D-Link DFL-2500 CLI Reference Manual - 2.2.39. Languagefiles

Other manuals for DFL-2500: User Manual
Manual is about: Network Security Firewall

Summary of DFL-2500

  • Page 1

    Network Security Solution, http://www.dlink.com. DFL-210/800/1600/2500, DFL-260/860/1660/2560(G), ver. 2.27.01. Network Security Firewall CLI Reference Guide.

  • Page 2: Cli Reference Guide

    CLI Reference Guide, DFL-210/260/800/860/1600/1660/2500/2560/2560G, NetDefendOS version 2.27.01. D-Link Corporation, No. 289, Sinhu 3rd Rd., Neihu District, Taipei City 114, Taiwan R.O.C., http://www.dlink.com. Published 2010-06-22. Copyright © 2010.

  • Page 3

    CLI Reference Guide, DFL-210/260/800/860/1600/1660/2500/2560/2560G, NetDefendOS version 2.27.01, published 2010-06-22, copyright © 2010. Copyright notice: this publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. N...

  • Page 4: Table Of Contents

    Table of contents: Preface ... 10; 1. Introduction ... 12; 1.1. Running a command ...

  • Page 5

    2.2.30. ifstat ... 47; 2.2.31. igmp ... 47; 2.2.32. ikesnoop ...

  • Page 6

    3.3.1. AdvancedScheduleOccurrence ... 90; 3.4. ALG ... 91; 3.4.1. ALG_FTP ...

  • Page 7

    3.30.6. L2TPClient ... 139; 3.30.7. L2TPServer ... 140; 3.30.8. LoopbackInterface ... 141; 3...

  • Page 8

    3.55.16. MiscSettings ... 196; 3.55.17. MulticastSettings ... 197; 3.55.18. RemoteMgmtSettings ... 198; 3.55...

  • Page 9: List Of Examples

    List of examples: 1. Command option notation ... 10; 1.1. Help for commands ... 13; 1.2. Help for object types ...

  • Page 10: Preface

    Preface. Audience: the target audience for this reference guide is: • administrators that are responsible for configuring and managing the D-Link firewall; • administrators that are responsible for troubleshooting the D-Link firewall. This guide assumes that the reader is familiar with the D-Link fire...

  • Page 11

    Because the table name option is followed by ellipses it is possible to specify more than one routing table. Since table name is optional as well, the user can specify zero or more policy-based routing tables. gw-world:/> routes virroute virroute2

  • Page 12: Chapter 1. Introduction

    Chapter 1. Introduction: • Running a command, page 12 • Help, page 13 • Function keys, page 14 • Command line history, page 15 • Tab completion, page 16 • User roles, page 18. This guide is a reference for all commands and configuration object types that are available in the command line interface for...

  • Page 13: 1.2. Help

    1.2. Help. 1.2.1. Help for commands. There are two ways of getting help about a command. A brief help is displayed if the command name is typed followed by -? or -h. This applies to all commands and is therefore not listed in the option list for each command in this guide. Using the help command give...

  • Page 14: 1.3. Function Keys

    1.3. Function keys. In addition to the Return key there are a number of function keys that are used in the CLI. Backspace: delete the character to the left of the cursor. Tab: complete current word. Ctrl-A or Home: move the cursor to the beginning of the line. Ctrl-B or Left arrow: move the cursor one ch...

  • Page 15: 1.4. Command Line History

    1.4. Command line history. Every time a command is run, the command line is added to a history list. The Up and Down arrow keys are used to access previous command lines (Up arrow for older command lines and Down arrow to move back to a newer command line). See also Section 2.4.3, “history”. Example ...

  • Page 16: 1.5. Tab Completion

    1.5. Tab completion. By using the Tab function key in the CLI the names of commands, options, objects and object properties can be automatically completed. If the text entered before pressing Tab only matches one possible item, e.g. "activate" is the only match for "acti", and a command is expect...

  • Page 17

    If "." is entered instead of a property value and Tab is pressed it will be replaced by the current value of that property. This is useful when editing an existing list of items or a long text value. The "" character before a Tab can be used to automatically fill in the default value for a paramet...

  • Page 18: 1.6. User Roles

    1.6. User roles. Some commands and options cannot be used unless the logged in user has administrator privilege. This is indicated in this guide by a note following the command or "admin only" written next to an option.

  • Page 20: 2.1. Configuration

    Chapter 2. Command reference: • Configuration, page 20 • Runtime, page 31 • Utility, page 78 • Misc, page 79. 2.1. Configuration. 2.1.1. activate: activate changes. Description: activate the latest changes. This will issue a reconfiguration, using the new configuration. If the reconfiguration is successf...

  • Page 21: 2.1.3. Cancel

    Example 2.1. Create a new object. Add objects with an identifier property (not index): gw-world:/> add Address IP4Address example_ip Address=1.2.3.4 Comments="this is an example" gw-world:/> add IP4Address example_ip2 Address=2.3.4.5. Add an object with an index: gw-world:/main> add Route Interface=la...

  • Page 22: 2.1.4. Cc

    Note: requires administrator privilege. 2.1.4. cc: change the current context. Description: change the current configuration context. A context is a group of objects that are dependent on and grouped by a parent object. Many objects lie in the "root" context and do not have a specific parent. Other obj...

  • Page 23: 2.1.5. Commit

    The property that identifies the configuration object. May not be applicable depending on the specified type. Type of configuration object to perform operation on. 2.1.5. commit: save new configuration to media. Description: save the new configuration to media. This command can only be issued after a succ...

  • Page 24: 2.1.7. Pskgen

    Options: -force force object to be deleted even if it's used by other objects or has children. Category that groups object types. The property that identifies the configuration object. May not be applicable depending on the specified type. Type of configuration object to perform operation on. Note: requir...

  • Page 25

    All changes made to the object will be lost. If the object is added after the last commit, it will be removed. To reject the changes in more than one object, use either the -recursive flag to delete a context and all its children recursively or the -all flag to reject the changes in all objects in...

  • Page 26: 2.1.9. Reset

    Note: requires administrator privilege. 2.1.9. reset: reset unit configuration and/or binaries. Description: reset configuration to the base configuration as generated by the current core or reset binaries to factory defaults. Usage: reset -configuration reset the configuration to factory defaults. rese...

  • Page 27: 2.1.11. Show

    Example 2.5. Set property values. Set properties for objects that have an identifier property: gw-world:/> set Address IP4Address example_ip Address=1.2.3.4 Comments="this is an example" gw-world:/> set IP4Address example_ip2 Address=2.3.4.5 Comments=comment_without_whitespace gw-world:/main> set rou...

  • Page 28

    When showing a table of all objects of a certain type, the status of each object since the last time the configuration was committed is indicated by a flag. The flags used are: "-" the object is deleted; "o" the object is disabled; "!" the object has errors; "+" the object is newly created; "*" the object is ...

  • Page 29: 2.1.12. Undelete

    Show all changes. Options: -changes show all changes in the current configuration. -disabled show disabled properties. -errors show all errors in the current configuration. -references show all references to this object from other objects. -verbose show error details. Category that groups object type...

