D-Link NetDefend DFL-CP310 CLI Reference Manual

Other manuals for NetDefend DFL-CP310: User Manual
Manual is about: Security VPN Firewall NetDefend secured by Check Point

Summary of NetDefend DFL-CP310

  • Page 1

    D-Link NetDefend Internet Security Firewall CLI Reference Guide, version 1.0, revised 01/17/06.

  • Page 2

    Copyright & Trademarks. Copyright © 2005 SofaWare, all rights reserved. No part of this document may be reproduced in any form or by any means without written permission from SofaWare. Information in this document is subject to change without notice and does not represent a commitment on part of Sofa...

  • Page 3

    Running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and tellin...

  • Page 4

    Countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the p...

  • Page 5: Contents

    Contents: Chapter 1: Introduction (page 1); About your D-Link NetDefend firewall (page 1); Using ...

  • Page 6

    Contents (continued): reset gateway (page 37); reset logs ...

  • Page 7

    Contents (continued): info statistics (page 96); info statistics interface (page 99); ...

  • Page 8

    Contents (continued): net dmz ospf md5 (page 179); net lan ...

  • Page 9

    Contents (continued): printers (page 251); qos classes ...

  • Page 10

    Contents (continued): smartdefense network-security ip-icmp packet-sanity (page 318); smartdefense network-security ip-icmp welchia (page 321); smartdefense network-security port-scan ...

  • Page 11

    Contents (continued): wireless wep (page 416); wireless wpa ...

  • Page 13: Chapter 1

    Chapter 1: Introduction. This chapter introduces the D-Link NetDefend firewall and this guide. This chapter includes the following topics: About your D-Link NetDefend firewall (page 1); Using this reference ...

  • Page 14: Using This Reference

    Using this reference. This reference guide explains how to use CLI commands to control your NetDefend firewall. In the chapter CLI Commands on page 17, the CLI commands are divided into groups according to their purpose. The commands are presented in alphabetical order within th...

  • Page 15

    Document conventions and syntax. Return values: the values returned in the command line interface. This information is provided only when running the command results in return values other than the typical values, for example when you run informational commands. For information on the typical return v...

  • Page 16: Related Publications

    Examples appear in Courier style in boxes: this is an example of a CLI command. Related publications: use this guide in conjunction with the user guide provided with your appliance: • NetDefend Secured by Check Point User Guide. (D-Link NetDefend CLI Reference Guide, page 4.)

  • Page 17: Chapter 2

    Chapter 2: Using the serial console. You can connect a console to the NetDefend firewall, and use the console to control the appliance via the command line. Note: your terminal emulation software must be set to 57600 bps, N-8-1. To run commands using a console: 1. Connect the seria...

  • Page 19: Chapter 3

    Chapter 3: Using the NetDefend command line interface. This chapter explains how to use the command line interface to run a CLI command and provides a list of typical return values. This chapter includes the following topics: General guidelines ...

  • Page 20: General Guidelines

    General guidelines. When running commands in the NetDefend firewall, follow these guidelines: • NetDefend CLI commands, variables, and fields are case-sensitive. • It is not necessary to type a command or variable in its entirety; it is sufficient to type the shortest string that i...

  • Page 21: Command Line Editing

    Command line editing. • Occasionally, a field's value will be a string containing one or more spaces. In this case, enclose the string in quotation marks. For example: set dialup type "hayes accura 56k". Tip: if you are unsure how to configure a particular setting via the command line, you can configure ...

  • Page 22: Using The Netdefend Portal

    See Importing CLI scripts on page 13. Using the NetDefend portal: you can run commands using the NetDefend portal. To run commands using the NetDefend portal: 1. Log on to the NetDefend portal. For instructions, refer to the user guide. 2. Click Setup in the main menu, and click the t...

  • Page 23: Using Ssh

    Using SSH. NetDefend users can control the firewall via the command line, using the SSH (Secure Shell) management protocol. By default, SSH access is allowed only from the internal networks. You can allow SSH access via the Internet by configuring remote SSH access; if you do, prefer the IP address range option of Table 1 so that only known management addresses can reach the SSH service. Note: the NetDef...

  • Page 24

    Table 1: Access options
      Select this option...       To allow access from...
      Internal network            The internal network only. This disables remote access capability. This is the default.
      Internal network and VPN    The internal network and your VPN.
      IP address range            A particular range of IP addresses....

  • Page 25: Importing Cli Scripts

    Importing CLI scripts. All NetDefend models enable you to import CLI scripts to the appliance. To import CLI scripts: 1. Do one of the following: • Write a CLI script in a text file with the extension *.cfg. • Edit an exported NetDefend configuration file. For information on exporting...

  • Page 26: Typical Return Values

    Note: if the appliance's IP address changed as a result of the configuration import, your computer may be disconnected from the network; therefore you may not be able to see the results. Typical return values: when you run a command whose purpose is to display information, the r...

  • Page 27

    Typical return values (value: explanation):
      Missing value for property name: the command you entered is not complete, because a field's value is missing. Complete the command, and then run the command again.
      Syntax error: the syntax of the command you entered is incorrect. The erroneous syntax is displaye...

  • Page 29: Chapter 4

    Chapter 4: CLI commands. This chapter provides a list of CLI commands for controlling your NetDefend firewall. The CLI commands are divided into the following groups: • Variable operation commands: CLI commands for working with variables. • Appliance operation commands: CLI comman...

  • Page 30: Variable Operation Commands

    Variable operation commands. The commands in this section enable you to perform the following actions on variables: • add a variable to a table • delete a variable from a table • modify a variable • display a variable's settings • display a table of variables • clear a tab...

  • Page 31: Add

    add. Purpose: the add command is used for adding new variables to a table. Use this command to add any of the following: • a self-signed certificate • DHCP scopes • firewall rules • network objects • OSPF areas • OSPF networks • QoS classes • RADIUS servers • static routes...

  • Page 32

    Parameters: variable (string). The type of variable you want to add. This can be any of the following: • certificate - a self-signed certificate • dhcp scopes - a DHCP scope • fw rules - a firewall rule • netobj - a network object • ospf area - an OSPF area • ospf network -...

  • Page 33

    Example: the following command adds the user johnsmith and assigns him the password johns1: add users name johnsmith password johns1 (Chapter 4: CLI commands, page 21.)

  • Page 34: Clear

    clear. Purpose: the clear command is used for deleting all the variables in a table. Use this command to clear any of the following: • a certificate • DHCP scopes • firewall rules • network objects • OSPF areas • OSPF networks • QoS classes • RADIUS servers • static routes...

  • Page 35

    Parameters: variable (string). The type of variables in the table you want to clear. This can be any of the following: • certificate - a certificate • dhcp scopes - DHCP scopes • fw rules - firewall rules • netobj - network objects • ospf area - OSPF areas • ospf network - ...

  • Page 36

    Example: the following command deletes all users except the "admin" user: clear users

  • Page 37: Delete

    delete. Purpose: the delete command is used for deleting variables from a table. Use this command to delete any of the following: • DHCP scopes • firewall rules • firewall servers • network objects • OSPF areas • OSPF networks • QoS classes • RADIUS servers • static routes...

  • Page 38

    Parameters: variable (string). The type of variable you want to delete. This can be any of the following: • dhcp scopes - a DHCP scope • fw rules - a firewall rule • fw servers - a firewall server rule • netobj - a network object • ospf area - an OSPF area • ospf network - ...

  • Page 39

    Example 1: the following command deletes the second user in the users table: delete users 2. Example 2: the following command deletes the FTP server rule in the servers table: delete fw servers ftp

  • Page 40: Set

    set. Purpose: the set command is used for modifying existing variables. Note: you cannot rename the admin user (user 1), the default QoS class (qos class 1), or the default static route (static route 1). Syntax: set variable. Parameters: variable (string). The type of variabl...

  • Page 41

    Example 1: the following command sets the password for user 2 to "mysecretpassword": set users 2 password mysecretpassword. Example 2: the following command enables the internal VPN server: set vpn internalserver mode enabled. Example 3: the following command sets the FTP s...

  • Page 42: Show

    show. Purpose: the show command is used for displaying variables and their fields. Syntax: show variable. Parameters: variable (string). The type of variable you want to display. This can be any variable except certificate. For information on variables and how to use them wi...

  • Page 43

    The following command displays the relative weight of QoS class 3: show qos classes 3 weight. Example 2: the following command displays all server rules: show fw servers. The following command displays all of the FTP server rule's settings: show fw servers ftp. Use the follo...

  • Page 44: Appliance Operation Commands

    Appliance operation commands. The commands in this section enable you to manage your NetDefend firewall in the following ways: • log out of the current session, when connected to the NetDefend portal via SSH or serial console • replace the installed certificate with a new...

  • Page 45: Quit

    quit. Purpose: the quit command is used to log out of the current session, when connected to the NetDefend portal via SSH or a serial console. Effect: after you run this command, the SSH client or serial console logs off the NetDefend portal. Syntax: quit. Parameters: none...

  • Page 46: Reset Certificate

    reset certificate. Purpose: the reset certificate command is used to replace the installed certificate with a new self-signed certificate. Note: if your NetDefend firewall is centrally managed, a certificate is automatically generated and downloaded to your appliance. In ...

  • Page 47: Reset Defaults

    reset defaults. Purpose: the reset defaults command is used to reset the NetDefend firewall to its default settings. When you reset your NetDefend firewall, it reverts to the state it was originally in when you purchased it. The current firmware version is retained. For i...

  • Page 48: Reset Firmware

    reset firmware. Purpose: the reset firmware command is used to reset the NetDefend firewall to the firmware version that shipped with the appliance. Effect: the NetDefend firewall is restarted, and the PWR/SEC LED flashes quickly. This may take a few minutes. Syntax: rese...

  • Page 49: Reset Gateway

    reset gateway. Purpose: the reset gateway command is used to reboot the NetDefend firewall. If your NetDefend firewall is not functioning properly, rebooting it may solve the problem. Effect: the PWR/SEC LED flashes quickly. This may take a few minutes. Syntax: reset gate...

  • Page 50: Reset Logs

    reset logs. Purpose: the reset logs command is used to clear the event log. The event log displays the most recent events, including the date and the time that each event occurred, and its type. Effect: the logs in the event log are cleared. Clearing is not reversible, so capture the log with info logs first if you may need it for an investigation. Syntax: reset logs. Parameters...

  • Page 51: Reset Services

    reset services. Purpose: the reset services command is used to restart the NetDefend Service Center connection. Effect: the NetDefend Service Center connection is restarted. Syntax: reset services. Parameters: none. Return values: see Typical return values on page 14.

  • Page 52

    reset smartdefense ai cifs file-sharing patterns. Purpose: the reset smartdefense ai cifs file-sharing patterns command is used to reset SmartDefense's list of worm patterns to its defaults. For information on configuring this list, see smartdefense ai cifs file-sharing p...

  • Page 53: Reset Statistics

    reset statistics. Purpose: the reset statistics command is used to clear the traffic monitor. The traffic monitor displays reports for incoming and outgoing traffic, for selected network interfaces and QoS classes. Effect: the statistics displayed in all traffic monitor r...

  • Page 54: Reset Vstream-Database

    reset vstream-database. Purpose: the reset vstream-database command is used to uninstall the VStream Antivirus signature databases. This is useful for troubleshooting purposes. Effect: both the VStream Antivirus main database and daily database are uninstalled, and VStrea...

  • Page 55: Updatenow

    updatenow. Purpose: the updatenow command is used to check for new security and software updates, as well as VStream Antivirus signature database updates. Note: software updates and VStream Antivirus signature updates are only available if you are connected to a Service C...

  • Page 56: Informational Commands

    Informational commands. The commands in this section enable you to display information about your NetDefend firewall and its settings. You can display any of the following: • certificate details • currently active computers on your network • currently active connections to and ...

  • Page 57

    • currently established VPN tunnels • information about VStream Antivirus signature databases • VStream Antivirus virus signatures • information about the defined Internet connections • information about your wireless access point • information about wireless stations in the w...

  • Page 58: Authenticate

    authenticate. Purpose: the authenticate command is used to check whether a username and password combination is valid. Syntax: authenticate username password. Parameters: username (string): the username to authenticate. password (string): the password to authenticate. Return values: ...

  • Page 59

    read: indicates whether the user has read permissions. This can have the following values: • true - the user has read permissions. • false - the user does not have read permissions. Note: if this value is false, then the user cannot access the NetDefend portal. vpnaccess: indic...

  • Page 60

    Example: the following command authenticates the username "johns" and the password "mysecretpassword": authenticate johns mysecretpassword. Running this command results in information such as the following: [700000] ok [permissions: write true read true vpnaccess true filterove...

  • Page 61: Export

    export. Purpose: the export command is used to display NetDefend firewall settings. This is useful in the following cases: • you are troubleshooting a problem and need to examine the firewall settings. • you want to change the firewall configuration. After exporting the configu...

  • Page 62

    Parameters: variable (string). The type of settings you want to export. This can be any variable or a variable that represents a category of variables. For example, the variable net can be used in the command export net to display the settings for all variables in the net catego...

  • Page 63

    Example: running export results in output such as the following (note that the script contains the appliance's product key, so treat exported files as sensitive):
      # configuration script
      # license: d-link netdefend (10 nodes)
      # gateway mac: 00:08:da:77:70:70
      # firmware version: 6.0.45x
      # device settings
      set device productkey 7a747a-a77a4a-79a8bf hostname "" behindnat undefined
      # clock settings
      set clock timezone gmt-08:00 ntp1 "" ...

  • Page 64

      # lower priority when not connected
      set ha track wan1 0 wan2 0
      # effect other modules according to current status
      set ha effect vpn enabled
      # end configuration script
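The export script above, the quoting rule for values with spaces (page 21) and the export-edit-import workflow (page 25) describe one round trip. The following Python is an added example, not code from the guide, D-Link or SofaWare: it tokenizes an export the way the quoting rule implies (double-quoted values, "" for an empty value), splits each set line into a variable path plus field/value pairs using a small table of variable paths taken from the commands shown on the page (an assumption; a real export needs the table extended from help set), diffs two exports field by field for configuration-drift review, and re-emits an importable *.cfg script with quoting re-applied. The sample input reuses the page's own export lines; the "later" export in the demo is constructed.

```python
"""Round-trip a NetDefend `export` script: parse, diff, re-emit (added example).

Not code from the CLI reference guide, D-Link or SofaWare. Assumptions are
marked in comments; the sample text reuses the export lines shown on the page.
"""
import shlex
from typing import Dict, List, Optional, Tuple

# The page's own export lines, used as sample input.
SAMPLE_EXPORT = """\
# configuration script
# license: d-link netdefend (10 nodes)
# firmware version: 6.0.45x
# device settings
set device productkey 7a747a-a77a4a-79a8bf hostname "" behindnat undefined
# clock settings
set clock timezone gmt-08:00 ntp1 ""
# lower priority when not connected
set ha track wan1 0 wan2 0
# effect other modules according to current status
set ha effect vpn enabled
# end configuration script
"""

# ASSUMPTION: variable paths (the tokens of a `set` line before the first
# field/value pair), taken from commands shown in the guide. Table variables
# such as `users` carry an index (`set users 2 password ...`). A real export
# has many more paths; extend this table from `help set`.
VARIABLE_PATHS: List[Tuple[str, ...]] = [
    ("device",), ("clock",), ("dialup",), ("ha", "track"), ("ha", "effect"),
    ("users",), ("qos", "classes"), ("vpn", "internalserver"),
]
INDEXED = {("users",), ("qos", "classes")}

Path = Tuple[str, ...]
Config = Dict[Path, Dict[str, str]]


def quote_value(value: str) -> str:
    """Apply the CLI rule: a value containing spaces is enclosed in double quotes;
    an empty value is written "". Values containing a quote are rejected because
    the guide documents no escape syntax (assumption: treat as unrepresentable)."""
    if '"' in value:
        raise ValueError(f"cannot quote value containing a double quote: {value!r}")
    if value == "" or any(ch.isspace() for ch in value):
        return f'"{value}"'
    return value


def split_variable(tokens: List[str]) -> Tuple[Path, List[str]]:
    """Longest-prefix match against VARIABLE_PATHS; an indexed table variable
    also consumes its numeric index as part of the path."""
    for path in sorted(VARIABLE_PATHS, key=len, reverse=True):
        n = len(path)
        if tuple(tokens[:n]) != path:
            continue
        rest = tokens[n:]
        if path in INDEXED:
            if not rest or not rest[0].isdigit():
                raise ValueError(f"{' '.join(path)} requires a numeric index")
            return path + (rest[0],), rest[1:]
        return path, rest
    raise ValueError(f"unknown variable: {' '.join(tokens)}")


def parse_export(text: str) -> Config:
    """Parse `set` lines into {variable path: {field: value}}; `#` lines are comments."""
    config: Config = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # honours "quoted values" and ""
        if tokens[0] != "set":
            raise ValueError(f"line {lineno}: expected a set command")
        path, rest = split_variable(tokens[1:])
        if len(rest) % 2:
            raise ValueError(f"line {lineno}: field without a value")
        config.setdefault(path, {}).update(zip(rest[::2], rest[1::2]))
    return config


def emit_export(config: Config) -> str:
    """Serialise back into an importable script (*.cfg), re-applying quoting."""
    lines = ["# configuration script (generated)"]
    for path, fields in config.items():
        body = " ".join(f"{field} {quote_value(value)}" for field, value in fields.items())
        lines.append(f"set {' '.join(path)} {body}")
    return "\n".join(lines) + "\n"


def diff_exports(old: Config, new: Config) -> Dict[Path, Tuple[Optional[str], Optional[str]]]:
    """Field-level drift between two exports: path+field -> (old value, new value);
    None means the field is absent on that side."""
    changes: Dict[Path, Tuple[Optional[str], Optional[str]]] = {}
    for path in set(old) | set(new):
        o, n = old.get(path, {}), new.get(path, {})
        for field in set(o) | set(n):
            if o.get(field) != n.get(field):
                changes[path + (field,)] = (o.get(field), n.get(field))
    return changes


if __name__ == "__main__":
    baseline = parse_export(SAMPLE_EXPORT)
    # Constructed "later" export: hostname set and HA's effect on VPN disabled.
    later = parse_export(SAMPLE_EXPORT.replace("vpn enabled", "vpn disabled")
                         .replace('hostname ""', 'hostname "fw 1"'))
    for key, (before, after) in sorted(diff_exports(baseline, later).items()):
        print(f"{' '.join(key)}: {before!r} -> {after!r}")
    print(emit_export(later), end="")
```

Keying the diff on variable path plus field, rather than on whole lines, is what makes a one-value change (for example vpn enabled to disabled) show up as a single entry instead of a removed and an added line; the same parser feeds the import step, since the emitted script is what you would edit and load back.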

  • Page 65: Help

    help. Purpose: the help command is used to display information about a command. Syntax: help command [variable]. Parameters: command (string): the command for which you want to display information. variable (string): one or more variables that follow the command and create a valid e...

  • Page 66

    The following information is displayed:
      add           add an item to a table
      subcommands:
      ---------------------
      fw            firewall settings
      vpn           vpn settings
      users         user database
      routes        static routes database
      radius        radius settings
      qos           quality of service
      netobj        network objects
      certificate   certif...

  • Page 67

    Example 2: you can add variables to the command, and display information about the final variable in the command: help add users. The users variable's fields are listed:
      users         user database
      subcommands:
      ---------------------
      name          username
      password      password for user authenticati...

  • Page 68: Info Certificate

    info certificate. Purpose: the info certificate command is used to display information about the certificate currently installed on your appliance. Syntax: info certificate. Parameters: none. Return values: the following information is displayed for your appliance's certificate...

  • Page 69

    Validity end time: the day of the week, date, and time when this certificate expires. This information is provided in the same format as validity start time. Certificate DN: the distinguished name (DN) (identifying information). Fingerprint: the certificate's fingerprint. Examp...

  • Page 70

    CA certificate
    ==============
    GMT: GMT+02:00
    Validity start time: Sat Dec 3 08:47:39 2005
    Validity end time: Sat Nov 29 08:47:39 2025
    Certificate DN: /o=embeddedng/ou=localca/cn=ca-00:07:d7:77:70:70
    Fingerprint: no that just sum menu slam ding guru mice hugo wok vase
    The fingerprint is the value to compare over a separate channel (for example, read from the serial console) before trusting the self-signed certificate presented by a remote management session.

  • Page 71: Info Computers

    info computers. Purpose: the info computers command is used to display information about the currently active computers on your network. Syntax: info computers. Parameters: none. Return values: the following information is displayed for each network device in the LAN, DMZ, WLAN...

  • Page 72

    In addition to the information above, the following information is displayed for each wireless station (in wireless models): rate: the current transmission rate in Mbps. signal: the signal strength in dB. rx rate: the current reception rate in Mbps. tx rate: the current transmission ...

  • Page 73

    The following statistics are divided into receive and transmit for each wireless station (in wireless models): frames ok: the total number of frames that were successfully transmitted and received. errors: the total number of transmitted and received frames for which an error occ...

  • Page 74

    Example: running this command results in information such as the following:
      lan:
        192.168.10.1:
          mac: 00:08:da:77:70:6e
          type: firewall
          name: gateway
          license: n/a
        192.168.10.12:
          mac: 00:0c:6e:41:5d:6a
          type: computer
          name: home
          license: licensed
      wlan:
        192.168.252.1:
          mac: 00:20:ed:...

  • Page 75

        192.168.252.106:
          mac: 00:40:05:60:97:5a
          type: computer
          name: laptop
          license: n/a
          rx rate: 2 mbps
          tx rate: 11 mbps
          wlan mode: b
          signal: 22 db
          xr: no
          wpa was negotiated: no
          wpa2 was negotiated: no
          cipher: wep
          receive:
            frames ok: 159
            errors: 0
            discarded frames: 0
            unicast frames: ...
    A station that reports cipher: wep with neither WPA nor WPA2 negotiated, as this one does, is protected only by WEP, whose keys can be recovered from captured traffic; such stations should be moved to WPA2.
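The wireless fields above (wpa was negotiated, wpa2 was negotiated, cipher) are enough to audit every associated station from one info computers capture. The following Python is an added example, not code from the guide, D-Link or SofaWare. Its sample input is constructed from the field names the page lists; it assumes the layout shown above (an unindented interface line ending in ":", an indented IP line per station, nested groups such as receive: with their own indentation, and key: value lines otherwise). The second wireless station, 192.168.252.107 with cipher aes, is invented so that the check has a compliant station to pass.

```python
"""Flag wireless stations without WPA/WPA2 in `info computers` output (added example).

Not code from the guide, D-Link or SofaWare. The sample below is constructed
from the field names the guide lists for `info computers`; ASSUMPTION: each
interface name sits on an unindented line ending in ':', each station's IP
on an indented line ending in ':', nested groups such as `receive:` introduce
their own prefix, and every other line is `key: value`. The second wireless
station (192.168.252.107, cipher aes) is invented for contrast.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_INFO_COMPUTERS = """\
lan:
  192.168.10.1:
    mac: 00:08:da:77:70:6e
    type: firewall
    name: gateway
    license: n/a
  192.168.10.12:
    mac: 00:0c:6e:41:5d:6a
    type: computer
    name: home
    license: licensed
wlan:
  192.168.252.106:
    mac: 00:40:05:60:97:5a
    type: computer
    name: laptop
    license: n/a
    rx rate: 2 mbps
    tx rate: 11 mbps
    wlan mode: b
    signal: 22 db
    xr: no
    wpa was negotiated: no
    wpa2 was negotiated: no
    cipher: wep
    receive:
      frames ok: 159
      errors: 0
      discarded frames: 0
  192.168.252.107:
    mac: 00:40:05:60:97:5b
    type: computer
    name: tablet
    license: licensed
    wpa was negotiated: no
    wpa2 was negotiated: yes
    cipher: aes
"""

IFACE_LINE = re.compile(r"^([A-Za-z0-9]+):\s*$")                  # unindented: lan:, dmz:, wlan:
STATION_LINE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3}):\s*$")   # indented: 192.168.10.1:

Host = Dict[str, str]


def parse_info_computers(text: str) -> List[Host]:
    """One dict per host, with 'interface' and 'ip' added to the reported fields.
    Keys are lower-cased; nested groups are flattened as 'receive frames ok'."""
    hosts: List[Host] = []
    iface: Optional[str] = None
    current: Optional[Host] = None
    prefix = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = IFACE_LINE.match(raw)
        if m:
            iface, current, prefix = m.group(1).lower(), None, ""
            continue
        m = STATION_LINE.match(raw)
        if m:
            current = {"interface": iface or "", "ip": m.group(1)}
            hosts.append(current)
            prefix = ""
            continue
        key, sep, value = raw.strip().partition(":")
        if not sep or current is None:
            raise ValueError(f"unexpected line: {raw!r}")
        key = key.strip().lower()
        if value.strip() == "":            # group header such as receive: / transmit:
            prefix = key
            continue
        current[f"{prefix} {key}".strip()] = value.strip().lower()
    return hosts


def weak_wireless_stations(hosts: List[Host]) -> List[Tuple[str, str, str]]:
    """(ip, name, reason) for every wireless station whose link is not WPA2/WPA
    protected. A host counts as wireless when the output reports a cipher or a
    WPA negotiation result for it; wired hosts carry neither field."""
    findings: List[Tuple[str, str, str]] = []
    for h in hosts:
        if "cipher" not in h and "wpa was negotiated" not in h:
            continue
        wpa = h.get("wpa was negotiated") == "yes"
        wpa2 = h.get("wpa2 was negotiated") == "yes"
        cipher = h.get("cipher", "none")
        name = h.get("name", "?")
        if cipher == "wep":
            findings.append((h["ip"], name, "WEP cipher: WEP keys are recoverable from captured traffic"))
        elif not (wpa or wpa2):
            findings.append((h["ip"], name, f"no WPA/WPA2 negotiated (cipher: {cipher})"))
        elif wpa and not wpa2:
            findings.append((h["ip"], name, "WPA only; move the station to WPA2"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in weak_wireless_stations(parse_info_computers(SAMPLE_INFO_COMPUTERS)):
        print(f"{ip} ({name}): {reason}")
```

The check keys on the negotiated security reported per station rather than on the access point's configured mode, because a mixed-mode access point can still admit a WEP-only client; running it after each change to the wireless settings confirms that no such client remains.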

  • Page 76: Info Connections

    info connections. Purpose: the info connections command is used to display information about currently active connections between your network and the external world. Syntax: info connections. Parameters: none. Return values: connection table: the number of currently active conn...

  • Page 77

    options: displays further details about the connection: • plain - the connection is not encrypted. • aes/3des - the connection is encrypted. • through vpn - the connection is a VPN connection. • scanned - the connection is being scanned by VStream Antivirus. qos class: the QoS c...

  • Page 79: Info Device

    info device. Purpose: the info device command is used to display information about your appliance, such as your current firmware version and additional details. Syntax: info device. Parameters: none. Return values: mac address: the appliance's WAN MAC address. bootcode version: t...

  • Page 80

    free memory: displays the amount of free memory in kilobytes: • user - the amount of free memory in the user module. • kernel - the amount of free memory in the kernel module. running firmware: the version of the firmware that is currently in use. backup firmware: the version of ...

  • Page 81

    Example: running this command results in information such as the following:
      [700000] device information:
      mac address: 00:08:da:77:70:70
      bootcode version: 19
      hardware version: 1.1
      appliance type: sbox-200
      product key: 747478-22234-e5d66f
      product name: d-link netdefend, 10 nodes...

  • Page 82: Info Fw

    info fw. Purpose: the info fw command is used to display firewall statistics for incoming and outgoing traffic. Syntax: info fw. Parameters: none. Return values: the displayed firewall statistics are divided into information on the following: inbound packets - statistics for inco...

  • Page 83

    Example: running this command results in information such as the following:
      [700000] firewall statistics:
      inbound packets:
        total: 35867
        accepted: 14919
        dropped: 20948
      outbound packets:
        total: 13641
        accepted: 13477
        dropped: 164

  • Page 84: Info Logs

    info logs. Purpose: the info logs command is used to display information about the most recent events, including the date and the time that each event occurred, and its type. Syntax: info logs. Parameters: none. Return values: the event log. The following information is display...

  • Page 85

    The following additional information is displayed for logged connections: src: the source IP address. sport: the source port. dst: the destination IP address. dport: the destination port. ipp: the IP protocol. rule: the rule identification number. This can be any of the following: • a po...

  • Page 86: Info Nat

    info nat. Purpose: the info nat command is used to display the NAT (Network Address Translation) rules that are currently in effect. The NetDefend firewall supports the following types of NAT: • hide NAT - enables you to share a single public Internet IP address among several c...

  • Page 87

    Return values: nat table: the number of NAT rules. The following information is displayed for each NAT rule: number: the NAT rule's number. original source: the original source. This can be the following: • an internal network • an IP address • an IP range • any - any source. ori...

  • Page 88

    translated ports: the translated ports. This can be the following: • a port • a range of ports • original - the original port. type: the type of NAT used. This can be the following: • hide - hide NAT • static - static NAT. source: the source of the NAT rule. This can be the followi...

  • Page 89

      2 :
        original source: dmz
        original destination: any
        original ports: any
        translated source: 217.132.233.250
        translated destination: original
        translated ports: original
        type: hide
        source: local
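The NAT fields above are what an exposure review needs: a static rule whose original source is any and whose translated destination is an internal address is an inbound path from the Internet to that host. The following Python is an added example, not code from the guide, D-Link or SofaWare. Its sample input is constructed in the field layout the page describes; rule 2 is the hide-NAT rule shown above, and rule 1 (static, any to 217.132.233.250 port 80, translated to 192.168.10.12) is invented so that the check has something to find. It assumes each rule begins with a line of the form "N :" and that every field is a key: value line.

```python
"""Find static NAT rules that expose internal hosts, from `info nat` output (added example).

Not code from the guide, D-Link or SofaWare. The sample is constructed in the
field layout the guide describes for `info nat`; rule 2 is the hide-NAT rule
shown on the page, rule 1 is invented (static NAT forwarding port 80 on the
public address to an internal host) so the check has something to find.
ASSUMPTION: a rule starts with a line `N :` and each field is `key: value`.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

SAMPLE_INFO_NAT = """\
nat table: 2
1 :
  original source: any
  original destination: 217.132.233.250
  original ports: 80
  translated source: original
  translated destination: 192.168.10.12
  translated ports: original
  type: static
  source: local
2 :
  original source: dmz
  original destination: any
  original ports: any
  translated source: 217.132.233.250
  translated destination: original
  translated ports: original
  type: hide
  source: local
"""

RULE_START = re.compile(r"^(\d+)\s*:$")
Rule = Dict[str, str]


def parse_info_nat(text: str) -> List[Rule]:
    """One dict per rule; the rule number is stored under 'number'."""
    rules: List[Rule] = []
    current: Rule = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("nat table:"):
            continue
        m = RULE_START.match(line)
        if m:
            current = {"number": m.group(1)}
            rules.append(current)
            continue
        key, sep, value = line.partition(":")
        if not sep or not current:
            raise ValueError(f"unexpected line: {raw!r}")
        current[key.strip().lower()] = value.strip().lower()
    return rules


def is_private_host(value: str) -> bool:
    """True for a single RFC 1918 / ULA address; False for 'any', 'original',
    a network name, a range or a public address."""
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:
        return False


def exposed_internal_hosts(rules: List[Rule]) -> List[Tuple[int, str, str, str]]:
    """Static NAT rules reachable from any source that land on a private address:
    (rule number, internal host, ports, public address). Rules limited to a
    source range are not listed; review those separately."""
    findings: List[Tuple[int, str, str, str]] = []
    for r in rules:
        if r.get("type") != "static" or r.get("original source") != "any":
            continue
        target = r.get("translated destination", "")
        if not is_private_host(target):
            continue
        ports = r.get("original ports", "any")
        if r.get("translated ports", "original") != "original":
            ports = f"{ports} -> {r['translated ports']}"
        findings.append((int(r["number"]), target, ports, r.get("original destination", "")))
    return findings


if __name__ == "__main__":
    for number, host, ports, public in exposed_internal_hosts(parse_info_nat(SAMPLE_INFO_NAT)):
        print(f"rule {number}: {public} port(s) {ports} -> internal host {host}")
```

A rule whose original ports are any exposes every service on the internal host, so the port value in each finding is the first thing to narrow; hide-NAT rules are skipped because they only translate outbound traffic.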

  • Page 90: Info Net

    info net. Purpose: the info net command is used to display information about your appliance's network interfaces. Syntax: info net [interface]. Parameters: interface (integer): the network interface for which to display information. This parameter can have the following values: • ...

  • Page 91

    Example: running this command for all network interfaces results in information such as the following:
      net:
        1: name wan   ip 217.132.214.83   mac 00:08:da:77:70:70
        2: name lan   ip 192.168.10.1     mac 00:08:da:77:70:6e
        3: name dmz   ip 192.168.253.1    mac 00:08:da:77:70:6f
        4: name wlan  ip ...

  • Page 92: Info Ospf

    info ospf. Purpose: the info ospf command is used to display general information about your appliance's OSPF settings. Syntax: info ospf. Parameters: none. Return values: general OSPF information. Example: running this command results in information such as the following: ospf ...

  • Page 93: Info Ospf Database

    info ospf database. Purpose: the info ospf database command is used to display information about the OSPF link-state database. Syntax: info ospf database. Parameters: none. Return values: information about reported link states. Example: running this command results in informati...

  • Page 94

    OSPF router with ID (62.90.32.158)
    Router link states (area 0.0.0.0)
      Link ID         ADV router      Age   Seq#         CkSum    Link count
      62.90.32.158    62.90.32.158    569   0x80000005   0x65da   1
      192.168.10.3    192.168.10.3    630   0x80000005   0xfb66   1
      192.168.10.4    192.168.10.4    631   0x80000006   0xfa62   1
      192.168.10.10...

  • Page 95

    Router link states (area 2.2.2.2)
      Link ID         ADV router      Age   Seq#         CkSum    Link count
      62.90.32.158    62.90.32.158    590   0x80000001   0xeac9   0
    AS external link states
      Link ID    ADV router      Age   Seq#         CkSum    Route
      0.0.0.0    62.90.32.131    999   0x80000001   0x0120   E1 0.0.0.0/0 [0x0]
      0.0.0.0    192.168.10.3    1...

  • Page 96: Info Ospf Interface

    info ospf interface. Purpose: the info ospf interface command is used to display the status and OSPF settings of each network interface and VTI (virtual tunnel interface). Syntax: info ospf interface. Parameters: none. Return values: OSPF information for each network interface ...

  • Page 97

    Example: running this command results in information such as the following:
      lan is up
        ifindex 9, mtu 1500 bytes, bw 0 kbit
        internet address 192.168.10.101/24, broadcast 192.168.10.255, area 0.0.0.0
        mtu mismatch detection: enabled
        router id 192.168.10.101, network type broadcast...

  • Page 98: Info Ospf Neighbor

    info ospf neighbor. Purpose: the info ospf neighbor command is used to display information about your appliance's OSPF neighbors. Syntax: info ospf neighbor. Parameters: none. Return values: a list of OSPF neighbors. The information provided for each OSPF neighbor includes the ...

  • Page 99

    Example: running this command results in information such as the following:
      Neighbor ID     Pri   State          Dead Time   Address         Interface             RXmtL   RqstL   DBsmL
      192.168.10.3    1     Full/DROther   34.231s     192.168.10.3    lan:192.168.10.101    0       0       0
      192.168.10.4    1     Full/DROther   34.234s     192.168.10.4    lan:192.16...

  • Page 100: Info Ospf Routes

    info ospf routes. Purpose: the info ospf routes command is used to display information about OSPF routes. Syntax: info ospf routes. Parameters: none. Return values: a list of OSPF-related routes. Each route is marked with a code that indicates its type. The NetDefend firewall s...

  • Page 101

    Example: running this command results in information such as the following:
      Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - ISIS, B - BGP, > - selected route, * - FIB route
      K>* 0.0.0.0/0 via 212.143.205.164, ppp0
      C>* 127.0.0.0/8 is directly connected...

  • Page 102: Info Ports

    info ports. Purpose: the info ports command is used to display the status of the NetDefend firewall's ports, including each Ethernet connection's duplex state. This is useful if you need to check whether the appliance's physical connections are working, and you can't see the LE...

  • Page 103

    Example: running this command results in information such as the following:
      info ports
      wan: speed: 100 mbps, mode: full duplex
      lan: no link; no link; no link; speed: 100 mbps, mode: full duplex
      dmz: speed: 100 mbps, mode: full duplex

  • Page 104: Info Printers

    Info printers. Purpose: the info printers command is used to display information about your printers, such as their statuses and the ports used, and additional details. This command is only relevant for models supporting a print server. Syntax: info printers. Parameters: none. R...

  • Page 105

    Example: running this command results in information such as the following: vendor name: Hewlett-Packard; product name: psc 2100 series; serial number: my31tf62yj0f; tcp port: 9100; pending jobs: 0; status: ready.

  • Page 106: Info Probe

    Info probe. Purpose: the info probe command is used to display connection-probing results for the primary and secondary Internet connections on specific ports. Connection probing is a way to detect Internet failures that are more than one hop away. To generate information for t...

  • Page 107

    • the Internet connection's status, as determined by probing a specific server. This can be the following: up - probing the server succeeded. down - probing the server failed for 45 seconds. If probing failed for all listed servers (all statuses are down), then the Internet c...
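The two status rules quoted above (a server goes "down" only after 45 seconds of failed probes; the connection is "down" only when every listed server is down) can be exercised with the model below. It is an added example, not code from the CLI reference or the appliance: the server addresses, probe times and the "unknown" result for an empty server list are assumptions of the model, and the appliance's probe interval, which the page does not give, is not assumed.

```python
"""Model of the status rules described for `info probe`.

Added illustration, not code from the CLI reference or the appliance: it
implements the two rules the page states (a server is reported "down" only
after probes have failed for 45 seconds; the Internet connection is "down"
only when every listed server is down) so the hysteresis and the all-down
condition can be exercised against a constructed timeline. Server addresses,
probe times and the "unknown" result for an empty server list are
assumptions of this model, not appliance behaviour.
"""
from dataclasses import dataclass
from typing import Dict, Optional

DOWN_AFTER_SECONDS = 45.0  # from the page: "probing the server failed for 45 seconds"


@dataclass
class ProbeState:
    """Per-server state: when the current run of failures started (None while up)."""
    first_failure_at: Optional[float] = None

    def record(self, now: float, succeeded: bool) -> None:
        if succeeded:
            self.first_failure_at = None          # any success ends the failure run
        elif self.first_failure_at is None:
            self.first_failure_at = now           # start timing the outage

    def status(self, now: float) -> str:
        if self.first_failure_at is None:
            return "up"
        failing_for = now - self.first_failure_at
        return "down" if failing_for >= DOWN_AFTER_SECONDS else "up"


class ConnectionProbe:
    """Aggregates the probed servers of one Internet connection."""

    def __init__(self, servers):
        self.states: Dict[str, ProbeState] = {s: ProbeState() for s in servers}

    def record(self, now: float, server: str, succeeded: bool) -> None:
        self.states[server].record(now, succeeded)

    def server_statuses(self, now: float) -> Dict[str, str]:
        return {s: st.status(now) for s, st in self.states.items()}

    def connection_status(self, now: float) -> str:
        statuses = self.server_statuses(now)
        if not statuses:
            return "unknown"                      # assumption: nothing to probe
        # Page rule: the connection is down only if ALL servers are down.
        return "down" if all(v == "down" for v in statuses.values()) else "up"


def demo() -> Dict[str, str]:
    """Constructed timeline: server A fails from t=0, server B from t=50,
    A recovers at t=100. Returns the connection status at key instants."""
    probe = ConnectionProbe(["198.51.100.1", "198.51.100.2"])
    for t in (0, 10, 20, 30, 40):
        probe.record(t, "198.51.100.1", False)
        probe.record(t, "198.51.100.2", True)
    out = {"t=44": probe.connection_status(44), "t=45": probe.connection_status(45)}
    probe.record(50, "198.51.100.2", False)
    out["t=94"] = probe.connection_status(94)
    out["t=95"] = probe.connection_status(95)
    probe.record(100, "198.51.100.1", True)
    out["t=100"] = probe.connection_status(100)
    return out


if __name__ == "__main__":
    print(demo())
```

The point the timeline makes is the one that matters when you read `info probe` output during an outage: a single server listed as down says nothing about the connection, and a server that has just started failing is still shown as up for up to 45 seconds.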

  • Page 108: Info Statistics

    Info statistics. Purpose: the info statistics command enables you to view traffic monitor reports for incoming and outgoing traffic for all enabled network interfaces and QoS classes. This enables you to identify network traffic trends and anomalies, and to fine-tune traffic sh...

  • Page 109

    The following information is displayed in each row: time - the interval's start and end time, in the format hh:mm:ss-hh:mm:ss, where hh = hours, mm = minutes, ss = seconds. incoming - the rate of incoming traffic in kilobits/second. outgoing - the rate of outgoing traffic in kilobits/s...

  • Page 110

    lan interface (total traffic): time, incoming (kbits/second), outgoing (kbits/second): 07:59:32-08:29:32 0 1; 08:29:32-08:59:32 0 4; 08:59:32-09:29:32 0 2; 09:29:32-09:59:32 0 2; 09:59:32-10:29:32 0 11; ... QoS traffic report: class default (total traffic): time, incoming (kbits/seco...

  • Page 111: Info Statistics Interface

    Info statistics interface. Purpose: the info statistics interface command enables you to view traffic monitor reports for specific types of traffic on specific network interfaces. This enables you to identify network traffic trends and anomalies. Note: the firewall blocks broad...

  • Page 112

    Return values: reports for the specified type of traffic on the specified interfaces. Each traffic report row displays traffic rates in kilobits/second for a specific interval of time. If desired, you can change this interval. For information, see statistics on page 341. The ...

  • Page 113

    Example: running the following command: info statistics interface lan blocked results in information such as the following: interfaces traffic report: lan interface (dropped traffic): time, incoming (kbits/second), outgoing (kbits/second): 04:01:34-04:31:34 0 4; 04:31:34-05:01:3...
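The report rows of info statistics, info statistics interface and info statistics qos all share the format described above (hh:mm:ss-hh:mm:ss, incoming, outgoing in kbit/s). The following added example, which is not code from the CLI reference or the appliance, parses that format and applies a simple outlier check so that the "anomalies" the page mentions can be picked out mechanically from a pasted report. SAMPLE repeats the LAN rows quoted on the page; the "more than 3x the median" threshold is the example's own heuristic, not an appliance setting.

```python
"""Parser and outlier check for the interval rows of `info statistics`,
`info statistics interface` and `info statistics qos` reports.

Added illustration, not code from the CLI reference. Each report row is
"hh:mm:ss-hh:mm:ss <incoming> <outgoing>" in kbit/s; the reference prints the
rows one per line, but this parser also accepts them run together on one line
as the excerpt above shows them. SAMPLE repeats the LAN rows quoted on the
page; the "more than 3x the median" rule is this example's own heuristic for
spotting an anomalous interval, not an appliance setting.
"""
import re
from dataclasses import dataclass
from statistics import median
from typing import List

ROW = re.compile(r"(\d{2}:\d{2}:\d{2})-(\d{2}:\d{2}:\d{2})\s+(\d+)\s+(\d+)")

# Rows copied from the page's "lan interface (total traffic)" example.
SAMPLE = (
    "lan interface (total traffic): time incoming (kbits/seconds) outgoing (kbits/seconds) "
    "07:59:32-08:29:32 0 1 08:29:32-08:59:32 0 4 08:59:32-09:29:32 0 2 "
    "09:29:32-09:59:32 0 2 09:59:32-10:29:32 0 11"
)


@dataclass(frozen=True)
class Interval:
    start: str
    end: str
    incoming_kbps: int
    outgoing_kbps: int


def parse_report(text: str) -> List[Interval]:
    """Extract every interval row, ignoring the report title and column headers."""
    return [Interval(s, e, int(i), int(o)) for s, e, i, o in ROW.findall(text)]


def flag_outliers(rows: List[Interval], attr: str = "outgoing_kbps", factor: int = 3) -> List[Interval]:
    """Return the intervals whose rate is more than `factor` times the median.

    The median is used as the baseline so that a single spike cannot raise the
    baseline enough to hide itself. With a zero median (a quiet interface, or a
    dropped-traffic report that is normally empty) any non-zero interval is
    flagged, which is the behaviour you want for a "blocked" report.
    """
    if not rows:
        return []
    baseline = median([getattr(r, attr) for r in rows])
    return [r for r in rows if getattr(r, attr) > factor * baseline]


if __name__ == "__main__":
    for row in flag_outliers(parse_report(SAMPLE)):
        print(f"{row.start}-{row.end}: {row.outgoing_kbps} kbit/s outgoing")
```

Run against the page's own LAN rows this flags the 09:59:32-10:29:32 interval (11 kbit/s against a median of 2); run against a "blocked" report, where the baseline is normally zero, it flags every interval in which anything at all was dropped.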

  • Page 114: Info Statistics Qos

    Info statistics qos. Purpose: the info statistics qos command enables you to view traffic monitor reports for specific QoS classes, when Traffic Shaper is enabled. This enables you to fine-tune Traffic Shaper QoS class assignments. Syntax: info statistics qos [class class]. Par...

  • Page 115

    Example: running the following command: info statistics qos class urgent results in information such as the following: QoS traffic report: class urgent (total traffic): time, incoming (kbits/second), outgoing (kbits/second): 04:09:50-04:39:50 1 10; 04:39:50-05:09:50 8 0; 05:09:50...

  • Page 116: Info Tunnels

    Info tunnels. Purpose: the info tunnels command is used to display a list of currently established VPN tunnels. VPN tunnels are created and closed as follows: • remote access VPN sites configured for automatic login, and site-to-site VPN gateways: a tunnel is created whenever y...

  • Page 117

    encryption - the security protocol (IPsec), the type of encryption used to secure the connection, and the type of message authentication code (MAC) used to verify the integrity of the message. This information is presented in the following format: security protocol: encryption t...

  • Page 118

    status - indicates whether the VPN tunnel is functional. This can have the following values: • ok - the tunnel is functional. • fail - the VPN peer is not responding. Example: running this command for all network interfaces results in information such as the following: site src ...

  • Page 119: Info Vstream

    Info vstream. Purpose: the info vstream command is used to display information about the VStream Antivirus signature databases. VStream Antivirus maintains two databases: a daily database and a main database. The daily database is updated frequently with the newest virus signat...

  • Page 120

    Example: running this command results in information such as the following: main database: Sep 13, 2005 02:20:30 PM GMT, version 1.1.0; daily database: Dec 4, 2005 08:29:22 AM GMT, version 1.1.46; next update: not subscribed for updates; service status: ok. 108 D-Link NetDefend CL...

  • Page 121: Info Wan

    Info wan. Purpose: the info wan command is used to display information about the defined Internet connections. Syntax: info wan [connection]. Parameters: connection - integer. The Internet connection for which to display information. This can have the following values: • 1 - display in...

  • Page 122

    Return values: the following information is displayed for each Internet connection: number - the connection's number. name - the connection's name. This can have the following values: • primary • secondary. connected - indicates whether the connection is currently up. This can have t...

  • Page 123

    Example: in the following example, a dialup Internet connection is configured as the secondary connection, and information is displayed for all connections: wan: 1: name primary, connected true, idle_timeout 0; 2: name secondary, connected false, idle_timeout 15.

  • Page 124: Info Wireless Ap

    Info wireless ap. Purpose: the info wireless ap command is used to display information about your appliance's wireless access point. This command is only relevant for models supporting a wireless interface. Syntax: info wireless ap. Parameters: none. Return values: operation mo...

  • Page 125

    region - the region within which the NetDefend firewall is certified for use. This can be any of the following: • etsi-a • etsi-b • etsi-c • fcca • world - all other regions. Warning: using the NetDefend firewall outside of the certified region may result in the violation of gove...

  • Page 127: Chapter 5

    Chapter 5: CLI variables. This chapter provides a list of CLI variables that can be used with the CLI commands in CLI commands on page 17. Note: the syntax for using a CLI variable as part of an export command is identical to the syntax for using the variable as part of a show c...

  • Page 128

    net wan 195; net wan ospf 208; net wan ospf md5 ...

  • Page 129

    smartdefense network-security dos ping-of-death 301; smartdefense network-security dos teardrop 303; smartdefense network-security ip-icmp cisco-ios 305; smartdefen...

  • Page 130: Certificate

    Certificate. Purpose: the certificate variable is used for working with certificates in the following ways: • generating a self-signed certificate • clearing an installed certificate. A digital certificate is a secure means of authenticating the NetDefend firewall to other site-to-site VPN...

  • Page 131

    Syntax: when used with add: add certificate country country organization organization unit unit gatewayname gatewayname expyear expyear expmonth expmonth expday expday. When used with clear: clear certificate. Fields: country - string. The country code of the country in which you are locate...

  • Page 132

    Example 1: the following command generates a self-signed certificate for the gateway 00:08:da:77:70:70, where the organization is mycompany, the division is marketing, the country is Great Britain, and the certificate's expiration date is December 31, 2014: add cert country gb organizati...

  • Page 133: Clock

    Clock. Purpose: the clock variable is used for working with clock settings in the following ways: • setting the appliance time • displaying and exporting the appliance clock settings. Syntax: when used with set: set clock [time time] [day day] [month month] [year year] [timezone timezone] [ntp1 ...

  • Page 134

    year - integer. The current year. timezone - string. The local time zone, in the format GMT<sign>hh:mm, where <sign> = + or -, hh = hours, mm = minutes; for example, gmt+05:00 or gmt-04:00. ntp1 - string. The IP address of the primary NTP server. ntp2 - string. The IP address of the secondary NTP server. Example 1 ...

  • Page 135: Device

    Device. Purpose: the device variable is used for working with device settings in the following ways: • setting device details • displaying and exporting device details. Syntax: when used with set: set device [behindnat behindnat] [hostname hostname] [productkey productkey]. When used with show:...

  • Page 136

    Example 1: the following command sets the hostname to "mycomputer1" and the product key to "aaaaaa-bbbbbb-cccccc": set device hostname mycomputer1 productkey aaaaaa-bbbbbb-cccccc. Example 2: the following command displays the appliance's public IP address: show device behindnat

  • Page 137: Dhcp Scopes

    Dhcp scopes. Purpose: the dhcp scopes variable is used for working with DHCP (Dynamic Host Configuration Protocol) scopes in the following ways: • adding a DHCP scope for an internal network • modifying an internal network's DHCP scope • deleting an internal network's DHCP ...

  • Page 138

    When used with clear: clear dhcp scopes. Fields: number - integer. The DHCP scope's row in the dhcp scopes table. network - string. The name of the network whose DHCP scope you want to affect. This can have the following values: • lan • dmz • officemode • wlan • the name of a VLAN network. Do...

  • Page 139

    dns1 - IP address or string. The IP address of the primary DNS server to pass to DHCP clients instead of the gateway. This can have the following values: • an IP address • undefined - the primary DNS server is not defined. The default value is undefined. This field is only relevant if the...

  • Page 140

    wins1 - IP address or string. The IP address of the primary WINS server to use instead of the gateway. This can have the following values: • an IP address • undefined - the primary WINS server is not defined. The default value is undefined. This field is only relevant if the wins field is...

  • Page 141

    ntp2 - IP address or string. The IP address of the secondary NTP server to use for synchronizing the time on the DHCP clients. This can have the following values: • an IP address • undefined - the secondary NTP server is not defined. The default value is undefined. callmgr1 - IP address or ...

  • Page 142

    tftpbootfile - string. The full path of the boot file to use for booting DHCP clients via TFTP. This field is only relevant if a TFTP server is defined in the tftpserver field. Example 1: the following command adds a DHCP scope for the lan network and specifies the default domain suffix "m...

  • Page 143: Dialup

    Dialup. Purpose: the dialup variable is used for working with dialup modem settings in the following ways: • setting up a dialup modem • displaying and exporting dialup modem settings. You can use a dialup modem as a primary or secondary Internet connection method. This is useful in locations w...

  • Page 144

    Fields: type - string. The modem type. This can have the following values: • custom - a custom modem. If the modem type is custom, you must include the custominitstring field. • hayes accura 56k • usrobotics courier i-modem isdn/v.34 • netcruiser 56k (conexant chipset) • webexcel 56k (ambient ...

  • Page 145

    dialmode - string. The dial mode the modem uses. This can have the following values: • tone • pulse. The default value is tone. custominit - string. The initialization string for the custom modem type. This information is provided automatically if a standard modem type is used. Example 1: the follo...

  • Page 146

    Fw. Purpose: the fw variable is used for working with firewall settings in the following ways: • defining an exposed host. The NetDefend firewall allows you to define an exposed host, which is a computer that is not protected by the firewall. This is useful for setting up a public server. It allows...

  • Page 147

    Fields: exposedhost - IP address. The IP address of the computer you wish to define as an exposed host. level - string. The firewall security level. This can have the following values: • low - enforces basic control on incoming connections, while permitting all outgoing connections. All inbound traff...

  • Page 148

    Example 1: the following command sets the firewall level to high: set fw level high. Example 2: the following command displays all firewall settings, including firewall rules and server rules: show fw

  • Page 149: Fw Rules

    Fw rules. Purpose: the fw rules variable is used for working with firewall rules in the following ways: • adding new firewall rules • modifying firewall rules • deleting firewall rules • displaying and exporting firewall rules • clearing the firewall rules table. The NetDefend firewall checks...

  • Page 150

    Syntax: when used with add: add fw rules action action [service service] [src src] [dest dest] [ports ports] [protocol protocol] [qosclass qosclass] [redirectport redirectport] [index index] [log log] [disabled disabled]. When used with set: set fw rules number [action action] [service serv...

  • Page 151

    service - integer or string. The service to which the rule should apply. This can have the following values: • custom - the rule should apply to a specific non-standard service. You must include the protocol and ports fields. • 0 or any - the rule should apply to any service. • 80 or web • 21...

  • Page 152

    src - IP address or string. The source of the connections you want to allow/block. This can have the following values: • an IP address • an IP address range - to specify a range, use the following format: <start address>-<end address> • any - the rule should apply to any source. • wan • lan • dmz • officemode •...

  • Page 153

    dest - IP address or string. The destination of the connections you want to allow or block. This can have the following values: • an IP address • an IP address range - to specify a range, use the following format: <start address>-<end address> • any - the rule should apply to any destination. • wan • lan...

  • Page 154

    protocol - string. The protocol for which the rule should apply. This can have the following values: • any - the rule should apply to any protocol. • tcp • icmp • udp • gre • esp. The default value is any. qosclass - string. An existing QoS class to which you want to assign the specified connec...

  • Page 155

    index - integer. The firewall rule's row in the firewall rules table. Use this field to move the rule up or down in the firewall rules table. The appliance processes rules higher up in the table (lower indexes) before rules lower down in the table (higher indexes). If you do not include this ...

  • Page 156

    Example 1: the following command creates an allow rule for FTP connections from the WAN to the LAN and assigns these connections to the important QoS class: add fw rules action allow service ftp src wan dest lan qosclass important. Example 2: the following command modifies rule ...
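Because the table is evaluated top-down and the first match wins, the index field decides whether a rule has any effect at all. The following added example, which is not code from the CLI reference or the appliance, models that evaluation for the fields of add fw rules that determine a match (action, service, src, dest, disabled) and shows how the same FTP connection is allowed or blocked depending only on where a broad block rule is inserted. The zone membership of the constructed addresses and the default of "block" for a connection matching no rule are assumptions of the model; on the appliance that fallthrough is governed by the firewall security level, which the model does not reproduce.

```python
"""First-match evaluation of a firewall rules table in the ordering the
`index` field describes (lower index is checked first).

Added illustration, not code from the CLI reference or the appliance. It
models the fields of `add fw rules` that decide a match (action, service,
src, dest, disabled) and the effect of `index` on the outcome for the same
connection. What is NOT on the page and is assumed here: the zone membership
of the constructed addresses, and that a connection matching no rule falls
through to a default of "block" (on the appliance that fallthrough is decided
by the security level, which this model does not reproduce). The officemode
and vpn zone names are not modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed zone layout for the example traffic; anything else counts as "wan".
ZONES = {
    "lan": ip_network("192.168.10.0/24"),
    "dmz": ip_network("192.168.20.0/24"),
}


@dataclass
class Rule:
    action: str                 # "allow" or "block"
    service: str = "any"        # e.g. "ftp", "web", or "any"
    src: str = "any"            # "any", a zone name, an IP, a CIDR, or "<start>-<end>"
    dest: str = "any"
    disabled: bool = False


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"


def field_matches(spec: str, addr: str) -> bool:
    """Match one src/dest field against a concrete address."""
    if spec == "any":
        return True
    if spec in ("wan", "lan", "dmz"):
        return zone_of(addr) == spec
    if "-" in spec:                                  # "<start address>-<end address>"
        lo, hi = (ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= ip_address(addr) <= hi
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules: List[Rule], service: str, src: str, dest: str) -> Tuple[str, Optional[int]]:
    """Walk the table from index 1 upward and return (action, matching index).

    The first enabled rule whose service, src and dest all match decides the
    connection; later rules are never consulted, which is why a broad block
    placed above a narrow allow silences it, and vice versa.
    """
    for index, rule in enumerate(rules, start=1):
        if rule.disabled:
            continue
        if rule.service not in ("any", service):
            continue
        if field_matches(rule.src, src) and field_matches(rule.dest, dest):
            return rule.action, index
    return "block", None   # assumed default; see module docstring


def insert_at(rules: List[Rule], rule: Rule, index: int) -> List[Rule]:
    """Model of `add fw rules ... index N`: place the new rule at row N."""
    table = list(rules)
    table.insert(index - 1, rule)
    return table


if __name__ == "__main__":
    ftp_allow = Rule("allow", "ftp", "wan", "lan")      # the page's Example 1
    block_all = Rule("block")
    conn = ("ftp", "203.0.113.5", "192.168.10.21")
    print("block appended :", evaluate(insert_at([ftp_allow], block_all, 2), *conn))
    print("block at index1:", evaluate(insert_at([ftp_allow], block_all, 1), *conn))
```

The two printed lines differ only in the index given to the block rule; auditing a rules table therefore means reading it in index order and stopping at the first match for the connection in question, not looking for the most specific rule.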

  • Page 157: Fw Servers

    Fw servers. Purpose: the fw servers variable is used for working with servers in the following ways: • configuring servers • deleting servers • displaying and exporting servers. You configure servers in order to selectively allow incoming network connections into your network. For example, ...

  • Page 158

    Fields: service - string. The desired service or application. This can have the following values: • web • ftp • telnet • pop3 • smtp • pptp • ipsec • nbt • h323. hostip - IP address or string. The IP address of the computer that will run the service (one of your network computers). This can ha...

  • Page 159

    Example 1: the following command allows FTP connections made through a VPN only: set fw servers ftp hostip 192.168.10.21 enconly true. Example 2: the following command deletes the defined FTP server: delete fw servers ftp. Example 3: the following command displays the FTP server's IP addres...

  • Page 160

    Ha. Purpose: the ha variable is used for working with high availability settings in the following ways: • configuring high availability settings • displaying and exporting high availability network settings, including Internet connection tracking settings and high availability effect settings. For...

  • Page 162

    syncinterface - string. The network you want to use as the synchronization interface. The active gateway sends periodic signals, or "heartbeats", to the network via the synchronization interface. This can have the following values: • lan - the LAN network. • dmz - the DMZ network. • the name of a V...

  • Page 163

    groupid - integer. The ID number of the cluster to which the gateway should belong. This must be an integer between 1 and 255. The default value is 55. This field is only relevant if there are multiple HA clusters on the same network segment. If only one HA cluster exists, there is no need to chang...

  • Page 164: Ha Effect

    Ha effect. Purpose: the ha effect variable is used for working with high availability effect settings in the following ways: • configuring the desired effect of the gateway's high availability status • displaying and exporting this setting. When high availability is enabled, you can specify ...

  • Page 165

    Example 1: the following command disables the high availability effect on VPN tunnels: set ha effect vpn disabled. Example 2: the following command displays the gateway's high availability effect setting: show ha effect. Chapter 5: CLI variables 153.

  • Page 166: Ha Track

    Ha track. Purpose: the ha track variable is used for working with Internet connection tracking settings in the following ways: • configuring interface tracking • displaying and exporting interface tracking settings. When high availability is enabled, you can configure Internet connection trac...

  • Page 167

    Fields: wan1 - integer. The amount to reduce the gateway's priority if the primary Internet connection goes down. This must be an integer between 0 and 255. The default value is 0. wan2 - integer. The amount to reduce the gateway's priority if the secondary Internet connection goes down. This m...

  • Page 168: Https

    Https. Purpose: the https variable is used for working with HTTPS in the following ways: • enabling and configuring HTTPS access to the NetDefend Portal • displaying and exporting HTTPS settings. When HTTPS remote access is enabled, NetDefend firewall users can securely access the NetDefend Port...

  • Page 169

    Fields: mode - string. Indicates from where HTTPS access to the NetDefend Portal should be granted. This can have the following values: • internal - the internal network only. This disables remote HTTPS capability. Note: you can use HTTPS to access the NetDefend Portal from your internal network...

  • Page 170

    Example 1: the following command enables NetDefend users to access the NetDefend Portal using HTTPS from any IP address: set https mode any. Note that this exposes the management portal to the whole Internet; where remote access is needed, grant it only from a known address range (see the iprange field) rather than from any address. Example 2: the following command displays the IP address or IP address range from which HTTPS access is granted: show https iprange

  • Page 171: Hotspot

    Hotspot. Purpose: the hotspot variable is used for working with Secure HotSpot settings in the following ways: • configuring Secure HotSpot settings • displaying and exporting Secure HotSpot settings. You can enable your NetDefend firewall as a public Internet access hotspot for specific netwo...

  • Page 173

    usehttps - string. Indicates whether users are required to log on to My HotSpot using HTTPS. This can have the following values: • true - users must log on using HTTPS. If they connect using HTTP, they are automatically redirected to HTTPS. • false - users can log on using HTTP. HTTPS is not...

  • Page 174: Mailfilter Antispam

    Mailfilter antispam. Purpose: the mailfilter antispam variable is used for working with the email antispam service in the following ways: • enabling/disabling the email antispam service • displaying and exporting the email antispam service mode. When the email antispam service is e...

  • Page 175

    Fields: mode - string. The email antispam service mode. This can have the following values: • enabled - enables the service for all internal network computers. • disabled - disables the service for all internal network computers. The default value is disabled. Example 1: the follo...

  • Page 176: Mailfilter Antivirus

    Mailfilter antivirus. Purpose: the mailfilter antivirus variable is used for working with the email antivirus service in the following ways: • enabling/disabling the email antivirus service • displaying and exporting the email antivirus service mode. When the email antivirus servi...

  • Page 177

    set mailfilter antivirus mode mode. When used with show: show mailfilter antivirus [mode]. Fields: mode - string. The email antivirus service mode. This can have the following values: • enabled - enables the service for all internal network computers. • disabled - disables the serv...

  • Page 178: Mailfilter Protocols

    Mailfilter protocols. Purpose: the mailfilter protocols variable is used for working with email filtering protocol settings in the following ways: • defining which protocols should be scanned for viruses and spam • displaying and exporting email filtering protocol settings. You ca...

  • Page 179

    smtp - string. Indicates whether outgoing email should be scanned. This can have the following values: • enabled - scan all outgoing email. • disabled - do not scan outgoing email. The default value is enabled. Example 1: if email filtering is enabled, you can use the following c...

  • Page 180: Net Dmz

    Net dmz. Purpose: the net dmz variable is used for working with demilitarized zone (DMZ) network settings in the following ways: • configuring your NetDefend firewall's DMZ network settings, including: • hide network address translation (NAT) • the DMZ network's default gateway • the DMZ netw...

  • Page 181

    Note: some appliance models have a dedicated DMZ port to which you must connect all DMZ computers. In these models, you must assign the DMZ/WAN2 port to the DMZ. For information, see port. In appliance models that do not have a dedicated DMZ port, the DMZ is a logical second network behind t...

  • Page 182

    hidenat - string. Indicates whether to use Hide NAT. Hide NAT enables you to share a single public Internet IP address among several computers, by "hiding" the private IP addresses of the internal DMZ computers behind the DMZ network's single Internet IP address. This field can have the follow...

  • Page 183

    dhcpserver - string. Indicates whether the NetDefend DHCP server is enabled. This can have the following values: • enabled - the NetDefend DHCP server is enabled. • disabled - the NetDefend DHCP server is disabled. • relay - DHCP relay is enabled. The default value is enabled. By default, the...

  • Page 184

    dhcprange - string. Indicates how the DHCP server should obtain the DHCP address range. The DHCP address range is the range of IP addresses that the DHCP server can assign to network devices. IP addresses outside of the DHCP address range are reserved for statically addressed computers. This f...

  • Page 185

    hotspot - string. Indicates whether to enable Secure HotSpot for the DMZ network. This can have the following values: • enabled - Secure HotSpot is enabled for the DMZ. • disabled - Secure HotSpot is disabled for the DMZ. The default value is disabled.

  • Page 186

    Example 1: the following command enables Hide NAT for the DMZ network: set net dmz hidenat enabled. Example 2: the following command displays the DMZ network's DHCP range: show net dmz dhcprange

  • Page 187: Net Dmz Ha

    Net dmz ha. Purpose: the net dmz ha variable is used for working with DMZ high availability settings in the following ways: • configuring DMZ high availability settings • displaying and exporting DMZ high availability settings. You can create a high availability cluster consisting of two or...

  • Page 188

    Example 1: the following command sets the DMZ network's virtual IP address: set net dmz ha virtualip 192.168.10.14. Example 2: the following command displays the appliance's DMZ high availability settings: show net dmz ha

  • Page 189: Net Dmz Ospf

    Net dmz ospf. Purpose: the net dmz ospf variable is used for working with OSPF settings for the DMZ in the following ways: • configuring OSPF cost for the DMZ • displaying and exporting OSPF settings for the DMZ, including authentication settings. For information on configuring, displayin...

  • Page 190

    Example 1: the following command sets the DMZ's OSPF cost: set net dmz ospf cost 10. Example 2: the following command displays the DMZ's OSPF settings: show net dmz ospf

  • Page 191: Net Dmz Ospf Md5

    Net dmz ospf md5. Purpose: the net dmz ospf md5 variable is used for working with OSPF MD5 authentication settings for the DMZ in the following ways: • configuring OSPF MD5 authentication settings for the DMZ • displaying and exporting OSPF MD5 authentication settings for the DMZ. Thi...

  • Page 192

    Example 1: the following command enables MD5 authentication for OSPF connections on the DMZ, using key ID 1: set net dmz ospf md5 enabled true key 1 password thepassword. Example 2: the following command displays the DMZ's OSPF MD5 authentication settings: show net dmz ospf md5
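What the key and password above actually protect is worth seeing in code. OSPF MD5 authentication is the cryptographic authentication of RFC 2328 Appendix D.4.3: the sender appends MD5(packet || 16-byte zero-padded key) to each OSPF packet, and the receiver looks the key up by the key ID carried in the header, recomputes the digest, and uses the cryptographic sequence number to reject replays. Nothing is encrypted; the mechanism gives integrity and origin authentication of routing updates, and neighbours must share both the key ID and the password. The following added example, not code from the CLI reference or the appliance, implements that exchange on a constructed OSPFv2 header; the router ID, area ID and key table are invented for the example, and the appliance's own key handling is not assumed beyond what the RFC specifies.

```python
"""What `set net dmz ospf md5 enabled true key 1 password thepassword`
turns on: OSPF cryptographic authentication (RFC 2328, Appendix D.4.3).

Added illustration, not code from the CLI reference or the appliance. It
builds a minimal OSPFv2 header, appends the MD5 digest the RFC specifies
(MD5 over the packet followed by the 16-byte zero-padded key), and verifies
it on the receiving side by key ID, with the cryptographic sequence number
used to reject replays. Router/area IDs and the key table are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict

OSPF_VERSION = 2
AUTH_TYPE_CRYPTO = 2
HEADER_LEN = 24
DIGEST_LEN = 16


def pad_key(password: str) -> bytes:
    """RFC 2328 D.3: the key is 16 bytes; shorter passwords are zero-padded."""
    key = password.encode()
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def ospf_packet(ptype: int, router_id: bytes, area_id: bytes, key_id: int,
                seq: int, body: bytes = b"") -> bytes:
    """OSPFv2 header + body. Under cryptographic authentication the checksum
    field is 0 and the 8-byte authentication field holds: 0x0000, key ID,
    auth data length (16), cryptographic sequence number."""
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, ptype, HEADER_LEN + len(body),
                         router_id, area_id, 0, AUTH_TYPE_CRYPTO)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + auth + body


def sign(packet: bytes, password: str) -> bytes:
    """Sender: append MD5(packet || key). The digest is not counted in the
    header's length field, exactly as the RFC describes."""
    return packet + hashlib.md5(packet + pad_key(password)).digest()


def verify(frame: bytes, keys: Dict[int, str], last_seq: Dict[bytes, int]) -> bool:
    """Receiver. `keys` maps key ID -> password (the neighbour's `key` and
    `password` settings must match ours); `last_seq` holds the highest
    sequence number accepted per neighbour router ID and is updated on success."""
    if len(frame) < HEADER_LEN + DIGEST_LEN:
        return False
    packet, digest = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False                     # length field must cover the packet only
    router_id = packet[4:8]
    key_id = packet[18]
    seq = struct.unpack("!I", packet[20:24])[0]
    password = keys.get(key_id)
    if password is None:
        return False                     # unknown key ID: cannot authenticate
    if seq < last_seq.get(router_id, 0):
        return False                     # replay: older than what was accepted
    expected = hashlib.md5(packet + pad_key(password)).digest()
    if not hmac.compare_digest(expected, digest):
        return False                     # wrong password or modified packet
    last_seq[router_id] = seq
    return True


if __name__ == "__main__":
    rid, area = bytes([192, 168, 10, 101]), bytes(4)
    frame = sign(ospf_packet(1, rid, area, key_id=1, seq=7), "thepassword")
    print("same key/password :", verify(frame, {1: "thepassword"}, {}))
    print("wrong password    :", verify(frame, {1: "otherpass"}, {}))
    print("different key ID  :", verify(frame, {2: "thepassword"}, {}))
```

Two operational consequences follow from the code: a neighbour configured with the same password under a different key ID never authenticates, and the protection is only as strong as the shared password and MD5, so this setting keeps unauthenticated or forged route injection off the segment but does not hide the routing information from anyone who can capture it.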

  • Page 193: Net Lan

    Net lan. Purpose: the net lan variable is used for working with your local area network (LAN) settings in the following ways: • configuring your NetDefend firewall's LAN settings, including: • hide network address translation (NAT) • your NetDefend firewall's internal IP address • the range o...

  • Page 194

    Note: after changing LAN settings, you must do the following: • if your computer is configured to obtain its IP address automatically (using DHCP), and either the NetDefend DHCP server or another DHCP server is enabled, restart your computer. Your computer obtains an IP address in the new ra...

  • Page 195

    Fields: hidenat - string. Indicates whether to use Hide NAT. Hide NAT enables you to share a single public Internet IP address among several computers, by "hiding" the private IP addresses of the internal computers behind the NetDefend firewall's single Internet IP address. This field can have...

  • Page 196

    dhcpserver - string. Indicates whether the NetDefend DHCP server is enabled. This can have the following values: • enabled - the NetDefend DHCP server is enabled. • disabled - the NetDefend DHCP server is disabled. • relay - DHCP relay is enabled. The default value is enabled. By default, the...

  • Page 197

    dhcprange - string. Indicates how the DHCP server should obtain the DHCP address range. The DHCP address range is the range of IP addresses that the DHCP server can assign to network devices. IP addresses outside of the DHCP address range are reserved for statically addressed computers. This f...

  • Page 198

    Example 1: the following command enables Hide NAT for the LAN: set net lan hidenat enabled. Example 2: the following command displays the LAN DHCP range: show net lan dhcprange

  • Page 199: Net Lan Ha

    Net lan ha: see net dmz ha on page 175.

  • Page 200: Net Lan Ospf

    Net lan ospf: see net dmz ospf on page 177.

  • Page 201: Net Lan Ospf Md5

    Net lan ospf md5: see net dmz ospf md5 on page 179.

  • Page 202: Net Officemode

    Net officemode. Purpose: the net officemode variable is used for working with OfficeMode network settings in the following ways: • configuring your NetDefend firewall's OfficeMode network settings, including: • hide network address translation (NAT) • the OfficeMode network's default g...

  • Page 203

    Note: OfficeMode requires Check Point SecureClient to be installed on the VPN clients. It is not supported by Check Point SecuRemote. When OfficeMode is not supported by the VPN client, Traditional Mode is used instead. Note: the DHCP server only serves computers that ar...

  • Page 204

    hidenat - string. Indicates whether to use Hide NAT. Hide NAT enables you to share a single public Internet IP address among several computers, by "hiding" the private IP addresses of the internal OfficeMode computers behind the OfficeMode network's single Internet IP address. This fiel...

  • Page 205

    dhcpserver - string. Indicates whether the NetDefend DHCP server is enabled. This can have the following values: • enabled - the NetDefend DHCP server is enabled. • disabled - the NetDefend DHCP server is disabled. • relay - DHCP relay is enabled. The default value is enabled. By defau...

  • Page 206

    dhcprange - string. Indicates how the DHCP server should obtain the DHCP address range. The DHCP address range is the range of IP addresses that the DHCP server can assign to network devices. IP addresses outside of the DHCP address range are reserved for statically addressed computers....

  • Page 207: Net Wan

    Net wan. Purpose: the net wan variable is used for doing the following: • configuring your NetDefend firewall's primary Internet connection • displaying and exporting the primary Internet connection's settings, including OSPF settings and connection probing settings. For information on config...

  • Page 208

    Net wan. Fields: mode string. The Internet connection type. • lan • cable • pppoe • pptp • bpa • none • dialup. gateway IP address. The IP address of your ISP's default gateway. This can have the following values: • an IP address • undefined - the default gateway is not defined. The default value is u...

  • Page 209

    Net wan. netmask IP address. The subnet mask that applies to the static IP address of your NetDefend firewall. This can have the following values: • an IP address • undefined - the subnet mask is not defined. The default value is undefined. This field is only relevant for LAN connections with a stat...

  • Page 210

    Net wan. pptpclientmask IP address. The subnet mask that applies to the static IP address of your NetDefend firewall. This can have the following values: • an IP address • undefined - the subnet mask is not defined. The default value is undefined. This field is only relevant for the PPTP connection ...

  • Page 211

    Net wan. mtu integer or string. The maximum transmission unit size. This can have the following values: • a unit size • automatic - the MTU is set automatically. The default value is automatic. As a general recommendation you should leave this field set to automatic. If however you wish to modify t...

  • Page 212

    Net wan. clonedmac MAC address or string. Indicates whether to clone a MAC address. You must clone a MAC address if your ISP restricts connections to specific, recognized MAC addresses. This field can have the following values: • a MAC address - the MAC address will be cloned. The MAC address must be...

  • Page 213

    Net wan. connectonlyactive string. Indicates whether the gateway should connect to the Internet only when it is the active gateway in the high availability cluster. This can have the following values: • true - the gateway will connect to the Internet only when it is the active gateway. This is called...

  • Page 214

    Net wan. disabled string. Indicates whether the connection is enabled. This can have the following values: • true - the connection is disabled. • false - the connection is enabled. The default value is false. This field is useful if, for example, you are going on vacation and do not want to leave yo...

  • Page 215

    Net wan. wins IP address or string. The WINS server IP address. This can have the following values: • an IP address • undefined - this server is not defined. The default value is undefined. uprate integer or string. Indicates whether to enable Traffic Shaper for outgoing traffic. This can have the f...

  • Page 216

    Net wan. downrate integer or string. Indicates whether to enable Traffic Shaper for incoming traffic. This can have the following values: • a rate (in bytes/second) - the rate should be slightly lower than your Internet connection's maximum measured downstream speed in the field provided. It is recom...

  • Page 217

    Net wan. connectondemand string. Indicates whether the dialup modem should connect to the Internet on demand. • disable - the modem is constantly connected to the Internet. • immediate - the dialup modem should only dial a connection if no other connection exists, and the NetDefend firewall is not ac...

  • Page 218

    Net wan. avoidgateway string. This variable indicates whether to automatically create a default route when an Internet connection is established. This can have the following values: • false - a default route is created automatically, meaning that the traffic to all non-internal networks will be route...

  • Page 219

    Net wan. Example 1: the following command configures the NetDefend firewall for a PPTP primary Internet connection: set net wan mode pptp user johnsmith.net.il@myisp password 123456 usedhcp disabled pptpserver 10.0.0.138 pptpservice relay_ppp1 pptpclientip 10.200.1.1 pptpclientmask 255.0.0.0 staticdn...

  • Page 220: Net Wan Ospf

    Net wan ospf: see net dmz ospf on page 177. 208 D-Link NetDefend CLI Reference Guide.

  • Page 221: Net Wan Ospf Md5

    Net wan ospf md5: see net dmz ospf md5 on page 179.

  • Page 222: Net Wan Probe

    Net wan probe. Purpose: the net wan probe variable is used for working with connection probing settings for Internet connections on the WAN port in the following ways: • configuring connection probing settings • displaying and exporting connection probing settings. Note: both the primary...

  • Page 223

    Net wan probe. Fields: probenexthop string. Indicates whether to automatically detect loss of connectivity to the default gateway. If you selected lan, this is done by sending ARP requests to the default gateway. If you selected pptp, pppoe, or dialup, this is done by sending PPP echo reply (LCP) mes...

  • Page 224

    Net wan probe. method string. Indicates whether to perform connection probing and which method to use. While the probenexthop option checks the availability of the next hop router, which is usually at your ISP, connectivity to the next hop router does not always i...

  • Page 225

    Net wan probe. dest1, dest2, dest3 string. If you chose the ICMP connection probing method, this field specifies the IP addresses or DNS names of the desired servers. If you chose the RDP connection probing method, this field specifies the IP addresses or DNS names of the desired VPN gateways. Exa...

  • Page 226: Net Wan2

    Net wan2. Purpose: the net wan2 variable is used for doing the following: • configuring your NetDefend firewall's secondary Internet connection • displaying and exporting the secondary Internet connection's settings, including OSPF settings and connection probing settings. For information on...

  • Page 227

    Net wan2. Example 1: the following command configures the NetDefend firewall for a dialup secondary Internet connection: set net wan2 mode dialup username johns.myisp.com password 123456 phonenumber 96909111 disabled false. Example 2: the following command configures the NetDefend firewall for a LAN s...

  • Page 228: Net Wan2 Ospf

    Net wan2 ospf: see net dmz ospf on page 177.

  • Page 229: Net Wan2 Ospf Md5

    Net wan2 ospf md5: see net dmz ospf md5 on page 179.

  • Page 230: Net Wan2 Probe

    Net wan2 probe: see net wan probe on page 210.

  • Page 231: Net Wlan

    Net wlan. Purpose: the net wlan variable is used for working with wireless network (WLAN) settings in the following ways: • configuring your NetDefend firewall's WLAN settings, including: • hide network address translation (NAT) • the WLAN network's default gateway • the WLAN network's inter...

  • Page 232

    Net wlan. Note: the DHCP server only serves computers that are configured to obtain an IP address automatically. If a computer is not configured to obtain an IP address automatically, it is recommended to assign it an IP address outside of the DHCP address range. If you do assign it an IP address wit...

  • Page 233

    Net wlan. hidenat string. Indicates whether to use Hide NAT. Hide NAT enables you to share a single public Internet IP address among several computers, by "hiding" the private IP addresses of the internal WLAN computers behind the WLAN network's single Internet IP address. This field can have the fol...

  • Page 234

    Net wlan. dhcpserver string. Indicates whether the NetDefend DHCP server is enabled. This can have the following values: • enabled - the NetDefend DHCP server is enabled. • disabled - the NetDefend DHCP server is disabled. • relay - DHCP relay is enabled. The default value is enabled. By default, th...

  • Page 235

    Net wlan. dhcprange string. Indicates how the DHCP server should obtain the DHCP address range. The DHCP address range is the range of IP addresses that the DHCP server can assign to network devices. IP addresses outside of the DHCP address range are reserved for statically addressed computers. This ...

  • Page 236

    Net wlan. Example 1: the following command enables Hide NAT for the WLAN network: set net wlan hidenat enabled. Example 2: the following command displays the WLAN network's DHCP range: show net wlan dhcprange

  • Page 237: Net Wlan Ha

    Net wlan ha: see net dmz ha on page 175.

  • Page 238: Netobj

    Netobj. Purpose: the netobj variable is used for working with network objects in the following ways: • adding network objects • modifying network object settings • deleting network objects • displaying and exporting network object settings • clearing the network objects table. You can add indiv...

  • Page 239

    Netobj. Syntax when used with add: add netobj name name type type ip ip [staticnat staticnat] [mac mac] [hotspotexclude hotspotexclude]. When used with set: set netobj number [name name] [type type] [ip ip] [staticnat staticnat] [mac mac] [hotspotexclude hotspotexclude]. When used with delete: delet...

  • Page 240

    Netobj. ip IP address. The IP address of the network object. This can have the following values: • if the network object is a computer, this is the IP address of the local computer. • if the network object is a network, this is the network's IP address range. To specify a range, use the following for...

  • Page 241

    Netobj. mac MAC address or string. Indicates whether to perform DHCP reservation. This can have the following values: • the MAC address you want to assign to the network object's IP address. This must be six groups of two hexadecimal characters, with colons between the groups. For example: 00:08:...

  • Page 242

    Netobj. Example 1: the following command adds a network object called "office", that represents a single computer: add netobj name office type computer ip 192.168.10.21. Example 2: the following command modifies network object 1 in the network objects table, so that DHCP reservation is performed, and ...

  • Page 243: Ospf

    Ospf. Purpose: the ospf variable is used for working with OSPF (Open Shortest Path First) settings in the following ways: • setting the OSPF mode • specifying the OSPF router identifier • displaying and exporting the above OSPF settings • displaying and exporting all OSPF settings, including: • ...

  • Page 244

    Ospf. OSPF can be used together with route-based VPNs. For information on configuring route-based VPNs, see vpn sites on page 366. Note: the NetDefend OSPF implementation is fully interoperable with the Check Point Advanced Routing Suite, as well as with any other RFC-compliant OSPF implementation. S...

  • Page 245

    Ospf. Example 1: the following command enables OSPF for all internal networks: set ospf mode internal. Example 2: the following command displays all OSPF settings: show ospf

  • Page 246: Ospf Area

    Ospf area. Purpose: the ospf area variable is used for working with OSPF areas in the following ways: • adding OSPF areas • modifying OSPF areas • deleting OSPF areas • displaying and exporting OSPF area settings • clearing the OSPF area table. An AS is divided into areas, each of which cont...

  • Page 247

    Ospf area. Fields: number integer. The area's row in the OSPF area table. id IP address. The OSPF area's IP address. auth-md5 string. Indicates whether to use the MD5 authentication scheme for this area. This can have the following values: • true - use the MD5 authentication scheme. • false - do not ...

  • Page 248: Ospf Network

    Ospf network. Purpose: the ospf network variable is used for working with OSPF networks in the following ways: • adding OSPF networks • modifying OSPF networks • deleting OSPF networks • displaying and exporting OSPF networks • clearing the OSPF networks table. To enable OSPF for a specif...

  • Page 249

    Ospf network. Fields: number integer. The network's row in the OSPF networks table. address IP address. The network's IP address. mask IP address. The network's subnet mask. area IP address. The OSPF area's IP address. Example 1: the following command adds an OSPF network: add ospf network address 1...

  • Page 250: Ospf Redistribute

    Ospf redistribute. Purpose: the ospf redistribute variable is used for working with OSPF settings in the following ways: • displaying and exporting all OSPF routing information distribution settings. For information on displaying and exporting specific routing information distribution settings, ...

  • Page 251: Ospf Redistribute Connected

    Ospf redistribute connected. Purpose: the ospf redistribute connected variable is used for working with OSPF (Open Shortest Path First) settings in the following ways: • configuring OSPF routing information distribution settings for directly connected networks • displaying and exporting OSPF rou...

  • Page 252

    Ospf redistribute connected. Example 1: the following command enables redistributing routing information for connected networks: set ospf redistribute connected enabled true metric 10 metric-type 1. Example 2: the following command displays all redistribution settings for connected networks: show ospf...

  • Page 253: Ospf Redistribute Kernel

    Ospf redistribute kernel. Purpose: the ospf redistribute kernel variable is used for working with OSPF (Open Shortest Path First) settings in the following ways: • configuring OSPF routing information distribution settings for routes updated in the NetDefend Portal • displaying and exporting OSP...

  • Page 254

    Ospf redistribute kernel. Example 1: the following command enables redistributing routing information for routes updated in the NetDefend Portal: set ospf redistribute kernel enabled true metric 10 metric-type 1. Example 2: the following command displays all redistribution settings for routes ...

  • Page 255: Port Dmz

    Port dmz. Purpose: the port dmz variable is used for working with the appliance's DMZ/WAN2 port in the following ways: • modifying the DMZ/WAN2 port's settings • displaying and exporting the DMZ/WAN2 port's settings. Syntax when used with set: set port dmz [network network] [hatrack hatrack...

  • Page 256

    Port dmz. link string. The DMZ/WAN2 port's link speed and duplex. This can have the following values: • automatic - the port automatically detects the link speed and duplex • 10/full • 10/half • 100/full • 100/half. The default value is automatic. Example 1: the following command assigns the DMZ/WAN2...

  • Page 257

    Port lan1 / port lan2 / port lan3 / port lan4. Purpose: the port lan1, port lan2, port lan3, and port lan4 variables are used for working with the appliance's LAN1, LAN2, LAN3, and LAN4 ports, respectively, in the following ways: • modifying the releva...

  • Page 258

    Port lan1 / port lan2 / port lan3 / port lan4. hatrack integer. The amount to reduce the gateway's priority if the LAN port's Ethernet link is lost. The default value is 0. link string. The LAN port's link speed and duplex. This can have the following values: • automatic - the port automatically dete...

  • Page 259: Port Serial

    Port serial. Purpose: the port serial variable is used for working with the appliance's RS232 port in the following ways: • modifying the RS232 port's assignment • displaying and exporting the RS232 port's assignment. Syntax when used with set: set port serial mode mode. When used with sh...

  • Page 260

    Port serial. Example 1: the following command assigns the RS232 port for use with a serial console: set port serial mode console. Example 2: the following command displays the RS232 port's assignment: show port serial

  • Page 261: Port Wan

    Port wan. Purpose: the port wan variable is used for working with the appliance's WAN port in the following ways: • modifying the WAN port's link speed and duplex • displaying and exporting the WAN port's speed and duplex. Syntax when used with set: set port wan link link. When used with sho...

  • Page 262

    Port wan. Example 1: the following command sets the WAN port's speed and duplex to automatic: set port wan link automatic. Example 2: the following command displays the WAN port's assignment: show port wan

  • Page 263: Printers

    Printers. Purpose: the printers variable is used for working with network printers in the following ways: • modifying printer port numbers • displaying and exporting printer port numbers. Some NetDefend models include a built-in print server, enabling you to connect up to four USB-based print...

  • Page 264

    Printers. Fields: number. The printer's row in the printers table. port integer. The network printer's TCP port number. Note: printer port numbers may not overlap, and must be high ports. Example 1: the following command assigns TCP port 9100 to printer 1: set printer 1 port 9100. Example 2: the follow...

  • Page 265: Qos Classes

    Qos classes. Purpose: the qos classes variable is used for working with Traffic Shaper settings in the following ways: • adding QoS classes • modifying QoS classes • deleting QoS classes • displaying and exporting QoS class settings • clearing the Quality of Service classes table. Traffic ...

  • Page 266

    Qos classes. Note: Traffic Shaper must be enabled for the direction of traffic specified in the rule. For information on enabling Traffic Shaper, refer to the User Guide. Traffic Shaper cannot control the number or type of packets it receives from the Internet; it can only affect the rate of incoming ...

  • Page 267

    Qos classes. When used with clear: clear qos classes. Fields: number integer. The QoS class's row in the Traffic Shaper table. name string. The class's name. For example, if you are creating a class for high priority web connections, you can name the class "high priority web". weight integer. A value...

  • Page 268

    Qos classes. delayclass string. The degree of precedence to give this class in the transmission queue. This can have one of the following values: • bulk - traffic that is not sensitive to long delays. For example, SMTP traffic (outgoing email). • normal - normal traffic • interactive - traffic that i...

  • Page 269

    Qos classes. upguarantee integer or string. The guaranteed minimum bandwidth (in bytes/second) for outgoing traffic belonging to this class. This can have the following values: • a rate • none - the bandwidth for outgoing traffic belonging to this class is calculated according to the class's weight. ...

  • Page 270

    Qos classes. Example 1: the following command adds a QoS class named crucial, with a relative weight of 50: add qos classes name crucial weight 50. Example 2: the following command modifies QoS class 1 in the Quality of Service classes table, so that it is classified as interactive traffic: set qos cl...
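An added illustration, not code from the manual or from the NetDefend firmware, of how the weight and upguarantee fields described in the pages above interact when an uplink's bandwidth is divided among classes. The allocation order is an assumption made for the model, since the appliance's own algorithm is not documented on the page: each class's guaranteed minimum is honoured first, then what is left is shared in proportion to weight, with a class that needs less than its share handing the surplus back to the others. The class names, rates and demands are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class QosClass:
    name: str
    weight: int                      # relative weight, as in "weight 50" above
    guarantee: Optional[int] = None  # upguarantee in bytes/second; None is the page's "none"
    demand: int = 0                  # bytes/second the class currently wants to send


def allocate(link_rate: int, classes: List[QosClass]) -> Dict[str, int]:
    """Divide link_rate (bytes/second) among classes.

    Assumed model, not the appliance's documented algorithm:
    guarantees first, then weighted sharing of the remainder."""
    alloc = {c.name: 0 for c in classes}
    remaining = link_rate
    # Step 1: honour each guaranteed minimum, capped by what the class
    # actually wants and by what the link can still carry.
    for c in classes:
        if c.guarantee:
            given = min(c.guarantee, c.demand, remaining)
            alloc[c.name] += given
            remaining -= given
    # Step 2: share what is left in proportion to weight. A class whose demand
    # is met drops out and its unused share is re-divided among the others.
    active = [c for c in classes if c.demand > alloc[c.name]]
    while remaining > 0 and active:
        total_weight = sum(c.weight for c in active)
        distributed = 0
        still_active = []
        for c in active:
            share = remaining * c.weight // total_weight
            given = min(share, c.demand - alloc[c.name])
            alloc[c.name] += given
            distributed += given
            if alloc[c.name] < c.demand:
                still_active.append(c)
        if distributed == 0:
            break                    # integer rounding left only crumbs; stop
        remaining -= distributed
        active = still_active
    return alloc


def demo() -> Dict[str, int]:
    """Constructed sample: a 100,000 B/s uplink and three classes, one of
    which (crucial) has a guarantee like the page's "add qos classes" example."""
    classes = [
        QosClass("crucial", weight=50, guarantee=30000, demand=60000),
        QosClass("web", weight=30, demand=50000),
        QosClass("bulk", weight=20, demand=20000),
    ]
    return allocate(100000, classes)


if __name__ == "__main__":
    for name, rate in demo().items():
        print(f"{name:8s} {rate:7d} B/s")
```

In the sample, crucial receives its 30,000 B/s guarantee and then its weighted share of the rest; once its 60,000 B/s demand is met, the remaining 5,000 B/s is re-split between web and bulk by their weights (30:20), which is the behaviour the "none" value of upguarantee describes for classes without a guarantee.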

  • Page 271: Radius Permissions

    Radius permissions. Purpose: the radius permissions variable is used for working with RADIUS permissions in the following ways: • setting permissions for all users authenticated by the defined RADIUS servers • displaying and exporting RADIUS permissions. You can use RADIUS to authen...

  • Page 272

    Radius permissions. Fields: adminaccess string. The level of access to the NetDefend Portal to assign to all users authenticated by the RADIUS server. This can have the following values: • none - the user cannot access the NetDefend Portal. • readonly - the user can log on to the NetDefend Portal, bu...

  • Page 273

    Radius permissions. hotspotaccess string. Indicates whether to allow all users authenticated by the RADIUS server to access the My HotSpot page. This can have the following values: • true - authenticated users can access the My HotSpot page. • false - authenticated users cannot access the My HotSpot ...

  • Page 274: Radius Servers

    Radius servers. Purpose: the radius servers variable is used for working with RADIUS servers in the following ways: • adding RADIUS servers • modifying RADIUS server settings • displaying and exporting RADIUS server settings • clearing the servers in the RADIUS table. Syntax when used ...

  • Page 275

    Radius servers. Fields: number integer. The RADIUS server's number. address IP address. The IP address of the computer that runs the RADIUS service (one of your network computers). secret string. The shared secret to use for secure communication with the RADIUS server. port integer. The port number o...

  • Page 276

    Radius servers. Example 1: the following command adds a RADIUS server located at 192.168.10.21, with the shared secret "mysharedsecret" and the RADIUS realm "mycompany": add radius servers address 192.168.10.21 secret mysharedsecret realm mycompany. No port number is specified, so the default port (18...

  • Page 277: Routes

    Routes. Purpose: the routes variable is used for working with static routes in the following ways: • adding static routes • modifying static route settings • deleting static routes • displaying and exporting static route settings • clearing the static routes table. A static route is a setting t...

  • Page 279

    Routes. srcmask IP address or string. The subnet mask of the source network. This can have the following values: • a subnet mask • undefined - the route applies to all source network subnet masks. Example 1: the following command adds a static route with a metric of 90: add routes network 192.16...

  • Page 280

    Smartdefense ai cifs file-sharing. Purpose: the smartdefense ai cifs file-sharing variable is used for working with file sharing settings in the following ways: • configuring CIFS file sharing defense settings • displaying and exporting CIFS file sharing defense sett...

  • Page 281

    Smartdefense ai cifs file-sharing. log string. Indicates whether to log CIFS worm attacks. This can have the following values: • disabled - do not log attacks. • log - log attacks. The default value is disabled.

  • Page 282

    Smartdefense ai cifs file-sharing. Example 1: the following command enables CIFS worm blocking and logging: set smartdefense ai cifs file-sharing enforce enabled log log. Example 2: the following command displays all CIFS file sharing defense settings, including worm patterns: show smartdefense ai cif...

  • Page 283

    Smartdefense ai cifs file-sharing patterns. Purpose: the smartdefense ai cifs file-sharing patterns variable is used for working with CIFS worm patterns in the following ways: • adding worm patterns • modifying worm patterns • deleting worm patterns • displa...

  • Page 284

    Smartdefense ai cifs file-sharing patterns. When used with clear: clear smartdefense ai cifs file-sharing patterns. Fields: number integer. The worm pattern's row in the CIFS worm patterns table. name string. The worm's name. active string. Indicates whether SmartDefense should check files for this w...

  • Page 285

    Smartdefense ai cifs file-sharing patterns. Example 1: the following command adds a worm pattern and activates it: add smartdefense ai cifs file-sharing patterns name worm active true regexp \.worm$. Example 2: the following command deactivates worm pattern 1 in the CIFS worm patterns table: set smartd...

  • Page 286: Smartdefense Ai Ftp

    Smartdefense ai ftp. Purpose: the smartdefense ai ftp variable is used for working with FTP settings in the following ways: • configuring FTP settings • displaying and exporting FTP settings, including FTP bounce settings and FTP command settings. For information on configuring spe...

  • Page 287

    Smartdefense ai ftp. Fields: enforce-commands string. Indicates whether to block illegal FTP commands in the FTP commands list. For information on configuring and viewing the FTP commands list, see smartdefense ai ftp commands on page 279. This field can have the following values: • enabled - block i...

  • Page 288

    Smartdefense ai ftp. port-overflow string. Indicates whether to block PORT commands that contain a number greater than 255. FTP clients send PORT commands when connecting to the FTP server. A PORT command consists of a series of numbers between 0 and 255, separated by commas. Blocking PORT commands that ...

  • Page 289: Smartdefense Ai Ftp Bounce

    Smartdefense ai ftp bounce. Purpose: the smartdefense ai ftp bounce variable is used for working with FTP bounce settings in the following ways: • configuring FTP bounce settings • displaying and exporting FTP bounce settings. When connecting to an FTP server, the client sen...

  • Page 290

    Smartdefense ai ftp bounce. log string. Indicates whether to log FTP bounce attacks. This can have the following values: • enabled - log FTP bounce attacks. • disabled - do not log FTP bounce attacks. The default value is enabled. Example 1: the following command enables blocking and logging FTP bou...

  • Page 291: Smartdefense Ai Ftp Commands

    Smartdefense ai ftp commands. Purpose: the smartdefense ai ftp commands variable is used for working with FTP command settings in the following ways: • adding FTP commands • modifying FTP commands • deleting FTP commands • displaying and exporting FTP commands • clearing ...

  • Page 292

    Smartdefense ai ftp commands. Fields: number integer. The FTP command's row in the FTP commands table. command string. The FTP command. allowed string. Indicates whether the FTP command is legal. This can have the following values: • true - the FTP command is legal. SmartDefense will allow this comma...

  • Page 293

    Smartdefense ai ftp commands. Example 1: the following command adds an FTP command and marks it as illegal: add smartdefense ai ftp commands command arbor allowed true. Example 2: the following command marks FTP command 1 in the FTP commands table as legal: set smartdefense ai ftp commands 1 allowed f...

  • Page 294: Smartdefense Ai Im Icq

    Smartdefense ai im icq. Purpose: the smartdefense ai im icq variable is used for working with ICQ instant messenger settings in the following ways: • configuring ICQ SmartDefense settings • displaying and exporting ICQ SmartDefense settings. SmartDefense can block ICQ connection...

  • Page 295

    Smartdefense ai im icq. log string. Indicates whether to log ICQ connections. This can have the following values: • enabled - log ICQ connections. • disabled - do not log ICQ connections. The default value is disabled. block-proprietary string. Indicates whether to enable blocking proprietary protoc...

  • Page 296: Smartdefense Ai Im Skype

    Smartdefense ai im skype. Purpose: the smartdefense ai im skype variable is used for working with Skype instant messenger settings in the following ways: • configuring Skype SmartDefense settings • displaying and exporting Skype SmartDefense settings. SmartDefense can block Sk...

  • Page 297: Smartdefense Ai Im Yahoo

    Smartdefense ai im yahoo. Purpose: the smartdefense ai im yahoo variable is used for working with Yahoo instant messenger settings in the following ways: • configuring Yahoo SmartDefense settings • displaying and exporting Yahoo SmartDefense settings. SmartDefense can block Ya...

  • Page 298

    Smartdefense ai p2p bittorrent. Purpose: the smartdefense ai p2p bittorrent variable is used for working with BitTorrent peer-to-peer settings in the following ways: • configuring BitTorrent SmartDefense settings • displaying and exporting BitTorrent SmartDefense settin...

  • Page 299

    Smartdefense ai p2p bittorrent. log string. Indicates whether to log BitTorrent connections. This can have the following values: • enabled - log BitTorrent connections. • disabled - do not log BitTorrent connections. The default value is disabled. block-proprietary string. Indicates whether to enabl...

  • Page 300: Smartdefense Ai P2P Emule

    Smartdefense ai p2p emule. Purpose: the smartdefense ai p2p emule variable is used for working with eMule peer-to-peer settings in the following ways: • configuring eMule SmartDefense settings • displaying and exporting eMule SmartDefense settings. SmartDefense can block eMul...

  • Page 301

    Smartdefense ai p2p emule. Example 1: the following command enables blocking and logging eMule connections: set smartdefense ai p2p emule enforce enabled log enabled. Example 2: the following command displays all eMule SmartDefense settings: show smartdefense ai p2p emule

  • Page 302: Smartdefense Ai P2P Gnutella

    Smartdefense ai p2p gnutella. Purpose: the smartdefense ai p2p gnutella variable is used for working with Gnutella peer-to-peer settings in the following ways: • configuring Gnutella SmartDefense settings • displaying and exporting Gnutella SmartDefense settings. SmartDefe...

  • Page 303

    Smartdefense ai p2p gnutella. Example 1: the following command enables blocking and logging Gnutella connections: set smartdefense ai p2p gnutella enforce enabled log enabled. Example 2: the following command displays all Gnutella SmartDefense settings: show smartdefense ai p2p gnutella

  • Page 304: Smartdefense Ai P2P Kazaa

    Smartdefense ai p2p kazaa. Purpose: the smartdefense ai p2p kazaa variable is used for working with Kazaa peer-to-peer settings in the following ways: • configuring Kazaa SmartDefense settings • displaying and exporting Kazaa SmartDefense settings. SmartDefense can block Kaza...

  • Page 305

    Smartdefense ai p2p kazaa. Example 1: the following command enables blocking and logging Kazaa connections: set smartdefense ai p2p kazaa enforce enabled log enabled. Example 2: the following command displays all Kazaa SmartDefense settings: show smartdefense ai p2p kazaa

  • Page 306: Smartdefense Ai Routing Igmp

    Smartdefense ai routing igmp. Purpose: the smartdefense ai routing igmp variable is used for working with IGMP SmartDefense settings in the following ways: • configuring IGMP SmartDefense settings • displaying and exporting IGMP SmartDefense settings. IGMP is used by hosts...

  • Page 307

    Smartdefense ai routing igmp. log string. Indicates whether to log IGMP attacks. This can have the following values: • enabled - log IGMP attacks. • disabled - do not log IGMP attacks. The default value is disabled. enforce-mcast string. Indicates whether to enable blocking IGMP packets that are sen...

  • Page 308

    Smartdefense network-security dos flooding. Purpose: the smartdefense network-security dos flooding variable is used for working with non-TCP flooding settings in the following ways: • configuring non-TCP flooding settings • displaying and exporting non-TCP ...

  • Page 309

    Smartdefense network-security dos flooding. Fields: enforce string. Indicates whether to enable blocking additional non-TCP connections, when the percentage of state table capacity used for non-TCP connections reaches the percent threshold. This can have the following values: • enabled - blocking ad...

  • Page 310

    Smartdefense network-security dos flooding. Example 1: the following command enables blocking and logging non-TCP connections that exceed 50% of the state table capacity: set smartdefense network-security dos flooding enforce enabled log enabled percent 50. Example 2: the following command display...
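An added model, not NetDefend code, of how the enforce, log and percent fields described above fit together: a state table of fixed capacity in which a new non-TCP entry is logged and, when enforcement is on, refused once the share of the table held by non-TCP connections reaches the configured percentage, while TCP connections are unaffected. How the appliance actually sizes and accounts its state table is not described on the page and is assumed here; the table capacity, flow keys and protocol labels are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (src, dst, sport, dport): a constructed flow key for the model
FlowKey = Tuple[str, str, int, int]


@dataclass
class NonTcpFloodGuard:
    """Assumed semantics of smartdefense network-security dos flooding."""
    capacity: int                 # total state table entries (constructed)
    percent: int = 50             # threshold, as in the page's example command
    enforce: bool = True          # "enforce enabled" / "enforce disabled"
    log: bool = True              # "log enabled" / "log disabled"
    table: Dict[FlowKey, str] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def non_tcp_percent(self) -> int:
        """Share of the state table currently held by non-TCP connections."""
        non_tcp = sum(1 for proto in self.table.values() if proto != "tcp")
        return non_tcp * 100 // self.capacity

    def admit(self, key: FlowKey, proto: str) -> bool:
        """Return True if the flow gets (or already has) a state table entry."""
        if key in self.table:
            return True           # existing connection, not an additional entry
        if len(self.table) >= self.capacity:
            return False          # table full regardless of protocol
        if proto != "tcp" and self.non_tcp_percent() >= self.percent:
            if self.log:
                self.events.append(
                    f"non-tcp flooding: {proto} {key[0]}->{key[1]}:{key[3]} "
                    f"at {self.non_tcp_percent()}% of state table")
            if self.enforce:
                return False      # block the additional non-TCP connection
        self.table[key] = proto
        return True


def simulate(enforce: bool = True, log: bool = True) -> Tuple[List[bool], int, int]:
    """Drive the guard with a constructed burst of seven UDP flows from one host
    followed by one TCP flow. Returns (admit decisions in order,
    non-TCP entries left in the table, number of logged events)."""
    guard = NonTcpFloodGuard(capacity=10, percent=50, enforce=enforce, log=log)
    decisions = []
    for i in range(7):
        decisions.append(guard.admit(("10.0.0.9", "203.0.113.5", 40000 + i, 53), "udp"))
    decisions.append(guard.admit(("10.0.0.9", "203.0.113.5", 50000, 443), "tcp"))
    non_tcp = sum(1 for proto in guard.table.values() if proto != "tcp")
    return decisions, non_tcp, len(guard.events)


if __name__ == "__main__":
    for enforce in (True, False):
        decisions, non_tcp, logged = simulate(enforce=enforce)
        print(f"enforce={enforce}: admitted={decisions} non_tcp={non_tcp} logged={logged}")
```

With a ten-entry table and percent 50, the sixth UDP flow is the first to arrive when non-TCP connections already fill half the table: with enforce enabled it is logged and dropped (as is the seventh), with enforce disabled both are logged but still admitted, and the TCP flow is accepted either way.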

  • Page 311

    SmartDefense Network-Security DoS LAND
    Purpose: the smartdefense network-security dos land variable is used for working with LAND settings in the following ways:
    • configuring LAND settings
    • displaying and exporting LAND settings
    In a LAND attack, the attacker...

  • Page 312

    SmartDefense Network-Security DoS LAND
    Example 1: the following command enables blocking and logging LAND attacks:
    set smartdefense network-security dos land enforce enabled log enabled
    Example 2: the following command displays all LAND settings:
    show smartdefense network-security dos land
    300 D-Lin...

  • Page 313

    SmartDefense Network-Security DoS Ping-of-Death
    Purpose: the smartdefense network-security dos ping-of-death variable is used for working with Ping of Death settings in the following ways:
    • configuring Ping of Death settings
    • displaying and exporting...

  • Page 314

    SmartDefense Network-Security DoS Ping-of-Death
    log string. Indicates whether to log Ping of Death attacks. This can have the following values:
    • enabled - log Ping of Death attacks.
    • disabled - do not log Ping of Death attacks.
    The default value is enabled.
    Example 1: the following command enable...

  • Page 315

    SmartDefense Network-Security DoS Teardrop
    Purpose: the smartdefense network-security dos teardrop variable is used for working with Teardrop settings in the following ways:
    • configuring Teardrop settings
    • displaying and exporting Teardrop settings
    In a t...

  • Page 316

    SmartDefense Network-Security DoS Teardrop
    log string. Indicates whether to log Teardrop attacks. This can have the following values:
    • enabled - log Teardrop attacks.
    • disabled - do not log Teardrop attacks.
    The default value is enabled.
    Example 1: the following command enables blocking and loggi...

  • Page 317

    SmartDefense Network-Security IP-ICMP Cisco-IOS
    Purpose: the smartdefense network-security ip-icmp cisco-ios variable is used for working with Cisco IOS DoS settings in the following ways:
    • configuring Cisco IOS DoS settings
    • displaying and exporting...

  • Page 318

    SmartDefense Network-Security IP-ICMP Cisco-IOS
    log string. Indicates whether to log Cisco IOS DoS attacks. This can have the following values:
    • enabled - log Cisco IOS DoS attacks.
    • disabled - do not log Cisco IOS DoS attacks.
    The default value is enabled.
    num-hops integer. The number of hops fr...

  • Page 319

    SmartDefense Network-Security IP-ICMP Cisco-IOS
    proto-55 string. Indicates whether to enable dropping IPv4 packets of the IP Mobility (protocol 55) type. This can have the following values:
    • enabled - packet dropping is enabled for this protocol type.
    • disabled - packet dropping is disabled for th...

  • Page 320

    SmartDefense Network-Security IP-ICMP Fragments
    Purpose: the smartdefense network-security ip-icmp fragments variable is used for working with IP fragments settings in the following ways:
    • configuring IP fragments settings
    • displaying and exporting i...

  • Page 321

    SmartDefense Network-Security IP-ICMP Fragments
    Fields
    forbid string. Indicates whether to enable dropping all fragmented packets. This can have the following values:
    • enabled - fragmented packet dropping is enabled.
    • disabled - fragmented packet dropping is disabled.
    The default value is disable...

  • Page 322

    SmartDefense Network-Security IP-ICMP Fragments
    Example 1: the following command enables dropping and logging IP fragments:
    set smartdefense network-security ip-icmp fragments forbid enabled log enabled
    Example 2: the following command displays all IP fragments settings:
    show smartdefense network...

  • Page 323: Size

    SmartDefense Network-Security IP-ICMP Max-Ping-Size
    Purpose: the smartdefense network-security ip-icmp max-ping-size variable is used for working with max ping size settings in the following ways:
    • configuring max ping size settings
    • displaying ...

  • Page 324

    SmartDefense Network-Security IP-ICMP Max-Ping-Size
    log string. Indicates whether to log ICMP echo responses that exceed the size threshold. This can have the following values:
    • enabled - log the responses.
    • disabled - do not log the responses.
    The default value is enabled.
    size integer. The maxi...

  • Page 325

    SmartDefense Network-Security IP-ICMP Net-Quota
    Purpose: the smartdefense network-security ip-icmp net-quota variable is used for working with network quota settings in the following ways:
    • configuring network quota settings
    • displaying and exporting...

  • Page 326

    SmartDefense Network-Security IP-ICMP Net-Quota
    Fields
    enforce string. Indicates whether to enable blocking all new connections from a specific source when the number of network connections from the same source reaches the max threshold. This can have the following values:
    • enabled - blocking new...

  • Page 327

    SmartDefense Network-Security IP-ICMP Net-Quota
    Example 1: the following command enables blocking and logging connections from a specific source that exceeds 150 connections/second:
    set smartdefense network-security ip-icmp net-quota enforce enabled log enabled max 150
    Example 2: the following comma...

  • Page 328

    SmartDefense Network-Security IP-ICMP Null-Payload
    Purpose: the smartdefense network-security ip-icmp null-payload variable is used for working with null payload settings in the following ways:
    • configuring null payload settings
    • displaying and ex...

  • Page 329

    SmartDefense Network-Security IP-ICMP Null-Payload
    Example 1: the following command enables blocking and logging null payload packets:
    set smartdefense network-security ip-icmp null-payload enforce enabled log enabled
    Example 2: the following command displays all null payload settings:
    show smartdef...

  • Page 330: Sanity

    SmartDefense Network-Security IP-ICMP Packet-Sanity
    Purpose: the smartdefense network-security ip-icmp packet-sanity variable is used for working with packet sanity settings in the following ways:
    • configuring packet sanity settings
    • displaying ...

  • Page 331

    SmartDefense Network-Security IP-ICMP Packet-Sanity
    log string. Indicates whether to log packets that fail a sanity test. This can have the following values:
    • enabled - log the packets.
    • disabled - do not log the packets.
    The default value is enabled.
    disable-relaxed-udp-len-verification string...

  • Page 332

    SmartDefense Network-Security IP-ICMP Packet-Sanity
    Example 1: the following command enables blocking and logging packets that fail a sanity test:
    set smartdefense network-security ip-icmp packet-sanity enforce enabled log enabled
    Example 2: the following command displays all packet sanity settings:...

  • Page 333

    SmartDefense Network-Security IP-ICMP Welchia
    Purpose: the smartdefense network-security ip-icmp welchia variable is used for working with Welchia worm settings in the following ways:
    • configuring Welchia worm settings
    • displaying and exporting welchia...

  • Page 334

    SmartDefense Network-Security IP-ICMP Welchia
    log string. Indicates whether to log Welchia worm attacks. This can have the following values:
    • enabled - log the attack.
    • disabled - do not log the attack.
    The default value is enabled.
    Example 1: the following command enables blocking and logging we...

  • Page 335: Scan

    SmartDefense Network-Security Port-Scan Host-Port-Scan
    Purpose: the smartdefense network-security port-scan host-port-scan variable is used for working with host port scan settings in the following ways:
    • configuring host port scan settings
    • ...

  • Page 336

    SmartDefense Network-Security Port-Scan Host-Port-Scan
    Fields
    num integer. The minimum number of ports that must be accessed within the time period (period) in order for SmartDefense to detect the activity as a port scan. SmartDefense detects port scans by measuring the number of ports accessed over a p...

  • Page 337

    SmartDefense Network-Security Port-Scan Host-Port-Scan
    external-only string. Indicates whether to detect only scans originating from the Internet. This can have the following values:
    • true - detect only scans from the Internet.
    • false - do not detect only scans from the Internet.
    The default value...

  • Page 338: Scan

    SmartDefense Network-Security Port-Scan IP-Sweep-Scan
    Purpose: the smartdefense network-security port-scan ip-sweep-scan variable is used for working with sweep scan settings in the following ways:
    • configuring sweep scan settings
    • displaying ...

  • Page 339

    SmartDefense Network-Security Port-Scan IP-Sweep-Scan
    Fields
    num integer. The minimum number of ports that must be accessed within the time period (period) in order for SmartDefense to detect the activity as a port scan. SmartDefense detects port scans by measuring the number of ports accessed over a pe...

  • Page 340

    SmartDefense Network-Security Port-Scan IP-Sweep-Scan
    external-only string. Indicates whether to detect only scans originating from the Internet. This can have the following values:
    • true - detect only scans from the Internet.
    • false - do not detect only scans from the Internet.
    The default value ...

  • Page 341

    SmartDefense Network-Security TCP Small-PMTU
    Purpose: the smartdefense network-security tcp small-pmtu variable is used for working with small PMTU settings in the following ways:
    • configuring small PMTU settings
    • displaying and exporting small PMTU set...

  • Page 342

    SmartDefense Network-Security TCP Small-PMTU
    log string. Indicates whether to log packets that are smaller than the size threshold. This can have the following values:
    • enabled - log the packet.
    • disabled - do not log the packet.
    The default value is enabled.
    size integer. The minimum value allowed fo...

  • Page 343

    SmartDefense Network-Security TCP Strict-TCP
    Purpose: the smartdefense network-security tcp strict-tcp variable is used for working with strict TCP settings in the following ways:
    • configuring strict TCP settings
    • displaying and exporting strict TCP set...

  • Page 344

    SmartDefense Network-Security TCP Strict-TCP
    log string. Indicates whether to log out-of-state TCP packets. This can have the following values:
    • enabled - log the packet.
    • disabled - do not log the packet.
    The default value is enabled.
    Example 1: the following command enables blocking and logging...

  • Page 345: Smp

    SMP
    Purpose: the smp variable is used for doing the following:
    • connecting to a Service Center
    • disconnecting from a Service Center
    • displaying and exporting Service Center connection settings
    • configuring the Software Updates service when the appliance is locally managed
    Note: check with yo...

  • Page 346

    SMP
    connect string. Indicates whether your NetDefend firewall should connect to the Service Center. This can have the following values:
    • enabled - connect to the Service Center
    • disabled - disconnect from the Service Center
    If you disconnect from the Service Center, the services to which you are s...

  • Page 347: Snmp

    SNMP
    Purpose: the snmp variable is used for working with SNMP in the following ways:
    • enabling and configuring SNMP access to the NetDefend Portal
    • displaying and exporting SNMP settings
    NetDefend firewall users can monitor the NetDefend firewall using tools that support SNMP (Simple Network...

  • Page 348

    SNMP
    Fields
    mode string. Indicates from where SNMP access to the NetDefend Portal should be granted. This can have the following values:
    • internal - the internal network only. This disables remote SNMP capability.
    • range - a particular range of IP addresses. If you choose this mode, you must incl...

  • Page 349

    SNMP
    contact string. The name of the contact person. This information will be visible to SNMP agents, and is useful for administrative purposes.
    port integer. The port to use for SNMP. The default value is 161.
    Example 1: the following command enables NetDefend users to access the NetDefend Portal u...

  • Page 350: Ssh

    SSH
    Purpose: the ssh variable is used for working with SSH in the following ways:
    • enabling and configuring SSH access to the NetDefend Portal
    • displaying and exporting SSH settings
    NetDefend firewall users can control the firewall via the command line, using the SSH (Secure Shell) management ...

  • Page 351

    SSH
    Fields
    mode string. Indicates from where SSH access to the NetDefend Portal should be granted. This can have the following values:
    • internal - the internal network only. This disables remote SSH capability.
    • range - a particular range of IP addresses. If you choose this mode, you must include...

  • Page 352

    SSH
    Example 1: the following command enables NetDefend users to access the NetDefend Portal using SSH from any IP address:
    set ssh mode any
    Example 2: the following command displays the IP address or IP address range from which SSH access is granted:
    show ssh iprange

  • Page 353: Statistics

    Statistics
    Purpose: the statistics variable is used for working with Traffic Monitor settings in the following ways:
    • configuring Traffic Monitor settings
    • displaying and exporting Traffic Monitor settings
    The Traffic Monitor displays traffic rates in kilobits/second. If desired, you ca...

  • Page 354

    Statistics
    Example 2: the following command displays the Traffic Monitor settings:
    show statistics

  • Page 355: Syslog

    Syslog
    Purpose: the syslog variable is used for working with NetDefend firewall syslog settings in the following ways:
    • configuring syslog settings
    • displaying and exporting syslog settings
    You can configure the NetDefend firewall to send event logs to a syslog server residing in your inter...

  • Page 356

    Syslog
    Fields
    address IP address or string. The IP address of the computer that will run the syslog service (one of your network computers). This can have the following values:
    • an IP address
    • undefined - no syslog server is defined.
    The default value is undefined.
    port integer. The port number ...

  • Page 357: Users

    Users
    Purpose: the users variable is used for working with local users in the following ways:
    • adding NetDefend firewall users
    • modifying NetDefend firewall users' details
    • deleting NetDefend firewall users
    • displaying and exporting NetDefend firewall users' details
    • clearing the users tabl...

  • Page 359

    Users
    vpnaccess string. Indicates whether to allow the user to connect to this NetDefend firewall using their VPN client. This can have the following values:
    • true - the user can remotely access your network via VPN.
    • false - the user cannot remotely access your network via VPN.
    This fie...

  • Page 360

    Users
    expire string. The expiration date and time for the user's account. When the user account expires, it is locked, and the user can no longer log on to the NetDefend firewall. This field can have the following values:
    • never - the account never expires.
    • a specific date and time in the format:...

  • Page 361

    Users
    Example 3: the following command deletes user 2:
    delete users 2
    Example 4: the following command displays the details for all users:
    show users
    Example 5: the following command clears the users table:
    clear users

  • Page 362: Vlan

    VLAN
    Purpose: the vlan variable is used for working with virtual networks (VLANs) in the following ways:
    • adding a VLAN
    • configuring a VLAN network's settings, including:
      • hide network address translation (NAT)
      • the VLAN network's default gateway
      • the VLAN network's internal network range ...

  • Page 363

    VLAN
    You can easily customize this behavior by creating firewall user rules. For information on defining rules, see fw rules on page 137. For information on the default security policy for VLANs, refer to the User Guide. The NetDefend firewall supports the following VLAN types:
    • tag-based
    In tag-ba...

  • Page 365

    VLAN
    address IP address. The IP address of the VLAN network's default gateway. The default value is 192.168.200.1.
    Note: the VLAN network must not overlap the LAN network.
    netmask IP address. The VLAN network's internal network range.
    dhcpserver string. Indicates whether the NetDefend DHCP server is...

  • Page 366

    VLAN
    dhcprange string. Indicates how the DHCP server should obtain the DHCP address range. The DHCP address range is the range of IP addresses that the DHCP server can assign to network devices. IP addresses outside of the DHCP address range are reserved for statically addressed computers. This fiel...

  • Page 367

    VLAN
    virtualip IP address. The default gateway IP address. This can have the following values:
    • an IP address - this can be any unused IP address in the VLAN network, and must be the same for both gateways.
    • undefined - high availability is not configured for this network.
    The default value is und...

  • Page 368

    VLAN
    hotspot string. Indicates whether to enable Secure HotSpot for the VLAN network. This can have the following values:
    • enabled - Secure HotSpot is enabled for the VLAN.
    • disabled - Secure HotSpot is disabled for the VLAN.
    The default value is disabled.
    Example 1: the following command adds a ...

  • Page 369: Vlan Ospf

    VLAN OSPF
    Purpose: the vlan ospf variable is used for working with OSPF (Open Shortest Path First) settings for VLAN networks in the following ways:
    • configuring OSPF cost for the VLAN
    • displaying and exporting OSPF settings for the VLAN, including authentication settings
    For information...

  • Page 370

    VLAN OSPF
    Example 1: the following command sets the OSPF cost for VLAN network 1:
    set vlan 1 ospf cost 10
    Example 2: the following command displays the OSPF settings for VLAN network 1:
    show vlan 1 ospf

  • Page 371: Vlan Ospf Md5

    VLAN OSPF MD5
    Purpose: the vlan ospf md5 variable is used for working with OSPF MD5 authentication settings for VLAN networks in the following ways:
    • configuring OSPF MD5 authentication settings for the VLAN
    • displaying and exporting OSPF MD5 authentication settings for the VLAN
    This...

  • Page 372

    VLAN OSPF MD5
    password string. The password to use for authentication. Passwords need not be identical throughout an OSPF area, but they must be the same for OSPF neighbors.
    Example 1: the following command enables authentication for OSPF connections for VLAN network 1:
    set vlan 1 ospf md5 enabl...

  • Page 373: Vpn Externalserver

    VPN Externalserver
    Purpose: the vpn externalserver variable is used for doing the following:
    • configuring the NetDefend Remote Access VPN Server
    • displaying and exporting NetDefend Remote Access VPN Server settings
    You can set up your NetDefend firewall as a Remote Access VPN Se...

  • Page 374

    VPN Externalserver
    Fields
    mode string. The Remote Access VPN Server mode. This can have the following values:
    • enabled - the NetDefend Remote Access VPN Server is enabled.
    • disabled - the NetDefend Remote Access VPN Server is disabled.
    The default value is disabled.
    Note: disabling the Remote Ac...

  • Page 375

    VPN Externalserver
    Example 1: the following command enables the Remote Access VPN Server and specifies that authenticated users should be allowed to bypass NAT, but not the firewall:
    set vpn externalserver mode enabled bypassnat enabled bypassfw disabled
    Example 2: the following command displays the...

  • Page 376: Vpn Internalserver

    VPN Internalserver
    Purpose: the vpn internalserver variable is used for doing the following:
    • configuring the NetDefend Internal VPN Server
    • displaying and exporting NetDefend Internal VPN Server settings
    You can make your network available to authorized users connecting from yo...

  • Page 377

    VPN Internalserver
    Fields
    mode string. The Internal VPN Server mode. This can have the following values:
    • enabled - the NetDefend Internal VPN Server is enabled.
    • disabled - the NetDefend Internal VPN Server is disabled.
    The default value is disabled.
    Note: disabling the Internal VPN Server will...

  • Page 378: Vpn Sites

    VPN Sites
    Purpose: the vpn sites variable is used for working with VPN sites in the following ways:
    • adding VPN sites
    • modifying VPN site settings
    • deleting VPN sites
    • displaying and exporting VPN site settings, including OSPF settings
    For information on configuring, displaying, and ex...

  • Page 379

    VPN Sites
    When used with set:
    set vpn sites [number] [name name] [type type] [gateway gateway] [disabled disabled] [gateway2 gateway2] [loginmode loginmode] [configmode configmode] [authmethod authmethod] [keepalive keepalive] [bypassnat bypassnat] [bypassfw bypassfw] [user user] [password password...

  • Page 380

    VPN Sites
    type string. The type of VPN site to establish. This can have the following values:
    • remoteaccess - establishes remote access from your Remote Access VPN Client to a Remote Access VPN Server
    • sitetosite - creates a permanent bi-directional connection to another Site-to-Site VPN Gateway....

  • Page 381

    VPN Sites
    loginmode string. The mode for logging on to the Remote Access VPN site. This can have the following values:
    • manual - configures the VPN site for Manual Login. Manual Login connects only the computer you are currently logged onto to the VPN site, and only when the appropriate user name a...

  • Page 382

    VPN Sites
    configmode string. The mode for obtaining the VPN network configuration. This can have the following values:
    • manual - allows you to provide the network configuration manually.
    • automatic - obtains the network configuration by downloading it from the VPN site. This option will automatic...

  • Page 383

    VPN Sites
    authmethod string. The VPN authentication mode. This can have the following values:
    • sharedsecret - use a shared secret for secure communications with the VPN site. This shared secret is a string used to identify the VPN sites to each other. The secret can contain spaces and specia...

  • Page 384

    VPN Sites
    bypassnat string. Indicates whether to allow the VPN site to bypass NAT when connecting to your internal network. This can have the following values:
    • enabled - the VPN site can bypass NAT.
    • disabled - the VPN site cannot bypass NAT.
    The default value is disabled. This field is only rele...

  • Page 385

    VPN Sites
    topopass string. The topology user's password. This field is only relevant for Site-to-Site VPNs configured to automatically download the network configuration.
    net1 through net3 IP address. A destination network address at the VPN site to which you want to connect. This field can have t...

  • Page 386

    VPN Sites
    phase1ikealgs string. The encryption and integrity algorithm to use for IKE negotiations. This can have the following values:
    • automatic - the NetDefend firewall automatically selects the best security methods supported by the site.
    • des/md5
    • des/sha1
    • 3des/md5
    • 3des/sha1
    • aes128/md5...

  • Page 387

    VPN Sites
    phase1dhgroup string. The Diffie-Hellman group to use for IKE Phase 1:
    • automatic - the NetDefend firewall automatically selects a group.
    • group1
    • group2
    • group5
    A group with more bits ensures a stronger key but lowers performance. The default value is automatic.
    phase2ikealgs string....

  • Page 388

    VPN Sites
    phase2dhgroup string. The Diffie-Hellman group to use for IKE Phase 2:
    • automatic - the NetDefend firewall automatically selects a group.
    • group1
    • group2
    • group5
    A group with more bits ensures a stronger key but lowers performance. The default value is automatic.
    dnsname string. The g...

  • Page 389

    VPN Sites
    Example 1: the following command adds a Remote Access VPN site called "office". The site is enabled.
    add vpn sites name office type remoteaccess gateway 1.2.3.4 disabled false
    Example 2: the following command sets the login mode of VPN site 1 in the VPN Sites table to automatic. This mode ...

  • Page 390: Vpn Sites Ospf

    VPN Sites OSPF
    Purpose: the vpn sites ospf variable is used for working with OSPF (Open Shortest Path First) settings for VPN sites in the following ways:
    • configuring OSPF cost for the VPN site
    • displaying and exporting OSPF settings for the VPN site, including authentication setti...

  • Page 391

    VPN Sites OSPF
    Example 1: the following command sets the OSPF cost for VPN site 1:
    set vpn sites 1 ospf cost 10
    Example 2: the following command displays the OSPF settings for VPN site 1:
    show vpn sites 1 ospf

  • Page 392: Vpn Sites Ospf Md5

    VPN Sites OSPF MD5
    Purpose: the vpn sites ospf md5 variable is used for working with OSPF MD5 authentication settings for VPN sites in the following ways:
    • configuring OSPF MD5 authentication settings for the VPN site
    • displaying and exporting OSPF MD5 authentication settings fo...

  • Page 393

    VPN Sites OSPF MD5
    password string. The MD5 password to use for authentication.
    Example 1: the following command enables authentication for OSPF connections for VPN site 1:
    set vpn sites 1 ospf md5 enabled true key 1 password thepassword
    Example 2: the following command displays the OSPF MD5 authent...

  • Page 394: Vstream

    VStream
    Purpose: the vstream variable is used for working with VStream Antivirus in the following ways:
    • enabling/disabling VStream Antivirus
    • displaying and exporting the VStream Antivirus mode
    • displaying and exporting all VStream Antivirus settings, including archive-handling options, ...

  • Page 395

    VStream
    Note: VStream Antivirus differs from the Email Antivirus subscription service (part of the Email Filtering service) in the following ways:
    • Email Antivirus is centralized, redirecting traffic through the Service Center for scanning, while VStream Antivirus scans for viruses in the NetDefend...

  • Page 396

    VStream
    Example 1: the following command enables VStream Antivirus:
    set vstream mode enabled
    Example 2: the following command displays all VStream Antivirus settings, including archive-handling options, advanced options, and policy rules:
    show vstream

  • Page 397: Vstream Archive-Options

    VStream Archive-Options
    Purpose: the vstream archive-options variable is used for working with VStream Antivirus archive-handling settings in the following ways:
    • configuring VStream Antivirus archive-handling settings
    • displaying and exporting the Email Antispam archive-ha...

  • Page 398

    VStream Archive-Options
    compression-ratio integer. The value x in 1:x, which represents the maximum compression ratio of files that VStream Antivirus should scan. For example, to specify a 1:150 maximum compression ratio, set this field to 150. Setting a higher number allows the scanning of highly...

  • Page 399

    VStream Archive-Options
    Example 1: the following command sets the VStream Antivirus nesting level to 5:
    set vstream archive-options nesting-level 5
    Example 2: the following command displays the VStream Antivirus archive-handling settings:
    show vstream archive-options

  • Page 400: Vstream Options

    VStream Options
    Purpose: the vstream archive-options variable is used for working with VStream Antivirus advanced settings in the following ways:
    • configuring VStream Antivirus advanced settings
    • displaying and exporting the Email Antispam advanced settings
    Syntax
    When used with s...

  • Page 401

    VStream Options
    Fields
    unsafe-attachments string. Indicates whether to block all emails containing potentially unsafe attachments. Unsafe file types are:
    • files with {CLSID} in their name
    • DOS/Windows executables, libraries and drivers
    • compiled HTML help files
    • VBScript files
    • the following ...

  • Page 402

    VStream Options
    safe-filetypes string. Indicates whether to accept common file types that are known to be safe, without scanning them. Safe file types are:
    • MPEG streams
    • RIFF Ogg stream
    • MP3
    • PDF
    • PostScript
    • WMA/WMV/ASF
    • RealMedia
    • JPEG - only the header is scanned, and the rest of the fi...

  • Page 403

    VStream Options
    http-ranges string. Indicates whether to block partial files. A client might attempt to download partial files in the following situations:
    • the client starts downloading a file, and the download is interrupted. The client then reconnects and downloads the rest of the file.
    • a down...

  • Page 404: Vstream Policy Rule

    VStream Policy Rule
    Purpose: the vstream policy rule variable is used for working with VStream Antivirus rules in the following ways:
    • adding new VStream Antivirus rules
    • modifying VStream Antivirus rules
    • deleting VStream Antivirus rules
    • displaying and exporting VStream Ant...

  • Page 405

    VStream Policy Rule
    Syntax
    When used with add:
    add vstream policy rule type type [service service] [src src] [dest dest] [ports ports] [protocol protocol] [index index] [disabled disabled] [direction direction]
    When used with set:
    set vstream policy rule number [type type] [service service] [src s...

  • Page 406

    VStream Policy Rule
    service integer or string. The service to which the rule should apply. This can have the following values:
    • custom - the rule should apply to a specific non-standard service. You must include the protocol and ports fields.
    • 0 or any - the rule should apply to any service.
    • 80 ...

  • Page 407

    VStream Policy Rule
    src IP address or string. The source of the connections you want to scan or pass. This can have the following values:
    • an IP address
    • an IP address range - to specify a range, use the following format: - address>
    • any - the rule should apply to any source.
    • wan
    • lan
    • dmz
    • ...

  • Page 408

    VStream Policy Rule
    dest IP address or string. Select the destination of the connections you want to scan or pass. This can have the following values:
    • an IP address
    • an IP address range - to specify a range, use the following format: - address>
    • any - the rule should apply to any destination.
    • ...

  • Page 409

    VStream Policy Rule
    protocol string. The protocol for which the rule should apply. This can have the following values:
    • any - the rule should apply to any protocol.
    • true - the rule is disabled.
    • tcp
    • udp
    The default value is any.
    index integer. The VStream Antivirus rule's row in the VStream A...

  • Page 410

    VStream Policy Rule
    direction string. Indicates the direction of connections to which the rule should apply. This can have the following values:
    • any - the rule applies to downloaded and uploaded data.
    • download - the rule applies to downloaded data, that is, data flowing from the destination of t...

  • Page 411

    VStream Policy Rule
    Example 1: the following command creates a scan rule for FTP connections from the WAN to the LAN:
    add vstream policy rule type scan service ftp action allow src wan dest lan
    Example 2: the following command modifies rule 1 in the VStream Antivirus Policy Rule table, so that it be...

  • Page 412: Webfilter

    Webfilter
    Purpose: the webfilter variable is used for working with the Web Filtering service in the following ways:
    • enabling/disabling the Web Filtering service
    • displaying and exporting all Web Filtering service settings, including:
      • Web Filtering mode
      • Web Filtering category setting...

  • Page 413

    Webfilter: Fields. mode (string). The web filtering service mode. This can have the following values:
      • enabled - enables the service for all internal network computers.
      • disabled - disables the service for all internal network computers.
    The default value is disabled.
    Example 1. The following comman...

  • Page 414: Webfilter Categories

    Webfilter categories: Purpose. The webfilter categories variable is used for working with web filtering categories in the following ways:
      • defining which web filtering categories should be considered appropriate for your family or office members
      • displaying and exporting web fi...

  • Page 415

    Webfilter categories: Fields. gambling / adult / criminal / hate / violence / drugs (string). Indicates whether web sites that deal with the specified content category should be blocked. This can have the following values:
      • allow - do not block the sites
      • block - block the sites
    The default value is allow...

  • Page 416: Wireless

    Wireless: Purpose. The wireless variable is used for working with wireless connection settings in the following ways:
      • configuring your NetDefend firewall's wireless connection settings, including:
        • the WLAN network's SSID, country, operation mode, and channel
        • the security protocol
        • adv...

  • Page 417

    Wireless: Syntax. When used with set:
      set wireless [netname netname] [hidenetname hidenetname] [country country] [opmode opmode] [macfilter macfilter] [xr xr] [wmm wmm] [channel channel] [xmitpower xmitpower] [datarate datarate] [fragthreshold fragthreshold] [rtsthreshold rtsthreshold] [antenna anten...

  • Page 418

    Wireless: hidenetname (string). Indicates whether the network's SSID is hidden. This can have the following values:
      • yes - the SSID is hidden. Only devices to which your SSID is known can connect to your network.
      • no - the SSID is not hidden. Any device within range can detect your network name using...

  • Page 419

    Wireless: opmode (string). The operation mode. This can have the following values:
      • 11b - operates in the 2.4 GHz range and offers a maximum theoretical rate of 11 Mbps. When using this mode, only 802.11b stations will be able to connect.
      • 11g - operates in the 2.4 GHz range, and offers a maximum the...

  • Page 420

    Wireless (continued). You can prevent older wireless stations from slowing down your network by choosing an operation mode that restricts access to newer wireless stations. Note: the actual data transfer speed is usually significantly lower than the maximum theoretical bandwidth and degrades with distance. Impo...

  • Page 421

    Wireless: xr (string). Indicates whether Extended Range (XR) mode is enabled. XR mode allows up to three times the range of a regular 802.11g access point. This can have the following values:
      • enabled - XR mode is enabled. XR will be automatically negotiated with XR-enabled wireless stations and used ...

  • Page 422

    Wireless: channel (integer or string). The radio frequency to use for the wireless connection. This can have the following values:
      • auto - the NetDefend firewall automatically selects a channel.
      • a specific channel between 1 and 14
    The list of channels is dependent on the selected country and operati...

  • Page 423

    Wireless: datarate (integer or string). The transmission rate. This can have the following values:
      • auto - the NetDefend firewall automatically selects a rate.
      • a specific rate: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54, 72, 96, or 108
    The default value is auto.
    fragthreshold (integer). The smallest...

  • Page 424

    Wireless: rtsthreshold (integer). The smallest IP packet size for which a station must send an RTS (Request To Send) before sending the IP packet. If multiple wireless stations are in range of the access point, but not in range of each other, they might send data to the access point simultaneously, the...

  • Page 425

    Wireless: antenna (string). The antenna to use for communicating with wireless stations. Multipath distortion is caused by the reflection of radio frequency (RF) signals traveling from the transmitter to the receiver along more than one path. Signals that were reflected by some surface reach the receiv...

  • Page 426

    Wireless: security (string). The security protocol to use. This can have the following values:
      • none
      • wep
      • 802.1x
      • wpa
      • wpapsk
    The default value is none. For detailed information on the supported security protocols, refer to the User Guide. If you choose wep, you must configure at least one WEP k...

  • Page 427

    Wireless: Example 1. The following command configures a wireless connection where the SSID is myoffice, the SSID is hidden, and the security protocol used is WPA-PSK:
      set wireless netname myoffice hidenetname yes security wpapsk
    Example 2. The following command displays the wireless connection's oper...

  • Page 428: Wireless Wep

    Wireless wep: Purpose. The wireless wep variable is used for working with WEP settings in the following ways:
      • configuring WEP keys
      • displaying and exporting WEP keys
    This variable is only relevant when a WLAN network is configured, and the selected security protocol is wep. For inform...

  • Page 429

    Wireless wep: Fields. defkey (integer). The number of the WEP key to use for transmission. The value must be between 1 and 4. The default value is 1. The selected key must be entered in the same key slot (1-4) on the station devices, but the key need not be selected as the transmit key on the stations...

  • Page 430

    Wireless wep: Example 1. The following command configures two WEP keys, and specifies that the second WEP key should be used for transmission:
      set wireless wep defkey 2 key1 4fc0046169 key2 d8462c0ba9
    Example 2. The following command displays the WEP settings:
      show wireless wep
    418 D-Link NetDefend C...

  • Page 431: Wireless Wpa

    Wireless wpa: Purpose. The wireless wpa variable is used for working with WPA2 settings in the following ways:
      • configuring the WPA2 settings
      • displaying and exporting WPA2 settings
    The WPA2 security method uses the more secure Advanced Encryption Standard (AES) cipher, instead of the ...

  • Page 432

    Wireless wpa: Fields. wpa2only (string). Indicates whether wireless stations should be required to connect using WPA2 only. This can have the following values:
      • yes - only wireless stations using WPA2 can access the WLAN network.
      • no - wireless stations using either WPA or WPA2 can access the WLAN ne...

  • Page 433: Wireless Wpapsk

    Wireless wpapsk: Purpose. The wireless wpapsk variable is used for working with WPA-PSK settings in the following ways:
      • configuring the WPA-PSK passphrase
      • displaying and exporting the WPA-PSK passphrase
    This variable is only relevant when a WLAN network is configured, and the sele...

  • Page 434

    Wireless wpapsk: Fields. passphrase (string). The passphrase for accessing the network. This must be between 8 and 63 characters. It can contain spaces and special characters, and is case-sensitive. For the highest security, choose a long passphrase that is hard to guess.
    Example 1. The following comma...

  • Page 435: Chapter 6

    Chapter 6: Country codes
    Table 3: Country codes
      Country                    Code
      No country set (default)   na
      Albania                    al
      Algeria                    dz
      Argentina                  ar
      Australia                  au
      Austria                    at
      Bahrain                    bh
      Belarus                    by
      Belgium                    be
      Belize                     bz
      Bolivia                    bo
      Brazil                     br
      Brunei Darussalam          bn
      Bulgaria                   bg
    Chapter 6: country codes 423.

  • Page 436

    Table 3: Country codes (continued)
      Country                    Code
      Canada                     ca
      Chile                      cl
      China                      cn
      Colombia                   co
      Costa Rica                 cr
      Croatia                    hr
      Cyprus                     cy
      Czech Republic             cz
      Denmark                    dk
      Dominican Republic         do
      Ecuador                    ec
      Egypt                      eg
      El Salvador                sv
      Estonia                    ee
      Finland                    fi
      France                     fr
      France RES                 f2
      Georgia                    ge
      Germany                    de

  • Page 437

    Table 3: Country codes (continued)
      Country                    Code
      Greece                     gr
      Guatemala                  gt
      Honduras                   hn
      Hong Kong                  hk
      Hungary                    hu
      Iceland                    is
      India                      in
      Indonesia                  id
      Iran                       ir
      Iraq                       iq
      Ireland                    ie
      Israel                     il
      Italy                      it
      Jamaica                    jm
      Japan                      jp
      Jordan                     jo
      Kenya                      ke
      Kuwait                     kw
      Latvia                     lv

  • Page 438

    Table 3: Country codes (continued)
      Country                    Code
      Lebanon                    lb
      Libya                      ly
      Liechtenstein              li
      Lithuania                  lt
      Luxembourg                 lu
      Macau                      mo
      Macedonia                  mk
      Malaysia                   my
      Mexico                     mx
      Monaco                     mc
      Morocco                    ma
      Netherlands                nl
      New Zealand                nz
      Nicaragua                  ni
      Norway                     no
      Oman                       om
      Pakistan                   pk
      Panama                     pa
      Paraguay                   py

  • Page 439

    Table 3: Country codes (continued)
      Country                    Code
      Peru                       pe
      Philippines                ph
      Poland                     pl
      Portugal                   pt
      Puerto Rico                pr
      Qatar                      qa
      Romania                    ro
      Russia                     ru
      Saudi Arabia               sa
      Serbia                     sr
      Singapore                  sg
      Slovak Republic            sk
      Slovenia                   si
      South Africa               za
      South Korea                kr
      Spain                      es
      Sweden                     se
      Switzerland                ch
      Syria                      sy

  • Page 440

    Table 3: Country codes (continued)
      Country                    Code
      Taiwan                     tw
      Thailand                   th
      Trinidad & Tobago          tt
      Tunisia                    tn
      Turkey                     tr
      Ukraine                    ua
      United Kingdom             gb
      United States              us
      Uruguay                    uy
      Venezuela                  ve
      Viet Nam                   vn
      Yemen                      ye
      Zimbabwe                   zw

  • Page 441: Glossary of Terms

    Glossary of terms
    A
    ADSL modem: A device connecting a computer to the internet via an existing phone line. ADSL (Asymmetric Digital Subscriber Line) modems offer a high-speed 'always-on' connection.
    C
    CA: The Certificate Authority (CA) issues certificates to entities such as gateways...

  • Page 442

    ... anyone knowing about it. Sometimes, tiny programs are 'planted' on the computer that are designed to watch out for, seize and then transmit to another computer, specific types of data.
    D
    DHCP: Any machine requires a unique IP address to connect to the internet using Internet Protoco...

  • Page 443

    ... other ways intentionally breaches computer security. The end result is that whatever resides on the computer can be viewed and sensitive data can be stolen without anyone knowing about it. Sometimes, tiny programs are 'planted' on the computer that are designed to watch out for, se...

  • Page 444

    IPsec: IPsec is the leading virtual private networking (VPN) standard. IPsec enables individuals or offices to establish secure communication channels ('tunnels') over the internet.
    ISP: An ISP (Internet Service Provider) is a company that provides access to the internet and other re...

  • Page 445

    NetBIOS: NetBIOS is the networking protocol used by DOS and Windows machines.
    P
    Packet: A packet is the basic unit of data that flows from one source on the internet to another destination on the internet. When any file (e-mail message, HTML file, GIF file etc.) is sent from one plac...

  • Page 446

    ... level of security by examining every layer within a packet, unlike other systems of inspection. Stateful inspection extracts information required for security decisions from all application layers and retains this information in dynamic state tables for evaluating subsequent connec...

  • Page 447

    ... TCP; however, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end. UDP is often used for applications such as streaming data.
    URL: A URL (Uniform Resource Locator) is the address of a file (resource) accessible on the ...

  • Page 449: Index
