D-Link DFL-260E Reference Manual - 2.2.85. Techsupport

Manual is about: Network Security Firewall Application Control Signatures NetDefendOS

Summary of DFL-260E

  • Page 1

    Network security solution. http://www.dlink.com. NetDefendOS ver. 11.04.01. Network Security Firewall CLI Reference Guide.

  • Page 2: Cli Reference Guide

    CLI Reference Guide DFL-260E/860E/870/1660/2560/2560G, NetDefendOS version 11.04.01. D-Link Corporation, No. 289, Sinhu 3rd Rd., Neihu District, Taipei City 114, Taiwan R.O.C. http://www.dlink.com. Published 2016-10-03. Copyright © 2016.

  • Page 3: Cli Reference Guide

    Cli reference guide dfl-260e/860e/870/1660/2560/2560g netdefendos version 11.04.01 published 2016-10-03 copyright © 2016 copyright notice this publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this m...

  • Page 4: Table Of Contents

    Table of contents: Preface, page 11. 1. Introduction ...

  • Page 5

    2.2.29. Frags, page 50. 2.2.30. Ha ...

  • Page 6

    2.2.90. Vlan, page 92. 2.2.91. Vpnstats ...

  • Page 7

    3.24. Dhcpserversettings, page 152. 3.25. Dhcpv6server ...

  • Page 8

    3.64.7. Iprulefolder, page 216. 3.64.8. Iprule ...

  • Page 9

    3.115. Serviceipproto, page 295. 3.116. Servicetcpudp ...

  • Page 10: List Of Examples

    List of examples: 1. Command option notation, page 11. 1.1. Help for commands ...

  • Page 11: Preface

    Preface audience the target audience for this reference guide is: • administrators that are responsible for configuring and managing the d-link firewall. • administrators that are responsible for troubleshooting the d-link firewall. This guide assumes that the reader is familiar with the d-link fire...

  • Page 12

    Is specified. The following two examples will yield the same result: gw-world:/> routes -flushl3cache=100 gw-world:/> routes -flushl3cache because the table name option is followed by ellipses it is possible to specify more than one routing table. Since table name is optional as well, the user can s...

  • Page 13: Chapter 1: Introduction

    Chapter 1: introduction • running a command, page 13 • help, page 14 • function keys, page 15 • command line history, page 16 • tab completion, page 17 • user roles, page 20 this guide is a reference for all commands and configuration object types that are available in the command line interface for...

  • Page 14: 1.2. Help

    1.2. Help 1.2.1. Help for commands there are two ways of getting help about a command. A brief help is displayed if the command name is typed followed by -? or -h . This applies to all commands and is therefore not listed in the option list for each command in this guide. Using the help command give...

  • Page 15: 1.3. Function Keys

    1.3. Function keys in addition to the return key there are a number of function keys that are used in the cli. Backspace delete the character to the left of the cursor. Tab complete current word. Ctrl-a or home move the cursor to the beginning of the line. Ctrl-b or left arrow move the cursor one ch...

  • Page 16: 1.4. Command Line History

    1.4. Command line history every time a command is run, the command line is added to a history list. The up and down arrow keys are used to access previous command lines (up arrow for older command lines and down arrow to move back to a newer command line). See also section 2.4.3, “history”. Example ...

  • Page 17: 1.5. Tab Completion

    1.5. Tab completion by using the tab function key in the cli the names of commands, options, objects and object properties can be automatically completed. If the text entered before pressing tab only matches one possible item, e.g. "activate" is the only match for "acti", and a command is expected, ...

  • Page 18

    A more detailed help text about address is displayed. 1.5.2. Autocompleting current and default value another special character that can be used together with tab completion is the period " . " character. If " . " is entered instead of a property value and tab is pressed it will be replaced by the c...

  • Page 19

    Accessing an ip4address object without the use of categories: gw-world:/> show ip4address example_ip chapter 1: introduction 19.

  • Page 20: 1.6. User Roles

    1.6. User roles some commands and options cannot be used unless the logged-in user has administrator privileges. This is indicated in this guide by a note following the command or admin only written next to an option.

  • Page 22: 2.1. Configuration

    Chapter 2: command reference • configuration, page 22 • runtime, page 33 • utility, page 94 • misc, page 97 2.1. Configuration 2.1.1. Activate activate changes. Description activate the latest changes. This will issue a reconfiguration, using the new configuration. If the reconfiguration is successf...

  • Page 23

    Description create a new object and add it to the configuration. Specify the type of object you want to create and the identifier, if the type has one, unless the object is identified by an index. Set the properties of the object by writing the propertyname equals (=) and then the value. An optional...

  • Page 24: 2.1.3. Cancel

    2.1.3. Cancel cancel ongoing commit. Description cancel commit operation immediately, without waiting for the timeout. Usage cancel note requires administrator privileges. 2.1.4. Cc change the current context. Description change the current configuration context. A context is a group of objects that...

  • Page 25: 2.1.5. Commit

    Change the current context. Cc -print print the current context. Cc change to root context (same as "cc /"). Options -print print the current context. Category that groups object types. The property that identifies the configuration object. May not be applicable depending on the specified . Type of ...

  • Page 26: 2.1.7. Pskgen

    Activated. See also: undelete example 2.3. Delete an object delete an unreferenced object: gw-world:/> delete address ip4address example_ip delete a referenced object: (will cause error in examplerule) gw-world:/> set iprule examplerule sourcenetwork=examplenet gw-world:/> delete address ip4address ...

  • Page 28: 2.1.9. Reset

    Usage reject [] [] [-recursive] reject changes made to the specified object. Reject -all reject all changes in the configuration. Options -all reject all changes in the configuration. -recursive recursively reject changes. Category that groups object types. The property that identifies the configura...

  • Page 29: 2.1.10. Set

    Note requires administrator privileges. 2.1.10. Set set property values. Description set property values of configuration objects. Specify the type of object you want to modify and the identifier, if the type has one. Set the properties of the object by writing the propertyname equals (=) and then t...

  • Page 30: 2.1.11. Show

    Object. May not be applicable depending on the specified . One or more property-value pairs, i.e. name>= or ="". Type of configuration object to perform operation on. Note requires administrator privileges. 2.1.11. Show show objects. Description show objects. Show the properties of a specified objec...

  • Page 31: 2.1.12. Undelete

    Properties as well as their status: gw-world:/> show address ip4address gw-world:/> show ip4address show a table of all objects for each type in a category: gw-world:/> show address show objects with changes and errors: gw-world:/> show -changes gw-world:/> show -errors show what objects use (refer ...

  • Page 32

    Description restore a previously deleted object. This is possible as long as the activate command has not been called. See also: delete example 2.7. Undelete an object undelete an unreferenced object: gw-world:/> delete address ip4address example_ip gw-world:/> undelete address ip4address example_ip...

  • Page 33: 2.2. Runtime

    2.2. Runtime 2.2.1. About show copyright/build information. Description show copyright and build information. Usage about 2.2.2. Alarm show alarm information. Description show list of currently active alarms. Usage alarm [-history] [-active] options -active show the currently active alarms. -history...

  • Page 35: 2.2.5. Arpsnoop

    The presented list can be filtered using the ip and hw options. Usage arp show all arp entries. Arp -show [] [-ip=] [-hw=] [-num=] show arp entries. Arp -hashinfo [] show information on hash table health. Arp -flush [] flush arp cache of specified interface. Arp -notify= [] [-hwsender=] send gratuit...

  • Page 38: 2.2.9. Avcache

    2.2.9. Avcache control the anti-virus cache. Description show anti-virus cache statistics or remove all entries in it. Usage avcache -clear remove all entries in the anti-virus cache. Avcache show anti-virus cache count. Options -clear remove all entries in the anti-virus cache. 2.2.10. Blacklist bl...

  • Page 40: 2.2.12. Cam

    Usage buffers list the 20 most recently freed buffers. Buffers -recent decode the most recently freed buffer. Buffers decode buffer number . Options -recent decode most recently freed buffer. Decode given buffer number. 2.2.12. Cam cam table information. Description show information about the cam ta...

  • Page 41: 2.2.13. Certcache

    Interface. 2.2.13. Certcache show the contents of the certificate cache. Description show all certificates in the certificate cache. Usage certcache [-verbose] options -verbose show verbose information. 2.2.14. Cfglog display configuration log. Description display the log of the last configuration r...

  • Page 43: 2.2.17. Crashdump

    2.2.17. Crashdump show the contents of the crash.dmp file. Description show the contents of the crash.dmp file, if it exists. Usage crashdump 2.2.18. Cryptostat show information about crypto accelerators. Description show information about installed crypto accelerators. Usage cryptostat [-hashinfo] ...

  • Page 44: 2.2.20. Dconsole

    2.2.20. Dconsole displays the content of the diagnose console. Description the diagnose console is used to help troubleshooting internal problems within the firewall usage dconsole [-clean] [-flush] [-date=] [-onlyhigh] options -clean remove all diagnose entries. (admin only) -date= yyyy-mm-dd. Only...

  • Page 46: 2.2.24. Dhcpv6

    Show content of the dhcp server ruleset. Description show the content of the dhcp server ruleset and various information about active/inactive leases. Display filter filters entries based on interface/mac/ip (example: if1 192.168.*) usage dhcpserver show dhcp server leases. Dhcpserver -show [-rules]...

  • Page 47: 2.2.25. Dhcpv6Server

    Display information about dhcpv6-enabled interfaces or modify/update their leases. Description display information about a dhcpv6-enabled interface. Usage dhcpv6 list dhcpv6 enabled interfaces. Dhcpv6 -list list dhcpv6 enabled interfaces. Dhcpv6 -show [] show information about dhcpv6 enabled interfa...

  • Page 48: 2.2.26. Dns

    Release an active ip6. Dhcpv6server -show [-rules] [-leases] [-num=] [-fromentry=] []... Show dhcp server ruleset. Options -fromentry= shows dhcp server lease list from offset . -leases show dhcpv6 server leases. -num= limit list to leases. -releaseip release an active ip. (admin only) -rules show d...

  • Page 50: 2.2.29. Frags

    U route is unexported usage dynroute [-rules] [-exports] options -exports show current exports. -rules show dynamic routing, filter ruleset. 2.2.29. Frags show active fragment reassemblies. Description list active fragment reassemblies. More detailed information can optionally be obtained for specif...

  • Page 51: 2.2.30. Ha

    (default: all) 2.2.30. Ha show current ha status. Description show current ha status. Usage ha [-activate] [-deactivate] options -activate go active. -deactivate go inactive. 2.2.31. Hostmon show host monitor statistics. Description show active host monitor sessions. Usage hostmon [-verbose] [-num=]...

