Freedom9 freeGuard 100 Command Line Interface Manual

Manual is about: UTM Firewall

Summary of freeGuard 100

  • Page 1

    Freeguard 100 utm firewall cli user’s manual p/n: f0025000 rev. 1.1.

  • Page 2

    Copyright and trademark information this document contains proprietary information that is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced, or translated into another language without express prior written consent of freedom9 inc. © copyright 2...

  • Page 4

    Freeguard 100 cli user manual i table of contents 1 introduction ................................................................................................................................. 1 1.1 about this document .................................................................................

  • Page 5

    Ii 7.4 syslogd setting ....................................................................................................................... 97 7.5 trafficfilter ............................................................................................................................. 99 7.6 web...

  • Page 6

    Freeguard 100 cli user manual iii 10.29 vdom ........................................................................................................................................ 238 10.30 zone ..........................................................................................................

  • Page 8

    Freeguard 100 cli user manual 1 1 introduction the freeguard 100 unified threat management (utm) firewall supports network-based deployment of application-level services, including virus protection and full-scan content filtering. Freeguard 100s improve network security, reduce network misuse and ab...

  • Page 9

    2 support before using these commands. 1.2 conventions this guide uses the following conventions to describe command syntax. • angle brackets to indicate variables. For example: execute restore config you enter: execute restore config myfile.bak indicates an ascii string that does not contain new-li...

  • Page 10

    Freeguard 100 cli user manual 3 set allowaccess ping https ssh set allowaccess https ping ssh set allowaccess snmp in most cases to make changes to lists that contain options separated by spaces, you need to retype the whole list including all the options you want to apply and excluding all the opti...

  • Page 11

    4 2 using the cli this chapter explains how to connect to the command line interface (cli) and describes the basics of using the cli. You can use cli commands to view all system information and to change all system configuration settings. This chapter describes: administrator access connecting to th...

  • Page 12

    Freeguard 100 cli user manual 5 hyperterminal software. You can use any terminal emulation program. To connect to the cli: • connect the freeguard 100 console port to the available communications port on your computer. • make sure the freeguard 100 is powered on. • start hyperterminal, enter a name ...

  • Page 13

    6 • use the following command to configure an interface to accept ssh connections: config system interface edit set allowaccess ssh end where is the name of the freeguard 100 interface to be configured to accept ssh connections. For example, to configure the internal interface to accept ssh connecti...

  • Page 14

    Freeguard 100 cli user manual 7 both or any of the other management access types you must include all the options you want to apply. For example to allow ping, https and ssh access to an interface, the set portion of the command is: set allowaccess ping https ssh connecting to the freeguard 100 cli ...

  • Page 15

    8 2.3 cli structure this section describes: • cli command organization • example command sequences cli command organization the freeguard 100 cli consists of the following command branches: • config branch • get branch • show branch • execute branch • diagnose branch config branch the config branch ...

  • Page 16

    Freeguard 100 cli user manual 9 • type purge and then y to confirm that you want to purge all the user names, • type get again to confirm that no user names are displayed. Move change the position of an entry in an ordered table. For example in the config firewall policy shell: • type move 3 after 1 ...

  • Page 17

    10 at the (interface)# prompt, type: get the screen displays: == [ internal ] name: internal mode: static ip: 192.168.20.200 255.255.255.0 status: up netbios-forward: disable type: physical ip6-address: ::/0 ip6-send-adv: disable == [ external ] name: external mode: static ip: 192.168.100.99 255.25...

  • Page 18

    Freeguard 100 cli user manual 11 example you are working in the config system global shell and want to see information about the freeguard 100 interfaces. At the (global)# prompt, type: get system interface the screen displays: == [ internal ] name: internal mode: static ip: 192.168.20.200 255.255.2...

  • Page 19

    12 can use show with a full path to display the configuration of the specified shell. To display the configuration of all config shells, you can use show from the root prompt. The root prompt is freeguard 100 #. Example when you type show and press enter within the internal interface shell, the chan...

  • Page 20

    Freeguard 100 cli user manual 13 restore freeguard 100 configuration files, and to enter or leave a virtual domain. The execute commands are available only from the root prompt. The root prompt is freeguard 100 #. Example at the root prompt, type: execute reboot and press enter to restart the freegu...

  • Page 21

    14 secondary • to set the primary dns server address to 172.16.100.100, type: set primary 172.16.100.100 and press enter. • to set the secondary dns server address to 207.104.200.1, type: set secondary 207.104.200.1 and press enter. • to restore the primary dns server address to the default address,...

  • Page 22

    Freeguard 100 cli user manual 15 set unset get show next abort end • at the (internal)# prompt, type: config secondaryip and press enter. The prompt changes to (secondaryip)#. • at the (secondaryip)# prompt, type: ? The following options are displayed. Edit delete purge get show end • to add a secon...

  • Page 23

    16 the following options are displayed. Allowaccess detectserver gwdetect ip • to set the secondary ip address with the id number 0 to 192.168.100.100 and the netmask to 255.255.255.0, type: set ip 192.168.100.100 255.255.255.0 and press enter. • to add another secondary ip address to the internal i...

  • Page 24

    Freeguard 100 cli user manual 17 • line continuation • command abbreviation • environment variables • encrypted password support • using single quotes to enter tabs or spaces in strings • international characters • ip address formats • editing the configuration file • setting page length • changing ...

  • Page 25

    18 beginning of line: Ctrl+A; end of line: Ctrl+E; back one character: Ctrl+B; forward one character: Ctrl+F; delete current character: Ctrl+D; previous command: Ctrl+P; next command: Ctrl+N; abort the command (if used at the root prompt, exit the CLI): Ctrl+C. Line continuation: to break a long command over mu...

  • Page 26

    Freeguard 100 cli user manual 19 set password enc xxnfkpsv3oivk next end it is also possible to enter an already encrypted password. For example, type: config system admin and press enter. Type: edit user1 and press enter. Type: set password enc xxnfkpsv3oivk and press enter. Type: end and press ent...

  • Page 27

    20 the ip address is displayed in the configuration file in dotted decimal format. Editing the configuration file you can change the freeguard 100 configuration by backing up the configuration file to a tftp server. Then you can make changes to the file and restore it to the freeguard 100. • use the...

  • Page 28

    Freeguard 100 cli user manual 21 to match a special character such as ‘.’ and ‘*’, regular expressions use the ‘\’ escape character. For example: • to match freedom9.com, the regular expression should be freedom9\.com. In perl regular expressions, ‘*’ means match 0 or more times of the character bef...

  • Page 29

    22 \d\d any two decimal digits, such as 42; same as \d{2} /i makes the pattern case insensitive. For example, /bad language/i blocks any instance of “bad language” regardless of case. \w+ a "word": a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and f...

  • Page 30

    Freeguard 100 cli user manual 23 3 config alertemail filter setting 3.1 filter use this command to specify what log activity and what log severity level to send alert email for. You can configure the freeguard 100 to send alert email to multiple recipients when selected events occur. Note: if more t...

  • Page 33

    26 examples this example shows how to configure the freeguard 100 to send alert email for administrative events, ha activity, and virus incidents, and to set a log severity level of warning. config alertemail filter set severity warning set admin enable set ha enable set virus enable end this exampl...

  • Page 35

    28 user@domain.com. This address appears in the From header of the alert email. Warning-interval enter the number of minutes the freeguard 100 should wait before sending out alert email for warning-level messages. 10 examples this example shows how to configure the smtp server and user name, add two e...

