Freedom9 freeGuard 100 Скачать руководство пользователя страница 65 | Manualshive

Страница: 65 / 310

Freedom9 freeGuard 100 Скачать руководство пользователя страница 65

58

enabled and when the policy destination interface is
the same as the IP pool interface.

priority {high | low |
medium}

Set the priority for traffic controlled by the policy. The
available settings are high for high priority traffic,
medium for medium priority traffic, and low for low
priority traffic.

high

profile <name_str>

Enter the name of a profile to add theprotection
profile to the policy. name_str is case-sensitive.

No Default.

profile_status {disable |
enable}

Enable or disable using a protectionprofile for the
policy.

disable

schedule <name_str>

Enter the name of the one-time or recurring
schedule to use for the policy. name_str is case-
sensitive.

No default.

service <name_str>

Enter the name of the service to use for the policy.
name_str is case-sensitive.

No default.

srcaddr <name_str>

Enter the source address for the policy. name_str is
case-sensitive.

No default.

srcintf <name_str>

Enter the source interface for the policy.The
interface can be a physical interface, a VLAN
subinterface or a zone. You cannot use an interface
or VLAN subinterface for srcintf if the interface or
VLAN subinterface has been added to a zone.

No default.

status {disable |
enable}

Enable or disable the policy.

enable

trafficshaping {disable |
enable}

Enable or disable traffic shaping. If you enable traffic
shaping you can set gbandwidth, maxbandwidth,
and priority.

disable

vpntunnel <name_str> Enter the name of the AutoIKE key or manual key

tunnel for the IPSec policy. The VPN tunnel name is
case sensitive.

No default.

Example

On a freeGuard 100 use the following example to add policy number 2 that allows users on the
external network to access a web server on a DMZ network. The policy:

•

Is for connections from the external interface

(srcintf is external)

to the DMZ interface

(dstintf is

dmz)

•

Is enabled

•

Allows users from any IP address on the Internet to access the web server

(srcaddr is all)

•

Allows access to an address on the DMZ network

(dstaddr is dmz_web_server)

•

Sets the schedule to Always so that users can access the web server 24 hours a day, seven days

a week

•

Sets the service to HTTP to limit access to the web server to HTTP connections

«
...
63
64
65
66
67
...
»

Содержание freeGuard 100

Страница 1: ...freeGuard 100 UTM Firewall CLI USER S MANUAL P N F0025000 Rev 1 1...

Страница 2: ...ed or translated into another language without express prior to written consent of freedom9 inc Copyright 2006 freeGuard and the freedom9 company logo are trademarks or registered trademarks of Freedo...

Страница 3: ......

Страница 4: ...E CATEGORY NAME_STR 30 4 3 HEURISTIC 33 4 4 SERVICE HTTP 34 4 5 SERVICE FTP 36 4 6 SERVICE POP3 37 4 7 SERVICE IMAP 39 4 8 SERVICE SMTP 41 5 CONFIG FIREWALL 43 5 1 ADDRESS 43 5 2 ADDRGRP 45 5 3 DNSTRA...

Страница 5: ...77 10 1 ACCPROFILE 178 10 2 ADMIN 180 10 3 AUTOUPDATE CLIENTOVERRIDE 182 10 4 AUTOUPDATE OVERRIDE 183 10 5 AUTOUPDATE PUSH UPDATE 184 10 6 AUTOUPDATE SCHEDULE 186 10 7 AUTOUPDATE TUNNELING 187 10 8 BU...

Страница 6: ...TBLOCK 278 13 3 SCRIPT 280 13 4 URLBLOCK 281 13 5 URLEXM 283 13 6 URLPAT 285 14 EXECUTE 287 14 1 BACKUP 287 14 2 DATE 288 14 3 DHCPCLEAR 289 14 4 ENTER 289 14 5 FACTORYRESET 289 14 6 HA MANAGE 289 14...

Страница 7: ......

Страница 8: ...is an alphabetic reference to the commands used to configure firewall policies and settings CONFIG lOG is an alphabetic reference to the commands used to configure logging CONFIG IPS is an alphabetic...

Страница 9: ...by a dotted decimal IPv4 netmask xxx_ipv6 indicates an IPv6 address xxx_v6mask indicates an IPv6 netmask xxx_ipv6mask indicates an IPv6 address followed by an IPv6 netmask Vertical bar and curly brac...

Страница 10: ...al documentation You can send information about errors or omissions in this document or any Freedom9 technical documentation to support freedom9 com 1 4 Customer service and technical support For anti...

Страница 11: ...the firewall VPN IPS and antivirus features Auth Users Can access the authorized users feature Admin Users Can access the administrative users feature freeGuard Protect Update Can access the update o...

Страница 12: ...he freeGuard 100 CLI A prompt similar to the following appears FreeGuard 100 login Type a valid administrator name and press Enter Type the password for this administrator and press Enter The followin...

Страница 13: ...freeGuard 100 interface to be configured to accept Telnet connections For example to configure the internal interface to accept Telnet connections enter config system interface edit internal set allow...

Страница 14: ...press Enter Type the password for this administrator and press Enter freeGuard 100 is displayed You have connected to the freeGuard 100 CLI and you can enter CLI commands Connecting to the freeGuard 1...

Страница 15: ...r example type config system admin and press Enter to access the shell to add or edit administrator accounts end Save the changes you have made in the current shell and leave the shell Every config co...

Страница 16: ...or User1 without leaving the config user local shell Continue using the edit set and next commands to continue adding user accounts type end and press Enter to save the last configuration and leave th...

Страница 17: ...orward disable type physical ip6 address 0 ip6 send adv disable Example When you type get in the internal interface shell the configuration values for the internal interface are displayed At the inter...

Страница 18: ...atus up netbios forward disable type physical ip6 address 0 ip6 send adv disable Example You want to confirm the IP address and netmask of the internal interface from the root prompt At the prompt typ...

Страница 19: ...plays config system interface edit internal set allowaccess ssh ping https set ip 192 168 20 200 255 255 255 0 next end Example You are working in the internal interface shell and want to see the syst...

Страница 20: ...ers for displaying different levels of diagnostic information The diagnose commands are not documented in this CLI Reference Guide Caution Diagnose commands are intended for advanced users only Contac...

Страница 21: ...s shell without saving your changes type abort and press Enter To save your changes and exit the dns sub shell type end and press Enter To confirm your changes have taken effect after leaving the dns...

Страница 22: ...e prompt changes to secondaryip At the secondaryip prompt type The following options are displayed edit delete purge get show end To add a secondary IP address with the ID number 0 type edit 0 and pre...

Страница 23: ...t ip 192 168 100 90 255 255 255 0 and press Enter To restore the secondary IP address with the ID number 1 to the default type unset ip and press Enter If you want to leave the secondary IP address 1...

Страница 24: ...tion combination and a description of each option Command completion You can use the tab key or the question mark key to complete commands You can press the tab key at any prompt to scroll through the...

Страница 25: ...ables USERFROM The management access type SSH Telnet and so on and the IP address of the logged inadministrator USERNAME The user account name of the logged in administrator SerialNum The serial numbe...

Страница 26: ...ing includes tabs or spaces All special characters are valid within the single quotes Use to include a single quote in a single quoted string Use to include a backslash in a single quoted string For e...

Страница 27: ...or errors If the freeGuard 100 finds an error an error message is displayed after the command and the command is rejected Then the freeGuard 100 restarts and loads the new configuration Setting page l...

