D-Link DFL-1600 - Security Appliance Cli Reference Manual - 2.4. Misc

Manual is about: NetDefendOS Network Security Firewall

Summary of DFL-1600 - Security Appliance

  • Page 1

    Network security solution http://www.dlink.com security dfl-210/800/1600/2500 dfl-260/860 ver. 1.01 network security firewall cli reference guide.

  • Page 2: Cli Reference Guide

    Cli reference guide dfl-210/260/800/860/1600/2500 netdefendos version 2.12 d-link corporation no. 289, sinhu 3rd rd, neihu district, taipei city 114, taiwan R.O.C. http://www.dlink.com published 2007-04-17 copyright © 2007.

  • Page 3

    Cli reference guide dfl-210/260/800/860/1600/2500 netdefendos version 2.12 published 2007-04-17 copyright © 2007 copyright notice this publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual,...

  • Page 4: Table Of Contents

    Table of contents: Preface (ix); 1. Introduction (1); 1.1. Running a command ...

  • Page 5

    2.2.28. Ipseckeepalive (34); 2.2.29. Ipsecstats (35); 2.2.30. Killsa ...

  • Page 6

    3.13. Dns (75); 3.14. Driver (76); 3.14.1. Ixp4npeethernetdriver ...

  • Page 7

    3.39.7. Ipsectunnelsettings (128); 3.39.8. Ipsettings (129); 3.39.9. L2tpserversettings (130); 3...

  • Page 8: List Of Examples

    List of examples: 1. Command option notation (ix); 1.1. Help for commands (2); 1.2. Help for object types ...

  • Page 9: Preface

    Preface audience the target audience for this reference guide is: • administrators that are responsible for configuring and managing the d-link firewall. • administrators that are responsible for troubleshooting the d-link firewall. This guide assumes that the reader is familiar with the d-link fire...

  • Page 10

    Because the table name option is followed by ellipses it is possible to specify more than one routing table. Since table name is optional as well, the user can specify zero or more policy-based routing tables. gw-world:/> routes virroute virroute2

  • Page 11: Chapter 1. Introduction

    Chapter 1. Introduction • running a command, page 1 • help, page 2 • function keys, page 3 • command line history, page 4 • tab completion, page 5 • user roles, page 7 this guide is a reference for all commands and configuration object types that are available in the command line interface for netde...

  • Page 12: 1.2. Help

    1.2. Help 1.2.1. Help for commands there are two ways of getting help about a command. A brief help is displayed if the command name is typed followed by -? or -h. This applies to all commands and is therefore not listed in the option list for each command in this guide. Using the help command give...

  • Page 13: 1.3. Function Keys

    1.3. Function keys in addition to the return key there are a number of function keys that are used in the cli. Backspace delete the character to the left of the cursor. Tab complete current word. Ctrl-a or home move the cursor to the beginning of the line. Ctrl-b or left arrow move the cursor one ch...

  • Page 14: 1.4. Command Line History

    1.4. Command line history every time a command is run, the command line is added to a history list. The up and down arrow keys are used to access previous command lines (up arrow for older command lines and down arrow to move back to a newer command line). See also section 2.4.2, “history”. Example ...

  • Page 15: 1.5. Tab Completion

    1.5. Tab completion by using the tab function key in the cli the names of commands, options, objects and object properties can be automatically completed. If the text entered before pressing tab only matches one possible item, e.g. "activate" is the only match for "acti" if a command is expected...

  • Page 16

    Useful when editing an existing list of items or a long text value. If no value has been set yet for the property in question the default value, if one exists, will be used. Some values, such as binary data, cannot be autocompleted in this way. Example 1.6. Edit an existing property value edit the c...

  • Page 17: 1.6. User Roles

    1.6. User roles some commands and options cannot be used unless the logged in user has administrator privilege. This is indicated in this guide by a note following the command or "admin only" written next to an option.

  • Page 19: 2.1. Configuration

    Chapter 2. Command reference • configuration, page 9 • runtime, page 20 • utility, page 50 • misc, page 51 2.1. Configuration 2.1.1. Activate activate changes. Description activate the latest changes. This will issue a reconfiguration, using the new configuration. If the reconfiguration is successfu...

  • Page 20: 2.1.3. Cancel

    Example 2.1. Create a new object add objects with an identifier property (not index): gw-world:/> add address ip4address example_ip address=1.2.3.4 comments="this is an example" gw-world:/> add ip4address example_ip2 address=2.3.4.5 add an object with an index: gw-world:/main> add route interface=la...

  • Page 21: 2.1.4. Cc

    2.1.4. Cc change the current context. Description change the current configuration context. A context is a group of objects that are dependent on and grouped by a parent object. Many objects lie in the "root" context and do not have a specific parent. Other objects, e.g. user objects lie in a sub-co...

  • Page 22: 2.1.5. Cd

    2.1.5. Cd alias for cc. 2.1.6. Commit save new configuration to media. Description save the new configuration to media. This command can only be issued after a successful activate command. Usage commit note requires administrator privilege. 2.1.7. Copy copy object. Description make a copy of a confi...

  • Page 23: 2.1.8. Delete

    2.1.8. Delete delete specified objects. Description delete the specified object, removing it from the configuration. Add the force flag to delete the object even if it is referenced by other objects or if it is a context that has child objects that aren't deleted. This may cause objects referring to...