  • Page 30

    The property that identifies the configuration object. May not be applicable depending on the specified type. Type of configuration object to perform operation on. Note: requires administrator privilege.

  • Page 31: 2.2. Runtime

    2.2. Runtime. 2.2.1. about: show copyright/build information. Description: show copyright and build information. Usage: about. 2.2.2. alarm: show alarm information. Description: show list of currently active alarms. Usage: alarm [-history] [-active]. Options: -active show the currently active alarms. -history...

  • Page 32: 2.2.4. Arpsnoop

    arp show all ARP entries. arp -show [] [-ip=] [-hw=] [-num=] show ARP entries. arp -hashinfo [] show information on hash table health. arp -flush [] flush ARP cache of specified interface. arp -notify= [] [-hwsender=] send gratuitous ARP for IP. Options: -flush flush ARP cache of all specified interf...

  • Page 35: 2.2.8. Cam

    List packet buffers or the contents of a buffer. Description: lists the 20 most recently freed packet buffers, or in-depth information about a specific buffer. Usage: buffers list the 20 most recently freed buffers. buffers -recent decode the most recently freed buffer. buffers decode buffer number. ...

  • Page 36: 2.2.9. Certcache

    Flush CAM table information. Options: -flush flush CAM table. If interface is specified, only entries using this interface are flushed. (admin only) -num= limit list to entries per CAM table. (default: 20) interface. 2.2.9. certcache: show the contents of the certificate cache. Description: show all ce...

  • Page 37: 2.2.12. Cpuid

    connections -show [-num=] [-verbose] [-srciface=] [-destiface=] [-protocol=] [-srcport=] [-destport=] [-srcip=] [-destip=] list connections. connections same as "connections -show". connections -close [-all] [-srciface=] [-destiface=] [-protocol=] [-srcport=] [-destport=] [-srcip=] [-destip=] close ...

  • Page 38: 2.2.13. Crashdump

    2.2.13. crashdump: show the contents of the crash.dmp file. Description: show the contents of the crash.dmp file, if it exists. Usage: crashdump. 2.2.14. cryptostat: show information about crypto accelerators. Description: show information about installed crypto accelerators. Usage: cryptostat. 2.2.15. dcon...

  • Page 39: 2.2.16. Dhcp

    -onlyhigh only show entries with severity high. (admin only) 2.2.16. dhcp: display information about DHCP-enabled interfaces or modify/update their leases. Description: display information about a DHCP-enabled interface. Usage: dhcp list DHCP enabled interfaces. dhcp -list list DHCP enabled interfaces....

  • Page 40: 2.2.18. Dhcpserver

    dhcprelay show the currently relayed DHCP sessions. dhcprelay -show [-rules] [-routes] []... show DHCP/BOOTP relayer ruleset. dhcprelay -release [-interface=] terminate relayed session. Options: -interface= interface. -release terminate relayed session. (admin only) -routes show the currently relaye...

  • Page 41: 2.2.19. Dns

    Release an active IP. Options: -fromentry= shows DHCP server lease list from offset. -leases show DHCP server leases. -mappings show DHCP server IP mappings. -num= limit list to leases. -release={blacklist} release specific type of IPs. (admin only) -releaseip release an active IP. (admin only) -rul...

  • Page 42: 2.2.21. Dynroute

    Description: show status of DNSBL. Usage: dnsbl [-show] [] [-clean]. Options: -clean clear DNSBL statistics for ALG. -show show DNSBL statistics for ALG. Name of SMTP ALG. 2.2.21. dynroute: show dynamic routing policy. Description: show the dynamic routing policy filter ruleset and current exports. In the...

  • Page 44: 2.2.24. Hostmon

    -activate go active. -deactivate go inactive. 2.2.24. hostmon: show host monitor statistics. Description: show active host monitor sessions. Usage: hostmon [-verbose] [-num=]. Options: -num= limit list to entries. (default: 20) -verbose verbose output. 2.2.25. httpalg: commands related to the HTTP applica...

  • Page 46: 2.2.28. Hwm

    2.2.28. hwm: show hardware monitor sensor status. Description: show hardware monitor sensor status. Usage: hwm [-all] [-verbose]. Options: -all show all sensors. Warning: use at own risk, may take a long time for high-speed ifaces to cope. -verbose show sensor number, type and limits. 2.2.29. idppipes: show ...

  • Page 47: 2.2.30. Ifstat

    2.2.30. ifstat: show interface statistics. Description: show list of attached interfaces, or in-depth information about a specific interface. Usage: ifstat [] [-filter=] [-pbr=] [-num=] [-restart] [-allindepth]. Options: -allindepth show in-depth information about all interfaces. -filter= filter list of ...

  • Page 48: 2.2.32. Ikesnoop

    igmp -join [] simulate an incoming IGMP join message. igmp -leave [] simulate an incoming IGMP leave message. Options: -join simulate an incoming IGMP join message. -leave simulate an incoming IGMP leave message. -query simulate an incoming IGMP query message. -state show the current IGMP state. Host...

  • Page 49: 2.2.33. Ippool

    -on turn IKE snooping on. -verbose enable IKE snooping with verbose output. IP address to snoop. 2.2.33. ippool: show IP pool information. Description: show information about the current state of the configured IP pools. Usage: ippool -release [] [-all] forcibly free IP assigned to subsystem. ippool -s...

  • Page 50: 2.2.35. Ipseckeepalive

    Options: -verbose show all statistics. 2.2.35. ipseckeepalive: show status of the IPsec ping keepalives. Description: show status of the IPsec ping keepalives. Usage: ipseckeepalive [-num=]. Options: -num= maximum number of entries to display (default: 48). 2.2.36. ipsecstats: show the SAs in use. Descript...

  • Page 51: 2.2.37. Ipsectunnels

    -usage show detailed SA statistics information. -verbose show verbose information. Only show SAs matching pattern. 2.2.37. ipsectunnels: lists the current IPsec configuration. Description: lists the current IPsec configuration. Usage: ipsectunnels -iface= show specific interface. ipsectunnels -num={all...

  • Page 52: 2.2.39. Languagefiles

    Delete SAs belonging to provided remote SG/peer. killsa -all delete all SAs. Options: -all kill all SAs. IP address of remote SG/peer. Note: requires administrator privilege. 2.2.39. languagefiles: manage language files on disk. Description: manage language files on disk. Usage: languagefiles show all lan...

  • Page 53: 2.2.41. License

    ldap list all LDAP databases. ldap -list list all LDAP databases. ldap -show [] show LDAP database status and statistics. ldap -reset [] reset LDAP database. Options: -list list all LDAP databases. -reset reset status for LDAP database. -show show status and statistics. LDAP database. 2.2.41. license...

  • Page 54: 2.2.43. Lockdown

    ...If link monitor hosts have been configured, linkmon will monitor host reachability to detect link/NIC problems. Usage: linkmon. 2.2.43. lockdown: enable / disable lockdown. Description: during local lockdown, only traffic from admin nets to the security gateway itself is allowed. Everything else is d...

  • Page 55: 2.2.45. Memory

    logout. 2.2.45. memory: show memory information. Description: show core memory consumption. Also show detailed memory use of some components and lists. Usage: memory. 2.2.46. natpool: show current NAT pools. Description: show current NAT pools and in-depth information. Usage: natpool [-verbose] [ []] [-num=...

