1. DL manuals
  2. Freedom9
  3. Firewall
  4. freeGuard Blaze 2100
  5. Cli Reference Manual

Freedom9 freeGuard Blaze 2100 Cli Reference Manual

Other manuals for freeGuard Blaze 2100: Specifications, Manual, User Manual
Manual is about: Freedom9 freeGuard Blaze 2100 Firewall Module: User Guide

Summary of freeGuard Blaze 2100

  • Page 1

    Version 3r2 freeguard blaze 2100 cli reference guide.

  • Page 2

    Copyright notice © copyright 2007 freedom9 inc. All rights reserved. Under the copyright law, this manual and the software described within can not be copied in whole or part, without written permission of the manufacturer, except in the normal use of the software to make a backup copy. The same pro...

  • Page 3

    Version 3r2 cli reference guide 3 contents 1. Preface........................................................................................................................... 5 2. Command descriptions ............................................................................................... 9...

  • Page 4

    C o n t e n t s 4 cli reference guide version 3r2 session..............................................................................................................................................85 snmp.................................................................................................

  • Page 5: Reface

    Version 3r2 cli reference guide 5 p reface 1 contents • about this guide on page 6 • cli syntax on page 6 • dependency delimiters on page 6 • object name conventions on page 6 • cli variables on page 6.

  • Page 6: About This Guide

    P r e f a c e 1 6 cli reference guide version 3r2 about this guide this guide describes the commands used to configure and manage the freeguard blaze 2100 from a management interface. Cli syntax the cli syntax may include options, switches, parameters, and other features. Some command descriptions u...

  • Page 8

    P r e f a c e 1 8 cli reference guide version 3r2.

  • Page 9: Ommand

    Version 3r2 cli reference guide 9 c ommand d escriptions 2 this chapter lists and describes the command line interface (cli) commands..

  • Page 10: Address

    C o m m a n d d e s c r i p t i o n s address 2 10 cli reference guide version 3r2 address the address command is used to define entries in the address book of a security zone. An address book is a list containing all addresses, address groups, and domain names defined for a security zone. Address b...

  • Page 11

    . . . . . C o m m a n d d e s c r i p t i o n s address version 3r2 cli reference guide 11 name name name_str the name of an individual address book entry. You can use an address group in a security policy definition to specify a single address..

  • Page 12: Admin

    C o m m a n d d e s c r i p t i o n s admin 2 12 cli reference guide version 3r2 admin the admin command is used to configure or display administrative parameters for the freeguard blaze 2100. There will be two accounts on the device: read/write administrator (admin) and read-only administrator (adm...

  • Page 13

    . . . . . C o m m a n d d e s c r i p t i o n s admin version 3r2 cli reference guide 13 example the following command configures the email address john@abc.Com to receive updates concern- ing administrative issues: set admin mail mail-addr1 john@abc.Com mail-addr2 set admin mail mail-addr2 name_str...

  • Page 14: All

    C o m m a n d d e s c r i p t i o n s all 2 14 cli reference guide version 3r2 all the all command is used to return all configuration settings and software to the factory default settings. The configuration file, which stores the saved configuration settings of the box, is re- stored to factory def...

  • Page 15: Arp

    . . . . . C o m m a n d d e s c r i p t i o n s arp version 3r2 cli reference guide 15 arp the arp command is used to create, remove, or list interface entries in the address resolution protocol (arp) table of the device. Syntax keywords and variables variable parameters set arp ip_addr mac_addr int...

  • Page 16: Clock

    C o m m a n d d e s c r i p t i o n s clock 2 16 cli reference guide version 3r2 clock the clock commands are used to get and set the system time. Syntax keywords and variables variable parameter set clock date time date time configures the correct current date and time on the device. Specify the da...

  • Page 17

    . . . . . C o m m a n d d e s c r i p t i o n s clock version 3r2 cli reference guide 17 timezone sets the time zone value. This value indicates the time difference between gmt standard time and the current local time (when dst is off). When dst is on and the clock is already set forward one hour, d...

  • Page 18: Config

    C o m m a n d d e s c r i p t i o n s config 2 18 cli reference guide version 3r2 config use the config command to display the configuration settings for the device. You can display a current configuration setting (stored in ram), or saved configurations (stored in flash memory). The config file can...