Страница 28: ...b Case sensitivity Regular expression pattern matching is case sensitive in the Web and Spam filters To make a word or phrase case insensitive use the regular expression i For example bad language i...

Страница 29: ...8 and foo_1 100 s mk the strings 100 and mk optionally separated by any amount of white space spaces tabs newlines abc b abc when followed by a word boundary e g in abc but not in abcd perl B perl whe...

Страница 30: ...email for administrative events such as user logins resets and configuration updates disable Anomaly disable enable Enable or disable sending an alert email when the freeGuard 100 logs an attack cove...

Страница 31: ...alert email when the freeGuard 100 logs a DHCP service event disable email disable enable Enable or disable sending an alert email when the freeGuard 100 logs an email filter event disable email_log_i...

Страница 32: ...s required critical Functionality is affected error An erroneous condition exists and functionality is probably affected warning Functionality might be affected notification Information about normal e...

Страница 33: ...email filter If the show command returns you to the prompt the settings are at default Command History Related Commands config alertemail setting config log 3 2 setting Use this command to configure t...

Страница 34: ...lert email for error level messages 5 information interval minutes_integer Enter the number of minutes the freeGuard 100 should wait before sending out alert email for information level messages 30 ma...

Страница 35: ...lertemail setting set server mail ourcompany com set username freeGuard 100 ourcompany com set mailto1 admin1 ourcompany com set mailto2 admin2 ourcompany com set alert interval 2 set critical interva...

Страница 36: ...filepattern edit filepattern_str set keyword variable end config antivirus filepattern edit filepattern_str unset keyword end config antivirus filepattern delete filepattern_str end get antivirus file...

Страница 37: ...This example shows how to display the settings for the bat file pattern get antivirus filepattern bat This example shows how to display the configuration for the entire file pattern list show antiviru...

Страница 38: ...as web browsing habits to the advertiser s web site where it may be recorded and analyzed Keylog Keylogger programs can record every keystroke made on a keyboard including passwords chat and instant...

Страница 39: ...or disable grayware scanning for the specified category disable Example This example shows how to enable grayware scanning for Adware programs config antivirus grayware Adware set status enable end Th...

Страница 40: ...ntivirus heuristic set keyword variable end config antivirus heuristic unset keyword end get antivirus heuristic show antivirus heuristic antivirus heuristic command keywords and variables Keywords Va...

Страница 41: ...ans for HTTP Command syntax pattern config antivirus service http set keyword variable end config antivirus service http unset keyword end get antivirus service http show antivirus service http antivi...

Страница 42: ...ile is passed or blocked according to the user configuration in the firewall profile The uncompsizelimit applies to the uncompressed size of the file If other files are inlcuded within the file the un...

Страница 43: ...the freeGuard 100 RAM size For example a freeGuard 100with 256 MB of RAM could have a threshold range of 1 MB to 25 MB Oversized files can be passed or blocked in a firewall protection profile Note F...

Страница 44: ...rt 20 21 end This example shows how to display the antivirus FTP traffic settings get antivirus service ftp This example shows how to display the configuration for antivirus FTP traffic show antivirus...

Страница 45: ...ta So a file may be blocked or logged as oversized even if the attachment is several megabytes less than the memfilesizelimit 10 MB port port_integer Configure antivirus scanning on a nonstandard port...

Страница 46: ...Command syntax pattern config antivirus service imap set keyword variable end config antivirus service imap unset keyword end get antivirus service imap show antivirus service imap antivirus service i...

Страница 47: ...s work See How file size limits work Example This example shows how to set the maximum file size that can be buffered to memory for scanning at 25 MB the maximum uncompressed file size that can be buf...

Страница 48: ...MB of RAM could have a threshold range of 1 MB to 25 MB Note For email scanning the memfilesizelimit refers to the final size of the email after encoding by the email client including attachments Emai...

Страница 49: ...service smtp set memfilesizelimit 100 set uncompsizelimit 1000 set port 25 set port 465 end This example shows how to display the antivirus SMTP traffic settings get antivirus service smtp This exampl...

Страница 50: ...ress range The freeGuard 100 comes configured with the default address All which represents any IP address Addresses address groups and virtual IPs must all have unique names to avoid confusion in fir...

Страница 51: ...tmask for a class A subnet should be 255 0 0 0 The netmask for a class B subnet should be 255 255 0 0 The netmask for a class C subnet should be 255 255 255 0 0 0 0 0 0 0 0 0 end_ip address_ipv4 If ty...

Страница 52: ...firewall addrgrp config firewall policy 5 2 addrgrp Add edit or delete address groups used in firewall policies You can organize related addresses into address groups to make it easier to configure po...

Страница 53: ...dd an address group named Group1 and add the addresses User_Network and User_Range to the group config firewall addrgrp edit Group1 set User_Network User_Range end This example shows how to display th...

Страница 54: ...a DNS translation source address DNS translation changes the IP address in the DNS packet to the DNS translation destination IP address and forwards the packet through the firewall to the external us...

Страница 55: ...through the FreeGuard 100 You can allow or block traffic not defined in the IP MAC binding table You can enable or disable IP MAC binding for each individual FreeGuard 100 interface using the ipmac ke...

Страница 56: ...tofw Configure how IP MAC binding handles packets with IP and MAC addresses that are not defined in the IP MAC list Setting undefinedhost configures thisbehavior for traffic going through the firewall...

Страница 57: ...sequence_integer end get firewall ipmacbinding setting sequence_integer show firewall ipmacbinding setting sequence_integer firewall ipmacbinding table command keywords and variables Keywords Variabl...

Страница 58: ...tings for the first entry id 1 in the IP MAC binding table get firewall ipmacbinding table 1 This example shows how to display the configuration for IP MAC binding table show firewall ipmacbinding tab...

Страница 59: ...escription Default endip address_ipv4 The end IP of the address range The end IP must be higher than the start IP The end IP must be onthe same subnet as the IP address of the interface for which you...

Страница 60: ...the firewall ippool command show firewall ippool This example shows how to display the configuration for the id 1 IP pool show firewall ippool 1 Command History Related Commands policy 5 7 multicast p...

Страница 61: ...ts 0 0 0 0 0 0 0 0 srcintf name_str Enter the source interface name to match against multicast NAT packets No default Example This example shows how to configure a multicast NAT policy config firewall...

Страница 62: ...firewall policy edit id_integer set keyword variable end config firewall policy edit id_integer unset keyword end config firewall policy delete id_integer end config firewall policy move id_integer a...

Страница 63: ...servcode_rev reply_binary Set the Differentiated Services Code Point DSCP value in the Diffserv field ofreply packets The value is 6 bits binary The valid range is 000000 111111 000000 dstaddr name_st...

Страница 64: ...r VPN tunnels that match this policy disable natip address_ipv4mask Configure natip for a firewall policy with action set to encrypt and with outbound NAT enabled Specify the IP address and subnet mas...

Страница 65: ...erface a VLAN subinterface or a zone You cannot use an interface or VLAN subinterface for srcintf if the interface or VLAN subinterface has been added to a zone No default status disable enable Enable...

Страница 66: ...ternal set dstintf dmz set status enable set srcaddr all set dstaddr dmz_web_server set schedule Always set service HTTP set action accept set nat enable set trafficshaping enable set gbandwidth 100 s...