  • Page 53: 2.2.34. Hwm

    2.2.34. Hwm show hardware monitor sensor status. Description show hardware monitor sensor status. Usage hwm [-all] [-verbose] options -all show all sensors, warning: use at own risk, may take long time for highspeed ifaces to cope. -verbose show sensor number, type and limits. 2.2.35. Idppipes show ...

  • Page 54: 2.2.36. Ifstat

    -unpipe remove piping for the specified host. (admin only) 2.2.36. Ifstat show interface statistics. Description show list of attached interfaces, or in-depth information about a specific interface. Usage ifstat [] [-filter=] [-pbr=] [-num=] [-restart] [-allindepth] [-maclist] [-snmpnewindexes] opti...

  • Page 55: 2.2.38. Ihs

    Prints the current igmp state. Igmp -state [] prints the current igmp state. If an interface is specified, more details are provided. Igmp -query [ []] simulate an incoming igmp query message. Igmp -join [] simulate an incoming igmp join message. Igmp -leave [] simulate an incoming igmp leave messag...

  • Page 57: 2.2.40. Ikesnoop

    -srcif= interface used to reach the remote endpoint. -stat show verbose information. -tunnel= ipsec interface. -tunnels show information on configured tunnels. -verbose show verbose information. Ip address of remote sg/peer. Ipsec interface. 2.2.40. Ikesnoop enable or disable ike-snooping. Descripti...

  • Page 58: 2.2.42. Ipsec

    Show ip pool information. Description show information about the current state of the configured ip pools. Usage ippool show ip pool information. Ippool -release [] [-all] forcibly free ip assigned to subsystem. Ippool -renew [] [-all] try to renew ip leases through dhcp server. Ippool -show [-verbo...

  • Page 60: 2.2.45. Ipsechastat

    Usage ipsecglobalstats -mem [-verbose] start ike test. Ipsecglobalstats -verbose start ike test. Ipsecglobalstats show interfaces. Options -mem show memory statistics. -verbose show all statistics. Deprecated (2014-05-27) replaced by command ike -stat . Deprecated commands may be removed in future r...

  • Page 64: 2.2.51. Ldap

    Description manage language files on disk usage languagefiles show all language files on disk. Languagefiles -remove= remove a language file from disk. Options -remove= specify language file to delete. 2.2.51. Ldap ldap information. Description status and statistics for the configured ldap databases...

  • Page 65: 2.2.52. License

    Ldap database. 2.2.52. License license management. Description display the current license. Usage license show the contents of the current license. License -show show the contents of the current license. Options -show show current status and credentials. 2.2.53. Linkmon display link monitoring stat...

  • Page 66: 2.2.55. Lwhttp

    Usage logout 2.2.55. Lwhttp commands related to the light-weight http inspection engine. Description the lwhttp cli command prints information about the light-weight http inspection engine aka lw-http alg. The lw-http inspection engine automatically replaces the ordinary http-alg when the policies c...

  • Page 67: 2.2.58. Natpool

    Lists. Usage memory 2.2.58. Natpool show current nat pools. Description show current nat pools and in-depth information. Usage natpool [-verbose] [ []] [-num=] options -num= maximum number of items to list (default: 20). -verbose verbose (more information). Translated ip. Nat pool name. 2.2.59. Nd s...

  • Page 68: 2.2.60. Ndsnoop

    Show all neighbor discovery entries. Nd -show [] [-ip=] [-hw=] [-num=] show neighbor discovery entries. Nd -hashinfo [] show information on hash table health. Nd -flush [] flush neighbor discovery cache of specified interface. Nd -query= send neighbor solicitation for ip. Nd -del= delete nd cache en...

  • Page 70

    Show runtime ospf information. Description show runtime information about the ospf router process(es). Note: -process is only required if there are >1 ospf router processes. Usage ospf show runtime information. Ospf -iface [] [-process=] show interface information. Ospf -area [] [-process=] show are...

  • Page 73: 2.2.64. Pipes

    -proto= ip protocol filter. -show show a captured packets brief. -size= size (kb) of buffer to store captured packets in memory (default 512kb). -snaplen= maximum length of each packet to capture. -srcport= source tcp/udp port filter. -start start capture. -status show capture status. -stop stop cap...

  • Page 75: 2.2.67. Reconfigure

    Description shows information and statistics of the pptp algs. Usage pptpalg show all configured pptp algs. Pptpalg -sessions [-verbose] [-num=] list all pptp sessions. Pptpalg -services list all services attached to pptp alg. Options -num= number of entries to list. -services list all services atta...

  • Page 76: 2.2.69. Route

    Description rekey ipsec or ike sas associated with a given remote ike peer, or optionally all ipsec or ike sas in the system. Usage rekeysa -ike rekey ike sas. Rekeysa -ipsec rekey ipsec sas. Rekeysa rekey ipsec sas. Options -ike rekey ike sas. -ipsec rekey ipsec sas. Ip address of remote peer. Note...

  • Page 77: 2.2.71. Routes

    2.2.71. Routes display routing lists. Description display information about the routing table(s): - contents of a (named) routing table. - the list of routing tables, along with a total count of route entries in each table, as well as how many of the entries are single-host routes. Note that "core" ...

  • Page 78: 2.2.72. Rtmonitor

    Name of routing table. 2.2.72. Rtmonitor real-time monitor information. Description show information about real-time monitor objects, and real-time monitor alerts. All objects matching the specified filter are displayed. The filter can be the name of an object, or the beginning of a name. If no filt...

  • Page 80

    Selftest -ping example 2.14. Interface ping test between interfaces 'if1' and 'if2' selftest -ping -interfaces=if1,if2 example 2.15. Start 30 min burn-in, testing ram, storage media and crypto accelerator selftest -burnin -minutes 30 -media -memory -cryptoaccel usage selftest -memory [-num=] check t...

  • Page 81: 2.2.75. Services

    Selftest show the status of a running test. Options -abort abort a running self test. -burnin run burn-in tests for a selected set of sub tests. -cryptoaccel verify the correct functioning of available crypto accelerator cards. -hours[=] test duration in hours. (default: 48) -interfaces= ethernet in...

  • Page 82: 2.2.76. Sessionmanager

    Services http* usage services [] options name or pattern. 2.2.76. Sessionmanager session manager. Description show information about the session manager, and list currently active users. Explanation of timeout flags for sessions: d session is disabled s session uses a timeout in its subsystem - sess...

  • Page 83: 2.2.77. Settings

    Forcibly terminate session(s). Options -disconnect forcibly terminate session(s). (admin only) -info show in-depth information about session. -list list active sessions. -message send message to session. -num= list number of session. -status show session manager status. Name of user database. Ip add...

  • Page 84: 2.2.79. Sipalg

    Description initiate restart of the core/system. Usage shutdown [] [-normal] [-reboot] options -normal initiate core shutdown. -reboot initiate system reboot. Seconds until shutdown. (default: 5) note requires administrator privileges. 2.2.79. Sipalg sip alg. Description list running sip-alg configu...

  • Page 85

    - 0x00001000 response - 0x00002000 topo_changes - 0x00004000 media - 0x00008000 contact - 0x00010000 conn - 0x00020000 ping - 0x00040000 transaction - 0x00080000 callleg - 0x00100000 registry flags can be added in the usual way. The default value is 0x00000003 (general and errors). Note: 'verbose' o...

  • Page 87: 2.2.81. Sshserver

    -logreceiver= logreceiver. -message= mail message. -num[=] number of entries to list. (default: 40) -sendmail send test mail to smtp logreceiver. -stat show smtp statistics. -verbose verbose output. 2.2.81. Sshserver ssh server. Description show ssh server status, or start/stop/restart ssh server. U...

  • Page 88: 2.2.82. Sslvpn

    Note requires administrator privileges. 2.2.82. Sslvpn sslvpn tunnels. Description list running sslvpn configurations, sslvpn active tunnels and call information. Usage sslvpn [-num=] options -num= limit display to entries. (default: 20) 2.2.83. Stats display various general firewall statistics. Des...

  • Page 89: 2.2.85. Techsupport

    Sysmsgs 2.2.85. Techsupport technical support information. Description generate information useful for technical support. Due to the large amount of output, this command might show a truncated result when executed from the local console. Usage techsupport 2.2.86. Time display current system time. Des...

  • Page 90: 2.2.87. Uarules

    . -sync synchronize time with timeserver(s) (specified in settings). -verbose show more information about time zone and dst. Date yyyy-mm-dd. Time hh:mm:ss. 2.2.87. Uarules show user authentication rules. Description displays the contents of the user authentication ruleset. Example 2.17. Show a rang...

  • Page 92: 2.2.90. Vlan

    Userauth -user show all information for user(s) with this ip address. Userauth -remove forcibly log out an authenticated user. Options -blocked list all blocked users. -list list all authenticated users. -num= limit list of authenticated users. (default: 20) -privilege list all known privileges (use...

  • Page 93: 2.2.91. Vpnstats

    -num= limit display lines to entries in page. (default: 20) -page[=] set page for lines to display. (default: 1) display vlan information about this interface. 2.2.91. Vpnstats alias for ipsecstats. 2.2.92. Zonedefense zonedefense. Description block/unblock ip addresses/net and ethernet addresses. U...

  • Page 94: 2.3. Utility

    2.3. Utility 2.3.1. Geoip display geoip information. Description display status of geoip database and perform manual lookups. Usage geoip display statistics. Geoip -filters [-num=] display filter information. Geoip -status display statistics. Geoip -query lookup ip address to geoip location. Options...

  • Page 95: 2.3.3. Traceroute

    Usage ping [] [-srcif=] [-srcip=] [-pbr= [-port=] [-udp] [-tcp] [-tos=] [-verbose] [-6] options -6 force ipv6. -count= number of packets to send. (default: 1) -length= packet size. (default: 4) -pbr= route using pbr table. -port= destination port of udp or tcp ping. -srcif= pass packet through the r...

  • Page 96

    Traceroute -stop stop trace. Options -6 force ipv6 if target is a fqdn. -count= number of queries to send for each hop. (default: 3) -maxhops= maximum number of hosts to traverse in search of target. (default: 30) -nodelay send queries as fast as possible (may look like denial of service attack). -n...

  • Page 97: 2.4. Misc

    2.4. Misc 2.4.1. Echo print text. Description print text to the console. Example 2.18. Hello world echo hello world usage echo []... Options text to print. 2.4.2. Help show help for selected topic. Description the help system contains information about commands and configuration object types. The fa...