  • Page 19: Console

    . . . . . C o m m a n d d e s c r i p t i o n s console version 3r2 cli reference guide 19 console use the console commands to define or list the cli console parameters. The console parameters determine the following: • whether the device displays messages in the active console window • the number o...

  • Page 20

    C o m m a n d d e s c r i p t i o n s console 2 20 cli reference guide version 3r2 resize the console size to window size. Timeout set console timeout number unset console timeout timeout determines how many minutes the device waits before closing an inactive administrator session. If you set the va...

  • Page 21: Counter

    . . . . . C o m m a n d d e s c r i p t i o n s counter version 3r2 cli reference guide 21 counter use the counter commands to clear or display the values contained in traffic counters. Traffic counters provide processing information, which you can use to monitor traffic flow. The freeguard blaze 21...

  • Page 22: Delete

    C o m m a n d d e s c r i p t i o n s delete 2 22 cli reference guide version 3r2 delete use delete to delete persistent information in flash memory. Syntax keywords and variables file delete file filename filename the filename is the file that you want to delete that was saved in the flash. Example...

  • Page 23: Dhcp

    . . . . . C o m m a n d d e s c r i p t i o n s dhcp version 3r2 cli reference guide 23 dhcp the dhcp command is used to configure the dynamic host configuration protocol. Keywords and variables interface set dhcp relay-server string interface interface unset dhcp relay-server string interface inter...

  • Page 24: Dns

    C o m m a n d d e s c r i p t i o n s dns 2 24 cli reference guide version 3r2 dns the dns command is used to configure domain name system (dns) or to display dns configu- ration information. Dns allows network devices to identify each other using domain names in- stead of ip addresses. Dns makes it...

  • Page 25

    . . . . . C o m m a n d d e s c r i p t i o n s dns version 3r2 cli reference guide 25 using the name option with set places an entry in the dns table, representing a host device with a host name and ip address. This allows you to reach a host using the host name. For example, executing set dns host...

  • Page 26: Domain

    C o m m a n d d e s c r i p t i o n s domain 2 26 cli reference guide version 3r2 domain the domain commands are used to set or get the domain name of the device. A domain name is a character string that identifies the security device. This domain name allows other devices to access the local device...

  • Page 27: Exit

    . . . . . C o m m a n d d e s c r i p t i o n s exit version 3r2 cli reference guide 27 exit the exit command is used to terminate and log out from a cli session. Syntax exit keywords and variables none..

  • Page 28: File

    C o m m a n d d e s c r i p t i o n s file 2 28 cli reference guide version 3r2 file the file command is used to clear or display information for files stored in the flash memory. Syntax keywords and variables variable parameters clear [ ... ] file dev_name:filename get file filename dev_name:filena...

  • Page 29: Group

    . . . . . C o m m a n d d e s c r i p t i o n s group version 3r2 cli reference guide 29 group the group commands are used to group multiple addresses or multiple services together in one group. A group allows to reference a group of addresses or services by a single name in a policy. This eliminate...

  • Page 30

    C o m m a n d d e s c r i p t i o n s group 2 30 cli reference guide version 3r2 address performs the operation on an address group. The zone value specifies the zone to which the address group is bound. This zone is either a default security zone or a user-defined zone. Adds an address or service n...

  • Page 31

    . . . . . C o m m a n d d e s c r i p t i o n s group version 3r2 cli reference guide 31 • from the console, you can add only one member to a group at a time. Service grp_name performs the operation on a service group..

  • Page 32

    C o m m a n d d e s c r i p t i o n s ha 2 32 cli reference guide version 3r2 ha this command is used to set high availability parameters on a node in the group. Syntax keywords and variables variable parameters config sync enables or disables synchronization between members of the group. After you ...

  • Page 33

    . . . . . C o m m a n d d e s c r i p t i o n s ha version 3r2 cli reference guide 33 link displays ha link information. Peer-ip ip-address-of-peer the ip-address (destination) of the peers. Preempt this command is permitted only the secondary and used to preempt the primary node and takeover the ro...

  • Page 34: Hostname

    C o m m a n d d e s c r i p t i o n s hostname 2 34 cli reference guide version 3r2 hostname the hostname commands are used to define the device name. This name always appears in the console command prompt. The host name is a character string that identifies the device. If you define a host name for...