  • Page 36

    Freeguard 100 cli user manual 29 4 config antivirus filepattern grayware heuristic service http service ftp service pop3 service imap service smtp 4.1 filepattern use this command to add, edit or delete the file patterns used for virus blocking and to set which protocols to check for files to block....

  • Page 37

    30 enabled file patterns. Block {ftp http imap pop3 smtp} block the specified file pattern in the selected protocols. Blocking deletes files that match the file patterns. Varies. Example this example shows how to add the *.xyz file pattern, allow *.xyz files in imap, smtp, and pop3 traffic, and block ...

  • Page 38

    Freeguard 100 cli user manual 31 grayware programs are unsolicited commercial software programs that get installed on computers, often without the user’s consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used...

  • Page 39

    32 command syntax pattern config antivirus grayware set end config antivirus grayware unset end get antivirus grayware [] show antivirus grayware [] note: the freeguard 100 cli is case sensitive and the first letter of all grayware category names is uppercase. Antivirus grayware command keywords and...

  • Page 40

    Freeguard 100 cli user manual 33 • config antivirus heuristic • config antivirus service http • config antivirus service ftp • config antivirus service pop3 • config antivirus service imap • config antivirus service smtp • config system autoupdate schedule • execute update_now 4.3 heuristic use this...

  • Page 41

    34 this example shows how to display the settings for the antivirus heuristic command. Get antivirus heuristic this example shows how to display the configuration for the antivirus heuristic command. Show antivirus heuristic command history related commands • config antivirus filepattern • config an...

  • Page 42

    Freeguard 100 cli user manual 35 a variety of encoding types and some encodings translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the a...

  • Page 43

    36 • config antivirus filepattern • config antivirus heuristic • config antivirus service ftp • config antivirus service pop3 • config antivirus service imap • config antivirus service smtp 4.5 service ftp use this command to configure how the freeguard 100 handles antivirus scanning of large files ...

  • Page 44

    Freeguard 100 cli user manual 37 megabytes between 1 and the total memory size. Enter 0 for no limit (not recommended). How file size limits work see “how file size limits work” . Example this example shows how to set the maximum file size buffered to memory for scanning at 25 mb, the maximum uncomp...

  • Page 45

    38 unset end get antivirus service [pop3] show antivirus service [pop3] antivirus service pop3 command keywords and variables keywords & variables description default memfilesizelimit set the maximum file size that can be buffered to memory for virus scanning. The maximum file size allowed is 10% of...

  • Page 46

    Freeguard 100 cli user manual 39 this example shows how to display the antivirus pop3 traffic settings. Get antivirus service pop3 this example shows how to display the configuration for antivirus pop3 traffic. Show antivirus service pop3 command history related commands • config antivirus filepatte...

  • Page 47

    40 common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes less than the memfilesizelimit. Port configure antivirus scanning on a nonstandard port number or multiple port number...

  • Page 48

    Freeguard 100 cli user manual 41 4.8 service smtp use this command to configure how the freeguard 100 handles antivirus scanning of large files in smtp traffic, what ports the freeguard 100 scans for smtp, and how the freeguard 100 handles interaction with an smtp server for delivery of email with i...

  • Page 49

    42 example this example shows how to set the maximum file size that can be buffered to memory for scanning at 100 mb, the maximum uncompressed file size that can be buffered to memory for scanning at 1 gb (1000 mb), and how to enable antivirus scanning on ports 25, and 465 for smtp traffic. Config a...

  • Page 50

    Freeguard 100 cli user manual 43 5 config firewall address addrgrp dnstranslation ipmacbinding setting ipmacbinding table ippool multicast-policy policy profile schedule onetime schedule recurring service custom service group vip 5.1 address use this command to add and edit addresses used in firewal...

  • Page 51

    44 end config firewall address delete end get firewall address [] show firewall address [] firewall address command keywords and variables keywords & variables description default subnet if type is set to ipmask, the ip address can be the ip address of a single computer (for example, 192.45.46.45) o...

  • Page 52

    Freeguard 100 cli user manual 45 set type iprange set start_ip 13.1.1.10 set end_ip 13.1.1.30 end this example shows how to display the firewall address list. Get firewall address this example shows how to display the settings for the address user_range. Get firewall address user_range this example ...

  • Page 53

    46 delete end get firewall addrgrp [] show firewall addrgrp [] firewall addrgrp command keywords and variables keywords and variables description default member [ [ ...]] the names of the addresses to add to the address group. The member addresses must already have been added. Use spaces to separate...

  • Page 54

    Freeguard 100 cli user manual 47 dns translation translates ip addresses in packets sent by a dns server from the internal network to the external network. Use dns translation if you have a dns server on your internal network that can be accessed by users on the external network to find the ip addre...

  • Page 55

    48 example this example shows how to add dns translation for the source and destination addresses listed. Config firewall dnstranslation edit 1 set dst 220.210.200.190 set netmask 255.255.255.0 set src 192.168.100.12 end this example shows how to display the configured dns translation settings. Get ...

  • Page 56

    Freeguard 100 cli user manual 49 command syntax pattern config firewall ipmacbinding setting set config firewall ipmacbinding setting unset get firewall ipmacbinding setting show firewall ipmacbinding setting firewall ipmacbinding setting command keywords and variables example keywords & variables d...

  • Page 57

    50 command history related commands • ipmacbinding table 5.5 ipmacbinding table use this command to add ip and mac address pairs to the ip/mac binding table, or to edit or delete ip and mac address pairs added to the ip/mac binding table. You can enable or disable ip/mac binding for each individual ...

  • Page 59

    52 addresses randomly selected from the ip pool rather than being limited to the ip address of the destination interface. Ip pools are only available in nat/route mode. You can add multiple ip pools to any interface and configure the firewall policy to select the ip pool to use for that firewall pol...

  • Page 60

    Freeguard 100 cli user manual 53 config firewall ippool edit 1 set startip 192.168.1.100 set endip 192.168.1.200 set interface internal end this example shows how to display the settings for the firewall ippool command. Get firewall ippool this example shows how to display the settings for the id 1 ...

  • Page 61

    54 delete end get firewall multicast-policy [] show firewall multicast-policy [] firewall multicast-policy command keywords and variables keywords & variables description default dstaddr enter the destination ip address and netmask to match against multicast nat packets. 0.0.0.0 0.0.0.0 dstintf ente...

  • Page 62

    Freeguard 100 cli user manual 55 command history related commands • config system global, set multicast-forward 5.8 policy use this command to add, edit or delete firewall policies. Firewall policies control all traffic passing through the freeguard 100. Firewall policies are instructions used by th...

  • Page 63

    56 interface, and enable or disable fixedport so that the nat policy does not translate the packet source port. Enter deny to deny packets that match the firewall policy. Enter encrypt to configure the policy to be an encrypt policy for ipsec tunnels. If you enter encrypt you can also enable or disab...

  • Page 66

    Freeguard 100 cli user manual 59 • sets action to accept to allow connections • applies network address translation (nat is enabled) • applies traffic shaping to guarantee 100 kbytes/s of bandwidth is available, to limit the maximum bandwidth to 500 kbytes/second, and to set the priority for the tra...

  • Page 67

    60 • config firewall address • config firewall profile • config firewall schedule onetime • config firewall schedule recurring • config firewall service custom • config firewall service group 5.9 profile use this command to add, edit or delete protection profiles. Use protection profiles to apply di...

  • Page 68

    Freeguard 100 cli user manual 61 [- ]] organized into groups to make selection easier. Enter one or more integers representing the categories or groups of web pages you want to block. Use a hyphen to separate the integers. To delete entries you must use the unset command to delete the entire list. Ca...