  • Page 99

    Example 2.20. Rate limit log flow to five logs per second :/> logsnoop -on -rate=5 example 2.21. Show logs from the memlog buffer :/> logsnoop -on -source=memlog example 2.22. Show logs having a source ip value :/> logsnoop -on -srcip=0.0.0.0/0 example 2.23. Show logs having a severity of warning or...

  • Page 101: 2.4.6. Script

    Download: scp user@sgw-ip:script/myscript ./myscript in addition to the files listed it is possible to upload license, certificates and ssh public key files. Example 2.25. Upload license data scp licence.lic user@sgw-ip:license.lic certificates and ssh client key objects are created if they do not e...

  • Page 102

    "script.sgs": add ip4address name=$1 address=$2 comment="$0: \$100". :/> script -execute -name=script.sgs ip_test 127.0.0.1 is executed as line: add ip4address name=ip_test address=127.0.0.1 comment="script.sgs: $100" usage script -create [[] []] [-name=] create configuration script from specified o...

  • Page 103

    The property that identifies the configuration object. May not be applicable depending on the specified . List of input arguments. Type of configuration object to perform operation on. Note requires administrator privileges.

  • Page 105

    Chapter 3: configuration reference • access, page 109 • address, page 111 • advancedscheduleprofile, page 116 • alg, page 117 • antiviruspolicy, page 126 • appcontrolsettings, page 127 • applicationruleset, page 128 • arpnd, page 130 • arpndsettings, page 131 • authagent, page 134 • authenticationse...

  • Page 106

    • dhcpserversettings, page 152 • dhcpv6server, page 153 • dhcpv6serversettings, page 155 • diagnosticssettings, page 156 • dns, page 157 • dynamicroutingrule, page 158 • dyndnsclientcjbnet, page 161 • dyndnsclientdlink, page 162 • dyndnsclientdlinkchina, page 163 • dyndnsclientdyndnsorg, page 164 • ...

  • Page 107

    • igmpsetting, page 195 • ikealgorithms, page 196 • interfacegroup, page 198 • ip6in4tunnel, page 199 • ippolicy, page 200 • ippool, page 204 • iprule, page 205 • iprulefolder, page 208 • ipruleset, page 216 • ipsecalgorithms, page 217 • ipsectunnel, page 219 • ipsectunnelsettings, page 222 • ipsett...

  • Page 108

    • multicastsettings, page 252 • natpool, page 253 • ospfprocess, page 254 • pipe, page 259 • piperule, page 262 • pppoetunnel, page 263 • pppsettings, page 265 • psk, page 266 • radiusaccounting, page 267 • radiusrelay, page 268 • radiusserver, page 270 • realtimemonitoralert, page 271 • remotemgmth...

  • Page 109: 3.1. Access

    • sslvpninterface, page 301 • sslvpninterfacesettings, page 302 • statelesspolicy, page 303 • statesettings, page 304 • tcpsettings, page 305 • thresholdrule, page 307 • updatecenter, page 309 • userauthrule, page 310 • vlan, page 313 • vlansettings, page 315 • voipprofile, page 316 • webprofile, pa...

  • Page 110

    Note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list.

  • Page 111: 3.2. Address

    3.2. Address this is a category that groups the following object types. 3.2.1. Addressfolder description an address folder can be used to group related address objects for better overview. Properties name specifies a symbolic name for the network object. (identifier) comments text describing the cur...

  • Page 112: 3.2.1.3. Ethernetaddress

    3.2.1.3. Ethernetaddress description use an ethernet address item to define a symbolic name for an ethernet mac address. Properties name specifies a symbolic name for the network object. (identifier) address ethernet mac address, e.g. "12-34-56-78-ab-cd". Comments text describing the current object....

  • Page 113: 3.2.1.7. Ip4Address

    Use an ip6 address item to define a name for a specific ip6 host, network or range. Properties name specifies a symbolic name for the network object. (identifier) address ipv6 address, e.g. "2001:db8::/32". Activeaddress the dynamically set address used by e.g. Dhcpv6 enabled ethernet interfaces. (o...

  • Page 114: 3.2.1.9. Ip4Haaddress

    Members group members. Userauthgroups groups and user names that belong to this object. Objects that filter on credentials can only be used as source networks and destinations networks in rules. (optional) nodefinedcredentials if this property is enabled the object requires user authentication, but ...

  • Page 115: 3.2.5. Ip4Group

    3.2.5. Ip4group the definitions here are the same as in section 3.2.1.8, “ip4group” . 3.2.6. Ip4haaddress the definitions here are the same as in section 3.2.1.9, “ip4haaddress” . 3.2.7. Ip6address the definitions here are the same as in section 3.2.1.6, “ip6address” . 3.2.8. Ip6group the definition...

  • Page 116

    3.3. Advancedscheduleprofile description an advanced schedule profile contains definitions of occurrences used by various policies in the system. Properties name specifies a symbolic name for the service. (identifier) comments text describing the current object. (optional) 3.3.1. Advancedscheduleocc...

  • Page 117: 3.4. Alg

    3.4. Alg this is a category that groups the following object types. 3.4.1. Alg_ftp description use an ftp application layer gateway to manage ftp traffic through the system. Properties name specifies a symbolic name for the alg. (identifier) allowserverpassive allow server to use passive mode (unsaf...

  • Page 118: 3.4.2. Alg_H323

    Zdenabled enable zonedefense block. (default: no) zdnetwork hosts within this network will be blocked at switches if a virus is found. Filelisttype specifies if the file list contains files to allow or deny. (default: block) failmodebehavior standard behaviour on error: allow or deny. (default: deny...

  • Page 119

    Removescripts remove javascript/vbscript. (default: no) removeapplets remove java applets. (default: no) removeactivex remove activex objects (including flash). (default: no) forcesafesearch force safesearch on google, bing and yahoo! Search engines. (default: no) verifyutf8url verify that urls do...

  • Page 120: 3.4.3.1. Alg_Http_Url

    Classified. (default: allow) allowfilteringoverride allow the user to display a blocked site. (default: no) overrideupdateonaccess restart the override timer on each new access to disallowed categories. (default: yes) overridetimetolive seconds that all disallowed categories will be allowed for the ...

  • Page 121: 3.4.5. Alg_Pptp

    Deny. (default: block) failmodebehavior standard behaviour on error: allow or deny. (default: deny) file list of file types to allow or deny. (optional) verifycontentmimetype verify that file extensions correspond to the mime type. (default: no) antivirus disabled, audit or protect. (default: disabl...

  • Page 122: 3.4.7. Alg_Smtp

    Description use a sip alg to manage sip based multimedia sessions. Properties name specifies a symbolic name for the alg. (identifier) maxsessionsperid maximum number of sessions per sip uri. (default: 5) maxregistrationtime the maximum allowed time in seconds between registration requests. (default...

  • Page 123

Filelisttype specifies if the file list contains files to allow or deny. (default: block) failmodebehavior standard behaviour on error: allow or deny. (default: deny) file list of file types to allow or deny. (optional) verifycontentmimetype verify that file extensions correspond to the mime type. (...

  • Page 124: 3.4.7.1. Alg_Smtp_Email

    Dnsblacklists specifies the blacklist domain and its weighted value. Comments text describing the current object. (optional) 3.4.7.1. Alg_smtp_email description used to whitelist or blacklist an email sender/recipient. Properties type specifies if the email address is the sender or the recipient. (d...

  • Page 125: 3.4.9. Alg_Tls

    Comments text describing the current object. (optional) 3.4.9. Alg_tls description tls alg properties name specifies a symbolic name for the alg. (identifier) hostcert specifies the host certificate. Rootcert specifies the root certificates. (optional) comments text describing the current object. (o...

  • Page 126: 3.5. Antiviruspolicy

3.5. Antiviruspolicy description an anti-virus profile can be used by one or many ip policies which have their service object configured with a protocol that supports anti-virus scanning (http, ftp, pop3 and smtp). Properties name specifies a symbolic name for the profile. (identifier) auditmode anti-v...

  • Page 127: 3.6. Appcontrolsettings

    3.6. Appcontrolsettings description settings related to the application control functionality. Properties maxunclassifiedpackets maximum number of packets in one direction on a connection before the application will be forced to unknown. (default: 5) maxunclassifiedbytes maximum number of bytes tran...

  • Page 128: 3.7. Applicationruleset

    Options -comments= comments for this key. -size={64

  • Page 129

    Traffic. (optional) returnchain specifies one or more pipes to be used for return traffic. (optional) precedence specifies what precedence should be assigned to the packets before sent into a pipe. (default: frompipe) fixedprecedence specifies the fixed precedence. Comments text describing the curre...

  • Page 130: 3.8. Arpnd

3.8. Arpnd description use an arp/neighbor discovery entry to publish additional ip addresses and/or mac addresses on a specified interface. Properties mode static, publish or xpublish. (default: publish) interface indicates the interface to which the arp entry applies; e.g. the interface the addres...

  • Page 131: 3.9. Arpndsettings

    3.9. Arpndsettings description advanced arp/neighbor discovery-table settings. Properties arpmatchenetsender the ethernet sender address matching the hardware address in the arp data. (default: droplog) arpquerynosenderip if the ip source address of an arp query (not response!) is "0.0.0.0". (defaul...

  • Page 132

    Logresolvefailure specifies whether or not to log failed arp resolves. (default: yes) ndratelimit rate limit originated nd packets. (default: 1000) maxanycastdelaytime randomized time to delay proxied and anycast advertisements. (default: 100) ndmatchenetsender ignore nd packets with mismatching sen...

  • Page 133

Rareachabletime the value to be placed in the reachable time field in the router advertisement messages sent by the sgw. The value zero means unspecified. (default: 0s). (default: 0) raretranstimer the value to be placed in the retrans timer field in the router advertisement messages sent by the sgw. The value ...

  • Page 134: 3.10. Authagent

3.10. Authagent description the authentication agent collects user login and logout events on a network domain controller. Properties name specifies a symbolic name for the agent. Ipaddress the ip address of the agent. Port the listening port of the agent. (default: 9999) psk selects the pre-shared k...

  • Page 135

    3.11. Authenticationsettings description settings related to authentication and accounting. Properties logoutaccusersatshutdown logout authenticated accounting users and send accountingstop packets prior to shutdown. (default: yes) allowauthifnoaccountingresponse allow an authenticated user to still...