  • Page 35: Ike

    . . . . . C o m m a n d d e s c r i p t i o n s ike version 3r2 cli reference guide 35 ike use the ike commands to define phase 1 and phase 2 proposals, the gateway for an autokey ike (internet key exchange) vpn tunnel, and to specify other ike parameters. When establishing an autokey ike ipsec tunn...

  • Page 38

    C o m m a n d d e s c r i p t i o n s ike 2 38 cli reference guide version 3r2 address defines the remote ike gateway address either as an ip address or as a hostname. Use this option to set up a site-to-site vpn. Example the following command specifies mygateway.Com as the address of a remote ike g...

  • Page 39

    . . . . . C o m m a n d d e s c r i p t i o n s ike version 3r2 cli reference guide 39 after three consecutive keep-alive-request messages are sent without getting a response, dpd will tear down the ike sa. Local-id set ike gateway name_str { ... } local-id id_str [ ... ] { ... } local-id defines th...

  • Page 41

    . . . . . C o m m a n d d e s c r i p t i o n s ike version 3r2 cli reference guide 41 the following parameters define the elapsed time between each attempt to renegotiate a security association. The minimum allowable lifetime is 180 seconds. The default lifetime is 28800 seconds. Days number hours ...

  • Page 42

    C o m m a n d d e s c r i p t i o n s ike 2 42 cli reference guide version 3r2 radius server supports chap challenge to the remote access user, ike will then forward the challenges to the remote user. Defaults • main mode is the default method for phase 1 negotiations. • the default time intervals b...

  • Page 43: Ike-Cookie

    . . . . . C o m m a n d d e s c r i p t i o n s ike-cookie version 3r2 cli reference guide 43 ike-cookie use the ike-cookie command to remove ike-related cookies from the device. Syntax keywords and variables variable parameter clear ike-cookie ip_addr ip_addr directs the device to remove cookies ba...

  • Page 44: Image

    C o m m a n d d e s c r i p t i o n s image 2 44 cli reference guide version 3r2 image use the image command to manage software images on the unit. After a software image is down- loaded onto the unit with the tftp command, the image command allows to set the downloaded image as active. When invokin...

  • Page 45: Interface

    . . . . . C o m m a n d d e s c r i p t i o n s interface version 3r2 cli reference guide 45 interface use the interface commands to define or display interface settings. Interfaces are physical or logical connections that handle network traffic..

  • Page 47

    . . . . . C o m m a n d d e s c r i p t i o n s interface version 3r2 cli reference guide 47 [note] many of these commands provide support for logical interfaces (sub interfaces) as well as physical interfaces. An example of setting an address on a physical interface is: set interface eth1 ip 10.0.0...

  • Page 48

    C o m m a n d d e s c r i p t i o n s interface 2 48 cli reference guide version 3r2 dip set interface interface dip dip_num ip_addr1 [ ip_addr2 ] unset interface interface dip dip_num dip sets a dynamic ip (dip) pool. Each dip pool consists of a range of addresses. The device can use the pool to dy...

  • Page 49

    . . . . . C o m m a n d d e s c r i p t i o n s interface version 3r2 cli reference guide 49 ip set interface interface ip ip_addr/mask unset interface interface ip ip_addr ip the ip address ip_addr and netmask mask for the specified interface or subinterface. Example the following commands create l...

  • Page 50

    C o m m a n d d e s c r i p t i o n s interface 2 50 cli reference guide version 3r2 nat set interface interface nat protocol set interface interface protocol protocol unset interface interface protocol phy set interface interface phy { ... } unset interface interface phy phy defines the physical co...

  • Page 51

    . . . . . C o m m a n d d e s c r i p t i o n s interface version 3r2 cli reference guide 51 zone set interface interfacezone zone zone binds the interface to specified security zone. Example the following command binds the interface eth1.1to the “trust” zone: set interface eth1.1 zone trust.

  • Page 52

    C o m m a n d d e s c r i p t i o n s ip 2 52 cli reference guide version 3r2 ip use the ip commands to set or display ip parameters for communication with a tftp server. The freeguard blaze 2100 can use tftp servers to save or import external files. These files can con- tain configuration settings,...