  • Page 25: 2.1.12. Set

    gw-world:/exampledb> set user user3 comments="rejected" gw-world:/exampledb> cc .. gw-world:/> reject localuserdatabase exampledb -recursive reject all changes: gw-world:/anycontext> reject -all all changes since the last commit will be rejected: (example_ip will be removed since it is newly added) ...

  • Page 26: 2.1.13. Show

    See also: add example 2.5. Set property values set properties for objects that have an identifier property: gw-world:/> set address ip4address example_ip address=1.2.3.4 comments="this is an example" gw-world:/> set ip4address example_ip2 address=2.3.4.5 comments=comment_without_whitespace gw-world:...

  • Page 27

    The -errors or -changes flags to show what objects have been changed or have errors in the configuration. When showing a table of all objects of a certain type, the status of each object since the last time the configuration was committed is indicated by a flag. The flags used are: - the object is d...

  • Page 28: 2.1.14. Undelete

    Options -changes show all changes in the current configuration. -disabled show disabled properties. -errors show all errors in the current configuration. -references show all references to this object from other objects. -verbose show error details. Category that groups object types. The property th...

  • Page 29

    The property that identifies the configuration object. May not be applicable depending on the specified . Type of configuration object to perform operation on. Note requires administrator privilege.

  • Page 30: 2.2. Runtime

    2.2. Runtime 2.2.1. About show copyright/build information. Description show copyright and build information. Usage about [-verbose] options -verbose verbose. 2.2.2. Arp show arp entries for given interface. Description list the arp cache entries of specified interfaces. If no interface is given the...

  • Page 31: 2.2.3. Arpsnoop

    Arp -notify= [] [-hwsender=] send gratuitous arp for ip. Options -flush flush arp cache of all specified interfaces. -hashinfo show information on hash table health. -hw= show only hardware addresses matching pattern. -hwsender= sender ethernet address. -ip= show only ip addresses matching pattern. ...

  • Page 32: 2.2.4. Ats

    -all snoop all interfaces. -disable disable all snooping. -verbose verbose. Interface name. 2.2.4. Ats show active arp transaction states. Description show active arp transaction states. Usage ats [-num=] options -num= limit list to entries. (default: 20) 2.2.5. Bigpond show bigpond information. Des...

  • Page 33

    Description block and unblock hosts on the black and white list. Note: static blacklist hosts cannot be unblocked. If -force is not specified, only the exact host with the service, protocol/port and destiny specified is unblocked. Example 2.8. Block hosts blacklist -show -black -listtime -info black...

  • Page 35: 2.2.9. Certcache

    Usage cam [-num=] [] [-flush] options -flush flush cam table. If interface is specified, only entries using this interface are flushed. (admin only) -num= limit list to entries per cam table. (default: 20) interface. 2.2.9. Certcache show the contents of the certificate cache. Description show all c...

  • Page 36: 2.2.12. Cpuid

    List current state-tracked connections. Usage connections -show [-num=] [-verbose] [-srciface=] [-destiface=] [-protocol=] [-srcport=] [-destport=] [-srcip=] [-destip=] list connections. Connections same as "connections -show". Connections -hashinfo show information on hash table health. Connections...

  • Page 37: 2.2.13. Crashdump

    Display info about the cpu. Description display the make and model of the machine's cpu. Usage cpuid 2.2.13. Crashdump show the contents of the crash.dmp file. Description show the contents of the crash.dmp file, if it exists. Usage crashdump 2.2.14. Customlog show custom configured log messages. De...

  • Page 39: 2.2.17. Dhcpserver

    2.2.17. Dhcpserver show content of the dhcp server ruleset. Description show the content of the dhcp server ruleset and various information about active/inactive leases. Display filter filters leases based on interface/mac/ip (example: if1 192.168.*) usage dhcpserver -show [-rules] [-leases] [-mappi...

  • Page 40: 2.2.19. Dynroute

    Usage dns [-query=] [-list] [-remove] options -list list pending dns queries. -query= resolve domain name. -remove remove all pending dns queries. 2.2.19. Dynroute show dynamic routing policy. Description show the dynamic routing policy filter ruleset and current exports. In the "flags" field of the...

  • Page 42: 2.2.22. Httpposter

    2.2.22. Httpposter display httpposter_urlx status. Description display configuration and status of configured httpposter_urlx targets. Usage httpposter [-repost] [-display] options -display display status. -repost re-post all urls now. (admin only) 2.2.23. Hwaccel list configured hardware accelerato...

  • Page 43: 2.2.25. Ikesnoop

    -allindepth show in-depth information about all interfaces. -filter= filter list of interfaces. -num= limit list to lines. (default: 20) -pbr= only list members of given pbr table(s). -restart stop and restart the interface. (admin only) name of interface. 2.2.25. Ikesnoop enable or disable ike-snoo...

  • Page 44: 2.2.27. Ipsecglobalstats

    Usage ippool -release [] [-all] forcibly free ip assigned to subsystem. Ippool -show [-verbose] show ip pool information. Options -all free all ip addresses. -release forcibly free ip assigned to subsystem. (admin only) -show show ip pool information. -verbose verbose output. Ip address to free. 2.2...

