D-Link DFL-260E Manual - 3.49.2. Route

Manual is about: Network Security Firewall Application Control Signatures NetDefendOS

Summary of DFL-260E

  • Page 1

    Network security solution. http://www.dlink.com. NetDefendOS ver. 2.40.00. Network Security Firewall CLI Reference Guide.

  • Page 2: Cli Reference Guide

    CLI Reference Guide DFL-260E/860E/1660/2560/2560G, NetDefendOS version 2.40.00. D-Link Corporation, No. 289, Sinhu 3rd Rd., Neihu District, Taipei City 114, Taiwan R.O.C. http://www.dlink.com. Published 2011-09-06. Copyright © 2011.

  • Page 3

    CLI Reference Guide DFL-260E/860E/1660/2560/2560G, NetDefendOS version 2.40.00, published 2011-09-06, copyright © 2011. Copyright notice: this publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manu...

  • Page 4: Table Of Contents

    Table of contents: Preface, 9; 1. Introduction, 11; 1.1. Running a command ...

  • Page 5

    2.2.30. Ldap, 47; 2.2.31. License, 47; 2.2.32. Linkmon ...

  • Page 6

    3.6. Blacklistwhitehost, 93; 3.7. Certificate, 94; 3.8. Client ...

  • Page 7

    3.37. Logreceiver, 144; 3.37.1. Eventreceiversnmp2c, 144; 3.37.2. Logreceivermemory, 145; 3....

  • Page 8: List Of Examples

    List of examples: 1. Command option notation, 9; 1.1. Help for commands, 12; 1.2. Help for object types ...

  • Page 9: Preface

    Preface audience the target audience for this reference guide is: • administrators that are responsible for configuring and managing the d-link firewall. • administrators that are responsible for troubleshooting the d-link firewall. This guide assumes that the reader is familiar with the d-link fire...

  • Page 10

    Because the table name option is followed by ellipses it is possible to specify more than one routing table. Since table name is optional as well, the user can specify zero or more policy-based routing tables. gw-world:/> routes virroute virroute2

  • Page 11: Chapter 1. Introduction

    Chapter 1. Introduction • running a command, page 11 • help, page 12 • function keys, page 13 • command line history, page 14 • tab completion, page 15 • user roles, page 17 this guide is a reference for all commands and configuration object types that are available in the command line interface for...

  • Page 12: 1.2. Help

    1.2. Help 1.2.1. Help for commands there are two ways of getting help about a command. A brief help is displayed if the command name is typed followed by -? or -h. This applies to all commands and is therefore not listed in the option list for each command in this guide. Using the help command give...

  • Page 13: 1.3. Function Keys

    1.3. Function keys in addition to the return key there are a number of function keys that are used in the cli. Backspace delete the character to the left of the cursor. Tab complete current word. Ctrl-a or home move the cursor to the beginning of the line. Ctrl-b or left arrow move the cursor one ch...

  • Page 14: 1.4. Command Line History

    1.4. Command line history every time a command is run, the command line is added to a history list. The up and down arrow keys are used to access previous command lines (up arrow for older command lines and down arrow to move back to a newer command line). See also section 2.4.3, “history”. Example ...

  • Page 15: 1.5. Tab Completion

    1.5. Tab completion by using the tab function key in the cli the names of commands, options, objects and object properties can be automatically completed. If the text entered before pressing tab only matches one possible item, e.g. "activate" is the only match for "acti", and a command is expect...

  • Page 16

    If " . " is entered instead of a property value and tab is pressed it will be replaced by the current value of that property. This is useful when editing an existing list of items or a long text value. The "" character before a tab can be used to automatically fill in the default value for a paramet...

  • Page 17: 1.6. User Roles

    1.6. User roles some commands and options cannot be used unless the logged in user has administrator privilege. This is indicated in this guide by a note following the command or "admin only" written next to an option.

  • Page 19: 2.1. Configuration

    Chapter 2. Command reference • configuration, page 19 • runtime, page 30 • utility, page 70 • misc, page 71 2.1. Configuration 2.1.1. Activate activate changes. Description activate the latest changes. This will issue a reconfiguration, using the new configuration. If the reconfiguration is successf...

  • Page 20: 2.1.3. Cancel

    Example 2.1. Create a new object add objects with an identifier property (not index): gw-world:/> add address ip4address example_ip address=1.2.3.4 comments="this is an example" gw-world:/> add ip4address example_ip2 address=2.3.4.5 add an object with an index: gw-world:/main> add route interface=la...

  • Page 21: 2.1.4. Cc

    Note requires administrator privilege. 2.1.4. Cc change the current context. Description change the current configuration context. A context is a group of objects that are dependent on and grouped by a parent object. Many objects lie in the "root" context and do not have a specific parent. Other obj...

  • Page 22: 2.1.5. Commit

    May not be applicable depending on the specified . Type of configuration object to perform operation on. 2.1.5. Commit save new configuration to media. Description save the new configuration to media. This command can only be issued after a successful activate command. Usage commit note requires adm...

  • Page 23: 2.1.7. Pskgen

    Options -force force object to be deleted even if it's used by other objects or has children. Category that groups object types. The property that identifies the configuration object. May not be applicable depending on the specified . Type of configuration object to perform operation on. Note requir...

  • Page 24

    Description reject the changes made to the specified object by reverting to the values of the last committed configuration. All changes made to the object will be lost. If the object is added after the last commit, it will be removed. To reject the changes in more than one object, use either the...

  • Page 25: 2.1.9. Reset

    Type of configuration object to perform operation on. Note requires administrator privilege. 2.1.9. Reset reset unit configuration and/or binaries. Description reset configuration or binaries to factory defaults. Usage reset -configuration reset the configuration to factory defaults. Reset -unit res...

  • Page 26: 2.1.11. Show

    See also: add example 2.5. Set property values set properties for objects that have an identifier property: gw-world:/> set address ip4address example_ip address=1.2.3.4 comments="this is an example" gw-world:/> set ip4address example_ip2 address=2.3.4.5 comments=comment_without_whitespace gw-world:...

  • Page 27

    Context, just type show. Show a table of all objects of a type by specifying a type or a category. Use the -errors or -changes flags to show what objects have been changed or have errors in the configuration. When showing a table of all objects of a certain type, the status of each object since the ...

  • Page 28: 2.1.12. Undelete

    Show all changes. Options -changes show all changes in the current configuration. -disabled show disabled properties. -errors show all errors in the current configuration. -references show all references to this object from other objects. -verbose show error details. Category that groups object type...