  • Page 53: Log

    . . . . . C o m m a n d d e s c r i p t i o n s log version 3r2 cli reference guide 53 log use the log commands to configure the device for message logging. The log commands allow you to perform the following: • display the current log status according to severity level, policy, service, software mo...

  • Page 55

    . . . . . C o m m a n d d e s c r i p t i o n s log version 3r2 cli reference guide 55 keywords and variables destination set log module name_str level string destination string unset log module name_str level string destination string destination specifies the destination of the generated log messa...

  • Page 56

    C o m m a n d d e s c r i p t i o n s log 2 56 cli reference guide version 3r2 level set log module name_str level string destination string unset log module name_str level string destination string level specifies the urgency level of the generated log messages. Starting with the most urgent, these...

  • Page 57: Ntp

    . . . . . C o m m a n d d e s c r i p t i o n s ntp version 3r2 cli reference guide 57 ntp use the ntp commands to configure the device for simple network time protocol (sntp). Sntp is a simplified version of ntp, which is a protocol used for synchronizing computer clocks in the internet. This versi...

  • Page 58

    C o m m a n d d e s c r i p t i o n s ntp 2 58 cli reference guide version 3r2 module ip_addr the ip address of the primary ntp server with which the device can synchronize its system clock time. Dom_name the domain name of the primary ntp server with which the device can synchronize its system cloc...

  • Page 60

    C o m m a n d d e s c r i p t i o n s ping 2 60 cli reference guide version 3r2 • ping count of 4 • packet size 1000 • ping timeout of three seconds: ping 10.100.2.11 count 4 size 1000 time-out 3.

  • Page 63

    . . . . . C o m m a n d d e s c r i p t i o n s pki version 3r2 cli reference guide 63 refresh the crl refresh interval. Server-name the ldap server name. Url the url of crl storage. Cert-status, revocation-check crl uses the crl to check the certificate status. None disable crl checking. Ldap defau...

  • Page 64

    C o m m a n d d e s c r i p t i o n s pki 2 64 cli reference guide version 3r2 ip set the ip address. Local-name set the locality. Name set the name in a common name field. Org-name set the organization name. Org-unit-name set the organization unit name. State-name set the state name as the x.509 ce...

  • Page 65: Policy

    . . . . . C o m m a n d d e s c r i p t i o n s policy version 3r2 cli reference guide 65 policy use the policy commands to define policies to control network and vpn traffic. A policy is a set of rules that determines how traffic passes between security zones (interzone policy), between interfaces ...

  • Page 67

    . . . . . C o m m a n d d e s c r i p t i o n s policy version 3r2 cli reference guide 67 keywords and variables all get policy all all displays information about all security policies. Before set policy before pol_num1 { ... } before specifies the position of the policy before another policy (pol_n...

  • Page 69

    . . . . . C o m m a n d d e s c r i p t i o n s policy version 3r2 cli reference guide 69 id get policy [ global ] id pol_num set policy [ global ] id pol_num1 { ... } unset policy id pol_num [ disable ] id pol_num specifies an policy id number. (the disable switch disables the policy.) example the ...

  • Page 70

    C o m m a n d d e s c r i p t i o n s policy 2 70 cli reference guide version 3r2 src performs nat-src on traffic to which the policy applies. The device can perform nat-src using the egress interface ip address (in which case, you do not specify a dip pool) or with addresses from a dynamic ip (dip)...

  • Page 71

    . . . . . C o m m a n d d e s c r i p t i o n s policy version 3r2 cli reference guide 71 small-servers ini-killer ini-killer is a trojan horse attack that allows an attacker to destroy .Ini files on a remote computer communicating over tcp port 9989. Netbus netbus is a trojan horse attack for windo...

  • Page 72

    C o m m a n d d e s c r i p t i o n s policy 2 72 cli reference guide version 3r2 example the following command: • permits any kind of service from any address in the trust zone to any address in the untrust zone • assigns to the policy an id value of 30 • places the policy at the top of the acl set...

  • Page 74

    C o m m a n d d e s c r i p t i o n s pppoe 2 74 cli reference guide version 3r2 pap - only pap is acceptable enable enable the ppp/pppoe link. Interface set pppoe interface name name the interface to which to bind pppoe. Netmask set pppoe netmask string string netmask of protected network. Ppp set ...

