D-Link DFL-1600 - Security Appliance CLI Reference Manual - 2.2.22. httpposter
2.2.22. httpposter
Display HTTPPoster_URLx status.
Description
Display configuration and status of configured HTTPPoster_URLx targets.
Usage
httpposter [-repost] [-display]
Options
-display
Display status.
-repost
Re-post all URLs now. (Admin only)
2.2.23. hwaccel
List configured Hardware Accelerators.
Description
Display information about configured Hardware Accelerators.
Usage
hwaccel
2.2.24. ifstat
Show interface statistics.
Description
Show list of attached interfaces, or in-depth information about a specific interface.
Usage
ifstat [ [-num=
Options
-allindepth
Show in-depth information about all interfaces.
-filter=
Filter list of interfaces.
-num=
Limit list to lines. (default: 20)
-pbr=
Only list members of given PBR table(s).
-restart
Stop and restart the interface. (Admin only)
Configuration reference 117. Description generate a pre-shared key of specified size, containing randomized key data. If a key with the spe- cified name exists, the existing key is modified. Otherwise a new key object is created. Usage pskgen [-comments=] [-size={64 3.36. Routingtable description the system has a predefined main routing table. Alternate routing tables can be defined by the user. Properties name specifies a symbolic name for the routing table. (identifier) ordering specifies how a route lookup is done in a named routing ta- ble. (default: only) ... Monitorgatewayarpinterval specifies the arp lookup interval in milliseconds. (default: 1000) network specifies the network address for this route. Metric specifies the metric for this route. (default: 0) proxyarpallinterfaces always select all interfaces, including new ones, for publish- ing routes ... 3.37. Scheduleprofile description a schedule profile defines days and dates and are then used by the various policies in the system. Properties name specifies a symbolic name for the service. (identifier) mon specifies during which intervals the schedule profile is active on mondays. (optional) tue ... 3.38. Service this is a category that groups the following object types. 3.38.1. Servicegroup description a service group is a collection of service objects, which can then be used by different policies in the system. Properties name specifies a symbolic name for the service. (identifier) members gr... Echoreplycodes specifies which echo reply message codes should be matched. (default: 0-255) sourcequenching enable matching of source quenching messages. (default: no) sourcequenchingcodes specifies which source quenching message codes should be matched. (default: 0-255) timeexceeded enable matching... Properties name specifies a symbolic name for the service. (identifier) destinationports specifies the destination port or the port ranges applicable to this ser- vice. 
Type specifies whether this service uses the tcp or udp protocol or both. (default: tcp) sourceports specifies the source port or t... 3.39. Settings this is a category that groups the following object types. 3.39.1. Arptablesettings description advanced arp-table settings. Properties arpmatchenetsender the ethernet sender address matching the hardware address in the arp data. (default: droplog) arpquerynosenderip if the ip source ... Description timeout settings for various protocols. Properties connlife_tcp_syn connection idle lifetime for tcp connections being formed. (default: 60) connlife_tcp connection idle lifetime for tcp. (default: 262144) connlife_tcp_fin connection idle lifetime for tcp connections being closed. (defau... Note this object type does not have am identifier and is identified by the name of the type only. There can only be one instance of this type. 3.39.4. Dhcpserversettings description advanced dhcp server settings. Properties autosaveleasepolicy policy for saving the lease database to disk. (default: ... Reasstimeout timeout of a reassembly, since previous received fragment. (default: 65) reasstimelimit maximum lifetime of a reassembly, since first received frag- ment. (default: 90) reassdonelinger how long to remember a completed reassembly (watching for old dups). (default: 20) reassillegallinger ... Ikecrlvaliditytime maximum number of seconds a crl is considered valid (0=obey the 'next update' field in the crl). (default: 86400) ikemaxcapath maximum number of ca certificates in a certificate path. (default: 15) ipseccertcachemaxcerts maximum number of entries in the certificate cache. (default... Ttlonlow what action to take on too low ttl values. (default: droplog) defaultttl the default ip time-to-live of packets originated by the se- curity gateway (32-255). (default: 255) layersizeconsistency tcp/udp/icmp/etc layer data and header sizes matching lower layer size information. (default: va... 