  • Page 69

    62 freeguard 100 stops the upload, attempts to delete the partial file from the ftp server, and displays a replacement message for the user. To delete the file successfully, the server permissions must be set to allow deletes. When downloading files from an ftp server the freeguard 100 sends 1 byte e...

  • Page 70

    Freeguard 100 cli user manual 63 • enter scriptfilter to enable web script filtering. • enter urlblock to enable url blocking. • enter urlexempt to enable url exempt filtering. Enter all the actions you want this profile to use. Use a space to separate the options you enter. If you want to remove an...

  • Page 71

    64 tag to enable tagging spam email with text configured using the imap_spamtagmsg keyword and the location set using the imap_spamtagtype keyword. imap_spamtagmsg enter the subject text or mime header text with which to tag spam messages. A tag of more than one word (a phrase) must be enclosed in singl...

  • Page 72

    Freeguard 100 cli user manual 65 pop3 {bannedword block content-archive fragmail no-content-summary oversize scan spamemailbwl spamfsip spamfsurl spamhdrcheck spamaddrdns spamrbl} select the actions that this profile uses for filtering pop3 traffic for a policy. • enter bannedword to enable email co...

  • Page 73

    66 no-content-summary oversize scan spamemailbwl spamfsip spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrblsplice} enable email content blocking based on the banned word list. • enter block to enable deleting files with blocked file patterns even if the files do not contain viruses. ...

  • Page 74

    Freeguard 100 cli user manual 67 tag. Tagged allows you to append a custom tag to the subject or header of email identified as spam. If you have scan or splice enabled, the freeguard 100 can only discard spam email. Discard immediately drops the connection. Without splice or scanning enabled, you can c...

  • Page 75

    68 • add http category blocking to the spammail profile created above • configure category blocking to deny access to web pages categorized as games (20), personals and dating (37), shopping and auction (42) and the category group objectionable or controversial (g02) • configure category monitoring ...

  • Page 76

    Freeguard 100 cli user manual 69 command syntax pattern config firewall schedule onetime edit set end config firewall schedule onetime edit unset end config firewall schedule onetime delete end get firewall schedule onetime [] show firewall schedule onetime [] firewall schedule onetime command keywo...

  • Page 77

    70 this example shows how to display the configuration for the firewall schedule onetime command. Show firewall schedule onetime this example shows how to display the configuration for the holiday onetime schedule. Show firewall schedule onetime holiday command history related commands • policy • sc...

  • Page 78

    Freeguard 100 cli user manual 71 day enter the names of one or more days of the week for which the schedule is valid. Separate names by a space. No default. End the ending time of the schedule. • hh can be 00 to 23 • mm can be 00, 15, 30, or 45 only 00:00 start the starting time of the schedule. • h...

  • Page 79

    72 • policy • schedule onetime 5.12 service custom use this command to add, edit, or delete custom firewall services. Add a custom service if you need to create a policy for a service that is not in the predefined service list. Command syntax pattern config firewall service custom edit set end confi...

  • Page 81

    74 config firewall service group edit set end config firewall service group edit unset end config firewall service group delete end get firewall service group [] show firewall service group [] firewall service group command keywords and variables keywords & variables description default member name_...

  • Page 82

    Freeguard 100 cli user manual 75 get firewall service group web_services this example shows how to display the configuration for the firewall service group command. Show firewall service group this example shows how to display the configuration for the web_services service group. Show firewall servi...

  • Page 83

    76 edit unset end config firewall vip delete end get firewall vip [] show firewall vip [] firewall vip command keywords and variables keywords & variables description default extintf the name of the interface connected to the source network that receives the packets to be forwarded to the destinatio...

  • Page 85

    78 end this example shows how to display the settings for the firewall vip command. Get firewall vip this example shows how to display the settings for the web_server vip. Get firewall vip web_server this example shows how to display the configuration for the firewall vip command. Show firewall vip ...

  • Page 86

    Freeguard 100 cli user manual 79 6 config ips anomaly custom group 6.1 anomaly the freeguard 100 ips uses anomalies to identify network traffic that does not fit known or preset traffic patterns. The freeguard 100 ips identifies the four statistical anomaly types for the tcp, udp, and icmp protocols...

  • Page 87

    80 the config ips anomaly command has 1 subcommand. Config limit.

  • Page 89

    82 • the freeguard 100 drops the packet that triggered the anomaly, sends a reset to the server, and removes the session from the freeguard 100 session table. Used for tcp connections only. If you set this action for non-tcp connection based attacks, the action behaves as clear_session. If the reset_...

  • Page 90

    Freeguard 100 cli user manual 83 show ips anomaly this example shows how to display the configuration for icmp_flood. Show ips anomaly icmp_flood config limit access the config limit subcommand using the config ips anomaly command. Use this command for session control based on source and destination...

  • Page 91

    84 edit subnet1 set ipaddress 1.1.1.0 255.255.255.0 set threshold 300 end end command history related commands • config ips custom • config ips group • config system global ips-open 6.2 custom you can create custom ips signatures. The custom signatures you create are added to a single custom signatu...

  • Page 92

    Freeguard 100 cli user manual 85 config ips custom delete get ips custom [] show ips custom [] custom command keywords and variables keywords & variables description default signature enter the custom signature. The signature must be enclosed in single quotes. No default. Example this example shows ...

  • Page 93

    86 6.3 group the freeguard 100 ips matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Freedom9’s infrastructure ensures the rapid identification of new threats and the development of new attack signatures. You ...

  • Page 94

    Freeguard 100 cli user manual 87 group command keywords and variables keywords & variables description default bad_flag_list a comma separated list of bad tcp flags. Null, f, u, p, sf, pf, up, upf, uapsf, uaprsf codepoint a number from 0 to 63. Used for differentiated services tagging. When the acti...

  • Page 95

    88 this example shows how to display the settings for the dos signature group. Get ips group dos this example shows how to display the configuration for the ips group command. Show ips group this example shows how to display the configuration for the dos signature group. Show ips group dos config ru...

  • Page 104

    Freeguard 100 cli user manual 97 set status enable end this example shows how to display the log setting for logging to the freeguard 100 system memory. Get log memory setting this example shows how to display the configuration for logging to the freeguard 100 system memory. Show log memory setting ...

  • Page 106

    Freeguard 100 cli user manual 99 this example shows how to enable logging to a remote syslog server, configure an ip address and port for the server, and enable logging in csv format. Config log syslogd setting set status enable set server 220.210.200.190 set port 601 set csv enable end this example...

  • Page 108

    Freeguard 100 cli user manual 101 command syntax pattern config rule edit set end config rule edit unset end config rule delete end get log trafficfilter show log trafficfilter rule command keywords and variables keywords & variables description default dst enter the destination ip address and netma...

  • Page 109

    102 end end this example shows how to display the settings for the log trafficfilter command. Get log trafficfilter setting this example shows how to display the configuration for the log trafficfilter command. Show log trafficfilter setting if the show command returns you to the prompt, the setting...

  • Page 111

    104 8 config router access-list get router info ospf get router info protocols get router info rip get router info routing_table key-chain ospf policy prefix-list rip route-map static static6 8.1 access-list use this command to add, edit, or delete access lists. Access lists are filters used by free...

  • Page 112

    Freeguard 100 cli user manual 105 delete end get router access-list [] show router access-list [] the config router access-list command has 1 subcommand. Config rule config rule access the config rule subcommand using the config router access-list command. Use the config rule command to add, edit, or...