  • Page 29

    Category that groups object types. The property that identifies the configuration object. May not be applicable depending on the specified . Type of configuration object to perform operation on. Note requires administrator privilege.

  • Page 30: 2.2. Runtime

    2.2. Runtime 2.2.1. About show copyright/build information. Description show copyright and build information. Usage about 2.2.2. Alarm show alarm information. Description show list of currently active alarms. Usage alarm [-history] [-active] options -active show the currently active alarms. -history...

  • Page 31: 2.2.4. Arpsnoop

    Arp show all arp entries. Arp -show [] [-ip=] [-hw=] [-num=] show arp entries. Arp -hashinfo [] show information on hash table health. Arp -flush [] flush arp cache of specified interface. Arp -notify= [] [-hwsender=] send gratuitous arp for ip. Options -flush flush arp cache of all specified interf...

  • Page 33: 2.2.7. Blacklist

    Show bigpond information of specified interface. Options interface to show bigpond information. 2.2.7. Blacklist blacklist. Description block and unblock hosts on the black and white list. Note: static blacklist hosts cannot be unblocked. If -force is not specified, only the exact host with the serv...

  • Page 34: 2.2.8. Buffers

    -creationtime show creation time. -dest= destination address to block/unblock (exceptextablished flag is set on). -dynamic show dynamic hosts only. -force unblock all services for the host that matches to options. -info show detailed information. -listtime show time in list (for dynamic hosts). -p...

  • Page 35: 2.2.9. Cam

    Decode given buffer number. 2.2.9. Cam cam table information. Description show information about the cam table(s) and their entries. Usage cam -num= show cam table information. Cam [-num=] show interface-specified cam table information. Cam [-flush] flush cam table information of specified interface...

  • Page 36: 2.2.11. Connections

    2.2.11. Connections list current state-tracked connections. Description list current state-tracked connections. Usage connections -show [-num=] [-verbose] [-srciface=] [-destiface=] [-protocol=] [-srcport=] [-destport=] [-srcip=] [-destip=] list connections. Connections same as "connections -show". ...

  • Page 37: 2.2.13. Crashdump

    Display info about the cpu. Description display the make and model of the machine's cpu. Usage cpuid 2.2.13. Crashdump show the contents of the crash.dmp file. Description show the contents of the crash.dmp file, if it exists. Usage crashdump 2.2.14. Dhcp display information about dhcp-enabled inter...

  • Page 39: 2.2.16. Dhcpserver

    2.2.16. Dhcpserver show content of the dhcp server ruleset. Description show the content of the dhcp server ruleset and various information about active/inactive leases. Display filter filters leases based on interface/mac/ip (example: if1 192.168.*) usage dhcpserver show dhcp server leases. Dhcpser...

  • Page 40: 2.2.18. Dnsbl

    Dns client and queries. Description show status of the dns client and manage pending dns queries. Usage dns [-query=] [-list] [-remove] options -list list pending dns queries. -query= resolve domain name. -remove remove all pending dns queries. 2.2.18. Dnsbl dnsbl. Description show status of dnsbl. ...

  • Page 42: 2.2.21. Hostmon

    -deactivate go inactive. 2.2.21. Hostmon show host monitor statistics. Description show active host monitor sessions. Usage hostmon [-verbose] [-num=] options -num= limit list to entries. (default: 20) -verbose verbose output. 2.2.22. Httpalg commands related to the http application layer gateway. D...

  • Page 44: 2.2.25. Idppipes

    -all show all sensors, warning: use at own risk, may take long time for highspeed ifaces to cope. -verbose show sensor number, type and limits. 2.2.25. Idppipes show and remove hosts that are piped by idp. Description show list of currently piped hosts. Usage idppipes -show [-host=] lists hosts for ...

  • Page 45: 2.2.27. Igmp

    -allindepth show in-depth information about all interfaces. -filter= filter list of interfaces. -num= limit list to lines. (default: 20) -pbr= only list members of given pbr table(s). -restart stop and restart the interface. (admin only) name of interface. 2.2.27. Igmp igmp interfaces. Description s...

  • Page 46: 2.2.28. Ippool

    Host ip address. Interface. Multicast address. Router ip address. 2.2.28. Ippool show ip pool information. Description show information about the current state of the configured ip pools. Usage ippool -release [] [-all] forcibly free ip assigned to subsystem. Ippool -show [-verbose] [-max=] show ip ...

  • Page 47: 2.2.30. Ldap

    Languagefiles show all language files on disk. Languagefiles -remove= remove a language file from disk. Options -remove= specify language file to delete. 2.2.30. Ldap ldap information. Description status and statistics for the configured ldap databases. Usage ldap list all ldap databases. Ldap -list...

  • Page 48: 2.2.32. Linkmon

    Show contents of the license file. Description show contents of the license file. Usage license 2.2.32. Linkmon display link monitoring statistics. Description: if link monitor hosts have been configured, linkmon will monitor host reachability to detect link/NIC problems. Usage linkmon 2.2.33. Lo...

  • Page 49: 2.2.35. Natpool

    Usage memory 2.2.35. Natpool show current nat pools. Description show current nat pools and in-depth information. Usage natpool [-verbose] [ []] [-num=] options -num= maximum number of items to list (default: 20). -verbose verbose (more information). Translated ip. Nat pool name. 2.2.36. Nd show nei...

  • Page 50: 2.2.37. Ndsnoop

    Show neighbor discovery entries. Nd -hashinfo [] show information on hash table health. Nd -flush [] flush neighbor discovery cache of specified interface. Nd -query= send neighbor solicitation for ip. Nd -del= delete nd cache entry. Options -del= delete nd cache entry . -flush flush neighbor discov...

  • Page 52

    Pcapdump show capture status. Pcapdump -start [] [-size=] [-snaplen=] [-count=] [-out] [-out-nocap] [-eth=] [-ethsrc=] [-ethdest=] [-ip=] [-ipsrc=] [-ipdest=] [-port=] [-srcport=] [-destport=] [-proto=] [-icmp] [-tcp] [-udp] [-promisc] [-ipversion=] start capture. Pcapdump -stop [] stop capture. Pca...

  • Page 53: 2.2.40. Pipes

    -ipdest= destination ip address filter. -ipsrc= source ip address filter. -ipversion= ip version filter. -out realtime packet brief dumped to console. -out-nocap unbuffered (not stored in memory) realtime packet brief dumped to console. -port= tcp/udp port filter. -promisc set iface in promiscuous m...