Note this object type does not have am identifier and is identified by the name of the type only. There can only be one instance of this type. 3.39.10. Lengthlimsettings description length limitations for various protocols. Properties maxtcplen tcp; sometimes has to be increased if tunneling protoco... Properties idletimeout number of seconds of inactivity until the local console user is automatically logged out. (default: 900) note this object type does not have am identifier and is identified by the name of the type only. There can only be one instance of this type. 3.39.12. Localreasssettings d... 3.39.14. Remotemgmtsettings description setup and configure methods and permissions for remote management of this system. Properties netconbidirtimeout specifies the amount of seconds to wait for the administrator to log in before reverting to the previous configuration. (default: 30) webuibeforerul... Routefailover_ifacepollinterval time (ms) between polling of interface failure. (default: 500) routefailover_arppollinterval time (ms) between arp-lookup of gateways. May be over- ridden for each route. (default: 1000) routefailover_pingpollinterval time (ms) between ping'ing of gateways. (default: ... Tls_rsa_export1024_with _rc4_56_sha1 enable cipher tls_rsa_export1024_with_rc4_56_sha1. (default: yes) tls_rsa_export512_with_ rc4_40_md5 enable cipher tls_rsa_export1024_with_rc4_40_md5. (default: no) tls_rsa_export512_with_ rc2_40_md5 enable cipher tls_rsa_export1024_with_rc2_40_md5. (default: no)... Note this object type does not have am identifier and is identified by the name of the type only. There can only be one instance of this type. 3.39.18. Tcpsettings description settings related to the tcp protocol. Properties tcpoptionsizes validity of tcp header option sizes. (default: validatelogba... Tcpsynurg the tcp urg flag together with syn; normally invalid (strip=strip urg). 
(default: droplog) tcpsynpsh the tcp psh flag together with syn; normally invalid but always used by some ip stacks (strip=strip psh). (default: stripsilent) tcpsynrst the tcp rst flag together with syn; normally inval... 3.40. Sshclientkey description the public key of the client connecting to the ssh server. Properties name specifies a symbolic name for the key. (identifier) type dsa or rsa. (default: dsa) subject value of the subject header tag of the public key file. (optional) publickey specifies the public key.... 3.41. Thresholdrule description a threshold rule defines a filter for matching specific network traffic. When the filter criteria is met, the threshold rule actions are evaluated and possible actions taken. Properties index the index of the object, starting at 1. (identifier) name specifies a symbol... Threshold specifies the threshold. Thresholdunit specifies the threshold unit. (default: connssec) zonedefense activate zonedefense. (default: no) blacklist activate blacklist. (default: no) blacklisttimetoblock the number of seconds that the dynamic black list should re- main. (optional) blacklistb... 3.42. Updatecenter description configure automatical updates. Properties avenabled automatic updates of antivirus definitions and engine. (default: no) idpenabled automatic updates of idp maintenance signatures. (default: no) advancedidpenabled automatic updates of advanced idp signatures. (default:... 3.43. Userauthrule description the user authentication ruleset specifies from where users are allowed to authenticate to the sys- tem, and how. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the rule. (optional) agent http, https, xauth, ppp ... Sessiontimeout if a user has successfully been authenticated, he/she will auto- matically be logged out after this many seconds, regardless of if there has been activity from the user or not. 
(optional) useservertimeouts use timeouts received from the authentication server. If no values are received... 3.44. Zonedefenseblock description manually configured blocks are used to block a host/network on the switches either by default or based on schedule. Properties index the index of the object, starting at 1. (identifier) addresses specifies the addresses to block. Protocol all, tcp, udp or icmp. (de... 3.45. Zonedefenseexcludelist description the exclude list is used exclude certain hosts/networks from being blocked out by idp/threshold rule violations. Properties addresses specifies the addresses that should not be blocked. (optional) comments text describing the current object. (optional) note t... 3.46. Zonedefenseswitch description a zonedefense switch will have its acls controlled and hosts/networks violating the idp/ threshold rules will be blocked directly on the switch. Properties name specifies a symbolic name for the zonedefense switch. (identifier) switchmodel specifies the switch mod... 3.46. Zonedefenseswitch chapter 3. Configuration reference 147. Index commands a about, 20 activate, 9 add, 9 arp, 20 arpsnoop, 21 ats, 22 b bigpond, 22 blacklist, 22 buffers, 24 c cam, 24 cancel, 10 cc, 11 cd, 12 (see also cc) certcache, 25 cfglog, 25 commit, 12 connections, 25 copy, 12 cpuid, 26 crashdump, 27 customlog, 27 d delete, 13 dhcp, 27 dhcprelay, 28 d... Zonedefense, 48 object types a access, 54 addressfolder, 56 advancedscheduleoccurrence, 59 advancedscheduleprofile, 59 alg_ftp, 60 alg_h323, 61 alg_http, 61 alg_http_url, 62 alg_smtp, 62 alg_smtp_email, 63 arp, 64 arptablesettings, 125 b blacklistwhitehost, 65 c certificate, 66 conntimeoutsettings, ... Remotemgmtsnmp, 115 remotemgmtssh, 115 route, 119 routingrule, 118 routingsettings, 133 routingtable, 119 s scheduleprofile, 121 servicegroup, 122 serviceicmp, 122 serviceipproto, 123 servicetcpudp, 123 sshclientkey, 138 sslsettings, 134 statesettings, 135 switchroute, 120 t tcpsettings, 136 thresho...]