  • Page 136: 3.12. Blacklistwhitehost

    3.12. Blacklistwhitehost description hosts and networks added to this whitelist can never be blacklisted by idp or threshold rules. Properties addresses specifies the addresses that will be whitelisted. Service specifies the service that will be whitelisted. Schedule the schedule when the whitelist ...

  • Page 137: 3.13. Certificate

3.13. Certificate description an X.509 certificate is used to authenticate a vpn client or gateway when establishing an ipsec tunnel. Properties name specifies a symbolic name for the certificate. (identifier) type local, remote or request. Certificatedata certificate data. Privatekey private key. ...

  • Page 138: 3.14. Comportdevice

    3.14. Comportdevice description a serial communication port, that is used for accessing the cli. Properties port port. (identifier) bitspersecond bits per second. (default: 9600) databits data bits. (default: 8) parity parity. (default: none) stopbits stop bits. (default: 1) flowcontrol flow control...

  • Page 139: 3.15. Configmodepool

3.15. Configmodepool description an ike config mode pool will dynamically assign the ip address, dns server, wins server etc. to the vpn client connecting to this gateway. Properties ippooltype specifies whether a predefined ip pool or a static set of ip addresses should be used as ip address source...

  • Page 140: 3.16. Conntimeoutsettings

    3.16. Conntimeoutsettings description timeout settings for various protocols. Properties connlife_tcp_syn connection idle lifetime for tcp connections being formed. (default: 60) connlife_tcp connection idle lifetime for tcp. (default: 262144) connlife_tcp_fin connection idle lifetime for tcp connec...

  • Page 141: 3.17. Crldistpointlist

    3.17. Crldistpointlist description a crl distribution point list specifies one or more locations from where a certificate revocation list (crl) can be obtained. It can be used to add distribution points to a certificate that does not provide any, or to override existing ones. Listed distribution poi...

  • Page 142: 3.18. Datetime

    3.18. Datetime description set the date, time and time zone information for this system. Properties timezone specifies the time zone. (default: gmt) location specifies the location to use its time zone. (optional) dstenabled enable daylight saving time. (default: yes) dstoffset daylight saving time ...

  • Page 143

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. Chapter 3: configuration reference 143.

  • Page 144: 3.19. Defaultinterface

    3.19. Defaultinterface description a special interface used to represent internal mechanisms in the system as well as an abstract "any" interface. Properties name specifies a symbolic name for the interface. (identifier) snmpindex interface index assigned by the system when persistent interface inde...

  • Page 145: 3.20. Device

    3.20. Device description global parameters for this device. Properties name name of the device. (default: device) localcfgversion local version number of the configuration. (default: 1) nextsnmpifindex snmp interface index assigned to the next interface created within the system. (default: 1) config...

  • Page 146: 3.21. Dhcprelay

    3.21. Dhcprelay description use a dhcp relay to dynamically alter the routing table according to relayed dhcp leases. Properties name specifies a symbolic name for the relay rule. (identifier) action ignore, relay or bootpfwd. (default: ignore) sourceinterface the source interface of the dhcp packet...

  • Page 147

Logseverity specifies with what severity log events will be sent to the specified log receivers. (default: default) comments text describing the current object. (optional)

  • Page 148: 3.22. Dhcprelaysettings

    3.22. Dhcprelaysettings description advanced dhcp relay settings. Properties maxtransactions maximum number of concurrent bootp/dhcp transactions. (default: 32) transactiontimeout timeout for each transaction (in seconds). (default: 10) maxppmperiface maximum packets per minute that are relayed from...

  • Page 149: 3.23. Dhcpserver

    3.23. Dhcpserver description a dhcp server determines a set of ip addresses and host configuration parameters to hand out to dhcp clients attached to a given interface. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the dhcp server rule. (ide...

  • Page 150

    (optional) logenabled enable logging. (default: yes) logseverity specifies with what severity log events will be sent to the specified log receivers. (default: default) comments text describing the current object. (optional) 3.23.1. Dhcpserverpoolstatichost description static dhcp server host entry ...

  • Page 151

Note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list.

  • Page 152: 3.24. Dhcpserversettings

    3.24. Dhcpserversettings description advanced dhcp server settings. Properties autosaveleasepolicy policy for saving the lease database to disk. (default: reconfshut) autosaveleaseinterval seconds between auto saving the lease database to disk. (default: 86400) note this object type does not have an...

  • Page 153: 3.25. Dhcpv6Server

    3.25. Dhcpv6server description a dhcpv6 server determines a set of ipv6 addresses and host configuration parameters to hand out to dhcpv6 clients attached to a given interface. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the dhcpv6 server ...

  • Page 154

    To the specified log receivers. (default: default) comments text describing the current object. (optional) 3.25.1. Dhcpv6serverpoolstatichost description static dhcpv6 server host entry properties host ipv6 address of the host. Macaddress the hardware address of the host. Comments text describing th...

  • Page 155: 3.26. Dhcpv6Serversettings

    3.26. Dhcpv6serversettings description advanced dhcpv6 server settings. Properties autosaveleasepolicy policy for saving the lease database to disk. (default: reconfshut) autosaveleaseinterval seconds between auto saving the lease database to disk. (default: 86400) note this object type does not hav...

  • Page 156: 3.27. Diagnosticssettings

3.27. Diagnosticssettings description control how anonymous usage statistics are automatically shared with d-link to improve the quality of the product and the services. Sensitive information, e.g. vpn keys or certificates, is not shared. All communication is encrypted and no information is shared wi...

  • Page 157: 3.28. Dns

    3.28. Dns description configure the dns (domain name system) client settings. Properties dnsserver1 ip of the primary dns server. (optional) dnsserver2 ip of the secondary dns server. (optional) dnsserver3 ip of the tertiary dns server. (optional) ip6dnsserver1 ip of the primary ipv6 dns server. (op...

  • Page 158: 3.29. Dynamicroutingrule

    3.29. Dynamicroutingrule description a dynamic routing policy rule creates a filter to catch statically configured or ospf learned routes. The matched routes can be controlled by the action rules to be either exported to ospf processes or to be added to one or more routing tables. Properties index t...

  • Page 159

    Last in the list and the index will be equal to the length of the list. 3.29.1. Dynamicroutingruleexportospf description an ospf action is used to manipulate and export new or changed routes to an ospf router process. Properties exporttoprocess specifies to which ospf process the route change should...

  • Page 160

Offsetmetric increases the metric by this value. (optional) offsetmetrictype2 increases the metric for type2 routes by this value. (optional) limitmetricrange limits the metrics for these routes to a minimum and maximum value; if a route has a higher or lower value than specified it will be set to ...

  • Page 161: 3.30. Dyndnsclientcjbnet

3.30. Dyndnsclientcjbnet description configure the parameters used to connect to the cjb.net dynamic dns service. Properties username username. Password the password for the specified username. (optional) comments text describing the current object. (optional) note if no index is specified when crea...

  • Page 162: 3.31. Dyndnsclientdlink

3.31. Dyndnsclientdlink description configure the parameters used to connect to the d-link dyndns service. Properties dnsname the dns name excluding the .dlinkddns.com suffix. Username username. Password the password for the specified username. (optional) comments text describing the current object....

  • Page 163

3.32. Dyndnsclientdlinkchina description configure the parameters used to connect to the d-link dyndns service (china only). Properties dnsname the dns name excluding the .dlinkddns.com suffix. Username username. Password the password for the specified username. (optional) comments text describing t...

  • Page 164: 3.33. Dyndnsclientdyndnsorg

3.33. Dyndnsclientdyndnsorg description configure the parameters used to connect to the dyn.com dynamic dns service. Properties dnsname the dns name excluding the .dyndns.org suffix. Username username. Password the password for the specified username. (optional) comments text describing the current ...

  • Page 165: 3.34. Dyndnsclientdynscx

3.34. Dyndnsclientdynscx description configure the parameters used to connect to the dyns.cx dynamic dns service. Properties dnsname the dns name excluding the .dyns.cx suffix. Username username. Password the password for the specified username. (optional) comments text describing the current object...

  • Page 166

    3.35. Dyndnsclientpeanuthull description configure the parameters used to connect to the peanut hull dynamic dns service. Properties dnsnames specifies the dns names separated by ";". Username username. Password the password for the specified username. (optional) comments text describing the current...

  • Page 167: 3.36. Emailcontrolprofile

3.36. Emailcontrolprofile description an e-mail control profile can be used by one or many ip policies which have their service object configured with a protocol that supports e-mail scanning (imap, pop3, smtp). Properties name specifies a symbolic name for the profile. (identifier) antispam anti-spam ...

  • Page 168

    For that email. (default: no) dnsbl2 ip address blacklisting using an external database. If the sender's ip address is blacklisted, the configured score value is added to the total score for that email. (default: no) dnsbl3 ip address blacklisting using an external database. If the sender's ip addre...

  • Page 169

    Dnsbl9name specify the dns name of a dns blacklist. Dnsbl10name specify the dns name of a dns blacklist. Dnsbl1score specify a score value for dns blacklist 1. (default: 10) dnsbl2score specify a score value for dns blacklist 2. (default: 10) dnsbl3score specify a score value for dns blacklist 3. (d...

  • Page 170: 3.36.1. Emailfilter

Smtp_maxemailperminute specifies the maximum number of emails per minute from the same host. (optional) smtp_maxemailsize specifies the maximum allowed email size in kb. (optional) smtp_allowstarttls allow clients to use the starttls command. Note that this allows encrypted transactions to take plac...

  • Page 171: 3.37. Ethernet

    3.37. Ethernet description an ethernet interface represents a logical endpoint for ethernet traffic. Properties name specifies a symbolic name for the interface. (identifier) ethernetdevice hardware settings for the ethernet interface. Vlanqosinherit set whether vlans using the interface should inhe...

  • Page 172

    Mtu specifies the size (in bytes) of the largest packet that can be passed onward. Must be 1294 or larger when ipv6 is enabled. (default: 1500) metric specifies the metric for the auto-created route. (default: 100) dhcpenabled enable dhcp client on this interface. (default: no) dhcphostname optional...

  • Page 173: 3.38. Ethernetdevice

    3.38. Ethernetdevice description hardware settings for an ethernet interface. Properties name specifies a symbolic name for the device. (identifier) ethernetdriver the ethernet pci driver that should be used by the interface. Pcibus pci bus number where the ethernet adapter is installed. Pcislot pci...

  • Page 174: 3.39. Ethernetsettings

    3.39. Ethernetsettings description settings for ethernet interface. Properties dhcp_minimumleasetime minimum lease time (seconds) accepted from the dhcp server. (default: 60) dhcp_validatebcast require that the assigned broadcast address is the highest address in the assigned network. (default: yes)...