  • Page 56: 2.2.48. Netobjects

    Usage: netcon. 2.2.48. netobjects: show runtime values of network objects. Description: displays named network objects and their contents. Example 2.10. List network objects which have names containing "net": netobjects *net*. Usage: netobjects [] [-num=]. Options: -num= number of entries to show. (default:...

  • Page 59

    pcapdump -write [] [-filename=] write the captured packets to disk. pcapdump -wipe remove all captured packets from memory. pcapdump -cleanup remove all captured packets, release capture mode and delete all written capture files from disk. Options: -cleanup remove all captured packets, release captur...

  • Page 60: 2.2.51. Pciscan

    -stop stop capture. -tcp TCP filter. -udp UDP filter. -wipe remove all captured packets from memory. -write write the captured packets to disk. Name of interface(s). Note: requires administrator privilege. 2.2.51. pciscan: show detected PCI devices. Description. Usage: pciscan show identified Ethernet d...

  • Page 62: 2.2.54. Reconfigure

    pptpalg show all configured PPTP ALGs. pptpalg -sessions [-verbose] [-num=] list all PPTP sessions. pptpalg -services list all services attached to PPTP ALG. Options: -num= number of entries to list. -services list all services attached to PPTP ALG. -sessions list all sessions using a PPTP tunnel. -ve...

  • Page 63: 2.2.56. Routes

    routemon. 2.2.56. routes: display routing lists. Description: display information about the routing table(s): - contents of a (named) routing table. - the list of routing tables, along with a total count of route entries in each table, as well as how many of the entries are single-host routes. Note tha...

  • Page 64: 2.2.57. Rtmonitor

    -switched only show switched routes and L3C entries. -tables display list of named (PBR) routing tables. -verbose verbose. Name of routing table. 2.2.57. rtmonitor: real-time monitor information. Description: show information about real-time monitor objects, and real-time monitor alerts. All objects ma...

  • Page 66

    Example 2.13. Interface ping test between all interfaces: selftest -ping. Example 2.14. Interface ping test between interfaces 'if1' and 'if2': selftest -ping -interfaces=if1,if2. Example 2.15. Start a 30 min burn-in duration test, testing RAM, storage media and the crypto accelerator: selftest -burnin -...

  • Page 67: 2.2.60. Services

    Run burn-in tests for a set of sub tests. If no sub tests are specified the following are included: -memory, -ping, -traffic, -cryptoaccel. selftest -abort abort a running self test. selftest show the status of a running test. Options: -abort abort a running self test. -burnin run burn-in tests for ...

  • Page 68: 2.2.61. Sessionmanager

    Example 2.16. List all services whose names begin with "http": services http*. Usage: services []. Options: name or pattern. 2.2.61. sessionmanager: session manager. Description: show information about the session manager, and list currently active users. Explanation of timeout flags for sessions: D sessio...

  • Page 70: 2.2.63. Shutdown

    Show settings in category. 2.2.63. shutdown: initiate core or system shutdown. Description: initiate restart of the core/system. Usage: shutdown [] [-normal] [-reboot]. Options: -normal initiate core shutdown. -reboot initiate system reboot. Seconds until shutdown. (default: 5) Note: requires administrato...

  • Page 71

    - 0x00000080 supported_changes - 0x00000100 2543compliance - 0x00000200 reception - 0x00000400 session - 0x00000800 request - 0x00001000 response - 0x00002000 topo_changes - 0x00004000 media - 0x00008000 contact - 0x00010000 conn - 0x00020000 ping - 0x00040000 transaction - 0x00080000 callleg flags ...

  • Page 72: 2.2.65. Sshserver

    Control SIP snooping. Useful for troubleshooting SIP transactions. Note: the 'verbose' option outputs a lot of information on the console which may lead to system instability. Use with caution. Options: -calls show active calls table. -connection show SIP connections. -definition show running ALG configu...

  • Page 74: 2.2.69. Time

    Description: generate information useful for technical support. Due to the large amount of output, this command might show a truncated result when executed from the local console. Usage: techsupport. 2.2.69. time: display current system time. Description: display/set the system date and time. Usage: time d...

  • Page 75: 2.2.71. Updatecenter

    Description: displays the contents of the user authentication ruleset. Example 2.17. Show a range of rules: uarules -v 1-2,4-5. Usage: uarules [-verbose] []. Options: -verbose verbose output. Range of rules to list. 2.2.71. updatecenter: show status and manage autoupdate information. Description: show autou...

  • Page 77: 2.2.73. Vlan

    Interface. IP address for user(s). 2.2.73. vlan: show information about VLANs. Description: show list of attached virtual LAN interfaces, or in-depth information about a specified VLAN. Usage: vlan list attached VLANs. vlan display VLANs connected to physical iface. Options: display VLAN information abo...

  • Page 78: 2.3. Utility

    2.3. Utility. 2.3.1. ping: ping host. Description: sends one or more ICMP echo, TCP SYN or UDP datagrams to the specified IP address of a host. All datagrams are sent preloaded-style (all at once). The data size -length given is the ICMP or UDP data size. 1472 bytes of ICMP data results in a 1500-byte ...

  • Page 79: 2.4. Misc

    2.4. Misc. 2.4.1. echo: print text. Description: print text to the console. Example 2.18. Hello world: echo hello world. Usage: echo []... Options: text to print. 2.4.2. help: show help for selected topic. Description: the help system contains information about commands and configuration object types. The fa...

  • Page 81: 2.4.5. Script

    Example 2.21. Upload certificate data: scp certificate.cer user@sgw-ip:certificate/certificate_name scp certificate.key user@sgw-ip:certificate/certificate_name. Example 2.22. Upload SSH public key data: scp sshkey.pub user@sgw-ip:sshclientkey/sshclientkey_name. Usage. Options: -long enable long listing f...

  • Page 82

    Execute script. script -show [-all] [-name=] show script in console window. script -store [-all] [-name=] store a script to persistent storage. script -remove [-all] [-name=] remove script. script list script files. Options: -all apply to all scripts. -create create configuration script from specifie...

  • Page 84

    Chapter 3. Configuration reference: • Access, page 85 • Address, page 87 • AdvancedScheduleProfile, page 90 • ALG, page 91 • ARP, page 99 • BlacklistWhiteHost, page 100 • Certificate, page 101 • Client, page 102 • CommentGroup, page 104 • COMPortDevice, page 105 • ConfigModePool, page 106 • DateTime,...

  • Page 85: 3.1. Access

    • IPRuleSet, page 146 • IPsecAlgorithms, page 150 • LDAPDatabase, page 151 • LDAPServer, page 152 • LinkMonitor, page 153 • LocalUserDatabase, page 154 • LogReceiver, page 155 • NATPool, page 158 • OSPFProcess, page 159 • Pipe, page 164 • PipeRule, page 167 • PSK, page 168 • RadiusAccounting, page 1...

  • Page 86

    Properties: Index the index of the object, starting at 1. (identifier) Name specifies a symbolic name for the object. Action accept, expect or drop. (default: drop) Interface the interface the packet must arrive on for this rule to be carried out. Exception: the expect rule. Network the IP span tha...