  • Page 54: 2.2.41. Pptpalg

    Pipes list all pipes. Pipes -users [] [-expr=] list users of a given pipe. Pipes -show [] [-expr=] show pipe details. Options -expr= pipe wildcard(*) expression. -show show pipe details. -users list users of a given pipe. Show pipe details. 2.2.41. Pptpalg show pptp alg information. Description show...

  • Page 55: 2.2.42. Reconfigure

    -verbose verbose output. Pptp alg. 2.2.42. Reconfigure initiates a configuration re-read. Description restart the security gateway using the currently active configuration. Usage reconfigure note requires administrator privilege. 2.2.43. Routemon list the currently monitored interfaces and gateways....

  • Page 56: 2.2.45. Rules

    Show core routes also. Use the -switched switch to show only switched routes. Explanation of flags field of the routing tables: o learned via ospf x route is disabled m route is monitored a published via proxy arp d dynamic (from e.g. dhcp relay, ipsec, l2tp/ppp servers, etc.) h ha synced from clust...

  • Page 58

    Selftest -ping -interfaces=if1,if2 example 2.14. Start a 30 min burn-in duration test, testing ram, storage media and the crypto accelerator: selftest -burnin -minutes 30 -media -memory -cryptoaccel usage selftest -memory [-num=] check the sanity of the ram. Selftest -media [-size=] check the sanity ...

  • Page 59: 2.2.47. Services

    Options -abort abort a running self test. -burnin run burn-in tests for a selected set of sub tests. -cryptoaccel verify the correct functioning of available crypto accelerator cards. -hours[=] test duration in hours. (default: 48) -interfaces= ethernet interface(s). -mac check if there are mac ad...

  • Page 60: 2.2.48. Sessionmanager

    Services [] options name or pattern. 2.2.48. Sessionmanager session manager. Description show information about the session manager, and list currently active users. Explanation of timeout flags for sessions: d session is disabled s session uses a timeout in its subsystem - session does not use time...

  • Page 61: 2.2.49. Settings

    -disconnect forcibly terminate session(s). (admin only) -info show in-depth information about session. -list list active sessions. -message send message to session. -num= list number of session. -status show session manager status. Name of user database. Ip address. Message to send. Name of session....

  • Page 62: 2.2.51. Sipalg

    Usage shutdown [] [-normal] [-reboot] options -normal initiate core shutdown. -reboot initiate system reboot. Seconds until shutdown. (default: 5) note requires administrator privilege. 2.2.51. Sipalg sip alg. Description list running sip-alg configurations, sip registration and call information. Th...

  • Page 63

    - 0x00004000 media - 0x00008000 contact - 0x00010000 conn - 0x00020000 ping - 0x00040000 transaction - 0x00080000 callleg - 0x00100000 registry flags can be added in the usual way. The default value is 0x00000003 (general and errors). Note: 'verbose' option outputs a lot of information on the consol...

  • Page 66: 2.2.56. Time

    Usage techsupport 2.2.56. Time display current system time. Description display/set the system date and time. Usage time display current system time. Time -set set system local time: . Time -sync [-force] synchronize time with timeserver(s) (specified in settings). Options -force force synchronizati...

  • Page 67: 2.2.58. Updatecenter

    Example 2.16. Show a range of rules uarules -v 1-2,4-5 usage uarules [-verbose] [] options -verbose verbose output. Range of rules to list. 2.2.58. Updatecenter show autoupdate status and manage idp/av databases. Description show autoupdate mechanism status or force an update. Usage updatecenter -up...

  • Page 69: 2.2.60. Vlan

    2.2.60. Vlan show information about vlan. Description show list of attached virtual lan interfaces, or in-depth information about a specified vlan. Usage vlan list attached vlans. Vlan display vlans connected to physical iface . Options display vlan information about this interface. 2.2.60. Vlan cha...

  • Page 70: 2.3. Utility

    2.3. Utility 2.3.1. Ping ping host. Description sends one or more icmp echo, tcp syn or udp datagrams to the specified ip address of a host. All datagrams are sent preloaded-style (all at once). The data size -length given is the icmp or udp data size. 1472 bytes of icmp data results in a 1500-byte ...

  • Page 71: 2.4. Misc

    2.4. Misc 2.4.1. Echo print text. Description print text to the console. Example 2.17. Hello world echo hello world usage echo []... Options text to print. 2.4.2. Help show help for selected topic. Description the help system contains information about commands and configuration object types. The fa...

  • Page 73: 2.4.5. Script

    Example 2.20. Upload certificate data scp certificate.cer user@sgw-ip:certificate/certificate_name scp certificate.key user@sgw-ip:certificate/certificate_name example 2.21. Upload ssh public key data scp sshkey.pub user@sgw-ip:sshclientkey/sshclientkey_name usage options -long enable long listing f...

  • Page 74

    Execute script. Script -show [-all] [-name=] show script in console window. Script -store [-all] [-name=] store a script to persistent storage. Script -remove [-all] [-name=] remove script. Script list script files. Options -all apply to all scripts. -create create configuration script from specifie...

  • Page 76

    Chapter 3. Configuration reference • access, page 77 • address, page 79 • advancedscheduleprofile, page 83 • alg, page 84 • arpnd, page 92 • blacklistwhitehost, page 93 • certificate, page 94 • client, page 95 • comportdevice, page 98 • configmodepool, page 99 • datetime, page 100 • device, page 101...

  • Page 77: 3.1. Access

    • ipsecalgorithms, page 138 • ldapdatabase, page 140 • ldapserver, page 141 • linkmonitor, page 142 • localuserdatabase, page 143 • logreceiver, page 144 • natpool, page 147 • pipe, page 148 • piperule, page 151 • psk, page 152 • radiusaccounting, page 153 • radiusserver, page 154 • remoteidlist, pa...

  • Page 78

    Action accept, expect or drop. (default: drop) interface the interface the packet must arrive on for this rule to be carried out. Exception: the expect rule. Network the ip span that the sender must belong to for this rule to be carried out. Logenabled enable logging. (default: yes) logseverity spec...

  • Page 79: 3.2. Address

    3.2. Address this is a category that groups the following object types. 3.2.1. Addressfolder description an address folder can be used to group related address objects for better overview. Properties name specifies a symbolic name for the network object. (identifier) comments text describing the cur...

  • Page 80

    3.2.1.3. Ethernetaddress description use an ethernet address item to define a symbolic name for an ethernet mac address. Properties name specifies a symbolic name for the network object. (identifier) address ethernet mac address, e.g. "12-34-56-78-ab-cd". Comments text describing the current object....