  • Page 76: Route

    C o m m a n d d e s c r i p t i o n s route 2 76 cli reference guide version 3r2 route use the route commands to display entries in the static route table and add entries to the static route table. The get route command displays: the ip address, netmask, interface, gateway, protocol, pref- erence, m...

  • Page 77

    . . . . . C o m m a n d d e s c r i p t i o n s route version 3r2 cli reference guide 77 route set route ip_addr/mask [ ...] unset route ip_addr/mask [ ... ] route configures routes for the routing table. Ip_addr/mask specifies the ip address that appears in the routing table. Gateway ip_addr specif...

  • Page 78

    C o m m a n d d e s c r i p t i o n s sa 2 78 cli reference guide version 3r2 sa use the sa commands to display active or inactive security associations (sas) or to clear a spec- ified sa. A security association (sa) is a unidirectional agreement between vpn participants regarding the methods and pa...

  • Page 79: Save

    . . . . . C o m m a n d d e s c r i p t i o n s save version 3r2 cli reference guide 79 save use the save commands to save images to the device, and configuration settings to or from the device. Syntax keywords and variables flash save config from { ... } to flash save config from flash to { ... } f...

  • Page 80

    C o m m a n d d e s c r i p t i o n s save 2 80 cli reference guide version 3r2 on a tftp server (192.168.0.3): save config from flash to tftp 192.168.0.3 output.Txt tftp save config from tftp ip_addr filename to { ... } save software from tftp ip_addr filename to { ... } tftp saves from (or to) a f...

  • Page 81: Scheduler

    . . . . . C o m m a n d d e s c r i p t i o n s scheduler version 3r2 cli reference guide 81 scheduler applies the policy only at times defined in the specified schedule. Syntax example create a schedule named “mkt_sched.” set schedule mkt_sched get get scheduler name name_string get scheduler once ...

  • Page 82: Service

    C o m m a n d d e s c r i p t i o n s service 2 82 cli reference guide version 3r2 service the service commands are used to create custom service definitions, modify existing service def- initions, or display the current entries in the service definition list. Use service definitions in pol- icies t...

  • Page 83

    . . . . . C o m m a n d d e s c r i p t i o n s service version 3r2 cli reference guide 83 protocol - defines the service by ip protocol. - defines a protocol for the specified service. Ptcl_num specifies the protocol by protocol number. Tcp specifies a tcp-based service. Udp specifies a udp-based s...

  • Page 84

    C o m m a n d d e s c r i p t i o n s service 2 84 cli reference guide version 3r2 user displays all user-defined services. Defaults the default timeout for tcp connections is 30 minutes. The default timeout for udp connections is 1 minute. Using the get service command without any arguments display...

  • Page 85: Session

    . . . . . C o m m a n d d e s c r i p t i o n s session version 3r2 cli reference guide 85 session use the session commands to clear or display entries in the session table. The session table contains information about individual sessions between hosts that communicate through the device. Every time...

  • Page 86: Snmp

    C o m m a n d d e s c r i p t i o n s snmp 2 86 cli reference guide version 3r2 snmp use the snmp command to manage snmp network settings. Syntax keywords and variables community get snmp community name_str set snmp community name_str { ... } unset snmp community name_str community defines the name ...

  • Page 87

    . . . . . C o m m a n d d e s c r i p t i o n s snmp version 3r2 cli reference guide 87 host set snmp community comm_string host hostname_string host defines the community name string and the name of the snmp management host. The mask value defines a snmp community member as a subnet. Location set s...

  • Page 88: Ssh

    C o m m a n d d e s c r i p t i o n s ssh 2 88 cli reference guide version 3r2 ssh use the ssh commands to configure the secure shell (ssh) server task. The ssh server task is an ssh-compatible server application that resides on the device. When you enable the ssh server task, ssh client application...

  • Page 89

    . . . . . C o m m a n d d e s c r i p t i o n s ssh version 3r2 cli reference guide 89 report get ssh report report displays sshv2 key and session information for the device on which ssh is currently enabled..

  • Page 90: Syslog

    C o m m a n d d e s c r i p t i o n s syslog 2 90 cli reference guide version 3r2 syslog use the syslog commands to configure the device to send traffic and event messages to up to four syslog hosts, or to display the current syslog configuration. [note] the syslog host must be enabled before you ca...