  • Page 113

    106 this example shows how to add an access list named acc_list1 with two rules. The first rule denies the subnet that exactly matches the prefix 192.168.50.0 255.255.255.0 and permits all other subnets that match the prefix 192.168.0.0 255.255.0.0. Config router access-list edit acc_list1 config ru...

  • Page 114

    Freeguard 100 cli user manual 107 8.2 get router info ospf use this command to display information about ospf. Command syntax get router info ospf router info ospf command keywords and variables keywords description border-routers show ospf routing table entries that have an area border router (abr)...

  • Page 115

    108 command history related commands • execute router restart • get router info rip • get router info routing_table • config router rip • config router ospf 8.4 get router info rip use this command to display information about rip. Command syntax get router info rip router info rip command keywords ...

  • Page 116

    Freeguard 100 cli user manual 109 get router info routing_table command history related commands • execute router restart • execute router restart-graceful • get router info ospf • get router info protocols • get router info rip • config router policy • config router rip • config router static • con...

  • Page 117

    110 the config router key-chain command has 1 subcommand. Config key config key access the config key subcommand using the config router key-chain command. Use the config key command to add, edit, or delete keys identified by the specified number. Command syntax pattern config key edit set end config...

  • Page 119

    112 end this example shows how to display the list of key-chains. Get router key-chain this example shows how to display the settings for the key chain test1. Get router key-chain test1 this example shows how to display the configuration for the router key-chain command. Show router key-chain this e...

  • Page 120

    Freeguard 100 cli user manual 113 the config router ospf command has 7 subcommands. Config area config distribute-list config neighbor config network config ospf-interface config redistribute config summary-address note: in the following table, only the router-id keyword is required. All other keywor...

  • Page 122

    Freeguard 100 cli user manual 115 set router-id 1.1.1.1 end this example shows how to display the ospf settings. Get router ospf this example shows how to display the ospf configuration. Show router ospf config area access the config area subcommand using the config router ospf command. Use the conf...

  • Page 124

    Freeguard 100 cli user manual 117 never} lsas used for distributing external route information to other parts of the ospf routing domain. Usually a nssa will have only one nssa border router acting as a translator for the nssa. You can set the translator role to always to ensure this freeguard 100 a...

  • Page 125

    118 this example shows how to display the configuration for area 15.1.1.1. Config router ospf config area edit 15.1.1.1 show end config filter-list access the config filter-list subcommand using the config area subcommand. Use filter lists to control the import and export of lsas into and out of an ...

  • Page 127

    120 use the area range command to summarize routes at an area boundary. If the network numbers in an area are contiguous, the abr advertises a summary route that includes all the networks within the area that are within the specified range. Command syntax pattern the range id_integer can be 0 to 4 2...

  • Page 129

    122 edit set end config virtual-link edit unset end config virtual-link delete end config virtual-link edit get end config virtual-link edit show end note: only the peer keyword is required. All other keywords are optional. Virtual-link command keywords and variables keywords & variables description...

  • Page 130

    123 the authentication-key is 15 characters. Dead-interval the time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval. Both ends of the virtual link must use the sa...

  • Page 131

    124 this example shows how to display the settings for area 15.1.1.1. Config router ospf config area edit 15.1.1.1 get end this example shows how to display the configuration for area 15.1.1.1. Config router ospf config area edit 15.1.1.1 show end config distribute-list access the config distribute-...

  • Page 133

    126 show end config neighbor access the config neighbor subcommand using the config router ospf command. Use this command to manually configure an ospf neighbor on nonbroadcast networks. Ospf packets are unicast to the specified neighbor address. You can configure multiple neighbors. Command syntax ...

  • Page 134

    127 seconds_integer is 1 to 65535. Priority enter a priority number for the neighbor. The valid range for priority_integer is 0 to 255. 1 example this example shows how to manually add a neighbor. Config router ospf config neighbor edit 1 set ip 192.168.21.63 end end thi...

  • Page 135

    128 end config network edit unset end config network delete end config network edit get end config network edit show end network command keywords and variables keywords & variables description default area the id number of the area to be associated with the prefix. 0.0.0.0 prefix enter the ip addres...

  • Page 136

    129 config router ospf config network edit 2 get end this example shows how to display the configuration for network 2. Config router ospf config network edit 2 show end config ospf-interface access the config ospf-interface subcommand using the config router ospf comma...

  • Page 138

    131 hello-interval the time, in seconds, between hello packets. All routers on the network must use the same value for hello-interval. The valid range for seconds_integer is 1 to 65535. 10 interface enter the name of the interface to associate with this ospf configuratio...

  • Page 139

    132 designated router (bdr). An interface with router priority set to 0 can not be elected dr or bdr. The interface with the highest router priority wins the election. If there is a tie for router priority, router id is used. Point-to-point networks do not elect a dr or bdr; therefore, this setting ...

  • Page 140

    133 config ospf-interface edit test get end this example shows how to display the configuration for the ospf interface configuration named test. Config router ospf config ospf-interface edit test show end config redistribute access the config redistribute subcommand usi...

  • Page 141

    134 tag specify a tag for redistributed routes. The valid range for tag_integer is 0 to 4294967295. 0 this example shows how to enable route redistribution from rip, using a metric of 3 and a route map named rtmp2. Config router ospf config redistribute rip set metric 3 set routemap rtmp2 set status ...

  • Page 143

    136 • get router info routing_table 8.8 policy when you create a policy route, any packets that match the policy are forwarded to the ip address of the next hop gateway through the specified outbound interface. You can configure the freeguard 100 to route packets based on: • a source address • a pro...

  • Page 144

    137 address_ipv4mask> netmask. End_port the end port number of a port range for a policy route. Match packets that have this destination port range. You must configure both the start_port and end_port keywords for destination port range matching to take effect. 0 gateway ...

  • Page 145

    138 • enter the following command to route traffic from the 192.168.20.0 subnet to the 200.200.200.0 subnet. Force the packets to the next hop gateway at ip address 2.2.2.1 through the interface named external. Config router policy edit 2 set input_device internal set src 192.168.20.0 255.255.255.0 ...

  • Page 146

    139 this example shows how to display the list of policy based routes. Get router policy this example shows how to display the settings for routing policy 1. Get router policy 1 this example shows how to display the configuration for the router policy command. Show rout...

  • Page 147

    140 get router prefix-list [] show router prefix-list [] the config router prefix-list command has 1 subcommand. Config rule config rule access the config rule subcommand using the router prefix-list command. Use the config rule command to add, edit, or delete prefix list rules with the specified num...

  • Page 148

    141 example this example shows how to add a prefix list named prf_list1 with three rules. The first rule permits subnets that match prefix lengths between 26 and 30 for the prefix 192.168.100.0 255.255.255.0. The second rule denies subnets that match the prefix lengths ...

  • Page 149

    142 show router prefix-list prf_list1 command history related commands • config router access-list • config router rip 8.10 rip use this command to configure routing information protocol (rip) on the freeguard 100. The freeguard 100 implementation of rip supports both rip version 1 as defined by rfc...

  • Page 151

    144 • enable advertising a default static route into rip, • enable sending and receiving rip version 1 packets, • set the default metric to 5. Config router rip set default-information-originate enable set version 1 set default-metric 5 end this example shows how to display the rip settings. Get rou...

  • Page 152

    145 show router rip distance command keywords and variables example keywords & variables description default access-list enter the name of an access list. The distances associated with the routes in the access list will be modified. To create an access list, see “config...