  • Page 175

Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

  • Page 176: 3.40. Eventreceiversnmp2C

    3.40. Eventreceiversnmp2c description a snmp2c event receiver is used to receive snmp events from the system. Properties name specifies a symbolic name for the log receiver. (identifier) ipaddress destination ip address. Port destination port. (default: 162) community community string. (default: pub...

  • Page 177: 3.41. Filecontrolpolicy

3.41. Filecontrolpolicy description a file control profile can be used by one or many ip policies which have their service object configured with a protocol that supports file control scanning (http, ftp, pop3, smtp). Properties name specifies a symbolic name for the profile. (identifier) filelisttype ...

  • Page 178: 3.42. Fragsettings

3.42. Fragsettings description settings related to fragmented packets. Properties pseudoreass_maxconcurrent maximum number of concurrent fragment reassemblies. Set to 0 to drop all fragments. (default: 1024) illegalfrags illegally constructed fragments; partial overlaps, bad sizes, etc. (default: dro...

  • Page 179

    Logsuspect) ip6rejectbadfraglength send parameter problem error upon reception of fragments with bad data length. (default: no) ip6ignorestubfrags ignore fragments with m flag cleared and fragment offset zero. (default: no) ip6minimumfraglength minimum allowed length of non-last fragments. (default:...

  • Page 180: 3.43. Geolocationfilter

    3.43. Geolocationfilter description the geolocation filter allows the system to filter ip addresses based on country. Properties name specifies a symbolic name for the rule. (identifier) matchprivate specify if filter should match private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fd00::/8...

  • Page 181: 3.44. Gotorule

    3.44. Gotorule description a goto rule specifies what ip rule set to match ip rules in for traffic that matches the specified filter criteria. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the rule. (optional) action goto action. (default: g...

  • Page 182: 3.45. Gretunnel

    3.45. Gretunnel description a gre interface is a generic routing encapsulation (no encryption, no authentication, only encapsulation) tunnel over an existing ip network. Properties name specifies a symbolic name for the interface. (identifier) ip specifies the ip address of the gre interface. Networ...

  • Page 183: 3.46. Highavailability

    3.46. Highavailability description configure the high availability cluster parameters for this system. Properties enabled enable high availability. (default: no) clusterid a (locally) unique cluster id to use in identifying this group of ha firewalls. (default: 0) synciface specifies the interface u...

  • Page 184: 3.47. Httpalgbanners

3.47. Httpalgbanners description http banner files specify the look and feel of http alg restriction web pages. Properties name specifies a symbolic name for the http banner files. (identifier) compressionforbidden html for the compressionforbidden.html web page. Contentforbidden html for the cont...

  • Page 185: 3.48. Httpauthbanners

3.48. Httpauthbanners description http banner files specify the look and feel of html authentication web pages. Properties name specifies a symbolic name for the http banner files. (identifier) formlogin html for the formlogin.html web page. Loginsuccess html for the loginsuccess.html web page. Lo...

  • Page 186: 3.49. Httpposter

    3.49. Httpposter description use the http poster for dynamic dns or automatic logon to services using web-based authentication. Properties url the url that will be posted when the firewall is loaded. Repostdelay delay in seconds until the url is refetched. (default: 1200) alwaysrepost repost on each...

  • Page 187: 3.50. Hwm

    3.50. Hwm description hardware monitoring allows monitoring of hardware sensors. Properties name specifies a symbolic name for the object. Type type of monitoring. Sensor sensor index. Minlimit lower limit. (optional) maxlimit upper limit. (optional) enablemonitoring enable/disable monitoring. (defa...

  • Page 188: 3.51. Hwmsettings

    3.51. Hwmsettings description general settings for hardware monitoring properties enablesensors enable/disable all hwm functionality. (default: no) sensorpollinterval sensor polling interval. (default: 500) memorypollinterval memory polling interval in minutes. (default: 15) memoryusepercent should ...

  • Page 189: 3.52. Icmpsettings

    3.52. Icmpsettings description settings related to the icmp protocol. Properties icmpsendperseclimit maximum number of icmp responses that will be sent each second. (default: 500) silentlydropstateicmperrors silently drop icmp errors regarding statefully tracked open connections. (default: yes) icmp...

  • Page 190: 3.53. Idlist

    3.53. Idlist description an id list contains ids, which are used within the authentication process when establishing an ipsec tunnel. Properties name specifies a symbolic name for the id list. (identifier) comments text describing the current object. (optional) 3.53.1. Id description an id is used t...

  • Page 191: 3.54. Idprule

    3.54. Idprule description an idp rule defines a filter for matching specific network traffic. When the filter criterion is met, the idp rule actions are evaluated and possible actions taken. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the ...

  • Page 192

    Description an idp rule action specifies what signatures to search for in the network traffic, and what action to take if those signatures are found. Properties action specifies what action to take if the given signature is found. (default: audit) signatures specifies what signature(s) to search for...

  • Page 193: 3.55. Igmprule

    3.55. Igmprule description an igmp rule specifies how to handle inbound igmp reports and outbound igmp queries. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the rule. (optional) type the type of igmp messages the rule applies to. (default: ...

  • Page 194

Note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list.

  • Page 195: 3.56. Igmpsetting

    3.56. Igmpsetting description igmp parameters can be tuned for one, or a group of interfaces in order to match the characteristics of a network. Properties name specifies a symbolic name for the object. (identifier) interface the interfaces that these settings should apply to. Robustnessvariable igm...

  • Page 196: 3.57. Ikealgorithms

    3.57. Ikealgorithms description configure algorithms which are used in the ike phase of an ipsec session. Properties name specifies a symbolic name for the object. (identifier) desenabled enable des encryption algorithm. (default: no) des3enabled enable 3des encryption algorithm. (default: no) aesen...

  • Page 197

Xcbcenabled enable aes-xcbc integrity algorithm. (default: no) comments text describing the current object. (optional)

  • Page 198: 3.58. Interfacegroup

    3.58. Interfacegroup description use an interface group to combine several interfaces for a simplified security policy. Properties name specifies a symbolic name for the interface. (identifier) equivalent specifies if the interfaces should be considered security equivalent, that means that if enable...

  • Page 199: 3.59. Ip6In4Tunnel

    3.59. Ip6in4tunnel description a 6in4 tunnel (no encryption, no authentication, only encapsulation) allows tunneling of ipv6 packets over an existing ipv4 network. Properties name specifies a symbolic name for the interface. (identifier) ip specifies the ipv6 address of the 6in4 tunnel interface. Ne...

  • Page 200: 3.60. Ippolicy

    3.60. Ippolicy description an ip policy specifies what action to perform on network traffic that matches the specified filter criteria. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the policy. Action allow or deny. (default: allow) reject d...

  • Page 201

    Av_policy selects preconfigured anti-virus profile. Av_auditmode anti-virus audit mode. (default: no) av_scanexclude list of files to exclude from antivirus scanning. (optional) av_compressionratio a compression ratio higher than this value will trigger the action in compression ratio action, a valu...

  • Page 202

    Voip voice over ip. (default: no) voip_policy selects preconfigured voip profile. Ftpcontrol enables ftp protocol specific settings. (default: no) ftpallowserverpassive allow server to use passive mode (unsafe for server). (default: yes) ftpserverports server data ports. (default: 1024-65535) ftpall...

  • Page 203

    Tlsrootcert specifies the root certificates. (optional) httpinspection enables http protocol validation and logging of urls. (default: no) httpallowunknownprotocols allow non-http protocols to pass through without inspection. (default: no) sourceinterface specifies the name of the receiving interfac...

  • Page 204: 3.61. Ippool

3.61. Ippool description an ip pool is a dynamic object which consists of ip leases that are fetched from a dhcp server. The ip pool is used as an address source by subsystems that may need to distribute addresses, e.g. by ipsec in configuration mode. Properties name specifies a symbolic name for th...

  • Page 205: 3.62. Iprule

    3.62. Iprule description an ip rule specifies what action to perform on network traffic that matches the specified filter criteria. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the rule. (optional) action reject, drop, fwdfast, allow, nat, ...

  • Page 206

    Slbmaxslots specifies maximum number of slots for ip and network stickiness. (default: 2048) slbnetsize specifies network size for network stickiness. (default: 24) slbnewport rewrite destination port to this port. (optional) slbmonitorroutingtable routing table used for server monitoring. (default:...

  • Page 207

    Attempts. (default: 800) slbhttpurltype defines how the request url should be interpreted. (default: fqdn) slbhttprequesturl specifies the http url to monitor. Slbhttpexpectedresponse expected http response. (optional) slbdistribution specifies the algorithm used for the load distribution tasks. (de...

  • Page 208: 3.63. Iprulefolder

    3.63. Iprulefolder description an ip rule folder can be used to group ip rules into logical groups for better overview and simplified management. Properties index the index of the object, starting at 1. (identifier) name specifies the name of the folder. Comments text describing the current object. ...

  • Page 209

    Slbnewport rewrite destination port to this port. (optional) slbmonitorroutingtable routing table used for server monitoring. (default: main) slbmonitorping enable monitoring using icmp ping packets. (default: no) slbpingpollinginterval delay in milliseconds between each ping interval. (default: 500...

  • Page 210

    Slbhttpexpectedresponse expected http response. (optional) slbdistribution specifies the algorithm used for the load distribution tasks. (default: roundrobin) slbwindowtime specifies the window time used for counting the number of seconds back in time to summarize the number of new connections for c...

  • Page 211: 3.63.3. Multicastpolicy

    To the specified log receivers. (default: default) comments text describing the current object. (optional) note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list. 3.63.3. Multicastpolicy d...

  • Page 212: 3.63.4. Statelesspolicy

    (optional) sourceaddresstranslation action to take on source address. (default: auto) natsourceaddressaction specify method to determine which sender address to use. (default: outgoinginterfaceip) satsourceaddressaction specify method to determine which sender address to use. Sourcenewip specifies w...

  • Page 213

    Address to use. Sourcenewip specifies which sender address will be used. Sourcebaseip specifies base address for sender address. Sourceportaction specify method to determine which port action to use. (default: none) sourcenewsingleport translate to this port. (optional) sourcebaseport transpose usin...

  • Page 214: 3.63.5. Gotorule

Note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list. 3.63.5. Gotorule the definitions here are the same as in section 3.44, “gotorule”. 3.63.6. Returnrule description a return rule mak...