  • Page 45: 2.2.29. Ipsecstats

    Usage ipseckeepalive [-num=] options -num= maximum number of entries to display (default: 48). 2.2.29. Ipsecstats show the sas in use. Description list the currently active ike and ipsec sas, optionally only showing sas matching the pattern given for the argument "tunnel". Usage ipsecstats [-ike] ...

  • Page 46: 2.2.31. License

    Usage killsa delete sas belonging to provided remote sg/peer. Killsa -all delete all sas. Options -all kill all sas. Ip address of remote sg/peer. Note requires administrator privilege. 2.2.31. License show contents of the license file. Description show contents of the license file. Usage license 2....

  • Page 47: 2.2.33. Lockdown

    Options -off temporarily disable linkmon. (admin only) -on reenable linkmon. (admin only) 2.2.33. Lockdown enable / disable lockdown. Description during local lockdown, only traffic from admin nets to the security gateway itself is allowed. Everything else is dropped. Lockdown will not affect traffi...

  • Page 48: 2.2.35. Memory

    Logout 2.2.35. Memory show memory information. Description show core memory consumption. Also show detailed memory use of some components and lists. Usage memory 2.2.36. Ospf show runtime ospf information. Description show runtime information about the ospf router process(es). Note: -process is only...

  • Page 50: 2.2.37. Pipes

    2.2.37. Pipes show pipes information. Description show list of configured pipes / pipe details / pipe users. Note: the "pipes" command is not executed right away; it is queued until the end of the second, when pipe values are calculated. Usage pipes [-users] [] options -users list users of a given p...

  • Page 51: 2.2.40. Routes

    Routemon 2.2.40. Routes display routing lists. Description display information about the routing table(s): - contents of a (named) routing table. - the list of routing tables, along with a total count of route entries in each table, as well as how many of the entries are single-host routes. Note tha...

  • Page 52: 2.2.41. Rules

    -switched only show switched routes and l3c entries. -tables display list of named (pbr) routing tables. -verbose verbose. Name of routing table. 2.2.41. Rules show rules lists. Description show the contents of the various rulesets, i.e. main ruleset, pipe ruleset, etc. Example 2.10. Show a range of...

  • Page 53: 2.2.43. Shutdown

    S session uses a timeout in its subsystem - session does not use timeout usage sessionmanager show session manager status. Sessionmanager -status show session manager status. Sessionmanager -list [-num=] list active sessions. Sessionmanager -info show in-depth information about session. Sessionmanag...

  • Page 54: 2.2.44. Sshserver

    Description initiate shutdown of the core. The core will normally be restarted by an external script/application. Usage shutdown [] options seconds until shutdown. (default: 5) note requires administrator privilege. 2.2.44. Sshserver ssh server. Description show ssh server status, or start/stop/rest...

  • Page 55: 2.2.45. Stats

    -b= bitsize. (default: 1024) -keygen generate ssh server private keys. This operation may take a long time to finish, up to several minutes! -restart stop and start the ssh server. -start start the ssh server. -status show server status and list all connected clients. -stop stop the ssh server. -t={...

  • Page 56: 2.2.47. Updatecenter

    Set system local time: . Time -sync [-force] synchronize time with timeserver(s) (specified in settings). Options -force force synchronization regardless of the maxadjust setting. -set set system local time: . -sync synchronize time with timeserver(s) (specified in settings). Date yyyy-mm-dd. Time h...

  • Page 58: 2.2.50. Vlan

    -num= limit list of authenticated users. (default: 20) -privilege list all known privileges (usernames and groups). -remove forcibly log out an authenticated user. (admin only) -user show all information for user(s) with this ip address. Interface. Ip address for user(s). 2.2.50. Vlan show informati...

  • Page 59

    Options -blockenet= block the specified ethernet address. -blockip= block the specified ip address/net. -eraseenet= unblock the specified ethernet address. -eraseip= unblock the specified ip address/net. -save save the current zonedefense state on all switches. -show show the current block database....

  • Page 60: 2.3. Utility

    2.3. Utility 2.3.1. Ping ping host. Description sends one or more icmp echo datagrams to the specified ip address of a host. All datagrams are sent preloaded-style (all at once). The data size -length given is the icmp data size. 1472 bytes of icmp data results in a 1500-byte ip datagram (1514 bytes...

  • Page 61: 2.4. Misc

    2.4. Misc 2.4.1. Help show help for selected topic. Description the help system contains information about commands and configuration object types. The fastest way to get help is to simply type help followed by the topic that you want help with. A topic can be for example a command name (e.g. set) o...

  • Page 63

    Chapter 3. Configuration reference • access, page 54 • address, page 56 • advancedscheduleprofile, page 59 • alg, page 60 • arp, page 64 • blacklistwhitehost, page 65 • certificate, page 66 • client, page 67 • datetime, page 70 • device, page 71 • dhcprelay, page 72 • dhcpserver, page 73 • dns, page...

  • Page 64: 3.1. Access

    • psk, page 113 • radiusserver, page 114 • remotemanagement, page 115 • routingrule, page 118 • routingtable, page 119 • scheduleprofile, page 121 • service, page 122 • settings, page 125 • sshclientkey, page 138 • thresholdrule, page 139 • updatecenter, page 141 • userauthrule, page 142 • zonedefen...

  • Page 65

    Note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list.

  • Page 66: 3.2. Address

    3.2. Address this is a category that groups the following object types. 3.2.1. Addressfolder description an address folder can be used to group related address objects for better overview. Properties name specifies a symbolic name for the network object. (identifier) comments text describing the cur...