  • Page 81

    Nodefinedcredentials if this property is enabled the object requires user authentication, but has no credentials (user names or groups) defined. This means that the object only requires that a user is authenticated, but ignores any kind of group membership. (default: no) comments text describing t...

  • Page 82: 3.2.2. Ethernetaddress

    (optional) nodefinedcredentials if this property is enabled the object requires user authentication, but has no credentials (user names or groups) defined. This means that the object only requires that a user is authenticated, but ignores any kind of group membership. (default: no) comments text d...

  • Page 83

    3.3. Advancedscheduleprofile description an advanced schedule profile contains definitions of occurrences used by various policies in the system. Properties name specifies a symbolic name for the service. (identifier) comments text describing the current object. (optional) 3.3.1. Advancedscheduleocc...

  • Page 84: 3.4. Alg

    3.4. Alg this is a category that groups the following object types. 3.4.1. Alg_ftp description use an ftp application layer gateway to manage ftp traffic through the system. Properties name specifies a symbolic name for the alg. (identifier) allowserverpassive allow server to use passive mode (unsaf...

  • Page 85: 3.4.2. Alg_H323

    Filelisttype specifies if the file list contains files to allow or deny. (default: block) failmodebehavior standard behaviour on error: allow or deny. (default: deny) file list of file types to allow or deny. (optional) verifycontentmimetype verify that file extensions correspond to the mime type. (...

  • Page 86

    Verifyutf8url verify that urls do not contain invalid utf8 encoding. (default: no) blackurldisplayreason message to show when there is an attempt to access a blacklisted site. (optional) httpbanners http alg html banners. (default: default) maxdownloadsize the maximal allowed file size in kb. (o...

  • Page 87: 3.4.4. Alg_Pop3

    Words in them. Properties action whitelist or blacklist. (default: blacklist) url specifies the url to blacklist or whitelist. Comments text describing the current object. (optional) note if no index is specified when creating an instance of this type, the object will be placed last in the list and ...

  • Page 88: 3.4.5. Alg_Pptp

    Allowencryptedzip allow encrypted zip files, even though the contents can not be scanned. (default: no) zdenabled enable zonedefense block. (default: no) zdnetwork hosts within this network will be blocked at switches if a virus is found. Comments text describing the current object. (optional) 3.4.5...

  • Page 89: 3.4.7. Alg_Smtp

    (default: 5) comments text describing the current object. (optional) 3.4.7. Alg_smtp description use an smtp application layer gateway to manage smtp traffic through the system. Properties name specifies a symbolic name for the alg. (identifier) verifysenderemail check emails for mismatching smtp co...

  • Page 90

    Zdenabled enable zonedefense block. (default: no) zdnetwork hosts within this network will be blocked at switches if a virus is found. Dnsbl disable or enable dnsbl. (default: no) spamthreshold spam threshold defines when an email should be considered as spam. (default: 10) dropthreshold drop thresh...

  • Page 91: 3.4.8. Alg_Tftp

    Note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list. 3.4.8. Alg_tftp description use a tftp application layer gateway to manage tftp traffic through the system. Properties name specifi...

  • Page 92: 3.5. Arpnd

    3.5. Arpnd description use an arp/neighbor discovery entry to publish additional ip addresses and/or mac addresses on a specified interface. Properties mode static, publish or xpublish. (default: publish) interface indicates the interface to which the arp entry applies; e.g. the interface the addr...

  • Page 93: 3.6. Blacklistwhitehost

    3.6. Blacklistwhitehost description hosts and networks added to this whitelist can never be blacklisted by idp or threshold rules. Properties addresses specifies the addresses that will be whitelisted. Service specifies the service that will be whitelisted. Schedule the schedule when the whitelist s...

  • Page 94: 3.7. Certificate

    3.7. Certificate description an X.509 certificate is used to authenticate a vpn client or gateway when establishing an ipsec tunnel. Properties name specifies a symbolic name for the certificate. (identifier) type local, remote or request. Certificatedata certificate data. Privatekey private key. N...

  • Page 95: 3.8. Client

    3.8. Client this is a category that groups the following object types. 3.8.1. Dyndnsclientcjbnet description configure the parameters used to connect to the cjb.net dyndns service. Properties username username. Password the password for the specified username. (optional) comments text describing the...

  • Page 96: 3.8.5. Dyndnsclientdynscx

    Properties dnsname the dns name excluding the .dlinkddns.com suffix. Username username. Password the password for the specified username. (optional) comments text describing the current object. (optional) note if no index is specified when creating an instance of this type, the object will be placed...

  • Page 97: 3.8.7. Loginclientbigpond

    Note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list. 3.8.6. Dyndnsclientpeanuthull description configure the parameters used to connect to the peanut hull dyndns service. Properties dns...

  • Page 98: 3.9. Comportdevice

    3.9. Comportdevice description a serial communication port, that is used for accessing the cli. Properties port port. (identifier) bitspersecond bits per second. (default: 9600) databits data bits. (default: 8) parity parity. (default: none) stopbits stop bits. (default: 1) flowcontrol flow control....

  • Page 99: 3.10. Configmodepool

    3.10. Configmodepool description an ike config mode pool will dynamically assign the ip address, dns server, wins server etc. to the vpn client connecting to this gateway. Properties ippooltype specifies whether a predefined ip pool or a static set of ip addresses should be used as ip address source...

  • Page 100: 3.11. Datetime

    3.11. Datetime description set the date, time and time zone information for this system. Properties timezone specifies the time zone. (default: gmt) dstenabled enable daylight saving time. (default: yes) dstoffset daylight saving time offset in minutes. (default: 60) dststartmonth what month dayligh...

  • Page 101: 3.12. Device

    3.12. Device description global parameters for this device. Properties name name of the device. (default: device) localcfgversion local version number of the configuration. (default: 1) configuser name of the user who committed the current configuration. (default: baseconfiguration) configsession ...

  • Page 102: 3.13. Dhcprelay

    3.13. Dhcprelay description use a dhcp relay to dynamically alter the routing table according to relayed dhcp leases. Properties name specifies a symbolic name for the relay rule. (identifier) action ignore, relay or bootpfwd. (default: ignore) sourceinterface the source interface of the dhcp packet...

  • Page 103: 3.14. Dhcpserver

    3.14. Dhcpserver description a dhcp server determines a set of ip addresses and host configuration parameters to hand out to dhcp clients attached to a given interface. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the dhcp server rule. (ide...

  • Page 104

    Logseverity specifies with what severity log events will be sent to the specified log receivers. (default: default) comments text describing the current object. (optional) 3.14.1. Dhcpserverpoolstatichost description static dhcp server host entry properties host ip address of the host. Statichosttyp...