  • Page 215: 3.63.7. Iprule

3.63.7. Iprule the definitions here are the same as in section 3.62, “iprule”.

  • Page 216: 3.64. Ipruleset

    3.64. Ipruleset description an ip rule set is a self-contained set of ip rules. Default action is drop. Properties name a name to uniquely identify this ipruleset. (identifier) comments text describing the current object. (optional) 3.64.1. Ippolicy the definitions here are the same as in section 3....

  • Page 217: 3.65. Ipsecalgorithms

    3.65. Ipsecalgorithms description configure algorithms which are used in the ipsec phase of an ipsec session. Properties name specifies a symbolic name for the object. (identifier) nullenabled enable plaintext. (default: no) desenabled enable des encryption algorithm. (default: no) des3enabled enabl...

  • Page 218

Sha512enabled enable sha512 integrity algorithm. (default: no) xcbcenabled enable aes-xcbc integrity algorithm. (default: no) comments text describing the current object. (optional)

  • Page 219: 3.66. Ipsectunnel

    3.66. Ipsectunnel description an ipsec tunnel item is used to define ipsec endpoint and will appear as a logical interface in the system. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the interface. (identifier) localnetwork the network on "...

  • Page 220

    Authenticated peers will be authorized. (optional) enforcelocalid enable if local identity must match any identity proposed by the ike peer. (default: no) gatewaycertificate selects the certificate the firewall uses to authenticate itself to the other ipsec peer. Rootcertificates selects one or more...

  • Page 221

Deadpeerdetection enable dead peer detection. (default: yes) nattraversal enable or disable nat traversal. (default: onifneeded) autoestablish negotiate tunnel directly after reconfiguration. (default: no) metric specifies the metric for the auto-created route. (default: 90) autointerfacenetworkrou...

  • Page 222: 3.67. Ipsectunnelsettings

    3.67. Ipsectunnelsettings description settings for the ipsec tunnel interfaces used for establishing ipsec vpn connections to and from this system. Properties ipsecmaxtunnels amount of ipsec tunnels allowed (0 = automatic). (default: 0) ipsecmaxrules amount of ipsec rules allowed (0 = automatic). (d...

  • Page 223

    Ipsecdisablepkaccel disable hardware acceleration for public-key operations. (default: no) ipsecenableframedip include framed ip address in the radius access request message. (default: no) ipsecenableradiusaccountrequeststart enable sending of accounting request start message, including framed ip ad...

  • Page 224: 3.68. Ipsettings

    3.68. Ipsettings description settings related to the ip protocol. Properties enableipv6 enable processing of ipv6 traffic. (default: no) ip6logonforwardhoplimit0 log any attempts of forwarding ipv6 packets with hoplimit=0 destined for outside the firewall; this should never happen! (default: droplog...

  • Page 225

    Ip6opt_jumbo validate jumbogram packets. (default: validatelog) ip6opt_ra validate router alert packets. (default: ignore) ip6opt_ha validate home address option packets. (default: ignore) ip6opt_oth validate unknown option types. (default: rfc2460log) ip6_rh0 validate routing header type 0 option. ...

  • Page 226

    Securemoteudpencapcompat allow ip data to contain eight bytes more than the udp total length field specifies -- checkpoint securemote violates nat-t drafts. (default: no) ipoptionsizes validity of ip header option sizes. (default: validatelogbad) ipopt_sr how to handle ip packets with contained sour...

  • Page 227: 3.69. L2Tpclient

    3.69. L2tpclient description a pptp/l2tp client interface is a ppp (point-to-point protocol) tunnel over an existing ip network. Its ip address and dns servers are dynamically assigned. Properties name specifies a symbolic name for the interface. (identifier) ip the host name to store the assigned i...

  • Page 228

    Mpperc440 use an rc4 40 bit mppe session key with ms-chap or ms-chap v2 authentication protocol. (default: yes) mpperc456 use an rc4 56 bit mppe session key with ms-chap or ms-chap v2 authentication protocol. (default: yes) mpperc4128 use an rc4 128 bit mppe session key with ms-chap or ms-chap v2 au...

  • Page 229: 3.70. L2Tpserver

    3.70. L2tpserver description a pptp/l2tp server interface terminates ppp (point to point protocol) tunnels set up over existing ip networks. Properties name specifies a symbolic name for the interface. (identifier) ip the ip address of the pptp/l2tp server interface. Tunnelprotocol specifies if pptp...

  • Page 230

    Servers (nbns) to assign ip addresses to netbios names. (optional) allowedroutes restricts networks for which routes may automatically be added. (default: all-nets) mppeallowstateful allow usage of stateful mppe (less secure, use only for compatibility). (default: no) snmpindex interface index assig...

  • Page 231: 3.71. L2Tpserversettings

    3.71. L2tpserversettings description pptp/l2tp server settings. Properties l2tpbeforerules pass l2tp connections sent to the firewall directly to the l2tp engine without consulting the ruleset. (default: yes) pptpbeforerules pass pptp connections sent to the firewall directly to the pptp engine with...

  • Page 232: 3.72. L2Tpv3Client

    3.72. L2tpv3client description a l2tpv3 client interface terminates l2 (ethernet and vlan) tunnels set up over existing ip networks. Properties name specifies a symbolic name for the interface. (identifier) ip the ip address of the l2tpv3 client interface. Localnetwork the network on "this side" of ...

  • Page 233

    Publishing routes via proxy arp. (default: no) proxyarpinterfaces specifies the interfaces on which the firewall should publish routes via proxy arp. (optional) comments text describing the current object. (optional)

  • Page 234: 3.73. L2Tpv3Server

    3.73. L2tpv3server description a l2tpv3 server interface terminates l2 (ethernet and vlan) tunnels set up over existing ip networks. Properties name specifies a symbolic name for the interface. (identifier) ip the ip address of the l2tpv3 server interface. Localnetwork the network on "this side" of ...

  • Page 235: 3.74. Ldapdatabase

    3.74. Ldapdatabase description external ldap server used to verify user names and passwords. Properties name specifies a symbolic name for the server. (identifier) ip the ip address of the server. Port the tcp port of the server. (default: 389) sourceipselection which ip should be used as a source i...

  • Page 236: 3.75. Ldapserver

    3.75. Ldapserver description an ldap server is used as a central repository of certificates and crls that the firewall can download when necessary. Properties host specifies the ip address or hostname of the ldap server. Username specifies the username to use when accessing the ldap server. (optiona...

  • Page 237: 3.76. Lengthlimsettings

    3.76. Lengthlimsettings description length limitations for various protocols. Properties maxtcplen tcp; sometimes has to be increased if tunneling protocols are used. (default: 1480) maxudplen udp; many interactive applications use large udp packets, may otherwise be decreased to 1480. (default: 600...

  • Page 238: 3.77. Linkaggregation

    3.77. Linkaggregation description a link aggregation interface combines multiple ethernet interfaces into a single logical endpoint. Properties name specifies a symbolic name for the interface. (identifier) members a set of ethernet interfaces to aggregate. (optional) distributionalgorithm specifies...

  • Page 239

    Privateip the private ip address of this high availability node. (optional) privateip6 the private ip6 address of this high availability node. (default: localhost6) nochb this will disable sending cluster heartbeats from this interface (used by ha to detect if a node is online and working). (optiona...

  • Page 240

    Comments text describing the current object. (optional)

  • Page 241: 3.78. Linkmonitor

    3.78. Linkmonitor description the link monitor allows the system to monitor one or more hosts and take action if they are unreachable. Properties action specifies what action the system should take. Addresses specifies the addresses that should be monitored. Maxloss a single host is considered unrea...

  • Page 242: 3.79. Localreasssettings

    3.79. Localreasssettings description parameters use for local fragment reassembly. Properties localreass_maxconcurrent maximum number of concurrent local reassemblies. (default: 256) localreass_maxsize maximum size of a locally reassembled packet. (default: 10000) localreass_numlarge number of large...

  • Page 243: 3.80. Localuserdatabase

    3.80. Localuserdatabase description a local user database contains user accounts used for authentication purposes. Properties name specifies a symbolic name for the object. (identifier) comments text describing the current object. (optional) 3.80.1. User description user credentials may be used in u...

  • Page 244: 3.81. Logreceivermemory

    3.81. Logreceivermemory description a memory log receiver is used to receive and keep log events in system ram. Properties name specifies a symbolic name for the log receiver. (identifier) logseverity specifies with what severity log events will be sent to the specified log receivers. (optional; def...

  • Page 245: 3.82. Logreceiversmtp

    3.82. Logreceiversmtp description mail alerting is used for sending important events via email. Properties name specifies a symbolic name for the log receiver. (identifier) ipaddress ip address or dns name of an smtp server that accepts emails for the given address(es). Port tcp port of the smtp ser...

  • Page 246

    That did not trigger the rate threshold. The report will always be sent, even if nothing occurred. (default: no) reportemailinterval how often to send report emails. (default: 24) reportemailsubject the email subject to use for report emails. Logseverity specifies with what severity log events will b...

  • Page 247: 3.83. Logreceiversyslog

    3.83. Logreceiversyslog description a syslog receiver is used to receive log events from the system in the standard syslog format. Properties name specifies a symbolic name for the log receiver. (identifier) ipaddress specifies the ip address of the log receiver. Port specifies the port number of th...

  • Page 248: 3.84. Logsettings

    3.84. Logsettings description advanced log settings. Properties logsendperseclimit limits how many log packets the firewall may send out per second. (default: 2000) note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of thi...

  • Page 249: 3.85. Loopbackinterface

    3.85. Loopbackinterface description loopback interfaces will take all packets sent through them and pass them back up a different interface as newly received packets. Properties name specifies a symbolic name for the interface. (identifier) loopto loopback interface. (optional) ip interface address....

  • Page 250: 3.86. Miscsettings

    3.86. Miscsettings description miscellaneous settings properties udpsrcport0 how to treat udp packets with source port 0. (default: droplog) port0 how to treat tcp/udp packets with destination port 0 and tcp packets with source port 0. (default: droplog) highbuffers_dynamic allocate the highbuffers ...

  • Page 251: 3.87. Multicastpolicy

    3.87. Multicastpolicy the definitions here are the same as in section 3.63.3, “multicastpolicy” .

  • Page 252: 3.88. Multicastsettings

    3.88. Multicastsettings description advanced multicast settings. Properties autoaddmulticastcoreroute auto generate core route for "224.0.0.1-239.255.255.255". (default: yes) igmpbeforerules allows igmp traffic to enter the firewall by default. (default: yes) igmpmaxglobalrequestspersecond maximum n...