  • Page 154

    147 this example shows how to display the rip settings. Get router rip this example shows how to display the rip configuration. Show router rip config interface access the config interface subcommand using the config router rip command. Use the config interface subcomma...

  • Page 155

    148 authenticity of the update packet, not the confidentiality of the routing information in the packet. In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added t...

  • Page 156

    149 set send-version 2 set auth-mode md5 set auth-keychain test1 end end this example shows how to display the rip settings. Get router rip this example shows how to display the rip configuration. Show router rip config neighbor access the config neighbor subcommand usi...

  • Page 157

    150 ip enter the ip address of the neighboring router to which to send unicast updates. 0.0.0.0 example this example shows how to set the router at 192.168.21.20 as a neighbor. Config router rip config neighbor edit 1 set ip 192.168.21.20 end end this example shows how to display the rip settings. G...

  • Page 158

    151 show router rip network command keywords and variables keywords & variables description default prefix enter the ip address and netmask for the rip network. 0.0.0.0 example use the following command to enable rip for the interfaces attached to networks specified by ...

  • Page 161

    154 show router rip command history related commands • config router access-list • config router key-chain • config router prefix-list • config router route-map • execute router restart-graceful • get router info protocols • get router info rip • get router info routing_table 8.11 route-map use this...

  • Page 162

    155 config rule access the config rule subcommand using the config router route-map command. Use the config rule subcommand to add, edit, or delete route map rules with the specified number. Command syntax pattern config rule edit set end config rule edit unset end conf...

  • Page 164

    157 related commands • config router access-list • config router prefix-list • config router rip 8.12 static use this command to add, edit, or delete static routes for ipv4 traffic. Add static routes to control the destination of traffic exiting the freeguard 100. You c...

  • Page 165

    158 administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1-255. See also config system interface “distance ” on page 261. Dst the destination ip a...

  • Page 166

    159 8.13 static6 use this command to add, edit, or delete static routes for ipv6 traffic. Add static routes to control the destination of traffic exiting the freeguard 100. You configure routes by adding destination ip addresses and netmasks and adding gateways for thes...

  • Page 167

    160 example this example shows how to add an ipv6 static route that has the sequence number 2. Config router static6 edit 2 set dev internal set dst 12ab:0:0:cd30::/60 set gateway 12ab:0:0:cd30:123:4567:89ab:cdef end this example shows how to display the list of ipv6 static route numbers. Get router...

  • Page 168

    161 9 config spamfilter bword emailbwl shield ipbwl mheader rbl 9.1 bword use this command to add or edit and configure options for the spam filter banned word list. The freeguard 100 spam filters are generally applied in the following order: • shield: shield antispam s...

  • Page 170

    163 set language ascii set pattern bad* set pattern_type wildcard set where body next edit 11 set status enable set action spam set language ascii set pattern ^worse set pattern_type regexp set where body end this example shows how to display the spamfilter banned word l...

  • Page 171

    164 freeguard 100 spam filters are generally applied in the following order: • shield: shield antispam service • ipbwl: ip address list • rbl: dnsbl & ordbl • emailbwl: email address list • mheader: mime headers • bword: banned words the freeguard 100 uses the email address list to filter incoming ...

  • Page 173

    166 • config spamfilter bword • config spamfilter ipbwl • config spamfilter mheader • config spamfilter rbl 9.3 shield use this command to configure the settings for the antispam service. The freeguard 100 spam filters are generally applied in the following order: • shield: shield antispam service •...

  • Page 175

    168 cache : enable cache_ttl : 1800 hostname : antispam.Freeguard 100.Com license : trial expiration : n/a this example shows how to display the shield configuration. Freeguard 100-unit-prompt # show spamfilter shield config spamfilter set status enable set cache enable set cache_ttl 1800 end comman...

  • Page 176

    169 profile action is taken. If no match is found, the email is passed on to the next spam filter. You can enter an ip address and mask in two formats: • x.x.x.x/x.x.x.x, for example 62.128.69.100/255.255.255.0 • x.x.x.x/x, for example 62.128.69.100/24 you can configure...

  • Page 177

    170 entry in the list and reject email from that subnet. Config spamfilter ipbwl edit 7 set status enable set action reject set ip/subnet 123.0.0.0/8 end this example shows how to display the spamfilter ip list. Get spamfilter ipbwl this example shows how to display the settings for the second entry...

  • Page 178

    171 • emailbwl: email address list • mheader: mime headers • bword: banned words the freeguard 100 compares the mime header key-value pair of incoming email to the list pair in sequence. If a match is found, the corresponding action is taken. If no match is found, the e...

  • Page 180

    173 this example shows how to display the spamfilter mime header list. Get spamfilter mheader this example shows how to display the settings for the second entry in the spamfilter mime header list. Get spamfilter mheader 2 this example shows how to display the configura...

  • Page 181

    174 some spammers use unsecured third party smtp servers to send unsolicited bulk email. Using dnsbls and ordbls is an effective way to tag or reject spam as it enters your network. These lists act as domain name servers that match the domain of incoming email to a list of ip addresses known to send...

  • Page 182

    175 config spamfilter rbl edit 2 set action reject set server bl.spamcop.net set status enable next edit 3 set action spam set server relays.ordb.org set status enable end this example shows how to display the spamfilter dnsbl list. Get spamfilter rbl this example shows...

  • Page 184

    177 10 config system accprofile admin autoupdate clientoverride autoupdate override autoupdate push-update autoupdate schedule autoupdate tunneling bug-report console dhcp exclude_range dhcp ipmacbinding dhcp server dns fm get system performance get system status global...

  • Page 185

    178 zone 10.1 accprofile use this command to add access profiles that control administrator access to freeguard 100 features. Each freeguard 100 administrator account must include an access profile. You can create access profiles that deny access to or allow read only, write only, or both read and w...

  • Page 187

    180 edit policy_profile set secgrp rw end this example shows how to display the settings for the system accprofile command. Get system accprofile this example shows how to display the settings for the policy_profile access profile. Get system accprofile policy_profile this example shows how to displ...

  • Page 188

    181 end config system admin delete end get system admin [] show system admin [] admin command keywords and variables keywords & variables description default accprofile <name_str> enter the name of the access profile to assign to this administrator account. Access profil...

  • Page 189

    182 this example shows how to display the settings for the system admin command. Get system admin this example shows how to display the settings for the new_admin administrator account. Get system admin new_admin this example shows how to display the configuration for the system admin command. Show ...

  • Page 190

    183 this example shows how to add a push update client ip address 192.0.2.45. Config system autoupdate clientoverride set address 192.0.2.45 set status enable end this example shows how to display the settings for the system autoupdate clientoverride command. Get system...

  • Page 192

    185 notification, the freeguard 100 requests an update from the fdn. Using this command you can enable or disable push updates. You can also configure push ip address and port override. If the fdn must connect to the freeguard 100 through a nat device, you must configur...

  • Page 193

    186 get system autoupdate push-update this example shows how to display the configuration for the system autoupdate push-update command. Show system autoupdate push-update command history related commands • autoupdate override • autoupdate schedule • autoupdate tunneling • execute update_now 10.6 au...

  • Page 195

    188 the freeguard 100 connects to the proxy server using the http connect method, as described in rfc 2616. The freeguard 100 sends an http connect request to the proxy server (optionally with authentication information) specifying the ip address and port required to connect to the fdn. The proxy se...

  • Page 196

    189 set username proxy_user set password proxy_pwd set status enable end this example shows how to display the settings for the system autoupdate tunneling command. Get system autoupdate tunneling this example shows how to display the configuration for the system autoup...