  • Page 105: 3.15. Dns

    3.15. Dns description configure the dns (domain name system) client settings. Properties dnsserver1 ip of the primary dns server. (optional) dnsserver2 ip of the secondary dns server. (optional) dnsserver3 ip of the tertiary dns server. (optional) comments text describing the current object. (option...

  • Page 106: 3.16. Driver

    3.16. Driver this is a category that groups the following object types. 3.16.1. E1000ethernetpcidriver description intel (e1000) gigabit ethernet adaptor. Properties rxringsize rx ringsize. (default: 64) txringsize tx ringsize. (default: 256) enablemonitoring enable monitoring. (default: no) belowcp...

  • Page 107: 3.16.5. Nullethernetdriver

    3.16.3. Ixp4npeethernetdriver description intel (ixp4xxnpe) fast ethernet adaptor. Properties comments text describing the current object. (optional) note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.16.4....

  • Page 108

    Description win32 packet.dll adaptor. Properties comments text describing the current object. (optional) note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.16.7. R8139ethernetpcidriver description realtek (8...

  • Page 109

    Description win32 switch.dll adaptor. Properties comments text describing the current object. (optional) note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.16.9. Switchethernetdriver chapter 3. Configuratio...

  • Page 110: 3.17. Ethernetdevice

    3.17. Ethernetdevice description hardware settings for an ethernet interface. Properties name specifies a symbolic name for the device. (identifier) ethernetdriver the ethernet pci driver that should be used by the interface. Pcibus pci bus number where the ethernet adapter is installed. Pcislot p...

  • Page 111: 3.18. Highavailability

    3.18. Highavailability description configure the high availability cluster parameters for this system. Properties enabled enable high availability. (default: no) clusterid a (locally) unique cluster id to use in identifying this group of ha security gateways. (default: 0) synciface specifies the int...

  • Page 112: 3.19. Httpalgbanners

    3.19. Httpalgbanners description http banner files specifies the look and feel of http alg restriction web pages. Properties name specifies a symbolic name for the http banner files. (identifier) compressionforbidden html for the compressionforbidden.html web page. Contentforbidden html for the cont...

  • Page 113: 3.20. Httpauthbanners

    3.20. Httpauthbanners description http banner files specifies the look and feel of html authentication web pages. Properties name specifies a symbolic name for the http banner files. (identifier) formlogin html for the formlogin.html web page. Loginsuccess html for the loginsuccess.html web page. Lo...

  • Page 114: 3.21. Httpposter

    3.21. Httpposter description use the http poster for dynamic dns or automatic logon to services using web-based authentication. Properties url the url that will be posted when the security gateway is loaded. Repostdelay delay in seconds until the url is refetched. (default: 1200) alwaysrepost re...

  • Page 115: 3.22. Hwm

    3.22. Hwm description hardware monitoring allows monitoring of hardware sensors. Properties name specifies a symbolic name for the object. Type type of monitoring. Sensor sensor index. Minlimit lower limit. (optional) maxlimit upper limit. (optional) enablemonitoring enable/disable monitoring. (defa...

  • Page 116: 3.23. Idlist

    3.23. Idlist description an id list contains ids, which are used within the authentication process when establishing an ipsec tunnel. Properties name specifies a symbolic name for the id list. (identifier) comments text describing the current object. (optional) 3.23.1. Id description an id is used t...

  • Page 117: 3.24. Idprule

    3.24. Idprule description an idp rule defines a filter for matching specific network traffic. When the filter criterion is met, the idp rule actions are evaluated and possible actions taken. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the ...

  • Page 118

    An idp rule action specifies what signatures to search for in the network traffic, and what action to take if those signatures are found. Properties action specifies what action to take if the given signature is found. (default: audit) signatures specifies what signature(s) to search for in the net-...

  • Page 119: 3.25. Igmprule

    3.25. Igmprule description an igmp rule specifies how to handle inbound igmp reports and outbound igmp queries. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the rule. (optional) type the type of igmp messages the rule applies to. (default: ...

  • Page 120

    Note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list.

  • Page 121: 3.26. Igmpsetting

    3.26. Igmpsetting description igmp parameters can be tuned for one, or a group of interfaces in order to match the characteristics of a network. Properties name specifies a symbolic name for the object. (identifier) interface the interfaces that these settings should apply to. Robustnessvariable igm...

  • Page 122: 3.27. Ikealgorithms

    3.27. Ikealgorithms description configure algorithms which are used in the ike phase of an ipsec session. Properties name specifies a symbolic name for the object. (identifier) nullenabled enable plaintext. (default: no) desenabled enable des encryption algorithm. (default: no) des3enabled enable 3d...

  • Page 123: 3.28. Interface

    3.28. Interface this is a category that groups the following object types. 3.28.1. Defaultinterface description a special interface used to represent internal mechanisms in the system as well as an abstract "any" interface. Properties name specifies a symbolic name for the interface. (identifier) co...

  • Page 124: 3.28.3. Gretunnel

    Ipv6 is enabled. (default: 1500) metric specifies the metric for the auto-created route. (default: 100) dhcpenabled enable dhcp client on this interface. (default: no) dhcphostname optional dhcp host name. Leave blank to use default name. (optional) ethernetdevice hardware settings for the etherne...

  • Page 125: 3.28.4. Interfacegroup

    Nat. (default: localinterface) originatorip manually specified originator ip address to use as source ip in e.g. Nat. Metric specifies the metric for the auto-created route. (default: 90) autointerfacenetworkroute automatically add a route for this interface using the given remote network. (default:...

  • Page 126

    Localnetwork the network on "this side" of the ipsec tunnel. The ipsec tunnel will be established between this network and the remote network. Remotenetwork the network connected to the remote gateway. The ipsec tunnel will be established between the local network and this network. Remoteendpoint ...

  • Page 127: 3.28.6. L2Tpclient

    Nat. (default: localinterface) originatorip manually specified originator ip address to use as source ip in e.g. Nat. Originatorhaip manually specified private originator ip address for use in ha. (optional) dhgroup specifies the diffie-hellman group to use when doing key exchanges in ike. (defaul...

  • Page 128

    Tunnelprotocol specifies if pptp or l2tp should be used for this tunnel. (default: pptp) originatoriptype specifies what ip address to use as source ip in e.g. Nat. (default: localinterface) originatorip manually specified originator ip address to use as source ip in e.g. Nat. Dns1 ip of the primary...