Страница 67: ...le profilename_str firewall profile command keywords and variables Keywords Variables Description Default cat_allow cat_integer cat_integer cat_integer You must subscribe to a web filtering service fr...

Страница 68: ...image_urls to block images rated by freeGuard freeGuard rates images based onthe URL of the image Images that should be bocked are replaced with a blank image on the original web page freeGuard has ra...

Страница 69: ...exempt Select the actions that this profile uses for filtering HTTP traffic for a policy Enter bannedword to enable web content blocking based on the banned word list Enter block to enable deleting fi...

Страница 70: ...s even if the files do not contain viruses Enter content archive to enable archiving ofIMAP content meta information to a Logappliance Enter fragmail to enable blocking fragmented email messages Enter...

Страница 71: ...tions that this profile uses for filtering IPS traffic for a policy Enter anomaly to enable filtering traffic based on the IPS anomaly list Enter signature to enable filtering traffic basedon the IPS...

Страница 72: ...hdrcheck to enable filtering based on the MIME header list Enter spamaddrdns to enable filtering based on the return e mail DNS check Enter spamrbl to enable checking traffic against configured DNS ba...

Страница 73: ...ubnet address Enter spamaddrdns to enable filtering based on the return e mail DNS check Enter spamrbl to enable checking traffic against configured DNS based Blackhole List DNSBL and Open Relay Datab...

Страница 74: ...A tag of more than one word a phrase must be enclosed in single quotes to be accepted bythe CLI Spam smtp_spamtagtype header subject Enter the location for the spam tag The spam tag can be added to t...

Страница 75: ...ings for the spammail profile get firewall profile spammail This example shows how to display the configuration for the firewall profile command show firewall profile This example shows how to display...

Страница 76: ...5 30 or 45 yyyy 1992 to infinity mm 01to 12 dd 01to 31 No default start hh mm yyyy mm dd The starting day and time of the schedule hh 00to 23 mm 00 15 30 or 45 yyyy 1992 to infinity mm 01to 12 dd 01to...

Страница 77: ...times of the day or on specified days of the week Note If you create a recurring schedule with a stop time that occurs before the start time the schedule starts at the start time and finishes at the...

Страница 78: ...ay Friday set start 07 45 set end 17 30 end Edit the recurring schedule named access so that it is no longer valid on Fridays config firewall schedule recurring edit access set day monday tuesday wedn...

Страница 79: ...t_integer Enter the destination port range for the service If the destination port range can be any port enter 1 65535 To specify a single port enter the same port number for lowport_integer and high...

Страница 80: ...tings for the Custom_1 service get firewall service custom Custom_1 This example shows how to display the configuration for the firewall service custom command show firewall service custom This exampl...

Страница 81: ...o add to theservice group To view the list of available services enter set member at the prompt service_str is case sensitive No default Example This example shows how to add a service group called we...

Страница 82: ...se networks you must create a mapping between an address on the source network and the real address on the destination network This mapping is called a virtual IP You can create two types of virtual I...

Страница 83: ...e For port forwarding virtual IP this address can be any IP address including the IP address of the extintf name_str If the IP address of extintf name_str is set using PPPoE or DHCP extip address_ipv4...

Страница 84: ...cnat set extintf external set extip 64 32 21 34 set mappedip 192 168 1 44 end This example shows how to edit the static NAT virtual IP named web_Server to change the real IP address of the web server...

Страница 85: ...ow to display the settings for the web_Server VIP get firewall vip web_Server This example shows how to display the configuration for the firewall vip command show firewall vip This example shows how...

Страница 86: ...mit If the number of concurrent sessions to a single destination is over a threshold the destination session limit session limit is reached You can enable or disable logging for each anomaly and you c...

Страница 87: ...80 The config ips anomaly command has 1 subcommand config limit...

Страница 88: ...and action is set to Pass the anomaly is effectively disabled pass_session The freeGuard 100 lets the packet that triggered theanomaly and all other packets in the session pass through the firewall re...

Страница 89: ...e threshold threshold_integer For the anomalies that include the threshold setting traffic over the specified threshold triggers the anomaly Varies Example This example shows how to change the tcp_lan...

Страница 90: ...o more general For example if you define thresholds for 192 168 100 0 24 and 192 168 0 0 16 the address with the 24 bit netmask is matched before the entry with the 16 bit netmask Command syntax patte...

Страница 91: ...platform you can add custom signatures based on the security alerts released by the application and platform vendors You can also use custom signatures to block or allow specific traffic Once you add...

Страница 92: ...10 config ips custom edit ICMP10 set signature F SBID protocol icmp icmp_type 10 revision 2 end This example shows how to display the list of custom signatures get ips custom This example shows how to...

Страница 93: ...type of attack By default all signature groups are enabled You can enable or disable signature groups or individual signatures Disabling unneeded signatures can improve system performance and reduce...

Страница 94: ...integer If a session is idle for longer than this number ofseconds the session is be maintained by tcp reassembly 30 min_ttl ttl_integer A packet with a higher ttl number in its IP header than the num...

Страница 95: ...the configuration for the dos signature group show ips group dos config rule rule name_str Access the rule subcommand using the ips group command Use the config rule subcommand to configure the settin...

Страница 96: ...ts in the sessionpass through the firewall reset The freeGuard 100 drops the packet that triggered the signature sends a reset to both the client and the server and removes the session from the freeGu...

Страница 97: ...config rule NAPTHA set action drop end end This example shows how to display the list of signature groups get ips group This example shows how to display the settings for the dos signature group get i...

Страница 98: ...yword variable end config log log memory syslogd webtrends filter unset keyword end get log log memory syslogd webtrends filter show log log memory syslogd webtrends filter log log memory syslogd webt...

Страница 99: ...Enable or disable archiving of HTTP content Archives can include meta data information such as file sizes source and destination addresses and status disable content_log_ima p disable enable Enable o...

Страница 100: ...elect For example if you select error the unit logs error critical alert and emergency level messages emergency The system is unusable alert Immediate action is required critical Functionality is affe...

Страница 101: ...ettings for logging to a freeGuard 100 get log memory filter This example shows how to display the configuration for logging to a syslog server show log syslogd filter If the show command returns you...

Страница 102: ...sksecret str_psk Enter the pre shared key for the IPSec VPN tunnel to a Log unit You can create anIPSec VPN tunnel if one or more freeGuard 100s are sending log messages to a unit across the Internet...

Страница 103: ...d in the memory buffer After all available memory is used by default the freeGuard 100 begins to overwrite the oldest messages All log entries are deleted when the freeGuard 100 restarts Command synta...

Страница 104: ...re at default Command History Related Commands log memory syslogd webtrends filter log setting syslogd setting trafficfilter webtrends setting 7 4 syslogd setting Use this command to configure log set...

Страница 105: ...s are alert log alert audit log audit auth security authorization messages authpriv security authorization messages private clock clock daemon cron cron daemon performing scheduled commands daemon sys...

Страница 106: ...ample shows how to display the configuration for logging to a remote syslog server show log syslogd setting If the show command returns you to the prompt the settings are at default Command History Re...

Страница 107: ...es disable Example This example shows how to display the service name and enable resolving IP addresses to host names in log messages config log trafficfilter set display name set resolve enable end T...

Страница 108: ...0 0 0 0 0 0 service name_str Enter the service for which you want to filter traffic logs You can choose from any of the predefined services listed and any custom services you haveconfigured No default...