  • Page 67

    Members group members. Userauthgroups groups and user names that belong to this object. Objects that filter on credentials can only be used as source networks and destination networks in rules. (optional) nodefinedcredentials if this property is enabled the object requires user authentication, ...

  • Page 68: 3.2.2. Ethernetaddress

    But has no credentials (user names or groups) defined. This means that the object only requires that a user is authenticated, but ignores any kind of group membership. (default: no) comments text describing the current object. (optional) 3.2.1.5. Ip4haaddress description use an ip4 ha address item...

  • Page 69

    3.3. Advancedscheduleprofile description an advanced schedule profile contains definitions of occurrences used by various policies in the system. Properties name specifies a symbolic name for the service. (identifier) comments text describing the current object. (optional) 3.3.1. Advancedscheduleocc...

  • Page 70: 3.4. Alg

    3.4. Alg this is a category that groups the following object types. 3.4.1. Alg_ftp description use an ftp application layer gateway to manage ftp traffic through the system. Properties name specifies a symbolic name for the alg. (identifier) allowserverpassive allow server to use passive mode (unsaf...

  • Page 71: 3.4.2. Alg_H323

    3.4.2. Alg_h323 description use an h.323 application layer gateway to manage h.323 multimedia traffic. Properties name specifies a symbolic name for the alg. (identifier) allowtcpdatachannels allow tcp data channels (t.120). (default: yes) maxtcpdatachannels maximum number of tcp data channels per c...

  • Page 72: 3.4.4. Alg_Smtp

    (default: no) antivirus disabled, audit or protect. (default: disabled) scanexclude list of files to exclude from antivirus scanning. (optional) compressionratio a compression ratio higher than this value will trigger the action in compression ratio action, a value of zero will disable all compres...

  • Page 73

    Verifysenderemail enable to verify sender e-mail address. (default: no) maxemailperminute specifies the maximum amount of e-mails per minute. (optional) filelisttype specifies if the file list contains files to allow or deny. (default: block) failmodebehavior standard behaviour on error: allow or de...

  • Page 74: 3.5. Arp

    3.5. Arp description use an arp entry to publish additional ip addresses and/or mac addresses on a specified interface. Properties index the index of the object, starting at 1. (identifier) mode static, publish or xpublish. (default: publish) interface indicates the interface to which the arp entry ...

  • Page 75: 3.6. Blacklistwhitehost

    3.6. Blacklistwhitehost description manually configured whitelist hosts are used to prevent a host/network from being blocked, either by default or based on a schedule. Properties index the index of the object, starting at 1. (identifier) addresses specifies the addresses that will be whitelisted. Serv...

  • Page 76: 3.7. Certificate

    3.7. Certificate description an X.509 certificate is used to authenticate a vpn client or gateway when establishing an ipsec tunnel. Properties name specifies a symbolic name for the certificate. (identifier) type local, remote or request. Certificatedata certificate data. Privatekey private key. N...

  • Page 77: 3.8. Client

    3.8. Client this is a category that groups the following object types. 3.8.1. Dyndnsclientcjbnet description configure the parameters used to connect to the cjb.net dyndns service. Properties username username. Password the password for the specified username. (optional) comments text describing the...

  • Page 78: 3.8.4. Dyndnsclientdynscx

    Properties dnsname the dns name excluding the .dyndns.org suffix. Username username. Password the password for the specified username. (optional) comments text describing the current object. (optional) note this object type does not have an identifier and is identified by the name of the type only. ...

  • Page 79: 3.8.6. Loginclientbigpond

    Comments text describing the current object. (optional) note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list. 3.8.6. Loginclientbigpond description configure the parameters used to provi...

  • Page 80: 3.9. Datetime

    3.9. Datetime description set the date, time and time zone information for this system. Properties timezone specifies the time zone. (default: gmt) dstenabled enable daylight saving time. (default: yes) dstoffset daylight saving time offset in minutes. (default: 60) dststartmonth what month daylight...

  • Page 81: 3.10. Device

    3.10. Device description global parameters of this device. Properties name name of the device. (default: device) configversion version number of the configuration. (default: 1) comments text describing the current object. (optional) note this object type does not have an identifier and is identified...

  • Page 82: 3.11. Dhcprelay

    3.11. Dhcprelay description use a dhcp relay to dynamically alter the routing table according to relayed dhcp leases. Properties name specifies a symbolic name for the relay rule. (identifier) action ignore, relay or bootpfwd. (default: ignore) sourceinterface the source interface of the dhcp packet...

  • Page 83: 3.12. Dhcpserver

    3.12. Dhcpserver description a dhcp server determines a set of ip addresses and host configuration parameters to hand out to dhcp clients attached to a given interface. Properties name specifies a symbolic name for the dhcp server rule. (identifier) interface the source interface to listen for dhcp ...

  • Page 84

    Index the index of the object, starting at 1. (identifier) host ip address of the host. Macaddress the hardware address of the host. Comments text describing the current object. (optional) note if no index is specified when creating an instance of this type, the object will be placed last in the lis...

  • Page 85: 3.13. Dns

    3.13. Dns description configure the dns (domain name system) client settings. Properties dnsserver1 ip of the primary dns server. (optional) dnsserver2 ip of the secondary dns server. (optional) dnsserver3 ip of the tertiary dns server. (optional) comments text describing the current object. (option...