  • Page 253: 3.89. Natpool

    3.89. Natpool description a nat pool is used for nating multiple concurrent connections using different source ip addresses. Properties name specifies a symbolic name for the nat pool. (identifier) type specifies how nat'ed connections are assigned a nat ip address. (default: stateful) ipsource s...

  • Page 254: 3.90. Ospfprocess

    3.90. Ospfprocess description an ospf router process defines a group of routers exchanging routing information via the open shortest path first routing protocol. Properties name specifies a symbolic name for the ospf process. (identifier) routerid specifies the ip address that is used to identify th...

  • Page 255: 3.90.1. Ospfarea

    Debugddesc enables or disables logging of database description packets and also specifies the details of the log. (default: off ) debugexchange enables or disables logging of exchange packets and also specifies the details of the log. (default: off ) debuglsa enables or disables logging of lsa event...

  • Page 256: 3.90.1.1. Ospfinterface

    Stubmetric route metric for stub area. (optional) filterexternal specifies the network addresses allowed to be imported into this area from external routing sources. (optional) filterinterarea specifies the network addresses allowed to be imported from other routers inside the area. (optional) comme...

  • Page 257: 3.90.1.2. Ospfneighbor

    Router will be declared to be down. (default: 40) rxmtinterval specifies the number of seconds between retransmissions of lsas to neighbors on this interface. (default: 5) rtrprio specifies the router priority, a higher number increases this router's chance of becoming dr or bdr, if 0 is specified th...

  • Page 258: 3.90.1.4. Ospfvlink

    Description an aggregate is used to replace any number of smaller networks belonging to the local (intra) area with one contiguous network which may then be advertised or hidden. Properties network the aggregate network used to combine several small routes. Advertise advertise the aggregate. (defaul...

  • Page 259: 3.91. Pipe

    3.91. Pipe description a pipe defines basic traffic shaping parameters. The pipe rules then determine which traffic goes through which pipes. Properties name specifies a symbolic name for the pipe. (identifier) limitkbpstotal total bandwidth limit for this pipe in kilobits per second. (optional) li...

  • Page 260

    Precedence 7 (the highest precedence). (optional) limitpps7 specifies the packet per second limit for precedence 7 (the highest precedence). (optional) userlimitkbpstotal total bandwidth limit per group in the pipe in kilobits per second. (optional) userlimitppstotal total throughput limit per group...

  • Page 261

    Groupingnetworksize if users are grouped according to source or destination network, the size of the network has to be specified by this setting. (default: 0) dynamic enable dynamic balancing of groups. (default: no) precedencemin specifies the lowest allowed precedence for traffic in this pipe. If ...

  • Page 262: 3.92. Piperule

    3.92. Piperule description a pipe rule determines traffic shaping policy - which pipes to use - for one or more types of traffic with the same granularity as the standard ruleset. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the object. (op...

  • Page 263: 3.93. Pppoetunnel

    3.93. Pppoetunnel description a pppoe interface is a ppp (point-to-point protocol) tunnel over an existing physical ethernet interface. Its ip address is dynamically assigned. Properties name specifies a symbolic name for the interface. (identifier) ethernetinterface the physical ethernet interface ...

  • Page 264

    Metric specifies the metric for the auto-created route. (default: 90) autointerfacenetworkroute automatically add a route for this interface using the given remote network. (default: yes) schedule the schedule defines when the pppoe tunnel should be active. (optional) forceunnumbered force the pppoe...

  • Page 265: 3.94. Pppsettings

    3.94. Pppsettings description settings related to the ppp protocol. Properties initialresendtime initial time in milliseconds to wait before sending a new configuration request if no server response is received. (default: 200) note this object type does not have an identifier and is identified by th...

  • Page 266: 3.95. Psk

    3.95. Psk description psk (pre-shared key) authentication is based on a shared secret that is known only by the parties involved. Properties name specifies a symbolic name for the pre-shared key. (identifier) type specifies the type of the shared key. Pskascii specifies the psk as a passphrase. Pskh...

  • Page 267: 3.96. Radiusaccounting

    3.96. Radiusaccounting description external radius server used to collect user statistics. Properties name specifies a symbolic name for the server. (identifier) ipaddress the ip address of the server. Port the udp port of the server. (default: 1813) retrytimeout the retry timeout, in seconds, used ...

  • Page 268: 3.97. Radiusrelay

    3.97. Radiusrelay description radius relay for intercepting packets from a user endpoint and sending packets to a remote radius server. Properties name specifies a symbolic name for the relayer. (identifier) sourceinterface specifies the name of the receive interface for radius relay requests. Clien...

  • Page 269

    Logenabled enable logging. (default: yes) logseverity specifies with what severity log events will be sent to the specified log receivers. (default: default) routingtable specifies the routing table the clients host route should be added to. (default: main) comments text describing the current objec...

  • Page 270: 3.98. Radiusserver

    3.98. Radiusserver description external radius server used to verify user names and passwords. Properties name specifies a symbolic name for the server. (identifier) ipaddress the ip address of the server. Port the udp port of the server. (default: 1812) retrytimeout the retry timeout, in seconds, u...

  • Page 271: 3.99. Realtimemonitoralert

    3.99. Realtimemonitoralert description monitors a statistical value. Log messages are generated if the value goes below the lower threshold or above the high threshold. Properties index the index of the object, starting at 1. (identifier) monitor statistical value. Sampletime interval in seconds bet...

  • Page 272: 3.100. Remotemgmthttp

    3.100. Remotemgmthttp description configure http/https management to enable remote management to the system. Properties name specifies a symbolic name for the object. (identifier) interface specifies the interface for which remote access is granted. Http enable remote management via http. (default: ...

  • Page 273: 3.101. Remotemgmtrest

    3.101. Remotemgmtrest description configure rest api management to enable api management to the system. Properties name specifies a symbolic name for the object. (identifier) interface specifies the interface for which remote access is granted. Http enable remote management via http. (default: no) h...

  • Page 274: 3.102. Remotemgmtsettings

    3.102. Remotemgmtsettings description setup and configure methods and permissions for remote management of this system. Properties netconbidirtimeout specifies the amount of seconds to wait for the administrator to log in before reverting to the previous configuration. (default: 30) webuibeforerules...

  • Page 275

    Reboots. Disabling and later re-enabling this setting will trigger a re-numbering of all interfaces in the system. (default: no) note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

  • Page 276: 3.103. Remotemgmtsnmp

    3.103. Remotemgmtsnmp description configure snmp management to enable snmp polling. Properties name specifies a symbolic name for the object. (identifier) interface specifies the interface for which remote access is granted. Snmpversion enabled snmp version. (default: snmpv1_snmpv2c) snmp3securityle...

  • Page 277: 3.104. Remotemgmtssh

    3.104. Remotemgmtssh description configure a secure shell (ssh) server to enable remote management access to the system. Properties name specifies a symbolic name for the ssh server. (identifier) interface specifies the interface for which remote access is granted. Port the listening port for the ss...

  • Page 278

    Password has to be provided within this number of seconds or the session will be closed. (default: 30) authenticationretries the number of retries allowed before the session is closed. (default: 3) authsource optionally enable authentication from an external source. Note that a local user database m...

  • Page 279

    3.105. Routebalancinginstance description a route balancing instance is associated with a routingtable and defines how to make use of multiple routes to the same destination. Properties routingtable specify routingtable to deploy route load balancing in. (identifier) algorithm specify which algorith...

  • Page 280

    3.106. Routebalancingspilloversettings description settings associated with the spillover algorithm. Properties interface interface to threshold limit. (identifier) holdtime number of consecutive seconds over/under the threshold limit to trigger state change for the affected routes. (default: 30) ou...

  • Page 281: 3.107. Routeradvertisement

    3.107. Routeradvertisement description enabling router advertisement will answer solicitations and periodically send out advertisements. Stateless address autoconfiguration (slaac) will only work correctly if the configured network prefix is 64 (rfc4862). Properties index the index of the object, st...

  • Page 282

    Sent. (default: 0) comments text describing the current object. (optional) note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to the length of the list. 3.107.1. Ra_prefixinformation description s...

  • Page 283: 3.108. Routingrule

    3.108. Routingrule description a routing rule forces the use of a routing table in the forward and/or return direction of traffic on a connection. The ordering parameter of the routing table determines if it is consulted before or after the main routing table. Properties index the index of the objec...

  • Page 284: 3.109. Routingsettings

    3.109. Routingsettings description configure the routing capabilities of the system. Properties routefailover_ifacepollinterval time (ms) between polling of interface failure. (default: 500) routefailover_arppollinterval time (ms) between arp-lookup of gateways. May be overridden for each route. (de...

  • Page 285: 3.110. Routingtable

    3.110. Routingtable description the system has a predefined main routing table. Alternate routing tables can be defined by the user. Properties name specifies a symbolic name for the routing table. (identifier) ordering specifies how a route lookup is done in a named routing table. (default: only) r...

  • Page 286: 3.110.1.1. Monitoredhost

    Monitorgateway mark the route as down if the next hop does not answer on arp lookups during a specified time. (default: no) monitorgatewayarpinterval specifies the arp lookup interval in milliseconds. (default: 1000) enablehostmonitoring enables the host monitoring functionality. (default: no) reach...

  • Page 287: 3.110.2. Route6

    Reachabilityrequired specifies if this host is required to be reachable for monitoring to be successful. (default: no) samples specifies the number of attempts to use for statistical calculations. (default: 10) maxpollfails specifies the maximum number of failed attempts until host is considered to ...

  • Page 288: 3.110.3. Switchroute

    Publishing routes via proxy neighbor discovery. (default: no) proxyndinterfaces specifies the interfaces on which the firewall should publish routes via proxy arp. (optional) comments text describing the current object. (optional) note if no index is specified when creating an instance of this type,...

  • Page 289: 3.111. Scheduleprofile

    3.111. Scheduleprofile description a schedule profile defines days and dates and is then used by the various policies in the system. Properties name specifies a symbolic name for the service. (identifier) mon specifies during which intervals the schedule profile is active on mondays. (optional) tue...

  • Page 290: 3.112. Servicegroup

    3.112. Servicegroup description a service group is a collection of service objects, which can then be used by different policies in the system. Properties name specifies a symbolic name for the service. (identifier) members group members. Comments text describing the current object. (optional) chapt...

  • Page 291: 3.113. Serviceicmp

    3.113. Serviceicmp description an icmp service is an object definition representing icmp traffic with specific parameters. Properties name specifies a symbolic name for the service. (identifier) messagetypes specifies the icmp message types that are applicable to this service. (default: all) echoreq...