Страница 109: ...memory setting syslogd setting webtrends setting 7 6 webtrends setting Use this command to configure log settings for logging to a remote computer running a NetIQ WebTrends firewall reporting server f...

Страница 110: ...emote WebTrends server config log webtrends setting set status enable set server 220 210 200 190 end This example shows how to display the settings for logging to a remote WebTrends server get log web...

Страница 111: ...hether to match the prefix exactly or to match the prefix and any more specific prefix The freeGuard 100 attempts to match a packet against the rules in an access list starting at the top of the list...

Страница 112: ...eyword variable end config rule edit id_integer unset keyword variable end config rule delete id_integer end get router access list name_str show router access list name_str rule command keywords and...

Страница 113: ...le next edit 2 set prefix 192 168 0 0 255 255 0 0 set action permit set exact_match disable end end This example shows how to display the list of access lists get router access list This example shows...

Страница 114: ...e status of the freeGuard 100 interfaces and whether OSPF is enabled for each interface neighbor Show information about OSPF neighbors route Show the OSPF routing table status Show general information...

Страница 115: ...nd variables Keywords Description database Show the entries in the RIP routing database interface Show the status of the FreeGuard 100 interfaces and whether RIP is enabled for each interface Examples...

Страница 116: ...ured with the same keys A key chain is a list of one or more keys and the send and receive lifetimes for each key Keys are used for authenticating routing packets only during the specified lifetimes T...

Страница 117: ...ariables Keywords Variables Description Default accept lifetime hh mm ss day month year hh mm ss day month year duration_integer infinite Set the time period during which the key can be received The f...

Страница 118: ...e duration_integer range is from 1 to 2147483646 seconds No default Example This example shows how to add a key chain named test1 with three keys The first two keys each have send and receive lifetime...

Страница 119: ...t path first OSPF on the freeGuard 100 OSPF is an open protocol based on the shortest path first algorithm OSPF is a link state protocol capable of routing larger networks than the simpler distance ve...

Страница 120: ...outers that because of limited resources may not be able to maintain a complete link state database disable database overflow max lsas lsas_integer If you have enabled database overflow set the limit...

Страница 121: ...Enable or disable RFC 1583 compatibility RFC 1583 compatibility should be enabled only when there is another OSPF router in the network that only supports RFC 1583 When RFC 1583 compatibility is enabl...

Страница 122: ...logical groupings called areas Areas are linked together by area border routers ABRs There must be a backbone area that all areas can connect to You can use a virtual link to connect areas that do no...

Страница 123: ...erfaces the authentication configured for the area is not used Authentication passwords or keys are defined per interface See config ospf interface none default cost cost_integer Enter the metric to u...

Страница 124: ...ator if it is in a NSSA shortcut default disable enable Use this command to specify area shortcut parameters disable stub type no summary summary Enter no summary to prevent an ABR sending summary LSA...

Страница 125: ...area You can use access or prefix lists for OSPF area filter lists For more information see access list and prefixlist Command syntax pattern config filter list edit id_integer set keyword variable e...

Страница 126: ...ess list named acc_list1 to filter packets entering area 15 1 1 1 config router ospf config area edit 15 1 1 1 config filter list edit 1 set direction in set list acc_list1 end end This example shows...

Страница 127: ...id_integer end config range edit id_integer get end config range edit id_integer show end Note Only the prefix keyword is required All other keywords are optional range command Keywords Variables Keyw...

Страница 128: ...ows how to display the configuration for area 15 1 1 1 config router ospf config area edit 15 1 1 1 show end config virtual link Access the config virtual link subcommand using the config area command...

Страница 129: ...r this virtual link If you select none no authentication is used If you select text the authentication key is sent as plain text If you select md5 an authentication key isused to generate an MD5 hash...

Страница 130: ...ange for id_integer is 1 to 255 key_str is an alphanumeric string ofup to 16 characters No default peer address_ipv4 The router id of the remote ABR 0 0 0 0 is not allowed 0 0 0 0 retransmit interval...

Страница 131: ...d to use an access list to filter the networks in routing updates Routes not matched by any of the distribute lists will not be advertised You must configure the access list that you want the distribu...

Страница 132: ...hespecified protocol and that are permitted by the named access list connected Example This example shows how to configure a distribute list numbered 2 to use an access list named acc_list1 for all st...

Страница 133: ...id_integer end config neighbor edit id_integer get end config neighbor edit id_integer show end Note Only the ip keyword is required All other keywords are optional neighbor command keywords and varia...

Страница 134: ...e shows how to display the settings for neighbor 1 config router ospf config neighbor edit 1 get end This example shows how to display the configuration for neighbor 1 config router ospf config neighb...

Страница 135: ...e associated with the prefix 0 0 0 0 prefix address_ipv4mask Enter the IP address and netmask for the OSPF network 0 0 0 0 0 0 0 0 Example Use the following command to enable OSPF for the interfaces a...

Страница 136: ...ated OSPF settings Command syntax pattern Note The interface name_str variable in the syntax pattern below represents a descriptive name for this OSPF configuration To set the freeGuard 100 interface...

Страница 137: ...etwork problems that can occur if an unwanted or misconfigured router is mistakenly added to the network If you configure authentication for the interface authentication for areas is not used All rout...

Страница 138: ..._integer Change the Maximum Transmission Unit MTU size included in database descriptionpackets sent out this interface The valid range for mtu_integer is 576 to 65535 1500 mtu ignore disable enable Us...

Страница 139: ...ble Enable or disable OSPF on this interface enable transmit delay seconds_integer The estimated time in seconds required tosend a link state update packet on this interface OSPF increments the age of...

Страница 140: ...edistribute connected static rip set keyword variable end config redistribute connected static rip unset keyword end get router ospf show router ospf redistribute command keywords and variables Exampl...

Страница 141: ...ter ospf config summary address Access the config summary address subcommand using the config router ospf command Use this command to summarize external routes for redistribution into OSPF This comman...

Страница 142: ...refix 0 0 0 0 0 0 0 0 is not allowed 0 0 0 0 0 0 0 0 tag tag_integer Specify a tag for the summary route The valid range for tag_integer is 0 to 4294967295 0 Example This example shows how to summariz...

Страница 143: ...ng any number of static routes can be defined for the same destination IP mask When multiple routes for the same destination IP mask exist the freeGuard 100 chooses the route with the lowest number in...

Страница 144: ...0 start_port port_integer The start port number of a port range for apolicy route Match packets that have this destination port range You must configure both the start_port and end_port keywords for...

Страница 145: ...1 end Enter the following command to direct all HTTP traffic using port 80 to the next hop gateway at IP address 1 1 1 1 config router policy edit 1 set input_device internal set src 0 0 0 0 0 0 0 0 s...

Страница 146: ...to control the length of the prefix netmask Each rule in a prefix list consists of a prefix IP address and netmask the action to take for this prefix permit or deny and maximum and minimum prefix leng...

Страница 147: ...s Description Default action deny permit Set the action to take for this prefix permit ge length_integer Match prefix lengths that are greater than orequal to this number The setting for ge should be...

Страница 148: ...prefix list edit prf_list1 config rule edit 1 set prefix 192 168 100 0 255 255 255 0 set action permitset ge 26 set le 30 next edit 2 set prefix 10 1 0 0 255 255 0 0 set action denyset ge 20 set le 2...