  • Page 87: 3.2. Address

    3.2. Address. This is a category that groups the following object types. 3.2.1. AddressFolder. Description: an address folder can be used to group related address objects for better overview. Properties: Name specifies a symbolic name for the network object. (identifier) Comments text describing the cur...

  • Page 88

    Name specifies a symbolic name for the network object. (identifier) Members group members. UserAuthGroups groups and user names that belong to this object. Objects that filter on credentials can only be used as source networks and destination networks in rules. (optional) NoDefinedCredentials i...

  • Page 89: 3.2.2. Ethernetaddress

    Name specifies a symbolic name for the network object. (identifier) Address IP address, e.g. "172.16.50.8", "192.168.30.7,192.168.30.11", "192.168.7.0/24" or "172.16.25.10-172.16.25.50". ActiveAddress the dynamically set address used by e.g. DHCP enabled Ethernet interfaces. (optional) UserAuthGroup...

  • Page 90

    3.3. AdvancedScheduleProfile. Description: an advanced schedule profile contains definitions of occurrences used by various policies in the system. Properties: Name specifies a symbolic name for the service. (identifier) Comments text describing the current object. (optional) 3.3.1. AdvancedScheduleOcc...

  • Page 91: 3.4. Alg

    3.4. ALG. This is a category that groups the following object types. 3.4.1. ALG_FTP. Description: use an FTP application layer gateway to manage FTP traffic through the system. Properties: Name specifies a symbolic name for the ALG. (identifier) AllowServerPassive allow server to use passive mode (unsaf...

  • Page 92: 3.4.2. Alg_H323

    File list of file types to allow or deny. (optional) VerifyContentMimeType verify that file extensions correspond to the MIME type. (default: no) Comments text describing the current object. (optional) 3.4.2. ALG_H323. Description: use an H.323 application layer gateway to manage H.323 multimedia traf...

  • Page 93

    MaxDownloadSize the maximal allowed file size in KB. (optional) FileListType specifies if the file list contains files to allow or deny. (default: block) FailModeBehavior standard behaviour on error: allow or deny. (default: deny) File list of file types to allow or deny. (optional) VerifyContentMim...

  • Page 94: 3.4.4. Alg_Pop3

    Note: if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list. 3.4.4. ALG_POP3. Description: use a POP3 application layer gateway to manage POP3 traffic through the system. Properties: Name specifi...

  • Page 95: 3.4.6. Alg_Sip

    Description: use a PPTP application layer gateway to manage PPTP traffic through the system. Properties: Name specifies a symbolic name for the ALG. (identifier) EchoTimeout specifies idle timeout for echo messages in the PPTP tunnel. (default: 0) IdleTimeout specifies idle timeout for user traffic in...

  • Page 96

    VerifySenderEmail check emails for mismatching SMTP command From address and email header From address. (default: no) VerifySenderEmailAction todo. (default: deny) VerifySenderEmailDomainOnly only check domain names in email From addresses. (default: no) MaxEmailPerMinute specifies the maximum amo...

  • Page 97: 3.4.8. Alg_Tftp

    CacheTimeout timeout in seconds before a cached IP address is removed. (default: 600) DNSBlacklists specifies the blacklist domain and its weighted value. Comments text describing the current object. (optional) 3.4.7.1. ALG_SMTP_Email. Description: used to whitelist or blacklist an email sender/recipi...

  • Page 98: 3.4.9. Alg_Tls

    3.4.9. ALG_TLS. Description: TLS ALG. Properties: Name specifies a symbolic name for the ALG. (identifier) HostCert specifies the host certificate. RootCert specifies the root certificate. (optional) Comments text describing the current object. (optional)

  • Page 99: 3.5. Arp

    3.5. ARP. Description: use an ARP entry to publish additional IP addresses and/or MAC addresses on a specified interface. Properties: Mode static, publish or xpublish. (default: publish) Interface indicates the interface to which the ARP entry applies; e.g. the interface the address shall be publishe...

  • Page 100: 3.6. Blacklistwhitehost

    3.6. BlacklistWhiteHost. Description: hosts and networks added to this whitelist can never be blacklisted by IDP or threshold rules. Properties: Addresses specifies the addresses that will be whitelisted. Service specifies the service that will be whitelisted. Schedule the schedule when the whitelist s...

  • Page 101: 3.7. Certificate

    3.7. Certificate. Description: an X.509 certificate is used to authenticate a VPN client or gateway when establishing an IPsec tunnel. Properties: Name specifies a symbolic name for the certificate. (identifier) Type local, remote or request. CertificateData certificate data. PrivateKey private key. N...

  • Page 102: 3.8. Client

    3.8. Client. This is a category that groups the following object types. 3.8.1. DynDnsClientCjbNet. Description: configure the parameters used to connect to the cjb.net DynDNS service. Properties: Username username. Password the password for the specified username. (optional) Comments text describing the...

  • Page 103

    Properties: DNSName the DNS name excluding the .dyns.cx suffix. Username username. Password the password for the specified username. (optional) Comments text describing the current object. (optional) Note: this object type does not have an identifier and is identified by the name of the type only. The...

  • Page 104: 3.9. Commentgroup

    3.9. CommentGroup. Description: group together one or more configuration objects. Properties: Description todo. (default: "(new group)") Color todo. (default: 9ebee7) Note: if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be e...

  • Page 105: 3.10. Comportdevice

    3.10. COMPortDevice. Description: a serial communication port that is used for accessing the CLI. Properties: Port port. (identifier) BitsPerSecond bits per second. (default: 9600) DataBits data bits. (default: 8) Parity parity. (default: none) StopBits stop bits. (default: 1) FlowControl flow control...

  • Page 106: 3.11. Configmodepool

    3.11. ConfigModePool. Description: an IKE config mode pool will dynamically assign the IP address, DNS server, WINS server etc. to the VPN client connecting to this gateway. Properties: IPPoolType specifies whether a predefined IP pool or a static set of IP addresses should be used as IP address source...

  • Page 107: 3.12. Datetime

    3.12. DateTime. Description: set the date, time and time zone information for this system. Properties: TimeZone specifies the time zone. (default: GMT) DSTEnabled enable daylight saving time. (default: yes) DSTOffset daylight saving time offset in minutes. (default: 60) DSTStartMonth what month dayligh...

  • Page 108: 3.13. Device

    3.13. Device. Description: global parameters for this device. Properties: Name name of the device. (default: Device) LocalCfgVersion local version number of the configuration. (default: 1) RemoteCfgVersion remote version number of the configuration. (default: 0) ConfigUser name of the user who committe...

  • Page 109: 3.14. Dhcprelay

    3.14. DHCPRelay. Description: use a DHCP relay to dynamically alter the routing table according to relayed DHCP leases. Properties: Name specifies a symbolic name for the relay rule. (identifier) Action ignore, relay or bootpfwd. (default: ignore) SourceInterface the source interface of the DHCP packet...

  • Page 110: 3.15. Dhcpserver

    3.15. DHCPServer. Description: a DHCP server determines a set of IP addresses and host configuration parameters to hand out to DHCP clients attached to a given interface. Properties: Index the index of the object, starting at 1. (identifier) Name specifies a symbolic name for the DHCP server rule. (ide...