  • Page 86: 3.14. Driver

    3.14. Driver this is a category that groups the following object types. 3.14.1. Ixp4npeethernetdriver description intel (ixp4xxnpe) fast ethernet adaptor. Properties comments text describing the current object. (optional) note this object type does not have an identifier and is identified by the nam...

  • Page 87

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.14.3. R8139ethernetpcidriver

  • Page 88: 3.15. Dynamicroutingrule

    3.15. Dynamicroutingrule description a dynamic routing policy rule creates a filter to catch statically configured or ospf learned routes. The matched routes can be controlled by the action rules to be either exported to ospf processes or to be added to one or more routing tables. Properties index t...

  • Page 89

    3.15.1. Dynamicroutingruleexportospf description an ospf action is used to manipulate and export new or changed routes to an ospf router process. Properties index the index of the object, starting at 1. (identifier) exporttoprocess specifies to which ospf process the route change should be exporte...

  • Page 90

    Limitmetricrange limits the metrics for these routes to a minimum and maximum value; if a route has a higher or lower value than specified it will be set to the specified value. (optional) proxyarpallinterfaces always select all interfaces, including new ones, for publishing routes via proxy arp. (d...

  • Page 91: 3.16. Ethernetdevice

    3.16. Ethernetdevice description hardware settings for an ethernet interface. Properties name specifies a symbolic name for the device. (identifier) ethernetdriver the ethernet pci driver that should be used by the interface. Pcibus pci bus number where the ethernet adapter is installed. Pcislot pci...

  • Page 92: 3.17. Highavailability

    3.17. Highavailability description configure the high availability cluster parameters for this system. Properties enabled enable high availability. (default: no) clusterid a (locally) unique cluster id to use in identifying this group of ha security gateways. (default: 0) synciface specifies the i...

  • Page 93: 3.18. Httpposter

    3.18. Httpposter description use the http poster for dynamic dns or automatic logon to services using web-based authentication. Properties url1 the first url that will be posted when the security gateway is loaded. (optional) url2 the second url that will be posted when the security gateway is loa...

  • Page 94: 3.19. Idlist

    3.19. Idlist description an id list contains ids, which are used within the authentication process when establishing an ipsec tunnel. Properties name specifies a symbolic name for the id list. (identifier) comments text describing the current object. (optional) 3.19.1. Id description an id is used t...

  • Page 95: 3.20. Idprule

    3.20. Idprule description an idp rule defines a filter for matching specific network traffic. When the filter criteria is met, the idp rule actions are evaluated and possible actions taken. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the r...

  • Page 96

    Idpseverity signature severity group. (default: attack) signatures specifies what signature(s) to search for in the network traffic. (optional) zonedefense activate zonedefense. (default: no) blacklist activate blacklist. (default: no) blacklisttimetoblock the number of seconds that the dynamic blac...

  • Page 97: 3.21. Ikealgorithms

    3.21. Ikealgorithms description configure algorithms which are used in the ike phase of an ipsec session. Properties name specifies a symbolic name for the object. (identifier) nullenabled enable plaintext. (default: no) desenabled enable des encryption algorithm. (default: no) des3enabled enable 3d...

  • Page 98: 3.22. Interface

    3.22. Interface this is a category that groups the following object types. 3.22.1. Defaultinterface description a special interface used to represent internal mechanisms in the system as well as an abstract "any" interface. Properties name specifies a symbolic name for the interface. (identifier) mt...

  • Page 99: 3.22.3. Interfacegroup

    Autointerfacenetworkroute automatically add a route for this interface using the given network. (default: yes) autodefaultgatewayroute automatically add a default route for this interface using the given default gateway. (default: yes) dhcpdns1 ip of the primary dns server. (optional) dhcpdns2 ip of...

  • Page 100

    nel will be established between the local network and this network. Remoteendpoint specifies the ip address of the remote endpoint. This is the address the security gateway will establish the ipsec tunnel to. It also dictates from where inbound ipsec tunnels are allowed. (optional) ikealgorithms...

  • Page 101: 3.22.5. L2Tpclient

    Originatorip manually specified originator ip address to use as source ip in e.g. nat. Ikemode specifies which ike mode to use: main or aggressive. (default: main) dhgroup specifies the diffie-hellman group to use when doing key exchanges in ike. (default: 2) pfs specifies whether pfs should be us...

  • Page 102

    Network the network from which traffic should be routed into the tunnel. Remoteendpoint the ip address of the l2tp/pptp server. Tunnelprotocol specifies if pptp or l2tp should be used for this tunnel. (default: pptp) originatoriptype specifies what ip address to use as source ip in e.g. nat. (defa...

  • Page 103: 3.22.6. L2Tpserver

    Comments text describing the current object. (optional) 3.22.6. L2tpserver description a pptp/l2tp server interface terminates ppp (point to point protocol) tunnels set up over existing ip networks. Properties name specifies a symbolic name for the interface. (identifier) ip the ip address of the pp...

  • Page 104: 3.22.7. Pppoetunnel

    Proxyarpallinterfaces always select all interfaces, including new ones, for publishing routes via proxy arp. (default: no) proxyarpinterfaces specifies the interfaces on which the security gateway should publish routes via proxy arp. (optional) comments text describing the current object. (optional)...