Страница 149: ...support simple authentication and subnet masks RIP is a distance vector routing protocol intended for small relatively homogeneous networks RIP uses hop count as its routing metric Each network is usu...

Страница 150: ...le blocking broadcast updates on the specified interface No default timeout timer timer_integer The time interval in seconds after which a route is declared unreachable The route is removed from the r...

Страница 151: ...e Access the config distance subcommand using the config router rip command Configure administrative distance to set the priority of routes advertised by different routing protocols to the same destin...

Страница 152: ...0 config router rip config distance edit 1 set distance 10 end end This example shows how to display the RIP settings get router rip This example shows how to display the RIP configuration show router...

Страница 153: ...erface to apply this distribute list to If you do not specify an interface this distribute list will be used for all interfaces null listname access prefix listname_str Enter the name of the access li...

Страница 154: ...ace edit interface name_str set keyword variable end config interface edit interface name_str unset keyword end config interface delete interface name_str end get router rip show router rip interface...

Страница 155: ...2 to configure RIP to send RIP version 2 messages from an interface Enter 1 2 to configure RIP to send both RIP version 1 and RIP version 2 messages from an interface No default send version1 compatib...

Страница 156: ...nd unicast routing updates to the router at the specified address You can use the neighbor command and passive interface name_str to allow RIP to send unicast updates to the specified neighbor while b...

Страница 157: ...ip This example shows how to display the RIP configuration show router rip config network Access the config network subcommand using the config router rip command Use this command to identify the netw...

Страница 158: ...0 config router rip config network edit 2 set prefix 10 0 0 0 255 255 255 0 end end This example shows how to display the RIP settings get router rip This example shows how to display the RIP configu...

Страница 159: ...r range is from 1 to 16 0 status disable enable Enable or disable this offset list disable Example This example shows how to configure and enable offset list number 5 that adds a metric of 3 to incomi...

Страница 160: ...range is from 0 to 16 0 routemap name_str Enter the name of the route map to use for the redistributed routes For information on how to configure route maps see config router route map null status di...

Страница 161: ...map starting at the top of the list If it finds a match it makes the changes defined in the set statements and then takes the action specified for the rule If no match is found in the route map the de...

Страница 162: ...Enter deny to deny routes that match thisrule permit match interface name_str Match a route with the specified destinationinterface null match ip address access prefix listname_str Match a route if t...

Страница 163: ...utes that match a metric of 2 and changes the metric to 4 config router route map edit rtmp2 config rule edit 1 set match ip address acc_list2 set action deny next edit 2 set match metric 2 set action...

Страница 164: ...dministrative distance the greater the preferability of the route The freeGuard 100 assigns routes using a best match algorithm To select a route for a packet the freeGuard 100 searches through the ro...

Страница 165: ...e IP address of the first next hop router to which this route directs traffic 0 0 0 0 This example shows how to add a static route that has the sequence number 2 config router static edit 2 set dev in...

Страница 166: ...s of the packet If a match is not found the freeGuard 100 routes the packet using the default route Command syntax pattern config router static6 edit sequence_integer set keyword variable end config r...

Страница 167: ...to display the list of IPV6 static route numbers get router static6 This example shows how to display the settings for IPV6 static route 2 get router static6 2 This example shows how to display the I...

Страница 168: ...e final spam filter You can use Perl regular expressions or wildcards to add banned word patterns to the list See Using Perl regular expressions You can add one or more banned words to sort email cont...

Страница 169: ...Korean Simplified Chinese Thai Traditional Chinese or Western western pattern banned word_str Enter the banned word or phrase pattern You can use regular expressions or wildcards No default pattern_ty...

Страница 170: ...s how to display the settings for the fifth banned word in the list get spamfilter bword 5 This example shows how to display the configuration for the banned word list show spamfilter bword This examp...

Страница 171: ...ons or wildcards to add email address patterns to the list See Using Perl regular expressions Command syntax pattern config spamfilter emailbwl edit email address_integer set keyword variable end conf...

Страница 172: ...ewhere com next edit 11 set status enable set action clear set pattern freedom9 com set pattern_type wildcard end This example shows how to display the spamfilter email list get spamfilter emailbwl Th...

Страница 173: ...spam filter techniques in a two pass process On the first pass if spamfsip is selected in the protection profile extracts the SMTP mail server source address and sends the IP address to a server to se...

Страница 174: ...IP address or URL is deleted disable cache_ttl ttl_integer Enter a time to live in seconds for cache entries Enter from 0 to 3600 seconds 3600 hostname url_str The host name of the server The freeGua...

Страница 175: ...emailbwl config spamfilter ipbwl config spamfilter mheader config spamfilter rbl 9 4 ipbwl Use this command to filter email based on the IP or subnet address The freeGuard 100 spam filters are genera...

Страница 176: ...ter ipbwl edit address ipv4_integer unset keyword end config spamfilter ipbwl delete address ipv4_integer end get spamfilter ipbwl address ipv4_integer show spamfilter ipbwl address ipv4_integer spamf...

Страница 177: ...for the entire IP list show spamfilter ipbwl If the show command returns you to the prompt there are no IP addresses in the list This example shows how to display the configuration for the seventh ent...

Страница 178: ...t_Type image jpg The first part of the MIME header is called the header key or just header The second part is called the value Spammers often insert comments into header values or leave them blank The...

Страница 179: ...value header field name You can use wildcards or Perl regular expressions No default pattern_type regexp wildcard Enter the pattern_type for the MIME header Choose from wildcards or Perl regular expr...

Страница 180: ...show spamfilter mheader 7 Command History Related Commands config spamfilter bword config spamfilter emailbwl config spamfilter shield config spamfilter ipbwl config spamfilter rbl 9 6 rbl Use this co...

Страница 181: ...ntax pattern config spamfilter rbl edit server_integer set keyword variable end config spamfilter rbl edit server_integer unset keyword end config spamfilter rbl delete server_integer end get spamfilt...

Страница 182: ...the second entry in the spamfilter DNSBL list get spamfilter rbl 2 This example shows how to display the configuration for the entire DNSBL list show spamfilter rbl If the show command returns you to...

Страница 183: ...176...

Страница 184: ...ing bug report console dhcp exclude_range dhcp ipmacbinding dhcp server dns fm get system performance get system status global ha interface ipv6_tunnel mac address table manageip modem oobm interface...

Страница 185: ...file name_str unset keyword end config system accprofile delete profile name_str end get system accprofile profile name_str show system accprofile profile name_str accprofile command keywords and vari...

Страница 186: ...em and router settings none deny access r read only access rw read write access w write only access none sysshutdowngrp none r rw w Control administrator access to system shutdownand reboot functions...

Страница 187: ...olicy_profile access profile get system accprofile policy_profile Command History Related Commands admin 10 2 admin Use this command to add edit and delete administrator accounts Use the admin account...

Страница 188: ...ask to 0 0 0 0 0 0 0 0 0 0 0 0 trusthost2 address_ipv4mask An IP address or subnet address and netmask from which the administrator can connect to the freeGuard 100 If you want the administrator to be...

Страница 189: ...erface than that connected to This command changes the source IP address of update requests to the server causing it to send the update to the modified source address Command syntax pattern config sys...

Страница 190: ...clientoverride Command History Related Commands autoupdate override autoupdate push update autoupdate schedule autoupdate tunneling execute update_now 10 4 autoupdate override Use this command to add...