  • Page 111

    Static dhcp server host entry properties host ip address of the host. Statichosttype identifier for host. (default: macaddress) macaddress the hardware address of the host. Clientidenttype type of client identifier specified. (default: ascii) clientident the client identifier for the host. Comments ...

  • Page 112: 3.16. Dns

    3.16. Dns description configure the dns (domain name system) client settings. Properties dnsserver1 ip of the primary dns server. (optional) dnsserver2 ip of the secondary dns server. (optional) dnsserver3 ip of the tertiary dns server. (optional) comments text describing the current object. (option...

  • Page 113: 3.17. Driver

    3.17. Driver this is a category that groups the following object types. 3.17.1. Bne2ethernetpcidriver description broadcom ne2 gigabit ethernet. Properties comments text describing the current object. (optional) note this object type does not have an identifier and is identified by the name of the t...

  • Page 114

    Belowcpuload below cpu load. (default: 80) belowinterfaceload below interface load. (default: 70) mininterval minimum interval. (default: 30) rxerrorpercentage rx error percentage. (default: 20) txerrorpercentage tx error percentage. (default: 7) errortime error time. (default: 10) comments text des...

  • Page 115

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.17.6. Marvellethernetpcidriver description marvell (88e8001,88e8053,88e8062) fast and gigabit ethernet adaptor. Properties comments text describing the cur...

  • Page 116

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.17.9. St201ethernetpcidriver description d-link (st201) fast ethernet adaptor. Properties comments text describing the current object. (optional) note this...

  • Page 117

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.17.11. X3c905ethernetpcidriver chapter 3. Configuration reference 117.

  • Page 118: 3.18. Dynamicroutingrule

    3.18. Dynamicroutingrule description a dynamic routing policy rule creates a filter to catch statically configured or ospf learned routes. The matched routes can be controlled by the action rules to be either exported to ospf processes or to be added to one or more routing tables. Properties index t...

  • Page 119

    3.18.1. Dynamicroutingruleexportospf description an ospf action is used to manipulate and export new or changed routes to an ospf router process. Properties exporttoprocess specifies to which ospf process the route change should be exported. Settag specifies a tag for this route. This tag can be u...

  • Page 120

    Proxyarpallinterfaces always select all interfaces, including new ones, for publishing routes via proxy arp. (default: no) proxyarpinterfaces specifies the interfaces on which the security gateway should publish routes via proxy arp. (optional) comments text describing the current object. (optional)...

  • Page 121: 3.19. Ethernetdevice

    3.19. Ethernetdevice description hardware settings for an ethernet interface. Properties name specifies a symbolic name for the device. (identifier) ethernetdriver the ethernet pci driver that should be used by the interface. Pcibus pci bus number where the ethernet adapter is installed. Pcislot pci...

  • Page 122: 3.20. Highavailability

    3.20. Highavailability description configure the high availability cluster parameters for this system. Properties enabled enable high availability. (default: no) sync specifies whether cluster members are to synchronize configuration data. (default: yes) clusterid a (locally) unique cluster id to u...

  • Page 123: 3.21. Httpalgbanners

    3.21. Httpalgbanners description http banner files specifies the look and feel of http alg restriction web pages. Properties name specifies a symbolic name for the http banner files. (identifier) compressionforbidden html for the compressionforbidden.html web page. Contentforbidden html for the cont...

  • Page 124: 3.22. Httpauthbanners

    3.22. Httpauthbanners description http banner files specifies the look and feel of html authentication web pages. Properties name specifies a symbolic name for the http banner files. (identifier) formlogin html for the formlogin.html web page. Loginsuccess html for the loginsuccess.html web page. Lo...

  • Page 125: 3.23. Httpposter

    3.23. Httpposter description use the http poster for dynamic dns or automatic logon to services using web-based authentication. Properties url1 the first url that will be posted when the security gateway is loaded. (optional) url2 the second url that will be posted when the security gateway is loa...

  • Page 126: 3.24. Hwm

    3.24. Hwm description hardware monitoring allows monitoring of hardware sensors. Properties name specifies a symbolic name for the object. Type type of monitoring. Sensor sensor index. Minlimit lower limit. (optional) maxlimit upper limit. (optional) enablemonitoring enable/disable monitoring. (defa...

  • Page 127: 3.25. Idlist

    3.25. Idlist description an id list contains ids, which are used within the authentication process when establishing an ipsec tunnel. Properties name specifies a symbolic name for the id list. (identifier) comments text describing the current object. (optional) 3.25.1. Id description an id is used t...

  • Page 128: 3.26. Idprule

    3.26. Idprule description an idp rule defines a filter for matching specific network traffic. When the filter criterion is met, the idp rule actions are evaluated and possible actions taken. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the ...

  • Page 129

    Properties action specifies what action to take if the given signature is found. (default: protect) signatures specifies what signature(s) to search for in the network traffic. (optional) blacklist activate blacklist. (default: no) blacklisttimetoblock the number of seconds that the dynamic black li...

  • Page 130: 3.27. Igmprule

    3.27. Igmprule description an igmp rule specifies how to handle inbound igmp reports and outbound igmp queries. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the rule. (optional) type the type of igmp messages the rule applies to. (default: ...

  • Page 131

    Note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list.

  • Page 132: 3.28. Igmpsetting

    3.28. Igmpsetting description igmp parameters can be tuned for one, or a group of interfaces in order to match the characteristics of a network. Properties name specifies a symbolic name for the object. (identifier) interface the interfaces that these settings should apply to. Robustnessvariable igm...

  • Page 133: 3.29. Ikealgorithms

    3.29. Ikealgorithms description configure algorithms which are used in the ike phase of an ipsec session. Properties name specifies a symbolic name for the object. (identifier) nullenabled enable plaintext. (default: no) desenabled enable des encryption algorithm. (default: no) des3enabled enable 3d...

  • Page 134: 3.30. Interface

    3.30. Interface this is a category that groups the following object types. 3.30.1. Defaultinterface description a special interface used to represent internal mechanisms in the system as well as an abstract "any" interface. Properties name specifies a symbolic name for the interface. (identifier) co...

  • Page 135: 3.30.3. Gretunnel

    Added automatically for this interface. (default: no) autointerfacenetworkroute automatically add a route for this interface using the given network. (default: yes) autodefaultgatewayroute automatically add a default route for this interface using the given default gateway. (default: yes) dhcpdns1 i...

  • Page 136: 3.30.4. Interfacegroup

    Network specifies the network address of the gre interface. Remoteendpoint specifies the ip address of the remote endpoint. Encapsulationchecksum add an extra level of checksum above the one provided by the ipv4 layer. (default: no) originatoriptype specifies what ip address to use as source ip in e...

  • Page 137

    System. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the interface. (identifier) localnetwork the network on "this side" of the ipsec tunnel. The ipsec tunnel will be established between this network and the remote network. Remotenetwork ...

  • Page 138

    Xauth. Xauthpassword specifies the password to pass to the remote gateway via ike xauth. Dhcpoveripsec allow dhcp over ipsec from single-host clients. (default: no) addroutetoremotenet dynamically add route to the remote networks when a tunnel is established. (default: no) plaintextmtu specifies the...