  • Page 197

    190 password if the smtp server requires authentication, enter the password required. No default. Server the smtp server to use for sending bug report email. The default server is freedom9virussubmit.com see description. Username a valid user name on the specified smtp server. The default user name i...

  • Page 199

    192 set end config system dhcp exclude_range delete end get system dhcp exclude_range [] show system dhcp exclude_range [] exclude_range command keywords and variables keywords & variables description default end_ip the end ip address in the exclusion range. The start ip and end ip must be in the sa...

  • Page 200

    193 command history related commands • dhcp ipmacbinding • dhcp server • interface 10.11 dhcp ipmacbinding use this command to reserve an ip address for a particular device on the network according to the mac address of the device. When you add the mac address and an ip...

  • Page 201

    194 set mac 00:09:0f:0a:01:bc end this example shows how to display the settings for the system dhcp ipmacbinding command. Get system dhcp ipmacbinding this example shows how to display the settings for the ipmac_pair ip/mac binding pair. Get system dhcp ipmacbinding ipmac_pair this example shows ho...

  • Page 202

    195 set end config system dhcp server edit unset end config system dhcp server delete end get system dhcp server [] show system dhcp server [] dhcp server command keywords and variables keywords & variables description default default-router the ip address of the defaul...

  • Page 203

    196 option2 [] the second custom dhcp option that can be sent by the dhcp server. Option_code is the dhcp option code in the range 1 to 255. Option_hex is an even number of hexadecimal characters. For detailed information about dhcp options, see rfc 2132, dhcp options and bootp vendor extensions. No...

  • Page 204

    197 this example shows how to display the settings for the system dhcp server command. Get system dhcp server this example shows how to display the settings for the new_dhcp dhcp server. Get system dhcp server new_dhcp this example shows how to display the configuration...

  • Page 206

    199 show system fm fm command keywords and variables keywords & variables description default id enter the name of the ipsec vpn tunnel between the freeguard 100 and the manager server. No default. Ip enter the ip address of a manager server. No default. Status {enable ...

  • Page 207

    200 • operation mode • host name • current virtual domain • current ha status command syntax pattern get system status 10.17 global use this command to configure global settings that affect various freeguard 100 systems and configurations. Command syntax pattern config system global set end config s...

  • Page 210

    203 ends the current session, but it can try to establish a new session. Restart_time enter daily restart time in hh:mm format. No default. Syncinterval enter how often, in minutes, the freeguard 100 should synchronize its time with the network time protocol (ntp) server...

  • Page 211

    204 command syntax pattern config system ha set end config system ha unset end get system ha show system ha system ha command keywords and variables keywords & variables description default arps set the number of gratuitous arp packets sent by the primary unit. Gratuitous arp packets are sent when a ...

  • Page 212

    205 responds to a failure. However, you can increase the heartbeat lost threshold if repeated failovers occur because cluster units cannot send heartbeat packets quickly enough. Hb-interval the heartbeat interval, which is the time between sending heartbeat packets. The ...

  • Page 213

    206 helo-holddown the hello state hold-down time, which is the number of seconds that a cluster unit waits before changing from hello state to work state. A cluster unit changes from hello state to work state when it starts up. The hello state hold-down time range is 5 to 300 seconds. 20 load-balance...

  • Page 214

    207 that this cluster unit always becomes the primary cluster unit. Password enter a password for the ha cluster. The password must be the same for all freeguard 100s in the ha cluster. The maximum password length is 15 characters. No default priority optionally set the...

  • Page 215

    208 primary unit routing table changes. Once a routing table update is sent, the primary unit waits the route-hold time before sending the next update. Usually routing table updates are periodic and sporadic. Subordinate units should receive these changes as soon as possible so route-wait is set to ...

  • Page 216

    209 packet. Ipport: load balancing according to ip address and port. If the cluster units are connected using switches, use ipport to distribute traffic to units in a cluster based on the source ip, source port, destination ip, and destination port of the packet. Weight...

  • Page 217

    210 set monitor external enable set monitor_priority internal 200 set monitor internal enable set monitor_priority internal 100 set monitor dmz enable set monitor_priority internal 50 end the following example shows how to configure weighted round robin weights for a cluster of three freeguard 100s....

  • Page 218

    211 this example shows how to display the configuration for the system ha command. Show system ha command history related commands • execute ha manage • execute ha synchronize 10.19 interface use this command to edit the configuration of a freeguard 100 physical interfa...

  • Page 219

    212 config ip6-prefix-list config secondaryip interface command keywords and variables keywords & variables description default allowaccess {http https ping snmp ssh telnet} allow management access to the interface. You can enter one or more of the management access types separated by spaces. Enter a...

  • Page 220

    213 • tzo.com supports rh.tzo.com. • vavic.com supports ph001.oray.net. Ddns-sn enter your ddns serial number. This keyword is available instead of ddns-username and ddns-password if ddns-server is set to dipdns.net. No default. Ddns-username enter the user name to use ...

  • Page 224

    217 this example shows how to set the freeguard 100 internal interface ip address and netmask to 192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh. Config system interface edit internal set allowaccess ping https ssh set ip 192.168.110.26 ...

  • Page 225

    218 note: this command is not available in transparent mode. Command syntax pattern config secondaryip edit set end config secondaryip edit unset end config secondaryip delete get system interface show system interface secondaryip command keywords and variables keywords & variables description defau...

  • Page 226

    219 example this example shows how to add a secondary ip address and netmask of 192.176.23.180 255.255.255.0 to the internal interface. Also configure ping and https management access to this secondary ip address. Config system interface edit internal config secondaryip...

  • Page 227

    220 command syntax pattern config system ipv6_tunnel edit set end config system ipv6_tunnel edit unset end config system ipv6_tunnel delete end get system interface show system interface ipv6_tunnel command keywords and variables keywords & variables description default destination the destination i...

  • Page 228

    221 end this example shows how to display the settings for the system ipv6_tunnel command. Get system ipv6_tunnel this example shows how to display the configuration for the system ipv6_tunnel command. Show system ipv6_tunnel this example shows how to display the settin...

  • Page 229

    222 show system mac-address-table mac-address-table command keywords and variables keywords & variables description default interface enter the name of the interface for this entry in the static mac table. No default. Example use the following commands to add a static mac entry for the internal inte...

  • Page 230

    223 config system manageip unset end get system manageip show system manageip manageip command keywords and variables keywords & variables description default ip set the ip address and netmask of the transparent mode management interface. 10.10.10.1 255.255.255.0 exampl...

  • Page 232

    225 codes, and other functions as required by your modem to connect to your dialup account. Phone2 enter the phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, count...

  • Page 234

    227 defaults name description format header alert email messages sent to system administrators. Alertmail_test email message sent when the administrator tests alert email. Text none alertmail_virus virus log is enabled for alert email and a virus is detected. None none ...

  • Page 235

    228 http_filesize the antivirus system blocks a file that is too large to be virus scanned. Html http http_client_block the antivirus system blocks a file that matches a file pattern. Html http http_client_virus the antivirus system blocks a file that contains a virus. Html http http_client_filesize...

  • Page 236

    229 smtp_spam_emailblack the spam filter email address list marked a message as spam. Text 8bit smtp_spam_mimeheader the spam mime headers list marked a message as spam. Text 8bit reversedns spam filtering return-email dns check identified a message as spam. Text 8bit s...

  • Page 237

    230 example this example shows how to change the email message that is sent to test the alert email system. Config system replacemsg alertmail alertmail_test set buffer "a test of the freeguard 100 alert email system." end command history 10.25 session-helper a session-helper binds a service to a tc...

