip scanning archives that cannot be extracted because they are corru... Note that with pass, content the scanner could not inspect is delivered uninspected.

Page 399: ...ng command sets the VStream Antivirus nesting level to 5:
set vstream archive options nesting level 5
EXAMPLE 2: The following command displays the VStream Antivirus archive handling settings:
show vstream archive options

Page 400: ...ring VStream Antivirus advanced settings. Displaying and exporting the VStream Antivirus advanced settings.
SYNTAX. When used with set:
set vstream options unsafe attachments unsafe attachments safe filetypes safe filetypes http ranges http ranges
When used with show:
show vstream options unsafe attachments safe filetypes http ranges

Page 401: ...executables, libraries and drivers; Compiled HTML Help files; VBScript files; and files with the following extensions: ade, adp, bas, bat, chm, cmd, com, cpl, crt, exe, hlp, hta, inf, ins, isp, js, jse, lnk, mdb, mde, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs, shb, url, vb, vbe, vbs, wsc, wsf, wsh. This field can have the following values: scan (scan the attachment); block (block the email). The default value is scan.

Page 402: ...s: RIFF, Ogg Stream, MP3, PDF, PostScript, WMA/WMV/ASF, RealMedia and JPEG (only the header is scanned and the rest of the file is skipped). This field can have the following values: scan (scan the file); pass (accept the file without scanning it; this option reduces the load on the gateway by skipping safe file types). The default value is pass. Bear in mind that "safe" here means a container format, not a harmless one: PDF and media files have carried exploits in practice, so pass trades coverage for throughput.

Page 403: ...ad parts of a desired file from different sources, VStream Antivirus might not detect a virus signature in a partial file. This field can have the following values: scan (scan partial files); block (block partial files; the client must then re-download the entire file). The default value is scan.
EXAMPLE 1: The following command configures VStream Antivirus to skip safe file types:
set vstream options safe filetype...
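The unsafe attachments option on page 401 decides by file name, whereas the safe file types option on page 402 decides by file header, and the two interact: a renamed executable must not be waved through because its name looks like an image. The following Python is an added illustration of both checks, not code from the appliance or from D-Link. The extension list is the one printed on page 401; the magic-number table holds the standard leading bytes of each format the page calls safe, but which signatures the appliance really checks, and the rule that the extension check runs first, are assumptions of this example.

```python
import os

# Extensions the page lists for the "unsafe attachments" check.
UNSAFE_EXTENSIONS = {
    "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "exe",
    "hlp", "hta", "inf", "ins", "isp", "js", "jse", "lnk", "mdb", "mde",
    "msc", "msi", "msp", "mst", "pcd", "pif", "reg", "scr", "sct", "shs",
    "shb", "url", "vb", "vbe", "vbs", "wsc", "wsf", "wsh",
}

# Standard leading bytes of the container formats the page calls "safe file
# types". Assumption for this example: the appliance's own signature set is
# not documented on this page.
SAFE_MAGIC = [
    (b"RIFF", "RIFF"),                 # WAV/AVI containers
    (b"OggS", "Ogg"),
    (b"ID3", "MP3"),                   # MP3 with an ID3v2 tag
    (b"\xff\xfb", "MP3"),              # bare MPEG audio frame
    (b"%PDF", "PDF"),
    (b"%!PS", "PostScript"),
    (b"\x30\x26\xb2\x75\x8e\x66\xcf\x11\xa6\xd9\x00\xaa\x00\x62\xce\x6c", "ASF"),  # WMA/WMV/ASF
    (b".RMF", "RealMedia"),
    (b"\xff\xd8\xff", "JPEG"),
]


def attachment_extension(filename):
    """Last extension, lowercased: 'invoice.pdf.exe' -> 'exe', 'Report.VBS' -> 'vbs'."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def safe_type(data):
    """Return the safe-type name if the file header matches one, else None."""
    for magic, name in SAFE_MAGIC:
        if data.startswith(magic):
            return name
    return None


def vstream_decision(filename, data, unsafe_attachments="scan", safe_filetypes="pass"):
    """Apply the two vstream options to one file; returns 'block', 'pass' or 'scan'.

    unsafe_attachments: "scan" (default) or "block", decided by extension.
    safe_filetypes:     "pass" (default) or "scan", decided by header bytes.
    Ordering assumption: the extension check runs first, so a renamed
    executable is never passed on the strength of its name or a forged header.
    """
    if attachment_extension(filename) in UNSAFE_EXTENSIONS:
        return "block" if unsafe_attachments == "block" else "scan"
    if safe_filetypes == "pass" and safe_type(data) is not None:
        return "pass"
    return "scan"


if __name__ == "__main__":
    # Constructed sample files (a few header bytes each, not real attachments).
    for name, head in [("report.pdf", b"%PDF-1.4\n"), ("setup.exe", b"MZ\x90\x00"),
                       ("photo.JPG", b"MZ\x90\x00"), ("photo.JPG", b"\xff\xd8\xff\xe0")]:
        print(name, vstream_decision(name, head, unsafe_attachments="block"))
```

The photo.JPG cases are the point of the header check: the file named like an image but starting with an MZ header is scanned, because only the bytes decide whether the "safe type" shortcut applies.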

Page 404: ...ream Antivirus Policy Rule table. VStream Antivirus includes a flexible mechanism that lets you define exactly which traffic should be scanned, by specifying the protocol, ports, and source and destination IP addresses. VStream Antivirus processes policy rules in the order they appear in the VStream Antivirus Policy Rule table, so that rule 1 is applied before rule 2 and so on. This enables you...

Page 405: ...cy rule number
When used with show:
show vstream policy rule number type service src dest ports protocol index disabled direction
When used with clear:
clear vstream policy rule
FIELDS. number (Integer): The rule's row in the VStream Antivirus Policy Rule table. type (String): The type of rule you want to create. This can have the following values: pass (enables you to specify that VStream An...

Page 406: ...tom (the rule applies to a specific non-standard service; you must include the protocol and ports fields); 0 or any (the rule applies to any service); 80 or web; 21 or ftp; 23 or telnet; 25 or smtp; 110 or pop3; 137 or nbt; 500 or vpn; 1720 or h323; 1723 or pptp. The default value is 0 or any.

Page 407: ...have the following values: an IP address; an IP address range (to specify a range, use the format Start IP Address-End IP Address); any (the rule applies to any source); wan; lan; dmz; vpn; notvpn (Not VPN); the name of a VPN site; the name of a network object. The default value is any.

Page 408: ...apply to any destination); wan; lan; dmz; vpn; notvpn (Not VPN); the name of a VPN site; the name of a network object. The default value is any. ports (Integer): The ports to which the rule applies. This can have the following values: a port number (the rule applies to this port only); a port range (to specify a range, use the format Start Port Number-End Port Number). Note: If you do not enter a port or port...

Page 409: ...this field to move the rule up or down in the VStream Antivirus Policy Rules table. The appliance processes rules higher up in the table (lower indexes) before rules lower down (higher indexes). If you do not include this field when adding a rule, the rule is automatically added to the bottom of the VStream Antivirus Policy Rules table. disabled (String): Indicates whether the rule is disabled. T...

Page 410: ...o downloaded and uploaded data); download (the rule applies to downloaded data, that is, data flowing from the destination of the connection to its source); upload (the rule applies to uploaded data, that is, data flowing from the source of the connection to its destination). The default value is any.

Page 411: ...so that it becomes a Pass rule:
set vstream policy rule 1 action pass
EXAMPLE 3: The following command deletes rule 1 in the VStream Antivirus Policy Rule table:
delete vstream policy rule 1
EXAMPLE 4: The following command displays the destination IP address for rule 1 in the VStream Antivirus Policy Rule table:
show vstream policy rule 1 dest
EXAMPLE 5: The following command deletes all rules in the VSt...
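Because the table is walked top down and the first matching rule wins, the index of a pass rule relative to a catch-all scan rule decides whether traffic is scanned at all. The following Python is an added illustration of that first-match evaluation over a constructed rule table, not code from the appliance or from D-Link; it resolves the named services and port ranges from the service and ports fields above and honours the disabled and direction fields. It does not resolve the zone names (wan, lan, dmz, vpn, notvpn) or network-object names, and the connection dictionary layout is an assumption of the example.

```python
from ipaddress import ip_address

# Named services and their ports, as listed for the service field.
SERVICE_PORTS = {"web": 80, "ftp": 21, "telnet": 23, "smtp": 25, "pop3": 110,
                 "nbt": 137, "vpn": 500, "h323": 1720, "pptp": 1723}


def _port_range(spec):
    """'80' -> (80, 80); '8000-8100' -> (8000, 8100)."""
    lo, _, hi = str(spec).partition("-")
    return (int(lo), int(hi or lo))


def _addr_matches(spec, addr):
    """src/dest matcher for 'any', a single IP, or 'start-end'.
    Zone names and network-object names are not resolved in this example."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    lo, hi = ip_address(lo.strip()), ip_address((hi or lo).strip())
    return lo <= ip_address(addr) <= hi


def _service_matches(rule, conn):
    service = str(rule.get("service", "any"))
    if service in ("any", "0"):
        return True
    if service == "custom":            # custom needs the protocol and ports fields
        lo, hi = _port_range(rule["ports"])
        return conn["protocol"] == rule["protocol"] and lo <= conn["dport"] <= hi
    port = SERVICE_PORTS.get(service)
    port = int(service) if port is None else port   # numeric form, e.g. "80"
    return conn["dport"] == port


def first_match(rules, conn):
    """Walk the table in order (rule 1 before rule 2) and return
    (1-based index, type) of the first enabled rule that matches, else None.

    conn (assumed layout): {"src", "dest", "dport", "protocol", "direction"},
    where direction is the data flow: "download" (dest -> src) or "upload".
    """
    for index, rule in enumerate(rules, start=1):
        if rule.get("disabled", "false") == "true":
            continue
        if not _addr_matches(rule.get("src", "any"), conn["src"]):
            continue
        if not _addr_matches(rule.get("dest", "any"), conn["dest"]):
            continue
        if not _service_matches(rule, conn):
            continue
        direction = rule.get("direction", "any")
        if direction != "any" and direction != conn["direction"]:
            continue
        return (index, rule["type"])
    return None


# Constructed rule table: exempt one trusted host's web traffic from scanning,
# scan downloads on a custom port range, then scan everything else.
RULES = [
    {"type": "pass", "service": "web", "src": "192.168.10.10", "dest": "any"},
    {"type": "scan", "service": "custom", "protocol": "tcp", "ports": "8000-8100",
     "src": "any", "dest": "any", "direction": "download"},
    {"type": "scan", "service": "any", "src": "any", "dest": "any"},
]

if __name__ == "__main__":
    conn = {"src": "192.168.10.10", "dest": "203.0.113.5", "dport": 80,
            "protocol": "tcp", "direction": "download"}
    print(first_match(RULES, conn))                       # (1, 'pass')
    print(first_match([RULES[2], RULES[0]], conn))        # (1, 'scan'): catch-all shadows the pass rule
```

Moving the catch-all scan rule above the pass rule (the last line) is the mistake the index field exists to correct: the pass rule is still in the table but can never match.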

Page 412: ...ent is restricted according to the categories specified with the webfilter categories variable. Authorized users can view Web pages without restriction only after they have provided the administrator password via the Web Filtering pop-up window. Note: Web Filtering is only available if you are connected to a Service Center and subscribed to this service. Note: If you are remotely managed...

Page 413: ...computers. The default value is disabled.
EXAMPLE 1: The following command enables the Web Filtering service:
set webfilter mode enabled
EXAMPLE 2: The following command displays all Web Filtering service settings, including the service mode and the categories for which the service is enabled:
show webfilter
See webfilter categories on page 402 for information about Web Filtering categories.

Page 414: ...able the Web Filtering service for a category, Web sites in that category will be blocked and will require the administrator password for viewing. Note: Web Filtering is only available if you are connected to a Service Center and subscribed to this service. Note: If you are remotely managed, contact your Service Center to change these settings.
SYNTAX. When used with set:
set webfilter categories gambling ...

Page 415: ...b sites should be blocked. This can have the following values: allow (do not block unknown sites); block (block all unknown sites). The default value is allow.
EXAMPLE 1: If Web Filtering is enabled, you can use the following command to block websites dealing with hate speech and violence:
set webfilter categories hate block violence block
For information on enabling the Web Filtering service, see webfilter.
EX...

Page 416: ...gs. Displaying and exporting all wireless connection settings, including the WEP and WPA-PSK settings. For information on configuring, displaying and exporting WEP settings, see wireless wep on page 416. For WPA2 settings, see wireless wpa on page 419. For WPA-PSK settings, see wireless wpapsk on page 42...

Page 417: ...interval groupkeyupdateinterval
When used with show:
show wireless netname hidenetname country opmode macfilter xr wmm channel xmitpower datarate fragthreshold rtsthreshold security antenna groupkeyupdateinterval
FIELDS. netname (String): The network name (SSID) that identifies your wireless network. This name is visible to wireless stations passing near your access point unless you enable the hidene...

Page 418: ...such as Microsoft Windows XP, and attempt to connect to your network. The default value is no. Note: Hiding the SSID does not provide strong security, because a determined attacker can still discover your SSID; it is therefore not recommended to rely on this setting alone for security. country (String): The country code of the country in which you are located. For a list of country codes, see Country Codes...

Page 419: ...and offers a maximum theoretical rate of 54 Mbps. When using this mode, both 802.11b stations and 802.11g stations will be able to connect. 108g static: Operates in the 2.4 GHz range and offers a maximum theoretical rate of 108 Mbps; when using this mode, only 802.11g Super stations will be able to connect. 108g dynamic: Operates in the 2.4 GHz range and offers a maximum theoretical rate of 108 Mbps. When ...

Page 420: ...er to http://www.super-ag.com. macfilter (String): Indicates whether MAC address filtering is enabled. This can have the following values: enabled (MAC address filtering is enabled; only MAC addresses that you added as network objects can connect to your network; for information on network objects, see netobj on page 226); disabled (MAC address filtering is disabled). The default value is disabled. Note: MAC address...

Page 421: ...The default value is enabled. wmm (String): Indicates whether to use the Wireless Multimedia (WMM) standard to prioritize traffic from WMM-compliant multimedia applications. This can have the following values: enabled (WMM is enabled; the NetDefend firewall prioritizes multimedia traffic according to four access categories: Voice, Video, Best Effort and Background; this allows for smoother streaming of voi...

Page 422: ...em, the networks should be assigned channels that are at least 25 MHz (5 channels) apart. Alternatively, you can reduce the transmission power. xmitpower (String) The transmitter power. This can have the following values: min: The minimum power. eighth: One eighth of full power. quarter: One quarter of full power. half: One half of full power. full: Full power. Setting a higher transmitter power increases the access ...

Page 423: ...t value is auto. fragthreshold (Integer) The smallest IP packet size, in bytes, that requires that the IP packet be split into smaller fragments. If you are experiencing significant radio interference, set the threshold to a low value (around 1000) to reduce the error penalty and increase overall throughput. Otherwise, set the threshold to a high value (around 2000) to reduce overhead. The default value is 2346. Cha...

Page 424: ...they might send data to the access point simultaneously, thereby causing data collisions and failures. RTS ensures that the channel is clear before each packet is sent. If your network is congested and the users are distant from one another, set the RTS threshold to a low value (around 500). Setting a value equal to the fragmentation threshold effectively disables RTS. The default value is 2346. 412 D...

Page 425: ...antenna diversity system. To provide antenna diversity, each wireless security appliance has two antennas. This field can have the following values: auto: The NetDefend firewall receives signals through both antennas and automatically selects the antenna with the lowest-distortion signal to use for communicating. The selection is made on a per-station basis. left: The ANT 1 antenna is always used for comm...

Page 426: ...y. For information on configuring WEP settings, see wireless wep on page 416. The wireless stations must be configured with the same key as well. If you choose wpapsk, you must configure a passphrase. For information on configuring the passphrase, see wireless wpapsk on page 421. The wireless stations must be configured with this passphrase as well. groupkeyupdateinterval (Integer) The interval, in seconds, ...

Page 427: ...where the SSID is MyOffice, the SSID is hidden, and the security protocol used is WPA-PSK: set wireless netname MyOffice hidenetname yes security wpapsk. EXAMPLE 2: The following command displays the wireless connection's operation mode: show wireless opmode. Chapter 5: CLI Variables 415

Page 428: ...ecurity protocol is WEP. For information on enabling and configuring the WLAN network, see net wlan on page 219. For information on setting the security protocol, see wireless on page 404. This variable is only relevant for models supporting a wireless interface. SYNTAX: When used with set: set wireless wep defkey defkey key1 key1 key2 key2 key3 key3 key4 key4. When used with show: show wireless wep defkey ...

Page 429: ...a. key1-key4 (String) A WEP key. The key is composed of hexadecimal characters (0-9 and A-F) and is not case-sensitive. The key length can be any of the following: 64 Bits: The key length is 10 characters. 128 Bits: The key length is 26 characters. 152 Bits: The key length is 32 characters. Note: Some wireless card vendors call these lengths 40, 104 and 128, respectively. For the highest security, choose a long passphra...

Page 430: ...two WEP keys and specifies that the second WEP key should be used for transmission: set wireless wep defkey 2 key1 4FC0046169 key2 D8462C0BA9. EXAMPLE 2: The following command displays the WEP settings: show wireless wep. 418 D-Link NetDefend CLI Reference Guide

Page 431: ...you to restrict access to the WLAN network to wireless stations that support the WPA2 security method. This variable is only relevant when a WLAN network is configured and the selected security protocol is WPA or WPA-PSK. For information on enabling and configuring the WLAN network, see net wlan on page 219. For information on setting the security protocol, see wireless on page 404. This variable is onl...

Page 432: ...g WPA2 can access the WLAN network. no: Wireless stations using either WPA or WPA2 can access the WLAN network. The default value is no. EXAMPLE 1: The following command configures the WLAN to allow only wireless stations using WPA2 to connect: set wireless wpa wpa2only yes. EXAMPLE 2: The following command displays the WPA2 settings: show wireless wpa.

Page 433: ...WLAN network is configured and the selected security protocol is WPA-PSK. For information on enabling and configuring the WLAN network, see net wlan on page 219. For information on setting the security protocol, see wireless on page 404. This variable is only relevant for models supporting a wireless interface. SYNTAX: When used with set: set wireless wpapsk passphrase passphrase. When used with show: show...

Page 434: ...pecial characters, and is case-sensitive. For the highest security, choose a long passphrase that is hard to guess. EXAMPLE 1: The following command configures the WPA-PSK passphrase: set wireless wpapsk passphrase D 34462Crf3 4 ehj. EXAMPLE 2: The following command displays the WPA-PSK passphrase: show wireless wpapsk.

Page 435: ...Table 3: Country Codes (Country, Code): No country set (default) NA; Albania AL; Algeria DZ; Argentina AR; Australia AU; Austria AT; Bahrain BH; Belarus BY; Belgium BE; Belize BZ; Bolivia BO; Brazil BR; Brunei Darussalam BN; Bulgaria BG. Chapter 6: Country Codes 423

Page 436: ...China CN; Colombia CO; Costa Rica CR; Croatia HR; Cyprus CY; Czech Republic CZ; Denmark DK; Dominican Republic DO; Ecuador EC; Egypt EG; El Salvador SV; Estonia EE; Finland FI; France FR; France RES F2; Georgia GE; Germany DE.

Page 437: ...de Greece GR; Guatemala GT; Honduras HN; Hong Kong HK; Hungary HU; Iceland IS; India IN; Indonesia ID; Iran IR; Iraq IQ; Ireland IE; Israel IL; Italy IT; Jamaica JM; Japan JP; Jordan JO; Kenya KE; Kuwait KW; Latvia LV.

Page 438: ...LY; Liechtenstein LI; Lithuania LT; Luxembourg LU; Macau MO; Macedonia MK; Malaysia MY; Mexico MX; Monaco MC; Morocco MA; Netherlands NL; New Zealand NZ; Nicaragua NI; Norway NO; Oman OM; Pakistan PK; Panama PA; Paraguay PY.

Page 439: ...ines PH; Poland PL; Portugal PT; Puerto Rico PR; Qatar QA; Romania RO; Russia RU; Saudi Arabia SA; Serbia SR; Singapore SG; Slovak Republic SK; Slovenia SI; South Africa ZA; South Korea KR; Spain ES; Sweden SE; Switzerland CH; Syria SY.

Page 440: ...(Country, Code): Taiwan TW; Thailand TH; Trinidad and Tobago TT; Tunisia TN; Turkey TR; Ukraine UA; United Kingdom GB; United States US; Uruguay UY; Venezuela VE; Viet Nam VN; Yemen YE; Zimbabwe ZW.

Page 441: ...puter to the Internet via the cable television network. Cable modems offer a high-speed, always-on connection. Certificate Authority: The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers. The entity later uses the certificate to identify itself and provide verifiable information. For instance, the certificate includes the Distinguished Name (DN), identifying infor...

Page 442: ...ers to the Internet domain names, or easy-to-remember handles, that are translated into IP addresses. An example of a Domain Name is www.sofaware.com. Domain Name System: The Domain Name System (DNS) refers to the Internet domain names, or easy-to-remember handles, that are translated into IP addresses. An example of a Domain Name is www.sofaware.com. E: Exposed Host: An exposed host allows ...

Page 443: ...ies each computer sending or receiving data packets across the Internet. When you request an HTML page or send e-mail, the Internet Protocol part of TCP/IP includes your IP address in the message and sends it to the IP address that is obtained by looking up the domain name in the Uniform Resource Locator you requested or in the e-mail address you're sending a note to. At the other end, the recipient c...

Page 444: ...sion (MTU). The Maximum Transmission Unit (MTU) is a parameter that determines the largest datagram that can be transmitted by an IP interface without it needing to be broken down into smaller units. The MTU should be larger than the largest datagram you wish to transmit unfragmented. Note: This only prevents fragmentation locally. Some other link in the path may have a smaller MTU; the datagram will be fr...

Page 445: ...an Ethernet local area network to a remote site or ISP through common customer premises equipment (e.g. modem). PPTP: The Point-to-Point Tunneling Protocol (PPTP) allows extending a local network by establishing private tunnels over the Internet. This protocol is also used by some DSL providers as an alternative to PPPoE. R: RJ-45: The RJ-45 is a connector for digital transmission over ordinary phone wi...

Page 446: ...en an HTML file is sent to you from a Web server, the Transmission Control Protocol (TCP) program layer in that server divides the file into one or more packets, numbers the packets, and then forwards them individually to the IP program layer. Although each packet has the same destination IP address, it may get routed differently through the network. At the other end, the client program in your computer (TC...

Page 447: ...rnet. The type of resource depends on the Internet application protocol. On the Web, which uses the Hypertext Transfer Protocol, an example of a URL is http://www.sofaware.com. V: VPN: A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. VPN tunnel: A secure co...

Page 449: ...66 resetting 34 viewing 56 Cisco IOS DOS 305 command line interface commands 2 17 controlling the appliance via 7 9 guidelines for using 8 syntax 3 variables 2 115 commands about 2 17 Appliance Operation 32 guidelines for using 8 Informational 44 return values commands 14 running 9 syntax 3 types 17 Variable Operation 18 viewing information 53 D DHCP configuring 168 181 219 350 explained 430 scope...

Page 450: ...nd Print Sharing 268 271 firewall levels 134 rule types 145 servers 156 setting security level 134 viewing information 70 firmware explained 430 resetting 36 viewing status 67 FTP Bounce 277 G gateways backup 175 187 225 default 168 175 187 225 265 explained 430 ID 333 master 175 187 225 resetting 37 H Hide NAT enabling disabling 168 181 219 350 explained 432 high availability configuring 154 175 ...

Page 451: ... for 187 connection 195 214 explained 432 LAND 299 licenses 67 logs viewing 72 M MAC address 432 Manual Login 366 MTU explained 195 432 N NetBIOS explained 432 NetDefend Firewall about 1 backing up 49 changing internal IP address of 181 configuring Internet connection 195 214 exporting configuration 49 importing configuration 49 models 2 rebooting 37 resetting to factory defaults 35 36 setting the...

Page 452: ... O OfficeMode about 190 configuring 190 OSPF about 231 areas 234 configuring 231 networks 236 redistribution 239 241 viewing database 81 viewing information 80 viewing interfaces 84 viewing neighbors 86 viewing routes 88 P packet 431 433 Packet Sanity 318 Ping of Death 301 Port based VLAN 350 ports managing 243 245 247 249 viewing statuses 90 PPTP connection 214 explained 433 print server 251 prin...

Page 453: ...omputer as an exposed host 137 firewall 134 security rules 137 serial console controlling appliance via 5 servers configuring 145 explained 433 Remote Access VPN 361 rules 145 Service Center connecting to 333 disconnecting from 333 services resetting 39 software updates 43 Web Filtering 400 Site to Site VPN gateways 366 PPPoE tunnels 366 Small PMTU 329 SmartDefense resetting worm patterns 40 SNMP ...

Page 454: ...typographical conventions 3 U UDP explained 434 URL explained 435 users authenticating 46 managing 345 setting up remote VPN access for 345 V Variable Operation Commands 17 18 variables about 2 115 adding 19 deleting 25 deleting all 22 displaying 30 exporting 49 guidelines for using 8 modifying 28 syntax 3 viewing information 53 VLAN adding and editing 350 deleting 350 port based 350 tag based 350...

Page 455: ... viewing database information 107 VStream Antivirus rules 392 W WAN 195 214 connections 195 214 ports 249 Web Filtering enabling disabling 400 selecting categories for 402 temporarily disabling 400 Welchia 321 WEP 404 416 wireless LAN see WLAN 219 wireless protocols 404 wireless stations viewing 112 WLAN configuring 219 225 416 421 viewing statistics for 112 WPA PSK 421 Index 443