  • Page 105: 3.22.8. Vlan

    Idletimeout idle timeout in seconds for dial-on-demand. (default: 3600) metric specifies the metric for the auto-created route. (default: 90) autointerfacenetworkroute automatically add a route for this interface using the given remote network. (default: yes) schedule the schedule defines when the p...

  • Page 106

    Comments text describing the current object. (optional) 3.22.8. Vlan chapter 3. Configuration reference 96.

  • Page 107: 3.23. Iprule

    3.23. Iprule description an ip rule specifies what action to perform on network traffic that matches the specified filter criteria. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the rule. (optional) action reject, drop, fwdfast, allow, nat...

  • Page 108

    Slbmonitortcp enable monitoring using tcp packets. (default: no) slbpingusesharedip use the shared ip of a ha cluster instead of the private ip of the node. (default: yes) slbtcpusesharedip use the shared ip of a ha cluster instead of the private ip of the node. (default: yes) slbpinginterval ping i...

  • Page 109: 3.24. Iprulefolder

    3.24. Iprulefolder description an ip rule folder can be used to group ip rules into logical groups for better overview and simplified management. Properties index the index of the object, starting at 1. (identifier) name specifies the name of the folder. Comments text describing the current object...

  • Page 110: 3.25. Ipsecalgorithms

    3.25. Ipsecalgorithms description configure algorithms which are used in the ipsec phase of an ipsec session. Properties name specifies a symbolic name for the object. (identifier) nullenabled enable plaintext. (default: no) desenabled enable des encryption algorithm. (default: no) des3enabled enabl...

  • Page 111: 3.26. Ldapserver

    3.26. Ldapserver description an ldap server is used as a central repository of certificates and crls that the security gateway can download when necessary. Properties index the index of the object, starting at 1. (identifier) host specifies the ip address or hostname of the ldap server. Username spe...

  • Page 112: 3.27. Localuserdatabase

    3.27. Localuserdatabase description a local user database contains user accounts used for authentication purposes. Properties name specifies a symbolic name for the object. (identifier) comments text describing the current object. (optional) 3.27.1. User description user credentials may be used in u...

  • Page 113: 3.28. Logreceiver

    3.28. Logreceiver this is a category that groups the following object types. 3.28.1. Logreceivermemory description a memory log receiver is used to receive and keep log events in system ram. Properties name specifies a symbolic name for the log receiver. (identifier) logseverity specifies with what ...

  • Page 114: 3.28.3. Logreceiversyslog

    Other e-mail. (default: 600) logthreshold the number of events that have to occur within the hold time for an e-mail to be sent. (default: 2) comments text describing the current object. (optional) 3.28.3. Logreceiversyslog description a syslog receiver is used to receive log events from the system ...

  • Page 115: 3.29. Ospfprocess

    3.29. Ospfprocess description an ospf router process defines a group of routers exchanging routing information via the open shortest path first routing protocol. Properties name specifies a symbolic name for the ospf process. (identifier) routerid specifies the ip address that is used to identify th...

  • Page 116: 3.29.1. Ospfarea

    Cifies the details of the log. (default: off) debugroute enables or disables logging of routing table manipulation events and also specifies the details of the log. (default: off) authtype specifies the authentication type for the ospf protocol exchanges. (default: null) authpassphrase specifies the...

  • Page 117

    Properties interface specifies which interface in the security gateway will be used for this ospf interface. (identifier) type auto, broadcast, point-to-point or point-to-multipoint. (default: auto) metrictype metric value or bandwidth. (default: metricvalue) metric specifies the routing metric fo...

  • Page 118

    For point-to-point and point-to-multipoint networks, specify the ip addresses of directly connected routers. Properties interface specifies the ospf interface of the neighbor. (identifier) ipaddress ip address of the neighbor. Metric specifies the metric of the neighbor. (optional) comments text des...

  • Page 119: 3.30. Pipe

    3.30. Pipe description a pipe defines basic traffic shaping parameters. The pipe rules then determine which traffic goes through which pipes. Properties name specifies a symbolic name for the pipe. (identifier) limitkbpstotal total bandwidth limit for this pipe in kilobits per second. (optional) li...

  • Page 120

    Userlimitpps0 specifies the throughput limit per group in pps for precedence 0 (the lowest precedence). (optional) userlimitkbps1 specifies the bandwidth limit per group in kbps for precedence 1. (optional) userlimitpps1 specifies the throughput limit per group in pps for precedence 1. (optional) us...

  • Page 121

    (default: 7) comments text describing the current object. (optional) 3.30. Pipe chapter 3. Configuration reference 111.

  • Page 122: 3.31. Piperule

    3.31. Piperule description a pipe rule determines traffic shaping policy - which pipes to use - for one or more types of traffic with the same granularity as the standard ruleset. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the object. (op...

  • Page 123: 3.32. Psk

    3.32. Psk description psk (pre-shared key) authentication is based on a shared secret that is known only by the parties involved. Properties name specifies a symbolic name for the pre-shared key. (identifier) type specifies the type of the shared key. Pskascii specifies the psk as a passphrase. Pskh...

  • Page 124: 3.33. Radiusserver

    3.33. Radiusserver description external radius server used to verify user names and passwords. Properties name specifies a symbolic name for the server. (identifier) ipaddress the ip address of the server. Port the udp port of the server. (default: 1812) retrytimeout the retry timeout, in seconds, u...