  • Page 239

    232 end get system session_ttl show system session_ttl the config system session_ttl command has 1 subcommand. Config port session_ttl command keywords and variables keywords & variables description default default enter a number of seconds to change the default session timeout. 3600 example use the...

  • Page 240

    233 unset end config port delete end get system session_ttl show system session_ttl port command keywords and variables keywords & variables description default timeout enter the number of seconds the session can be idle for this port. 300 example use the following comm...

  • Page 241

    234 end config system snmp community delete end get system snmp community [] show system snmp community [] the config system snmp community command has one subcommand. Config hosts snmp community command keywords and variables keywords & variables description default events {av_virus cpu_high fm_if_...

  • Page 243

    236 this example shows how to display the settings for the snmp community with id 1. Get system snmp community 1 this example shows how to display the configuration for the snmp community command. Show system snmp community this example shows how to display the configuration for the snmp community w...

  • Page 244

    237 use the following command to add an snmp manager with ip address 192.34.56.78 that connects to the external interface of the freeguard 100. Config system snmp edit 1 config hosts edit 1 set interface external set ip 192.34.56.78 end end command history related comma...

  • Page 246

    239 by default all physical interfaces are in the root virtual domain. You cannot remove a physical interface from a virtual domain if firewall policies have been added for it. Delete the firewall policies or remove the interface from the firewall policies first. If the...

  • Page 247

    240 end config system zone edit unset end config system zone delete end get system zone show system zone zone command keywords and variables keywords & variables description default interface add the specified interface to this zone. You cannot add an interface if it belongs to another zone or if fi...

  • Page 248

    241 11 config user group ldap local peer peergrp radius 11.1 group use this command to add or edit user groups. To enable authentication, you must add user names, radius servers and ldap servers to one or more user groups. You can then select a user group when you requi...

  • Page 249

    242 edit set end config user group edit unset end get user group [] show user group [] user group command keywords and variable keywords & variables description default member [ [ [ ... ]]] enter the names of users, ldap servers, or radius servers to add to the user group. Separate names by spaces. ...

  • Page 250

    243 this example shows how to display the configuration for the user group user_grp_1. Show user group user_grp_1 command history related commands • config user ldap • config user local • config user peer • config user peergrp • config user radius 11.2 ldap use this com...

  • Page 251

    244 edit unset end config user ldap delete end get user ldap [] show user ldap [] ldap command keywords and variables keywords & variables description default cnid enter the common name identifier for the ldap server. The common name identifier for most ldap servers is cn. However some servers use o...

  • Page 252

    245 set dn ou=accounts,ou=marketing,dc=freedom9,dc=com end this example shows how to display the list of configured ldap servers. Get user ldap this example shows how to display the settings for the ldap server ldap1. Get user ldap ldap1 this example shows how to displa...

  • Page 253

    246 unset end config user local delete end get user local [] show user local [] local command keywords and variables keywords & variables description default ldap_server enter the name of the ldap server with which the user must authenticate. You can only select an ldap server that has been added to...

  • Page 254

    247 config user local edit admin7 set type password set passwd abc123 end this example shows how to display the list of configured local user names. Get user local this example shows how to display the settings for the local user admin7. Get user local admin7 this examp...

  • Page 255

    248 command syntax pattern config user peer edit set end config user peer edit unset end config user peer delete end get user peer [] show user peer [] peer command keywords and variables keywords & variables description default ca enter the ca certificate name, as returned by execute vpn certificat...

  • Page 256

    get user peer. This example shows how to display the settings for the peer branch_office: get user peer branch_office. This example shows how to display the configuration for all the peers: show user peer. This example shows how to display the configuration for the pee...

  • Page 257

    end get user peergrp [] show user peergrp [] peergrp command keywords and variables: keywords & variables, description, default. member [ [ [ ... ]]]: enter the names of peers to add to the peer group. Separate names by spaces. To add or remove names from the group you must re-enter the whole list wit...

  • Page 258

    11.6 radius: use this command to add or edit the information used for RADIUS authentication. The default port for RADIUS traffic is 1812. If your RADIUS server is using a different port, you can change the default RADIUS port. See config system global, and set “radius...

  • Page 259

    get user radius. This example shows how to display the settings for the RADIUS server rad1: get user radius rad1. This example shows how to display the configuration for all the RADIUS servers: show user radius. This example shows how to display the configuration for the RADIUS server rad1: show us...

  • Page 260

    12 config vpn: ipsec concentrator, ipsec manualkey, ipsec phase1, ipsec phase2, ipsec vip, l2tp, pinggen, pptp. 12.1 ipsec concentrator: use this command to add IPsec phase 2 configurations (IPsec VPN tunnels) to a VPN concentrator. The VPN concentrator collects hub-and-spoke...

  • Page 261

    keywords & variables, description, default. member [] []: the names of up to three VPN tunnels to add to the concentrator. Separate the tunnel names with spaces. To add or remove tunnels from the concentrator you must re-enter the whole list with the required additions or deletions. You can add autoi...

  • Page 262

    When you configure the tunnel, no negotiation is required for the VPN tunnel to start. However, the VPN gateway or client that connects to this tunnel must use the same encryption and authentication algorithms and must have the same encryption and authentication key...

  • Page 264

    set localspi 1000ff set remotespi 2000ff set gateway 206.37.33.45 set encryption 3des set enckey 003f2b01a9002f3b-004f4b0209003f01-3b00f23bff003eff set authentication md5 set authkey ff003f012ba900bb-00f402303f0100ff end. This example shows how to display the setting...

  • Page 266

    on the remote peer or client. • When the VPN peer or client has a dynamic IP address and uses aggressive mode, select up to three DH groups on the freeGuard 100 and one DH group on the remote peer or dialup client. The setting on the remote peer or client must be id...

  • Page 267

    keylife: set the key lifetime in seconds. The key life is the amount of time in seconds before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. seconds_integer can be from 120 to 172,800 seconds. Default: 28800 seconds. localid: optionally enter...

  • Page 268

    • Enter dialup to authenticate dialup VPN clients that use unique peer IDs. In this case, you must create a group of dialup users for authentication purposes. Use the usrgrp keyword to set the user group name. • Enter peer to authenticate one or more certificate hol...

  • Page 269

    remotegw-ddns: enter the fully qualified domain name of the remote VPN peer when type is set to ddns. Use this setting when the remote peer has a static domain name and a dynamic IP address (the IP address is obtained dynamically from an ISP and the remote peer subscribes to a dynamic DNS service...

  • Page 270

    config vpn ipsec phase1 edit simple_gw set type dynamic set proposal des-md5 set authmethod psk set psksecret qf2p3o93jij2bz7e set mode aggressive set dpd disable end. This example shows how to display the settings for the vpn ipsec phase1 command: get vpn ipsec phas...

  • Page 271

    Command syntax pattern: config vpn ipsec phase2 edit set end config vpn ipsec phase2 edit unset end config vpn ipsec phase2 delete end get vpn ipsec phase2 [] show vpn ipsec phase2 []. ipsec phase2 command keywords and variables: keywords & variables, description, default. bindto <ifname_str>: this setti...

  • Page 272

    dstport: enter the port number that the remote VPN peer uses to transport traffic related to the specified service (see protocol). The dstport range is 1 to 65535. To specify all ports, type 0. Default: 0. internetbrowsing: select the interface through which remote VPN users usi...