  • Page 92: System

    C o m m a n d d e s c r i p t i o n s system 2 92 cli reference guide version 3r2 system use the get system command to display general system information. The information displayed by the get system command includes: • descriptive indices of the operating system, including serial number, control num...

  • Page 95: Transparent

    . . . . . C o m m a n d d e s c r i p t i o n s transparent version 3r2 cli reference guide 95 transparent the transparent command is used to enable or disable transparent mode configuration param- eters. The transparent mode feature enables a vpn-firewall device to function as a simple 2-port layer...

  • Page 96

    C o m m a n d d e s c r i p t i o n s transparent 2 96 cli reference guide version 3r2 bmcast enable/disable bridging of non-ip (neither arp nor mpls) broadcast and multicast packets. The default setting is to not to bypass (allow) the bridging of non-ip broadcast and multicast packets. Ddos enable/...

  • Page 97: Vpn

    . . . . . C o m m a n d d e s c r i p t i o n s vpn version 3r2 cli reference guide 97 vpn the vpn command is used to create and delete a virtual private network (vpn) tunnel, or to show vpn tunnel already configured. A vpn tunnel is a way to secure network traffic across a public network. A vpn tun...

  • Page 98

    C o m m a n d d e s c r i p t i o n s vpn 2 98 cli reference guide version 3r2 example the following command displays a vpn tunnel named “tunnela”: get vpn tunnnela ah set vpn tunn_str manual spi_num1 spi_num2 gateway ip_addr [ ... ] ah { ... } ah specifies authentication header (ah) protocol to aut...

  • Page 99

    . . . . . C o m m a n d d e s c r i p t i o n s vpn version 3r2 cli reference guide 99 or sha-1. The key key_str value defines a 16-byte (md5) or 20-byte (sha-1) hexidecimal key. Example the following command creates a manual key vpn tunnel named “mkt_vpn”. • specifies local and remote spi values 20...

  • Page 100

    C o m m a n d d e s c r i p t i o n s vpn 2 100 cli reference guide version 3r2 • the phase 2 proposal consists of the following components: diffie-hellman group 2 to protect the keying information during phase 2 key exchanges encapsulating security payload (esp) to provide both confidentiality thro...

  • Page 101: Vrouter

    . . . . . C o m m a n d d e s c r i p t i o n s vrouter version 3r2 cli reference guide 101 vrouter use the vrouter commands to control the virtual interface. Rip use the rip commands to specify and control the routing information protocol (rip). Syntax keywords and variables rip set vrouter default...

  • Page 102

    C o m m a n d d e s c r i p t i o n s vrouter 2 102 cli reference guide version 3r2 set vrouter-id number to disable rip instance: unset vrouter rip enabling rip on interfaces by default, rip is disabled on all interfaces and you must explicitly enable it on an interface. When you disable rip at the...

  • Page 103

    . . . . . C o m m a n d d e s c r i p t i o n s vrouter version 3r2 cli reference guide 103 queries if a rip-2 router receives a rip-1 request, it should respond with a rip-1 response. If the router is configured to send only rip-2 messages, it should not respond to a rip-1 request. Get/show command...

  • Page 104: Zone

    C o m m a n d d e s c r i p t i o n s zone 2 104 cli reference guide version 3r2 zone use the zone commands to create, remove, or display a security zone, and to set screen options. A security zone is a method for sectioning the network into segments to which you can apply se- curity options. It is ...

  • Page 106

    C o m m a n d d e s c r i p t i o n s zone 2 106 cli reference guide version 3r2 all get zone all [ ... ] all displays information on all existing zones. Block set zone zoneblock unset zone zoneblock block imposes intra-zone traffic blocking. Name set zone name zone { ... } name creates a new zone w...

  • Page 107

    . . . . . C o m m a n d d e s c r i p t i o n s zone version 3r2 cli reference guide 107 example the following command enables the icmp-fragments firewall service for the trust zone: set zone trust screen icmp-fragments creating interfaces example the following example shows how to: • create a new z...

  • Page 108

    C o m m a n d d e s c r i p t i o n s zone 2 108 cli reference guide version 3r2.