  • Page 139: 3.30.6. L2Tpclient

    3.30.6. L2tpclient description a pptp/l2tp client interface is a ppp (point-to-point protocol) tunnel over an existing ip network. Its ip address and dns servers are dynamically assigned. Properties name specifies a symbolic name for the interface. (identifier) ip the host name to store the assigned...

  • Page 140: 3.30.7. L2Tpserver

    Mpperc4128 use an rc4 128 bit mppe session key with ms-chap or ms-chap v2 authentication protocol. (default: yes) dialondemand enable dial-on-demand which means that the l2tp/pptp tunnel will not be setup until traffic is sent on the interface. (default: no) activitysensing specifies if the dial-on-...

  • Page 141: 3.30.8. Loopbackinterface

    Chap v2 authentication protocol. (default: yes) mpperc456 use an rc4 56 bit mppe session key with ms-chap or ms-chap v2 authentication protocol. (default: yes) mpperc4128 use an rc4 128 bit mppe session key with ms-chap or ms-chap v2 authentication protocol. (default: yes) ippool a range, group or...

  • Page 142: 3.30.9. Pppoetunnel

    Ip interface address. Network the network of the interface. Broadcast the broadcast address of the connected network. (optional) metric specifies the metric for the auto-created route. (default: 100) autointerfacenetworkroute automatically add a route for this virtual lan interface using the given n...

  • Page 143: 3.30.10. Vlan

    Pppauthmschap use ms-chap authentication protocol for this tunnel. (default: yes) pppauthmschapv2 use ms-chap v2 authentication protocol for this tunnel. (default: yes) dialondemand enable dial-on-demand which means that the pppoe tunnel will not be setup until traffic is sent on the interface. (def...

  • Page 144

    Network specifies the network address of the virtual lan interface. Defaultgateway the default gateway of the virtual lan interface. (optional) broadcast specifies the broadcast address of the virtual lan interface. (optional) privateip the private ip address of this high availability node. (optiona...

  • Page 145: 3.31. Ippool

    3.31. Ippool description an ip pool is a dynamic object which consists of ip leases that are fetched from a dhcp server. The ip pool is used as an address source by subsystems that may need to distribute addresses, e.g. by ipsec in configuration mode. Properties name specifies a symbolic name for th...

  • Page 146: 3.32. Ipruleset

    3.32. Ipruleset description an ip rule set is a self-contained set of ip rules. Default action is drop. Properties name a name to uniquely identify this ipruleset. (identifier) comments text describing the current object. (optional) 3.32.1. Iprule description an ip rule specifies what action to perf...

  • Page 147

    Sattranslatetoport translate to this port. (optional) satalltoone rewrite all destination ips to a single ip. (default: no) slbaddresses the ip addresses of the servers in the server farm. Slbstickiness specifies stickiness mode. (default: none) slbidletimeout new connections that arrive within the ...

  • Page 148: 3.32.2. Iprulefolder

    Slbhttpmaxaveragelatency specifies the max average latency for the sample attempts. (default: 800) slbhttpurltype defines how the request url should be interpreted. (default: fqdn) slbhttprequesturl specifies the http url to monitor. Slbhttpexpectedresponse expected http response. Slbdistribution sp...

  • Page 149

    3.32.2.1. Iprule the definitions here are the same as in section 3.32.1, “iprule”.

  • Page 150: 3.33. Ipsecalgorithms

    3.33. Ipsecalgorithms description configure algorithms which are used in the ipsec phase of an ipsec session. Properties name specifies a symbolic name for the object. (identifier) nullenabled enable plaintext. (default: no) desenabled enable des encryption algorithm. (default: no) des3enabled enabl...

  • Page 151: 3.34. Ldapdatabase

    3.34. Ldapdatabase description external ldap server used to verify user names and passwords. Properties name specifies a symbolic name for the server. (identifier) ip the ip address of the server. Port the tcp port of the server. (default: 389) timeout the timeout, in milliseconds, used when process...

  • Page 152: 3.35. Ldapserver

    3.35. Ldapserver description an ldap server is used as a central repository of certificates and crls that the security gateway can download when necessary. Properties host specifies the ip address or hostname of the ldap server. Username specifies the username to use when accessing the ldap server. ...

  • Page 153: 3.36. Linkmonitor

    3.36. Linkmonitor description the link monitor allows the system to monitor one or more hosts and take action if they are unreachable. Properties action specifies what action the system should take. Addresses specifies the addresses that should be monitored. Maxloss a single host is considered unr...

  • Page 154: 3.37. Localuserdatabase

    3.37. Localuserdatabase description a local user database contains user accounts used for authentication purposes. Properties name specifies a symbolic name for the object. (identifier) comments text describing the current object. (optional) 3.37.1. User description user credentials may be used in u...

  • Page 155: 3.38. Logreceiver

    3.38. Logreceiver this is a category that groups the following object types. 3.38.1. Eventreceiversnmp2c description an snmp2c event receiver is used to receive snmp events from the system. Properties name specifies a symbolic name for the log receiver. (identifier) ipaddress destination ip address. ...

  • Page 156: 3.38.2. Logreceivermemory

    3.38.2. Logreceivermemory description a memory log receiver is used to receive and keep log events in system ram. Properties name specifies a symbolic name for the log receiver. (identifier) logseverity specifies with what severity log events will be sent to the specified log receivers. (optional;...

  • Page 157: 3.38.4. Logreceiversyslog

    Comments text describing the current object. (optional) 3.38.4. Logreceiversyslog description a syslog receiver is used to receive log events from the system in the standard syslog format. Properties name specifies a symbolic name for the log receiver. (identifier) ipaddress specifies the ip address...

  • Page 158: 3.39. Natpool

    3.39. Natpool description a nat pool is used for nat'ing multiple concurrent connections using different source ip addresses. Properties name specifies a symbolic name for the nat pool. (identifier) type specifies how nat'ed connections are assigned a nat ip address. (default: stateful) ipsour...

  • Page 159: 3.40. Ospfprocess

    3.40. Ospfprocess description an ospf router process defines a group of routers exchanging routing information via the open shortest path first routing protocol. Properties name specifies a symbolic name for the ospf process. (identifier) routerid specifies the ip address that is used to identify th...

  • Page 160: 3.40.1. Ospfarea

    Cifies the details of the log. (default: off) debugroute enables or disables logging of routing table manipulation events and also specifies the details of the log. (default: off) authtype specifies the authentication type for the ospf protocol exchanges. (default: none) authpassphrase specifies the...

  • Page 161

    Properties interface specifies which interface in the security gateway will be used for this ospf interface. (identifier) type auto, broadcast, point-to-point or point-to-multipoint. (default: auto) network specifies the network related to the configured ospf interface. (optional) metrictype metri...

  • Page 162

    Description for point-to-point and point-to-multipoint networks, specify the ip addresses of directly connected routers. Properties interface specifies the ospf interface of the neighbor. Ipaddress ip address of the neighbor. Metric specifies the metric of the neighbor. (optional) comments text desc...