  • Page 273

    sha1} • 3des: Triple DES, in which plain text is encrypted three times by three keys. • aes128: a 128-bit block algorithm that uses a 128-bit key. • aes192: a 128-bit block algorithm that uses a 192-bit key. • aes256: a 128-bit block algorithm that uses a 256-bit key. You can select either of the fo...

  • Page 274

    local VPN peer. You must create the firewall address using the config firewall address command before you can select it here. For more information, see “config firewall address”. srcport: enter the port number that the local VPN peer uses to transport traffic related...

  • Page 275

    This example shows how to display the settings for the new_tunnel phase 2 configuration: get vpn ipsec phase2 new_tunnel. This example shows how to display the configuration for the vpn ipsec phase2 command: show vpn ipsec phase2. Related commands: config vpn ipsec phase1, config alertemail filter, c...

  • Page 276

    config vpn ipsec vip edit unset end config vpn ipsec vip delete end get vpn ipsec vip [] show vpn ipsec vip []. ipsec vip command keywords and variables: keywords & variables, description, default. ip: the IP address of the destination host on the destination network. Default: 0.0...

  • Page 277

    This example shows how to display the settings for the VIP entry named 1: get vpn ipsec vip 1. This example shows how to display the current configuration of all existing VIP entries: show vpn ipsec vip. Related commands: config vpn ipsec phase1, config vpn ipsec phase2. 12.6 l2tp: use this command to...

  • Page 279

    Related commands: config user group, config firewall policy. 12.7 pinggen: use this command to generate periodic traffic on one or two VPN tunnels. The ping generator generates traffic in an IPsec VPN tunnel to keep the tunnel connection open at times when no traffic is being generated inside the tu...

  • Page 281

    Set the destination address to reflect the private address range of the internal network behind the local freeGuard 100. Set the policy service(s) to match the type(s) of traffic that PPTP users may generate. Set the policy action to accept. Enable NAT if required. Note: the first time you confi...

  • Page 282

    users named pptp_users: config vpn pptp set sip 192.168.1.100 set eip 192.168.1.130 set status enable set usrgrp pptp_users end. This example shows how to display the settings for the vpn pptp command: get vpn pptp. This example shows how to display the configuration ...

  • Page 283

    13 config webfilter: bword, catblock, script, urlblock, urlexm, urlpat. 13.1 bword: use this command to add or edit and configure options for the web content block list. You can add one or more banned words to block web pages containing those words. Banned words can be one word or a text string up to 80...

  • Page 285

    This example shows how to display the configuration for the banned word badword: show webfilter bword badword. Related commands: webfilter catblock, webfilter script, webfilter urlblock, webfilter urlexm, webfilter urlpat. 13.2 catblock: use this command to configure web filtering by specific categories...

  • Page 287

    This example shows how to display the configuration for the catblock settings: show webfilter catblock. If the show command returns you to the prompt, the settings are at default. Related commands: config firewall profile, config webfilter bword, config webfilter script, config webfilter urlblock, con...

  • Page 288

    filter {activex cookie java}: enter activex, cookie, and java as required to block web pages containing these items. No default. Example: this example shows how to configure the freeGuard 100 to block web pages containing ActiveX controls and Java applets: config webf...

  • Page 289

    www.finance.badsite.com, and so on. Command syntax pattern: config webfilter urlblock edit set end config webfilter urlblock edit unset end config webfilter urlblock delete end get webfilter urlblock [] show webfilter urlblock []. urlblock command keywords and variables: keywords & variables, descri...

  • Page 290

    This example shows how to display the settings for the URL www.badsite.com: get webfilter urlblock www.badsite.com. This example shows how to display the configuration for the entire URL block list: show webfilter urlblock. If the show command returns you to the prom...

  • Page 292

    13.6 urlpat: use this command to block all URLs that match patterns you create using text and regular expressions (or wildcard characters). For example, badsite.* matches badsite.com, badsite.org, badsite.net and so on. The freeGuard 100 blocks web pages that match a...

  • Page 293

    This example shows how to enable and add the pattern badsite.* to the URL block list: config webfilter urlpat edit badsite.* set status enable end. This example shows how to display the webfilter URL pattern block list: get webfilter urlpat. This example shows how to display the settings for the u...

  • Page 294

    14 execute: backup, date, dhcpclear, enter, factoryreset, ha manage, ha synchronize, modem dial, modem hangup, ping, ping-options, ping6, reboot, restore, router restart, router restart-graceful, shutdown, time, traceroute, update_now, vpn certificate ca, vpn certificate key, vpn certific...

  • Page 295

    backup command keywords and variables: keywords & variables, description. allconfig: back up all configuration files. config: back up system configuration files. ipsuserdefsig: back up the IPS custom signatures file. The name to give the file that is copied to the TFTP server. The TFTP server IP addre...

  • Page 296

    14.3 dhcpclear: clear the DHCP IP/MAC binding table. Command syntax: execute dhcpclear. Related commands: config system dhcp server, config system dhcp ipmacbinding. 14.4 enter: use this command to switch to the named virtual domain. Command syntax: execute enter. Example: th...

  • Page 297

    Command syntax: execute ha manage. Example: this example shows how to connect to a subordinate unit in a cluster of three freeGuard 100s. execute ha manage ? subsidary unit fps3012803021709 subsidary unit fps3082103021989. Type 2 and press Enter to connect to the second unit in the list. The CLI pro...

  • Page 299

    Command syntax: execute modem dial. Related commands: config system modem, execute modem hangup. 14.9 modem hangup: hang up the modem. This command is effective only if the modem is in standalone mode. Command syntax: execute modem hangup. Related commands: config system modem, execute modem dial. 14.10 pi...

  • Page 302

    14.14 restore: use this command to restore a backup configuration, to change the freeGuard 100 firmware, or to restore an IPS custom signature file. Command syntax: execute restore allconfig, execute restore config, execute restore image, execute restore ipsuserdefsig. re...

  • Page 303

    execute router restart. Related commands: config router ospf, config router rip, config router static, config router static6, get router info ospf, get router info protocols, get router info rip, get router info routing_table. 14.16 router restart-graceful: use this command to restart the RIP daemon withou...

  • Page 304

    execute shutdown. 14.18 time: get or set the system time. Command syntax: execute time []. time_str has the form hh:mm:ss, where • hh is the hour and can be 00 to 23 • mm is the minutes and can be 00 to 59 • ss is the seconds and can be 00 to 59. If you do not specify a time...

  • Page 305

    Command syntax: execute update_now. Related commands: config system autoupdate override, config system autoupdate push-update, config system autoupdate schedule, config system autoupdate tunneling. 14.21 vpn certificate ca: use this command to import a CA certificate from a TFTP server to the freeGuard ...

  • Page 306

    execute vpn certificate local, config vpn ipsec phase1. 14.22 vpn certificate key: export or import a local certificate and private key as a password-protected PKCS12 file. When you back up a freeGuard 100 configuration that includes IPsec VPN tunnels using certificates...

  • Page 307

    14.23 vpn certificate local: use this command to generate a local certificate, to download a local certificate from the freeGuard 100 to a TFTP server, and to import a local certificate from a TFTP server to the freeGuard 100. Digital certificates are used to ensure that both participants in an i...

  • Page 308

    list of optional information variables. You must enter the optional variables in the order that they are listed in the table. To enter any optional variable you must enter all of the variables that come before it in the list. For example, to enter the organization_name_st...

  • Page 309

    100 from a TFTP server with the address 192.168.21.54: set vpn certificates local import branch_cert 192.168.21.54.

  • Page 310

    15 certifications. FCC: this equipment has been tested and found to comply with Part 15 of the FCC rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, (2) this device must accept any interference received. In...