  • Page 129: 3.28.7. L2Tpserver

    Can be passed onward. (default: 1456) autointerfacenetworkroute automatically add a route for this interface using the given remote network. (default: yes) mppeallowstateful allow usage of stateful mppe (less secure, use only for compatibility). (default: no) comments text describing the current obj...

  • Page 130: 3.28.8. Pppoetunnel

    Nbns1 ip of the primary windows internet name service (wins) server that is used in microsoft environments which use the netbios name servers (nbns) to assign ip addresses to netbios names. (optional) nbns2 ip of the primary windows internet name service (wins) server that is used in microsoft en...

  • Page 131: 3.28.9. Sslvpninterface

    Pppauthnoauth allow no authentication for this tunnel. (default: no) pppauthpap use pap authentication protocol for this tunnel. User name and password are sent in plaintext. (default: yes) pppauthchap use chap authentication protocol for this tunnel. (default: yes) pppauthmschap use ms-chap authent...

  • Page 132: 3.28.10. Vlan

    Outerinterface the physical interface that the ssl vpn interface will listen on. Serverport the listening port for the ssl vpn interface. (default: 443) serverip listening ip for the ssl vpn interface. Serverfqdn optional. Fqdn of the ssl vpn server given to clients, e.g. (sslvpn.example.com). (opt...

  • Page 133

    Interface. (optional) enableipv6 todo. (default: no) ipv6ip specifies the ip address of the virtual lan interface. Ipv6network specifies the network of the virtual lan interface. Ipv6defaultgateway the default gateway of the virtual lan interface. (optional) privateip the private ip address of this ...

  • Page 134: 3.29. Ippool

    3.29. Ippool description an ip pool is a dynamic object which consists of ip leases that are fetched from a dhcp server. The ip pool is used as an address source by subsystems that may need to distribute addresses, e.g. By ipsec in configuration mode. Properties name specifies a symbolic name for th...

  • Page 135: 3.30. Iprule

    3.30. Iprule description an ip rule specifies what action to perform on network traffic that matches the specified filter criteria. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the rule. (optional) action reject, drop, fwdfast, allow, nat...

  • Page 136

    Logenabled enable logging. (default: yes) logseverity specifies with what severity log events will be sent to the specified log receivers. (default: default) comments text describing the current object. (optional) note if no index is specified when creating an instance of this type, the object will ...

  • Page 137: 3.31. Iprulefolder

    3.31. Iprulefolder description an ip rule folder can be used to group ip rules into logical groups for better overview and simplified management. Properties index the index of the object, starting at 1. (identifier) name specifies the name of the folder. Comments text describing the current object...

  • Page 138: 3.32. Ipsecalgorithms

    3.32. Ipsecalgorithms description configure algorithms which are used in the ipsec phase of an ipsec session. Properties name specifies a symbolic name for the object. (identifier) nullenabled enable plaintext. (default: no) desenabled enable des encryption algorithm. (default: no) des3enabled enabl...

  • Page 139

    Comments text describing the current object. (optional)

  • Page 140: 3.33. Ldapdatabase

    3.33. Ldapdatabase description external ldap server used to verify user names and passwords. Properties name specifies a symbolic name for the server. (identifier) ip the ip address of the server. Port the tcp port of the server. (default: 389) timeout the timeout, in milliseconds, used when process...

  • Page 141: 3.34. Ldapserver

    3.34. Ldapserver description an ldap server is used as a central repository of certificates and crls that the security gateway can download when necessary. Properties host specifies the ip address or hostname of the ldap server. Username specifies the username to use when accessing the ldap server. ...

  • Page 142: 3.35. Linkmonitor

    3.35. Linkmonitor description the link monitor allows the system to monitor one or more hosts and take action if they are unreachable. Properties action specifies what action the system should take. Addresses specifies the addresses that should be monitored. Maxloss a single host is considered unr...

  • Page 143: 3.36. Localuserdatabase

    3.36. Localuserdatabase description a local user database contains user accounts used for authentication purposes. Properties name specifies a symbolic name for the object. (identifier) comments text describing the current object. (optional) 3.36.1. User description user credentials may be used in u...

  • Page 144: 3.37. Logreceiver

    3.37. Logreceiver this is a category that groups the following object types. 3.37.1. Eventreceiversnmp2c description a snmp2c event receiver is used to receive snmp events from the system. Properties name specifies a symbolic name for the log receiver. (identifier) ipaddress destination ip address. ...

  • Page 145: 3.37.2. Logreceivermemory

    3.37.2. Logreceivermemory description a memory log receiver is used to receive and keep log events in system ram. Properties name specifies a symbolic name for the log receiver. (identifier) logseverity specifies with what severity log events will be sent to the specified log receivers. (optional; d...

  • Page 146: 3.37.4. Logreceiversyslog

    Holdtime the hold time in seconds during which the log threshold must be reached for an email to be sent. (default: 120) minrepeatdelay the amount of seconds the security gateway will wait before sending another email. (default: 600) logthreshold the number of events that have to occur within the ho...

  • Page 147: 3.38. Natpool

    3.38. Natpool description a nat pool is used for nat'ing multiple concurrent connections using different source ip addresses. Properties name specifies a symbolic name for the nat pool. (identifier) type specifies how nat'ed connections are assigned a nat ip address. (default: stateful) ipsource...

  • Page 148: 3.39. Pipe

    3.39. Pipe description a pipe defines basic traffic shaping parameters. The pipe rules then determine which traffic goes through which pipes. Properties name specifies a symbolic name for the pipe. (identifier) limitkbpstotal total bandwidth limit for this pipe in kilobits per second. (optional) li...

  • Page 149

    7 (the highest precedence). (optional) limitpps7 specifies the packet per second limit for precedence 7 (the highest precedence). (optional) userlimitkbpstotal total bandwidth limit per group in the pipe in kilobits per second. (optional) userlimitppstotal total throughput limit per group in the p...

  • Page 150

    Tion network, the size of the network has to be specified by this setting. (default: 0) dynamic enable dynamic balancing of groups. (default: no) precedencemin specifies the lowest allowed precedence for traffic in this pipe. If a packet with a lower precedence enters, its precedence is raised to ...

  • Page 151: 3.40. Piperule

    3.40. Piperule description a pipe rule determines traffic shaping policy - which pipes to use - for one or more types of traffic with the same granularity as the standard ruleset. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the object. (op...

  • Page 152: 3.41. Psk

    3.41. Psk description psk (pre-shared key) authentication is based on a shared secret that is known only by the parties involved. Properties name specifies a symbolic name for the pre-shared key. (identifier) type specifies the type of the shared key. Pskascii specifies the psk as a passphrase. Pskh...