  • Page 163

    Routerid the id of the router on the other side of the virtual link. Usedefaultauth use the authentication configuration specified in the ospf process. (default: yes) authtype specifies the authentication type for the ospf protocol exchanges. (default: none) authpassphrase specifies the passphrase u...

  • Page 164: 3.41. Pipe

    3.41. Pipe description a pipe defines basic traffic shaping parameters. The pipe rules then determine which traffic goes through which pipes. Properties name specifies a symbolic name for the pipe. (identifier) limitkbpstotal total bandwidth limit for this pipe in kilobits per second. (optional) li...

  • Page 165

    Userlimitpps0 specifies the throughput limit per group in pps for precedence 0 (the lowest precedence). (optional) userlimitkbps1 specifies the bandwidth limit per group in kbps for precedence 1. (optional) userlimitpps1 specifies the throughput limit per group in pps for precedence 1. (optional) us...

  • Page 166

    (default: 7) comments text describing the current object. (optional)

  • Page 167: 3.42. Piperule

    3.42. Piperule description a pipe rule determines traffic shaping policy - which pipes to use - for one or more types of traffic with the same granularity as the standard ruleset. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the object. (op...

  • Page 168: 3.43. Psk

    3.43. Psk description psk (pre-shared key) authentication is based on a shared secret that is known only by the parties involved. Properties name specifies a symbolic name for the pre-shared key. (identifier) type specifies the type of the shared key. Pskascii specifies the psk as a passphrase. Pskh...

  • Page 169: 3.44. Radiusaccounting

    3.44. Radiusaccounting description external radius server used to collect user statistics. Properties name specifies a symbolic name for the server. (identifier) ipaddress the ip address of the server. Port the udp port of the server. (default: 1813) retrytimeout the retry timeout, in seconds, used ...

  • Page 170: 3.45. Radiusserver

    3.45. Radiusserver description external radius server used to verify user names and passwords. Properties name specifies a symbolic name for the server. (identifier) ipaddress the ip address of the server. Port the udp port of the server. (default: 1812) retrytimeout the retry timeout, in seconds, u...

  • Page 171: 3.46. Realtimemonitoralert

    3.46. Realtimemonitoralert description monitors a statistical value. Log messages are generated if the value goes below the lower threshold or above the high threshold. Properties index the index of the object, starting at 1. (identifier) monitor statistical value. Sampletime interval in seconds bet...

  • Page 172: 3.47. Remoteidlist

    3.47. Remoteidlist description list of remote ids that are allowed access when using pre shared keys as authentication method. Properties type specifies the type of the shared key. Pskascii specifies the psk as a passphrase. Pskhex specifies the psk as a hexadecimal key. Idtype selects the type of r...

  • Page 173: 3.48. Remotemanagement

    3.48. Remotemanagement this is a category that groups the following object types. 3.48.1. Remotemgmthttp description configure http/https management to enable remote management to the system. Properties name specifies a symbolic name for the object. (identifier) interface specifies the interface for...

  • Page 174: 3.48.3. Remotemgmtsnmp

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.48.3. Remotemgmtsnmp description configure snmp management to enable snmp polling. Properties name specifies a symbolic name for the object. (identifier) i...

  • Page 175

    Allowaes256 allow aes-256 encryption algorithm. (default: yes) allowblowfish allow blowfish encryption algorithm. (default: yes) allow3des allow 3des encryption algorithm. (default: yes) allowmacsha1 allow sha1 integrity algorithm. (default: yes) allowmacmd5 allow md5 integrity algorithm. (default: ...

  • Page 176

    3.49. Routebalancinginstance description a route balancing instance is associated with a routingtable and defines how to make use of multiple routes to the same destination. Properties routingtable specify routingtable to deploy route load balancing in. (identifier) algorithm specify which algorithm...

  • Page 177

    3.50. Routebalancingspilloversettings description settings associated with the spillover algorithm. Properties interface interface to threshold limit. (identifier) holdtime number of consecutive seconds over/under the threshold limit to trigger state change for the affected routes. (default: 30) o...

  • Page 178: 3.51. Routingrule

    3.51. Routingrule description a routing rule forces the use of a routing table in the forward and/or return direction of traffic on a connection. The ordering parameter of the routing table determines if it is consulted before or after the main routing table. Properties index the index of the object...

  • Page 179: 3.52. Routingtable

    3.52. Routingtable description the system has a predefined main routing table. Alternate routing tables can be defined by the user. Properties name specifies a symbolic name for the routing table. (identifier) ordering specifies how a route lookup is done in a named routing table. (default: only) ...

  • Page 180

    1000) enablehostmonitoring enables the host monitoring functionality. (default: no) reachability specifies the number of hosts that are required to be reachable to consider the route to be active. (default: all) graceperiod specifies the time to wait after a reconfiguration until the monitoring be...

  • Page 181: 3.52.2. Switchroute

    Requesturl specifies the http url to monitor. Expectedresponse expected http response. Comments text describing the current object. (optional) note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of...

  • Page 182: 3.53. Scheduleprofile

    3.53. Scheduleprofile description a schedule profile defines days and dates and is then used by the various policies in the system. Properties name specifies a symbolic name for the service. (identifier) mon specifies during which intervals the schedule profile is active on mondays. (optional) tue ...

  • Page 183: 3.54. Service

    3.54. Service this is a category that groups the following object types. 3.54.1. Servicegroup description a service group is a collection of service objects, which can then be used by different policies in the system. Properties name specifies a symbolic name for the service. (identifier) members gr...

  • Page 184: 3.54.3. Serviceipproto

    Echoreplycodes specifies which echo reply message codes should be matched. (default: 0-255) sourcequenching enable matching of source quenching messages. (default: no) sourcequenchingcodes specifies which source quenching message codes should be matched. (default: 0-255) timeexceeded enable matching...

  • Page 185

    Properties name specifies a symbolic name for the service. (identifier) destinationports specifies the destination port or the port ranges applicable to this service. Type specifies whether this service uses the tcp or udp protocol or both. (default: tcp) sourceports specifies the source port or t...

  • Page 186: 3.55. Settings

    3.55. Settings this is a category that groups the following object types. 3.55.1. Arptablesettings description advanced arp-table settings. Properties arpmatchenetsender the ethernet sender address matching the hardware address in the arp data. (default: droplog) arpquerynosenderip if the ip source ...

  • Page 187: 3.55.3. Conntimeoutsettings

    3.55.2. Authenticationsettings description settings related to authentication and accounting. Properties logoutaccusersatshutdown logout authenticated accounting users and send accounting-stop packets prior to shutdown. (default: yes) allowauthifnoaccountingresponse allow an authenticated user to...

  • Page 188: 3.55.4. Dhcprelaysettings

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.55.4. Dhcprelaysettings description advanced dhcp relay settings. Properties maxtransactions maximum number of concurrent bootp/dhcp transactions. (default...

  • Page 189: 3.55.6. Ethernetsettings

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.55.6. Ethernetsettings description settings for ethernet interface. Properties dhcp_minimumleasetime minimum lease time (seconds) accepted from the dhcp se...