  • Page 292

    Endpoints to negotiate optimal packet sizes. This prevents fragmentation by network equipment between the endpoints. Path mtu discovery relies on icmp message forwarding so icmp forwarding must also be enabled. (default: no) protocol protocol settings are only used by ip policies. (optional) maxsess...

  • Page 293: 3.114. Serviceicmpv6

    3.114. Serviceicmpv6 description an ipv6-icmp service is an object definition representing ipv6-icmp traffic with specific parameters. Properties name specifies a symbolic name for the service. (identifier) messagetypes specifies the ipv6-icmp message types that are applicable to this service. (defa...

  • Page 294

    Must also be enabled. (default: no) protocol protocol settings are only used by ip policies. (optional) maxsessionsprotocol specifies how many concurrent sessions that are permitted using this protocol. (default: 200) alg an application layer gateway (alg), capable of managing advanced protocols, ca...

  • Page 295: 3.115. Serviceipproto

    3.115. Serviceipproto description an ip protocol service is a definition of an ip protocol with specific parameters. Properties name specifies a symbolic name for the service. (identifier) ipproto ip protocol number or range, e.g. "1-4,7" will match the protocols icmp, igmp, ggp, ip-in-ip and cbt. (...

  • Page 296: 3.116. Servicetcpudp

    3.116. Servicetcpudp description a tcp/udp service is a definition of a tcp or udp protocol with specific parameters. Properties name specifies a symbolic name for the service. (identifier) destinationports specifies the destination port or the port ranges applicable to this service. Type specifies...

  • Page 297: 3.117. Slbpolicy

    3.117. Slbpolicy the definitions here are the same as in section 3.63.2, “slbpolicy” .

  • Page 298: 3.118. Sshclientkey

    3.118. Sshclientkey description the public key of the client connecting to the ssh server. Properties name specifies a symbolic name for the key. (identifier) type dsa or rsa. (default: dsa) subject value of the subject header tag of the public key file. (optional) publickey specifies the public key...

  • Page 299: 3.119. Sslsettings

    3.119. Sslsettings description settings related to ssl (secure sockets layer). Properties ssl_processingpriority the amount of cpu time that ssl processing is allowed to use. (default: normal) ssl_tlsversion minimum allowed version of the secure socket layer. Tlsv1.1 is not supported. (default: tlsv...

  • Page 300

    Note this object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.

  • Page 301: 3.120. Sslvpninterface

    3.120. Sslvpninterface description an ssl vpn interface, together with the bundled client, creates an easy to use tunnel solution for roaming users. Properties name specifies a symbolic name for the interface. (identifier) outerinterface the physical interface that the ssl vpn interface will listen ...

  • Page 302

    3.121. Sslvpninterfacesettings description ssl vpn interface settings. Properties sslvpnbeforerules pass ssl vpn connections sent to the firewall directly to the ssl vpn engine without consulting the ruleset. (default: yes) note this object type does not have an identifier and is identified by the n...

  • Page 303: 3.122. Statelesspolicy

    3.122. Statelesspolicy the definitions here are the same as in section 3.63.4, “statelesspolicy” .

  • Page 304: 3.123. Statesettings

    3.123. Statesettings description parameters for the state engine in the system. Properties connreplace what to do when the connection table is full. (default: replacelog) logopenfails log packets that are neither part of open connections nor valid new connections. (default: yes) logreverseopens log ...

  • Page 305: 3.124. Tcpsettings

    3.124. Tcpsettings description settings related to the tcp protocol. Properties tcpoptionsizes validity of tcp header option sizes. (default: validatelogbad) tcpmssmin minimum allowed tcp mss (maximum segment size). (default: 100) tcpmssonlow how to handle too low mss values. (default: droplog) tcpm...

  • Page 306

    Tcpsynurg the tcp urg flag together with syn; normally invalid (strip=strip urg). (default: droplog) tcpsynpsh the tcp psh flag together with syn; normally invalid but always used by some ip stacks (strip=strip psh). (default: stripsilent) tcpsynrst the tcp rst flag together with syn; normally inval...

  • Page 307: 3.125. Thresholdrule

    3.125. Thresholdrule description a threshold rule defines a filter for matching specific network traffic. When the filter criterion is met, the threshold rule actions are evaluated and possible actions taken. Properties index the index of the object, starting at 1. (identifier) name specifies a symb...

  • Page 308

    Thresholdunit specifies the threshold unit. (default: connssec) zonedefense activate zonedefense. (default: no) blacklist activate blacklist. (default: no) blacklisttimetoblock the number of seconds that the dynamic black list should remain. (optional) blacklistblockonlyservice only block the servic...

  • Page 309: 3.126. Updatecenter

    3.126. Updatecenter description configure automatic updates. Properties avenabled automatic updates of antivirus definitions and engine. (default: no) idpenabled automatic updates of idp signatures. (default: no) updateinterval specifies the interval at which the automatic update runs. (default: d...

  • Page 310: 3.127. Userauthrule

    3.127. Userauthrule description the user authentication ruleset specifies from where users are allowed to authenticate to the system, and how. Properties index the index of the object, starting at 1. (identifier) name specifies a symbolic name for the rule. Agent arpcache, http, https, xauth, ppp or...

  • Page 311

    Httpbanners http authentication html banners. (default: default) realmstring the string that is presented as a part of the 401 - authentication required message. (optional) hostcertificate specifies the host certificate that the firewall sends to the client. Only rsa certificates are supported. Root...

  • Page 312

    Received by the user. (default: yes) sessiontime enable reporting of the number of seconds the session lasted. (default: yes) supportinterimaccounting enable interim accounting messages to update the accounting server with the current status of an authenticated user. (default: no) serverinterimcontr...

  • Page 313: 3.128. Vlan

    3.128. Vlan description use a vlan to define a virtual interface compatible with the ieee 802.1q / 802.1ad virtual lan standard. Properties name specifies a symbolic name for the interface. (identifier) vlanid the virtual lan id used for this virtual lan interface. Two virtual lans cannot have the s...

  • Page 314

    Privateip the private ip address of this high availability node. (optional) privateip6 the private ip6 address of this high availability node. (default: localhost6) metric specifies the metric for the auto-created route. (default: 100) autoswitchroute allows traffic to be forwarded transparently acr...

  • Page 315: 3.129. Vlansettings

    3.129. Vlansettings description settings for ieee 802.1q based virtual lan interfaces. Properties unknownvlantags vlan packets tagged with an unknown id. (default: droplog) note this object type does not have an identifier and is identified by the name of the type only. There can only be one instanc...

  • Page 316: 3.130. Voipprofile

    3.130. Voipprofile description a voip profile can be used by one or many ip policies which have their service object configured with sip or h.323 as protocol. Properties name specifies a symbolic name for the profile. (identifier) sip enables automatic pinhole creation for sip sessions. (default: yes) ...

  • Page 317

    Comments text describing the current object. (optional)

  • Page 318: 3.131. Webprofile

    3.131. Webprofile description a web profile can be used by one or many ip policies which have their service object configured with http or https as protocol. Properties name specifies a symbolic name for the profile. (identifier) forcesafesearch force safesearch on google, bing and yahoo! Search engine...

  • Page 319

    Action whitelist or blacklist. (default: blacklist) url specifies the url to blacklist or whitelist. Comments text describing the current object. (optional) note if no index is specified when creating an instance of this type, the object will be placed last in the list and the index will be equal to...

  • Page 320: 3.132. Zonedefenseblock

    3.132. ZoneDefenseBlock. Description: Manually configured blocks are used to block a host/network on the switches, either by default or based on a schedule. Properties: Addresses: specifies the addresses to block. Protocol: all, TCP, UDP or ICMP. (Default: all) Port: specifies which UDP or TCP port to use. (...

  • Page 321

    3.133. ZoneDefenseExcludeList. Description: The exclude list is used to exclude certain hosts/networks from being blocked by IDP/threshold rule violations. Properties: Addresses: specifies the addresses that should not be blocked. (Optional) Comments: text describing the current object. (Optional) Note ...

  • Page 322: 3.134. Zonedefenseswitch

    3.134. ZoneDefenseSwitch. Description: A ZoneDefense switch will have its ACLs controlled, and hosts/networks violating the IDP/threshold rules will be blocked directly on the switch. Properties: Name specifies a symbolic name for the ZoneDefense switch. (Identifier) SwitchModel: specifies the switch mod...

  • Page 323

    3.135. ZoneDefenseSwitchSettings. Description: Advanced ZoneDefense switch settings. Properties: SupervisorEnabled: enables automatic unblocking of hosts that have been blocked for a configurable period of time. A host is only unblocked if the number of times it has been blocked during a supervision period (...

  • Page 325: Index

    Index. Commands: A: about, 33; activate, 22; add, 22; alarm, 33; appcontrol, 33; arp, 34; arpsnoop, 35; ats, 36; authagent, 36; authagentsnoop, 37; avcache, 38. B: blacklist, 38; buffers, 39. C: cam, 40; cancel, 24; cc, 24; certcache, 41; cfglog, 41; commit, 25; connections, 41; cpuid, 42; crashdump, 43; cryptostat, 43. D: dcc,...

  • Page 326: Object Types

    reset, 28; route, 76 (see also routes); routemon, 76; routes, 77; rtmonitor, 78; rules, 78. S: script, 101; selftest, 79; services, 81; sessionmanager, 82; set, 29; settings, 83; show, 30; shutdown, 83; sipalg, 84; smtp, 86; sshserver, 87; sslvpn, 88; stats, 88; sysmsgs, 88. T: techsupport, 89; time, 89; traceroute, 95. U: u...

  • Page 327

    H: HighAvailability, 183; HTTPALGBanners, 184; HTTPAuthBanners, 185; HTTPPoster, 186; HWM, 187; HWMSettings, 188. I: ICMPSettings, 189; ID, 190; IDList, 190; IDPRule, 191; IDPRuleAction, 191; IGMPRule, 193; IGMPSetting, 195; IKEAlgorithms, 196; InterfaceGroup, 198; IP4Address, 113, 114; IP4Group, 113, 115; IP4HAAddres...

  • Page 328

    V: VLAN, 313; VLANSettings, 315; VoIPProfile, 316. W: WebProfile, 318. Z: ZoneDefenseBlock, 320; ZoneDefenseExcludeList, 321; ZoneDefenseSwitch, 322; ZoneDefenseSwitchSettings, 323. Index, 328.