  • Page 153: 3.42. Radiusaccounting

    3.42. Radiusaccounting description external radius server used to collect user statistics. Properties name specifies a symbolic name for the server. (identifier) ipaddress the ip address of the server. Port the udp port of the server. (default: 1813) retrytimeout the retry timeout, in seconds, used ...

  • Page 154: 3.43. Radiusserver

    3.43. Radiusserver description external radius server used to verify user names and passwords. Properties name specifies a symbolic name for the server. (identifier) ipaddress the ip address of the server. Port the udp port of the server. (default: 1812) retrytimeout the retry timeout, in seconds, u...

  • Page 155: 3.44. Remoteidlist

    3.44. Remoteidlist description list of remote ids that are allowed access when using pre-shared keys as authentication method. Properties type specifies the type of the shared key. Pskascii specifies the psk as a passphrase. Pskhex specifies the psk as a hexadecimal key. Idtype selects the type of r...

  • Page 156: 3.45. Remotemanagement

    3.45. Remotemanagement this is a category that groups the following object types. 3.45.1. Remotemgmthttp description configure http/https management to enable remote management to the system. Properties name specifies a symbolic name for the object. (identifier) interface specifies the interface for...

  • Page 157: 3.45.3. Remotemgmtssh

    3.45.3. Remotemgmtssh description configure a secure shell (ssh) server to enable remote management access to the system. Properties name specifies a symbolic name for the ssh server. (identifier) interface specifies the interface for which remote access is granted. Port the listening port for the s...

  • Page 158

    Logingracetime when the user has supplied the username, the password has to be provided within this number of seconds or the session will be closed. (default: 30) authenticationretries the number of retries allowed before the session is closed. (default: 3) accesslevel the access level to grant th...

  • Page 159

    3.46. Routebalancinginstance description a route balancing instance is associated with a routingtable and defines how to make use of multiple routes to the same destination. Properties routingtable specify routingtable to deploy route load balancing in. (identifier) algorithm specify which algorithm...

  • Page 160

    3.47. Routebalancingspilloversettings description settings associated with the spillover algorithm. Properties interface interface to threshold limit. (identifier) holdtime number of consecutive seconds over/under the threshold limit to trigger state change for the affected routes. (default: 30) o...

  • Page 161: 3.48. Routingrule

    3.48. Routingrule description a routing rule forces the use of a routing table in the forward and/or return direction of traffic on a connection. The ordering parameter of the routing table determines if it is consulted before or after the main routing table. Properties index the index of the object...

  • Page 162: 3.49. Routingtable

    3.49. Routingtable description the system has a predefined main routing table. Alternate routing tables can be defined by the user. Properties name specifies a symbolic name for the routing table. (identifier) ordering specifies how a route lookup is done in a named routing table. (default: only) re...

  • Page 163: 3.49.2. Route

    Comments text describing the current object. (optional) note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list. 3.49.2. Route description a route defines what interface and gateway to use ...

  • Page 164

    Reachabilitycount minimum number of reachable hosts to consider the route to be active. Metric specifies the metric for this route. (default: 0) proxyarpallinterfaces always select all interfaces, including new ones, for publishing routes via proxy arp. (default: no) proxyarpinterfaces specifies the...

  • Page 165: 3.49.3. Switchroute

    Note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list. 3.49.3. Switchroute description a switch route defines which interfaces the specified network can be reached on. Proxy arp defines b...

  • Page 166: 3.50. Scheduleprofile

    3.50. Scheduleprofile description a schedule profile defines days and dates and is then used by the various policies in the system. Properties name specifies a symbolic name for the service. (identifier) mon specifies during which intervals the schedule profile is active on mondays. (optional) tue ...

  • Page 167: 3.51. Service

    3.51. Service this is a category that groups the following object types. 3.51.1. Servicegroup description a service group is a collection of service objects, which can then be used by different policies in the system. Properties name specifies a symbolic name for the service. (identifier) members gr...

  • Page 168: 3.51.3. Serviceicmpv6

    Parameterproblemcodes specifies which parameter problem message codes should be matched. (default: 0-255) echoreply enable matching of echo reply messages. (default: no) echoreplycodes specifies which echo reply message codes should be matched. (default: 0-255) sourcequenching enable matching of sou...

  • Page 169: 3.51.4. Serviceipproto

    Be matched. (default: 0-255) destinationunreachable enable matching of destination unreachable messages. (default: no) destinationunreachablecodes specifies which destination unreachable message codes should be matched. (default: 0-255) packettoobig enable matching of packet too big messages. (def...

  • Page 170: 3.51.5. Servicetcpudp

    Managing advanced protocols, can be specified for this service. (optional) maxsessions specifies how many concurrent sessions are permitted using this service. (default: 200) comments text describing the current object. (optional) 3.51.5. Servicetcpudp description a tcp/udp service is a defin...

  • Page 171: 3.52. Settings

    3.52. Settings this is a category that groups the following object types. 3.52.1. Arpndsettings description advanced arp/neighbor discovery-table settings. Properties arpmatchenetsender the ethernet sender address matching the hardware address in the arp data. (default: droplog) arpquerynosenderip i...

  • Page 172

    Maxanycastdelaytime randomized time to delay proxied and anycast advertisements. (default: 100) proxyclearoverrideflag clear the override flag on proxy nd advertisements. (default: yes) ndmatchenetsender ignore nd packets with mismatching sender- and options mac-addresses. (default: yes) ndvalse...

  • Page 173: 3.52.3. Conntimeoutsettings

    Allowauthifnoaccountingresponse allow an authenticated user to still have access even if no response is received by the accounting server. (default: yes) logalguser log authenticated user together with url in alg log messages. (default: yes) maxradiuscontexts maximum number of radius communication c...

  • Page 174: 3.52.5. Dhcpserversettings

    Maxtransactions maximum number of concurrent bootp/dhcp transactions. (default: 32) transactiontimeout timeout for each transaction (in seconds). (default: 10) maxppmperiface maximum packets per minute that are relayed from clients to the server, per interface. (default: 500) maxhops requests/respon...

  • Page 175

    Properties pseudoreass_maxconcurrent maximum number of concurrent fragment reassemblies. Set to 0 to drop all fragments. (default: 1024) illegalfrags illegally constructed fragments; partial overlaps, bad sizes, etc. (default: droplog) duplicatefragdata on receipt of duplicate fragments, verify mat...