  • Page 125: 3.34. Remotemanagement

    3.34. Remotemanagement this is a category that groups the following object types. 3.34.1. Remotemgmthttp description http/https management. Properties name specifies a symbolic name for the object. (identifier) accesslevel the access level to grant the user that logs in. (default: admin) localuserda...

  • Page 126

    Secure shell (ssh) server. Properties name specifies a symbolic name for the ssh server. (identifier) port the listening port for the ssh server. (default: 22) allowauthmethodpassword allow password client authentication. (default: yes) allowauthmethodpublickey allow public key client authentication...

  • Page 127

    Network specifies the network for which remote access is granted. Comments text describing the current object. (optional) 3.34.3. Remotemgmtssh chapter 3. Configuration reference 117.

  • Page 128: 3.35. Routingrule

    Description generate a pre-shared key of specified size, containing randomized key data. If a key with the spe- cified name exists, the existing key is modified. Otherwise a new key object is created. Usage pskgen [-comments=] [-size={64

  • Page 129: 3.36. Routingtable

    3.36. Routingtable description the system has a predefined main routing table. Alternate routing tables can be defined by the user. Properties name specifies a symbolic name for the routing table. (identifier) ordering specifies how a route lookup is done in a named routing table. (default: only) ...

  • Page 130: 3.36.2. Switchroute

    Monitorgatewayarpinterval specifies the arp lookup interval in milliseconds. (default: 1000) network specifies the network address for this route. Metric specifies the metric for this route. (default: 0) proxyarpallinterfaces always select all interfaces, including new ones, for publishing routes ...

  • Page 131: 3.37. Scheduleprofile

    3.37. Scheduleprofile description a schedule profile defines days and dates and is then used by the various policies in the system. Properties name specifies a symbolic name for the service. (identifier) mon specifies during which intervals the schedule profile is active on mondays. (optional) tue ...

  • Page 132: 3.38. Service

    3.38. Service this is a category that groups the following object types. 3.38.1. Servicegroup description a service group is a collection of service objects, which can then be used by different policies in the system. Properties name specifies a symbolic name for the service. (identifier) members gr...

  • Page 133: 3.38.3. Serviceipproto

    Echoreplycodes specifies which echo reply message codes should be matched. (default: 0-255) sourcequenching enable matching of source quenching messages. (default: no) sourcequenchingcodes specifies which source quenching message codes should be matched. (default: 0-255) timeexceeded enable matching...

  • Page 134

    Properties name specifies a symbolic name for the service. (identifier) destinationports specifies the destination port or the port ranges applicable to this service. Type specifies whether this service uses the tcp or udp protocol or both. (default: tcp) sourceports specifies the source port or t...

  • Page 135: 3.39. Settings

    3.39. Settings this is a category that groups the following object types. 3.39.1. Arptablesettings description advanced arp-table settings. Properties arpmatchenetsender the ethernet sender address matching the hardware address in the arp data. (default: droplog) arpquerynosenderip if the ip source ...

  • Page 136: 3.39.3. Dhcprelaysettings

    Description timeout settings for various protocols. Properties connlife_tcp_syn connection idle lifetime for tcp connections being formed. (default: 60) connlife_tcp connection idle lifetime for tcp. (default: 262144) connlife_tcp_fin connection idle lifetime for tcp connections being closed. (defau...

  • Page 137: 3.39.4. Dhcpserversettings

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.39.4. Dhcpserversettings description advanced dhcp server settings. Properties autosaveleasepolicy policy for saving the lease database to disk. (default: ...

  • Page 138: 3.39.6. Icmpsettings

    Reasstimeout timeout of a reassembly, since previous received fragment. (default: 65) reasstimelimit maximum lifetime of a reassembly, since first received fragment. (default: 90) reassdonelinger how long to remember a completed reassembly (watching for old dups). (default: 20) reassillegallinger ...

  • Page 139: 3.39.8. Ipsettings

    Ikecrlvaliditytime maximum number of seconds a crl is considered valid (0=obey the 'next update' field in the crl). (default: 86400) ikemaxcapath maximum number of ca certificates in a certificate path. (default: 15) ipseccertcachemaxcerts maximum number of entries in the certificate cache. (default...

  • Page 140: 3.39.9. L2Tpserversettings

    Ttlonlow what action to take on too low ttl values. (default: droplog) defaultttl the default ip time-to-live of packets originated by the security gateway (32-255). (default: 255) layersizeconsistency tcp/udp/icmp/etc layer data and header sizes matching lower layer size information. (default: va...

  • Page 141: 3.39.10. Lengthlimsettings

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.39.10. Lengthlimsettings description length limitations for various protocols. Properties maxtcplen tcp; sometimes has to be increased if tunneling protoco...

  • Page 142: 3.39.12. Localreasssettings

    Properties idletimeout number of seconds of inactivity until the local console user is automatically logged out. (default: 900) note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.39.12. Localreasssettings d...

  • Page 143: 3.39.14. Remotemgmtsettings

    3.39.14. Remotemgmtsettings description setup and configure methods and permissions for remote management of this system. Properties netconbidirtimeout specifies the amount of seconds to wait for the administrator to log in before reverting to the previous configuration. (default: 30) webuibeforerul...