Страница 191: ...ride This example shows how to display the configuration for the system autoupdate override command show system autoupdate override Command History Related Commands autoupdate push update autoupdate s...

Страница 192: ...e unset keyword end get system autoupdate push update show system autoupdate push update autoupdate push update command keywords and variables Keywords Variables Description Default address server add...

Страница 193: ...hedule set keyword variable end config system autoupdate schedule unset keyword end get system autoupdate schedule show system autoupdate schedule autoupdate schedule command keywords and variables Ke...

Страница 194: ...time 03 00 set status enable end This example shows how to display the settings for the system autoupdate schedule command get system autoupdate schedule This example shows how to display the configu...

Страница 195: ...port Command syntax pattern config system autoupdate tunneling set keyword variable end config system autoupdate tunneling unset keyword end get system autoupdate tunneling show system autoupdate tun...

Страница 196: ...autoupdate schedule 10 8 bug report Use this command to configure a custom email relay for sending problem reports to Freedom9 customer support For more information on sending problem reports see the...

Страница 197: ...system bug report set auth yes set password 123456 set server 10 0 0 1 set username User1 end This example shows how to display the settings for the bug report command get system bug report This exam...

Страница 198: ...s per page to 25 config system console set baudrate 38400 set page 25 end This example shows how to display the settings for the console command get system console This example shows how to display th...

Страница 199: ...st be in the same subnet 0 0 0 0 Example Use the following command to add an exclusion range from 192 168 20 22 to 192 168 20 25 config system dhcp exclude_range edit 1 set start ip 192 168 20 22 set...

Страница 200: ...erver mode using the dhcpserver mode keyword in the config system interface command Command syntax pattern config system dhcp ipmacbinding edit name_str set keyword variable end config system dhcp ipm...

Страница 201: ...interface 10 12 dhcp server Use this command to add one or more DHCP servers for any freeGuard 100 interface As a DHCP server the interface dynamically assigns IP addresses to hosts on a network conne...

Страница 202: ...r Domain name suffix for the IP addresses that the DHCP server assigns to DHCP clients No default end ip address_ipv4 The ending IP for the range of IP addresses that this DHCP server assigns to DHCP...

Страница 203: ...nge is defined by the start ip and the end ip 0 0 0 0 wins server1 address_ipv4 The IP address of the first WINS server that the DHCP server assigns to DHCP clients 0 0 0 0 wins server2 address_ipv4 T...

Страница 204: ...rver This example shows how to display the configuration for the new_dhcp DHCP server show system dhcp server new_dhcp Command History Related Commands dhcp exclude_range dhcp ipmacbinding interface 1...

Страница 205: ...Example This example shows how to set the primary FreeGuard 100 DNS server IP address to 45 37 121 76 and the secondary freeGuard 100 DNS server IP address to 45 37 121 77 config system dns set prima...

Страница 206: ...ard 100 to be managed by a Server config system fm set id FMServer_Gateway set ip 192 20 120 100 end Command History Related Commands config vpn ipsec manualkey config vpn ipsec phase1 config vpn ipse...

Страница 207: ...s 480 minutes 8 hours To improve security keep the idletimeout at the default value 5 allow interface subnetoverlap disable enable Enable or disable limited support for interface and VLAN subinterface...

Страница 208: ...interval Enter a number in seconds to specify how often the freeGuard 100 pingsthe target 0 disables dead gateway detection 0 ip_signature disable enable disable only TCP UDP and ICMP packets are pro...

Страница 209: ...you can use see http www ntp org disable opmode nat transparent Change the freeGuard 100 operation mode to NAT Route or Transparent mode nat phase1 rekey enable disable Enable or disable automatic rek...

Страница 210: ...ist and enter the correct number 00 Example This example shows how to change to Transparent mode config system global set opmode transparent end This example shows how to display the settings for the...

Страница 211: ...tion disable enable Enable disable HA heartbeat messageencryption Enabling HA heartbeat messageencryption prevents an attacker from sniffing HA packets to get HA cluster information disable groupid id...

Страница 212: ...ou want to remove an interface from the list or add an interface to the list you must retype the list with the interface and its priority removed or added The cluster units use the ethernet interfaces...

Страница 213: ...le monitoring freeGuard 100 interfacesand setting monitor priorities You can enter one or more interface names followed by a space and a monitor priority Use a space to separate each interface name an...

Страница 214: ...3600 seconds The time to live controls how long routes remain active in a cluster unit routing table after the cluster unit becomes a primary unit To maintain communication sessions after a cluster un...

Страница 215: ...stributed to cluster units based on the Source IP and Destination IP of the packet leastconnection least connection load balancing If the cluster units are connected using switches use leastconnection...

Страница 216: ...ht assigned to the clustet units according to their priority in the cluster Increase the weight to increase the number of connections processed by the cluster unit with that priority 1 for all 32 unit...

Страница 217: ...y Weight 0 1 1 3 2 3 config system ha set schedule weight round robin set weight 0 1 set weight 1 3 set weight 2 3 end These commands have the following results The first connection is processed by th...

Страница 218: ...cept that you can only configure VLAN subinterfaces with static IP addresses Use the edit command to add a VLAN subinterface Command syntax pattern Entering a name string for the edit keyword that is...

Страница 219: ...dress you can arrange with a DDNS service provider to use a domain name to provideredirection of traffic to your network whenever the IP address changes disable ddns domain domain name_str Enter the d...

Страница 220: ...t both In a DHCP relay configuration the freeGuard 100 forwards DHCP requests from DHCP clients through the freeGuard 100 to a DHCP server The FreeGuard 100 also returns responses from the DHCP server...

Страница 221: ...ter advertisements sent from the interface The valid range is 0 to 9000 1800 ip6 hop limit hops_integer Enter the number to be added to the Cur HopLimit field in the router advertisements sent out thi...

Страница 222: ...ission unit MTU size in bytes Ideally mtu should be the same as the smallest MTU of all the networks between this freeGuard 100 and the destination of the packets For static mode the mtu_integer range...

Страница 223: ...stinationaddres s_hex Substitute the destination MAC address in a packet No default Username Enter the user name to connect to the PPPoE server No default vdom name_str Enter the name of the virtual d...

Страница 224: ...ariable end config ip6 prefix list delete address_ipv6mask end get system interface name_str show system interface name_str ip6 prefix list command keywords and variables Keywords Variables Descriptio...

Страница 225: ...ondary IP address A ping server is usually the next hop router on the network connected to the interface If gwdetect is enabled the freeGuard 100 confirms connectivity with the server at this IP addre...

Страница 226: ...This example shows how to display the configuration for the system interface command show system interface This example shows how to display the settings for the internal interface get system interfac...

Страница 227: ...0 interface name_str The interface used to send and receive traffic for this tunnel No default ip6 address_ipv6mask The network prefix IPv6 address and netmask assigned to the interface to enable IPv6...

Страница 228: ...example shows how to display the configuration for the ipv6_tunnel named test_tunnel show system ipv6_tunnel test_tunnel Command History Related Commands interface 10 21 mac address table Use this co...

Страница 229: ...splay the configuration for the mac address table command show system mac address table This example shows how to display the settings for the MAC address 11 22 33 00 ff aa get system mac address tabl...

Страница 230: ...55 0 end This example shows how to display the settings for the manageip command get system manageip This example shows how to display the configuration for the manageip command show system manageip C...

Страница 231: ...tching from the modem interface to the primary interface after the primary interface has been restored 60 idle_timer minutes_integer Set the number of minutes the modem connection can be idle before i...