  • Page 176: 3.52.7. Hwmsettings

    (watching for old dups). (default: 20) ip6reassillegallinger how long to remember an illegal reassembly (watching for more fragments). (default: 60) note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.52.7. ...

  • Page 177: 3.52.9. Ipsectunnelsettings

    Icmpsendperseclimit maximum number of icmp responses that will be sent each second. (default: 500) silentlydropstateicmperrors silently drop icmp errors regarding statefully tracked open connections. (default: yes) note this object type does not have an identifier and is identified by the name of th...

  • Page 178: 3.52.10. Ipsettings

    Aliveness sign before activating ike dpd. (default: no) ipsechardwareacceleration ipsec hardware acceleration. (default: inline) ipsecdisablepkaccel disable hardware acceleration for public-key operations. (default: no) note this object type does not have an identifier and is identified by the nam...

  • Page 179

    Droplog) ip6validatesyntax validate ipv6 syntax violation. (default: validatelogbad) ip6opt_padn validate when ipv6 padn option data fields are non-zero. (default: striplog) ip6opt_jumbo validate jumbogram packets. (default: validatelog) ip6opt_ra validate router alert packets. (default: ignore) ...

  • Page 180: 3.52.11. L2Tpserversettings

    Udp total length field specifies -- checkpoint securemote violates nat-t drafts. (default: no) ipoptionsizes validity of ip header option sizes. (default: validatelogbad) ipopt_sr how to handle ip packets with contained source or return routes. (default: droplog) ipopt_ts how to handle ip packet...

  • Page 181: 3.52.12. Lengthlimsettings

    3.52.12. Lengthlimsettings description length limitations for various protocols. Properties maxtcplen tcp; sometimes has to be increased if tunneling protocols are used. (default: 1480) maxudplen udp; many interactive applications use large udp packets, may otherwise be decreased to 1480. (default: ...

  • Page 182: 3.52.14. Logsettings

    Parameters use for local fragment reassembly. Properties localreass_maxconcurrent maximum number of concurrent local reassemblies. (default: 256) localreass_maxsize maximum size of a locally reassembled packet. (default: 10000) localreass_numlarge number of large (>2k) local reassembly buffers (of t...

  • Page 183: 3.52.16. Multicastsettings

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.52.16. Multicastsettings description advanced multicast settings. Properties autoaddmulticastcoreroute auto generate core route for "224.0.0.1-239.255.255....

  • Page 184: 3.52.17. Remotemgmtsettings

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.52.17. Remotemgmtsettings description setup and configure methods and permissions for remote management of this system. Properties netconbidirtimeout speci...

  • Page 185: 3.52.18. Routingsettings

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.52.18. Routingsettings description configure the routing capabilities of the system. Properties routefailover_ifacepollinterval time (ms) between polling o...

  • Page 186: 3.52.19. Sslsettings

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.52.19. Sslsettings description settings related to ssl (secure sockets layer). Properties ssl_processingpriority the amount of cpu time that ssl process...

  • Page 187: 3.52.21. Statesettings

    Properties sslvpnbeforerules pass ssl vpn connections sent to the security gateway directly to the ssl vpn engine without consulting the ruleset. (default: yes) note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of thi...

  • Page 188

    Properties tcpoptionsizes validity of tcp header option sizes. (default: validatelogbad) tcpmssmin minimum allowed tcp mss (maximum segment size). (default: 100) tcpmssonlow how to handle too low mss values. (default: droplog) tcpmssmax maximum allowed tcp mss (maximum segment size). (default: 146...

  • Page 189: 3.52.23. Vlansettings

    Valid (strip=strip rst). (default: droplog) tcpsynfin the tcp fin flag together with syn; normally invalid (strip=strip fin). (default: droplog) tcpfinurg the tcp urg flag together with fin; normally invalid (strip=strip urg). (default: droplog) tcpurg the tcp urg flag; many operating systems ca...

  • Page 190: 3.53. Sshclientkey

    3.53. Sshclientkey description the public key of the client connecting to the ssh server. Properties name specifies a symbolic name for the key. (identifier) type dsa or rsa. (default: dsa) subject value of the subject header tag of the public key file. (optional) publickey specifies the public key....

  • Page 191: 3.54. Updatecenter

    3.54. Updatecenter description configure automatic updates. Properties avenabled automatic updates of antivirus definitions and engine. (default: no) idpenabled automatic updates of idp maintenance signatures. (default: no) advancedidpenabled automatic updates of advanced idp signatures. (defaul...

  • Page 192: 3.55. Userauthrule

    3.55. Userauthrule description the user authentication ruleset specifies from where users are allowed to authenticate to the system, and how. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the rule. (optional) agent http, https, xauth, ppp ...

  • Page 193

    Way sends to the client. Only rsa certificates are supported. Rootcertificate specifies the root certificate that was used to sign the host certificate. Only rsa certificates are supported. (optional) pppauthnoauth allow no authentication. (default: no) pppauthpap use pap authentication protocol. Us...

  • Page 194

    Yes) interimvalue the interval in seconds in which interim accounting events should be sent. (default: 600) logenabled enable logging. (default: yes) logseverity specifies with what severity log events will be sent to the specified log receivers. (default: default) comments text describing the curre...


  • Page 196: Index

    Index commands a about, 30 activate, 19 add, 19 alarm, 30 arp, 30 arpsnoop, 31 ats, 32 b bigpond, 32 blacklist, 33 buffers, 34 c cam, 35 cancel, 20 cc, 21 cfglog, 35 commit, 22 connections, 36 cpuid, 36 crashdump, 37 d delete, 22 dhcp, 37 dhcprelay, 38 dhcpserver, 39 dns, 39 dnsbl, 40 e echo, 71 f f...

  • Page 197: Object Types

    V vlan, 69 object types a access, 77 addressfolder, 79 advancedscheduleoccurrence, 83 advancedscheduleprofile, 83 alg_ftp, 84 alg_h323, 85 alg_http, 85 alg_http_url, 86 alg_pop3, 87 alg_pptp, 88 alg_sip, 88 alg_smtp, 89 alg_smtp_email, 90 alg_tftp, 91 alg_tls, 91 arpnd, 92 arpndsettings, 171 authent...

  • Page 198

    M marvellethernetpcidriver, 107 miscsettings, 182 monitoredhost, 164 multicastsettings, 183 n natpool, 147 nullethernetdriver, 107 p packetethernetdriver, 107 pipe, 148 piperule, 151 pppoetunnel, 130 psk, 152 r r8139ethernetpcidriver, 108 r8169ethernetpcidriver, 108 radiusaccounting, 153 radiusserve...