  • Page 190: 3.55.7. Fragsettings

    Above this percentage. (default: 80) ifacemon_belowifaceload temporarily disable interface monitor on an interface if network load on the interface goes above this percentage. (default: 70) ifacemon_mininterval minimum interval between two resets of the same interface. (default: 30) ifacemon_rxerr...

  • Page 191: 3.55.8. Hwmsettings

    Reassdonelinger how long to remember a completed reassembly (watching for old dups). (default: 20) reassillegallinger how long to remember an illegal reassembly (watching for more fragments). (default: 60) note this object type does not have an identifier and is identified by the name of the type on...

  • Page 192

    Icmpsendperseclimit maximum number of icmp responses that will be sent each second. (default: 500) silentlydropstateicmperrors silently drop icmp errors regarding statefully tracked open connections. (default: yes) note this object type does not have an identifier and is identified by the name of th...

  • Page 193: 3.55.11. Ipsettings

    (default: no) note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.55.11. Ipsettings description settings related to the ip protocol. Properties logchecksumerrors log ip packets with bad checksums. (default: ...

  • Page 194: 3.55.12. L2Tpserversettings

    Ipopt_ts how to handle ip packets with contained timestamps. (default: droplog) ipopt_rtralt how to handle ip packets with contained route alert. (default: validatelogbad) ipopt_other how to handle ip options not specified above. (default: droplog) directedbroadcasts how to handle directed broadcast...

  • Page 195: 3.55.14. Localreasssettings

    Description length limitations for various protocols. Properties maxtcplen tcp; sometimes has to be increased if tunneling protocols are used. (default: 1480) maxudplen udp; many interactive applications use large udp packets, may otherwise be decreased to 1480. (default: 60000) maxicmplen icmp; may...

  • Page 196: 3.55.15. Logsettings

    Localreass_numlarge number of large (>2k) local reassembly buffers (of the above size). (default: 32) note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.55.15. Logsettings description advanced log settings....

  • Page 197: 3.55.17. Multicastsettings

    Highbuffers_dynamic allocate the highbuffers value dynamically. (default: yes) highbuffers number of packet buffers to allocate in addition to the ~200 initial buffers. (default: 1024) localundelivered how to treat (allowed) packets to the security gateway that do not match open ports (snmp, scp, ne...

  • Page 198: 3.55.18. Remotemgmtsettings

    Igmpstartupquerycount the number of startup queries to send during the startup phase. (default: 2) igmplastmemberqueryinterval the maximum time (ms) until a host/client has to send an answer to a group and group-and-source specific query. (default: 5000) igmpunsolicatedreportinterval the time be...

  • Page 199: 3.55.19. Routingsettings

    Each second. (default: 100) snmpsyscontact the contact person for this managed node. (default: n/a) snmpsysname the name for this managed node. (default: n/a) snmpsyslocation the physical location of this node. (default: n/a) snmpifdescription what to display in the snmp mib-ii ifdescr variables. (d...

  • Page 200: 3.55.20. Sslsettings

    Transp_camsize_dynamic allocate the cam size value dynamically. (default: yes) transp_camsize maximum number of entries in each cam table. (default: 8192) transp_l3csize_dynamic allocate the l3 cache size value dynamically. (default: yes) transp_l3csize maximum number of entries in each layer 3 cach...

  • Page 201: 3.55.21. Statesettings

    _rc4_56_sha1 enable cipher tls_rsa_export1024_with_rc4_56_sha1. (default: yes) tls_rsa_export512_with_ rc4_40_md5 enable cipher tls_rsa_export1024_with_rc4_40_md5. (default: no) tls_rsa_export512_with_ rc2_40_md5 enable cipher tls_rsa_export1024_with_rc2_40_md5. (default: no) tls_rsa_export_with_nu ...

  • Page 202: 3.55.22. Tcpsettings

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.55.22. Tcpsettings description settings related to the tcp protocol. Properties tcpoptionsizes validity of tcp header option sizes. (default: validatelogba...

  • Page 203: 3.55.23. Vlansettings

    Tcpsynurg the tcp urg flag together with syn; normally invalid (strip=strip urg). (default: droplog) tcpsynpsh the tcp psh flag together with syn; normally invalid but always used by some ip stacks (strip=strip psh). (default: stripsilent) tcpsynrst the tcp rst flag together with syn; normally inval...

  • Page 204: 3.56. Sshclientkey

    3.56. Sshclientkey description the public key of the client connecting to the ssh server. Properties name specifies a symbolic name for the key. (identifier) type dsa or rsa. (default: dsa) subject value of the subject header tag of the public key file. (optional) publickey specifies the public key....

  • Page 205: 3.57. Thresholdrule

    3.57. Thresholdrule description a threshold rule defines a filter for matching specific network traffic. When the filter criterion is met, the threshold rule actions are evaluated and possible actions taken. Properties index the index of the object, starting at 1. (identifier) name specifies a symbo...

  • Page 206

    Thresholdunit specifies the threshold unit. (default: connssec) blacklist activate blacklist. (default: no) blacklisttimetoblock the number of seconds that the dynamic black list should remain. (optional) blacklistblockonlyservice only block the service that triggered the blacklisting. (default: n...

  • Page 207: 3.58. Updatecenter

    3.58. Updatecenter description configure automatic updates. Properties avenabled automatic updates of antivirus definitions and engine. (default: no) idpenabled automatic updates of idp maintenance signatures. (default: no) advancedidpenabled automatic updates of advanced idp signatures. (default:...

  • Page 208: 3.59. Userauthrule

    3.59. Userauthrule description the user authentication ruleset specifies from where users are allowed to authenticate to the system, and how. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the rule. (optional) agent http, https, xauth, ppp ...

  • Page 209

    Pppauthmschap use ms-chap authentication protocol. (default: yes) pppauthmschapv2 use ms-chap v2 authentication protocol. (default: yes) idletimeout if a user has successfully been authenticated, and no traffic has been seen from his ip address for this number of seconds, he/she will automatically b...

  • Page 211: Index

    Index commands a about, 31 activate, 20 add, 20 alarm, 31 arp, 31 arpsnoop, 32 ats, 33 b blacklist, 33 buffers, 34 c cam, 35 cancel, 21 cc, 22 certcache, 36 cfglog, 36 commit, 23 connections, 36 cpuid, 37 crashdump, 38 cryptostat, 38 d dconsole, 38 delete, 23 dhcp, 39 dhcprelay, 39 dhcpserver, 40 dn...

  • Page 212: Object Types

    Settings, 69 show, 27 shutdown, 70 sipalg, 70 sshserver, 72 stats, 73 sysmsgs, 73 t techsupport, 73 time, 74 u uarules, 74 undelete, 29 updatecenter, 75 userauth, 76 v vlan, 77 vpnstats, 77 (see also ipsecstats) object types a access, 85 addressfolder, 87 advancedscheduleoccurrence, 90 advancedsched...

  • Page 213

    Ipsectunnel, 136 ipsectunnelsettings, 192 ipsettings, 193 ixp4npeethernetdriver, 114 l l2tpclient, 139 l2tpserver, 140 l2tpserversettings, 194 ldapdatabase, 151 ldapserver, 152 lengthlimsettings, 194 linkmonitor, 153 localreasssettings, 195 localuserdatabase, 154 logreceivermemory, 156 logreceiverme...