  • Page 144: 3.39.16. Sslsettings

    Routefailover_ifacepollinterval time (ms) between polling of interface failure. (default: 500) routefailover_arppollinterval time (ms) between arp-lookup of gateways. May be overridden for each route. (default: 1000) routefailover_pingpollinterval time (ms) between ping'ing of gateways. (default: ...

  • Page 145: 3.39.17. Statesettings

    Tls_rsa_export1024_with_rc4_56_sha1 enable cipher tls_rsa_export1024_with_rc4_56_sha1. (default: yes) tls_rsa_export512_with_rc4_40_md5 enable cipher tls_rsa_export1024_with_rc4_40_md5. (default: no) tls_rsa_export512_with_rc2_40_md5 enable cipher tls_rsa_export1024_with_rc2_40_md5. (default: no)...

  • Page 146: 3.39.18. Tcpsettings

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.39.18. Tcpsettings description settings related to the tcp protocol. Properties tcpoptionsizes validity of tcp header option sizes. (default: validatelogba...

  • Page 147: 3.39.19. Vlansettings

    Tcpsynurg the tcp urg flag together with syn; normally invalid (strip=strip urg). (default: droplog) tcpsynpsh the tcp psh flag together with syn; normally invalid but always used by some ip stacks (strip=strip psh). (default: stripsilent) tcpsynrst the tcp rst flag together with syn; normally inval...

  • Page 148: 3.40. Sshclientkey

    3.40. Sshclientkey description the public key of the client connecting to the ssh server. Properties name specifies a symbolic name for the key. (identifier) type dsa or rsa. (default: dsa) subject value of the subject header tag of the public key file. (optional) publickey specifies the public key....

  • Page 149: 3.41. Thresholdrule

    3.41. Thresholdrule description a threshold rule defines a filter for matching specific network traffic. When the filter criteria are met, the threshold rule actions are evaluated and possible actions taken. Properties index the index of the object, starting at 1. (identifier) name specifies a symbol...

  • Page 150

    Threshold specifies the threshold. Thresholdunit specifies the threshold unit. (default: connssec) zonedefense activate zonedefense. (default: no) blacklist activate blacklist. (default: no) blacklisttimetoblock the number of seconds that the dynamic black list should remain. (optional) blacklistb...

  • Page 151: 3.42. Updatecenter

    3.42. Updatecenter description configure automatic updates. Properties avenabled automatic updates of antivirus definitions and engine. (default: no) idpenabled automatic updates of idp maintenance signatures. (default: no) advancedidpenabled automatic updates of advanced idp signatures. (default:...

  • Page 152: 3.43. Userauthrule

    3.43. Userauthrule description the user authentication ruleset specifies from where users are allowed to authenticate to the system, and how. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the rule. (optional) agent http, https, xauth, ppp ...

  • Page 153

    Sessiontimeout if a user has successfully been authenticated, he/she will automatically be logged out after this many seconds, regardless of if there has been activity from the user or not. (optional) useservertimeouts use timeouts received from the authentication server. If no values are received...

  • Page 154: 3.44. Zonedefenseblock

    3.44. Zonedefenseblock description manually configured blocks are used to block a host/network on the switches either by default or based on schedule. Properties index the index of the object, starting at 1. (identifier) addresses specifies the addresses to block. Protocol all, tcp, udp or icmp. (de...

  • Page 155

    3.45. Zonedefenseexcludelist description the exclude list is used to exclude certain hosts/networks from being blocked out by idp/threshold rule violations. Properties addresses specifies the addresses that should not be blocked. (optional) comments text describing the current object. (optional) note t...

  • Page 156: 3.46. Zonedefenseswitch

    3.46. Zonedefenseswitch description a zonedefense switch will have its acls controlled and hosts/networks violating the idp/ threshold rules will be blocked directly on the switch. Properties name specifies a symbolic name for the zonedefense switch. (identifier) switchmodel specifies the switch mod...

  • Page 157

    3.46. Zonedefenseswitch chapter 3. Configuration reference 147.

  • Page 158: Index

    Index commands a about, 20 activate, 9 add, 9 arp, 20 arpsnoop, 21 ats, 22 b bigpond, 22 blacklist, 22 buffers, 24 c cam, 24 cancel, 10 cc, 11 cd, 12 (see also cc) certcache, 25 cfglog, 25 commit, 12 connections, 25 copy, 12 cpuid, 26 crashdump, 27 customlog, 27 d delete, 13 dhcp, 27 dhcprelay, 28 d...

  • Page 159: Object Types

    Zonedefense, 48 object types a access, 54 addressfolder, 56 advancedscheduleoccurrence, 59 advancedscheduleprofile, 59 alg_ftp, 60 alg_h323, 61 alg_http, 61 alg_http_url, 62 alg_smtp, 62 alg_smtp_email, 63 arp, 64 arptablesettings, 125 b blacklistwhitehost, 65 c certificate, 66 conntimeoutsettings, ...

  • Page 160

    Remotemgmtsnmp, 115 remotemgmtssh, 115 route, 119 routingrule, 118 routingsettings, 133 routingtable, 119 s scheduleprofile, 121 servicegroup, 122 serviceicmp, 122 serviceipproto, 123 servicetcpudp, 123 sshclientkey, 138 sslsettings, 134 statesettings, 135 switchroute, 120 t tcpsettings, 136 thresho...