Страница 232: ...e ISP to restore an active connection on the modem interface Select none to allow the modem to redial without a limit No default status disable enable Enable or disable modem support disable username1...

Страница 233: ...the email and replaced with a replacement message The same applies to pages blocked by web filtering and emails blocked by spam filtering Command syntax pattern config system replacemsg alertmail cat...

Страница 234: ...s a web page text none Messages added to FTP sessions when the antivirus engine blocks a file either because of a matching file pattern or because a virus is detected ftp_dl_infected Antivirus system...

Страница 235: ...etes a file from an email messages that contains a virus text 8bit email_filesize The antivirus system blocks an email message that is too large to be virus scanned text 8bit partial The freeGuard 100...

Страница 236: ...is blocked by web filter content or URL blocking URL can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that isblocked...

Страница 237: ...se this command to configure a new session helper or to edit an existing one 1 pptp port 1723 protocol 6 2 h323 port 1720 protocol 6 3 ras port 1719 protocol 17 4 tns port 1521 protocol 6 5 ident port...

Страница 238: ...t_integer A port number to use for this session helper No default protocol protocol_integer The protocol number for this session helper No default Example Use the following commands to change the ftp...

Страница 239: ...to increase the default session timeout config system session_ttl set default 62000 end This example shows how to display the settings for the session_ttl command get system session_ttl This example s...

Страница 240: ...set 3600 end end 10 27 snmp community Use this command to configure SNMP communities Add SNMP communities so that SNMP managers can connect to the freeGuard 100 to view system information and receive...

Страница 241: ...aced with a new HA unit intf_ip The IP address of a freeGuard 100 interface changes log_full On a freeGuard 100 with a hard drive hard drive usage exceeds 90 mem_low Memory usage exceeds 90 nids_ports...

Страница 242: ...dded to this SNMP community 162 trap_v2c_status disable enable Enable or disable SNMP v2c traps for this SNMP community enable Example This example shows how to add a new SNMP community named SNMP_Com...

Страница 243: ...s command to add SNMP manager IP addresses to an SNMP community and to specify the freeGuard 100 interface that each SNMP manager connects to Command syntax pattern config hosts edit id_integer set ke...

Страница 244: ...the freeGuard 100 so that when your SNMP manager receives configuration information or traps from the freeGuard 100 you can identify the freeGuard 100 that sent the information Command syntax pattern...

Страница 245: ...o command get system snmp sysinfo This example shows how to display the configuration for the system snmp sysinfo command show system snmp sysinfo Command History Related Commands snmp community 10 29...

Страница 246: ...ou cannot delete the default root virtual domain and you cannot delete a virtual domain that is used for system management Note A virtual domain cannot have the same name as a VLAN Command syntax patt...

Страница 247: ...s zone You cannot add an interface if it belongs to another zone or if firewall policies are defined for it No default intrazone allow deny Allow or deny traffic routing between different interfaces i...

Страница 248: ...e 1 configurations Only users in the selected user group can be authenticated using XAuth The freeGuard 100 PPTP configuration Only users in the selected user group can use PPTP The freeGuard 100 L2TP...

Страница 249: ...ons required No default profile profilename_str Enter the name of the firewall protection profile to associate with this user group No default Example This example shows how to add a group named User_...

Страница 250: ...henticate the user the connection is refused by the FreeGuard 100 The freeGuard 100 supports LDAP protocol functionality defined in RFC2251 for looking up and validating user names and passwords freeG...

Страница 251: ...the Common Name Identifier The FreeGuard 100 passes this distinguished name unchanged to the server No default port port_integer Enter the port number for communication with the LDAP server 389 server...

Страница 252: ...ple shows how to display the configuration for the LDAP server LDAP1 show user ldap LDAP1 Command History Related Commands config user group config user local config user peer config user peergrp conf...

Страница 253: ...server with which the user must authenticate You can only select a RADIUS server that has been added to the list of RADIUS servers See radius No default status disable enable Enter enable to allow the...

Страница 254: ...n7 Command History Related Commands config user group config user ldap config user peer config user peergrp config user radius 11 4 peer Use this command to add or edit peer digital certificate holder...

Страница 255: ...n certificate ca list No default cn Enter the peer certificate common name No default cn type FDQN email ipv4 string Enter the peer certificate common name type string subject Optionally enter any of...

Страница 256: ...ed Commands config user peergrp config vpn ipsec phase1 execute vpn certificate ca execute vpn certificate key execute vpn certificate local 11 5 peergrp Use this command to add or edit a peer group P...

Страница 257: ...w to add peers to the peergrp EU_branches config user peergrp edit EU_branches set member Sophia_branch Valencia_branch Cardiff_branch end This example shows how to display the list of configured peer...

Страница 258: ...et keyword end config user radius delete name_str end get user radius name_str show user radius name_str radius command keywords and variables Keywords Variables Description Default secret password_st...

Страница 259: ...is example shows how to display the configuration for all the RADIUS servers show user radius This example shows how to display the configuration for the RADIUS server RAD1 show user radius RAD1 Comma...

Страница 260: ...VPN traffic to pass from one tunnel to the other through the freeGuard 100 The freeGuard 100 functions as a concentrator or hub in a hub and spoke network Note VPN concentrators are not available in T...

Страница 261: ...VPN concentrator named Concen_1 config vpn ipsec concentrator unset member end This example shows how to display the settings for the Concen_1 concentrator get vpn ipsec concentrator Concen_1 This ex...

Страница 262: ...r ipsec manualkey command keywords and variables Keywords Variables Description Default authentication md5 null sha1 Select an authentication algorithm from the list Make sure you use the same algorit...

Страница 263: ...IP address of the remote gateway external interface 0 0 0 0 localspi spi_hex Local Security Parameter Index Enter a hexadecimal number of up to eight digits digits can be 0 to 9 a to f in the rangebb8...

Страница 264: ...ations When you add a phase 1 configuration you define how the freeGuard 100 and a remote VPN peer gateway or client authenticate themselves to each other as part of establishing an IPSec VPN tunnel T...

Страница 265: ...Enter the XAuth client password for the freeGuard 100 when xauthtype is set to client No default authusr name_str Enter the XAuth client user name for the freeGuard 100 when xauthtype is set to clien...

Страница 266: ...worry setting 300 seconds dpd idleworry seconds_integer The DPD short idle setting when dpd is set to enable Set the time in seconds that a link must remain unused before the local VPN peer considers...

Страница 267: ...e enable Enable NAT traversal if you expect the IPSec VPN traffic to go through a gateway that performs NAT If no NAT device is detected enabling NAT traversal has no effect Both ends of the VPN must...

Страница 268: ...mmetric key encryption algorithms null Do not use an encryption algorithm des Digital Encryption Standard a 64 bit block algorithm that uses a 56 bit key 3des Triple DES in which plain text is encrypt...

Страница 269: ...the domain name of the remote VPN peer Static usrgrp name_str Enter the name of the group of dialup VPN clients to authenticate when peer type is set to dialup The user group must be added to the free...

Страница 270: ...ommands config vpn ipsec phase2 config user group config user local config user peer config user peergrp config user radius vpn certificate local vpn certificate ca 12 4 ipsec phase2 Use this command...

Страница 271: ...a hub and spoke VPN configuration that has already been added to the freeGuard 100 No default dhcp ipsec disable enable If the tunnel will service remote dialup clients that broadcast a DHCP request...

Страница 272: ...fekbs kb_integer Set the number of KBytes of data to transmit before the phase 2 key expires kbyte_integer can be 5120 to 99999 KBytes 5120 keylifeseconds seconds_integer Set the number of seconds to...

Страница 273: ...received before If packets arrive out of sequence the freeGuard 100s discards them You can configure the freeGuard 100 to send an alert email when it detects a replay packet See config alert email Di...

Страница 274: ...to add a phase 2 configuration with the following characteristics Name New_Tunnel Phase 1 name Simple_GW Encryption and authentication proposal 3des sha1 aes256 sha1 des md5 Keylife type seconds Keyl...

Страница 275: ...ual IP VIP addresses at both ends of the IPSec VPN tunnel Adding an IPSec VIP entry to the VIP table enables a freeGuard 100 to respond to ARP requests destined for remote servers and route traffic to...

Страница 276: ...ce to the destination network null Example The following commands add IPSec VIP entries for two remote hosts that can be accessed by a freeGuard 100 through an IPSec VPN tunnel on the external interfa...

Страница 277: ...em to a user group For more information see config user group config user ldap config user local and config user radius You need to define a firewall policy to control services inside the L2TP tunnel...

Страница 278: ...eGuard 100configuration before it can be specified here For more information see configuser group config user ldap config user local and config user radius null Example This example shows how to enabl...

Страница 279: ...ource and destination addresses of IP packets that are to be transported through the VPN When source and destination addresses of 0 0 0 0 are specified no ping traffic is generated between the source...

Страница 280: ...Related Commands config vpn ipsec phase2 12 8 pptp Use this command to enable PPTP and specify a local address range to reserve for remote PPTP clients When a remote PPTP client connects to the intern...

Страница 281: ...ow vpn pptp pptp command keywords and variables Keywords Variables Description Default eip address_ipv4 The ending address of the PPTP address range 0 0 0 0 sip address_ipv4 The starting address of th...

Страница 282: ...t eip 192 168 1 130 set status enable set usrgrp PPTP_users end This example shows how to display the settings for the vpn pptp command get vpn pptp This example shows how to display the configuration...

Страница 283: ...ter a phrase the freeGuard 100 blocks all Web pages containing any word in the phrase You can add exact phrases by enclosing the phrases in quotation marks If you enclose the phrase in quotation marks...

Страница 284: ...ing Perl regular expressions or wildcards wildcard status disable enable Enable or disable the banned word No default Example This example shows how to add the exact phrase free credit report to the W...

Страница 285: ...e freeGuard 100 accesses the nearest freeGuard server to determine the category of a requested web page and then follows the firewall policy configured for that user or interface freeGuard servers are...

Страница 286: ...he host name of the FreeGuard servers The FreeGuard 100 comes preconfigured with the host name Use this command only if you need to change the host name guard freedom9 com img_sink_ip image_ipv4 The I...

Страница 287: ...ilter urlexm config webfilter urlpat 13 3 script Use this command to configure the freeGuard 100 to block Java applets cookies ActiveX controls or scripts from Web pages Note Blocking any of these ite...

Страница 288: ...ss to specific URLs by adding them to the URL block list The freeGuard 100 blocks Web pages matching any specified URLs and displays a replacement message instead You can configure the freeGuard 100 t...

Страница 289: ...webfilter urlblock url_str urlblock command keywords and variables Keywords Variables Description Default status disable enable Enable or disable URL blocking for each URL disable Example This exampl...

Страница 290: ...m show webfilter urlblock www badsite com Related Commands webfilter bword webfilter catblock webfilter script webfilter urlexm webfilter urlpat 13 5 urlexm Use this command to configure specific URLs...

Страница 291: ...ple shows how to display the webfilter URL exempt list get webfilter urlexm This example shows how to display the settings for the URL www freedom9 com get webfilter urlexm www freedom9 com This examp...

Страница 292: ...100 web pattern blocking supports standard regular expressions You can add up to 20 patterns to the web pattern block list Command syntax pattern config webfilter urlpat edit url pattern_str set keyw...

Страница 293: ...for the URL pattern www badsite get webfilter urlpat www badsite This example shows how to display the configuration for the entire URL pattern block list show webfilter urlpat If the show command re...

Страница 294: ...aceful shutdown time traceroute update_now vpn certificate ca vpn certificate key vpn certificate local 14 1 backup Backup the freeGuard 100 configuration file or IPS user defined signatures file to a...

Страница 295: ...tion file from the freeGuard 100 to a TFTP server The name to give the configuration file on the TFTP sever is fgt cfg The IP address of the TFTP server is 192 168 1 23 execute backup config fgt cfg 1...

Страница 296: ...main called Client2 execute enter Client2 Related Commands config system vdom 14 5 factoryreset Reset the freeGuard 100 configuration to factory default settings Command syntax execute factoryreset Ca...

Страница 297: ...mary unit Using this command you can synchronize the following Configuration changes made to the primary unit normal system configuration firewall configuration VPN configuration and so on stored in t...

Страница 298: ...above start Start synchronizing the cluster configuration stop Stop the cluster from completing synchronizing its configuration Example From the CLI on a subordinate unit use the following commands t...

Страница 299: ...10 ping Send an ICMP echo request ping to test the network connection between the freeGuard 100 and another network device Command syntax execute ping address_ipv4 host name_str Example This example s...

Страница 300: ...e host name_str or host_ip Specifying the IP address of a freeGuard 100 interface tests connections to different network segments from the specified interface auto timeout seconds_integer Specify in s...

Страница 301: ...an IPv6 capable network device Command syntax execute ping6 address_ipv6 host name_str Example This example shows how to ping a host with the IPv6 address 12AB 0 0 CD30 123 4567 89AB CDEF execute pin...

Страница 302: ...Image Upload a firmware image from a TFTP server to the freeGuard 100 The freeGuard 100 reboots loading the new firmware Ipsuserdefsig Restore an IPS custom signature file The file will overwrite the...

Страница 303: ...ghbors that it is restarting and requests a grace period RIP can still forward traffic during the restart period This reduces disruption of the network during the restart period The duration of the gr...

Страница 304: ...example sets the system time to 15 31 03 execute time 15 31 03 14 19 traceroute Test the connection between the freeGuard 100 and another network device and display information about the network hops...

Страница 305: ...o the X 509 standard Note Digital certificates are not required for configuring the freeGuard 100 VPNs Digital certificates are an advanced feature provided for the convenience of system administrator...

Страница 306: ...Keyword Description delete certificate name_str Enter the name of the local certificate to delete Type for a list of certificates export name_str filename_str tftp_ip password_str Enter the name of t...

Страница 307: ...ate to delete Type for a list of certificates export certificate name_str file name_str tftp_ip Export or save the local certificate from the freeGuard 100 to a file on the TFTP server Type for a list...

Страница 308: ...re the freeGuard 100 is located city_name_str Enter the name of the city or town where the person or organization certifying the freeGuard 100 resides organization name_str Enter the name of the organ...

Страница 309: ...302 100 from a TFTP server with the address 192 168 21 54 set vpn certificates local import branch_cert 192 168 21 54...

Страница 310: ...ules Operation is subject to the following two conditions 1 This device may not cause harmful interference 2 This device must accept any interference received Including interference that may cause und...

Отзывы:

Нет отзывов

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды