SMG-700 User's Guide V1.00 (Nov 2004)
Contents
1. Chapter 33 System Remote Management: Vantage CNM commands (Table 136, continued)

   [no] cnm agent activate
      Turns management through Vantage CNM on or off.
   cnm agent keepalive interval <10..90>
      Sets the keepalive interval.
   [no] cnm agent periodic inform
      Turns the periodic inform on or off.
   cnm agent periodic inform interval <10..86400>
      Sets the periodic inform interval.
   cnm agent trigger inform [interval]
      Initiates a TR069 connection to the server. You can also specify the interval for the inform messages.
   [no] cnm agent auth activate
      Enables or disables authentication of the server when using HTTPS.
   show cnm agent configuration
      Displays the Vantage CNM configuration.

   33.10.1.1 Vantage CNM Command Examples

   The following example turns on Vantage CNM management and sets the ZyWALL to register with a server at https://1.2.3.4/vantage/TR069.

      Router> configure terminal
      Router(config)# cnm agent activate
      Router(config)# cnm agent manager https://1.2.3.4/vantage/TR069
      Router(config)# show cnm agent configuration
      Activate: YES
      ACS URL: https://1.2.3.4/vantage/TR069
      Keepalive: ENABLE
      Keepalive Interval: 60
      Periodic Inform: DISABLE
      Periodic Inform Interval: 3600
      Custom IP: NO
      HTTPS Authentication: NO
      Vantage Certificate: zw1050.cer

   33.11 Language Commands

   Use the language commands to display what language the web conf
2. Chapter 34 File Manager

   Note: After you log in through FTP, you do not need to change directories in order to upload the firmware.

   34.2 Configuration Files and Shell Scripts Overview

   You can store multiple configuration files and shell script files on the ZyWALL. When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. When you run a shell script, the ZyWALL only applies the commands that it contains; other settings do not change.

   You can edit configuration files or shell scripts in a text editor and upload them to the ZyWALL. Configuration files use a .conf extension and shell scripts use a .zysh extension. These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.

   Figure 23 Configuration File / Shell Script Example

      # enter configuration mode
      configure terminal
      # change administrator password
      username admin password 4321 user-type admin
      # configure ge3
      interface ge3
      ip address 172.23.37.240 255.255.255.0
      ip gateway 172.23.37.254 metric 1
      exit
      # create address objects for remote management / to-ZyWALL firewall rules
      # use the address group in case we want to open up remote management later
      address-object TW_SUBNET 172.23.37.0
3. List of Commands (Alphabetical), fragment; the recoverable entries are:

   show anti-virus ...
   show app ... statistics
   show app all statistics
   show app other rule all
   show app other rule all statistics
   show app other rule default status
   show app other statistics
   show app protocol name config
4. Chapter 23 User/Group

   23.2 User/Group Commands Summary

   The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands.

   Table 97 username/groupname Command Input Values

   username
      The name of the user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
   groupname
      The name of the user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. It cannot be the same as the user name.

   The following sections list the username/groupname commands.

   23.2.1 User Commands

   The first table lists the commands for users.

   Table 98 username/groupname Commands Summary: Users

   show username [username]
      Displays information about the specified user or about all users set up in the ZyWALL.
   username username nopassword user-type {admin | guest | limited-admin | user}
      Creates the specified user (if necessary), disables the password, and sets the user type for the specified user.
   username username password password user-type {admin | guest | limited-admin | user}
      Creates the specified user (if necessary), enables the password, and se
5. Chapter 29 Certificates: Table 118 Certificates Commands Input Values (continued)

   ca_name
      When you have the ZyWALL enroll for a certificate immediately online, you must have the certification authority's certificate already imported as a trusted certificate. Specify the name of the certification authority's certificate. It can be up to 31 alphanumeric, & and _ characters.
   url
      When you have the ZyWALL enroll for a certificate immediately online, enter the IP address or URL of the certification authority server. You can use up to 511 characters (a-zA-Z0-9 and symbols).

   29.4 Certificates Commands Summary

   The following table lists the commands that you can use to display and manage the ZyWALL's summary list of certificates and certification requests. You can also create certificates or certification requests. Use the configure terminal command to enter the configuration mode to be able to use these commands.

   Table 119 ca Commands Summary

   ca enroll cmp name certificate_name cn-type {ip cn cn_address | fqdn cn cn_domain_name | mail cn cn_email} ou organizational_unit o organization c country key-type {rsa | dsa} key-len key_length num <0..99999999> password password ca ca_name url url
      Enrolls a certificate with a CA using Certificate Management Protocol (CMP). The certification authority may want you to include a reference number and key password to identify your certification request.
   ca
6. List of Commands (Alphabetical), fragment; the recoverable entries are:

   show all ...
   show aaa authentication {group_name | default} server ...
   show aaa group server ad group_name
   show aaa group server ldap group_name
   show aaa group server radius group_name
   show account {pppoe profile_name | pptp profile_name}
   show address-object ...
   show anti-virus ... activation
   show anti-virus ... status
   show anti-virus statistics collect
   show anti-virus statistics ranking {destination | source | virus-name}
7. Chapter 25 Services: service group commands (continued)

   [no] description description
      Sets the description to the specified value. The no command removes the description. You can use alphanumeric and _ characters, and it can be up to 60 characters long.
   object-group service rename group_name group_name
      Renames the specified service group from the first group_name to the second group_name.

   25.2.2.1 Service Group Command Examples

   The following commands create service ICMP_ECHO, create service group SG1, and add ICMP_ECHO to SG1.

      Router> configure terminal
      Router(config)# service-object ICMP_ECHO icmp echo
      Router(config)# object-group service SG1
      Router(group-service)# service-object ICMP_ECHO
      Router(group-service)# exit
      Router(config)# show service-object ICMP_ECHO
      Object name   Protocol   Minimum port   Maximum port   Ref.
      ICMP_ECHO     ICMP       8              8              1
      Router(config)# show object-group service SG1
      Object/Group name   Type     Reference
      ICMP_ECHO           Object   1

   Chapter 26 Schedules

   Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering.

   26.1 Schedule Overview

   The ZyWALL supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually rep
8. About This User's Guide

   Configuration Reference Card
      See this handy reference card to see what prerequisites are needed to configure a feature and how to use this feature.
   ZyWALL User's Guide
      The User's Guide explains how to use the web configurator to configure the ZyWALL.
      Note: Some features cannot be configured in both the web configurator and CLI.
   Web Configurator Online Help
      Embedded web help for descriptions of individual screens and supplementary information.
   ZyXEL Web Site
      Please go to http://www.zyxel.com for product news, firmware, updated documents, and other support materials.

   User Guide Feedback

   Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you!

   The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu 300, Taiwan.
   E-mail: techwriters@zyxel.com.tw

   Document Conventions

   Warnings and Notes
   These are how warnings and notes are shown in this User's Guide.
      Warnings tell you about things that could harm you or your device.
      Notes tell you other important information (for example, other things you may need to configure) or helpful tips or recommendations.

   Syntax Conventions
   The ZLD-based ZyW
9. Table 124 Command Summary: Date/Time

   clock date yyyy-mm-dd time hh:mm:ss
      Sets the new date in year, month and day format manually and the new time in hour, minute and second format.
   [no] clock daylight-saving
      Enables daylight saving. The no command disables daylight saving.
   [no] clock saving-interval begin {apr | aug | dec | feb | jan | jul | jun | mar | may | nov | oct | sep} {1 | 2 | 3 | 4 | last} {fri | mon | sat | sun | thu | tue | wed} hh:mm end {apr | aug | dec | feb | jan | jul | jun | mar | may | nov | oct | sep} {1 | 2 | 3 | 4 | last} {fri | mon | sat | sun | thu | tue | wed} hh:mm offset
      Configures the day and time when Daylight Saving Time starts and ends. The no command removes the day and time when Daylight Saving Time starts and ends. offset: a number from 1 to 5.5 (by 0.5 increments).
   clock time hh:mm:ss
      Sets the new time in hour, minute and second format.
   [no] clock time-zone {-|+}hh
      Sets your time zone. The no command removes time zone settings.
   [no] ntp
      Saves your date and time and time zone settings and updates the date and time every 24 hours. The no command stops updating the date and time every 24 hours.
   [no] ntp server {fqdn | w.x.y.z}
      Sets the IP address or URL of your NTP time server. The no command removes time server information.
   ntp sync
      Gets the time and date from a NTP time server.
   show clock date
      Displays the current date of your ZyWALL.
   show clock status
      Displays your time
10. Chapter 7 Route: policy route command input values

   address_object
      The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
   interface_name
      The name of the interface.
      Ethernet interface: gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
      Virtual interface on top of Ethernet interface: gex:y, x = 1..N, y = 1..12.
      VLAN interface: vlanx, x = 0..15.
      Virtual interface on top of VLAN interface: vlanx:y, x = 0..15, y = 1..12.
      Bridge interface: brx, x = 0..11.
      Virtual interface on top of bridge interface: brx:y, x = 0..11, y = 1..12.
      PPPoE/PPTP interface: pppx, x = 0..11.
   schedule_object
      The name of the schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
   service_name
      The name of the service (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
   user_name
      The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

   The following table describes the commands available for policy route. You must use the c
11. Chapter 20 IDP Commands (continued)

      Displays the IDP zone-to-zone rules.

   20.3.2.1 Example of IDP Zone-to-Zone Rule Commands

   The following example creates IDP zone-to-zone rule one. The rule applies the LAN_IDP profile to all traffic going to the LAN zone.

      Router> configure terminal
      Router(config)# idp signature rule 1
      Router(config-idp-signature-1)# from zone any
      Router(config-idp-signature-1)# to zone LAN
      Router(config-idp-signature-1)# bind LAN_IDP
      Router(config-idp-signature-1)# activate
      Router(config-idp-signature-1)# exit
      Router(config)# show idp signature rules
      Signature rules:
        idp rule: 1
          from zone: any
          to zone: LAN
          profile: LAN_IDP
          activate: yes

   20.3.3 Editing/Creating IDP Signature Profiles

   Use these commands to create a new IDP signature profile or edit an existing one. It is recommended you use the web configurator to create/edit profiles. If you do not specify a base profile, the default base profile is none.

   Note: You CANNOT change the base profile later.

   Table 78 Editing/Creating IDP Signature Profiles

   idp signature newpro base {all | lan | wan | dmz | none}
      Creates a new IDP signature profile called newpro. newpro uses the base profile you specify. Enters sub-command mode. All the following commands relate to the new profile. Use exit to
12. Chapter 21 Content Filtering: category list (continued)

   Education; Cultural/Charitable Organization; Financial Services; Brokerage/Trading; Online Games; Government/Legal; Military; Political/Activist Groups; Health; Computers/Internet; Search Engines/Portals; Spyware/Malware Sources; Spyware Effects/Privacy Concerns; Job Search/Careers; News/Media; Personals/Dating; Reference; Open Image/Media Search; Chat/Instant Messaging; Email; Blogs/Newsgroups; Religion; Social Networking; Online Storage; Remote Access Tools; Shopping; Auctions; Real Estate; Society/Lifestyle; Sexuality/Alternative Lifestyles; Restaurants/Dining/Food; Sports/Recreation/Hobbies; Travel; Vehicles; Humor/Jokes; Software Downloads; Pay to Surf; Peer-to-Peer; Streaming Media/MP3s; Proxy Avoidance; For Kids; Web Advertisements; Web Hosting; Unrated.

   21.6 General Content Filter Commands

   The following table lists the commands that you can use for general content filter configuration, such as enabling content filtering, viewing and ordering your list of content filtering policies, creating a denial of access message or specifying a redirect URL, and checking your external web filtering service registration status. Use the configure terminal command to enter the configuration mode to be able to use these commands. See Table 87 on page 156 for details about the values you can inp
13. Chapter 2 User and Privilege Modes: Table 5 Debug Commands (continued); each entry gives the command, its description and, where one exists, the Linux command equivalent.

   debug kernel
      Kernel debug commands.
   debug myzyxel-server
      Myzyxel.com debug commands.
   debug network arpignore
      Enable/Display the ignoring of ARP responses for interfaces which don't own the IP address. Linux equivalent: cat /proc/sys/net/ipv4/conf/*/arp_ignore
   debug [no] myzyxel-server
      Set the myZyXEL.com registration/update server to the official site.
   debug policy-route
      Policy route debug command.
   debug service-register
      Service registration debug command.
   debug show myzyxel-server status
      Myzyxel.com debug commands.
   debug system dmesg
      Shows kernel debug messages. Linux equivalent: dmesg
   debug system free
      Shows free and used memory in the system. Linux equivalent: free
   debug system ip addr
      Shows interface IP address information. Linux equivalent: ip addr
   debug system ip route get ip_addr
      Shows IP routing to the specified IP address. Linux equivalent: ip route
   debug system ip route show table {default | local | main | num}
      Shows IP routing information.
   debug system ip rule
      Shows IP routing tables. Linux equivalent: ip rule
   debug system ipcs
      Shows system IPC information. Linux equivalent: ipcs
   debug system iptables list chain {forward | prerouting | postrouting | input | output | pre...} id
      Shows netfilter information. Linux equivalent: iptables -L -t {nat | filter | mangle | vpn | zymark | vpnid | cfilt
14. Chapter 8 OSPF: area commands (continued)

      The no command removes the specified interface from the specified area.
   [no] area IP {stub | nssa}
      Creates the specified area and sets it to the indicated type. The no command removes the area.
   [no] area IP authentication
      Enables text authentication in the specified area. The no command disables authentication in the specified area.
   [no] area IP authentication message-digest
      Enables MD5 authentication in the specified area. The no command disables authentication in the specified area.
   [no] area IP authentication authentication-key authkey
      Sets the password for text authentication in the specified area. The no command clears the password.
   [no] area IP authentication message-digest-key <1..255> md5 authkey
      Sets the MD5 ID and password for MD5 authentication in the specified area. The no command clears the MD5 ID and password.

   8.2.4 Virtual Link Commands

   This table lists the commands for virtual links in OSPF areas.

   Table 38 router Commands: Virtual Links in OSPF Areas

   show ospf area IP virtual-link
      Displays information about virtual links for the specified area.
   router ospf
   [no] area IP virtual-link IP
      Creates the specified virtual link in the specified area. The no command removes the specified virtual link.
   [no] area IP virtual-link IP authentication
      Enables text authentication in the specified virtual link. The no command disables authentication
15. List of Commands (Alphabetical), fragment; the recoverable entries are:

   [no] content-filter block message message
   [no] content-filter block redirect redirect_url
   [no] content-filter cache timeout cache_timeout
   [no] content-filter license ...
   [no] content-filter policy policy_number address schedule filtering_profile
   [no] content-filter profile filtering_profile custom activex
   [no] content-filter profile filtering_profile custom cookie
   [no] content-filter profile filtering_profile custom forbid forbid_hosts
   [no] content-filter profile filtering_profile custom java
   [no] content-filter profile filtering_profile custom keyword keyword
   [no] content-filter profile filtering_profile custom proxy
   [no] content-filter profile filtering_profile custom trust trust_hosts
16. Chapter 33 System Remote Management: FTP commands (continued)

      ... or dashes (-), but the first character cannot be a number. This value is case-sensitive.
   ip ftp server rule move <1..32> to <1..32>
      Changes the index number of a service control rule.
   no ip ftp server rule <1..32>
      Deletes a service control rule for FTP service.
   show ip ftp server status
      Displays FTP settings.

   33.6.2 FTP Commands Examples

   This command sets a service control rule that allows the computers with the IP addresses matching the specified address object to access the specified zone using FTP service.

      Router> configure terminal
      Router(config)# ip ftp server rule 4 access-group Sales zone WAN action accept

   This command displays FTP settings.

      Router> configure terminal
      Router(config)# show ip ftp server status
      active: yes
      port: 21
      certificate: default
      TLS: no
      service control:
      No.  Zone  Address  Action

   33.7 SNMP

   Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1) and version two (SNMPv2c).

   33.7.1 Supported MIBs

   The ZyWALL supports MIB II, which is defined in RFC 1213 and RFC 1215. The ZyWALL also supports
17. List of Commands (Alphabetical), fragment; the recoverable entries are:

   schedule-object object_name time time day day day day day day day
   server type file-sharing owa web-server url URL entry-point entry_point
   server type file-sharing share-path folder
   service-object object_name {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>}
   service-object object_name icmp icmp_value
   service-object object_name protocol ...
   service-object rename object_name object_name
   service-register service-type standard license-key key_value
   service-register service-type trial service {all | content-filter | idp | av}
   session timeout {udp-connect <1..300> | udp-deliver <1..300> | icmp <1..300>}
   set ... group ...
   set security-association lifetime seconds <180..3000000>
   set session-key {ah <256..4095> auth_key | esp <256..4095> cipher enc_key authenticator ...}
18. Content filter profile display output (columns flattened in extraction); the recoverable fields are:

   service active: yes
   url match block: no, log
   url unrate block: no, log
   service offline block: no, log
   category settings (each set to no):
      Adult/Mature Content; Pornography; Sex Education; Intimate Apparel/Swimsuit; Nudity; Alcohol/Tobacco; Illegal/Questionable; Gambling; Violence/Hate/Racism; Weapons; Abortion; Hacking; Phishing; Arts/Entertainment; Business/Economy; Alternative Spirituality/Occult; Illegal Drugs; Education; Cultural/Charitable Organization; Financial Services; Brokerage/Trading; Online Games; Government/Legal; Military; Political/Activist Groups; Health; Computers/Internet; Search Engines/Portals; Spyware/Malware Sources; Spyware Effects/Privacy Concerns; Job Search/Careers; News/Media; Personals/Dating; Reference; Open Image/Media Search; Chat/Instant Messaging; Email; Blogs/Newsgroups; Religion; Social Networking; Online Storage; Remote Access Tools; Shopping; Auctions; Real Estate; Society/Lifestyle; Sexuality/Alternative Lifestyles; Restaurants/Dining/Food; Sports/Recreation/Hobbies; Travel; Vehicles; Humor/Jokes; Software Downloads; Pay to Surf; Peer-to-Peer; Proxy Avoidance; Web Advertisements; Unrated
   custom active: (allow/block)
   features to trusted hosts: activex, java, cookie, proxy (allow/block)
   Trusted Host: none
   traffic to trusted hosts only: no
19. Chapter 29 Certificates: Table 118 Certificates Commands Input Values (continued)

      A common name e-mail address identifies the certificate's owner. The e-mail address is for identification purposes only and can be any string. The e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.
   organizational_unit
      Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
   organization
      Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
   country
      Identify the nation where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
   key_length
      Type a number to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space.
   password
      When you have the ZyWALL enroll for a certificate immediately online, the certification authority may want you to include a key (password) to identify your certification request. Use up to 31 of the following characters: a-zA-Z0-9 and symbols
20. Chapter 33 System Remote Management: dial-in management example and Vantage CNM

   The following commands show you how to set up dial-in management with the following parameters: active, port speed 57600, initial string ATDT, and description "I am dial-in management".

      Router> configure terminal
      Router(config)# dial in
      Router(config-dial-in)# activate
      Router(config-dial-in)# port speed 57600
      Router(config-dial-in)# initial string ATDT
      Router(config-dial-in)# description I am dial in management
      Router(config-dial-in)# exit

   33.10 Vantage CNM

   Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details.

   If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator.

   33.10.1 Vantage CNM Commands

   The following table describes the commands available for dial-in management. You must use the configure terminal command to enter the configuration mode before you can use these commands.

   Table 136 Command Summary: Vantage CNM

   [no] cnm agent manager url
      Sets up the URL of the Vantage server that the ZyWALL registers with. Include the full HTTPS or HTTP URL, for example https://1.2.3.4/vantage
21. Chapter 29 Certificates: trusted certificate validation commands (continued)

   cdp {activate | deactivate}
      Has the ZyWALL check (or not check) incoming certificates that are signed by this certificate against a Certificate Revocation List (CRL) or an OCSP server. You also need to configure the OCSP or LDAP server details.
   ldap {activate | deactivate}
      Has the ZyWALL check (or not check) incoming certificates that are signed by this certificate against a Certificate Revocation List (CRL) on a LDAP (Lightweight Directory Access Protocol) directory server.
   ldap ip {ip | fqdn} port <1..65535> [id name password password] [deactivate]
      Sets the validation configuration for the specified remote (trusted) certificate where the directory server uses LDAP.
      ip: Type the IP address (in dotted decimal notation) or the domain name of the directory server. The domain name can use alphanumeric characters, periods and hyphens, up to 255 characters.
      port: Specify the LDAP server port number. You must use the same server port number that the directory server uses. 389 is the default server port number for LDAP.
      The ZyWALL may need to authenticate itself in order to access the CRL directory server. Type the login name (up to 31 characters) from the entity maintaining the server (usually a certification authority). You can use alphanumeric characters, the underscore and the dash. Type the password (up to 31 characters) from the entity maintaining the CRL directory server (usually a certification authority). You can
22. Chapter 22 Device HA: synchronization commands (continued)

   [no] device-ha sync authentication password password
      Specifies the password to use when synchronizing. Every router in the virtual router should use the same password. The no command resets the password to 1234. You can use 4-63 alphanumeric characters, underscores (_), dashes (-) and $ characters.
   [no] device-ha sync auto
      Specifies whether or not to automatically synchronize at regular intervals.
   [no] device-ha sync interval <1..1440>
      Specifies the number of minutes between each synchronization if the ZyWALL automatically synchronizes with the specified ZyWALL router. The no command resets the interval to five minutes.
   device-ha sync now
      Synchronize now.

   22.2.3 Link Monitoring Commands

   This table lists the commands for link monitoring. Link monitoring has the master ZyWALL shut down all of its VRRP interfaces if one of its VRRP interface links goes down. This way the backup ZyWALL takes over all of the master ZyWALL's functions.

   Table 95 device-ha Commands: Synchronization

   device-ha link-monitoring activate
      Turns on device HA link monitoring.
   no device-ha link-monitoring
      Turns off device HA link monitoring.
   show device-ha link-monitoring
      Displays the current link monitoring setting.

   22.2.4 Device HA Command Example

   The fo
23. Chapter 19 Anti-Virus: zone-to-zone anti-virus rule commands (continued)

   [no] scan {http | ftp | pop3}
      Sets the protocols of traffic to scan for viruses.
   [no] infected-action {destroy | send-win-msg}
      Sets the action to take when the ZyWALL detects a virus in a file. The file can be destroyed (filled with zeros from the point where the virus was found). The ZyWALL can also send a message alert to the file's intended user, using a Microsoft Windows computer connected to the to interface.
   [no] bypass {white-list | black-list}
      Have the ZyWALL not check files against a pattern list.
   [no] file-decompression [unsupported destroy]
      Enable file decompression to have the ZyWALL attempt to decompress zipped files for further scanning. You can also have it destroy the zipped files it cannot decompress due to encryption or system resource limitations.
   show [all]
      Displays the details of the anti-virus rule you are configuring, or all the rules.
   anti-virus rule move <1..32> to <1..32>
      Moves a direction-specific anti-virus rule to the number that you specified.
   anti-virus rule delete <1..32>
      Removes a direction-specific anti-virus rule.

   19.2.2.1 Zone-to-Zone Anti-Virus Rule Example

   This example shows how to configure and display a WAN-to-LAN anti-virus rule to scan HTTP traffic and destroy infected files. The white and black lists are ignored and zipped files are decompressed. Any
24. Chapter 15 IPSec VPN: Table 53 crypto map Commands (IPSec SAs), continued

      ... none}
      Enables Perfect Forward Secrecy (group).
   local-policy address_name
      Sets the address object for the local policy (local network).
   remote-policy address_name
      Sets the address object for the remote policy (remote network).
   [no] policy-enforcement
      Drops traffic whose source and destination IP addresses do not match the local and remote policy. This makes the IPSec SA more secure. The no command allows traffic whose source and destination IP addresses do not match the local and remote policy.
      Note: You must allow traffic whose source and destination IP addresses do not match the local and remote policy if you want to use the IPSec SA in a VPN concentrator.
   [no] nail-up
      Automatically re-negotiates the SA as needed. The no command does not.
   [no] replay-detection
      Enables replay detection. The no command disables it.
   [no] netbios-broadcast
      Enables NetBIOS broadcasts through the IPSec SA. The no command disables NetBIOS broadcasts through the IPSec SA.
   [no] out-snat activate
      Enables outbound traffic SNAT over IPSec. The no command disables outbound traffic SNAT over IPSec.
   out-snat source address_name destination address_name snat address_name
      Configures outbound traffic SNAT in the IPSec SA.
   [no] in-snat a
25. Chapter 2 User and Privilege Modes

      ... the ZyWALL restarts. Subsequent chapters in this guide describe the configuration commands. User/privilege mode commands that are also configuration commands (for example, show) are described in more detail in the related configuration command chapter.

   2.1.1 Debug Commands

   Debug commands marked with an asterisk (*) are not available when the debug flag is on and are for service personnel use only. The debug commands follow a syntax that is Linux-based, so if there is a Linux equivalent, it is displayed in this chapter for your reference.

   Table 5 Debug Commands; each entry gives the command, its description and, where one exists, the Linux command equivalent.

   debug app
      Application patrol debug command.
   debug app show l7protocol
      Shows app patrol protocol list. Linux equivalent: cat /etc/l7_protocols (protocol list)
   debug ca
      Certificate debug commands.
   debug cmdexec {on | off}
      ZyShell debug commands.
   debug core file
      Display/Flush/Move system core files.
   debug device-ha
      Device HA debug commands.
   debug force-auth
      Force authentication debug commands.
   debug gui
      GUI (cgi) related debug commands.
   debug gui show cgidump
      Shows gui cgi command buffer. Linux equivalent: cat /tmp/zysh_cgi_dump
   debug hardware
      Hardware debug commands.
   debug idp
      IDP debug command.
   debug interface ifconfig [interface]
      Shows system interfaces detail. Linux equivalent: ifconfig [interface]
   debug kernel
26. ...(log category listing, continued; category: level)

        zysh: normal
        idp: normal
        app-patrol: normal
        ike: normal
        ipsec: normal
        firewall: normal
        sessions-limit: normal
        policy-route: normal
        built-in-service: normal
        system: normal
        connectivity-check: normal
        device-ha: normal
        routing-protocol: normal
        nat: normal
        pki: normal
        interface: normal
        interface-statistics: no
        account: normal
        port-grouping: normal
        force-auth: normal
        l2tp-over-ipsec: normal
        anti-virus: normal
        white-list: normal
        black-list: normal
        ssl-vpn: normal
        cnm: normal
        traffic-log: no
        file-manage: normal
        dial-in: normal
        adp: normal
        default: all

    Chapter 35 Logs

    35.1.3 Debug Log Commands

    This table lists the commands for the debug log settings.

    Table 145 logging Commands (Debug Log Settings) (COMMAND: DESCRIPTION):
    - `show logging debug status`: Displays the current settings for the debug log.
    - `show logging debug entries [priority pri] [category module_name] [srcip ip] [dstip ip] [service service_name] [begin <1..512> end <1..512>] [keyword keyword]`: Displays the selected entries in the debug log. `pri`: alert, crit, debug, emerg, error, info, notice or warn. `keyword`: you can use alphanumeric characters and `_`, and it can be up to 63 characters long. This searches the message, source, destination and notes fields.
    - `show logging debug entries field field [begin <1..1024> end <1
27. Chapter 7 Route

    7.2.1 Policy Route Command Example

    The following commands set a policy that routes packets with the source IP address TW_SUBNET and any destination IP address through the interface ge1 to the next-hop router GW_1. This route uses the IP address of the outgoing interface as the matched packets' source IP address.

        Router(config)# policy 1
        Router(policy-route)# description example
        Router(policy-route)# destination any
        Router(policy-route)# interface ge1
        Router(policy-route)# next-hop gateway GW_1
        Router(policy-route)# source TW_SUBNET
        Router(policy-route)# snat outgoing-interface
        Router(policy-route)# exit
        Router(config)# show policy-route 1
        index: 1
          active: yes
          description: example
          user: none
          schedule: none
          interface: ge1
          tunnel: none
          source: TW_SUBNET
          destination: any
          service: any
          nexthop type: Gateway
          nexthop: GW_1
          bandwidth: 0
          bandwidth priority: 0
          SNAT: outgoing-interface
          amount of port trigger: 0
        Router(config)#

    7.3 IP Static Route

    The ZyWALL has no knowledge of the networks beyond the network that is directly connected to the ZyWALL. For instance, the ZyWALL knows about network N2 in the following figure through gateway R1. However, the ZyWALL is unable to route a packet to network N3 because it doesn't know that there is a route through the same gateway R1 (via gateway R2). The static routes are fo
28. (L2TP over IPSec configuration example, continued)

        Router(config)# l2tp-over-ipsec first-wins-server
        Router(config)# l2tp-over-ipsec second-wins-server
        Router(config)# l2tp-over-ipsec user L2TP-test
        Router(config)# l2tp-over-ipsec activate
        Router(config)# show l2tp-over-ipsec
        L2TP over IPSec:
          activate: yes
          crypto: Default_L2TP_VPN_Connection
          address pool: L2TP_POOL
          authentication: default
          user: L2TP-test
          keepalive timer: 2260
          first dns server: aux 1st dns
          second dns server: aux 1st dns
        Router(config)#

    17.5.4 Configuring the Policy Route for L2TP Example

    The following commands configure and display the policy route for the L2TP VPN connection entry.
    - Set the policy route's Source Address to the address object that you want to allow the remote users to access (LAN_SUBNET in this example).
    - Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users (L2TP_POOL in this example).
    - Set the next hop to be the Default_L2TP_VPN_Connection tunnel.
    - Enable the policy route.

    Chapter 17 L2TP VPN

        Router(config)# policy 3
        Router(policy-route)# source LAN_SUBNET
        Router(policy-route)# destination L2TP_POOL
        Router(policy-route)# service any
        Router(policy-route)# next-hop tunnel Default_L2TP_VPN_Connection
        Router(policy-route)# no deactivate
        Router(policy-route)# exit
        Router(config)# show policy-route 3
        index: 3
          active: yes
          description: WIZ_
29. Chapter 24 Addresses (end).

    Chapter 25 Services

    Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.

    25.1 Services Overview

    See the appendices in the web configurator's User Guide for a list of commonly used services.

    25.2 Services Commands Summary

    The following table describes the values required for many service object and service group commands. Other values are discussed with the corresponding commands.

    Table 106 Input Values for Service Commands (LABEL: DESCRIPTION):
    - `group_name`: The name of the service group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
    - `object_name`: The name of the service. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

    The following sections list the service object and service group commands.

    25.2.1 Service Object Commands

    The first table lists the commands for service objects.

    Table 107 service-object Commands (Service Objects) (COMMAND: DESCRIPTION):
    - `show service-object [object_name]`: Displays information about the specified service or about all the services.
    - no service-objec
32. (Table: ad-server commands, continued; COMMAND: DESCRIPTION)
    - `[no] ad-server basedn basedn`: Sets a base distinguished name (DN) for the default AD server. A base DN identifies an AD directory. The `no` command clears this setting.
    - `[no] ad-server binddn binddn`: Sets the user name the ZyWALL uses to log into the default AD server. The `no` command clears this setting.
    - `[no] ad-server cn-identifier uid`: Sets the unique common name (cn) to identify a record. The `no` command clears this setting.
    - `[no] ad-server host ad_server`: Sets the AD server address. Enter the IP address (in dotted decimal notation) or the domain name. The `no` command clears this setting.
    - `[no] ad-server password password`: Sets the bind password. The `no` command clears this setting.
    - `[no] ad-server port port_no`: Sets the AD port number. Enter a number between 1 and 65535. The default is 389. The `no` command clears this setting.
    - `[no] ad-server search-time-limit time`: Sets the search timeout period (in seconds). Enter a number between 1 and 300. The `no` command clears this setting.
    - `[no] ad-server ssl`: Enables the ZyWALL to establish a secure connection to the AD server. The `no` command disables this feature.

    27.2.2 ldap-server Commands

    The following table lists the `ldap-server` commands you use to set the default LDAP server.

    Table 112 ldap-server Commands (COMMAND: DESCRIPTION):
    - `show ldap-server`: Displays current LDAP server settings.
    - n
33. ... `[no] shutdown`: Activates the auxiliary interface. The `no` command deactivates it.

    Chapter 5 Interfaces

    5.2.10.1 Auxiliary Interface Command Examples

    The following commands show you how to set up the auxiliary interface (aux) with the following parameters: phone number 0340508888, tone dialing, port speed 115200, initial string ATZ, timeout 10 seconds, retry count 2, retry interval 100 seconds, username kk, password kk@u2online, chap-pap authentication, and description "I am aux interface".

        Router# configure terminal
        Router(config)# interface aux
        Router(config-if-aux)# phone-number 0340508888
        Router(config-if-aux)# dialing-type tone
        Router(config-if-aux)# port-speed 115200
        Router(config-if-aux)# initial-string ATZ
        Router(config-if-aux)# timeout 10
        Router(config-if-aux)# retry-count 2
        Router(config-if-aux)# retry-interval 100
        Router(config-if-aux)# username kk
        Router(config-if-aux)# password kk@u2online
        Router(config-if-aux)# authentication chap-pap
        Router(config-if-aux)# description "I am aux interface"
        Router(config-if-aux)# exit

    The following commands show how to dial, disconnect and stop the auxiliary interface.

        Router# interface dial aux
        Router# interface disconnect aux

    5.2.11 Virtual Interface Commands

    Virtual interfaces use many of the general interface commands discussed at the beginning of Section 5.2 on page 49. There are no a
34. ... `udp-decoder {truncated-header|undersize-len|oversize-len} {log|alert}`: Sets udp decoder log or alert options.
    - `no udp-decoder {truncated-header|undersize-len|oversize-len} log`: Deactivates udp decoder log options.
    - `udp-decoder {truncated-header|undersize-len|oversize-len} action {drop|reject-sender|reject-receiver|reject-both}`: Sets udp decoder action.
    - `no udp-decoder {truncated-header|undersize-len|oversize-len} action`: Deactivates udp decoder actions.

    Chapter 20 IDP Commands. Table 79 Editing/Creating Anomaly Profiles, continued (COMMAND: DESCRIPTION):
    - `[no] icmp-decoder {truncated-header|truncated-timestamp-header|truncated-address-header} activate`: Activates or deactivates icmp decoder options.
    - `icmp-decoder {truncated-header|truncated-timestamp-header|truncated-address-header} {log|alert}`: Sets icmp decoder log or alert options.
    - `no icmp-decoder {truncated-header|truncated-timestamp-header|truncated-address-header} log`: Deactivates icmp decoder log options.
    - `icmp-decoder {truncated-header|truncated-timestamp-header|truncated-address-header} action {drop|reject-sender|reject-receiver|reject-both}`: Sets icmp decoder action.
    - `no icmp-decoder {truncated-header|truncated-timestamp-header|truncated-address-header} action`: Deactivates icmp decoder actions.
    - `show idp anomaly profile scan-de
35. ... `rw` access. The `no` command resets the password for read-only (`ro`) or read-write (`rw`) access to the default.
    - `[no] snmp-server contact description`: Sets the contact information (up to 60 characters) for the person in charge of the ZyWALL. The `no` command removes the contact information for the person in charge of the ZyWALL.
    - `[no] snmp-server enable {informs|traps}`: Enables all SNMP notifications (informs or traps). The `no` command disables all SNMP notifications (informs or traps).
    - `[no] snmp-server host {w.x.y.z} [community_string]`: Sets the IP address of the host that receives the SNMP notifications. The `no` command removes the host that receives the SNMP notifications.
    - `[no] snmp-server location description`: Sets the geographic location (up to 60 characters) for the ZyWALL. The `no` command removes the geographic location for the ZyWALL.
    - `[no] snmp-server port <1..65535>`: Sets the SNMP service port number. The `no` command resets the SNMP service port number to the factory default (161).
    - `snmp-server rule {<1..32>|append|insert <1..32>} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}`: Sets a service control rule for SNMP service. `address_object`: the name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. `zone_object`: T
36. ... specify a network users can access.
    - `[no] user user_name`: Specifies the user or user group that can use the SSL VPN access policy.
    - `sslvpn policy move <1..16> to <1..16>`: Moves the specified SSL VPN access policy to the number that you specified.
    - `sslvpn no connection username user_name`: Terminates the user's SSL VPN connection and deletes the corresponding session information from the ZyWALL.
    - `no sslvpn policy profile_name`: Deletes the specified SSL VPN access policy.
    - `sslvpn policy rename profile_name profile_name`: Renames the specified SSL VPN access policy.

    Chapter 16 SSL VPN. Table 58 SSL VPN Commands (COMMAND: DESCRIPTION):
    - `show workspace application`: Displays the SSL VPN resources available to each user when logged into SSL VPN.
    - `show workspace cifs`: Displays the shared folders available to each user when logged into SSL VPN.

    16.2.2 SSL Command Examples

    Here is an example SSL VPN configuration.

        Router(config)# interface ge2
        Router(config-if-ge)# ip address 10.1.1.254 255.255.255.0
        Router(config-if-ge)# exit
        Router(config)# interface ge3
        Router(config-if-ge)# ip address 172.23.10.254 255.255.255.0
        Router(config-if-ge)# exit
        Router(config)# address-object IP-POOL 192.168.100.1-192.168.100.10
        Router(config)# address-object DNS1 172.23.5.1
        Router(config)# address-object DNS2 168.95.1.1
        Router(config)# address-object NETW
37. ... `{tcp-flood|udp-flood|ip-flood|icmp-flood} details`: Shows flood detection settings for the specified IDP profile.
    - `show idp anomaly profile http-inspection all details`: Shows http inspection settings for the specified IDP profile.

    Chapter 20 IDP Commands. Table 79 Editing/Creating Anomaly Profiles, continued (COMMAND: DESCRIPTION):
    - `show idp anomaly profile http-inspection {ascii-encoding|u-encoding|bare-byte-unicode-encoding|base36-encoding|utf-8-encoding|iis-unicode-codepoint-encoding|multi-slash-encoding|iis-backslash-evasion|self-directory-traversal|directory-traversal|apache-whitespace|non-rfc-http-delimiter|non-rfc-defined-char|oversize-request-uri-directory|oversize-chunk-encoding|webroot-directory-traversal} details`: Shows http inspection settings for the specified IDP profile.
    - `show idp anomaly profile tcp-decoder all details`: Shows tcp decoder settings for the specified IDP profile.
    - `show idp anomaly profile tcp-decoder {undersize-len|undersize-offset|oversize-offset|bad-length-options|truncated-options|ttcp-detected|obsolete-options|experimental-options} details`: Shows tcp decoder settings for the specified IDP profile.
    - `show idp anomaly profile udp-decoder all details`: Shows udp decoder settings for the specified IDP profile.
    - `show idp anoma
39. ... use the `configure terminal` command to enter configuration mode before you can use these commands.

    Table 69 Commands for Zone-to-Zone Anti-Virus Rules (COMMAND: DESCRIPTION):
    - `anti-virus rule append`: Enters the anti-virus sub-command mode to add a direction-specific rule.
    - `anti-virus rule insert <1..32>`: Enters the anti-virus sub-command mode to add a direction-specific rule.
    - `anti-virus rule <1..32>`: Enters the anti-virus sub-command mode to edit the specified direction-specific rule.
    - `[no] activate`: Turns a direction-specific anti-virus rule on or off.

    Chapter 19 Anti-Virus. Table 69 Commands for Zone-to-Zone Anti-Virus Rules, continued (COMMAND: DESCRIPTION):
    - `[no] log [alert]`: Sets the ZyWALL to create a log (and optionally an alert) when packets match this rule and are found to be virus-infected. The `no` command sets the ZyWALL not to create a log or alert when packets match this rule.
    - `[no] from zone_object`: Sets the zone on which the packets are received. The `no` command removes the zone on which the packets are received and resets it to the default (`any`). `any` means all interfaces or VPN tunnels.
    - `[no] to zone_object`: Sets the zone to which the packets are sent. The `no` command removes the zone to which the packets are sent and resets it to the default (`any`). `any` means all interfaces or VPN tunnels.
    - imap4
42. (Table 9 Country Codes, continued; COUNTRY CODE: COUNTRY NAME)
    185 Senegal, 186 Seychelles, 187 Sierra Leone, 188 Singapore, 189 Slovak Republic, 190 Slovenia, 191 Solomon Islands, 192 Somalia, 193 South Africa, 194 South Georgia and the South Sandwich Islands, 195 Spain, 196 Sri Lanka, 197 St. Pierre and Miquelon, 198 St. Helena, 199 Suriname, 200 Svalbard and Jan Mayen Islands, 201 Swaziland, 202 Sweden, 203 Switzerland, 204 Taiwan, 205 Tajikistan, 206 Tanzania, 207 Thailand, 208 Togo, 209 Tokelau, 210 Tonga, 211 Trinidad and Tobago, 212 Tunisia, 213 Turkey, 214 Turkmenistan, 215 Turks and Caicos Islands, 216 Tuvalu, 217 US Minor Outlying Islands, 218 Uganda, 219 Ukraine, 220 United Arab Emirates, 221 United Kingdom, 222 United States

    Chapter 4 Registration. Table 9 Country Codes, continued (COUNTRY CODE: COUNTRY NAME):
    223 Uruguay, 224 Uzbekistan, 225 Vanuatu, 226 Venezuela, 227 Vietnam, 228 Virgin Islands (British), 229 Virgin Islands (USA), 230 Wallis And Futuna Islands, 231 Western Sahara, 232 Western Samoa, 233 Yemen, 234 Yugoslavia, 235 Zambia, 236 Zimbabwe

    Chapter 4 Registration (end).

    Part contents: Interfaces (47), Trunks (65), Route (69), Routing Protocol (75), Zones (79), DDNS (83), Virtual Servers (85), HTTP Redirect (87), ALG (89)

    Chapter 5 Interfaces

    This chapter shows you how to use interface-related commands.

    5.1 Interfac
43. (FTP download example, continued)

        200 Type set to I.
        ftp> cd conf
        250 CWD command successful
        ftp> get today.conf current.conf
        200 PORT command successful
        150 Opening BINARY mode data connection for conf/today.conf (20220 bytes)
        226 Transfer complete
        ftp: 20220 bytes received in 0.03Seconds 652.26Kbytes/sec

    34.7 ZyWALL File Usage at Startup

    The ZyWALL uses the following files at system startup.

    Figure 26 ZyWALL File Usage at Startup: 1 Boot Module -> 2 Recovery Image -> 3 Firmware

    1. The boot module performs a basic hardware test. You cannot restore the boot module if it is damaged. The boot module also checks and loads the recovery image. The ZyWALL notifies you if the recovery image is damaged.
    2. The recovery image checks and loads the firmware. The ZyWALL notifies you if the firmware is damaged.

    Chapter 34 File Manager

    34.8 Notification of a Damaged Recovery Image or Firmware

    The ZyWALL's recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the ZyWALL notifies you of a damaged recovery image or firmware file. Use this section if your device has stopped responding for an extended period of time and you cannot access or ping it. Note that the ZyWALL does not respond while starting up. It takes less than five minutes to start up with the default configuration, but the
44. 20.3.5 Editing System Protect

    Use these commands to edit the system protect profiles.

    Table 80 Editing System Protect Profiles (COMMAND: DESCRIPTION):
    - `idp system-protect`: Configure the system protect profile. Enters sub-command mode; all the following commands relate to the new profile. Use `exit` to quit sub-command mode.
    - `[no] signature sid activate`: Activates or deactivates an IDP signature.
    - `signature sid {log|alert}`: Sets log or alert options for an IDP signature.
    - `no signature sid log`: Deactivates log options for an IDP signature.
    - `signature sid action {drop|reject-sender|reject-receiver|reject-both}`: Sets an action for an IDP signature.
    - `no signature sid action`: Deactivates an action for an IDP signature.
    - `show idp system-protect all details`: Displays the system protect profile details.

    20.3.6 Signature Search

    Use this command to search for signatures in the named profile. Note: it is recommended you use the web configurator to search for signatures.

    Table 81 Signature Search Command (COMMAND: DESCRIPTION):
    - `idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any|yes|no} log {any|no|log|log alert} action action_mask`: Searches for signature(s) in a profile by the parameters specified. The quoted string is any text within the signature n
45. (traceroute output, continued)

        ... 979 ms
         2  172.23.0.253  2.983 ms  2.964 ms  2.990 ms
         3  172.23.6.1    5.991 ms  5.968 ms  6.984 ms
         4  * * *

    Chapter 39 Maintenance Tools

    Here are maintenance tool commands that you can use in configure mode.

    Table 154 Maintenance Tools Commands in Configuration Mode (COMMAND: DESCRIPTION):
    - `show arp-table`: Displays the current Address Resolution Protocol table.
    - `arp IP mac_address`: Edits or creates an ARP table entry.
    - `no arp ip`: Removes an ARP table entry.

    The following example creates an ARP table entry for IP address 192.168.1.10 and MAC address 01:02:03:04:05:06. Then it shows the ARP table and finally removes the new entry.

        Router# arp 192.168.1.10 01:02:03:04:05:06
        Router# show arp-table
        Address         HWaddress           Flags Mask   Iface
        192.168.1.10    01:02:03:04:05:06   CM           ge1
        172.23.19.254   00:04:80:9B:78:00   C            ge2
        Router# no arp 192.168.1.10
        Router# show arp-table
        Address         HWaddress           Flags Mask   Iface
        192.168.1.10    (incomplete)                     ge1
        172.23.19.254   00:04:80:9B:78:00   C            ge2

    Chapter 39 Maintenance Tools (end).

    Chapter 40 Watchdog Timer

    This chapter provides information about the ZyWALL's watchdog timers.

    40.1 Hardware Watchdog Timer

    The hardware watchdog has the system restart if the hardware fails. The hardware watchdog timer commands are f
47. ... Allows HTTP access to the ZyWALL web configurator. The `no` command disables HTTP access to the ZyWALL web configurator.
    - `ip http server table {admin|user} rule {<1..32>|append|insert <1..32>} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}`: Sets a service control rule for HTTP service.
    - `ip http server table {admin|user} rule move <1..32> to <1..32>`: Changes the number of an HTTP service control rule.
    - `no ip http secure-server table {admin|user} rule <1..32>`: Deletes a service control rule for HTTPS service.
    - `no ip http server table {admin|user} rule <1..32>`: Deletes a service control rule for HTTP service.
    - `show ip http server status`: Displays HTTP settings.
    - `show ip http server secure status`: Displays HTTPS settings.

    33.2.1 HTTP/HTTPS Command Examples

    The following example adds a service control rule that allows an administrator from the computers with IP addresses matching the Marketing address object to access the WAN zone using HTTP service.

        Router# configure terminal
        Router(config)# ip http server table admin rule append access-group Marketing zone WAN action accept

    This command sets the authentication method used by the HTTP/HTTPS server to authenticate the client(s).

        Router# configure terminal
        Router(config)# ip http authentication

    Example: the following example sets a certificate
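The service control tables above (the SNMP `snmp-server rule` table and the HTTP `ip http server table ... rule` table share the same shape: an ordered list of access-group/zone/action rows) are easiest to reason about as a first-match evaluator. The following is an added example, not code from the guide or from ZyXEL: it models the Marketing/WAN rule from the example above, `append` and `insert <1..32>` ordering, and the effect of putting a broader `deny` ahead of a narrower `accept`. The address objects, the source addresses and the default action taken when no rule matches are constructed assumptions of the example, not values from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed address objects (name -> network); stand-ins for the ZyWALL's
# address objects that an access-group refers to. Not values from the guide.
ADDRESS_OBJECTS: Dict[str, ipaddress.IPv4Network] = {
    "Marketing": ipaddress.ip_network("172.23.37.0/24"),
    "Admin_PC": ipaddress.ip_network("192.168.1.33/32"),
}


@dataclass
class ServiceControlRule:
    """One row of a service control table."""
    access_group: str   # address object name, or "ALL"
    zone: str           # zone name, or "ALL"
    action: str         # "accept" or "deny"


def append_rule(rules: List[ServiceControlRule], rule: ServiceControlRule) -> None:
    """`rule append`: new row goes last, so it has the lowest precedence."""
    rules.append(rule)


def insert_rule(rules: List[ServiceControlRule], index: int, rule: ServiceControlRule) -> None:
    """`rule insert <1..32>`: 1-based position; existing rows shift down."""
    if not 1 <= index <= 32:
        raise ValueError("rule index must be in 1..32")
    rules.insert(index - 1, rule)


def rule_matches(rule: ServiceControlRule, src_ip: str, zone: str) -> bool:
    """A row matches when both its zone and its access-group match the request."""
    if rule.zone != "ALL" and rule.zone != zone:
        return False
    if rule.access_group != "ALL":
        net = ADDRESS_OBJECTS.get(rule.access_group)
        if net is None or ipaddress.ip_address(src_ip) not in net:
            return False
    return True


def evaluate(rules: List[ServiceControlRule], src_ip: str, zone: str,
             default_action: str = "deny") -> Tuple[Optional[int], str]:
    """Return (matching rule number, action). First match wins; the action
    used when nothing matches is an assumption of this example."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, src_ip, zone):
            return number, rule.action
    return None, default_action


def marketing_example() -> List[ServiceControlRule]:
    """The guide's rule: accept the Marketing object from the WAN zone."""
    rules: List[ServiceControlRule] = []
    append_rule(rules, ServiceControlRule("Marketing", "WAN", "accept"))
    return rules
```

Rule order is the whole point of `insert` versus `append`: inserting `access-group ALL zone WAN action deny` at position 1 shadows the Marketing accept that follows it, which is the same behaviour the ZyWALL's numbered tables have, so review the resulting order after every insert or move.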
49. ... Guide) enter `configure terminal`. The prompt should change to `Router(config)#`.

    1.2.3 Telnet

    Use the following steps to Telnet into your ZyWALL.

    Chapter 1 Command Line Interface

    1. If your computer is connected to the ZyWALL over the Internet, skip to the next step. Make sure your computer IP address and the ZyWALL IP address are on the same subnet.
    2. In Windows, click Start (usually in the bottom left corner) and Run. Then type `telnet` and the ZyWALL's IP address. For example, enter `telnet 192.168.1.1` (the default management IP address).
    3. Click OK. A login screen displays. Enter the user name and password at the prompts. The default login username is admin and the password is 1234. The username and password are case-sensitive.

    1.2.4 SSH (Secure SHell)

    You can use an SSH client program to access the CLI. The following figure shows an example using a text-based SSH client program. Refer to the documentation that comes with your SSH program for information on using it. The default login username is admin and the password is 1234. The username and password are case-sensitive.

    Figure 8 SSH Login Example

        C:\>ssh2 admin@192.168.1.1
        Host key not found from database.
        Key fingerprint:
        xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex
        You can get a public key's fingerprint by running
        % ssh-keygen -F publickey.pub
        on the keyfile.
        Are you sure you wan
50. If the ZyWALL has only one public IP address, you can make the computers in the private network available by using ports to forward packets to the appropriate private IP address.

    11.2 Virtual Server Commands Summary

    The following table describes the values required for many virtual server commands. Other values are discussed with the corresponding commands.

    Table 44 Input Values for Virtual Server Commands (LABEL: DESCRIPTION):
    - `profile_name`: The name of the virtual server. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

    The following table lists the virtual server commands.

    Table 45 ip virtual-server Commands (COMMAND: DESCRIPTION):
    - `show ip virtual-server [profile_name]`: Displays information about the specified virtual server or about all the virtual servers.
    - `no ip virtual-server profile_name`: Deletes the specified virtual server.
    - `ip virtual-server profile_name interface interface_name original-ip {any|IP|address_object} map-to IP map-type any [deactivate]`: Creates or modifies the specified virtual server and maps the specified destination IP address, for all destination ports, to the specified destination IP address. The original destination IP is defined by the specified interface (`any`), the specified IP address (`IP`) or the specified address object (`address_object`).
Overview

[Figure: L2TP Tunnel over the Internet]

The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic between two peers over another network (like the Internet). In L2TP VPN, an IPSec VPN tunnel is established first (see Chapter 15 on page 99 for information on IPSec) and then an L2TP tunnel is built inside it.

At the time of writing, the L2TP remote user must have a public IP address in order for L2TP VPN to work; the remote user cannot be behind a NAT router or a firewall.

17.2 IPSec Configuration

You must configure an IPSec VPN connection for L2TP VPN to use (see Chapter 15 on page 99 for details). The IPSec VPN connection must:
- Be enabled.
- Use transport mode.
- Not be a manual key VPN connection.
- Use Pre-Shared Key authentication.
- Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address.

17.2.1 Using the Default L2TP VPN Connection

Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN. If you use it, edit the following.
- Configure the local and remote policies as follows. For the Local Policy, create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW. Use this
- Use address and/or user/group objects to define to whose web access to apply the content filtering profile.
- Apply a content filtering profile that you have custom-tailored.

21.3 External Web Filtering Service

When you register for and enable the external web filtering service, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block, block and/or log access to web sites based on these categories. The content filtering lookup process is described below.

Figure 22 Content Filtering Lookup Procedure

1 A computer behind the ZyWALL tries to access a web site.
2 The ZyWALL looks up the web site in its cache. If an attempt to access the web site was made in the past, a record of that web site's category will be in the ZyWALL's cache. The ZyWALL blocks, blocks and logs, or just logs the request based on your configuration.
  Use the Anti-X > Content Filter > Cache screen to configure how long a web site address remains in the cache as well as view those web site addresses. All of the web site address records are also cleared from the local cache when the ZyWALL restarts.
3 If the ZyWALL has no record of the web site, it queries the external content filtering database and simultaneously sends the request to the web server. The external content filtering server sends the category information bac
...address_name <0..65535> <0..65535>
    Creates or revises the specified rule and maps the specified IP address and port range (original-ip) to the specified IP address and port range (mapped-ip).

15.2.3 IPSec SA Commands (for Manual Keys)

This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys).

Table 54 crypto map Commands: IPSec SAs (Manual Keys)
COMMAND  DESCRIPTION
crypto map map_name set session-key {ah <256..4095> auth_key | esp <256..4095> [cipher enc_key] authenticator auth_key}
    Sets the active protocol, SPI (<256..4095>), authentication key and encryption key (if any).
    auth_key: You can use any alphanumeric characters or $ & _. The length of the key depends on the algorithm: md5: 16-20 characters; sha: 20 characters.
    enc_key: You can use any alphanumeric characters or < > $ & _. The length of the key depends on the algorithm: des: 8-32 characters; 3des: 24-32 characters; aes128: 16-32 characters; aes192: 24-32 characters; aes256: 32 characters.
    If you want to enter the key in hexadecimal, type "0x" at the beginning of the key. For example, "0x0123456789ABCDEF" is in hexadecimal format; "0123456789ABCDEF" is in ASCII format. If you use hexadecimal, you must enter twice as many char
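The key-length rules in Table 54, including the "0x" hexadecimal form that needs twice as many characters, are easy to get wrong at the prompt. This added example (not from the guide) checks a manual-key SPI, auth_key and enc_key against those rules before they are typed into a set session-key command; the algorithm names and length ranges are the ones the table lists.

```python
import re

# Permitted key length in bytes (ASCII characters) per algorithm, from Table 54.
AUTH_KEY_LEN = {"md5": (16, 20), "sha": (20, 20)}
ENC_KEY_LEN = {"des": (8, 32), "3des": (24, 32), "aes128": (16, 32),
               "aes192": (24, 32), "aes256": (32, 32)}
SPI_RANGE = (256, 4095)


def key_byte_length(key):
    """Bytes the key carries. A key starting with 0x is hexadecimal, so it
    needs twice as many characters as an ASCII key (two hex digits per byte)."""
    if key[:2].lower() == "0x":
        digits = key[2:]
        if not digits or len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", digits):
            raise ValueError("hexadecimal key needs an even number of hex digits after 0x")
        return len(digits) // 2
    return len(key)


def key_ok(kind, algorithm, key):
    """True when the key length lies within the range Table 54 gives for the algorithm."""
    table = AUTH_KEY_LEN if kind == "auth" else ENC_KEY_LEN
    low, high = table[algorithm]
    return low <= key_byte_length(key) <= high


def check_session_key(protocol, spi, auth_alg, auth_key, enc_alg=None, enc_key=None):
    """Return a list of problems for one set session-key line (empty list means it passes)."""
    problems = []
    if not SPI_RANGE[0] <= spi <= SPI_RANGE[1]:
        problems.append(f"SPI {spi} outside <256..4095>")
    if protocol not in ("ah", "esp"):
        problems.append(f"unknown protocol {protocol}")
    try:
        if auth_alg not in AUTH_KEY_LEN:
            problems.append(f"unknown authentication algorithm {auth_alg}")
        elif not key_ok("auth", auth_alg, auth_key):
            low, high = AUTH_KEY_LEN[auth_alg]
            problems.append(f"{auth_alg} auth_key must be {low}-{high} bytes")
    except ValueError as err:
        problems.append(f"auth_key: {err}")
    if protocol == "esp" and enc_alg is not None:  # the cipher is optional for esp
        try:
            if enc_alg not in ENC_KEY_LEN:
                problems.append(f"unknown cipher {enc_alg}")
            elif not key_ok("enc", enc_alg, enc_key or ""):
                low, high = ENC_KEY_LEN[enc_alg]
                problems.append(f"{enc_alg} enc_key must be {low}-{high} bytes")
        except ValueError as err:
            problems.append(f"enc_key: {err}")
    return problems
```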
...an unlimited number of simultaneous logins.
[no] users simultaneous-logon {administration | access} limit <1..1024>
    Sets the limit for the number of simultaneous logins by users of the specified account type. The no command sets the limit to one.
show users update-lease settings
    Displays whether or not access users can automatically renew their lease time.
[no] users update-lease automation
    Lets users automatically renew their lease time. The no command prevents them from automatically renewing it.
show users idle-detection settings
    Displays whether or not users are automatically logged out and, if so, how many minutes of idle time must pass before they are logged out.
[no] users idle-detection
    Enables logging users out after a specified number of minutes of idle time. The no command disables logging them out.
[no] users idle-detection timeout <1..60>
    Sets the number of minutes of idle time before users are automatically logged out. The no command sets the idle detection timeout to three minutes.

23.2.3.1 User Setting Command Examples

The following commands show the current settings for the number of simultaneous logins.

    Router# configure terminal
    Router(config)# show users simultaneous-logon settings
    enable simultaneous logon limitation for administration account: yes
    maximum simultaneous logon per administration account:
    enable simultaneous logon limit
block {login | message | audio | video | file-transfer}
    Blocks use of a specific feature.
bandwidth {inbound | outbound} <0..1048576>
    Limits inbound or outbound bandwidth in kilobits per second. 0 disables bandwidth management for traffic matching this rule.
[no] bandwidth excess-usage
    Enables maximize bandwidth usage to let the traffic matching this policy borrow any unused bandwidth on the outgoing interface.
bandwidth priority <1..7>
    Sets the priority for traffic that matches this rule. The smaller the number, the higher the priority.
[no] log [alert]
    Creates log entries (and alerts) for traffic that matches the rule. The no command does not create any log entries.
show
    Displays the rule's configuration.
no app protocol_name rule <1..64>
    Deletes the specified rule.
app protocol_name rule move <1..64> to <1..64>
    Moves the specified rule (first index) to the specified location. The process is: 1) remove the specified rule from the table; 2) re-number; 3) insert the rule at the specified location.

18.2.3 Other Application Commands

This table lists the commands for other applications in application patrol.

Table 64 app Commands: Other Applications
COMMAND  DESCRIPTION
app other {forward | drop | reject}
    Specifies the default action for other applications.
no ap
...commands. Other values are discussed with the corresponding commands.

Table 103 Input Values for Address Commands
LABEL  DESCRIPTION
object_name
    The name of the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case sensitive.
group_name
    The name of the address group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case sensitive.

The following sections list the address object and address group commands.

24.2.1 Address Object Commands

This table lists the commands for address objects.

Table 104 address-object Commands: Address Objects
COMMAND  DESCRIPTION
show address-object [object_name]
    Displays information about the specified address or all the addresses.
address-object object_name {ip | ip_range | ip_subnet}
    Creates the specified address using the specified parameters.
    ip_range: <1..255>.<0..255>.<0..255>.<1..255>-<1..255>.<0..255>.<0..255>.<1..255>
    ip_subnet: <1..255>.<0..255>.<0..255>.<0..255>/<1..32>
no address-object object_name
    Deletes the specified address.
address-object rename object_name object_name
    Renames the specified address.
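The value formats in Tables 103 and 104 (and the identical name rule for profile_name in Table 44) can be checked before an address-object command is issued. This is an added example, not code from the guide; the sample values in the test are constructed.

```python
import re

# 1-31 alphanumeric, underscore or dash; the first character cannot be a number.
NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")
# one decimal octet 0-255 without leading zeros
OCTET = r"(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
IPV4_RE = re.compile(r"^" + r"\.".join([OCTET] * 4) + r"$")


def parse_ipv4(text):
    """Return the four octets as a tuple, or None if text is not a dotted quad."""
    m = IPV4_RE.match(text)
    return tuple(int(g) for g in m.groups()) if m else None


def valid_object_name(name):
    """object_name / group_name / profile_name rule (case sensitive)."""
    return bool(NAME_RE.match(name))


def _range_endpoint_ok(ip):
    # Table 104: first octet <1..255> and last octet <1..255> for each range endpoint
    return ip is not None and ip[0] >= 1 and ip[3] >= 1


def valid_ip_range(text):
    """<1..255>.<0..255>.<0..255>.<1..255>-<1..255>.<0..255>.<0..255>.<1..255>.
    The start <= end test is an extra sanity check added here, not a rule from the guide."""
    if text.count("-") != 1:
        return False
    start, end = (parse_ipv4(part) for part in text.split("-"))
    return _range_endpoint_ok(start) and _range_endpoint_ok(end) and start <= end


def valid_ip_subnet(text):
    """<1..255>.<0..255>.<0..255>.<0..255>/<1..32>"""
    if text.count("/") != 1:
        return False
    addr, bits = text.split("/")
    ip = parse_ipv4(addr)
    return ip is not None and ip[0] >= 1 and bits.isdigit() and 1 <= int(bits) <= 32


def address_object_kind(value):
    """Classify a value for address-object object_name {ip | ip_range | ip_subnet}."""
    if valid_ip_subnet(value):
        return "ip_subnet"
    if valid_ip_range(value):
        return "ip_range"
    if parse_ipv4(value) is not None:
        return "ip"
    return None
```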
    Router(config)# show report ge1 ip
    No.  IP Address   User   Amount      Direction
    1    192.168.1.4  admin  1273 bytes  Outgoing
    2    192.168.1.4  admin  711 bytes   Incoming
    Router(config)# show report ge1 service
    No.  Port  Service  Amount      Direction
    1    21    ftp      1273 bytes  Outgoing
    2    21    ftp      711 bytes   Incoming
    Router(config)# show report ge1 url
    No.  Hit  URL
              140.114.79.60
    Router(config)# show report status
    Report status: on
    Collection period: 0 days 0 hours 0 minutes 18 seconds

36.1.3 Session Commands

This table lists the command to display the current sessions.

Table 150 session Commands
COMMAND  DESCRIPTION
show conn [user username] [service service_name] [source-ip] [destination-ip] [begin <1..128000>] [end <1..128000>]
    Displays information about the selected sessions or about all sessions. You can select sessions by user name, service object, source IP, destination IP, or session number(s).
show conn status
    Displays the number of active sessions.

36.2 Reboot

Use this to restart the device (for example, if the device begins behaving erratically). If you made changes in the CLI, you have to use the write command to save the configuration before you reboot. Otherwise, the changes are lost when you reboot. Use the reboot command to restart the device.

Session Timeout

Use these commands to modify and display the session timeout values. You must use t
...control to your network. The following lists the types of authentication server the ZyWALL supports.
- Local user database: The ZyWALL uses the built-in local user database to authenticate administrative users logging into the ZyWALL's web configurator or network access users logging into the network through the ZyWALL. You can also use the local user database to authenticate VPN users.
- Directory Service (LDAP/AD): LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server.
- RADIUS: RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.

27.2 Authentication Server Command Summary

This section describes the commands for authentication server settings.

27.2.1 ad-server Commands

The following table lists the ad-server commands you use to set the default AD server.

Table 111 ad-server Commands
COMMAND  DESCRIPTION
show ad-server
    Displays current AD server settings.
...default-port
    Displays the default ports of this application.
show app protocol_name statistics
    Displays the statistics of this application.
show app protocol_name rule <1..64>
    Displays the rule configuration of this application.

Table 66 app Commands: Pre-Defined Applications (continued)
COMMAND  DESCRIPTION
show app protocol_name rule <1..64> statistics
    Displays the rule statistics of this application.
show app protocol_name rule default
    Displays the default rule configuration of this application.
show app protocol_name rule default statistics
    Displays the default rule statistics of this application.
show app protocol_name rule all
    Displays the configurations of all the rules for this application.
show app protocol_name rule all statistics
    Displays all the rule statistics for this application.
show app other config
    Displays the basic configuration for other applications.
show app other statistics
    Displays statistics for other applications.
show app other rule <1..64>
    Displays the rule's configuration.
show app other rule <1..64> statistics
    Displays the rule's statistics.
show app other rule default
    Displays the default rule's configuration.
show app other rule default statistics
    Displays the default rule's statistics.
show app other rul
device HA, VPN, certificates
    0-254 alphanumeric or permitted punctuation characters; first character alphanumeric or permitted punctuation characters
full file name
    0-256 alphanumeric or _
hostname
    Used in the hostname command: 0-63 alphanumeric or permitted punctuation characters; first character alphanumeric or permitted punctuation characters
    Used in other commands: 0-252 alphanumeric or permitted punctuation characters; first character alphanumeric or permitted punctuation characters
import configuration file
    1-26 alphanumeric or permitted punctuation characters; .conf at the end
import shell script
    1-26 alphanumeric or permitted punctuation characters; .zysh at the end
initial string
    1-64 alphanumeric, spaces, or $ _ &
isp account password
    0-63 alphanumeric or permitted punctuation characters
isp account username
    0-30 alphanumeric or permitted punctuation characters
key length
    512, 768, 1024, 1536, 2048
license key
    25 characters: S, then 6 upper case letters or numbers, then 16 upper case letters or numbers
mac address
    aa:bb:cc:dd:ee:ff (hexadecimal)
mail server fqdn
    lower case letters, numbers, or permitted punctuation characters
name
    1-31 alphanumeric or _
notification message
    1-81 alphanumeric, spaces, or _

Table 3 Input Value Formats for Strings in CLI Commands (continued)
TAG  VALUES
...for the SA monitor.

Table 56 sa Commands: SA Monitor
COMMAND  DESCRIPTION
show sa monitor [{begin <1..1000> end <1..1000>} | {rsort sort_order} | {crypto-map regexp} | {policy regexp} | {sort sort_order}]
    Displays the current IPSec SAs and the status of each one. You can specify a range of SA entries to display. You can also control the sort order of the display and search by VPN connection or local or remote policy.
    regexp: A keyword or regular expression. Use up to 30 alphanumeric and _ < > characters. A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use "a?c" (without the quotation marks) to specify abc, acc and so on.
    Wildcards (*) let multiple VPN connection or policy names match the pattern. For example, use "*abc" (without the quotation marks) to specify any VPN connection or policy name that ends with "abc". A VPN connection named "testabc" would match. There could be any number of any type of characters in front of the "abc" at the end and the VPN connection or policy name would still match. A VPN connection or policy name named "testacc", for example, would not match.
    A * in the middle of a VPN connection or policy name has the ZyWALL check the beginning and end and ignore the middle. For example, with "abc*123", any VPN connection or policy name starting with "abc" and ending in "123" matches, no matt
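The ? and * matching described for the regexp value, written out as an added example (not code from the guide) so the two rules are visible rather than hidden in a library call, and applied to a constructed list of SA monitor entries. The asterisk as the multi-character wildcard is an assumption here; the guide only calls it a wildcard.

```python
def name_matches(pattern, name):
    """? matches exactly one character; * matches any run of characters, including none."""
    p = n = 0
    star = -1        # pattern index of the most recent *
    star_n = 0       # name index up to which that * currently reaches
    while n < len(name):
        if p < len(pattern) and pattern[p] == "*":
            star, star_n = p, n
            p += 1
        elif p < len(pattern) and (pattern[p] == "?" or pattern[p] == name[n]):
            p += 1
            n += 1
        elif star != -1:
            # let the last * absorb one more character of the name and retry
            star_n += 1
            p, n = star + 1, star_n
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":   # trailing * may match nothing
        p += 1
    return p == len(pattern)


def filter_sa_entries(entries, crypto_map=None, policy=None):
    """Keep the SA entries whose VPN connection (crypto_map) or policy name matches the pattern."""
    kept = []
    for entry in entries:
        if crypto_map is not None and not name_matches(crypto_map, entry["crypto_map"]):
            continue
        if policy is not None and not name_matches(policy, entry["policy"]):
            continue
        kept.append(entry)
    return kept


# constructed SA monitor entries, named after the guide's own examples
SA_ENTRIES = [
    {"crypto_map": "testabc", "policy": "LAN_SUBNET"},
    {"crypto_map": "testacc", "policy": "DMZ_SUBNET"},
    {"crypto_map": "abcXYZ123", "policy": "LAN_SUBNET"},
]
```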
l2tp-over-ipsec pool address_object
    Specifies the address object that defines the pool of IP addresses that the ZyWALL uses to assign to the L2TP VPN clients.
l2tp-over-ipsec authentication aaa_authentication_profile_name
    Specifies how the ZyWALL authenticates a remote user before allowing access to the L2TP VPN tunnel. The authentication method has the ZyWALL check a user's user name and password against the ZyWALL's local database, a remote LDAP, RADIUS, or Active Directory server, or more than one of these.
[no] l2tp-over-ipsec user user_name
    Specifies the user or user group that can use the L2TP VPN tunnel. If you do not configure this, any user with a valid account and password on the ZyWALL can log in. The no command removes the user name setting.

Table 60 L2TP VPN Commands (continued)
COMMAND  DESCRIPTION
[no] l2tp-over-ipsec keepalive-timer <1..180>
    The ZyWALL sends a Hello message after waiting this long without receiving any traffic from the remote user. The ZyWALL disconnects the VPN tunnel if the remote user does not respond. The no command returns the default setting.
[no] l2tp-over-ipsec first-dns-server {ip | interface_name 1st}
    Specifies the first DNS server IP address to assign to the remote users. You can specify a static IP address or a DNS server that an interface received from its DHCP server. The no command removes the setti
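The requirements in 17.2 for the IPSec connection and the L2TP settings in Table 60 can be checked together before the tunnel is enabled. This is an added example, not code from the guide; the dictionary field names and sample values are constructed for the example and are not ZLD configuration keys.

```python
def check_l2tp_setup(vpn_conn, l2tp, multi_client):
    """Return a list of findings; an empty list means the setup meets the rules in 17.2 and Table 60.
    multi_client: True when L2TP clients connect from more than one IP address."""
    findings = []
    # 17.2: what the IPSec VPN connection used by L2TP must be
    if not vpn_conn.get("enabled"):
        findings.append("IPSec VPN connection is not enabled")
    if vpn_conn.get("mode") != "transport":
        findings.append("IPSec VPN connection must use transport mode")
    if vpn_conn.get("manual_key"):
        findings.append("a manual key VPN connection cannot be used for L2TP VPN")
    if vpn_conn.get("auth") != "pre-shared-key":
        findings.append("IPSec VPN connection must use Pre-Shared Key authentication")
    if multi_client and vpn_conn.get("secure_gateway") != "0.0.0.0":
        findings.append("Secure Gateway must be 0.0.0.0 to accept clients from more than one IP address")
    # Table 60: L2TP settings
    timer = l2tp.get("keepalive_timer")
    if timer is not None and not 1 <= timer <= 180:
        findings.append(f"keepalive-timer {timer} is outside <1..180>")
    if not l2tp.get("pool"):
        findings.append("no address object pool assigned to L2TP VPN clients")
    if not l2tp.get("authentication"):
        findings.append("no AAA authentication profile set for L2TP users")
    if not l2tp.get("user"):
        # without a user setting, any valid ZyWALL account can log in to the tunnel
        findings.append("no user or user group restriction: any valid ZyWALL account can use L2TP VPN")
    return findings


# constructed sample settings
GOOD_VPN = {"enabled": True, "mode": "transport", "manual_key": False,
            "auth": "pre-shared-key", "secure_gateway": "0.0.0.0"}
GOOD_L2TP = {"pool": "L2TP_POOL", "authentication": "LDAPuser",
             "user": "l2tp-users", "keepalive_timer": 60}
BAD_VPN = {"enabled": True, "mode": "tunnel", "manual_key": True,
           "auth": "pre-shared-key", "secure_gateway": "10.0.0.1"}
BAD_L2TP = {"pool": "L2TP_POOL", "authentication": "LDAPuser", "keepalive_timer": 0}
```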
    ...name
    ranking: 1 signature id: 8003796 signature name: ICMP L3retriever Ping type: Scan severity: verylow occurence: 22
    ranking: 2 signature id: 8003992 signature name: ICMP Large ICMP Packet type: DDOS severity: verylow occurence: 4
    Router(config)# show idp statistics ranking destination
    ranking: 1 destination ip: 172.23.5.19 occurence: 22
    ranking: 2 destination ip: 172.23.5.1 occurence: 4
    Router(config)# show idp statistics ranking source
    ranking: 1 source ip: 192.168.1.34 occurence: 26

Content Filtering

This chapter covers how to use the content filtering feature to control web access.

21.1 Content Filtering Overview

Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites. It can also block access to specific categories of web site content. You can create different content filtering policies for different addresses, schedules, users or groups and content filtering profiles. For example, you can configure one policy that blocks John Doe's access to arts and entertainment web pages during the workday and another policy that lets him access them after work.

21.2 Content Filtering Policies

A content filtering policy allows you to do the following.
- Use schedule objects to define when to apply a content filtering profile.
...named MyCert used by the HTTPS server to authenticate itself to the SSL client.

    Router# configure terminal
    Router(config)# ip http secure-server cert MyCert

33.3 SSH

Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.

33.3.1 SSH Implementation on the ZyWALL

Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour, and Blowfish). The SSH server is implemented on the ZyWALL for remote management on port 22 (by default).

33.3.2 Requirements for Using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.

33.3.3 SSH Commands

The following table describes the commands available for SSH. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 130 Command Summary: SSH
COMMAND  DESCRIPTION
[no] ip ssh server
    Allows SSH access to the ZyWALL CLI. The no command disables SSH access to the ZyWALL CLI.
[no] ip ssh server cert certificate_name
    Sets a certificate whose corresponding private key is to be used to identify the ZyWALL fo
[no] logging console category module_name
    Enables logging for the specified category in the console log. The no command disables logging.

Reports and Reboot

This chapter provides information about the report-associated commands and how to restart the ZyWALL using commands.

36.1 Report Commands Summary

The following sections list the report and session commands.

36.1.1 Report Commands

This table lists the commands for reports.

Table 149 report Commands
COMMAND  DESCRIPTION
[no] report
    Begins data collection. The no command stops data collection.
show report status
    Displays whether or not the ZyWALL is collecting data and how long it has collected data.
clear report [interface_name]
    Clears the report for the specified interface or for all interfaces.
show report interface_name {ip | service | url}
    Displays the traffic report for the specified interface and controls the format of the report. Formats are: ip (traffic by IP address and direction), service (traffic by service and direction), url (hits by URL).

36.1.2 Report Command Examples

The following commands start collecting data, display the traffic reports, and stop collecting data.

    Router# configure terminal
    Router
...one.

21.8 Content Filter Cache Commands

The following table lists the commands that you can use to view and configure your ZyWALL's URL caching. You can configure how long a categorized web site address remains in the cache as well as view those web site addresses to which access has been allowed or blocked based on the responses from the external content filtering server. The ZyWALL only queries the external content filtering database for sites not found in the cache.

Use the configure terminal command to enter the configuration mode to be able to use these commands. See Table 87 on page 156 for details about the values you can input with these commands.

Table 91 content-filter cache Commands
COMMAND  DESCRIPTION
[no] content-filter cache timeout cache_timeout
    Sets how long the ZyWALL is to keep an entry in the content filtering URL cache before discarding it. The no command clears the setting.
show content-filter url-cache
    Displays the contents of the content filtering URL cache before discarding it.

21.9 Content Filtering Commands Example

The following example shows how to limit the web access for a sales group.

1 First create a sales address object. This example uses a subnet that covers IP addresses 172.21.3.1 to 172.21.3.254. Then create a schedule for all day. Create a filtering profile
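The lookup procedure of Figure 22 (cache first, external database only on a miss, block or log by category, cache emptied on restart) with the cache timeout of Table 91, as an added simulation that is not code from the guide or from the ZyWALL. The external database, categories, site names and the time unit of the timeout are constructed for the example.

```python
import time

# constructed stand-in for the external web filtering database: site -> category
EXTERNAL_DB = {
    "www.example-games.test": "games",
    "www.example-news.test": "news",
}


class ContentFilter:
    def __init__(self, cache_timeout, policy, external_db=EXTERNAL_DB):
        self.cache_timeout = cache_timeout  # how long an entry stays in the URL cache (time units)
        self.policy = policy                # category -> "block" | "block-log" | "log" | "allow"
        self.db = external_db
        self.cache = {}                     # site -> (category, time the record was cached)
        self.external_queries = 0           # how often the external database was asked
        self.log = []                       # (time, site, category, action) entries

    def restart(self):
        """All web site address records are cleared from the local cache on restart."""
        self.cache.clear()

    def _category(self, site, now):
        """Step 2: answer from the cache; step 3: otherwise query the external database."""
        hit = self.cache.get(site)
        if hit is not None and now - hit[1] < self.cache_timeout:
            return hit[0], "cache"
        self.external_queries += 1
        # the real ZyWALL sends the request to the web server at the same time as this query
        category = self.db.get(site, "unknown")
        self.cache[site] = (category, now)
        return category, "external"

    def request(self, site, now=None):
        """Step 1: a computer behind the ZyWALL asks for a site. Returns the decision taken."""
        now = time.time() if now is None else now
        category, source = self._category(site, now)
        action = self.policy.get(category, "allow")
        if action in ("block-log", "log"):
            self.log.append((now, site, category, action))
        return {"site": site, "category": category, "source": source,
                "blocked": action in ("block", "block-log")}
```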
...path in one of the following formats:
\\<IP address>\<share name>
\\<domain name>\<share name>
\\<computer name>\<share name>
For example, if you enter \\my-server\Tmp, this allows remote users to access all files and/or folders in the \Tmp share on the my-server computer.
share-path folder
no server-type
    Remove the type of service configuration for this SSL application.
[no] webpage-encrypt
    Turn on web encrypt to prevent users from saving the web content.

31.1.2 SSL Application Command Examples

The following commands create and display a server-type SSL application object named ZW5 for a web server at IP address 192.168.1.12.

    Router(config)# sslvpn application ZW5
    Router(sslvpn application)# server-type web-server url http://192.168.1.12
    Router(sslvpn application)# exit
    Router(config)# show sslvpn application
    SSL Application: ZW5
      Server Type: web-server
      URL: http://192.168.1.12
      Entry Point:
      Encrypted URL: aHR0cDovLzE5Mi4xNjguMS4xMi8
      Web Page Encryption: yes
      Reference: 1

PART VI System
  System (207)
  System Remote Management (211)

System

This chapter provides information on the system screens.

32.1 System Overview

The system screens can help you configure general ZyWALL information, the system time, and the console port connection spe
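The "Encrypted URL" in the output above is the server URL in base64 (with the trailing = padding omitted), so it is reversible encoding rather than encryption and hides nothing from anyone who can read it. This added example, not code from the guide, decodes the value shown and checks it against the configured URL.

```python
import base64
from urllib.parse import urlsplit


def decode_entry_point(encoded):
    """Restore base64 padding and decode the entry point; raise if it is not an http(s) URL."""
    padded = encoded + "=" * (-len(encoded) % 4)
    url = base64.b64decode(padded, validate=True).decode("utf-8")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("decoded value is not an http(s) URL: " + url)
    return url


def is_valid_entry_point(encoded):
    """True when the value decodes to an http(s) URL at all."""
    try:
        decode_entry_point(encoded)
    except (ValueError, UnicodeDecodeError):
        return False
    return True


def entry_point_matches(encoded, configured_url):
    """True when the encoded entry point names the configured server URL (trailing / ignored)."""
    return decode_entry_point(encoded).rstrip("/") == configured_url.rstrip("/")
```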
private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the ZyWALL's MIBs from www.zyxel.com.

33.7.2 SNMP Traps

The ZyWALL sends traps to the SNMP manager when any one of the following events occurs.

Table 133 SNMP Traps
  coldStart (1.3.6.1.6.3.1.1.5.1)
      Sent when the ZyWALL is turned on or an agent restarts.
  linkDown (1.3.6.1.6.3.1.1.5.3)
      Sent when an Ethernet link goes down.
  linkUp (1.3.6.1.6.3.1.1.5.4)
      Sent when an Ethernet link comes up.
  authenticationFailure (1.3.6.1.6.3.1.1.5.5)
      Sent when an SNMP request comes from a non-authenticated host, typically one presenting a community string the ZyWALL does not accept. Forwarding this trap to the manager is an inexpensive way to notice community-string guessing.

33.7.3 SNMP Commands

The following table describes the commands available for SNMP. You must use the configure terminal command to enter configuration mode before you can use these commands. Because the community string is the only credential for SNMP v1/v2c and crosses the network in cleartext, prefer a read-only (ro) community and restrict which hosts may reach the SNMP service.

Table 134 Command Summary: SNMP
  [no] snmp-server
      Allows SNMP access to the ZyWALL. The no command disables SNMP access to the ZyWALL.
  [no] snmp-server community community_string {ro|rw}
      Enters up to 64 characters to set the password for read-only (ro) or read-write
profile that is currently in use.
  show aaa authentication {group_name|default}
      Displays the specified authentication server profile settings.

Table 117 aaa authentication Commands (continued)
  [no] aaa authentication profile_name
      Sets a descriptive name for the authentication profile. The no command deletes a profile.
  aaa authentication profile_name [no] member1 [member2] [member3]
      Sets the profile to use the authentication method(s) in the order specified. member: group ad, group ldap, group radius or local.
      Note: You must specify at least one member for each profile. Each type of member can only be used once in a profile.
      Use the no command to clear the authentication method settings for the profile.

28.2.1 aaa authentication Command Example

The following example creates an authentication profile that authenticates users using the LDAP server group first and then the local user database.

  Router# configure terminal
  Router(config)# aaa authentication LDAPuser group ldap local
  Router(config)# show aaa authentication LDAPuser
  No.  Method
  0    ldap
  1    local
  Router(config)#

Because the local database sits behind LDAP in this profile, test what the ZyWALL does when the LDAP server is reachable but rejects the credentials, and when it is unreachable, before relying on the ordering for access control.

Chapter 29 Certificates

This chapter explains how to use the Certificates screens.

29.1 Certificates Overview

The ZyWALL can use certificates (also called d
quit sub-command mode.
  [no] signature sid activate
      Activates or deactivates an IDP signature.
  signature sid log [alert]
      Sets log or alert options for an IDP signature.
  no signature sid log
      Deactivates log options for an IDP signature.
  signature sid action {drop|reject-sender|reject-both|reject-receiver}
      Sets an action for an IDP signature.
  no signature sid action
      Deactivates an action for an IDP signature.
  show idp profile signature sid details
      Shows signature ID details of the specified profile.
  show idp profile signature {all|custom-signature} details
      Shows the signature details of the specified profile.

20.3.4 Editing/Creating Anomaly Profiles

Use these commands to create a new anomaly profile or edit an existing one. It is recommended that you use the web configurator to create and edit profiles. If you do not specify a base profile, the default base profile is none.

Note: You CANNOT change the base profile later.

Table 79 Editing/Creating Anomaly Profiles
  idp anomaly newpro [base {all|none}]
      Creates a new IDP anomaly profile called newpro. newpro uses the base profile you specify. Enters sub-command mode. All the following commands relate to the new profile. Use exit to quit sub-command mode.
  scan-detection sensitivity {low|medium|high}
      Sets scan detec
remote server. The no command sets the facility to local_1.

35.1.4 E-mail Profile Commands

This table lists the commands for the e-mail profile settings. Note that SMTP authentication protects access to the mail account; it does not by itself protect the mailed logs in transit.

Table 147 logging Commands: E-mail Profile Settings
  show logging status mail
      Displays the current settings for the e-mail profiles.
  [no] logging mail <1..2>
      Enables the specified e-mail profile. The no command disables the specified e-mail profile.
  [no] logging mail <1..2> address {ip|hostname}
      Sets the URL or IP address of the mail server for the specified e-mail profile. The no command clears the mail server field. hostname: You may use up to 63 alphanumeric characters, dashes (-) or periods (.), but the first character cannot be a period.
  logging mail <1..2> sending_now
      Sends mail for the specified e-mail profile immediately according to the current settings.
  [no] logging mail <1..2> authentication
      Enables SMTP authentication. The no command disables SMTP authentication.
  [no] logging mail <1..2> authentication username username password password
      Sets the username and password required by the SMTP mail server. The no command clears the username and password fields. username: You can use alphanumeric characters, undersco
Command index (excerpt; entries that are illegible in the scan are omitted)
  content-filter profile filtering_profile custom trust allow-features ... 160
  content-filter profile filtering_profile custom ... 160
  content-filter profile filtering_profile url category category_name 160
  content-filter profile filtering_profile url match {block|log|block-log} 161
  content-filter profile filtering_profile url offline {block|log|block-log} 161
  content-filter profile filtering_profile url unrate {block|log|block-log} 161
  content-filter profile filtering_profile url url-server ... 161
  content-filter service-timeout service_timeout 161
  description description 169
  show cpu status
      Displays the CPU utilization.
  show disk
      Displays the disk utilization.
  show fan-speed
      Displays the current fan speed.
  show mac
      Displays the ZyWALL's MAC address.
  show mem status
      Displays what percentage of the ZyWALL's memory is currently being used.
  show ram-size
      Displays the size of the ZyWALL's on-board RAM.
  show serial-number
      Displays the serial number of this ZyWALL.
  show socket listen
      Displays the ZyWALL's listening ports.
  show socket open
      Displays the ports that are open on the ZyWALL.
  show system uptime
      Displays how long the ZyWALL has been running since it last restarted or was turned on.
  show version
      Displays the ZyWALL's model, firmware and build information.

After changing remote-management settings, show socket listen is the quickest check of which management services actually accept connections.

Here are examples of the commands that display the CPU and disk utilization.

  Router(config)# show cpu status
  CPU utilization: 0 %
  CPU utilization for 1 min: 0 %
  CPU utilization for 5 min: 0 %
  Router(config)# show disk
  No.  Disk           Size(MB)  Usage
  1    image          67        83%
  2    onboard flash  163       15%

Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size and serial number.

  Router(config)# show fan-speed
  FAN1(F00) rpm: limit(hi)=6500, limit(lo)=1400, max=6650, min=6642, avg=6644
  FAN2(F01) rpm: limit(hi)=6500, limit(lo)=1400, max=6809, min=6783, avg=6795
  FAN3(F02) rpm: limit(h
signature contents.

  Router(config)# show idp signatures custom-signature 9000000 contents
  sid: 9000000
  Router(config)# show idp signatures custom-signature 9000000 non-contents
  sid: 9000000
  ack:                dport: 0
  dsize:              dsize_rel:
  flow_direction:     flow_state:         flow_stream:
  fragbits_reserve:   fragbits_dontfrag:  fragbits_morefrag:
  fragoffset:         fragoffset_rel:
  icmp_id:            icmp_seq:
  icode:              icode_rel:
  id:                 ipopt:
  itype:              itype_rel:
  sameip:             seq:                sport: 0
  tcp_flag_ack:       tcp_flag_fin:       tcp_flag_push:
  tcp_flag_r1:        tcp_flag_r2:        tcp_flag_rst:
  tcp_flag_syn:       tcp_flag_urg:
  threshold_type:     threshold_track:    threshold_count:    threshold_second:
  tos:                tos_rel:            transport: tcp
  ttl:                ttl_rel:            window:             window_rel:

This example shows you how to display all details of a custom signature.

  Router(config)# show idp signatures custom-signature all details
  sid: 9000000
  message: test
  policy type:
  severity:
  platform: all no, Win95/98, WinNT no, WinXP/2000, Linux no, FreeBSD, Solaris, SGI no, other Unix no, network device
  no no no no no
  service: outbreak no

This example shows you how to display the number of custom signatures on the ZyWALL.

  Router(config)# show idp signatures custom-signature number
  signatures: 1

20.5 Update IDP Signatures

Use these commands to update new signatures. You register for IDP
start-up time increases with the complexity of your configuration.

1 Use a console cable and connect to the ZyWALL via a terminal emulation program such as HyperTerminal. Your console session displays the ZyWALL's startup messages. If you cannot see any messages, check the terminal emulation program's settings (see Section 1.2.1 on page 14) and restart the ZyWALL.

2 The system startup messages display, followed by "Press any key to enter debug mode within 3 seconds."

Note: Do not press any keys at this point. Wait to see what displays next.

Figure 27 System Startup Stopped
  BootModule Version: V1.08 | 05/05/2006 11:42:55
  DRAM Size = 510 Mbytes
  DRAM POST: Testing: 522240K OK
  DRAM Test SUCCESS !
  Kernel Version: 2.4.2 KL 2006-05-29 15:23:46
  ZLD Version: V7Z41050 180 DailyBuild New 2006-05-29 15:18:32
  Press any key to enter debug mode within 3 seconds.

3 If the console session displays "Invalid Firmware" or "Invalid Recovery Image", or the console freezes at "Press any key to enter debug mode within 3 seconds" for more than one minute, go to Section 34.9 on page 236 to restore the recovery image.

Figure 28 Recovery Image Damaged
  Press any key to enter debug mode within 3 seconds.
  Invalid Recovery Image
  ERROR
  Enter Debug Mode
  >

4 If "Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file" displays on the screen, the firmware file is damaged. Use the procedure in Section 34.10
Command index (excerpt; entries that are illegible in the scan are omitted)
  ... status {all|content-filter|idp|sslvpn|av|...} 39
  session timeout ... 253
  snmp ... 219
  socket listen 33
  socket open 33
  software-watchdog-timer ... 262
  sslvpn application ... 203
  system uptime 33
  username username ... 172
  users username {all|...} 175
  users idle-detection ... 174
  users simultaneous-logon settings 174
  version 33
  vpn-concentrator profile_name 105
support PPPoE/PPTP interfaces. PPPoE/PPTP interfaces also use many of the general interface commands discussed at the beginning of Section 5.2 on page 49.

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 25 Input Values for PPPoE/PPTP Interface Commands
  interface_name
      The name of the interface. PPPoE/PPTP interface: pppx, x = 0..11
  profile_name
      The name of the ISP account. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.

This table lists the PPPoE/PPTP interface commands.

Table 26 interface Commands: PPPoE/PPTP Interfaces
  interface dial interface_name
      Connects the specified PPPoE/PPTP interface.
  interface disconnect interface_name
      Disconnects the specified PPPoE/PPTP interface.
  interface interface_name
      Creates the specified interface if necessary and enters sub-command mode.
  [no] connectivity {nail-up|dial-on-demand}
      Specifies whether the specified PPPoE/PPTP interface is always connected (nail-up) or connected only when used (dial-on-demand). The no command se
the default system database is recovered.

Figure 49 Default System Database Received and Recovery Complete
  Default System Database received
  Update Filesystem
  Updating Database
  done

12 The username prompt displays after the ZyWALL starts up successfully. The default system database recovery process is now complete, and the ZyWALL IDP and anti-virus features are ready to use again.

Figure 50 Startup Complete
  nothing was mounted
  Hostname: localhost
  Setting the System Clock using the Hardware Clock as reference...
  System Clock set. Local time: Wed May 9 03:26:53 UTC 200
  Cleaning: /tmp /var/lock /var/run.
  Initializing random number generator... done.
  Initializing Debug Account Authentication Seed (DAAS)... done.
  Lionic device init successfully
  cavium nitrox device CN505 init complete
  INIT: Entering runlevel: 3
  Starting zylog daemon: zylogd zylog starts.
  Starting syslog-ng.
  Starting uam daemon.
  Starting app patrol daemon.
  Starting periodic command scheduler: cron.
  Start ZyWALL system daemon....
  Got LINK_CHANGE
  Port [1] is up --> Group [1] is up
  Got LINK_CHANGE
  Port [0] is up --> Group [0] is up
  Applying system configuration file, please wait...
  ZyWALL system is configured successfully with startup-config.conf
  Welcome to ZyWALL 1050
  Username:

Chapter 35 Logs

This chapter provides information abo
the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first.

15.2 IPSec VPN Commands Summary

The following table describes the values required for many IPSec VPN commands. Other values are discussed with the corresponding commands.

Table 51 Input Values for IPSec VPN Commands
  profile_name
      The name of a VPN concentrator. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  policy_name
      The name of an IKE SA. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  map_name
      The name of an IPSec SA. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  domain_name
      Fully-qualified domain name. You may use up to 254 alphanumeric characters, dashes (-) or periods (.), but the first character cannot be a period.
  e_mail
      An e-mail address. You can use up to 63 alphanumeric characters, underscores (_), dashes (-) or other characters.

Table 51 Input Values fo
these (U = available in user mode, P = available in privilege mode).
  diag-info (P)
      Has the ZyWALL create a new diagnostic file.
  dir (P)
      Lists files in a directory.
  disable (U, P)
      Goes from privilege mode to user mode.
  enable (U, P)
      Goes from user mode to privilege mode.
  exit (U, P)
      Goes to a previous mode or logs out.
  htm (U, P)
      Goes to htm (hardware test module) mode. Note: These commands are for ZyXEL's internal manufacturing process.
  interface (U, P)
      Dials or disconnects an interface.
  no packet-trace (U, P)
      Turns off packet tracing.
  nslookup (U, P)
      Resolves an IP address to a host name and vice versa.
  packet-trace (U, P)
      Performs a packet trace.
  ping (U, P)
      Pings an IP address or host name.
  psm (U, P)
      Goes to psm (product support module) mode. Note: These commands are for ZyXEL's internal manufacturing process.
  reboot (P)
      Restarts the device.
  release (P)
      Releases DHCP information from an interface.
  rename (P)
      Renames a configuration file.
  renew (P)
      Renews DHCP information for an interface.
  run (P)
      Runs a script.
  setenv (U, P)
      Turns stop-on-error on (terminates booting if an error is found in a configuration file) or off (ignores configuration file errors and continues booting).
  show (U, P)
      Displays command statistics. See the associated command chapter in this guide.
  shutdown (P)
      Writes all cached data to disk and stops the system processes. It does not turn off the power.
  traceroute
      Traces the route to the specified host name or IP address.
  write (P)
      Saves the current configuration to the ZyWALL. All unsaved changes are lost after
to enter configuration mode before using these commands.

Table 157 app-watch-dog Commands
  [no] app-watch-dog activate
      Turns the application watchdog timer on or off.
  [no] app-watch-dog console-print {always|once}
      Displays debug messages on the console every time they occur, or once. The no command changes the setting back to the default.
  [no] app-watch-dog interval <5..60>
      Sets how frequently (in seconds) the ZyWALL checks the system processes. The no command changes the setting back to the default.
  [no] app-watch-dog retry-count <1..5>
      Sets how many times the ZyWALL is to re-check a process before considering it failed. The no command changes the setting back to the default.
  [no] app-watch-dog alert
      Has the ZyWALL send an alert to the user when the system is out of memory or disk space.
  [no] app-watch-dog disk-threshold min <1..100> max <1..100>
      Sets the percentage thresholds for sending a disk usage alert. The ZyWALL starts sending alerts when disk usage exceeds the maximum (the second threshold you enter). The ZyWALL stops sending alerts when the disk usage drops back below the minimum threshold (the first threshold you enter). The no command changes the setting back to the default.
  [no] app-watch-dog mem-threshold min threshold_min max threshold_max
      Sets the percentage thresholds for sending a memory usage alert. The ZyWAL
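The two-threshold alert rule described for disk-threshold and mem-threshold, together with the retry-count rule for process checks, as an added example that is not ZyWALL code. The usage samples and process-check results are constructed. The comparison with a single threshold shows why a min/max pair is used: with one line, a usage level hovering around it raises and clears the alert on every sample.

```python
"""Added example (not ZyWALL code): the min/max (hysteresis) alert rule described
for app-watch-dog disk-threshold and mem-threshold, and the retry-count rule for
process checks. The usage samples and check results below are constructed."""


class UsageAlert:
    """Alert starts when usage exceeds `threshold_max` and stops only once usage
    has dropped below `threshold_min` (the two values the command takes)."""

    def __init__(self, threshold_min, threshold_max):
        if not 1 <= threshold_min <= threshold_max <= 100:
            raise ValueError("thresholds must satisfy 1 <= min <= max <= 100")
        self.threshold_min = threshold_min
        self.threshold_max = threshold_max
        self.alerting = False

    def observe(self, usage_pct):
        """Feed one sample; return True if an alert is sent for it."""
        if not self.alerting and usage_pct > self.threshold_max:
            self.alerting = True
        elif self.alerting and usage_pct < self.threshold_min:
            self.alerting = False
        return self.alerting


def hysteresis_alerts(samples, threshold_min, threshold_max):
    alert = UsageAlert(threshold_min, threshold_max)
    return [alert.observe(s) for s in samples]


def single_threshold_alerts(samples, threshold):
    """The naive rule, for comparison: alert whenever the sample is over the line."""
    return [s > threshold for s in samples]


class ProcessCheck:
    """A process counts as failed only after `retry_count` consecutive failed checks,
    so one missed check (the interval can be as short as 5 s) does not trigger recovery."""

    def __init__(self, retry_count):
        if not 1 <= retry_count <= 5:
            raise ValueError("retry-count must be in 1..5")
        self.retry_count = retry_count
        self.failures = 0

    def observe(self, alive):
        """Feed one check result; return True once the process is considered failed."""
        self.failures = 0 if alive else self.failures + 1
        return self.failures >= self.retry_count


def process_failed_series(checks, retry_count):
    pc = ProcessCheck(retry_count)
    return [pc.observe(c) for c in checks]


# Constructed disk-usage samples (percent) hovering around a 90 % line,
# and constructed process-check results (True = process responded).
USAGE = [80, 92, 88, 86, 70, 91, 95]
CHECKS = [True, False, False, True, False, False, False]


def demo():
    return {
        "hysteresis": hysteresis_alerts(USAGE, 85, 90),
        "single": single_threshold_alerts(USAGE, 90),
        "process_failed": process_failed_series(CHECKS, 3),
    }


if __name__ == "__main__":
    for name, series in demo().items():
        print(f"{name:15s} {series}")
```

With min 85 / max 90 the alert raised by the 92 % sample stays up through 88 % and 86 % and clears only at 70 %; the single-threshold rule flaps on the same series. The process check reports a failure only on the third consecutive miss.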
Command index (excerpt; entries that are illegible in the scan are omitted)
  ... map-type any [deactivate] 85
  ip virtual-server profile_name interface interface_name original-ip {any|IP|address_object} map-to IP map-type port protocol {any|tcp|udp} original-port <1..65535> mapped-port <1..65535> [deactivate] 86
  ip virtual-server profile_name interface interface_name original-ip {any|IP|address_object} map-to IP map-type ports protocol {any|tcp|udp} original-port-begin <1..65535> original-port-end <1..65535> mapped-port-begin <1..65535> [deactivate] 86
  ip virtual-server rename profile_name profile_name 86
  ipsec isakmp ... 103
  isakmp policy ... 101
  isakmp policy rename policy_name policy_name 101
  keystring pre_shared_key 102
  l2tp-over-ipsec authentication aaa_authentication_profile_name 113
  l2tp-over-ipsec ... 113
  l2tp-over-ipsec recover default-ipsec-policy 113
  language English ...
Command index (excerpt; entries that are illegible in the scan are omitted)
  udp-decoder {truncated-header|undersize-len|oversize-len} activate 142
  [no] upstream ... 51
  [no] user user_name ... 108
  [no] username username password password 84
  [no] users ... 174
  [no] users idle-detection timeout ... 174
  [no] users lockout-period <1..65535> 173
  [no] users retry ... 173
  no users simultaneous-logon administration access enforce 174
  no users simultaneous-logon administration access limit <1..1024> 174
  url-server test url_server [timeout query_timeout]
      Tests whether or not a web site is saved in the external content filter server's database of restricted web pages.
  show content-filter policy
      Displays the content filtering policies.
  show content-filter settings
      Displays the general content filtering settings.
  show content-filter url-cache
      Displays the contents of the content filtering URL cache.

21.7 Content Filter Filtering Profile Commands

The following table lists the commands that you can use to configure a content filtering policy. A content filtering policy defines which content filter profile should be applied, when it should be applied, and to whose web access it should be applied.

Use the configure terminal command to enter configuration mode before using these commands. See Table 87 on page 156 for details about the values you can input with these commands.

Table 90 content-filter Filtering Profile Commands Summary
  [no] license content-filter license
      Sets the license key for the external web filtering service. The no command clears the setting.
  ... custom forbid forbid_hosts
  [no] content-filter profile filtering_profile
      Creates a content filtering profile. The no command removes the profile.
  [no] content-filte
x limited by the maximum number of each type of interface. For example, Ethernet interface names are ge1, ge2, ge3, and so on; VLAN interfaces are vlan0, vlan1, vlan2, and so on.

The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface ge1 are called ge1:1, ge1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon in the web configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface.

5.1.2 Relationships Between Interfaces

In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports or port groups. The relationships between interfaces are explained in the following table.

Table 11 Relationships Between Different Types of Interfaces
  INTERFACE               REQUIRED PORT / INTERFACE
  auxiliary interface     auxiliary port
  port group              physical port
  Ethernet interface      physical port, port group
  VLAN interface          Ethernet interface
  bridge interface        Ethernet interface, VLAN interface
  PPPoE/PPTP interface    Ethe
zone and daylight saving settings.
  show clock time
      Displays the current time of your ZyWALL.
  show ntp server
      Displays time server settings.

32.4 Console Port Speed

This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program.

The following table describes the console port commands. You must use the configure terminal command to enter configuration mode before you can use these commands.

Table 125 Command Summary: Console Port Speed
  [no] console baud baud_rate
      Sets the speed of the console port. The no command resets the console port speed to the default (115200). baud_rate: 9600, 19200, 38400, 57600 or 115200
  show console
      Displays the console port speed.

32.5 DNS Overview

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it you must know the IP address of a machine before you can access it.

32.5.1 DNS Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 126 Input Values for General DNS Commands
  address_object
      The name of the IP address (group) object. You may use 1-31 alph
  ... 192.168.1.10 > 192.168.1.1: icmp: echo request
  19:24:44.259219 192.168.1.1 > 192.168.1.10: icmp: echo reply
  19:24:45.268839 192.168.1.10 > 192.168.1.1: icmp: echo request
  19:24:45.269238 192.168.1.1 > 192.168.1.10: icmp: echo reply
  6 packets received by filter
  0 packets dropped by kernel

  Router# packet-trace interface ge2 ip-proto icmp file extension-filter -s 500 -n
  tcpdump: listening on eth1
  07:24:07.898639 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
  07:24:07.900450 192.168.105.40 > 192.168.105.133: icmp: echo reply
  07:24:08.908749 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
  07:24:08.910606 192.168.105.40 > 192.168.105.133: icmp: echo reply
  8 packets received by filter
  0 packets dropped by kernel

  Router# packet-trace interface ge2 ip-proto icmp file extension-filter and src host 192.168.105.133 and dst host 192.168.105.40 -s 500 -n
  tcpdump: listening on eth1
  07:26:51.731558 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
  07:26:52.742666 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
  07:26:53.752774 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
  07:26:54.762887 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
  8 packets received by filter
  0 packets dropped by kernel

Note that the third trace's extension filter keeps only packets from 192.168.105.133 to 192.168.105.40, so the echo replies (which flow the other way) do not appear even though the capture counter still reports 8 packets received by the filter.

  Router# traceroute www.zyxel.com
  traceroute to www.zyxel.com (203.160.232.7), 30 hops max, 38 byte packets
   1  172.23.37.254  3.049 ms  1.947 ms  1
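The packet-trace output above, as an added example that is not ZyWALL code: a Python parser for tcpdump-style ICMP echo lines that pairs each request with the reply flowing the other way and reports round-trip times and unanswered requests. The two traces embedded below are reconstructed from the page's second and third captures (timestamps and addresses are the page's, the line format is tcpdump's). Run over the third capture it shows the filter trap: every reply was excluded by the one-directional extension filter, so the trace looks as if the host never answered, which is a filter artefact rather than a connectivity fault.

```python
"""Added example (not ZyWALL code): parse tcpdump-style ICMP echo lines from
packet-trace output, pair requests with replies and report RTTs and
unanswered requests. The traces below are reconstructed from the guide's
captures; timestamps and addresses are the page's."""
import re
from collections import deque

ECHO_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): icmp: echo (?P<kind>request|reply)"
)

# Second capture on the page: both directions present.
TRACE_BIDIR = """\
tcpdump: listening on eth1
07:24:07.898639 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:24:07.900450 192.168.105.40 > 192.168.105.133: icmp: echo reply
07:24:08.908749 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:24:08.910606 192.168.105.40 > 192.168.105.133: icmp: echo reply
8 packets received by filter
0 packets dropped by kernel
"""

# Third capture: the extension filter kept only src 192.168.105.133 -> dst 192.168.105.40,
# so the replies (which flow the other way) never reach the trace.
TRACE_ONE_WAY = """\
tcpdump: listening on eth1
07:26:51.731558 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:26:52.742666 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:26:53.752774 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:26:54.762887 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
8 packets received by filter
0 packets dropped by kernel
"""


def _seconds(ts):
    """hh:mm:ss.ffffff -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_echoes(text):
    """Yield (time_s, src, dst, kind) for each echo line; banner/summary lines are skipped."""
    for line in text.splitlines():
        m = ECHO_LINE.match(line.strip())
        if m:
            yield _seconds(m["ts"]), m["src"], m["dst"], m["kind"]


def pair_echoes(text):
    """Match each request with the next reply from its destination back to its source.
    Returns reply count, unanswered request count and RTTs in milliseconds."""
    pending = {}       # (src, dst) -> deque of outstanding request times (FIFO)
    rtts = []
    for t, src, dst, kind in parse_echoes(text):
        if kind == "request":
            pending.setdefault((src, dst), deque()).append(t)
        else:
            queue = pending.get((dst, src))
            if queue:
                rtts.append(round((t - queue.popleft()) * 1000, 3))
    unanswered = sum(len(q) for q in pending.values())
    return {"replies": len(rtts), "unanswered": unanswered, "rtt_ms": rtts}


def looks_one_directional(text):
    """Heuristic for the filter trap: requests present but not a single reply."""
    result = pair_echoes(text)
    return result["replies"] == 0 and result["unanswered"] > 0


if __name__ == "__main__":
    print("bidirectional:", pair_echoes(TRACE_BIDIR))
    print("one-way filter:", pair_echoes(TRACE_ONE_WAY), looks_one_directional(TRACE_ONE_WAY))
```

When a trace shows only requests, check the extension filter before concluding the peer is silent; filtering on one src/dst pair, as in the third capture, removes the replies by construction.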
1024>
      Displays the selected fields in the debug log. field: time, msg, src, dst, note, pri, cat or all.
  [no] logging debug suppression
      Enables log consolidation in the debug log. The no command disables log consolidation in the debug log.
  [no] logging debug suppression interval <10..600>
      Sets the log consolidation interval for the debug log. The no command sets the interval to ten.
  clear logging debug buffer
      Clears the debug log.

This table lists the commands for the remote syslog server settings. With log consolidation on, repeated identical messages within the interval are combined, so a remote log collector sees one consolidated entry rather than each occurrence; keep that in mind when counting events on the collector.

Table 146 logging Commands: Remote Syslog Server Settings
  show logging status syslog
      Displays the current settings for the remote servers.
  [no] logging syslog <1..4>
      Enables the specified remote server. The no command disables the specified remote server.
  [no] logging syslog <1..4> address {ip|hostname}
      Sets the URL or IP address of the specified remote server. The no command clears this field. hostname: You may use up to 63 alphanumeric characters, dashes (-) or periods (.), but the first character cannot be a period.
  [no] logging syslog <1..4> {disable|level normal|level all}
      Specifies what kind of information, if any, is logged for the specified category.
  [no] logging syslog <1..4> facility {local_1|local_2|local_3|local_4|local_5|local_6|local_7}
      Sets the log facility for the specified
  220-<<< Welcome to Pure-FTPd 1.0.11 >>>
  220-You are user number 1 of 58 allowed
  220-Local time is now 21:33 and the load is ...
  220-Only anonymous FTP is allowed here
  220 You will be disconnected after 15 minutes of inactivity
  User (192.168.1.1:(none)):
  230 Anonymous user logged in
  ftp> bi
  200 TYPE is now 8-bit binary
  ftp> put E:\ftproot\ZLD_FW\<firmware file>.bin

Because the recovery FTP service accepts anonymous logins, keep the ZyWALL connected directly to the recovery computer on port 1 and off any shared network until the firmware has been restored.

7 Wait for the file transfer to complete.

Figure 37 FTP Firmware Transfer Complete
  200 PORT command successful
  150 Connecting to port 1564
  226-87.0 Mbytes free disk space
  226-File successfully transferred
  226 3.231 seconds (measured here), 10.83 Mbytes per second
  ftp: 36708858 bytes sent in 3.23Seconds 11350.91Kbytes/sec.

8 After the transfer is complete, "Firmware received" or "ZLD-current received" displays. Wait up to four minutes while the ZyWALL recovers the firmware.

Figure 38 Firmware Received and Recovery Started
  Firmware received
  Update Filesystem
  Updating Code

9 The console session displays "done" when the firmware recovery is complete. Then the ZyWALL automatically restarts.

Figure 39 Firmware Recovery Complete and Restart
  Kernel
  Extracting Kernel Image ... done
  Writing Kernel Image ... done
  BootModule
  Extracting BootModule Image ... done
  Writing BootModule ...
  Restarting system.

10 The username p
/24
  object-group address TW_TEAM
    address-object TW_SUBNET
  exit
  # enable Telnet access (not enabled by default, unlike other services)
  ip telnet server
  # open WAN-to-ZyWALL firewall for TW_TEAM for remote management
  firewall WAN ZyWALL insert 4
    sourceip TW_TEAM
    service TELNET
    action allow
  exit
  write

The example opens Telnet, a cleartext protocol, to a WAN-side address group; keep the source group as narrow as it is here, and prefer SSH for remote management where the client side allows it.

While configuration files and shell scripts have the same syntax, the ZyWALL applies configuration files differently than it runs shell scripts. This is explained below.

Table 139 Configuration Files and Shell Scripts in the ZyWALL
  Configuration Files (.conf)
      Resets to default configuration.
      Goes into CLI Configuration mode.
      Runs the commands in the configuration file.
  Shell Scripts (.zysh)
      Goes into CLI Privilege mode.
      Runs the commands in the shell script.

You have to run the example in Figure 23 on page 228 as a shell script, because the first command is run in Privilege mode. If you remove the first command, you have to run the example as a configuration file, because the rest of the commands are executed in Configuration mode. See Section 1.5 on page 20 for more information about CLI modes.

34.2.1 Comments in Configuration Files or Shell Scripts

In a configuration file or shell script, use "#" or "!" as the first character of a command line to have the ZyWALL treat the line as a comment. Your configuration files or shell scripts c
6 md5 aes256 sha lifetime <180..3000000>
      Sets the IKE SA life time to the specified value.
  group1 | group2 | group5
      Sets the DHx group to the specified group.
  [no] natt
      Enables NAT traversal. The no command disables NAT traversal.
  [no] dpd
      Enables Dead Peer Detection (DPD). The no command disables DPD.
  local-ip {ip ip|domain-name domain_name|interface interface_name}
      Sets the local gateway address to the specified IP address, domain name or interface.

Table 52 isakmp Commands: IKE SAs (continued)
  peer-ip {ip|domain_name} [ip|domain_name]
      Sets the remote gateway address(es) to the specified IP address(es) or domain name(s).
  authentication {pre-share|rsa-sig}
      Specifies whether to use a pre-shared key or a certificate for authentication.
  keystring pre_shared_key
      Sets the pre-shared key that can be used for authentication. The pre-shared key can be 8-32 alphanumeric characters or symbols, or 16-64 hexadecimal (0-9, A-F) characters preceded by 0x. The pre-shared key is case-sensitive. Prefer the 0x form at its full length: a random 64-hex-digit key carries 256 bits of entropy, whereas an 8-character alphanumeric key carries under 48 bits and is within reach of guessing attacks.
  certificate certificate_name
      Sets the certificate that can be used for authentication.
  local-id type {ip ip|fqdn domain_name|mail e_mail|dn distinguished_name}
      Sets the local ID type and content to the specified IP address, domain name or
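Generating and checking a pre-shared key in the forms the keystring command accepts, and checking IKE policy, VPN concentrator and IPSec SA names against the rules in Table 51, as an added example that is not ZyWALL code. The symbol list for the non-hex key form is illegible in this copy, so the checker accepts only the alphanumeric subset of that form; the entropy figures assume each character is drawn uniformly at random, and the interpretation of the 0x prefix as marking a hex-encoded key follows the command description.

```python
"""Added example (not ZyWALL code): generate and check IKE pre-shared keys in the
forms the keystring command accepts, and check IKE policy / VPN object names
against the rules in Table 51. The symbol list for the non-hex key form is
illegible in this copy, so the checker accepts only its alphanumeric subset."""
import math
import re
import secrets

# 16..64 hex digits preceded by 0x (the guide lists 0-9 and A-F; lowercase is tolerated here).
HEX_PSK = re.compile(r"^0x[0-9A-Fa-f]{16,64}$")
# 8..32 characters; the guide also allows symbols, which this subset omits.
ALNUM_PSK = re.compile(r"^[0-9A-Za-z]{8,32}$")
# 1..31 alphanumerics, underscores or dashes; first character not a digit; case-sensitive.
OBJECT_NAME = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")


def generate_hex_psk(n_bytes=32):
    """Random key in the 0x form; 32 bytes gives the longest key the command takes."""
    if not 8 <= n_bytes <= 32:
        raise ValueError("keystring takes 16..64 hex digits, i.e. 8..32 bytes")
    return "0x" + secrets.token_hex(n_bytes).upper()


def psk_form(key):
    """'hex', 'alnum' or None for a key in neither accepted form."""
    if HEX_PSK.match(key):
        return "hex"
    if ALNUM_PSK.match(key):
        return "alnum"
    return None


def psk_entropy_bits(key):
    """Entropy if every character were drawn uniformly: 4 bits per hex digit,
    log2(62) ~ 5.95 bits per alphanumeric character. 0 for a key in neither form."""
    form = psk_form(key)
    if form == "hex":
        return (len(key) - 2) * 4
    if form == "alnum":
        return int(len(key) * math.log2(62))
    return 0


def valid_object_name(name):
    """Policy / profile / map name rule from Table 51."""
    return OBJECT_NAME.match(name) is not None


def keystring_line(key):
    """The sub-command line to paste into an isakmp policy, after validating the key."""
    if psk_form(key) is None:
        raise ValueError("key is not in an accepted keystring form")
    return f"keystring {key}"


if __name__ == "__main__":
    key = generate_hex_psk()
    print(keystring_line(key), "->", psk_entropy_bits(key), "bits")
    print("abcd1234 ->", psk_entropy_bits("abcd1234"), "bits")
```

The same key must be entered identically on both peers; in particular a key typed with the 0x prefix is not the same key as the plain string of those characters, so copy the generated value verbatim into both configurations.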
This table lists the general commands for application patrol.

Table 66 app Commands: Pre-Defined Applications
COMMAND   DESCRIPTION
[no] app activate   Turns on application patrol. The no command turns off application patrol.
[no] app protocol_name bandwidth-graph   Sets the specified protocol to display on the bandwidth statistics graph. The no command has it not display on the bandwidth statistics graph.
[no] app other protocol_name bandwidth-graph   Sets traffic for unidentified applications to display on the bandwidth statistics graph. The no command has it not display on the bandwidth statistics graph.
[no] bwm activate   Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes or application patrol policies apply bandwidth management. The no command globally disables bandwidth management.
show app config   Displays whether or not application patrol is active.
show app all   Displays the settings for all applications.
show app all defaultport   Displays the default port settings for all applications.
show app all statistics   Displays statistics for all applications.
show app general {im | p2p | stream}   Displays protocols by category.
show app im support-action   Displays the supported actions of each Instant Messenger application.
show app protocol_name config   Displays the basic configuration of this application.
show app protocol_name
See Section 23.2 on page 172 for the appropriate commands.

1.5 CLI Modes

You run CLI commands in one of several modes.

Table 2 CLI Modes

USER mode
- What Guest users can do: unable to access.
- What User users can do: look at (but not run) available commands.
- What Limited-Admin users can do: look at system information like the Status screen; run basic diagnostics.
- What Admin users can do: look at system information like the Status screen; run basic diagnostics.
- How you enter it: log in to the ZyWALL.
- What the prompt looks like: Router>
- How you exit it: type exit.

PRIVILEGE mode
- Guest users: unable to access.
- User users: unable to access.
- Limited-Admin users: look at system information like the Status screen; run basic diagnostics.
- Admin users: look at system information like the Status screen; run basic diagnostics.
- How you enter it: type enable in User mode.
- What the prompt looks like: Router#
- How you exit it: type disable.

CONFIGURATION mode
- Guest, User and Limited-Admin users: unable to access.
- Admin users: configure simple features such as an address object; create or remove complex parts such as an interface.
- How you enter it: type configure terminal in User or Privilege mode.
- What the prompt looks like: Router(config)#
- How you exit it: type exit.

SUB-COMMAND mode
- Guest, User and Limited-Admin users: unable to access.
- Admin users: configure complex parts such as an interface in the ZyWALL.
- How you enter it: type the command used to create the specific part in Configuration mode.
- What the prompt looks like: varies by part, for example Router(zone)# or Router(config-if-ge)#
- How you exit it: type exit.
... may be referred to as the ZyWALL, the device, the system or the product in this User's Guide.

- Product labels, screen names, field labels and field choices are all in bold font.
- A key stroke is denoted by square brackets and uppercase text; for example, [ENTER] means the enter or return key on your keyboard.
- Enter means for you to type one or more characters and then press the [ENTER] key.
- Select or choose means for you to use one of the predefined choices.
- A right angle bracket (>) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen.
- Units of measurement may denote the metric value or the scientific value. For example, k for kilo may denote 1000 or 1024, M for mega may denote 1000000 or 1048576, and so on.
- e.g. is a shorthand for "for instance" and i.e. means "that is" or "in other words".

Icons Used in Figures

Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.

ZyWALL, Computer, Notebook computer, Server, Firewall, Telephone,
COMMAND   DESCRIPTION
[no] description description   Sets a descriptive name (up to 60 printable ASCII characters) for a firewall rule. The no command removes the descriptive name from the rule.
[no] destinationip address_object   Sets the destination IP address(es). The no command resets the destination IP address(es) to the default (any). any means all IP addresses.
exit   Quits the firewall sub-command mode.
[no] from zone_object   Sets the zone on which the packets are received. The no command removes the zone on which the packets are received and resets it to the default (any). any means all interfaces or VPN tunnels.
[no] log [alert]   Sets the ZyWALL to create a log (and optionally an alert) when packets match this rule. The no command sets the ZyWALL not to create a log or alert when packets match this rule.
[no] schedule schedule_object   Sets the schedule that the rule uses. The no command removes the schedule settings from the rule.
[no] service service_name   Sets the service to which the rule applies. The no command resets the service settings to the default (any). any means all services.
[no] sourceip address_object   Sets the source IP address(es). The no command resets the source IP address(es) to the default (any). any means all IP addresses.
[no] sourceport {tcp | udp} {eq <1-65535> | range <1-65535> <1-65535>}   Sets the source port for a firewall rule. The no command removes the sour
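The sub-commands above are only useful in combination, and the table does not show the ordering and logging pattern that makes a rule set auditable. The following WAN-to-LAN rule set is an added example, not from the guide: two narrow allow rules pinned to a single destination host, followed by an explicit catch-all deny that logs with an alert, so every unsolicited inbound attempt shows up in the logs rather than disappearing silently. The object names DMZ_WEB, BRANCH_NET and OFFICE_HOURS, the addresses and the zone names WAN and LAN are assumptions for the example; HTTPS and SSH are the predefined service objects.

```zysh
configure terminal
# Objects used by the rules below (addresses are placeholders).
address-object DMZ_WEB 192.168.2.10
address-object BRANCH_NET 203.0.113.0/24
# OFFICE_HOURS is assumed to exist as a schedule object.

# Rule 1: HTTPS from anywhere, but only to the web host. Pinning
# destinationip means a second host on the LAN is never exposed by this rule.
firewall WAN LAN insert 1
 description HTTPS_to_DMZ_WEB
 destinationip DMZ_WEB
 service HTTPS
 action allow
 log
exit

# Rule 2: SSH to the same host, only from the branch network and only
# while the schedule is active. Outside OFFICE_HOURS the rule does not
# match and the request falls through to the deny below.
firewall WAN LAN insert 2
 description SSH_from_branch
 sourceip BRANCH_NET
 destinationip DMZ_WEB
 service SSH
 schedule OFFICE_HOURS
 action allow
 log
exit

# Rule 3: catch-all. No match criteria, so it matches everything that the
# two rules above did not. deny plus log alert records each attempt and
# raises an alert; with only the default behaviour you see what was
# allowed but not what was tried.
firewall WAN LAN insert 3
 description deny_rest_WAN_to_LAN
 action deny
 log alert
exit

write
```

Because rules are matched top-down and insert takes a position, re-running this script on a device that already holds these rules would add a second copy of each above the first; check show firewall WAN LAN before and after applying it.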
COMMAND   DESCRIPTION
clear aaa group server ad [group_name]   Deletes all AD server groups or the specified AD server group. Note: You can NOT delete a server group that is currently in use.
show aaa group server ad [group_name]   Displays the specified AD server group settings.
[no] aaa group server ad group_name   Sets a descriptive name for an AD server group. Use this command to enter the sub-command mode. The no command deletes the specified server group.
aaa group server ad rename group_name group_name   Changes the descriptive name for an AD server group.

aaa group server ad group_name sub-commands:
[no] server basedn basedn   Sets the base DN to point to the AD directory on the AD server. The no command clears this setting.
[no] server binddn binddn   Sets the user name (bind DN) the ZyWALL uses to log into the default AD server. The no command clears this setting.
[no] server cn-identifier uid   Sets the common name identifier: the directory attribute whose value the ZyWALL matches against the user name when it searches for the user. The no command clears this setting.
[no] server host ad_server   Sets the AD server address. Enter the IP address in dotted decimal notation or the domain name of an AD server to add to this group. The no command clears this setting.
[no] server password password   Sets the bind password (up to 15 characters). The no command clears this setting.
[no] server port port_no   Sets the AD port number. Enter a number betw
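Two points in the table deserve attention when these commands are used together: the bind password is capped at 15 characters, and nothing in this command set turns on TLS for the directory connection, so the bind credentials cross the network in clear text unless the path to the AD server is itself protected (for example, inside an IPSec tunnel). The following group definition is an added example, not from the guide, that builds on those two facts by using a dedicated read-only bind account and a fully random 15-character password. The group name CORP_AD, the host name, the DNs, the password value and the sAMAccountName attribute are assumptions for the example.

```zysh
configure terminal
# AD server group used as an external authentication source.
# All names, DNs and the password below are placeholders.
aaa group server ad CORP_AD
 # Reach the domain controller by name; the default LDAP port is 389 and
 # this command set offers no TLS option, so protect the path (e.g. reach
 # the server through an IPSec tunnel or on a management VLAN).
 server host ad1.corp.example
 server port 389
 # Subtree under which users are searched.
 server basedn dc=corp,dc=example
 # A dedicated account with read-only rights on the user subtree, never
 # a domain administrator: if the credential leaks it can only read.
 server binddn cn=zywall-bind,ou=Service,dc=corp,dc=example
 # The limit is 15 characters, so use all 15 and make them random.
 server password Wq7pL2mX9vBt4Kd
 # Attribute compared with the name the user types at login. In Active
 # Directory that is normally sAMAccountName (assumed here).
 server cn-identifier sAMAccountName
exit
```

Verify with show aaa group server ad CORP_AD that the password is not echoed in the clear, and remember that clear aaa group server ad refuses to remove a group that an authentication method still references.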
Switch, Router

Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.

- Do NOT use this product near water, for example in a wet basement or near a swimming pool.
- Do NOT expose your device to dampness, dust or corrosive liquids.
- Do NOT store things on the device.
- Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
- Connect ONLY suitable accessories to the device.
- Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
- Make sure to connect the cables to the correct ports.
- Place connecting cables carefully so that no one will step on them or stumble over them.
- Always disconnect all cables from this device before servicing or disassembling.
- Use ONLY an appropriate power adaptor or cord for your device. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
- Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
- Do NOT use the device if the power adaptor or cord is damaged as it m
Enters sub-command mode.
[no] network interface_name   Enables RIP on the specified Ethernet interface. The no command disables RIP on the specified interface.
[no] redistribute {static | ospf}   Enables redistribution of routing information learned from the specified source. The no command disables redistribution from the specified source.
redistribute {static | ospf} metric <0-16>   Sets the metric when redistributing routing information learned from the specified source.
[no] version {1 | 2}   Sets the default RIP version for all interfaces with RIP enabled. If the interface RIP version is blank, the interface uses the default version. This is not available in the GUI. The no command sets the default RIP version to 2.
[no] passive-interface interface_name   Sets the direction to In-Only for the specified interface. The no command sets the direction to bi-directional.
[no] authentication mode {md5 | text}   Sets the authentication mode for RIP. The no command sets the authentication mode to none.
[no] authentication string authkey   Sets the password for text authentication. The no command clears the password.
authentication key <1-255> key-string authkey   Sets the MD5 ID and password for MD5 authentication.
no authentication key   Clears the MD5 ID and password.
[no] outonly-interface interface_name   Sets the direction to Out-Only for the speci
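The table offers text and md5 authentication side by side without saying that text mode sends the password in the clear in every RIP update, so anyone on the segment can read it and inject routes. The following router rip block is an added example, not from the guide, that uses MD5 keyed authentication, limits where updates are exchanged, and gives redistributed static routes a worse metric. The interface names ge2 and ge3, the key ID and the key string are assumptions for the example.

```zysh
configure terminal
# RIPv2 with MD5 authentication. Interface names and the key are
# placeholders for this example.
router rip
 # RIPv1 has no authentication at all; make v2 the default.
 version 2
 # Run RIP on the inside interface only (ge3 assumed to face the LAN).
 network ge3
 # md5: the key never appears on the wire, each update carries a keyed
 # digest instead. text would send the password itself in every packet.
 authentication mode md5
 authentication key 7 key-string Rt3Kq9xLm2pWzV5
 # ge2 (assumed WAN side): listen to updates arriving there, but never
 # advertise internal routes outward.
 passive-interface ge2
 # Static routes are redistributed with a deliberately worse metric so a
 # directly learned route always wins over the copied static one.
 redistribute static
 redistribute static metric 5
exit
```

The neighbour must use the same key ID (7) and key string, and the ID is part of what is authenticated, so a mismatch in either silently drops the updates; show ip route and the RIP status output are the places to confirm that routes are still being learned after the change.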
DHCP pool.

Use the following commands if you want to create a static DHCP entry. If you do not use the host command, the commands that are not in this section have no effect, but you can still set them.

[no] host ip   Specifies the static IP address the ZyWALL should assign. Use this command along with hardware-address to create a static DHCP entry. Note: The IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool. When this command is used, the ZyWALL treats this DHCP pool like a static entry, regardless of the network setting. The no command clears this field.
[no] hardware-address mac_address   Reserves the DHCP pool for the specified MAC address. Use this command along with host to create a static DHCP entry. The no command clears this field.
[no] client-identifier mac_address   Specifies the MAC address that appears in the DHCP client list. The no command clears this field.
[no] client-name host_name   Specifies the host name that appears in the DHCP client list. The no command clears this field. host_name: You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Use the following commands if you want to create a pool of IP addresses. These commands have no effect if you use the host command. You can still set them, however.
... starts sending alerts when memory usage exceeds the maximum (the second threshold you enter). The ZyWALL stops sending alerts when the memory usage drops back below the minimum threshold (the first threshold you enter). The no command changes the setting back to the default.
show app-watch-dog config   Displays the application watchdog timer settings.
show app-watch-dog monitor-list   Displays the list of applications that the application watchdog is monitoring.

Chapter 40 Watchdog Timer

40.3.1 Application Watchdog Commands Example

The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring.

Router# configure terminal
Router(config)# show app-watch-dog config
Application Watch Dog Setting:
  activate: yes
  alert: yes
  console print: always
  retry count: 3
  interval: 60
  mem threshold: 80% ~ 90%
  disk threshold: 80% ~ 90%
Router(config)# show app-watch-dog monitor-list
app_name   min_process_count   max_process_count   (-1 means unlimited)
uamd
firewalld
policyd
contfltd
appd
classify
ospfd
ripd
resd
zyshd
wd
sshipsecpm
zylogd
syslog-ng
zylogger
ddns_had
tpd
wdtd
zebra
link_updown
aux_config
li
fauthd
decomp_server
lavd
sslvpn
wan
sslvpnpptp
dnsrd
signal_wrapper
LEGAL VALUES
password (less than 15 chars)   1-15 alphanumeric or punctuation characters
password (less than 8 chars)   1-8 alphanumeric or punctuation characters
password, used in user and ip ddns   1-63 alphanumeric or punctuation characters
password, used in e-mail log profile SMTP authentication   1-63 alphanumeric or punctuation characters
password, used in device HA synchronization   1-63 alphanumeric or punctuation characters
password, used in registration   6-20 alphanumeric or punctuation characters
phone number   1-20 numbers or punctuation characters
preshared key   0x or 0X followed by 16-64 hexadecimal values, or alphanumeric or punctuation characters (see the isakmp keystring command for the length rules)
profile name   0-30 alphanumeric characters or _; the first character must be a letter or _
proto name   1-16 lower-case letters, numbers or punctuation characters
protocol name   0-30 alphanumeric or punctuation characters; the first character must be a letter
quoted string (less than 127 chars)   1-255 alphanumeric characters, spaces or punctuation
quoted string (less than 63 chars)   1-63 alphanumeric characters, spaces or punctuation
quoted string   0 or more alphanumeric characters, spaces or punctuation marks enclosed in double quotation marks; you must put a backslash (\) before double quotation marks that are part of the input value itself
service name   0-63 alphanumeric or punctuation characters
spi   2-8 hexadecimal characters
string (less than 15 chars)   1-15 alphanumeric or punctuation characters
string (less than 63 chars)   1-63 alphanumeric or punctuation characters
string   1 or more alphanumeric or punctuation characters
subject   1-61 alpha
COMMAND   DESCRIPTION
show groupname [groupname]   Displays information about the specified user group or about all user groups set up in the ZyWALL.
[no] groupname groupname   Creates the specified user group if necessary and enters sub-command mode. The no command deletes the specified user group.
[no] description description   Sets the description for the specified user group. The no command clears the description for the specified user group.
[no] groupname groupname   Adds the specified user group (second groupname) to the specified user group (first groupname).
[no] user username   Adds the specified user to the specified user group.
show   Displays information about the specified user group.
groupname rename groupname groupname   Renames the specified user group (first groupname) to the specified group name (second groupname).

23.2.3 User Setting Commands

This table lists the commands for user settings, except for forcing user authentication.

Table 100 username/groupname Commands Summary: Settings
COMMAND   DESCRIPTION
show users default-setting   Displays information about the default settings for new users.
users default-setting [no] logon-lease-time <0-1440>   Sets the default lease time (in minutes) for each new user. Set it to zero to set unlimited lease time. The no command sets the default lease time to five.
users default-setting [no] logon-re-auth-time   Sets the default reauth
NETWORK1 172.23.10.0/24
Router(config)#
Router(config)# username tester password 1234 user-type user
Router(config)# sslvpn policy SSL_VPN_TEST
Router(policy SSL_VPN_TEST)# activate
Router(policy SSL_VPN_TEST)# user tester
Router(policy SSL_VPN_TEST)# network-extension activate
Router(policy SSL_VPN_TEST)# network-extension ip-pool IP_POOL
Router(policy SSL_VPN_TEST)# network-extension 1st-dns DNS1
Router(policy SSL_VPN_TEST)# network-extension 2nd-dns 168.95.1.1
Router(policy SSL_VPN_TEST)# network-extension network NETWORK1
Router(policy SSL_VPN_TEST)# exit
Router(config)# show sslvpn policy SSL_VPN_TEST
index: 1
  active: yes
  name: SSL_VPN_TEST
  description:
  user: tester
  ssl application: none
  network extension: yes
  ip pool: IP_POOL
  dns server 1: DNS1
  dns server 2: DNS2
  wins server 1: none
  wins server 2: none
  network: NETWORK1
  reference count: 0

L2TP VPN

This chapter explains how to set up and maintain L2TP VPNs in the ZyWALL.

17.1 L2TP VPN Overview

L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers' operating systems to securely connect to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or VPN client software.

Figure 19 L2TP VPN
COMMAND   DESCRIPTION
show sslvpn application [application_object]   Displays SSL VPN application objects.
[no] sslvpn application application_object   Enters the sub-command mode to create an SSL VPN application object.
server-type {file-sharing | owa | web-server} url URL [entry-point entry_point]   Specifies the type of service for this SSL application.
  file-sharing: create a file share application for VPN SSL.
  owa (Outlook Web Access): allow users to access e-mails, contacts and calendars via a Microsoft Outlook-like interface using supported web browsers. The ZyWALL supports one OWA object.
  web-server: allow access to the specified web site hosted on the local network.
  url: Enter the fully qualified domain name (FQDN) or IP address of the application server. You must enter the http:// or https:// prefix.
  entry-point: (Optional) Specify the name of the directory or file on the local server as the home page or home directory on the user screen. Remote users are restricted to access only files in this directory. For example, if you enter /remote in this field, remote users can only access files in the remote directory.

Table 122 SSL Application Object Commands (continued)
COMMAND   DESCRIPTION
server-type file-sharing ...   Specifies the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access. Enter the
...which helps redirect traffic accordingly.
Chapter 10 DDNS
10.2 DDNS Commands Summary
The following table describes the values required for many DDNS commands. Other values are discussed with the corresponding commands.
Table 42 Input Values for DDNS Commands
  profile_name
      The name of the DDNS profile. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following table lists the DDNS commands.
Table 43 ip ddns Commands
  show ddns [profile_name]
      Displays information about the specified DDNS profile or about all DDNS profiles.
  [no] ip ddns profile profile_name
      Creates the specified DDNS profile if necessary and enters sub-command mode. The no command deletes it.
  [no] service-type {dyndns | dyndns_static | dyndns_custom}
      Sets the service type in the specified DDNS profile. The no command clears it.
  [no] username username password password
      Sets the username and password in the specified DDNS profile. The no command clears these fields.
      username: You can use up to 31 alphanumeric characters and the underscore (_).
      password: You can use up to 64 alphanumeric characters and the underscore (_).
  [no] host hostname
      Sets the domain name in the specified DDNS profile. The no command clears the domain name.
      hostname: You...
      Sets the RIP direction of the specified interface to out-only. The no command makes RIP bi-directional in the specified interface.
  interface interface_name
      Enters sub-command mode.
  [no] ip rip {send | receive} version <1..2>
      Sets the send or receive version to the specified version number. The no command sets the send or receive version to the current global setting for RIP. See Section 8.2 on page 75.
Chapter 5 Interfaces
Table 18 interface Commands: RIP Settings (continued)
  [no] ip rip v2-broadcast
      Enables RIP-2 packets using subnet broadcasting. The no command uses multicasting.
  show rip {global | interface {all | interface_name}}
      Displays RIP settings.
5.2.5.2 OSPF Commands
This table lists the commands for OSPF settings.
Table 19 interface Commands: OSPF Settings
  router ospf
      Enters sub-command mode.
  [no] network interface_name area ip
      Makes the specified interface part of the specified area. The no command removes the specified interface from the specified area, disabling OSPF in this interface.
  [no] passive-interface interface_name
      Sets the OSPF direction of the specified interface to in-only. The no command makes OSPF bi-directional in the specified interface.
  interface interface_name
      Enters sub-command mode.
  [no] ip ospf...
[Content filtering category table: category names such as Streaming Media & MP3s, For Kids, Web Hosting, Search Engines & Portals, Effects/Privacy Concerns, each with yes/no columns, ending with the rows No Forbidden Host and No Keyword. The table layout did not survive extraction.]
Chapter 21 Content Filtering
PART V Device HA & Objects
Device HA (167)
User/Group (171)
Addresses (177)
Services (181)
Schedules (185)
AAA Server (187)
Authentication Objects (193)
Certificates (195)
ISP Accounts (201)
SSL Application (203)
Device HA
Use device HA and the Virtual Router Redundancy Protocol (VRRP) to increase network reliability.
22.1 Device HA Overview
This section provides an overview of VRRP, VRRP groups and synchronization.
22.1.1 Virtual Router Redundancy Protocol (VRRP) Overview
Every computer on a network may send packets to a default gateway, which can become a single point of failure. The Virtual Router Redundancy Protocol (VRRP) allows you to create redundant backup gateways to ensure that the default gateway is always available. The ZyWALL runs VRRP v2.
Note: You can only set up device HA with other ZyWALLs of the same model running the same firmware version.
22.1.2 VRRP Group Overview
In the ZyWALL, you should create a VRRP group to add one of its interfaces to a v...
  ...VPN
  user: any
  schedule: none
  interface: ge1
  tunnel: none
  sslvpn: none
  source: PC_SUBNET
  destination: L2TP_POOL
  service: any
  nexthop type: Tunnel
  nexthop: Default_L2TP_VPN_Connection
  bandwidth: 0
  bandwidth priority: 0
  maximize bandwidth usage: no
  SNAT: none
  amount of port trigger: 0
Chapter 17 L2TP VPN
PART IV Application Patrol & Anti-X
Application Patrol (121)
Anti-Virus (129)
IDP Commands (137)
Content Filtering (155)
Application Patrol
This chapter describes how to set up application patrol for the ZyWALL.
18.1 Application Patrol Overview
Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP) and streaming (RTSP) applications. You can even control the use of a particular application's individual features, like text messaging, voice, video conferencing and file transfers. Application patrol also has powerful bandwidth management, including traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.
The ZyWALL checks firewall rules before application patrol rules for traffic going through the ZyWALL. To use a service, make sure both the firewall and application patrol a...
ZyWALL ZLD CLI Reference Guide
Version 2.00, 7/2007, Edition 1
DEFAULT LOGIN
  LAN Port 1
  IP Address: http://192.168.1.1
  User Name: admin
  Password: 1234
Change the default admin password at first login; these credentials are printed in every copy of this guide.
ZyXEL, www.zyxel.com
About This User's Guide
This manual is designed to guide you through the configuration of your ZLD-based ZyWALL for its various applications using the CLI (Command Line Interface). Generally, it is organized by feature as outlined in the web configurator.
Note: See the web configurator User's Guide for related information on all features.
Intended Audience
This manual is intended for network administrators or people who have a good knowledge of TCP/IP networking concepts and topology who want to configure the ZyWALL using the CLI.
1. Read Chapter 1 on page 13 for how to access and use the CLI (Command Line Interface).
2. Read Chapter 2 on page 29 to learn about the CLI user and privilege modes.
3. Subsequent chapters are arranged by menu item as defined in the web configurator. Read each chapter carefully for detailed information on that menu item.
Related Documentation
- Supporting Disk: Refer to the included CD for support documents.
- Quick Start Guide: The Quick Start Guide is designed to help you get up and running right away. It contains a detailed, easy-to-follow connection diagram, default settings, handy checklists and information on setting up your network and configuring for Internet access.
  ip telnet server rule <1..32> access-group {address_object | ALL} zone {zone_object | ALL} action {accept | deny}
      Sets a service control rule for Telnet service.
      address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
      zone_object: The name of the zone. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  ip telnet server rule move <1..32> to <1..32>
      Changes the index number of a service control rule.
  no ip telnet server rule <1..32>
      Deletes a service control rule for Telnet service.
  show ip telnet server status
      Displays Telnet settings.
33.5.1 Telnet Commands Examples
This command sets a service control rule that allows the computers with IP addresses matching the specified address object to access the specified zone using Telnet service.
  Router# configure terminal
  Router(config)# ip telnet server rule 11 access-group RD zone LAN action accept
This command displays Telnet settings.
  Router# configure terminal
  Router(config)# show ip telnet server status
  active          : yes
  port            : 23
  service control:
  No.  Zone    Address    Action
  ...
  Router(config)#
Telnet carries the administrator password and every command across the network in cleartext, so either leave it disabled and manage the ZyWALL over SSH, or restrict it with service control rules to trusted address objects and zones.
33.6 Configuring FTP
You can upload and download the ZyWALL's firmware and configuration files using FTP. To u...
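The following Python script is an added example, not code from the guide or from ZyXEL: it audits the text of a show ip telnet server status dump for the exposure points this section creates, namely Telnet left active, no service control rules at all, a rule that accepts ALL zones and ALL addresses, and the absence of a final catch-all deny. The sample dumps are constructed to match the layout printed above. The assumption that rules are evaluated in ascending index order follows from the existence of the move command but is not stated by the guide.

```python
"""Audit a ZyWALL 'show ip telnet server status' dump for management exposure."""
import re

# Constructed sample outputs in the layout the ZLD CLI prints for this command
# (modelled on the guide's example, not captured from a real device).
STATUS_OPEN = """\
active          : yes
port            : 23
service control:
No.  Zone    Address    Action
================================
"""

STATUS_RESTRICTED = """\
active          : yes
port            : 23
service control:
No.  Zone    Address    Action
================================
1    LAN     RD         accept
2    ALL     ALL        deny
"""

STATUS_DISABLED = """\
active          : no
port            : 23
service control:
No.  Zone    Address    Action
================================
"""

# One rule row: index, zone, address object, action
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(accept|deny)\s*$")


def parse_status(text):
    """Return (active, port, rules); rules is a list of (zone, address, action)
    in the order the device lists them (assumed to be evaluation order)."""
    active = port = None
    rules = []
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip() == "active":
            active = val.strip() == "yes"
        elif sep and key.strip() == "port":
            port = int(val)
        else:
            m = RULE_RE.match(line)
            if m:
                rules.append((m.group(2), m.group(3), m.group(4)))
    return active, port, rules


def audit(text):
    """Return a list of findings; an empty list means Telnet is disabled."""
    active, port, rules = parse_status(text)
    findings = []
    if not active:
        return findings
    findings.append("telnet enabled: password and commands cross the network in cleartext")
    if port != 23:
        findings.append(f"non-default port {port} does not hide the service from a scan")
    if not rules:
        findings.append("no service control rules: every zone may attempt a Telnet login")
        return findings
    for zone, addr, action in rules:
        if zone == "ALL" and addr == "ALL":
            if action == "accept":
                findings.append("a rule accepts ALL zones and ALL addresses")
            break  # a catch-all rule ends evaluation; later rules are dead
    if not any(r == ("ALL", "ALL", "deny") for r in rules):
        findings.append("no catch-all deny: sources matched by no rule are not explicitly refused")
    return findings


if __name__ == "__main__":
    for name, dump in (("open", STATUS_OPEN), ("restricted", STATUS_RESTRICTED)):
        print(name, audit(dump))
```

Run it against the saved output of show ip telnet server status from each device; the restricted sample produces only the cleartext finding, which is the reminder to migrate the remaining Telnet users to SSH.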
      ...a sub-command mode to configure the specified port's settings.
  [no] duplex {full | half}
      Sets the port's duplex mode. The no command returns the default setting.
  exit
      Leaves the sub-command mode.
  [no] negotiation auto
      Sets the port to use auto-negotiation to determine the port speed and duplex. The no command turns off auto-negotiation.
  [no] speed {100 | 10}
      Sets the Ethernet port's connection speed in Mbps. The no command returns the default setting.
  show port setting
      Displays the Ethernet port negotiation, duplex and speed settings.
  show port status
      Displays statistics for the Ethernet ports.
Chapter 5 Interfaces
5.2.6.1 Port Grouping Command Examples
The following commands add physical port 5 to representative interface ge1.
  Router# configure terminal
  Router(config)# show port-grouping
  No.  Representative Name  Port1  Port2  Port3  Port4  Port5
  1    ge1                  yes    no     no     no     no
  2    ge2                  no     yes    no     no     no
  3    ge3                  no     no     yes    no     no
  4    ge4                  no     no     no     yes    no
  5    ge5                  no     no     no     no     yes
  Router(config)# port-grouping ge1
  Router(config-port-grouping)# port 5
  Router(config-port-grouping)# exit
  Router(config)# show port-grouping
  No.  Representative Name  Port1  Port2  Port3  Port4  Port5
  1    ge1                  yes    no     no     no     yes
  2    ge2                  no     yes    no     no     no
  3    ge3                  no     no     yes    no     no
  4    ge4                  no     no     no     yes    no
  5    ge5                  no     no     no     no     no
The following commands set port 1 to use auto-negotiation and port 2...
Table 62 app Commands: Pre-Defined Applications
  app protocol_name {forward | drop | reject}
      Specifies what action the ZyWALL should take when it identifies this application.
  [no] app protocol_name activate
      Enables application patrol for the specified application. The no command disables application patrol for the specified application.
  app protocol_name mode {portless | portbase}
      Specifies how the ZyWALL identifies this application.
  [no] app protocol_name log [alert]
      Creates log entries (and alerts) for the specified application. The no command does not create any log entries.
  [no] app protocol_name bwm
      Turns on bandwidth management for the specified application. The no command turns off bandwidth management for the specified application.
  app protocol_name bandwidth <0..102400>
      Specifies the bandwidth limit in kilobits per second for the specified application.
  [no] app protocol_name defaultport <1..65535>
      For port-based applications. Adds the specified port to the list of ports used to identify the specified application. This port number can only be included in one application's list. The no command removes the specified port from the list.
  [no] app protocol_name allowport <1..65535>
      If the default action is drop or reject: adds the specified port to the list of ports that are forwarded in spite of the default action. The no command removes the speci...
  access-group
  port
  Router(config)# ip telnet server
Figure 12 Help: Required User Input Example
  Router(config)# ip telnet server port ?
  <1..65535>
  Router(config)# ip telnet server port
1.6.3 Entering Partial Commands
The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press TAB to have the ZyWALL automatically display the full command. For example, if you enter config and press TAB, the full command configure automatically displays. If you enter a partial command that is not unique and press TAB, the ZyWALL displays a list of commands that start with the partial command.
Figure 13 Non-Unique Partial Command Example
  Router# c<TAB>
  clear  configure  copy
  Router# co<TAB>
  configure  copy
1.6.4 Entering a ? in a Command
Typing a question mark (?) usually displays help information. However, some commands allow you to input a ? (for example, as part of a string). Press CTRL+V on your keyboard to enter a ? without the ZyWALL treating it as a help query.
1.6.5 Command History
The ZyWALL keeps a list of commands you have entered for the current CLI session. You can use any command in the history again by pressing the up or down arrow key to scroll through the previously used commands and pressing ENTER.
1.6.6 Navigation
Press CTRL+A to move the cursor to the beginning of the line. Press CTRL+E to move the cursor to...
...ace: vlanx, x = 0..31; bridge interface: brx, x = 0..11.
Chapter 5 Interfaces
This table lists the bridge interface commands.
Table 24 interface Commands: Bridge Interfaces
  interface interface_name
      Creates the specified interface if necessary and enters sub-command mode.
  [no] join interface_name
      Adds the specified Ethernet interface or VLAN interface to the specified bridge. The no command removes the specified interface from the specified bridge.
  show bridge available member
      Displays the available interfaces that could be added to a bridge.
5.2.8.1 Bridge Interface Command Examples
The following commands show you how to set up a bridge interface named br0 with the following parameters: member ge1, IP 1.2.3.4, subnet 255.255.255.0, MTU 598, gateway 2.2.2.2, upstream bandwidth 345, downstream bandwidth 123 and description "I am br0".
  Router# configure terminal
  Router(config)# interface br0
  Router(config-if-brg)# join ge1
  Router(config-if-brg)# ip address 1.2.3.4 255.255.255.0
  Router(config-if-brg)# ip gateway 2.2.2.2
  Router(config-if-brg)# mtu 598
  Router(config-if-brg)# upstream 345
  Router(config-if-brg)# downstream 123
  Router(config-if-brg)# description I am br0
  Router(config-if-brg)# exit
5.2.9 PPPoE/PPTP Commands
This section identifies commands that...
...ace Commands: Interface Parameters
  interface interface_name
      Enters sub-command mode.
  [no] upstream <0..1048576>
      Specifies the upstream bandwidth for the specified interface. The no command sets the upstream bandwidth to 1048576.
  [no] downstream <0..1048576>
      This is reserved for future use. Specifies the downstream bandwidth for the specified interface. The no command sets the downstream bandwidth to 1048576.
  [no] mtu <576..1500>
      Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The ZyWALL divides larger packets into smaller fragments. The no command resets the MTU to 1500.
  traffic-prioritize {tcp-ack | content-filter | dns | ipsec-vpn | ssl-vpn} bandwidth <0..1048576> priority <1..7> [maximize-bandwidth-usage]
      Applies traffic priority when the interface sends TCP ACK traffic, traffic for querying the content filter, traffic for resolving domain names, or encrypted traffic for an IPSec or SSL VPN tunnel. It also sets how much bandwidth the traffic can use and can turn on maximize bandwidth usage.
  traffic-prioritize {tcp-ack | content-filter | dns | ipsec-vpn | ssl-vpn} deactivate
      Turns off traffic priority settings for when the interface sends the specified type of traffic.
5.2.3 DHCP Setting Commands
This table lists DHCP setting commands. DHCP is based on DHCP pools. Create a DHCP pool if yo...
...acters. The ZyWALL automatically ignores any characters above the minimum number of characters required by the algorithm. For example, if you enter 1234567890XYZ for a DES encryption key, the ZyWALL only uses 12345678. The ZyWALL still stores the longer key. Because the surplus characters are dropped silently, a key padded to look long gives no more than the algorithm's fixed key length; the randomness has to be in the leading characters that are actually used.
  local-ip ip
      Sets the local gateway address to the specified IP address.
  peer-ip ip
      Sets the remote gateway address to the specified IP address.
15.2.4 VPN Concentrator Commands
This table lists the commands for the VPN concentrator.
Table 55 vpn-concentrator Commands: VPN Concentrator
  show vpn-concentrator [profile_name]
      Shows the specified VPN concentrator or all VPN concentrators.
  [no] vpn-concentrator profile_name
      Creates the specified VPN concentrator if necessary and enters sub-command mode. The no command deletes the specified VPN concentrator.
Chapter 15 IPSec VPN
Table 55 vpn-concentrator Commands: VPN Concentrator (continued)
  [no] crypto map_name
      Adds the specified IPSec SA to the specified VPN concentrator. The no command removes the specified IPSec SA from the specified VPN concentrator.
  vpn-concentrator rename profile_name profile_name
      Renames the specified VPN concentrator (first profile_name) to the specified name (second profile_name).
15.2.5 SA Monitor Commands
This table lists the commands...
...address object in the local policy. For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0. Use this address object in the remote policy.
You must also edit the Default_L2TP_VPN_GW gateway entry. Configure the My Address setting according to your requirements. Replace the default Pre-Shared Key: it is the same on every unit, and with a remote policy of 0.0.0.0 any peer that knows it can authenticate to this gateway.
17.3 Policy Route
You must configure a policy route to let remote users access resources on a network behind the ZyWALL. Set the policy route's Source Address to the address object that you want to allow the remote users to access (LAN_SUBNET in the following figure). Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users (L2TP_POOL in the following figure).
Figure 20 Policy Route for L2TP VPN (LAN_SUBNET to L2TP_POOL; diagram not reproduced)
Chapter 17 L2TP VPN
17.4 L2TP VPN Commands
The following table describes the values required for some L2TP VPN commands. Other values are discussed with the corresponding commands.
Table 59 Input Values for L2TP VPN Commands
  address_object
      The name of an IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  interface_name
      The name of the interface. Ethernet interfa...
  show ca {local | remote} name certificate_name certpath
      Displays the certification path of the specified local (my certificates) or remote (trusted certificates) certificate.
  show ca category {local | remote} [name certificate_name format {text | pem}]
      Displays a summary of the certificates in the specified category (local for my certificates or remote for trusted certificates) or the details of a specified certificate.
  show ca validation name name
      Displays the validation configuration for the specified remote (trusted) certificate.
  show ca spaceusage
      Displays the storage space in use by certificates.
Chapter 29 Certificates
29.5 Certificates Commands Examples
The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512-bit key. Then it displays the list of local certificates. Finally, it deletes the pkcs12request certification request. The 512-bit key only keeps the example short: 512-bit RSA moduli have been factored publicly, so a certificate the ZyWALL actually presents (for HTTPS management, SSL VPN or IKE) should use the longest key length the key-len option offers.
  Router# configure terminal
  Router(config)# ... key-type rsa key-len 512
  Router(config)# show ca category local
  certificate: default
    type: SELF
    status: VALID
    ID: ZyWALL 1050_Factory_Default_Certificate
    type: EMAIL
    valid from: 2003-01-01 00:38:30
    valid to: 2022-12-27 00:38:30
  certificate: test
    type: REQ
    subject: CN=1.1.1.1
    issuer: none
    status: VALID
    ID: 1.1.1.1
    type: IP
    valid from: none
    valid to: none
  certificate: pkcs12request
    type: REQ
    subjec...
  [no] initial-string initial_string
      Specifies the initial string of the auxiliary interface. The no command sets the initial string to ATZ.
      initial_string: You can use up to 64 characters. Semicolons (;) and backslashes (\) are not allowed.
  [no] dial-timeout <30..120>
      Specifies the number of seconds the auxiliary interface waits for an answer each time it tries to connect. The no command disables the timeout.
  [no] idle <0..360>
      Specifies the number of seconds the auxiliary interface waits for activity before it automatically disconnects. The no command disables the idle timeout.
  [no] username username
      Specifies the username of the auxiliary interface. The no command clears the username.
      username: You can use alphanumeric, underscore (_), dash (-) and ... characters, and it can be up to 30 characters long.
  [no] password password
      Specifies the password of the auxiliary interface. The no command clears the password.
      password: You can use up to 63 printable ASCII characters. Spaces are not allowed.
  [no] authentication {chap-pap | chap | pap | mschap | mschap-v2}
      Specifies the authentication type of the auxiliary interface. The no command sets the authentication to chap-pap.
  [no] description description
      Specifies the description for the auxiliary interface. The no command clears the description.
      description: You can use alphanumeric and _ characters, and it can be up to 60 characters long.
...ame in quotes. For example, idp search LAN_IDP name "WORM" sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text "worm" within the signature name.
  idp search system-protect my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log-alert} action action_mask
      Searches for signature(s) in a system-protect profile by the parameters specified. The quoted string is any text within the signature name, in quotes. For example, idp search LAN_IDP name "WORM" sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text "worm" within the signature name.
Chapter 20 IDP Commands
Table 81 Signature Search Command
  show idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log-alert} action action_mask
      Searches for signature(s) in a profile by the parameters specified. The quoted string is any text within the signature name, in quotes. For example, idp search LAN_IDP name "WORM" sid 0 severity 0...
...an use exit or a command line consisting of a single ! to have the ZyWALL exit sub-command mode.
Chapter 34 File Manager
Note: exit or ! must follow sub-commands if it is to make the ZyWALL exit sub-command mode. A ! that does not follow sub-commands is treated as a comment.
Line 3 in the following example exits sub-command mode.
  interface ge1
  ip address dhcp
  !
Lines 1 and 3 in the following example are comments and line 4 exits sub-command mode.
  !
  interface ge1
  # this interface is a DHCP client
  !
Lines 1 and 2 are comments. Line 5 exits sub-command mode.
  ! this is from Joe
  # on 2006/06/05
  interface ge1
  ip address dhcp
  !
34.2.2 Errors in Configuration Files or Shell Scripts
When you apply a configuration file or run a shell script, the ZyWALL processes the file line by line. The ZyWALL checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the ZyWALL finds an error, it stops applying the configuration file or shell script and generates a log.
You can change the way a configuration file or shell script is applied. Include setenv stop-on-error off in the configuration file or shell script. The ZyWALL ignores any errors in the configuration file or shell script and applies all of the valid commands. The ZyWALL still generates a log for any errors. With stop-on-error off, a mistyped firewall or service control rule is skipped while everything around it is applied, so read the log after every apply rather than assuming the file took effect as written.
34.2.3 ZyWALL Configuration File Details
You can store multiple configuration fi...
...and line equivalent.
Note: The no command negates the action or returns it to the default value.
The following table lists valid input for IDP commands.
Table 74 Input Values for IDP Commands
  zone_profile
      It can consist of alphanumeric characters, the underscore and the dash, and it is 1-31 characters long. Spaces are not allowed.
  idp_profile
      It can consist of alphanumeric characters, the underscore and the dash, and it is 1-31 characters long. Spaces are not allowed.
20.2 General IDP Commands
20.2.1 IDP Activation
Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it. See Chapter 4 on page 37.
Chapter 20 IDP Commands
This table shows the IDP signature, anomaly and system-protect activation commands.
Table 75 IDP Activation
  [no] idp {signature | anomaly | system-protect} activate
      Enables IDP signatures, anomaly detection and/or system protect. Using IDP signatures requires IDP service registration; if you don't have a standard license, you can register for a once-off trial one. Anomaly detection and the self-protect feature do not require registration. The no command disables the specified service.
  idp system-protect deactivate
      Disables system protect.
  show idp ...
      Displays IDP signature, anomaly detection or system protect serv...
  show anti-virus statistics collect
      Displays whether the collection of anti-virus statistics is turned on or off.
  show anti-virus statistics ranking {destination | source | virus-name}
      Queries and sorts the anti-virus statistics entries by destination IP address, source IP address or virus name.
      virus-name: lists the most common viruses detected.
      source: lists the source IP addresses of the most virus-infected files.
      destination: lists the most common destination IP addresses for virus-infected files.
Chapter 19 Anti-Virus
19.4.1 Anti-virus Statistics Example
This example shows how to collect and display anti-virus statistics. It also shows how to sort the display by the most common destination IP addresses.
  Router(config)# anti-virus statistics collect
  Router(config)# show anti-virus statistics collect
  collect statistics: yes
  Router(config)# show anti-virus statistics summary
  file scanned: 0
  virus detected: 0
  Router(config)# show anti-virus statistics ranking destination
IDP Commands
This chapter introduces IDP-related commands.
20.1 Overview
Commands mostly mirror web configurator features. It is recommended you use the web configurator for IDP features such as searching for web signatures, creating or editing an IDP profile, or creating or editing a custom signature. Some web configurator terms may differ from the comm...
147. ...anumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.
interface_name: The name of the interface.
  Ethernet interface: gex, x = 1~N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
  virtual interface on top of Ethernet interface: gex:y, x = 1~N, y = 1~12
  VLAN interface: vlanx, x = 0~15
  virtual interface on top of VLAN interface: vlanx:y, x = 0~15, y = 1~12
  bridge interface: brx, x = 0~11
  virtual interface on top of bridge interface: brx:y, x = 0~11, y = 1~12
  PPPoE/PPTP interface: pppx, x = 0~11
The following table describes the commands available for DNS. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 127 Command Summary: DNS
COMMAND: DESCRIPTION
[no] ip dns-server a-record fqdn w.x.y.z: Sets an A record that specifies the mapping of a fully qualified domain name (FQDN) to an IP address. The no command deletes an A record.
ip dns-server cache-flush: Clears the DNS cache.
Table 127 Command Summary: DNS (continued)
[no] ip dns-server mx-record domain_name {w.x.y.z | fqdn}: Sets an MX record that specifies a mail server that is responsible for handling the mail for a particular domain. The no command deletes an MX record.
ip dn...
148. ...anumeric or -
connection id: 1 alphanumeric or -
contact: 1-61 alphanumeric, spaces or $_
country code: 0 or 2 alphanumeric
custom signature file name: 0-30 alphanumeric or _ (first character: letter)
description: Used in keyword criteria for log entries: 1-64 alphanumeric, spaces or $_. Used in other commands: 1-61 alphanumeric, spaces or _
distinguished name: 1-511 alphanumeric, spaces or _
Table 3 Input Value Formats for Strings in CLI Commands (continued)
TAG: VALUES: LEGAL VALUES
domain name: Used in content filtering: 0 or more lower-case letters, numbers or -. Used in ip dns-server: 0-247 alphanumeric or - (first character alphanumeric or -). Used in domainname, ip dhcp pool and ip domain: 0-254 alphanumeric or - (first character alphanumeric or -)
email: 1-63 alphanumeric or @
e-mail: 1-64 alphanumeric or @
encryption key: 16-64: 0x or 0X followed by 16-64 hexadecimal values; 8-32: alphanumeric or & _ < > characters
file name: 0-31 alphanumeric or _
filter extension: 1-256 alphanumeric, spaces or _
fqdn: Used in ip dns-server: 0-252 alphanumeric or - (first character alphanumeric or -), and
interface: Used in ip dns ... ping-check server ...
149. ...ation, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.
The following figure is one example of a VPN tunnel.
Figure 17 VPN Example
The VPN tunnel connects the ZyWALL (X) and the remote IPSec router (Y). These routers then connect the local network (A) and remote network (B).
A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA through which the ZyWALL and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure.
Figure 18 VPN: IKE SA and IPSec SA
In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted...
150. ...ation <1..3600>] [extension-filter filter_extension]: Sends traffic through the specified interface with the specified protocol, source address, destination address and/or port number. If you specify file, the ZyWALL dumps the traffic to packet_trace packet_trace_interface. Use FTP to retrieve the files (see Section 34.6 on page 232). If you do not assign the duration, the ZyWALL keeps dumping traffic until you use Ctrl-C. Use the extension filter to extend the use of this command.
  protocol_name: You can use the name instead of the number for some IP protocols, such as tcp, udp, icmp and so on. The names consist of 1-16 alphanumeric characters, underscores (_) or dashes (-). The first character cannot be a number.
  hostname: You can use up to 252 alphanumeric characters, dashes (-) or periods (.). The first character cannot be a period.
  filter_extension: You can use 1-256 alphanumeric characters, spaces or _ characters.
traceroute {ip | hostname}: Displays the route taken by packets to the specified destination. Use Ctrl-C when you want to return to the prompt.
Some examples are shown below.
Router# packet-trace duration 3
tcpdump: listening on eth0
19:24:43.239798 192.168.1.10 > 192.168.1.1: icmp: echo request
19:24:43.240199 192.168.1.1 > 192.168.1.10: icmp: echo reply
19:24:44.258823 192.168...
151. ...ation for access account: yes
maximum simultaneous logon per access account: 403
23.2.4 Force User Authentication Commands
This table lists the commands for forcing user authentication.
Table 101 username/groupname Commands Summary: Forcing User Authentication
COMMAND: DESCRIPTION
force-auth policy <1..1024>: Creates the specified condition for forcing user authentication, if necessary, and enters sub-command mode. The conditions are checked in sequence, starting at 1.
force-auth policy append: Creates a new condition for forcing user authentication at the end of the current list and enters sub-command mode.
Table 101 username/groupname Commands Summary: Forcing User Authentication (continued)
force-auth policy insert <1..1024>: Creates a new condition for forcing user authentication at the specified location, renumbers the other conditions accordingly, and enters sub-command mode.
[no] activate: Activates the specified condition. The no command deactivates the specified condition.
[no] description description: Sets the description for the specified condition. The no command clears the description.
  description: You can use alphanumeric and _ characters, and it can be up to 60 characters long.
[no] destination {address_object | group_name}: Sets...
152. ...ation ip Dest_1
Router(firewall)# service MyServic
Router(firewall)# action allow
The following command displays the firewall rules (including the default firewall rule) that apply to the packet direction from WAN to LAN. The firewall rule numbers in the menu are the firewall rules' priority numbers in the global rule list.
Router# configure terminal
Router(config)# show firewall WAN LAN
firewall rule: 3
  description:
  user: any
  schedule: none
  from: WAN
  to: LAN
  source IP: any
  source port: any
  destination IP: Dest_1
  service: MyServic
  log: no
  action: allow
  status: yes
firewall rule: 4
  description:
  user: any
  schedule: none
  from: WAN
  to: LAN
  source IP: any
  source port: any
  destination IP: any
  service: any
  log: log
  action: deny
  status: yes
Router(config)# show firewall WAN LAN 2
firewall rule: 4
  description:
  user: any
  schedule: none
  from: WAN
  to: LAN
  source IP: any
  source port: any
  destination IP: any
  service: any
  log: no
  action: deny
  status: yes
Router(config)#
IPSec VPN
This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL.
15.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentic...
153. ...bed IP addresses and port numbers in their packets' data payload. The ZyWALL examines and uses IP address and port number information embedded in the VoIP traffic's data stream. When a device behind the ZyWALL uses an application for which the ZyWALL has VoIP pass-through enabled, the ZyWALL translates the device's private IP address inside the data stream to a public IP address. It also records session port numbers and allows the related sessions to go through the firewall so the application's traffic can come in from the WAN to the LAN.
The ZyWALL only needs to use the ALG feature for traffic that goes through the ZyWALL's NAT. The firewall allows related sessions for VoIP applications that register with a server. The firewall allows or blocks peer-to-peer VoIP traffic based on the firewall rules.
You do not need to use STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) for VoIP devices behind the ZyWALL when you enable the SIP ALG.
13.2 ALG Commands
The following table lists the alg commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 48 alg Commands
COMMAND: DESCRIPTION
[no] alg sip [signal-port <1025..65535>] [signal-extra-port <1025..65535>] [media-timeout <1..86400>] [signal-timeout <1..86400>]: Turns on or conf...
154. ...ce: gex, x = 1~N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
  VLAN interface: vlanx, x = 0~31
  bridge interface: brx, x = 0~11
  PPPoE/PPTP interface: pppx, x = 0~11
map_name: The name of an IPSec SA. You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.
user_name: The name of a user (group). You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.
The following sections list the L2TP VPN commands.
17.4.1 L2TP VPN Commands
This table lists the commands for L2TP VPN. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 60 L2TP VPN Commands
COMMAND: DESCRIPTION
l2tp-over-ipsec recover default-ipsec-policy: If the default L2TP IPSec policy has been deleted, use this command to recreate it with the default settings.
[no] l2tp-over-ipsec activate: Turns L2TP VPN on. The no command turns it off.
l2tp-over-ipsec crypto map_name: Specifies the IPSec VPN connection the ZyWALL uses for L2TP VPN. It must meet the requirements listed in Section 17.2 on page 111. Note: Modifying this VPN connection (or the VPN gateway that it uses) disconnects any existing L2TP VPN sessions.
l2tp-over...
155. ...ce port from the rule.
[no] to {zone_object | ZyWALL}: Sets the zone to which the packets are sent. The no command removes the zone to which the packets are sent and resets it to the default (any). any means all interfaces or VPN tunnels.
[no] user user_name: Sets a user-aware firewall rule. The rule is activated only when the specified user logs into the system. The no command resets the user name to the default (any). any means all users.
firewall {zone_object | ZyWALL} {zone_object | ZyWALL} <1..5000>: Enters the firewall sub-command mode to set a direction-specific through-ZyWALL rule or to-ZyWALL rule. <1..5000>: the index number in a direction-specific firewall rule list.
firewall {zone_object | ZyWALL} {zone_object | ZyWALL} append: Enters the firewall sub-command mode to add a direction-specific through-ZyWALL rule or to-ZyWALL rule to the end of the global rule list.
Table 50 Command Summary: Firewall (continued)
COMMAND: DESCRIPTION
firewall {zone_object | ZyWALL} {zone_object | ZyWALL} delete <1..5000>: Removes a direction-specific through-ZyWALL rule or to-ZyWALL rule. <1..5000>: the index number in a direction-specific firewall rule list.
firewall {zone_object | ZyWALL} {zone_object | ZyWALL} flush: Removes all direction-specific through-ZyWALL rules or to-ZyWALL rules.
firewall {zone_object | ZyWALL} {zone_object | ZyWALL} insert <1..5000>: Enters th...
156. ...ck log}
[no] content-filter profile filtering_profile url-offline block: Sets a content filtering profile to block, allow and log, or block and log access to requested web pages if the external content filtering database is unavailable. The no command clears the setting.
content-filter profile filtering_profile url-unrate {block | log | block log}
[no] content-filter profile filtering_profile url-unrate block: Sets a content filtering profile to block, allow and log, or block and log access to web pages that the external web filtering service has not categorized. The no command clears the setting.
[no] content-filter profile filtering_profile url-server: Sets a content filtering profile to use the external web filtering service. The no command has the profile not use the external web filtering service.
[no] content-filter service-timeout service_timeout: Sets how many seconds the ZyWALL is to wait for a response from the external content filtering server. The no command clears the setting.
content-filter url-cache test url: Tests whether or not a web site is saved in the ZyWALL's database of restricted web pages.
content-filter url-server test url [server timeout query_timeout rating_server]: Tests whether or not a web site is saved in the external content filter server's database of restricted web pages.
show content-filter profile [filtering_profile]: Displays the specified content filtering profile's settings, or the settings of all of them if you don't specify...
157. ...cp server binding:
  interface: ge1
  binding pool: DHCP_TEST
  network: 192.168.1.0/24
  domain name: zyxel.com.tw
  first dns server: 172.23.5.1
  second dns server: ge1-1st-dns
  third dns server: 172.23.5.2
  default router: 192.168.1.1
  lease: 0 1 30
  starting address: 192.168.1.10
  pool size: 30
  hardware address: 00:0F:20:74:C6:88
  client identifier: 00:0F:20:74:C6:88
  client name: TW12210
exit
1 DHCP_TEST ... server status
5.2.4 Ping Check Commands
This table lists ping-check commands.
Table 16 interface Commands: Ping Check
COMMAND: DESCRIPTION
show ping-check [interface_name]: Displays information about ping check settings for the specified interface or for all interfaces.
interface interface_name: Enters sub-command mode.
Table 16 interface Commands: Ping Check (continued)
[no] ping-check activate: Enables ping check for the specified interface. The no command disables ping check for the specified interface.
ping-check {domain_name | ip | default-gateway}: Specifies what the ZyWALL pings for the ping check; you can specify a fully qualified domain name, IP address, or the default gateway for the interface.
ping-check {domain_name | ip | default-gateway} period <5..30>: Specifies what the ZyWALL pings for the ping check and sets the number o...
158. ...ctivate: Enables in-bound traffic SNAT in the IPSec SA. The no command disables in-bound traffic SNAT in the IPSec SA.
in-snat source address_name destination address_name snat address_name: Configures in-bound traffic SNAT in the IPSec SA.
[no] in-dnat activate: Enables in-bound traffic DNAT in the IPSec SA. The no command disables in-bound traffic DNAT in the IPSec SA.
in-dnat delete <1..10>: Deletes the specified rule for in-bound traffic DNAT in the specified IPSec SA.
in-dnat move <1..10> to <1..10>: Moves the specified rule (first rule number) to the specified location (second rule number) for in-bound traffic DNAT.
in-dnat append protocol {all | tcp | udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535>: Maps the specified IP address and port range (original-ip) to the specified IP address and port range (mapped-ip) and appends this rule to the end of the rule list for in-bound traffic DNAT.
in-dnat insert <1..10> protocol {all | tcp | udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535>: Maps the specified IP address and port range (original-ip) to the specified IP address and port range (mapped-ip) and inserts this rule before the specified rule.
in-dnat <1..10> protocol {all | tcp | udp} original-ip address_name <0..65535> <0..65535> mapped-ip...
160. ...d show all base profiles available.
Router# configure terminal
Router(config)# idp rename signature old_profile new_profile
Router(config)# no idp signature bye_profile
Router(config)# show idp signature base profile
No.  Base Profile Name
1    none
2    all
3    wan
4    lan
5    dmz
Router(config)#
20.3.2 IDP Zone-to-Zone Rules
Use the following rules to apply IDP profiles to specific directions of packet travel.
Table 77 IDP Zone-to-Zone Rule Commands
COMMAND: DESCRIPTION
idp {signature | anomaly} rule {append | <1..32> | insert <1..32>}: Create an IDP signature or anomaly rule and enter the sub-command mode.
bind profile: Binds the IDP profile to the entry's traffic direction.
no bind: Removes the IDP profile's binding.
[no] from zone_profile: Specifies the zone the traffic is coming from. The no command removes the zone specification.
[no] to zone_profile: Specifies the zone the traffic is going to. The no command removes the zone specification.
[no] activate: Turns on the IDP profile-to-traffic-direction binding. The no command turns it off.
idp {signature | anomaly} rule {delete <1..32> | move <1..32> to <1..32>}: Remove or move an IDP profile-to-traffic-direction entry.
no idp {signature | anomaly} rule <1..32>: Removes an IDP profile-to-traffic-direction entry.
show idp {signature | anomaly} rules...
161. ...dditional commands for virtual interfaces.
5.2.11.1 Virtual Interface Command Examples
The following commands set up a virtual interface on top of Ethernet interface ge1. The virtual interface is named ge1:1 with the following parameters: IP 1.2.3.4, subnet 255.255.255.0, gateway 4.6.7.8, upstream bandwidth 345, downstream bandwidth 123, and description "I am vir interface".
Router# configure terminal
Router(config)# interface ge1:1
Router(config-if-vir)# ip address 1.2.3.4 255.255.255.0
Router(config-if-vir)# ip gateway 4.6.7.8
Router(config-if-vir)# upstream 345
Router(config-if-vir)# downstream 123
Router(config-if-vir)# description I am vir interface
Router(config-if-vir)# exit
Trunks
This chapter shows you how to configure trunks on your ZyWALL.
6.1 Trunks Overview
You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface's connection goes down, the ZyWALL sends traffic through another member of the trunk. For example, you can use two interfaces for WAN connections. You can connect one interface to one ISP (or network) and connect the other to a second ISP (or network). The ZyWALL can balance the load between multiple connectio...
162. ...de
Note: The ZyWALL might force you to log out of your session if reauthentication time, lease time, or idle timeout is reached. See Chapter 23 on page 171 for more information about these settings.
1.2.1 Console Port
The default settings for the console port are as follows.
Table 1 Managing the ZyWALL: Console Port
SETTING: VALUE
Speed: 115200 bps
Data Bits: 8
Parity: None
Stop Bit: 1
Flow Control: Off
When you turn on your ZyWALL, it performs several internal tests as well as line initialization. You can view the initialization information using the console port. Garbled text displays if your terminal emulation program's speed is set lower than the ZyWALL's. No text displays if the speed is set higher than the ZyWALL's. If changing your terminal emulation program's speed does not get anything to display, restart the ZyWALL. If restarting the ZyWALL does not get anything to display, contact your local customer support.
Figure 1 Console Port Power-on Display
Main Processor: Intel Pentium(R) 4 2.80GHz (133x21.0)
Memory Testing: 346432K OK
Press DEL to enter SETUP60 ESC to skip memory test
After the initialization, the login screen displays.
Figure 2 Login Screen
Welcome to ZyWALL 1050
Username:
Enter the user name and passw...
163. ...dress 172.23.37.205 and is named L2TP_IFACE. For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0. It is named L2TP_HOST in this example.
Router(config)# crypto map Default_L2TP_VPN_Connection
Router(config-crypto-Default_L2TP_VPN_Connection)# policy-enforcement
Router(config-crypto-Default_L2TP_VPN_Connection)# local-policy L2TP_IFACE
Router(config-crypto-Default_L2TP_VPN_Connection)# remote-policy L2TP_HOST
Router(config-crypto-Default_L2TP_VPN_Connection)# activate
Router(config-crypto-Default_L2TP_VPN_Connection)# exit
Router(config)#
17.5.3 Configuring the L2TP VPN Settings Example
The following commands configure and display the L2TP VPN settings:
- Set it to use the Default_L2TP_VPN_Connection VPN connection.
- Configure an IP address pool for the range of 192.168.10.10 to 192.168.10.20. In this example it is already created and called L2TP_POOL.
- This example uses the default authentication method (the ZyWALL's local user database).
- Select a user or group of users that can use the tunnel. Here a user account named L2TP_test has been created.
- The other settings are left to the defaults in this example.
- Enable the connection.
Router(config)# l2tp-over-ipsec crypto Default_L2TP_VPN_Connection
Router(config)# l2tp-over-ipsec pool L2TP_POOL
164. ...dress_object | interface interface_name | trunk trunk_name | tunnel tunnel_name}: Sets the next-hop to which the matched packets are routed. The no command resets next-hop settings to the default (auto).
[no] schedule schedule_object: Sets the schedule. The no command removes the schedule setting to the default (none). none means any time.
[no] service {service_name | any}: Sets the IP protocol. The no command resets service settings to the default (any). any means all services.
[no] snat {outgoing-interface | pool address_object}: Sets the source IP address of the matched packets that use SNAT. The no command removes source NAT settings from the rule.
[no] source {address_object | any}: Sets the source IP address that the matched packets must have. The no command resets the source IP address to the default (any). any means all IP addresses.
[no] sslvpn tunnel_name: Sets the incoming interface to an SSL VPN tunnel. The no command removes the SSL VPN tunnel through which the incoming packets are received.
[no] trigger <1..8> incoming service_name trigger service_name: Sets a port triggering rule. The no command removes port trigger settings from the rule.
trigger append incoming service_name trigger service_name: Adds a new port triggering rule to the end of the list.
Table 31 Command Summary: Pol...
165. ...e 2 vlan5
Router(if-group)# exit
Router(config)#
The following example creates a spill-over trunk for Ethernet interfaces ge1 and ge3. The ZyWALL sends traffic through ge1 until it hits the limit of 1000 kbps. The ZyWALL sends anything over 1000 kbps through ge3.
Router# configure terminal
Router(config)# interface-group spill-example
Router(if-group)# mode trunk
Router(if-group)# algorithm spill-over
Router(if-group)# interface 1 ge1 limit 1000
Router(if-group)# interface 2 ge3 limit 1000
Router(if-group)# exit
Router(config)#
Route
This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL.
7.1 Policy Route
Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per-interface basis prior to the normal routing.
7.2 Policy Route Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 30 Input Values for General Policy Route Commands
LABEL...
166. ...e
Router# configure terminal
Router(config)# show app other rule all
index: 1
  activate: yes
  port: 5963
  schedule: none
  user: any
  from zone: any
  to zone: any
  source address: any
  destination address: any
  protocol: tcp
  access: forward
  bandwidth excess usage: no
  bandwidth priority: 1
  bandwidth inbound: 0
  bandwidth outbound: 0
  log: no
index: default
  activate: yes
  port: 0
  schedule: none
  user: any
  from zone: any
  to zone: any
  source address: any
  destination address: any
  protocol: any
  access: forward
  bandwidth excess usage: no
  bandwidth priority: 1
  bandwidth inbound: 0
  bandwidth outbound: 0
  log: no
Anti-Virus
This chapter introduces and shows you how to configure the anti-virus scanner.
19.1 Anti-Virus Overview
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself. The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected, to wiping out the entire contents of a hard drive, to rendering your computer inoperable.
19.2 Anti-virus Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 67 Input Values fo...
167. ...e Overview
In general, an interface has the following characteristics:
- An interface is a logical entity through which (layer-3) packets pass.
- An interface is bound to a physical port or another interface.
- Many interfaces can share the same physical port.
- An interface is bound to at most one zone.
- Many interfaces can belong to the same zone.
- Layer-3 virtualization (IP alias, for example) is a kind of interface.
Some characteristics do not apply to some types of interfaces.
5.1.1 Types of Interfaces
You can create several types of interfaces in the ZyWALL:
- Port groups create a hardware connection between physical ports at the layer-2 (data link, MAC address) level.
- Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and OSPF are also configured in these interfaces.
- VLAN interfaces receive and send tagged frames. The ZyWALL automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.
- Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Unlike port groups, bridge interfaces can take advantage of some security features in the ZyWALL. You can also assign an IP address and subnet mask to the bridge.
- PPPoE/PPTP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP interfaces.
- Virtual interfaces provide additional routing information...
169. ...e all: Displays the configurations of all the rules for other applications.
show app other rule all statistics: Displays all the rule statistics for other applications.
show bwm activation: Displays whether or not the global setting for bandwidth management on the ZyWALL is enabled.
18.2.5.1 General Command Examples
The following examples show the information that is displayed by some of the show commands.
Router# configure terminal
Router(config)# show bwm activation
bwm activation: yes
mode: yes
portless default access: bandwidth graph yes
Router# configure terminal
Router(config)# show app http config
application: http
active: forward
Router# configure terminal
Router(config)# show app http defaultport
No.  Port
1    80
Router# configure terminal
Router(config)# show app http rule all
index: default
  activate: yes
  port: 0
  schedule: none
  user: any
  from zone: any
  to zone: any
  source address: any
  destination address: any
  access: forward
  action login: na
  action message: na
  action audio: na
  action video: na
  action file transfer: na
  bandwidth excess usage: no
  bandwidth priority: 1
  bandwidth inbound: 0
  bandwidth outbound: 0
  log: no
Router# configure terminal
Router(config)# show app other config
bandwidth graph: yes
170. ...e factory default (443).
[no] ip http secure-server: Enables HTTPS access to the ZyWALL web configurator. The no command disables HTTPS access to the ZyWALL web configurator.
[no] ip http secure-server auth-client: Sets the client to authenticate itself to the HTTPS server. The no command sets the client not to authenticate itself to the HTTPS server.
[no] ip http secure-server cert certificate_name: Specifies a certificate used by the HTTPS server. The no command resets the certificate used by the HTTPS server to the factory default (default).
  certificate_name: The name of the certificate. You can use up to 31 alphanumeric and &_ characters.
[no] ip http secure-server force-redirect: Redirects all HTTP connection requests to a HTTPS URL. The no command disables forwarding HTTP connection requests to a HTTPS URL.
Table 129 Command Summary: HTTP/HTTPS (continued)
COMMAND: DESCRIPTION
ip http secure-server table {admin | user} rule {<1..32> | append | insert <1..32>} access-group {ALL | address_object} zone {ALL | zone_object} action {accept | deny}: Sets a service control rule for HTTPS service.
ip http secure-server table {admin | user} rule move <1..32> to <1..32>: Changes the index number of a HTTPS service control rule.
[no] ip http server...
171. ...e firewall sub-command mode to add a direction-specific through-ZyWALL rule or to-ZyWALL rule before the specified rule number. <1..5000>: the index number in a direction-specific firewall rule list.
firewall {zone_object | ZyWALL} {zone_object | ZyWALL} move <1..5000> to <1..5000>: Moves a direction-specific through-ZyWALL rule or to-ZyWALL rule to the number that you specified. <1..5000>: the index number in a direction-specific firewall rule list.
[no] firewall activate: Enables the firewall on the ZyWALL. The no command disables the firewall.
firewall append: Enters the firewall sub-command mode to add a global firewall rule to the end of the global rule list.
firewall delete <1..5000>: Removes a firewall rule. <1..5000>: the priority number of a firewall rule.
firewall flush: Removes all firewall rules.
firewall insert <1..5000>: Enters the firewall sub-command mode to add a firewall rule before the specified rule number. <1..5000>: the priority number of a firewall rule.
firewall move <1..5000> to <1..5000>: Moves a firewall rule to the number that you specified. <1..5000>: the priority number of a firewall rule.
show connlimit max-per-host: Displays the highest number of sessions that the ZyWALL will permit a host to have at one time.
show firewall: Displays all firewall settings.
show firewall <1..5000>: Displays a firewa...
172. ...e-mail address.
peer-id type {any|ip ip|fqdn domain_name|mail e_mail|dn distinguished_name}
    Sets the peer ID type and content to any value, the specified IP address, domain name, or e-mail address.
[no] xauth type {server xauth_method|client name username password password}
    Enables extended authentication and specifies whether the ZyWALL is the server or client. If the ZyWALL is the server, it also specifies the extended authentication method (aaa authentication profile_name). If the ZyWALL is the client, it also specifies the username and password to provide to the remote IPSec router. The no command disables extended authentication.
    username: You can use alphanumeric characters, underscores (_), and dashes (-), and it can be up to 31 characters long.
    password: You can use most printable ASCII characters. You cannot use square brackets, double quotation marks, question marks, tabs or spaces. It can be up to 31 characters long.
15.2.2 IPSec SA Commands (except Manual Keys)
This table lists the commands for IPSec SAs, excluding manual keys (VPN connections using VPN gateways).
Table 53 crypto map Commands: IPSec SAs
COMMAND / DESCRIPTION
show crypto map [map_name]
    Shows the specified IPSec SA or all IPSec SAs.
crypto map dial map_name
    Dials the specified IPSec SA manually. This command does not work for IPSec SAs using manual keys or for IPSec SAs where the remo...
173. ...e profile_name pptp: Displays information about the specified profile_name account(s).
[no] account {pppoe|pptp} profile_name
    Creates a new ISP account with name profile_name if necessary and enters sub-command mode. The no command deletes the specified ISP account.
[no] user username
    Sets the username for the specified ISP account. The no command clears the username.
    username: You can use alphanumeric, underscores (_), dashes (-), and $ characters, and it can be up to 30 characters long.
[no] password password
    Sets the password for the specified ISP account. The no command clears the password.
    password: You can use up to 63 printable ASCII characters. Spaces are not allowed.
[no] authentication {chap-pap|chap|pap|mschap|mschap-v2}
    Sets the authentication for the specified ISP account. The no command sets the authentication to chap-pap.
Chapter 30 ISP Accounts
Table 121 account Commands (continued)
COMMAND / DESCRIPTION
[no] compression {on|off}
    Turns compression on or off for the specified ISP account. The no command turns off compression.
[no] idle <0..360>
    Sets the idle timeout for the specified ISP account. The no command sets the idle timeout to zero.
[no] service-name {ip|hostname|service_name}
    Sets the service name for the specified PPPoE ISP account. The no command clears the service name.
    hostname: You may up t...
174. List of Commands (Alphabetical), continued. Index entries with page numbers; leader dots and several entries are unreadable after OCR and are omitted.
    activate ... 125
    clock saving-interval begin {apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep} {1|2|3|4|last} {fri|mon|sat|sun|thu|tue|wed} hh:mm end {apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep} {1|2|3|4|last} {fri|mon|sat|sun|thu|tue|wed} hh:mm ... 208
    clock time-zone ... 208
    cnm-agent activate ... 222
    cnm-agent manager url ... 222
    cnm-agent periodic-inform activate ... 222
    connlimit max-per-host ... 94
    console baud ... 209
175. List of Commands (Alphabetical), continued. Index entries with page numbers; leader dots and several entries are unreadable after OCR and are omitted.
    activate ... 175
    ad-server cn-identifier uid ... 188
    ad-server host ad_server ... 188
    ad-server password password ... 188
    ad-server port port_no ... 188
    ad-server search-time-limit time ... 188
    ad-server ssl ... 188
    anti-virus black-list ... 133
    anti-virus black-list file-pattern av_file_pattern {activate|deactivate} ... 130
    anti-virus ... 135
    anti-virus ... 134
    anti-virus white-list ... 132
    anti-virus white-list file-pattern av_file_pattern {activate|deactivate} ... 132
    app ... 125
176. ...eat. Both types of schedules are based on the current date and time in the ZyWALL.
Note: Schedules are based on the current date and time in the ZyWALL.
One-time schedules begin on a specific start date and time and end on a specific stop date and time. One-time schedules are useful for long holidays and vacation periods.
Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off-work hours.
26.2 Schedule Commands Summary
The following table describes the values required for many schedule commands. Other values are discussed with the corresponding commands.
Table 109 Input Values for Schedule Commands
LABEL / DESCRIPTION
object_name: The name of the schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
time: 24-hour time, hours and minutes: <0..23>:<0..59>
Chapter 26 Schedules
The following table lists the schedule commands.
Table 110 schedule Commands
COMMAND / DESCRIPTION
show schedule-object
    Displays information about the schedules in the ZyWALL.
no schedule-object object_name
    Deletes the schedule ob...
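The one-time and recurring schedule semantics above can be modelled in a few lines, which makes the "begin and end in the same day" rule concrete: a recurring window whose stop time is not after its start time is rejected instead of being silently wrapped across midnight. This is an added example written for this page, not ZyWALL code; the class and function names, and the sample schedules in demo_schedules(), are constructed for illustration.

```python
"""Evaluator for one-time and recurring schedules as described in the guide.
Added example, not ZyWALL firmware code; all names here are assumptions."""
from datetime import datetime, time

# Order matches datetime.weekday(): Monday == 0 ... Sunday == 6
WEEKDAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


class OneTimeSchedule:
    """Active from a specific start date/time through a specific stop date/time."""

    def __init__(self, name, start, stop):
        if stop <= start:
            raise ValueError("stop must be after start")
        self.name, self.start, self.stop = name, start, stop

    def is_active(self, now):
        return self.start <= now <= self.stop


class RecurringSchedule:
    """Active between a start time and a stop time on the selected weekdays.

    A recurring schedule begins and ends in the same day, so the stop time must
    be later than the start time; a window that would cross midnight is rejected.
    """

    def __init__(self, name, start, stop, days):
        if stop <= start:
            raise ValueError("recurring schedule must begin and end in the same day")
        unknown = set(days) - set(WEEKDAYS)
        if unknown:
            raise ValueError(f"unknown weekday(s): {sorted(unknown)}")
        self.name, self.start, self.stop = name, start, stop
        self.days = frozenset(days)

    def is_active(self, now):
        return (WEEKDAYS[now.weekday()] in self.days
                and self.start <= now.time() <= self.stop)


def active_schedules(schedules, now):
    """Names of the schedules that match the device's current date and time."""
    return sorted(s.name for s in schedules if s.is_active(now))


def active_at(schedules, when):
    """Same check with 'when' given as an ISO 8601 string, e.g. '2007-04-23 09:55'."""
    return active_schedules(schedules, datetime.fromisoformat(when))


def demo_schedules():
    """Constructed sample schedules (not taken from the guide)."""
    return [
        OneTimeSchedule("xmas_holiday",
                        datetime(2007, 12, 24, 0, 0), datetime(2008, 1, 1, 23, 59)),
        RecurringSchedule("workday", time(8, 0), time(18, 0),
                          {"mon", "tue", "wed", "thu", "fri"}),
    ]


def rejects_midnight_crossing():
    """True if a 22:00-06:00 recurring window is refused, as the same-day rule requires."""
    try:
        RecurringSchedule("night", time(22, 0), time(6, 0), {"mon"})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for when in ("2007-04-23 09:55", "2007-04-28 10:00", "2007-12-28 12:00"):
        print(when, active_at(demo_schedules(), when))
    print("midnight-crossing window rejected:", rejects_midnight_crossing())
```

The point of the evaluator is the same as on the device: whether a rule is in force depends entirely on the clock the evaluation is done against, so the date/time inputs here stand in for the ZyWALL's own current date and time (the reason the guide ties schedules to accurate system time).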
177. ...ect diagnostics information. Use the configure terminal command to enter the configuration mode to be able to use these commands.
Table 152 diagnosis Commands
COMMAND / DESCRIPTION
diag-info collect
    Has the ZyWALL create a new diagnostic file.
show diag-info
    Displays the name, size, and creation date (in yyyy-mm-dd hh:mm:ss format) of the diagnostic file.
38.3 Diagnosis Commands Example
The following example creates a diagnostic file and displays its name, size, and creation date.
Router# configure terminal
Router(config)# diag-info collect
Please wait, collecting information
Router(config)# show diag-info
Filename: diaginfo-20070423.tar.bz2
File size: 1259 KB
Date: 2007-04-23 09:55:09
Chapter 38 Diagnostics
Maintenance Tools
Use the maintenance tool commands to check the conditions of other devices through the ZyWALL. The maintenance tools can help you to troubleshoot network problems. Here are maintenance tool commands that you can use in privilege mode.
Table 153 Maintenance Tools Commands in Privilege Mode
COMMAND / DESCRIPTION
packet-trace proto <0..255> filter-extension traceroute ip-interface interface_name {protocol_name|any} ip src-host {ip|hostname|any} dst-host {ip|hostname|any} port {<1..65535>|any} file dur...
178. ...ed for a terminal emulation program. The screens also allow you to configure DNS settings and determine which services/protocols can access which ZyWALL zones (if any) from which computers.
32.2 Host Name Commands
The following table describes the commands available for the hostname and domain name. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 123 Command Summary: Host Name
COMMAND / DESCRIPTION
[no] domainname domain_name
    Sets the domain name. The no command removes the domain name.
    domain_name: This name can be up to 254 alphanumeric characters long. Spaces are not allowed, but dashes (-) and underscores (_) are accepted.
[no] hostname hostname
    Sets a descriptive name to identify your ZyWALL. The no command removes the host name.
show fqdn
    Displays the fully qualified domain name.
32.3 Time and Date
For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL's Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server.
Chapter 32 System (page 207)
32.3.1 Date/Time Commands
The following table describes the commands available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands.
179. ...ed onto the system.
show lockout-users
    Displays users who are currently locked out.
unlock lockout-users {ip|console}
    Unlocks the specified IP address.
users force-logout {ip|username}
    Logs out the specified logins.
Chapter 23 User/Group
23.2.5.1 Additional User Command Examples
The following commands display the users that are currently logged in to the ZyWALL and force the logout of all logins from a specific IP address. (Some timestamp columns below are unreadable after OCR and are shown as captured.)
Router# configure terminal
Router(config)# show users all
No.  Name   Type   From           Service     Session Time  Idle Time  Lease Timeout  Re-Auth Timeout
1    admin  admin  192.168.1.34   http/https  00:33:27      unlimited  23:45:18       23:26:33
2    admin  admin  192.168.1.34   http/https  00:14:31      unlimited  23:48:38       23545529
3    admin  admin  172.23.23.83   http/https  00:04:07      unlimited  23:58:32       23599253
4    admin  admin  172.23.23.83   telnet      00:03:30      unlimited  23 7 992 59    23:56:30
Router(config)# users force-logout 192.168.1.34
Logout user 'admin'(from 192.168.1.34): OK
Logout user 'admin'(from 192.168.1.34): OK
Total 2 users have been forced logout
Router(config)# show users all
No.  Name   Type   From           Service     Session Time  Idle Time  Lease Timeout  Re-Auth Timeout
1    admin  admin  172.23.23.83   http/https  00:04:31      unlimited  23:58:08       23155229
2    admin  admin  172.23.23.83   telnet      00:03:54      unlimited  24:00:00       23:56:06
The following commands display the users that are currentl...
180. List of Commands (Alphabetical), continued. Index entries with page numbers; leader dots and several entries are unreadable after OCR and are omitted.
    interface ... 50
    interface ... 70
    interface ... 80
    ip address ... 50
    ip dhcp-pool ... 52
    ip dhcp-pool ... 53
    ip dns server a-record ... 210
    ip dns server zone-forwarder {<1..32>|append|insert <1..32>} domain_name {interface interface_name|user-defined w.x.y.z} private ... 210
    ip ftp server ... 217
    ip ftp server cert certificate_name ... 217
    ip ftp server port ... 217
    ip ftp server tls-required ... 217
181. ...een 1 and 65535. The default is 389. The no command clears this setting.
[no] server search-time-limit time
    Sets the search timeout period (in seconds). Enter a time number between 1 and 300. The no command clears this setting and sets this to the default setting of 5 seconds.
[no] server ssl
    Enables the ZyWALL to establish a secure connection to the AD server. The no command disables this feature.
Chapter 27 AAA Server
27.2.6 aaa group server ldap Commands
The following table lists the aaa group server ldap commands you use to configure a group of LDAP servers.
Table 115 aaa group server ldap Commands
COMMAND / DESCRIPTION
clear aaa group server ldap [group_name]
    Deletes all LDAP server groups or the specified LDAP server group.
    Note: You can NOT delete a server group that is currently in use.
show aaa group server ldap group_name
    Displays the specified LDAP server group settings.
[no] aaa group server ldap group_name
    Sets a descriptive name for an LDAP server group. Use this command to enter the sub-command mode. The no command deletes the specified server group.
aaa group server ldap rename group_name group_name
    Changes the descriptive name for an LDAP server group.
aaa group server ldap group_name
[no] server basedn basedn
    Sets the base DN to point to the LDAP directory on the LDAP server. The no command clears this s...
182. ...ept those marked with an asterisk. Many of these commands are for troubleshooting purposes, for example the htm (hardware test module) and debug commands. Customer support may ask you to run some of these commands and send the results if you need assistance troubleshooting your device.
For admin logins, all commands are visible in user mode but not all can be run there. The following table displays which commands can be run in user mode. All commands can be run in privilege mode.
Note: The htm and psm commands are for ZyXEL's internal manufacturing process.
Table 4 User (U) and Privilege (P) Mode Commands
COMMAND    MODE   DESCRIPTION
apply      P      Applies a configuration file.
atse       U/P    Displays the seed code.
clear      U/P    Clears system or debug logs or DHCP binding.
configure  U/P    Use configure terminal to enter configuration mode.
copy       P      Copies configuration files.
debug      U/P    For support personnel only. The device needs to have the debug flag enabled.
delete     P      Deletes configuration files.
details    P      Performs diagnostic commands.
Chapter 2 User and Privilege Modes
Table 4 User (U) and Privilege (P) Mode Commands (continued)
COMMAND    MODE   DESCRIPTION
diag       P      Provided for support personnel to collect internal system information. It is not recommended that you use...
183. ...er
debug system iptables list table {nat|filter|mangle} {vpn|zymark|vpnid|cfilter}
    Shows system netfilter information.
debug system lsmod
    Shows system kernel modules (> lsmod).
debug system ps
    Shows system process information (> ps aux).
debug system show conntrack
    Shows system sessions list (> cat /proc/net/ip_conntrack).
debug system show cpu status
    Shows system CPU utilization.
debug system show ksyms
    Shows kernel symbols (> cat /proc/ksyms).
debug system show slabinfo
    Shows kernel cache information (> cat /proc/slabinfo).
debug system tc {class|filter|qdisc} list
    Shows system traffic control information (> tc {class|filter|qdisc} list).
debug system tcpdump interface
    Dumps traffic on a network (> tcpdump -i interface).
debug system vmstat
    Shows system memory statistics (> vmstat).
debug update-server
    Update server debug command.
debug zyinetpkt {set|show} {destination|hooknum|protocol|enable|priority|source}
    ZLD internal packet trace debug command.
Status
This chapter explains some commands you can use to display information about the ZyWALL's current operational state. You must use the configure terminal command before you can use these commands.
Table 6 Status Show Commands
COMMAND / DESCRIPTION
184. ...er
Figure 31 atuk Command for Restoring the Recovery Image
> atuk
This command is for restoring the recovery image (xxx.ri).
Use this command only when
1) the console displays "Invalid Recovery Image", or
2) the console freezes at "Press any key to enter debug mode within 3 seconds" for more than one minute.
Note: Please exit this command immediately if you do not need to restore the recovery image.
Do you want to start the recovery process? [Y/N] (default N)
4 Enter Y and wait for the "Starting XMODEM upload" message before activating XMODEM upload on your terminal.
Figure 32 Starting Xmodem Upload
Do you want to start the recovery process? [Y/N] (default N)
Starting XMODEM upload (CRC mode)
C
5 This is an example Xmodem configuration upload using HyperTerminal. Click Transfer, then Send File to display the following screen.
Figure 33 Example Xmodem Upload
(Send File dialog) Folder: C:\Product. Filename: C:\Product\Firmware.bin. Type the firmware file's location, or click Browse to search for it. Protocol: 1K Xmodem. Choose the 1K Xmodem protocol. Then click Send.
6 Wait for about three and a half minutes for the Xmodem upload to finish.
Figure 34 Recovery Image Upload Complete
7 Enter atgo. The ZyWALL starts up. If "Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file" displays o...
185. ...er how many characters are in between. The whole VPN connection or policy name has to match if you do not use a question mark or asterisk.
show isakmp sa
    Displays current IKE SA and the status of each one.
no sa spi spi
    Deletes the SA specified by the SPI. spi: 2-8 hexadecimal (0-9, A-F) characters.
no sa tunnel-name map_name
    Deletes the specified IPSec SA.
show vpn-counters
    Displays VPN traffic statistics.
SSL VPN
This chapter shows you how to set up secure SSL VPN access for remote user login.
16.1 SSL Access Policy
An SSL access policy allows the ZyWALL to perform the following tasks:
- limit user access to specific applications or files on the network
- allow user access to specific networks
- assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks
16.1.1 SSL Application Objects
SSL application objects specify an application type and server that users are allowed to access through an SSL tunnel. See Chapter 31 on page 203 for how to configure SSL application objects.
16.1.2 SSL Access Policy Limitations
You cannot delete an object that is used by an SSL access policy. To delete the object, you must first unassociate the object from the SSL access policy.
16.2 SSL VPN Commands
The following table describes the values required for some SSL VPN commands. Other values are discussed...
186. ...ervice.
show ip ssh server status
    Displays SSH settings.
33.3.4 SSH Command Examples
This command sets a service control rule that allows the computers with the IP addresses matching the specified address object to access the specified zone using SSH service.
Router# configure terminal
Router(config)# ip ssh server rule 2 access-group Marketing zone WAN action accept
This command sets a certificate (Default) to be used to identify the ZyWALL.
Router# configure terminal
Router(config)# ip ssh server cert Default
33.4 Telnet
You can configure your ZyWALL for remote Telnet access.
33.5 Telnet Commands
The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 131 Command Summary: Telnet
COMMAND / DESCRIPTION
[no] ip telnet server
    Allows Telnet access to the ZyWALL CLI. The no command disables Telnet access to the ZyWALL CLI.
[no] ip telnet server port <1..65535>
    Sets the Telnet service port number. The no command resets the Telnet service port number back to the factory default (23).
Chapter 33 System Remote Management (page 215)
Table 131 Command Summary: Telnet (continued)
COMMAND / DESCRIPTION
ip telnet server rule {<1..32>|append|insert <1..32>} access-group {ALL|address...
187. ...es it to the lastgood.conf configuration file. If there is an error, the ZyWALL generates a log and copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. If there isn't a lastgood.conf configuration file or it also has an error, the ZyWALL applies the system-default.conf configuration file.
You can change the way the startup-config.conf file is applied. Include the setenv-startup stop-on-error off command. The ZyWALL ignores any errors in the startup-config.conf file and applies all of the valid commands. The ZyWALL still generates a log for any errors.
34.3 File Manager Commands Input Values
The following table explains the values you can input with the file manager commands.
Table 140 File Manager Command Input Values
LABEL / DESCRIPTION
file_name: The name of a file. Use up to 25 characters (including a-zA-Z0-9, & and _).
Chapter 34 File Manager
34.4 File Manager Commands Summary
The following table lists the commands that you can use for file management.
Table 141 File Manager Commands Summary
COMMAND / DESCRIPTION
apply /conf/file_name.conf
    Has the ZyWALL use a specific configuration file. You must still use the write command to save your configuration changes to the flash (non-volatile or long-term) memory.
copy /cert/co...
188. ...etting.
[no] server binddn binddn
    Sets the user name the ZyWALL uses to log into the default LDAP server. The no command clears this setting.
[no] server cn-identifier uid
    Sets the user name the ZyWALL uses to log into the default LDAP server. The no command clears this setting.
[no] server host ldap_server
    Sets the LDAP server address. Enter the IP address (in dotted decimal notation) or the domain name of an LDAP server to add to this group. The no command clears this setting.
[no] server password password
    Sets the bind password (up to 15 characters). The no command clears this setting.
[no] server port port_no
    Sets the LDAP port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
[no] server search-time-limit time
    Sets the search timeout period (in seconds). Enter a number between 1 and 300. The no command clears this setting and sets this to the default setting of 5 seconds.
[no] server ssl
    Enables the ZyWALL to establish a secure connection to the LDAP server. The no command disables this feature.
Chapter 27 AAA Server
27.2.7 aaa group server radius Commands
The following table lists the aaa group server radius commands you use to configure a group of RADIUS servers.
Table 116 aaa group server radius Commands
COMMAND / DESCRIPTION
clear aaa group server radius...
189. ...f seconds between each ping check.
ping-check {domain_name|ip|default-gateway} timeout <1..10>
    Specifies what the ZyWALL pings for the ping check and sets the number of seconds the ZyWALL waits for a response.
ping-check {domain_name|ip|default-gateway} fail-tolerance <1..10>
    Specifies what the ZyWALL pings for the ping check and sets the number of times the ZyWALL times out before it stops routing through the specified interface.
5.2.5 Ethernet Interface Commands
This section identifies commands that support Ethernet interfaces. The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 17 Input Values for Ethernet Interface Commands
LABEL / DESCRIPTION
interface_name: The name of the interface. gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
5.2.5.1 RIP Commands
This table lists the commands for RIP settings.
Table 18 interface Commands: RIP Settings
COMMAND / DESCRIPTION
router rip
    Enters sub-command mode.
[no] network interface_name
    Enables RIP for the specified interface. The no command disables RIP for the specified interface.
[no] passive-interface interface_name
    Sets the RIP direction of the specified interface to in-only. The no command makes RIP bi-directional in the specified interface.
[no] outonly-interface interface_name
190. ...ference Guide, page 235, Chapter 34 File Manager) ... on page 238 to restore it. If the message does not display, the firmware is OK and you do not need to use the firmware recovery procedure.
Figure 29 Firmware Damaged
Building ...
Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file
34.9 Restoring the Recovery Image
Note: This procedure requires the ZyWALL's recovery image. Download the firmware package from www.zyxel.com and unzip it. The recovery image uses a .ri extension, for example, 1.01(XL.0)C0.ri. Do the following after you have obtained the recovery image file.
You only need to use this section if you need to restore the recovery image.
1 Restart the ZyWALL.
2 When "Press any key to enter debug mode within 3 seconds" displays, press a key to enter debug mode.
Figure 30 Enter Debug Mode
BootModule Version: V1.011 | 2007-03-30 12:22:57
DRAM: Size = 510 Mbytes
DRAM POST: Testing: 522240K OK
DRAM Test SUCCESS
Kernel Version: V2.4.2 kernel 2006-08-21 | 2006-08-21 19:54:00
ZLD Version: V1.01(XL.0) | 2006-09-11 17:41:56
Press any key to enter debug mode within 3 seconds.
Enter Debug Mode
3 Enter atuk to initialize the recovery process. If the screen displays "ERROR", enter atur to initialize the recovery process.
You only need to use the atuk or atur command if the recovery image is damaged.
Chapter 34 File Manag...
191. ...fied interface. The no command sets the direction to BiDir.
8.2.2 General OSPF Commands
This table lists the commands for general OSPF configuration.
Table 36 router Commands: General OSPF Configuration
COMMAND / DESCRIPTION
router ospf
    Enters sub-command mode.
[no] redistribute {static|rip}
    Enables redistribution of routing information learned from the specified non-OSPF source. The no command disables redistribution from the specified non-OSPF source.
[no] redistribute {static|rip} metric-type <1..2> metric <0..16777214>
    Sets the metric for routing information learned from the specified non-OSPF source. The no command clears the metric.
Chapter 8 Routing Protocol
Table 36 router Commands: General OSPF Configuration (continued)
COMMAND / DESCRIPTION
[no] passive-interface interface_name
    Sets the direction to In-Only for the specified interface. The no command sets the direction to BiDir.
[no] router-id IP
    Sets the 32-bit ID (in IP address format) of the ZyWALL. The no command resets it to default (or the highest available IP address).
8.2.3 OSPF Area Commands
This table lists the commands for OSPF areas.
Table 37 router Commands: OSPF Areas
COMMAND / DESCRIPTION
router ospf
    Enters sub-command mode.
[no] network interface area IP
    Adds the specified interface to the specified area.
192. ...fied port from the list.
Chapter 18 Application Patrol (page 122)
18.2.2 Rule Commands for Pre-defined Applications
This table lists the commands for rules in each pre-defined application.
Table 63 app Commands: Rules in Pre-Defined Applications
COMMAND / DESCRIPTION
app protocol_name rule insert <1..64>
    Creates a new rule at the specified row and enters sub-command mode.
app protocol_name rule append
    Creates a new rule, appends it to the end of the list, and enters sub-command mode.
app protocol_name rule <1..64>
    Enters sub-command mode for editing the rule at the specified row.
app protocol_name rule default
    Enters sub-command mode for editing the default rule for the application.
[no] activate
    Turns on this rule. The no command turns off this rule.
[no] port <0..65535>
    Specifies the destination port. 0 means any.
[no] schedule profile_name
    Adds the specified schedule to the rule.
[no] user username
    Adds the specified user to the rule.
[no] from zone_name
    Specifies the source zone.
[no] to zone_name
    Specifies the destination zone.
[no] source profile_name
    Adds the specified source address to the rule.
[no] destination profile_name
    Adds the specified destination address to the rule.
access {forward|drop|reject}
    Specifies the action when traffic matches the rule.
[no] action...
193. ...filtered-protocol-scan|ip-filtered-decoy-protocol-scan|ip-filtered-distributed-protocol-scan|ip-fil...
List of Commands (Alphabetical), continued. Index entries with page numbers; each entry begins with "show" (the column of repeated "show" words was the spilled first column). Leader dots and a few entries are unreadable after OCR and are omitted.
    show idp anomaly-profile ... 143
    show idp anomaly-profile scan-detection {tcp-portscan|tcp-decoy-portscan|tcp-portsweep|tcp-distributed-portscan|tcp-filtered-portscan|tcp-filtered-decoy-portscan|tcp-filtered-distributed-portscan|tcp-filtered-portsweep} details ... 143
    show idp anomaly-profile scan-detection {udp-portscan|udp-decoy-portscan|udp-portsweep|udp-distributed-portscan|udp-filtered-portscan|udp-filtered-decoy-portscan|...} ... 143
    show idp anomaly-profile tcp-decoder {undersize-len|undersize-offset|oversize-offset|bad-length-options|truncated-options|ttcp-detected|obsolete-options|experimental-options} ... 144
    show idp anomaly-profile tcp-decoder all details ... 144
    show idp anomaly-profile udp-decoder {truncated-header|undersize-len|oversize-len} details ... 144
    show idp anomaly-pr...
194. ...first object_name to the second object_name.
24.2.1.1 Address Object Command Examples
The following commands create the three types of address objects and then delete one.
Router# configure terminal
Router(config)# address-object A0 192.168.1.1
Router(config)# address-object A1 192.168.1.1-192.168.1.20
Router(config)# address-object A2 192.168.1.0/24
Router(config)# show address-object
Object name  Type    Address                    Ref
A0           HOST    192.168.1.1                0
A1           RANGE   192.168.1.1-192.168.1.20   0
A2           SUBNET  192.168.1.0/24             0
Router(config)# no address-object A2
Router(config)# show address-object
Object name  Type    Address                    Ref
A0           HOST    192.168.1.1                0
A1           RANGE   192.168.1.1-192.168.1.20   0
24.2.2 Address Group Commands
This table lists the commands for address groups.
Table 105 object-group Commands: Address Groups
COMMAND / DESCRIPTION
show object-group address [group_name]
    Displays information about the specified address group or about all address groups.
[no] object-group address group_name
    Creates the specified address group if necessary and enters sub-command mode. The no command deletes the specified address group.
[no] address-object object_name
    Adds the specified address to the specified address group. The no command removes the specified address from the specified group.
Chapter 24 Addresses
Table 105 object-group Co...
195. ...for the group. You can use the following commands to block sales from accessing adult and pornography websites.
Enable the external web filtering service.
Note: You must register for the external web filtering service before you can use it (see Chapter 4 on page 37).
6 You can also customize the filtering profile. The following commands block ActiveX, Java and proxy access.
7 Activate the customization.
Router# configure terminal
Router(config)# address-object sales 172.21.3.0/24
Router(config)# schedule-object all_day 00:00 23:59
Router(config)# content-filter profile sales_CF_PROFILE url-category adult-mature
Router(config)# content-filter profile sales_CF_PROFILE url-category pornography
Router(config)# content-filter profile sales_CF_PROFILE url-server
Router(config)# content-filter profile sales_CF_PROFILE custom java
Router(config)# content-filter profile sales_CF_PROFILE custom activex
Router(config)# content-filter profile sales_CF_PROFILE custom proxy
Router(config)# content-filter profile sales_CF_PROFILE custom
Chapter 21 Content Filtering
Use this command to display the settings of the profile.
Router(config)# show content-filter profile sales_CF_PROFILE
196. ...formation about the network from other routers. The ZyWALL then stores this routing information in the routing table, which it uses when it makes routing decisions. In turn, the ZyWALL can also provide routing information via routing protocols to other routers.
The ZyWALL supports two standards, RIP and OSPF, for routing protocols. RIP and OSPF are compared in Table 33 on page 75, and they are discussed further in the next two sections.
Table 33 OSPF vs. RIP
                OSPF                                                                  RIP
Network Size    Large                                                                 Small (with up to 15 routers)
Metric          Bandwidth, hop count, throughput, round trip time and reliability     Hop count
Convergence     Fast                                                                  Slow
8.2 Routing Protocol Commands Summary
The following table describes the values required for many routing protocol commands. Other values are discussed with the corresponding commands.
Table 34 Input Values for Routing Protocol Commands
LABEL / DESCRIPTION
ip: The 32-bit name of the area or virtual link in IP address format.
authkey: The password for text or MD5 authentication. You may use alphanumeric characters or underscores (_). Text password: 1-8 characters long. MD5 password: 1-16 characters long.
The following sections list the routing protocol commands.
Chapter 8 Routing Protocol
8.2.1 RIP Commands
This table lists the commands for RIP.
Table 35 router Commands: RIP
COMMAND / DESCRIPTION
router rip
ZyWALL ZLD CLI Reference Guide
Chapter 22 Device HA

Table 93 device-ha Commands: VRRP Groups (continued)
COMMAND                         DESCRIPTION
[no] description <description>  Specifies the description for the specified VRRP group. The no command clears the description. description: You can use alphanumeric and _ characters, and it can be up to 60 characters long.
[no] activate                   Turns on the specified VRRP group. The no command turns off the VRRP group.

22.2.2 Synchronization Commands
This table lists the commands for synchronization. You can synchronize with other ZyWALLs of the same model that are running the same firmware version.

Table 94 device-ha Commands: Synchronization
COMMAND                                 DESCRIPTION
show device-ha sync                     Displays the current settings for synchronization.
show device-ha sync status              Displays the current status of synchronization.
[no] device-ha sync from <hostname|ip>  Specifies the fully qualified domain name (FQDN) or IP address of the ZyWALL router. Usually this is the IP address or FQDN of the virtual router. The no command clears this field. hostname: You may use up to 254 alphanumeric characters, dashes (-) or periods (.), but the first character cannot be a period.
[no] device-ha sync port <1..65535>     Specifies the port number to use to synchronize with the specified ZyWALL router. The no command resets the port to 21.
internal IP addresses.

12.2 HTTP Redirect Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 46 Input Values for HTTP Redirect Commands
LABEL           DESCRIPTION
description     The name to identify the rule. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
interface_name  The name of the interface.
                Ethernet interface: gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
                Virtual interface on top of an Ethernet interface: gex:y, x = 1..N, y = 1..12.
                VLAN interface: vlanx, x = 0..15.
                Virtual interface on top of a VLAN interface: vlanx:y, x = 0..15, y = 1..12.
                Bridge interface: brx, x = 0..11.
                Virtual interface on top of a bridge interface: brx:y, x = 0..11, y = 1..12.
                PPPoE/PPTP interface: pppx, x = 0..11.

ZyWALL ZLD CLI Reference Guide
Chapter 12 HTTP Redirect

The following table describes the commands available for HTTP redirection. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 47 Command Summary: HTTP Redirect
COMMAND                                                                                     DESCRIPTION
ip http-redirect <description> interface <interface_name> redirect-to <w.x.y.z> <1..65535>  Sets a HTTP redirect rule.
ip http-redirect <description> in
<group-name>                                            Deletes all RADIUS server groups or the specified RADIUS server group. Note: You can NOT delete a server group that is currently in use.
show aaa group server radius <group-name>               Displays the specified RADIUS server group settings.
[no] aaa group server radius <group-name>               Sets a descriptive name for the RADIUS server group. The no command deletes the specified server group.
aaa group server radius rename <group-name-old> <group-name-new>  Sets the server group name.
aaa group server radius <group-name>
  [no] server host <radius_server>                      Sets the RADIUS server address. Enter the IP address (in dotted decimal notation) or the domain name of a RADIUS server to add to this server group. The no command clears this setting.
  [no] server key <secret>                              Sets a password (up to 15 alphanumeric characters) as the key to be shared between the RADIUS server(s) and the ZyWALL. The no command clears this setting.
  [no] server timeout <time>                            Sets the search timeout period (in seconds). Enter a number between 1 and 300. The no command clears this setting and sets it to the default setting of 5 seconds.

27.2.8 aaa group server Command Example
The following example creates a RADIUS server group with two members and sets the secret key to 12345678 and the timeout to 100 seconds.

Router# configure terminal
Router(config)# aaa group server radius RADIUSGroup1
Router(group-server-radius)#
the configure terminal command before you can use these commands.

Table 151 Session Timeout Commands
COMMAND                                                                        DESCRIPTION
session-timeout {udp-connect <1..300> | udp-deliver <1..300> | icmp <1..300>}  Sets the timeout for UDP sessions to connect or deliver, and for ICMP sessions.
show session-timeout {icmp | tcp-timewait | udp}                               Displays ICMP, TCP and UDP session timeouts.

The following example sets the UDP session connect timeout to 10 seconds, the UDP deliver session timeout to 15 seconds and the ICMP timeout to 15 seconds.

Router(config)# session-timeout udp-connect 10
Router(config)# session-timeout udp-deliver 15
Router(config)# session-timeout icmp 15
Router(config)# show session-timeout udp
UDP session connect timeout: 10 seconds
UDP session deliver timeout: 15 seconds
Router(config)# show session-timeout icmp
ICMP session timeout: 15 seconds

ZyWALL ZLD CLI Reference Guide
Chapter 37 Session Timeout

Diagnostics
This chapter covers how to use the diagnostics feature.

38.1 Diagnostics
The diagnostics feature provides an easy way for you to generate a file containing the ZyWALL's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.

38.2 Diagnosis Commands
The following table lists the commands that you can use to have the ZyWALL coll
the MD5 ID in the specified virtual link.

8.2.5 Learned Routing Information Commands
This table lists the commands to look at learned routing information.

Table 39 ip route Commands: Learned Routing Information
COMMAND                                                         DESCRIPTION
show ip route [kernel | connected | static | ospf | rip | bgp]  Displays learned routing and other routing information.

ZyWALL ZLD CLI Reference Guide

Zones
Set up zones to configure network security and network policies in the ZyWALL.

9.1 Zones Overview
A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management.

Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface, auxiliary interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run.

Figure 15 Example Zones (figure not reproduced; it shows a WAN zone facing the Internet)

ZyWALL ZLD CLI Reference Guide
Chapter 9 Zones

9.2 Zone Commands Summary
The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands.

Table 40 Input Values for Zone Commands
LABEL         DESCRIPTION
profile_name  The name of a zone, or the name of a VPN tunnel. You may use 1-31 alphanumeric characters
the name of the zone. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
snmp-server rule move <1..32> to <1..32>  Changes the index number of a service control rule.
no snmp-server rule <1..32>               Deletes a service control rule for the SNMP service.
show snmp status                          Displays SNMP settings.

ZyWALL ZLD CLI Reference Guide
Chapter 33 System Remote Management

33.7.4 SNMP Commands Examples
The following command sets a service control rule that allows the computers with IP addresses matching the specified address object to access the specified zone using the SNMP service.

Router# configure terminal
Router(config)# snmp-server rule 11 access-group Example zone WAN action accept

The following command sets the password "secret" for read-write (rw) access.

Router# configure terminal
Router(config)# snmp-server community secret rw

The following command sets the IP address of the host that receives the SNMP notifications to 172.23.15.84 and the password sent with each trap to "qwerty".

Router# configure terminal
Router(config)# snmp-server host 172.23.15.84 qwerty

33.8 ICMP Filter
The ip icmp-filter commands are obsolete. See Chapter 14 on page 93 to configure firewall rules for ICMP traffic going to the ZyWALL to discard or reject ICMP packets des
the web page to which you want to send users when their web access is blocked by content filtering. The web page you specify here opens in a new frame below the denied access message. Use "http://" followed by up to 255 characters (0-9a-zA-Z and URL punctuation) in quotes. For example, "http://192.168.1.17/blocked access".
license          The license key (up to 15 characters) for the external web filtering service.
service timeout  The value specifies the maximum querying time in seconds, <1..60>.
cache timeout    The value specifies the maximum cache lifetime in hours, <1..720>.
url              The URL of a web site.

ZyWALL ZLD CLI Reference Guide
Chapter 21 Content Filtering

Table 87 Content Filter Command Input Values (continued)
LABEL          DESCRIPTION
rating_server  The hostname or IP address of the rating server.
query_timeout  The value specifies the maximum querying time when rating a URL in zysh, <1..60> seconds.

The following table lists the content filtering web category names.

Table 88 Content Filtering Web Category Names
CATEGORY NAME
Adult/Mature Content
Pornography
Sex Education
Intimate Apparel/Swimsuit
Nudity
Alcohol/Tobacco
Illegal/Questionable
Gambling
Violence/Hate/Racism
Weapons
Abortion
Hacking
Phishing
Arts/Entertainment
Business/Economy
Alternative Spirituality/Occult
Illegal Drugs
limit hi 6500, limit lo 1400, max 6683, min 6666, avg 6674
FAN4 F03 rpm: limit hi 6500, limit lo 1400, max 6633, min 6617, avg 6627

Router(config)# show mac
MAC address: 00 13 49 82 18 28 2c
Router(config)# show mem status
memory usage: 39
Router(config)# show ram-size
ram size: 510MB
Router(config)# show serial-number
serial number: S060212020460

Here is an example of the command that displays the listening ports.

Router(config)# show socket listen
No  Proto  Local_Address        Foreign_Address  State
1   tcp    0.0.0.0:2601         0.0.0.0:0        LISTEN
2   tcp    0.0.0.0:2602         0.0.0.0:0        LISTEN
3   tcp    127.0.0.1:10443      0.0.0.0:0        LISTEN
4   tcp    0.0.0.0:2604         0.0.0.0:0        LISTEN
5   tcp    0.0.0.0:80           0.0.0.0:0        LISTEN
6   tcp    127.0.0.1:8085       0.0.0.0:0        LISTEN
7   tcp    (not legible)        0.0.0.0:0        LISTEN
8   tcp    (not legible):53     0.0.0.0:0        LISTEN
9   tcp    10.0.0.8:53          0.0.0.0:0        LISTEN
10  tcp    172.23.37.240:53     0.0.0.0:0        LISTEN
11  tcp    192.168.1.1:53       0.0.0.0:0        LISTEN
12  tcp    127.0.0.1:53         0.0.0.0:0        LISTEN
13  tcp    0.0.0.0:21           0.0.0.0:0        LISTEN
14  tcp    0.0.0.0:22           0.0.0.0:0        LISTEN
15  tcp    (not legible)        0.0.0.0:0        LISTEN
16  tcp    0.0.0.0:443          0.0.0.0:0        LISTEN
17  tcp    (not legible)        0.0.0.0:0        LISTEN

ZyWALL ZLD CLI Reference Guide
Chapter 3 Status

Here is an example of the command that displays the open ports.

Router(config)# show socket open
No  Proto  Local_Add
traceroute  257
traffic-prioritize {tcp-ack | content-filter | dns | ipsec-vpn | ssl-vpn} bandwidth <0..1048576> priority <1..1024> [maximize-bandwidth-usage]
traffic-prioritize {tcp-ack | content-filter | dns | ipsec-vpn | ssl-vpn} deactivate  51
transform-set {ah-md5 | ah-sha} [ah-md5 | ah-sha] [ah-md5 | ah-sha]  103
transform-set <esp_crypto_algo> [esp_crypto_algo] [esp_crypto_algo]  99, 103
transform-set <isakmp_algo> [isakmp_algo] [isakmp_algo]  101
trigger append incoming <service_name> trigger <service_name>  70
trigger delete <1..8>
trigger insert <1..8> incoming <service_name> trigger <service_name>  71
trigger move <1..8> to <1..8>
udp-decoder truncated-header {undersize-len | oversize-len} action {drop | reject-sender | reject-receiver}  142
udp-decoder truncated-header {undersize-len | oversize-len} log [alert]  142
udp-filtered-distributed-portscan, udp-filtered-portsweep details  143
unlock (arguments not legible) console  175
username rename <username> <username>
username <username> [no] description <description>
ice register status
username: alexctsui
password: 123456
device register status: yes
expiration self check: no

The following command displays the service registration status and type, and how many days remain before the service expires.

Router# configure terminal
Router(config)# show service-register status all
Service         Status        Type      Count  Expiration
IDP Signature   Licensed      Standard  N/A    176
Anti-Virus      Not Licensed  None      N/A    0
SSLVPN          Not Licensed  None      5      N/A
Content Filter  Not Licensed  None      N/A    0

ZyWALL ZLD CLI Reference Guide
Chapter 4 Registration

4.3 Country Code
The following table displays the number for each country.

Table 9 Country Codes
COUNTRY CODE  COUNTRY NAME
001  Afghanistan
002  Albania
003  Algeria
004  American Samoa
005  Andorra
006  Angola
007  Anguilla
008  Antarctica
009  Antigua & Barbuda
010  Argentina
011  Armenia
012  Aruba
013  Ascension Island
014  Australia
015  Austria
016  Azerbaijan
017  Bahamas
018  Bahrain
019  Bangladesh
020  Barbados
021  Belarus
022  Belgium
023  Belize
024  Benin
025  Bermuda
026  Bhutan
027  Bolivia
028  Bosnia and Herzegovina
029  Botswana
030  Bouvet Island
031  Brazil
032  British Indian Ocean Territory
033  Brunei Darussalam
034  Bulgaria
035  Burkina Faso
036  Burundi
037  Cambodia
038  Camer
ice status {signature | anomaly | system-protect} activation
idp reload  Recovers the IDP signatures. You should only need to do this if instructed to do so by a support technician.

20.2.1.1 Activate/Deactivate IDP Example
This example shows how to activate and deactivate signature-based IDP on the ZyWALL.

Router# configure terminal
Router(config)# idp signature activate
Router(config)# show idp signature activation
idp signature activation: yes
Router(config)# no idp signature activate
Router(config)# show idp signature activation
idp signature activation: no

20.3 IDP Profile Commands
20.3.1 Global Profile Commands
Use these commands to rename or delete existing profiles and to show IDP base profiles.

Table 76 Global Profile Commands
COMMAND                                            DESCRIPTION
idp rename {signature | anomaly} profile1 profile2  Renames an IDP signature or anomaly profile originally named profile1 to profile2.
no idp {signature | anomaly} profile3               Deletes an IDP signature or system-protect profile named profile3.
show idp {signature | anomaly} base profile         Displays all IDP signature or system-protect base profiles.
show idp profiles                                   Displays all IDP signature profiles.

138 ZyWALL ZLD CLI Reference Guide
Chapter 20 IDP Commands

20.3.1.1 Example of Global Profile Commands
In this example we rename an IDP signature profile from old profile to new profile, delete the bye profile an
Policy Route (continued)
COMMAND                                                               DESCRIPTION
trigger delete <1..8>                                                 Removes a port triggering rule.
trigger insert <1..8> incoming <service_name> trigger <service_name>  Adds a new port triggering rule before the specified number.
trigger move <1..8> to <1..8>                                         Moves a port triggering rule to the number that you specified.
[no] tunnel <tunnel_name>                                             Sets the incoming interface to an IPSec VPN tunnel. The no command removes the IPSec VPN tunnel through which the incoming packets are received.
[no] user <user_name>                                                 Sets the user name. The no command resets the user name to the default (any). any means all users.
policy default-route                                                  Enters the policy route sub-command mode to set a route with the name default-route.
policy delete <1..5000>                                               Removes a routing policy.
policy flush                                                          Clears the policy routing table.
policy move <1..5000> to <1..5000>                                    Moves a routing policy to the number that you specified.
show policy-route [<1..5000>]                                         Displays all or the specified policy route settings.
show bwm activation                                                   Displays whether or not the global setting for bandwidth management on the ZyWALL is enabled.
show bwm usage {policy-route <1..5000> | interface <interface_name>}  Displays the specified policy route's or interface's bandwidth allotment, current bandwidth usage and bandwidth usage statistics.

ZyWALL ZLD
ide

PART Introduction
Command Line Interface  13
User and Privilege Modes  29
Registration  37

Command Line Interface
This chapter describes how to access and use the CLI (Command Line Interface).

1.1 Overview
Note: If you have problems with your ZyWALL, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the ZyWALL and possibly render it unusable.

1.1.1 The Configuration File
Note: When you configure the ZyWALL using either the CLI (Command Line Interface) or the web configurator, the settings are saved as a series of commands in a configuration file on the ZyWALL. You can store more than one configuration file on the ZyWALL. However, only one configuration file is used at a time.

You can perform the following with a configuration file:
- Back up the ZyWALL configuration once the ZyWALL is set up to work in your network.
- Restore the ZyWALL configuration.
- Save and edit a configuration file and upload it to multiple ZyWALLs of the same model in your network to give them the same settings.

You may also edit a configuration file using a text editor.

1.2 Accessing the CLI
You can access the CLI using a terminal emulation program on a computer connected to the console port, from the web configurator, or by accessing the ZyWALL using Telnet or SSH (Secure SHell).

ZyWALL ZLD CLI Reference Gui
ide
Chapter 5 Interfaces

Table 15 interface Commands: DHCP Settings (continued)
COMMAND                                                                          DESCRIPTION
network <IP>/<1..32>, network <ip> <mask>, no network                            Specifies the IP address and subnet mask of the specified DHCP pool. The subnet mask can be written in w.x.y.z format or in /<1..32> format. Note: The DHCP pool must have the same subnet as the interface to which you plan to bind it. The no command clears these fields.
[no] default-router <ip>                                                         Specifies the default gateway DHCP clients should use. The no command clears this field.
[no] domain-name <domain_name>                                                   Specifies the domain name assigned to DHCP clients. The no command clears this field.
[no] starting-address <ip> pool-size <1..65535>                                  Sets the IP start address and maximum pool size of the specified DHCP pool. The final pool size is limited by the subnet mask. Note: You must specify the network number first, and the start address must be in the same subnet. The no command clears the IP start address and maximum pool size.
[no] first-dns-server {<ip> | <interface_name> {1st-dns | 2nd-dns | 3rd-dns}}    Sets the first DNS server to the specified IP address or to the specified interface's first, second or third DNS server. The no command resets the first DNS server setting to its default value.
[no] second-dns-server {<ip> | <interface_name> {1st-dns | 2nd-dns | 3rd-dns}}   Sets the second DNS server to the specified IP address or to the specified
scan-detection {icmp-sweep | icmp-filtered-sweep} {activate | log [alert] | block}  141
scan-detection ip-xxx {activate | log [alert] | block}  141
scan-detection tcp-xxx {activate | log [alert] | block}  141
scan-detection udp-xxx {activate | log [alert] | block}  141
scan-detection open-port {activate | log [alert] | block}  142

ZyWALL ZLD CLI Reference Guide
List of Commands (Alphabetical)

[no] schedule profile  124
[no] second-dns-server {<ip> | <interface_name> {1st-dns | 2nd-dns | 3rd-dns}}  53
might cause electrocution.
- If the power adaptor or cord is damaged, remove it from the device and the power source.
- Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
- Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
- CAUTION: RISK OF EXPLOSION IF BATTERY (on the motherboard) IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. Dispose of them at the applicable collection point for the recycling of electrical and electronic equipment. For detailed information about recycling of this product, please contact your local city office, your household waste disposal service or the store where you purchased the product.
- Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.

This product is recyclable. Dispose of it properly.

ZyWALL ZLD CLI Reference Guide
Safety Warnings

ZyWALL ZLD CLI Reference Guide
Contents Overview
Command Line Interface  13
User and Privilege Modes  29
Registration  37
Routing Protocol  75
digital IDs to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.

A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities, like CyberTrust or VeriSign, and government certification authorities. You can use the ZyWALL to generate certification requests that contain identifying information and public keys, and then send the certification requests to a certification authority.

29.2 Certificate Commands
This section describes the commands for configuring certificates.

29.3 Certificates Commands Input Values
The following table explains the values you can input with the certificate commands.

Table 118 Certificates Commands Input Values
LABEL             DESCRIPTION
certificate_name  The name of a certificate. You can use up to 31 alphanumeric and special characters such as _.
cn_address        A common name IP address identifies the certificate's owner. Type the IP address in dotted decimal notation.
cn_domain_name    A common name domain name identifies the certificate's owner. The domain name is for identification purposes only and can be any string. The domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods.
cn_email
igurator is using, or change it. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 137 Command Summary: Language
COMMAND                                                          DESCRIPTION
language <English | Simplified Chinese | Traditional Chinese>    Specifies the language used in the web configurator screens.
show language {setting | all}                                    setting displays the current display language in the web configurator screens. all displays the available languages.

ZyWALL ZLD CLI Reference Guide
Chapter 33 System Remote Management

ZyWALL ZLD CLI Reference Guide
PART VII Maintenance and Index
File Manager  227
Logs  245
Reports and Reboot  251
Diagnostics  255
Maintenance Tools  257
Command Index  327

File Manager
This chapter covers how to work with the ZyWALL's firmware, certificates, configuration files, custom IDP signatures, packet trace results, shell scripts and temporary files.

34.1 File Directories
The ZyWALL stores files in the following directories.

Table 138 FTP File Transfer Notes
DIRECTORY      FILE TYPE
(not legible)  Firmware (upload only), .bin
cert           Non-PKCS#12 certificates, .cer
conf           Configuration files, .conf
idp            IDP custom signatures, .rules
packet_trace   Packet trace results (download only)
script         Shell scripts, .zysh
tmp            Temporary system maintenance files and crash dumps for technical support use (download only)
igures the ALG. Use signal-port with a listening port number (1025 to 65535) if you are using SIP on a port other than UDP 5060. Use signal-extra-port with a listening port number (1025 to 65535) if you are also using SIP on an additional UDP port number; enter it here. Use media-timeout and a number of seconds (1..86400) for how long to allow a voice session to remain idle without voice traffic before dropping it. Use signal-timeout and a number of seconds (1..86400) for how long to allow a SIP signaling session to remain idle without SIP packets before dropping it. The no command turns off the SIP ALG or removes the settings that you specify.
[no] alg {h323 | ftp} [signal-port <1025..65535>] [signal-extra-port <1025..65535>]  Turns on or configures the H.323 or FTP ALG. Use signal-port with a listening port number (1025 to 65535) if you are using H.323 on a TCP port other than 1720 or FTP on a TCP port other than 21. Use signal-extra-port with a listening port number (1025 to 65535) if you are also using H.323 or FTP on an additional TCP port number; enter it here. The no command turns off the H.323 or FTP ALG or removes the settings that you specify.
show alg {sip | h323 | ftp}  Displays the specified ALG's configuration.

13.3 ALG Commands Example
The following example turns on pass-through for SIP and turns it off for H.323.

Router# configure terminal
Router(config)# alg si
in the specified virtual link.

ZyWALL ZLD CLI Reference Guide
Chapter 8 Routing Protocol

Table 38 router Commands: Virtual Links in OSPF Areas (continued)
COMMAND                                                                                    DESCRIPTION
[no] area <IP> virtual-link <IP> authentication message-digest                             Enables MD5 authentication in the specified virtual link. The no command disables authentication in the specified virtual link.
[no] area <IP> virtual-link <IP> authentication authentication-key <authkey>               Sets the password for text authentication in the specified virtual link. The no command clears the password in the specified virtual link.
[no] area <IP> virtual-link <IP> authentication message-digest-key <1..255> md5 <authkey>  Sets the MD5 ID and password for MD5 authentication in the specified virtual link. The no command clears the MD5 ID and password in the specified virtual link.
[no] area <IP> virtual-link <IP> authentication same-as-area                               Sets the virtual link's authentication method to the area's default authentication.
[no] area <IP> virtual-link <IP> authentication-key <authkey>                              Sets the password for text authentication in the specified virtual link. The no command clears the password.
area <IP> virtual-link <IP> message-digest-key <1..255> md5 <authkey>                      Sets the MD5 ID and password for MD5 authentication in the specified virtual link.
no area <IP> virtual-link <IP> message-digest-key <1..255>                                 Clears t
in the ZyWALL. There are three types: virtual Ethernet interfaces, virtual VLAN interfaces and virtual bridge interfaces.

ZyWALL ZLD CLI Reference Guide
Chapter 5 Interfaces

The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the DIAL BACKUP port (labeled AUX on some models).

Trunks manage load balancing between interfaces.

Port groups, trunks and the auxiliary interface have a lot of characteristics that are specific to each type of interface. These characteristics are listed in the following table and discussed in more detail below.

Table 10 Characteristics of Ethernet, VLAN, Bridge, PPPoE/PPTP and Virtual Interfaces
CHARACTERISTICS           ETHERNET  VLAN   BRIDGE  PPPOE/PPTP  VIRTUAL
Name                      gex       vlanx  brx     pppx        *
IP Address Assignment
  static IP address       Yes       Yes    Yes     Yes         Yes
  DHCP client             Yes       Yes    Yes     Yes         No
  routing metric          Yes       Yes    Yes     Yes         Yes
Interface Parameters
  bandwidth restrictions  Yes       Yes    Yes     Yes         Yes
  packet size (MTU)       Yes       Yes    Yes     Yes         No
  traffic prioritization  Yes       Yes    Yes     Yes         No
DHCP
  DHCP server             Yes       Yes    Yes     No          No
  DHCP relay              Yes       Yes    Yes     No          No
Ping Check                Yes       Yes    Yes     Yes         No

The format of interface names is strict. Each name consists of 2-4 letters (interface type), followed by a number
information.

(Screenshots not reproduced: a Hostname Mismatch security warning, a dialog asking "Do you want to trust the signed applet distributed by ZyXEL?", and a Security Information dialog stating "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?" with Yes/No/More Info buttons.)

Finally, the User Name screen appears.

Figure 4 Web Console: User Name (dialog "Please Input User Name" with a User Name field)

5. Enter the user name you want to use to log in to the console. The console begins to connect to the ZyWALL.

Note: The default login username is admin. It is case-sensitive.

ZyWALL ZLD CLI Reference Guide
Chapter 1 Command Line Interface

Figure 5 Web Console: Connecting to ZyWALL 1050 (172.23.19.244:22)

Then the Password screen appears.

Figure 6 Web Console: Password (dialog "Password Authentication" showing User admin, a Password field, OK and Cancel)

6. Enter the password for the user name you specified earlier and click OK. If you enter the password incorrectly, you get an error message and you may have to close the console window and open it again. If you enter the password correctly, the console screen appears.

Figure 7 Web Console (Microsoft Internet Explorer window, 172.23.19.244:22)

7. To use most commands in this User's
interface's first, second or third DNS server. The no command resets the second DNS server setting to its default value.
[no] third-dns-server {<ip> | <interface_name> {1st-dns | 2nd-dns | 3rd-dns}}  Sets the third DNS server to the specified IP address or to the specified interface's first, second or third DNS server. The no command resets the third DNS server setting to its default value.
[no] first-wins-server <ip>                        Specifies the first WINS server IP address to assign to the remote users. The no command removes the setting.
[no] second-wins-server <ip>                       Specifies the second WINS server IP address to assign to the remote users. The no command removes the setting.
[no] lease {<0..365> [<0..23> [<0..59>]] | infinite}  Sets the lease time to the specified number of days, hours and minutes, or makes the lease time infinite. The no command resets the first DNS server setting to its default value.
interface <interface_name>                         Enters sub-command mode.
[no] ip dhcp-pool <profile_name>                   Binds the specified interface to the specified DHCP pool. You have to remove any DHCP relays first. The no command removes the binding.

ZyWALL ZLD CLI Reference Guide
Chapter 5 Interfaces

Table 15 interface Commands: DHCP Settings (continued)
COMMAND                                            DESCRIPTION
[no] ip helper-address <ip>                        Creates the specified DHCP relay. You have to remove the DHCP pool first if the DHCP p
(continued)
LABEL          DESCRIPTION
category_name  The name of a web category (see Table 88 on page 158).
trust_hosts    The IP address or domain name of a trusted web site. Use a host name such as www.good-site.com. Do not use the complete URL of the site; that is, do not include "http://". All subdomains are allowed. For example, entering "zyxel.com" also allows "www.zyxel.com", "partner.zyxel.com", "press.zyxel.com", etc. Use up to 63 case-insensitive characters (0-9a-z).
               You can enter a single IP address in dotted decimal notation, like 192.168.2.5.
               You can enter a subnet by entering an IP address in dotted decimal notation followed by a slash and the bit number of the subnet mask of an IP address. The range is 0 to 32. To find the bit number, convert the subnet mask to binary and add all of the 1's together. Take 255.255.255.0 for example: 255 converts to eight 1's in binary. There are three 255's, so add three eights together and you get the bit number 24. An example is 192.168.2.1/24.
               You can enter an IP address range by entering the start and end IP addresses separated by a hyphen, for example 192.168.2.5-192.168.2.23.
forbid_hosts   The IP address or domain name of a forbidden web site. Use a host name such as www.bad-site.com in this text field. Do not use the complete URL of the site; that is, do not include "http://". All subdomains are also blocked. For example, entering "bad-site.com" also blocks "www.bad-si
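An added Python example (not from the ZyWALL guide) that validates the trust_hosts / forbid_hosts value forms described above (host name with all subdomains, single IP, IP with bit number or dotted mask, IP range), derives the bit number from a dotted mask the way the text explains, and checks whether a requested host falls under an entry. Function names and all sample values are constructed for this example; allowing dots and hyphens in host names is an assumption.

```python
import ipaddress
import re

# Host names: up to 63 case-insensitive characters. Dots and hyphens are
# assumed to be accepted alongside 0-9a-z (assumption for this example).
_HOST_RE = re.compile(r"^[0-9a-z][0-9a-z.-]{0,62}$")


def mask_to_bits(mask):
    """Bit number of a dotted-decimal mask, derived as the guide describes:
    count the 1 bits (255.255.255.0 -> 24). Non-contiguous masks are rejected."""
    n = int(ipaddress.IPv4Address(mask))
    bits = bin(n).count("1")
    if n != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous subnet mask: %s" % mask)
    return bits


def parse_host_entry(entry):
    """Classify a trust_hosts / forbid_hosts value.

    Returns ("host", name), ("net", IPv4Network) or ("range", (lo, hi)).
    Raises ValueError for a full URL or an otherwise invalid value."""
    s = entry.strip().lower()
    if "://" in s:
        raise ValueError("enter a host name or address, not a full URL")
    # IP address range: start-end (a hyphen inside a host name is not a range)
    if "-" in s:
        lo_s, hi_s = s.split("-", 1)
        try:
            lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
        except ValueError:
            lo = hi = None
        if lo is not None:
            if hi < lo:
                raise ValueError("range end precedes range start")
            return ("range", (lo, hi))
    # Subnet: address/bits or address/dotted-mask
    if "/" in s:
        addr, mask = s.split("/", 1)
        bits = mask_to_bits(mask) if "." in mask else int(mask)
        if not 0 <= bits <= 32:
            raise ValueError("bit number must be 0..32")
        return ("net", ipaddress.IPv4Network("%s/%d" % (addr, bits), strict=False))
    # Single IP address
    try:
        return ("net", ipaddress.IPv4Network(s + "/32"))
    except ValueError:
        pass
    if not _HOST_RE.fullmatch(s):
        raise ValueError("invalid host name: %r" % entry)
    return ("host", s)


def is_valid_entry(entry):
    """True when parse_host_entry() accepts the value."""
    try:
        parse_host_entry(entry)
        return True
    except ValueError:
        return False


def entry_matches(parsed, target):
    """Does a requested host (name or IPv4 address) fall under a parsed entry?
    Host-name entries cover all subdomains, as the guide states."""
    kind, value = parsed
    t = target.strip().lower()
    if kind == "host":
        return t == value or t.endswith("." + value)
    try:
        ip = ipaddress.IPv4Address(t)
    except ValueError:
        return False
    if kind == "net":
        return ip in value
    lo, hi = value
    return lo <= ip <= hi


if __name__ == "__main__":
    # Constructed sample entries, not values from the guide.
    for raw in ("zyxel.com", "192.168.2.5", "192.168.2.1/255.255.255.0",
                "192.168.2.5-192.168.2.23", "http://bad-site.com"):
        print(raw, "->", parse_host_entry(raw) if is_valid_entry(raw) else "rejected")
```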
[no] description <description>   Specifies the description for the specified interface. The no command clears the description. description: You can use alphanumeric and _ characters, and it can be up to 60 characters long.
[no] ip address dhcp             Makes the specified interface a DHCP client; the DHCP server gives the specified interface its IP address, subnet mask and gateway. The no command makes the IP address static for the specified interface. See the next command to set this IP address.
[no] ip address <ip> <subnet_mask>  Assigns the specified IP address and subnet mask to the specified interface. The no command clears the IP address and the subnet mask.
[no] ip gateway <ip>             Adds the specified gateway using the specified interface. The no command removes the gateway.
ip gateway <ip> metric <0..15>   Sets the priority (relative to every gateway on every interface) for the specified gateway. The lower the number, the higher the priority.

5.2.1.1 Basic Interface Properties Command Examples
The following commands make Ethernet interface ge1 a DHCP client.

Router# configure terminal
Router(config)# interface ge1
Router(config-if)# ip address dhcp
Router(config-if)# exit

ZyWALL ZLD CLI Reference Guide
Chapter 5 Interfaces

5.2.2 Interface Parameter Commands
This table lists the commands for interface parameters (summarized in Table 10 on page 48).

Table 14 interf
223. ion when traffic matches the rule.
[no] action block {login | message | audio | video | file transfer} | Blocks use of a specific feature.
bandwidth {inbound | outbound} <0..1048576> | Limits inbound or outbound bandwidth in kilobits per second. 0 disables bandwidth management for traffic matching this rule.
[no] bandwidth excess usage | Enables maximize bandwidth usage to let the traffic matching this policy borrow any unused bandwidth on the outgoing interface.
bandwidth priority <1..7> | Sets the priority for traffic that matches this rule. The smaller the number, the higher the priority.
[no] log [alert] | Creates log entries (and alerts) for traffic that matches the rule. The no command does not create any log entries.

Table 65 app Commands: Rules in Other Applications (continued)
COMMAND | DESCRIPTION
show | Displays the rule's configuration.
no app other <1..64> | Deletes the specified rule.
app other move <1..64> to <1..64> | Moves the specified rule (first index) to the specified location. The process is: 1. remove the specified rule from the table, 2. re-number, 3. insert the rule at the specified location.

18.2.5 General Commands for Application Patrol
Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it. See Chapter 4 on page 3
224. irtual router. You can add any Ethernet interface, VLAN interface, or virtual interface (created on top of Ethernet interfaces or VLAN interfaces) with a static IP address. You can only enable one VRRP group for each interface, and you can only have one active VRRP group for each virtual router.

22.1.3 Synchronization Overview
In a virtual router, backup routers do not automatically get configuration updates from the master router. In this case, the master ZyWALL router can send backup ZyWALL routers these updates. This is called synchronization.

22.2 Device HA Commands Summary
The following table identifies the values required for many device-ha commands. Other input values are discussed with the corresponding commands.
Table 92 Input Values for device-ha Commands
LABEL | DESCRIPTION
vrrp_group_name | The name of the VRRP group. The name can consist of alphanumeric characters, the underscore, and the dash, and may be up to fifteen alphanumeric characters long.

The following sections list the device-ha commands.

22.2.1 VRRP Group Commands
This table lists the commands for VRRP groups.
Table 93 device-ha Commands: VRRP Groups
COMMAND | DESCRIPTION
show device-ha vrrp-group | Displays information about all VRRP groups.
show device-ha status | Displays the status of active VRRP groups.
[no] device-ha vrrp-group vrrp_group_name | Creates
225. isable automatic IDP downloading, schedule updates, display the schedule, display the update status, show the new updated signature version number, show the total number of signatures, and show the date/time the signatures were created.
Router# configure terminal
Router(config)# idp update auto no
Router(config)# idp update auto
Router(config)# idp update hourly
Router(config)# idp update daily 10
Router(config)# idp update weekly fri 13
Router(config)# show idp update
auto: yes
schedule: weekly at Friday 13 o'clock
Router(config)# idp update signatures
IDP signature update in progress. Please check system log for future information.
Router(config)# show idp signature update status
current status: IDP signature download failed, do 1 retry at Sat Jan 4 01:01:01 2003
last update time: 22:47:47 2003
Router(config)# show idp signature signatures version
version: 1.2000
Router(config)# show idp signature signatures number
signatures: 2000
Router(config)# show idp signature signatures date
date: 2005-11-13 13:56:03

20.6 IDP Statistics
The following table describes the commands for collecting and displaying IDP statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 86 Commands for IDP Statistics
COMMAND | DESCRIPTION
[no] idp statistics collect | Turn the collection of IDP s
226. ist file-pattern
Router(config)# anti-virus white-list file-pattern exe activate
Router(config)# anti-virus black-list activate
Router(config)# anti-virus black-list file-pattern exe deactivate
Router(config)# show anti-virus white-list status
Router(config)# show anti-virus white-list
No.  Status  File Pattern
1    yes     exe
Router(config)# show anti-virus black-list status
anti-virus black-list status: yes
Router(config)# show anti-virus black-list
No.  Status  File Pattern
1    no      exe

19.2.4 Signature Search Anti-virus Command
The following table describes the command for searching for signatures. You must use the configure terminal command to enter the configuration mode before you can use this command.
Table 71 Command for Anti-virus Signature Search
COMMAND | DESCRIPTION
anti-virus search signature {all | category category | id id | name name | severity severity | from id to id} | Search for signatures by their ID, name, severity, or category.
all: displays all signatures.
category: select whether you want to see virus signatures or spyware signatures.
id: type the ID or part of the ID of the signature you want to find.
name: type the name or part of the name of the signature(s) you want to find. This search is not case-sensitive.
severity: type the severity level of the signatures you want to find (high, medium, or low).

19.2.4.1 Signature Search Example
This example shows how to search for anti-virus signa
227. ject
schedule-object object_name date time date time | Creates or updates a one-time schedule.
date: yyyy-mm-dd (date format yyyy-<01..12>-<01..31>)
schedule-object object_name time time day [day] [day] [day] [day] [day] [day] | Creates or updates a recurring schedule.
day: 3-character day of the week (sun, mon, tue, wed, thu, fri, sat)

26.2.1 Schedule Command Examples
The following commands create recurring schedule SCHEDULE1 and one-time schedule SCHEDULE2, and then delete SCHEDULE1.
Router# configure terminal
Router(config)# schedule-object SCHEDULE1 11:00 12:00 mon tue wed thu fri
Router(config)# schedule-object SCHEDULE2 2006-07-29 11:00 2006-07-31 12:00
Router(config)# show schedule-object
Object name  Type       Start             End               Ref
SCHEDULE1    Recurring  11:00             12:00             0
             MonTueWedThuFri
SCHEDULE2    Once       2006-07-29 11:00  2006-07-31 12:00  0
Router(config)# no schedule-object SCHEDULE1
Router(config)# show schedule-object
Object name  Type  Start             End               Ref
SCHEDULE2    Once  2006-07-29 11:00  2006-07-31 12:00  0

AAA Server
This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers.

27.1 AAA Server Overview
You can use an AAA (Authentication, Authorization, Accounting) server to provide access
229. k to the ZyWALL, which then blocks and/or logs access to the web site based on the settings in the content filtering profile. The web site's address and category are then stored in the ZyWALL's content filtering cache.

21.4 Content Filtering Reports
See the web configurator User's Guide to see how to view content filtering reports after you have activated the category-based content filtering subscription service.

21.5 Content Filter Command Input Values
The following table explains the values you can input with the content-filter commands.
Table 87 Content Filter Command Input Values
LABEL | DESCRIPTION
policy_number | The number of the policy <0..15>, to define the searching sequence of the filtering policies.
address | The name (up to 63 characters) of an existing address object or group to which the policy should be applied.
schedule | The name (up to 63 characters) of an existing schedule to control when the policy should be applied.
filtering_profile | The filtering profile defines how to filter web URLs or content. You may use 1-31 alphanumeric characters, underscores, or dashes, but the first character cannot be a number. This value is case-sensitive.
category_number | The number of a web category <0..60>. Each number corresponds to a category name.

Table 87 Content Filter Command Input Values (cont
230. ke precedence and override the ZyWALL's default settings. The ZyWALL checks the schedule, user name (the user's login name on the ZyWALL), source IP address, destination IP address, and IP protocol type of network traffic against the firewall rules in the order you list them. When the traffic matches a rule, the ZyWALL takes the action specified in the rule. For example, if you want to allow a specific user from any computer to access one zone by logging in to the ZyWALL, you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the ZyWALL and will be disabled after the user logs out of the ZyWALL.

14.2 Firewall Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 49 Input Values for General Firewall Commands
LABEL | DESCRIPTION
address_object | The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores, or dashes, but the first character cannot be a number. This value is case-sensitive.
user_name | The name of a user (group). You may use 1-31 alphanumeric characters, underscores, or dashes, but the first character cannot be a number. This value is case-sensitive.
zone_object | The name of the zo
232. l scan, ip filtered decoy protocol scan, ip filtered distributed protocol scan, ip filtered protocol sweep. Also sets IP scan detection logs or alerts and blocking. no deactivates IP scan detection, its logs, alerts, or blocking.
[no] scan-detection {icmp-sweep | icmp-filtered-sweep} {activate | log [alert] | block} | Activates or deactivates ICMP scan detection options. Also sets ICMP scan detection logs or alerts and blocking. no deactivates ICMP scan detection, its logs, alerts, or blocking.

Table 79 Editing/Creating Anomaly Profiles (continued)
COMMAND | DESCRIPTION
[no] scan-detection open-port {activate | log [alert] | block} | Activates or deactivates open port scan detection options. Also sets open port scan detection logs or alerts and blocking. no deactivates open port scan detection, its logs, alerts, or blocking.
flood-detection block-period <1..3600> | Sets for how many seconds the ZyWALL blocks all packets from being sent to the victim (destination) of a detected anomaly attack.
[no] flood-detection {tcp-flood | udp-flood | ip-flood | icmp-flood} {activate | log [alert] | block} | Activates or deactivates TCP, UDP, IP, or ICMP flood detection. Also sets flood detection logs or alerts and blocking. no deactivates flood detection, its logs, alerts, or blocking.
[no] http-inspection http-xxx activate | Activate
234. les on the ZyWALL. You can also have the ZyWALL use a different configuration file without the ZyWALL restarting. When you first receive the ZyWALL, it uses the system-default.conf configuration file of default settings.

When you change the configuration, the ZyWALL creates a startup-config.conf file of the current configuration. The ZyWALL checks the startup-config.conf file for errors when it restarts. If there is an error in the startup-config.conf file, the ZyWALL copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. When the ZyWALL reboots, if the startup-config.conf file passes the error check, the ZyWALL keeps a copy of the startup-config.conf file as the lastgood.conf configuration file for you as a backup file. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.

34.2.4 Configuration File Flow at Restart
If there is not a startup-config.conf when you restart the ZyWALL (whether through a management interface or by physically turning the power off and back on), the ZyWALL uses the system-default.conf configuration file with the ZyWALL's default settings. If there is a startup-config.conf, the ZyWALL checks it for errors and applies it. If there are no errors, the ZyWALL uses it and copi
236. ll rule's settings. <1..5000>: the priority number of a firewall rule.
show firewall zone_object {zone_object | ZyWALL} | Displays all firewall rules' settings for the specified packet direction.
show firewall zone_object {zone_object | ZyWALL} <1..5000> | Displays a specified firewall rule's settings for the specified packet direction. <1..5000>: the index number in a direction-specific firewall rule list.
show firewall status | Displays whether the firewall is active or not.

14.2.1 Firewall Command Examples
The following example shows you how to add a firewall rule to allow a MyService connection from the WAN zone to the IP addresses Dest_1 in the LAN zone.
- Enter configuration command mode.
- Create an IP address object.
- Create a service object.
- Enter the firewall sub-command mode to add a firewall rule.
- Set the direction of travel of packets to which the rule applies.
- Set the destination IP address(es).
- Set the service to which this rule applies.
- Set the action the ZyWALL is to take on packets which match this rule.
Router# configure terminal
Router(config)# service-object MyService tcp eq 1234
Router(config)# address-object Dest_1 10.0.0.10-10.0.0.15
Router(config)# firewall insert 3
Router(firewall)# from WAN
Router(firewall)# to LAN
Router(firewall)# destin
237. llow the service's packets to go through the ZyWALL. Application patrol examines every TCP and UDP connection passing through the ZyWALL and identifies what application is using the connection. Then, you can specify, by application, whether or not the ZyWALL continues to route the connection.

18.2 Application Patrol Commands Summary
The following table describes the values required for many application patrol commands. Other values are discussed with the corresponding commands.
Table 61 Input Values for Application Patrol Commands
LABEL | DESCRIPTION
protocol_name | The name of a pre-defined application. These are listed by category: general (ftp, smtp, pop3, irc, http), im (msn, aol, icq, yahoo, qq), p2p (bittorrent, eDonkey, fasttrack, gnutella, napster, soulseek), stream (rtsp), h323, sip.
zone_name | The name of a zone. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
schedule_name | The name of a schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

The following sections list the application patrol commands.

18.2.1 Pre-defined Application Commands
This table lists the commands for each pre-defined application. T
238. llowing command displays whether or not link monitoring is enabled for device HA.
Router# configure terminal
Router(config)# show device-ha link-monitoring
link monitoring active: no

User/Group
This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.

23.1 User Account Overview
A user account defines the privileges of a user logged into the ZyWALL. User accounts are used in firewall rules and application patrol, in addition to controlling access to configuration and services in the ZyWALL.

23.1.1 User Types
These are the types of user accounts the ZyWALL uses.
Table 96 Types of User Accounts
TYPE | ABILITIES | LOGIN METHOD(S)
Admin Users
Admin | Change ZyWALL configuration (web, CLI) | WWW, TELNET, SSH, FTP
Limited-Admin | Look at ZyWALL configuration (web, CLI); Perform basic diagnostics (CLI) | WWW, TELNET, SSH
Access Users
User | Access network services; Browse user-mode commands (CLI) | WWW, TELNET, SSH
Guest | Access network services | WWW
Ext-User | See Section 23.2 on page 172 | WWW

Note: The default admin account is always authenticated locally, regardless of the authentication method setting. See Chapter 28 on page 193 for more information about authentication methods.
239. log. Here are some examples.
Use this section to restore the ZyWALL's default system database.

Figure 41 Default System Database Console Session Warning at Startup

Figure 43 Default System Database Missing Log
1  2007-05-11 11:25:00  info   IDP  New IDP rule has been appended
2  2007-05-11 11:24:59  info   IDP  New IDP rule has been appended
3  2007-05-11 11:24:59  info   IDP  IDP profile DMZ_IDP has been modified
4  2007-05-11 11:24:59  info   IDP  IDP profile DMZ_IDP has been created
5  2007-05-11 11:24:59  info   IDP  IDP profile LAN_IDP has been modified
6  2007-05-11 11:24:59  info   IDP  IDP profile LAN_IDP has been created
7  2007-05-11 11:24:59  info   IDP  Enable IDP succeeded
8  2007-05-11 11:23:42  alert  IDP  IDP signatures missing, please refer to your user documentation to recover the default database

Note: This procedure requires the ZyWALL's default system database file. Download the firmware package from www.zyxel.com and unzip it. The default system database file uses a .db extension, for example 1.01(XL.0)C0.db. Do the following after you have
240. ly profile udp-decoder {truncated-header | undersize-len | oversize-len} details | Shows specified udp decoder settings for the specified IDP profile.
show idp anomaly profile icmp-decoder all details | Shows all icmp decoder settings for the specified IDP profile.
show idp anomaly profile icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} details | Shows specified icmp decoder settings for the specified IDP profile.

20.3.4.1 Creating an Anomaly Profile Example
In this example, we create a profile named test, configure some settings, display them, and then return to global command mode.
Router# configure terminal
Router(config)# idp anomaly test
Router(config-idp-anomaly-profile-test)# tcp-decoder oversize-offset action drop
Router(config-idp-anomaly-profile-test)# tcp-decoder oversize-offset log alert
Router(config-idp-anomaly-profile-test)# tcp-decoder oversize-offset activate
Router(config-idp-anomaly-profile-test)# no tcp-decoder oversize-offset activate
Router(config-idp-anomaly-profile-test)# exit
Router(config)# show idp anomaly test tcp-decoder oversize-offset details
message: (tcp decoder) OVERSIZE OFFSET ATTACK
keyword: tcp-decoder oversize-offset
activate: no
action: drop
log: log alert

20
242. may use up to 254 alphanumeric characters, dashes, or periods, but the first character must be alphanumeric.
[no] ip select {iface | auto | custom} | Sets the IP address update policy in the specified DDNS profile. The no command clears the policy.
[no] custom ip | Sets the static IP address in the specified DDNS profile. The no command clears it.
[no] mx {ip | domain_name} | Enables the mail exchanger and sets the fully qualified domain name of the mail server to which mail from this domain name is forwarded. The no command disables the mail exchanger.
domain_name: You may use up to 254 alphanumeric characters, dashes, or periods, but the first character must be alphanumeric.
[no] wan iface interface_name | Sets the WAN interface in the specified DDNS profile. The no command clears it.
[no] ha iface interface_name | Sets the HA interface in the specified DDNS profile. The no command clears it.
[no] backmx | Enables the backup mail exchanger. The no command disables it.
[no] wildcard | Enables the wildcard feature. The no command disables it.

Virtual Servers
This chapter describes how to set up, manage, and remove virtual servers.

11.1 Virtual Server Overview
Virtual server is also known as port forwarding or port translation. Virtual servers are computers on a private network behind the ZyWALL that you want to make available outside the private network.
244. mmands: Address Groups (continued)
COMMAND | DESCRIPTION
[no] object-group group_name | Adds the specified address group (second group_name) to the specified address group (first group_name). The no command removes the specified address group from the specified address group.
[no] description description | Sets the description to the specified value. The no command clears the description.
description: You can use alphanumeric and _ characters, and it can be up to 60 characters long.
object-group address rename group_name group_name | Renames the specified address group from the first group_name to the second group_name.

24.2.2.1 Address Group Command Examples
The following commands create three address objects A0, A1, and A2, and add A1 and A2 to address group RD.
Router# configure terminal
Router(config)# address-object A0 192.168…
Router(config)# address-object A1 192.168…
Router(config)# address-object A2 192.168…
Router(config)# object-group address RD
Router(group-address)# address-object A1
Router(group-address)# address-object A2
Router(group-address)# exit
Router(config)# show object-group address
Group name  Reference  Description
TW_TEAM     5
RD          0
Router(config)# show object-group address RD
Object/Group name  Type    Reference
A1                 Object  1
A2                 Object  1
245. mmon input values for the commands for the feature in one or more tables.

1.4.3 Command Summary
This section lists the commands for the feature in one or more tables.

1.4.4 Command Examples (Optional)
This section contains any examples for the commands in this feature.

1.4.5 Command Syntax
The following conventions are used in this User's Guide.
- A command or keyword in courier new must be entered literally as shown. Do not abbreviate.
- Values that you need to provide are in italics.
- Required fields that have multiple choices are enclosed in curly brackets {}.
- A range of numbers is enclosed in angle brackets <>.
- Optional fields are enclosed in square brackets [].
- The | symbol means OR.

For example, look at the following command to create a TCP/UDP service object.
service-object object_name {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>}
1. Enter service-object exactly as it appears.
2. Enter the name of the object where you see object_name.
3. Enter tcp or udp, depending on the service object you want to create.
4. Finally, do one of the following:
   - Enter eq exactly as it appears, followed by a number between 1 and 65535.
   - Enter range exactly as it appears, followed by two numbers between 1 and 65535.

1.4.6 Changing the Password
It is highly recommended that you change the password for accessing the ZyW
...on the screen, the firmware file is damaged and you need to use the procedure in ... to recover the firmware.

Figure 35 atgo Debug Command

34.10 Restoring the Firmware

Note: This procedure requires the ZyWALL's firmware. Download the firmware package from www.zyxel.com and unzip it. The firmware file uses a .bin extension, for example 1.01(XL.0)C0.bin. Do the following after you have obtained the firmware file.

This section is not for normal firmware uploads. You only need to use this section if you need to recover the firmware.

1. Connect your computer to the ZyWALL's port 1 (only port 1 can be used).
2. The ZyWALL's FTP server IP address for firmware recovery is 192.168.1.1, so set your computer to use a static IP address from 192.168.1.2 to 192.168.1.254.
3. Use an FTP client on your computer to connect to the ZyWALL. For example, in the Windows command prompt, type ftp 192.168.1.1. Keep the console session connected in order to see when the firmware recovery finishes.
4. Hit enter to log in anonymously.
5. Set the transfer mode to binary (type bin).
6. Transfer the firmware file from your computer to the ZyWALL. Type put followed by the path and name of the firmware file. This example uses put e:\ftproot\ZLD FW\1.01(XL.0)C0.bin.

Figure 36 FTP Firmware Transfer Command
C:\>ftp 192.168.1.1
Connected to 192.168.1.1.
220 <x>...
...name ... url url key-len key_length password password ca ...

ca enroll scep name certificate_name cn-type {ip cn cn_address | fqdn cn cn_domain_name | mail cn cn_email} ou organizational_unit o organization c country key-type {rsa | dsa} ...
    Enrolls a certificate with a CA using Simple Certificate Enrollment Protocol (SCEP). The certification authority may want you to include a key (password) to identify your certification request.

Table 119 ca Commands Summary (continued)

COMMAND / DESCRIPTION
ca generate pkcs10 name certificate_name cn-type {ip cn cn_address | fqdn cn cn_domain_name | mail cn cn_email} ou organizational_unit o organization c country key-type {rsa | dsa} key-len key_length
    Generates a PKCS#10 certification request.
ca generate pkcs12 name name password password
    Generates a PKCS#12 certificate.
ca generate x509 name certificate_name cn-type {ip cn cn_address | fqdn cn cn_domain_name | mail cn cn_email} ou organizational_unit o organization c country key-type {rsa | dsa} key-len key_length
    Generates a self-signed x509 certificate.
ca rename category {local | remote} old_name new_name
    Renames a local (my certificates) or remote (trusted certificates) certificate.
ca validation remote_certificate
    Enters the sub-command mode for validation of certificates signed by the specified remote (trusted certificates) certificate.
...Chapter 11 Virtual Servers

Table 45 ip virtual-server Commands (continued)

COMMAND / DESCRIPTION
ip virtual-server profile_name interface interface_name original-ip {any | IP | address_object} map-to IP map-type port protocol {any | tcp | udp} original-port <1..65535> mapped-port <1..65535> [deactivate]
    Creates or modifies the specified virtual server and maps the specified destination IP address, protocol and destination port to the specified destination IP address and destination port. The original destination IP is defined by the specified interface (any), the specified IP address (IP) or the specified address object (address_object).
ip virtual-server profile_name interface interface_name original-ip {any | IP | address_object} map-to IP map-type ports protocol {any | tcp | udp} original-port-begin <1..65535> original-port-end <1..65535> mapped-port-begin <1..65535> [deactivate]
    Creates or modifies the specified virtual server and maps the specified destination IP address, protocol and range of destination ports to the specified destination IP address and range of destination ports. The original destination IP is defined by the specified interface (any), the specified IP address (IP) or the specified address object (address_object).
ip virtual-server {activate | deactivate} profile_name
    Activates or deactivates the specified virtual server.
ip...
...name. You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.
schedule_object: The name of the schedule. You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.
service_name: The name of the service (group). You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.

The following table describes the commands available for the firewall. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 50 Command Summary: Firewall

COMMAND / DESCRIPTION
[no] connlimit max-per-host <1..8192>
    Sets the highest number of sessions that the ZyWALL will permit a host to have at one time. The no command removes the setting.
firewall <1..5000>
    Enters the firewall sub-command mode to set a firewall rule. <1..5000> is the priority number of a firewall rule.
action {allow | deny | reject}
    Sets the action the ZyWALL takes when packets match this rule.
[no] activate
    Enables a firewall rule. The no command disables the firewall rule.

Table 50 Command Summary: Firewall (continued)

COMMAND
copy {cert | conf | idp | packet_trace | script | tmp}/file_name-a.conf {cert | conf | idp | packet_trace | script | tmp}/file_name-b.conf
    Saves a duplicate of a file on the ZyWALL from the source file name to the target file name. Specify the directory and file name of the file that you want to copy and the directory and file name to use for the duplicate. Always copy the file into the same directory.
copy running-config startup-config
    Saves your configuration changes to the flash (non-volatile or long-term) memory. The ZyWALL immediately uses configuration changes made via commands, but if you do not use this command or the write command, the changes will be lost when the ZyWALL restarts.
copy running-config conf/file_name.conf
    Saves a duplicate of the configuration file that the ZyWALL is currently using. You specify the file name to which to copy.
delete {cert | conf | idp | packet_trace | script | tmp}/file_name
    Removes a file. Specify the directory and file name of the file that you want to delete.
dir {cert | conf | idp | packet_trace | script | tmp}
    Displays the list of files saved in the specified directory.
rename {cert | conf | idp | packet_trace | script | tmp}/old_file_name {cert | conf | idp | packet_trace | script | tmp}/new_file_name
    Changes the name of a file. Specify the directory and file name of the file that you want to rename. Then specify the direct...
[no] l2tp-over-ipsec second-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | ppp_interface {aux} {1st-dns | 2nd-dns}}
    Specifies the second DNS server IP address to assign to the remote users. You can specify a static IP address or a DNS server that an interface received from its DHCP server. The no command removes the setting.
[no] l2tp-over-ipsec first-wins-server ip
    Specifies the first WINS server IP address to assign to the remote users. The no command removes the setting.
[no] l2tp-over-ipsec second-wins-server ip
    Specifies the second WINS server IP address to assign to the remote users. The no command removes the setting.
no l2tp-over-ipsec session tunnel-id <0..65535>
    Deletes the specified L2TP VPN tunnel.
show l2tp-over-ipsec
    Displays the L2TP VPN settings.
show l2tp-over-ipsec session
    Displays current L2TP VPN sessions.

17.5 L2TP VPN Example

This example uses the following settings in creating a basic L2TP VPN tunnel. See the Web Configurator User's Guide for how to configure L2TP in remote user computers using Windows XP and Windows 2000.

Figure 21 L2TP VPN Example (figure; labels: L2TP_POOL 192.168.10.10-192.168.10.20, LAN_SUBNET 192.168.1.1/24)

The ZyWALL has a static IP address of 172.23.37.205 for the ge3 interface. The remote user has a dynamic public IP addre...
...ng up the SSL VPN.
show sslvpn monitor
    Displays a list of the users who are currently logged into the VPN SSL client portal.
sslvpn network-extension local-ip ip
    Sets the IP address that the ZyWALL uses in setting up the SSL VPN.
sslvpn policy {profile_name | profile_name append | profile_name insert <1..16>}
    Enters the SSL VPN sub-command mode to add or edit an SSL VPN access policy.
[no] activate
    Turns the SSL VPN access policy on or off.
[no] application application_object
    Adds the SSL application object to the SSL VPN access policy.
[no] description description
    Adds information about the SSL VPN access policy. Use up to 60 characters (0-9, a-z, A-Z and _).
[no] network-extension {activate | ip-pool address_object | 1st-dns {address_object | ip} | 2nd-dns {address_object | ip} | 1st-wins {address_object | ip} | 2nd-wins {address_object | ip} | network address_object}
    Use this to configure a VPN tunnel between the authenticated users and the internal network. This allows the users to access the resources on the network as if they were on the same local network.
    ip-pool: specify the name of the pool of IP addresses to assign to the user computers for the VPN connection.
    Specify the names of the DNS or WINS servers to assign to the remote users. This allows them to access devices on the local network using domain names instead of IP addresses.
    network...
...interfaces. If one interface's connection goes down, the ZyWALL can automatically send its traffic through another interface. You can use policy routing to specify through which interface to send specific traffic types. You can use trunks in combination with policy routing.

You can also define multiple trunks for the same physical interfaces. This allows you to send specific traffic types through the interface that works best for that type of traffic, and if that interface's connection goes down, the ZyWALL can still send its traffic through another interface.

6.2 Trunk Scenario Examples

Suppose one of the ZyWALL's interfaces is connected to an ISP that is also your Voice over IP (VoIP) service provider. You may want to set that interface as active and set another interface (connected to another ISP) to passive. This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface's connection is up.

Another example would be if you use multiple ISPs that provide different levels of service to different places. Suppose ISP A has better connections to Europe, while ISP B has better connections to Australia. You could use policy routing and trunks to send traffic for your European branch offices primarily through ISP A and traffic for your Australian branch offices primarily through ISP B.

6.3 Trunk Commands Input Values

The following table explains the val...
[no] interface ... interface_name [weight <1..10> | limit <1..1048576> | passive]
    ...interface's number. It also sets the interface's weight and spillover limit, or sets it to be passive. The no command removes an interface from a trunk.
mode {normal | trunk}
    Sets the mode for a trunk. Do this first in the trunk's sub-command mode.
algorithm {wrr | llf | spill-over}
    Sets the trunk's load balancing algorithm.
move <1..8> to <1..8>
    Changes the interface order in a trunk.
flush
    Deletes a trunk's interface settings.

6.5 Trunk Command Examples

The following example creates a weighted round robin trunk for Ethernet interfaces ge1 and ge2. The ZyWALL sends twice as much traffic through ge1.

Router# configure terminal
Router(config)# interface-group wrr-example
Router(if-group)# mode trunk
Router(if-group)# algorithm wrr
Router(if-group)# interface 1 ge1 weight 2
Router(if-group)# interface 2 ge2 weight 1
Router(if-group)# exit
Router(config)#

The following example creates a least load first trunk for Ethernet interface ge3 and VLAN 5. The ZyWALL sends new session traffic through the least utilized of these interfaces.

Router# configure terminal
Router(config)# interface-group llf-example
Router(if-group)# mode trunk
Router(if-group)# algorithm llf
Router(if-group)# interface 1 ge3
Router(if-group)# interfac...
...interfaces available depends on the ZyWALL model. For example, the ZyWALL 1050 has 5 Ethernet interfaces and the ZyWALL USG 300 has 7.

1.9 Saving Configuration Changes

Use the write command to save the current configuration to the ZyWALL.

Note: Always save the changes before you log out after each management session. All unsaved changes will be lost after the system restarts.

1.10 Logging Out

Enter the exit or end command in configure mode to go to privilege mode. Enter the exit command in user mode or privilege mode to log out of the CLI.

Chapter 2 User and Privilege Modes

This chapter describes how to use these two modes.

2.1 User And Privilege Modes

This is the mode you are in when you first log into the CLI. Do not confuse user mode with types of user accounts the ZyWALL uses. See Chapter 23 on page 171 for more information about the user types. User-type accounts can only run exit in this mode. However, they may need to log into the device in order to be authenticated for user-aware policies, for example a firewall rule that a particular user is exempt from or a VPN tunnel that only certain people may use.

Type enable to go to privilege mode. No password is required. All commands can be run from here exc...
...numeric, spaces or $_
system type: 0-2 hexadecimal
timezone: hh, -12 through 12, with or without ...
url: 1-511 alphanumeric or ...

Table 3 Input Value Formats for Strings in CLI Commands (continued)

TAG / VALUES / LEGAL VALUES
url
    Used in content filtering redirect: ... alphanumeric or &_ ...; starts with http:// or https://; may contain one pound sign (#).
    Used in other content filtering commands: alphanumeric or &_ ...; starts with http://; may contain one pound sign (#).
user_name
    Used in VPN extended authentication: 1-31 alphanumeric or ...
    Used in other commands: 0-30 alphanumeric or _; first character letters or ...
username: 6-20 alphanumeric or ... (registration user name)
    1-... alphanumeric or _ (logging commands)
user_domainname: 1-80 alphanumeric or _
vrrp group name (less than 15 characters): 1-15 alphanumeric or _
week-day sequence: 1-4, i.e. 1 = first, 2 = second
xauth method: 1-31 alphanumeric or _
xauth password: 1-31 alphanumeric or ... (the remaining legal characters are garbled in this copy)
mac address: 0-12 hexadecimal digits, an even number of them, for example aa, aabbcc, aabbccddeeff

1.8 Ethernet Interfaces

When you need to specify an Ethernet interface, remember that the number of i...
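Several of the string formats in Table 3 are precise enough to check mechanically before a value is pushed into a configuration file or script; the validators below, an added example and not code from the ZyWALL guide, enforce the rules stated completely on the page (user_domainname, vrrp group name, xauth method, week-day sequence, mac address, and the scheme and pound-sign rules for url). The tag names, function names, and the assumption that the 1-511 length bound also applies to the content-filter url forms are this example's own choices.

```python
"""Validators for CLI string formats from Table 3 (added example, not ZyXEL code).

Only rules that Table 3 states completely are enforced; allowed-character
lists that are garbled on the page are deliberately not checked.
"""
import re
from typing import Dict, Tuple

# Formats that are plain "N-M alphanumeric or _" rules.
_PATTERNS: Dict[str, re.Pattern] = {
    "user_domainname": re.compile(r"[A-Za-z0-9_]{1,80}"),   # 1-80 alphanumeric or _
    "vrrp_group_name": re.compile(r"[A-Za-z0-9_]{1,15}"),   # 1-15 alphanumeric or _
    "xauth_method": re.compile(r"[A-Za-z0-9_]{1,31}"),      # 1-31 alphanumeric or _
}

_HEX = set("0123456789abcdefABCDEF")


def check_mac_address(value: str) -> bool:
    """mac address: 0-12 hexadecimal digits, an even number of them (aa, aabbcc, ...)."""
    return len(value) <= 12 and len(value) % 2 == 0 and all(c in _HEX for c in value)


def check_week_day_sequence(value: str) -> bool:
    """week-day sequence: 1-4 (1 = first, 2 = second, ...)."""
    return value in {"1", "2", "3", "4"}


def check_url(value: str, redirect: bool = False) -> bool:
    """url: starts with http:// (https:// also allowed for the content-filter
    redirect URL) and may contain at most one pound sign.  The 1-511 length
    bound is taken from the url row at the top of the table (assumption)."""
    schemes = ("http://", "https://") if redirect else ("http://",)
    if not value.startswith(schemes):
        return False
    if value.count("#") > 1:
        return False
    return 1 <= len(value) <= 511


def validate(tag: str, value: str, **opts) -> Tuple[bool, str]:
    """Return (ok, reason) for `value` under the named Table 3 tag."""
    if tag in _PATTERNS:
        ok = _PATTERNS[tag].fullmatch(value) is not None
        return ok, "" if ok else f"{tag}: must match {_PATTERNS[tag].pattern}"
    if tag == "mac_address":
        ok = check_mac_address(value)
        return ok, "" if ok else "mac_address: up to 12 hex digits, even count"
    if tag == "week_day_sequence":
        ok = check_week_day_sequence(value)
        return ok, "" if ok else "week-day sequence: must be 1, 2, 3 or 4"
    if tag == "url":
        ok = check_url(value, redirect=opts.get("redirect", False))
        return ok, "" if ok else "url: bad scheme, length, or more than one '#'"
    raise KeyError(f"no rule for tag {tag!r}")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    samples = [
        ("user_domainname", "corp_local", {}),
        ("user_domainname", "corp-local", {}),          # dash is not allowed
        ("vrrp_group_name", "vrrp_grp_1", {}),
        ("vrrp_group_name", "a" * 16, {}),              # too long
        ("mac_address", "aabbccddeeff", {}),
        ("mac_address", "aabbc", {}),                   # odd digit count
        ("week_day_sequence", "5", {}),
        ("url", "http://example.invalid/p#top", {}),
        ("url", "https://example.invalid/", {}),         # https only for redirect
        ("url", "https://example.invalid/", {"redirect": True}),
    ]
    for tag, value, opts in samples:
        ok, reason = validate(tag, value, **opts)
        print(f"{tag:18} {value!r:36} {'OK' if ok else 'REJECT: ' + reason}")
```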
[no] ldap-server basedn basedn
    Sets a base distinguished name (DN) for the default LDAP server. A base DN identifies an LDAP directory. The no command clears this setting.
[no] ldap-server binddn binddn
    Sets the user name the ZyWALL uses to log into the default LDAP server. The no command clears this setting.
[no] ldap-server cn-identifier uid
    Sets the unique common name (cn) to identify a record. The no command clears this setting.
[no] ldap-server host ldap_server
    Sets the LDAP server address. Enter the IP address (in dotted decimal notation) or the domain name. The no command clears this setting.
[no] ldap-server password password
    Sets the bind password. The no command clears this setting.
[no] ldap-server port port_no
    Sets the LDAP port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.

Table 112 ldap-server Commands (continued)

COMMAND / DESCRIPTION
[no] ldap-server search-time-limit time
    Sets the search timeout period in seconds. Enter a number between 1 and 300. The no command clears this setting.
[no] ldap-server ssl
    Enables the ZyWALL to establish a secure connection to the LDAP server. The no command disables this feature.

27.2.3 radius-server Commands

The following table lists the radius-server commands you use to set the default RADIUS server.

Table 113 radius-server Command...
...to 63 alphanumeric characters, dashes or periods, but the first character cannot be a period.
service_name: You can use 1-253 alphanumeric characters, underscores, dashes and ... characters.
[no] server ip
    Sets the PPTP server for the specified PPTP ISP account. The no command clears the server name.
[no] encryption {nomppe | mppe-40 | mppe-128}
    Sets the encryption for the specified PPTP ISP account. The no command sets the encryption to nomppe.
[no] connection-id connection_id
    Sets the connection ID for the specified PPTP ISP account. The no command clears the connection ID. connection_id: you can use up to 31 alphanumeric characters, underscores (_), dashes (-) and colons (:).

Chapter 31 SSL Application

This chapter describes how to configure SSL application objects for use in SSL VPN.

31.1 SSL Application Overview

Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account (user group).

31.1.1 SSL Application Object Commands

This table lists the commands for creating SSL application objects. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 122 SSL Application Object Commands

COMMAND / DESCRI...
...to a content filtering profile's trusted list. The no command removes a web site from the trusted list.
[no] content-filter profile filtering_profile custom trust-allow-features
    Sets a content filtering profile to permit Java, ActiveX and Cookies from sites on the trusted list. The no command has the content filtering profile not permit Java, ActiveX and Cookies from sites on the trusted list.
[no] content-filter profile filtering_profile custom trust-only
    Sets a content filtering profile to only allow access to web sites that are on the trusted list. The no command has the profile allow access to web sites that are not on the trusted list.
[no] content-filter profile filtering_profile url-category category_name
    Sets a content filtering profile to check for specific web site categories. The no command has the profile not check for the specified categories.

Table 90 content-filter Filtering Profile Commands Summary (continued)

COMMAND / DESCRIPTION
[no] content-filter profile filtering_profile url-match {block | log | block log}
    Sets a content filtering profile to block, allow and log, or block and log access to web pages that match the categories that you select for the profile. The no command clears the setting.
content-filter profile filtering_profile log blo...
...obtained the default system database file.

34.11.1 Using the atkz -u Debug Command

Note: You only need to use the atkz -u command if the default system database is damaged.

1. Restart the ZyWALL.
2. When "Press any key to enter debug mode within 3 seconds." displays, press a key to enter debug mode.

Figure 44 Enter Debug Mode
BootModule Version: U1.011 | 2007-03-30 12:22:57
DRAM Size: 510 Mbytes
DRAM POST: Testing: 522240K OK
DRAM Test SUCCESS
Kernel Version: U2.4.27-kernel-2006-08-21 | 2006-08-21 19:54:00
ZLD Version: U1.01(XL.0) | 2006-09-11 17:41:56
Press any key to enter debug mode within 3 seconds.
Enter Debug Mode
>

3. Enter atkz -u to start the recovery process.

Figure 45 atkz -u Command for Restoring the Default System Database
> atkz -u

4. "Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file." displays on the screen. Connect your computer to the ZyWALL's port 1 (only port 1 can be used).

Figure 46 Use FTP with Port 1 and IP 192.168.1.1 to Upload File
Done.
Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file.

5. The ZyWALL's FTP server IP address for firmware recovery is 192.168.1.1, so set your computer to use a static IP address from 192.168.1.2 to 192.168.1.254.
6. Use an FTP client on your computer to connect to the ZyWALL. For example, in the Windows command p...
...protocols can access which ZyWALL zones (if any) from which computers.

Note: To allow the ZyWALL to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-ZyWALL rule to block that traffic.

33.1 Remote Management Overview

You may manage your ZyWALL from a remote location via: Internet (WAN only), ALL (LAN & WAN & DMZ), LAN only, DMZ only. To disable remote management of a service, deselect Enable in the corresponding service screen.

33.1.1 Remote Management Limitations

Remote management will not work when:
1. You have disabled that service in the corresponding screen.
2. The accepted IP address in the Service Control table does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately.
3. There is a firewall rule that blocks it.

33.1.2 System Timeout

There is a lease timeout for administrators. The ZyWALL automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. Each user is also forced to log into the ZyWALL for authentication again when the reauthentication time expires.

33.2 HTTP/HTTPS Commands

The following table identifies the values required for many of these commands. Other input values are discussed with...
...of signatures and show the date/time the signatures were created.

Router# configure terminal
Router(config)# anti-virus update signatures
ANTI-VIRUS signature update in progress.
Please check system log for future information.
Router(config)# anti-virus update auto
Router(config)# no anti-virus update auto
Router(config)# anti-virus update hourly
Router(config)# anti-virus update daily 10
Router(config)# anti-virus update weekly fri 13
Router(config)# show anti-virus update
auto: yes
schedule: weekly at Friday 13 o'clock
Router(config)# show anti-virus update status
current status: Anti-Virus Current signature version 1.046 on device is latest at Tue Apr 17 10:18:00 2007
last update time: 2007-04-07 10:41:01
Router(config)# show anti-virus signatures status
current version: 1.046
release date: 2007-04-06 10:41:29
signature number: 4124

19.4 Anti-virus Statistics

The following table describes the commands for collecting and displaying anti-virus statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 73 Commands for Anti-virus Statistics

COMMAND / DESCRIPTION
[no] anti-virus statistics collect
    Turns the collection of anti-virus statistics on or off.
anti-virus statistics flush
    Clears the collected statistics.
show anti-virus statistics summary
    Displays the collected statistics.
show...
...policy type: DNS, service: ...
Router(config)#
Router# configure terminal
Router(config)# idp search signature LAN_IDP name worm sid 12345 severity 1 platform 4 policytype 4 service 1 activate yes log log action 2

20.4 IDP Custom Signatures

Use these commands to create a new signature or edit an existing one.

Note: It is recommended you use the web configurator to create and edit signatures, using the web configurator Anti-X > IDP > Custom Signatures screen.

Note: You must use the web configurator to import a custom signature file.

Table 84 Custom Signatures

COMMAND / DESCRIPTION
idp customize signature quoted_string
    Creates a new custom signature. The quoted string is the signature command string enclosed in quotes, for example: alert tcp any any <> any any (msg:"test"; sid:9000000;)
idp customize signature edit quoted_string
    Edits an existing custom signature.
no idp customize signature custom_sid
    Deletes a custom signature.
show idp signatures custom-signature custom_sid details {contents | non-contents}
    Displays custom signature information.
show idp signatures custom-signature all details
    Displays all custom signatures' information.
show idp signatures custom-signature number
    Displays the total number of custom signatures.

20.4.1 Custom Signature Examples

These examples...
...configure terminal command to enter the configuration mode before you can use these commands.

Table 31 Command Summary: Policy Route

COMMAND / DESCRIPTION
[no] bwm activate
    Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes or application patrol policies apply bandwidth management. The no command globally disables bandwidth management.
policy {<1..5000> | append | insert <1..5000>}
    Enters the policy route sub-command mode to configure, add or insert a policy.
[no] bandwidth <1..1048576> priority <1..1024> [maximize-bandwidth-usage]
    Sets the maximum bandwidth and priority for the policy. The no command removes bandwidth settings from the rule. You can also turn maximize bandwidth usage on or off.
[no] deactivate
    Disables the specified policy. The no command enables the specified policy.
[no] description description
    Sets a descriptive name for the policy. The no command removes the name for the policy.
[no] destination {address_object | any}
    Sets the destination IP address the matched packets must have. The no command resets the destination IP address to the default (any). any means all IP addresses.
[no] interface interface_name
    Sets the interface on which the incoming packets are received. The no command resets the incoming interface to the default (any). any means all interfaces.
[no] next-hop {auto | gateway ad...
...pool is bound to the specified interface. The no command removes the specified DHCP relay.
release dhcp interface_name
    Releases the TCP/IP configuration of the specified interface. The interface must be a DHCP client. This command is available in privilege mode, not configuration mode.
renew dhcp interface_name
    Renews the TCP/IP configuration of the specified interface. The interface must be a DHCP client. This command is available in privilege mode, not configuration mode.
show ip dhcp binding [ip]
    Displays information about DHCP bindings for the specified IP address or for all IP addresses.
clear ip dhcp binding [ip]
    Removes the DHCP bindings for the specified IP address or for all IP addresses.

5.2.3.1 DHCP Setting Command Examples

The following example uses these commands to configure DHCP pool DHCP_TEST.

Router# configure terminal
Router(config)# ip dhcp pool DHCP_TEST
Router(config-ip-dhcp-pool)# ...
Router(config-ip-dhcp-pool)# ...
Router(config-ip-dhcp-pool)# exit
Router(config)# interface ge1
Router(config-if)# ip dhcp-pool ...
Router(config-if)# exit
Router(config)# show ip dh...
COUNTRY CODE / COUNTRY NAME
... Cameroon
039 Canada
040 Cape Verde
041 Cayman Islands
042 Central African Republic
043 Chad
044 Chile
045 China
046 Christmas Island
047 Cocos (Keeling) Islands
048 Colombia
049 Comoros
050 Congo, Democratic Republic of the
051 Congo, Republic of
052 Cook Islands
053 Costa Rica
054 Cote d'Ivoire
055 Croatia (Hrvatska)
056 Cyprus
057 Czech Republic
058 Denmark
059 Djibouti
060 Dominica
061 Dominican Republic
062 East Timor
063 Ecuador
064 Egypt
065 El Salvador
066 Equatorial Guinea
067 Eritrea
068 Estonia
069 Ethiopia
070 Falkland Islands (Malvinas)

Table 9 Country Codes (continued)

COUNTRY CODE / COUNTRY NAME
071 Faroe Islands
072 Fiji
073 Finland
074 France
075 France, Metropolitan
076 French Guiana
077 French Polynesia
078 French Southern Territories
079 Gabon
080 Gambia
081 Georgia
082 Germany
083 Ghana
084 Gibraltar
085 Great Britain
086 Greece
087 Greenland
088 Grenada
089 Guadeloupe
090 Guam
091 Guatemala
092 Guernsey
093 Guinea
094 Guinea-Bissau
095 Guyana
096 Haiti
097 Heard and McDonald Islands
098 Holy See (Vatican City State)
099 Honduras
100 Hong Kong
101 Hungary
102 Iceland
103 India
104 Indonesia
105 Ireland
106 Isle of Man
107 Italy
108 Jamaica
109 Japan
110 Jersey
111 Jordan
112 Kazakhstan
113 Ken...
...for support engineers. It is recommended that you not modify the hardware watchdog timer settings.

Table 155 hardware-watchdog-timer Commands

COMMAND / DESCRIPTION
[no] hardware-watchdog-timer <4..37>
    Sets how long the system's hardware can be unresponsive before resetting. The no command turns the timer off.
show hardware-watchdog-timer status
    Displays the settings of the hardware watchdog timer.

40.2 Software Watchdog Timer

The software watchdog has the system restart if the core firmware fails.

Note: The software watchdog timer commands are for support engineers. It is recommended that you not modify the software watchdog timer settings.

Table 156 software-watchdog-timer Commands

COMMAND / DESCRIPTION
[no] software-watchdog-timer <10..600>
    Sets how long the system's core firmware can be unresponsive before resetting. The no command turns the timer off.

Table 156 software-watchdog-timer Commands (continued)

COMMAND / DESCRIPTION
show software-watchdog-timer status
    Displays the settings of the software watchdog timer.
show software-watchdog-timer log
    Displays a log of when the software watchdog timer took effect.

40.3 Application Watchdog

The application watchdog has the system restart a process that fails. These are the app-watchdog commands. Use the configure terminal command...
...password at the prompts.

Note: The default login username is admin and the password is 1234. The username and password are case-sensitive.

1.2.2 Web Configurator Console

Note: Before you can access the CLI through the web configurator, make sure your computer supports the Java Runtime Environment. You will be prompted to download and install the Java plug-in if it is not already installed.

When you access the CLI using the web console, your computer establishes a SSH (Secure SHell) connection to the ZyWALL. Follow the steps below to access the web console.

1. Log into the web configurator.
2. Click the Console icon in the top right corner of the web configurator screen.
3. If the Java plug-in is already installed, skip to step 4. Otherwise you will be prompted to install the Java plug-in. If the prompt does not display and the screen remains gray, you have to download the setup program.
4. The web console starts. This might take a few seconds. One or more security screens may display. Click Yes or Always.

Figure 3 Web Console Security Warnings (screenshots of two dialogs: "Do you want to trust the signed applet distributed by ..." and "Do you want to accept the certificate from web site ZyWALL 1050_Factory_Default_Certificate for the purpose of exchanging encrypted ...")
271. orization time in minutes (0-1440) for each new user. Set it to zero to set unlimited reauthorization time. The no command sets the default reauthorization time to thirty.
[no] users default-setting user-type {guest | limited-admin | user}
    Sets the default user type for each new user. The no command sets the default user type to user.
show users retry-settings
    Displays the current retry limit settings for users.
[no] users retry-limit
    Enables the retry limit for users. The no command disables the retry limit.
[no] users retry-count <1..99>
    Sets the number of failed login attempts a user can have before the account or IP address is locked out for lockout-period minutes. The no command sets the retry count to five.
[no] users lockout-period <1..65535>
    Sets the amount of time in minutes a user or IP address is locked out after retry-count number of failed login attempts. The no command sets the lockout period to thirty minutes.

Chapter 23 User/Group

Table 100 username/groupname Commands Summary: Settings (continued)
COMMAND / DESCRIPTION
show users simultaneous-logon settings
    Displays the current settings for simultaneous logins by users.
[no] users simultaneous-logon {administration | access} enforce
    Enables the limit on the number of simultaneous logins by users of the specified account type. The no command disables the limit or allows
272. ory again followed by the new file name.
rename script/old-file-name script/new-file-name
    Changes the name of a shell script.
run script/file-name.zysh
    Has the ZyWALL execute a specific shell script file. You must still use the write command to save your configuration changes to the flash (non-volatile or long-term) memory.
show running-config
    Displays the settings of the configuration file that the system is using.
setenv-startup stop-on-error off
    Has the ZyWALL ignore any errors in the startup-config.conf file and apply all of the valid commands.
show setenv-startup
    Displays whether or not the ZyWALL is set to ignore any errors in the startup-config.conf file and apply all of the valid commands.
write
    Saves your configuration changes to the flash (non-volatile or long-term) memory. The ZyWALL immediately uses configuration changes made via commands, but if you do not use the write command, the changes will be lost when the ZyWALL restarts.

Chapter 34 File Manager

34.5 File Manager Command Example
This example saves a back up of the current configuration before applying a shell script file.
Router(config)# copy running-config conf/backup.conf
Router(config)# run script/vpn_setup.zysh

34.6 FTP File Transfer
You can use FTP to transfer files to and from the ZyWALL for advanced maintenance and suppor
273. p
Router(config)# no alg h323

PART III Firewall and VPN
Firewall (93)
IPSec VPN (99)
SSL VPN (107)
L2TP VPN (111)

Firewall
This chapter introduces the ZyWALL's firewall and shows you how to configure your ZyWALL's firewall.

14.1 Firewall Overview
The ZyWALL's firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
A zone is a group of interfaces or VPN tunnels. Group the ZyWALL's interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones or even between interfaces and/or VPN tunnels in a zone.
The following figure shows the ZyWALL's default firewall rules in action, as well as demonstrates how stateful inspection works. User 1 can initiate a Telnet session from within the LAN zone and responses to this request are allowed. However, other Telnet traffic initiated from the WAN or DMZ zone and destined for the LAN zone is blocked. Communications between the WAN and the DMZ zones are allowed. The firewall allows VPN traffic between any of the networks.
Figure 16 Default Firewall Action (WAN, Internet, ZyWALL)

Chapter 14 Firewall
Your customized rules ta
274. p other log [alert]
    Creates log entries and alerts for other applications. The no command does not create any log entries.

18.2.4 Rule Commands for Other Applications
This table lists the commands for rules in other applications.

Table 65 app Commands: Rules in Other Applications
COMMAND / DESCRIPTION
app other insert <1..64>
    Creates a new rule at the specified row and enters sub-command mode.
app other append
    Creates a new rule, appends it to the end of the list, and enters sub-command mode.
app other <1..64>
    Enters sub-command mode for editing the rule at the specified row.
app other default
    Enters sub-command mode for editing the default rule for traffic of an unidentified application.
[no] activate
    Turns on this rule. The no command turns off this rule.
[no] port <0..65535>
    Specifies the destination port; 0 means any.
[no] schedule profile_name
    Adds the specified schedule to the rule.
[no] user username
    Adds the specified user to the rule.
[no] from zone_name
    Specifies the source zone.
[no] to zone_name
    Specifies the destination zone.
[no] source profile_name
    Adds the specified source address to the rule.
[no] destination profile_name
    Adds the specified destination address to the rule.
[no] protocol {tcp | udp}
    Adds the specified protocol to the rule.
access {forward | drop | reject}
    Specifies the act
275. pattern av_file_pattern {activate | deactivate}
    Adds or removes a white list file pattern. Turns a file pattern on or off.
anti-virus white-list replace old_av_file_pattern new_av_file_pattern {activate | deactivate}
    Replaces the specified white list file pattern with a new file pattern.

Chapter 19 Anti-Virus

Table 70 Commands for Anti-virus White and Black Lists (continued)
COMMAND / DESCRIPTION
[no] anti-virus black-list activate
    Turns on the black list to log and delete files with names that match the black list patterns.
[no] anti-virus black-list file-pattern av_file_pattern {activate | deactivate}
    Adds or removes a black list file pattern. Turns a file pattern on or off.
anti-virus black-list replace old_av_file_pattern new_av_file_pattern {activate | deactivate}
    Replaces the specified black list file pattern with a new file pattern.

19.2.3.1 White and Black Lists Example
This example shows how to enable the white list and configure an active white list entry for files with a .exe extension. It also enables the black list and configures an inactive black list entry for files with a .exe extension.
Router(config)# anti-virus white-list activate
Router(config)# anti-virus white-list file-pattern *.exe activate
Router(config)# anti-virus black-list activate
Router(config)# anti-virus black-list file-pattern *.exe deactivate
Router(config)# show anti-virus white-list status
anti-virus white-list status: yes
Router(config)# show anti-virus white-list
No. Status File Pattern
Router(config)# anti-virus white-l
276. platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text "worm" within the signature name.
show idp search system-protect my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log alert} action action_mask
    Searches for signature(s) in a system-protect profile by the parameters specified. The quoted string is any text within the signature name in quotes; for example, idp search LAN_IDP name "WORM" sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text "worm" within the signature name.

20.3.6.1 Search Parameter Tables
The following table displays the command line severity, platform and policy type equivalent values. If you want to combine platforms in a search, then add their respective numbers together. For example, to search for signatures for Windows NT, Windows XP and Windows 2000 computers, then type 12 as the platform parameter.

Table 82 Severity, Platform and Policy Type Command Values
SEVERITY
    1 Very Low
    2 Low
    3 Medium
    4 High
    5 Severe
PLATFORM
    1 All
    2 Win95/98
    4 WinNT
    8 WinXP/2000
    16 Linux
POLICY TYPE
    1 DoS
    2 Buffer Overflow
    3 Access Control
    4 Scan
    5 Backdoor/T
277. priority <0..255>
    Sets the priority of the specified interface to the specified value. The no command sets the priority to 1.
[no] ip ospf cost <1..65535>
    Sets the cost of the specified interface to the specified value. The no command sets the cost to 10.
no ip ospf authentication
    Disables authentication for OSPF in the specified interface.
ip ospf authentication
    Enables text authentication for OSPF in the specified interface.
ip ospf authentication message-digest
    Enables MD5 authentication for OSPF in the specified interface.
ip ospf authentication same-as-area
    Makes OSPF authentication in the specified interface follow the settings in the corresponding area.
[no] ip ospf authentication-key password
    Sets the simple text password for OSPF text authentication in the specified interface. The no command clears the text password. password: 1-8 alphanumeric characters or underscores.
ip ospf message-digest-key <1..255> md5 password
    Sets the ID and password for OSPF MD5 authentication in the specified interface. password: 1-16 alphanumeric characters or underscores.
no ip ospf message-digest-key
    Clears the ID and password for OSPF MD5 authentication in the specified interface.

Chapter 5 Interfaces

Table 19 interface Commands: OSPF Settings (continued)
COMMAND / DESCRIPTION
[no] ip ospf hello-interval <1..65535
278. r(config)# interface ppp0
Router(config-if-ppp)# account Hinet
Router(config-if-ppp)# bind ge1
Router(config-if-ppp)# local-address 1.1.1.1
Router(config-if-ppp)# remote-address 2.2.2.2
Router(config-if-ppp)# mtu 1200
Router(config-if-ppp)# upstream 345
Router(config-if-ppp)# downstream 123
Router(config-if-ppp)# connectivity dial-on-demand
Router(config-if-ppp)# description I am ppp0
Router(config-if-ppp)# exit
The following commands show you how to connect and disconnect ppp0.
Router# interface dial ppp0
Router# interface disconnect ppp0

Chapter 5 Interfaces

5.2.10 Auxiliary Interface Commands
The first table below lists the auxiliary interface commands, and the second table explains the values you can input with these commands.

Table 27 interface Commands: Auxiliary Interface
COMMAND / DESCRIPTION
interface dial aux
interface disconnect aux
    Dials or disconnects the auxiliary interface.
interface aux
    Enters sub-command mode.
[no] phone-number phone
    Specifies the phone number of the auxiliary interface. You can use 1-20 numbers, commas, or plus signs. Use a comma to pause during dialing. Use a plus sign to tell the external modem to make an international call. The no command clears the phone number.
[no] dialing-type {tone | pulse}
    Specifies the dial type of the auxiliary interface. The no command sets the dial type to tone.
[no] port-speed {9600 | 19200 | 38400 | 57600 | 115200}
    Specifies the baud rate of the auxiliary interface. The no command sets the baud rate to 115200.
[no] initial-string initi
279. r General Anti-Virus Commands
LABEL / DESCRIPTION
zone_object
    The name of the zone. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case sensitive.
av_file_pattern
    Use up to 80 characters to specify a file pattern. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
    A question mark (?) lets a single character in the file name vary. For example, use "?a.zip" (without the quotation marks) to specify aa.zip, ab.zip and so on.
    Wildcards (*) let multiple files match the pattern. For example, use "*a.zip" (without the quotation marks) to specify any file that ends with "a.zip". A file named "testa.zip" would match. There could be any number of any type of characters in front of the "a.zip" at the end and the file name would still match. A file named "test.zipa", for example, would not match.
    A * in the middle of a pattern has the ZyWALL check the beginning and end of the file name and ignore the middle. For example, with "abc*.zip", any file starting with "abc" and ending in ".zip" matches, no matter how many characters are in between.
    The whole file name has to match if you do not use a question mark or asterisk.
    If you do not use a wildcard, the ZyWALL checks up to the first 80 characters of a file name.

Chapter 19 Anti-Virus
19.2.1 Gene
280. r IPSec VPN Commands (continued)
LABEL / DESCRIPTION
distinguished_name
    A domain name. You can use up to 511 alphanumeric, spaces, or _ characters.
sort_order
    Sort the list of currently connected SAs by one of the following classifications: algorithm, inbound, outbound, timeout, encapsulation, name, policy.
The following sections list the IPSec VPN commands.

15.2.1 IKE SA Commands
This table lists the commands for IKE SAs (VPN gateways).

Table 52 isakmp Commands: IKE SAs
COMMAND / DESCRIPTION
show isakmp keepalive
    Displays the Dead Peer Detection period.
show isakmp policy [policy_name]
    Shows the specified IKE SA or all IKE SAs.
isakmp keepalive <2..60>
    Sets the Dead Peer Detection period.
[no] isakmp policy policy_name
    Creates the specified IKE SA if necessary and enters sub-command mode. The no command deletes the specified IKE SA.
isakmp policy rename policy_name policy_name
    Renames the specified IKE SA (first policy_name) to the specified name (second policy_name).
isakmp policy policy_name
    activate | deactivate
        Activates or deactivates the specified IKE SA.
    mode {main | aggressive}
        Sets the negotiating mode.
    transform-set isakmp_algo [isakmp_algo ...]
        Sets the encryption and authentication algorithms for each proposal.
        ISAKMP_ALGO: des-md5 | des-sha | 3des-md5 | 3des-sha | aes128-md5 | aes128-sha | aes192-md5 | aes192-sha | aes25
281. r SSH connections. The no command resets the certificate used by the SSH server to the factory default ("default").
    certificate_name: The name of the certificate. You can use up to 31 alphanumeric and &_ characters.
[no] ip ssh server port <1..65535>
    Sets the SSH service port number. The no command resets the SSH service port number to the factory default (22).
ip ssh server rule {<1..32> | append | insert <1..32>} access-group {ALL | address_object} zone {ALL | zone_object} action {accept | deny}
    Sets a service control rule for SSH service.
    address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case sensitive.
    zone_object: The name of the zone. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case sensitive.
ip ssh server rule move <1..32> to <1..32>
    Changes the index number of a SSH service control rule.

Chapter 33 System Remote Management

Table 130 Command Summary: SSH (continued)
COMMAND / DESCRIPTION
[no] ip ssh server v1
    Enables remote management using SSH v1. The no command stops the ZyWALL from using SSH v1.
[no] ip ssh server rule <1..32>
    Deletes a service control rule for SSH s
282. r profile filtering_profile custom
    Sets a content filtering profile to use a profile's custom settings (lists of trusted web sites and forbidden web sites and blocking of certain web features). The no command has the profile not use the custom settings.
[no] content-filter profile filtering_profile custom activex
    Sets a content filtering profile to block ActiveX controls. The no command sets the profile to allow ActiveX.
[no] content-filter profile filtering_profile custom cookie
    Sets a content filtering profile to block Cookies. The no command sets the profile to allow Cookies.
[no] content-filter profile filtering_profile custom forbid forbid_hosts
    Adds a web site to a content filtering profile's forbidden list. The no command removes a web site from the forbidden list.
[no] content-filter profile filtering_profile custom java
    Sets a content filtering profile to block Java. The no command sets the profile to allow Java.
[no] content-filter profile filtering_profile custom keyword keyword
    Has a content filtering profile block access to Web sites with URLs that contain the specified keyword or IP address in the URL. The no command removes the keyword.
[no] content-filter profile filtering_profile custom proxy
    Sets a content filtering profile to block access to web proxy servers. The no command sets the profile to allow access to proxy servers.
[no] content-filter profile filtering_profile custom trust trust_hosts
    Adds a web site t
283. r the specified e-mail profile.
    day: sun | mon | tue | wed | thu | fri | sat

Chapter 35 Logs

35.1.4.1 E-mail Profile Command Examples
The following commands set up e-mail log 1: address mail.zyxel.com.tw, subject AAA, authentication username lachang.li and password XXXXXX, send log to lachang.li@zyxel.com.tw, send alerts to lachang.li@zyxel.com.tw, from lachang.li@zyxel.com.tw, schedule weekly day mon hour 3 minute 3.
Router# configure terminal
Router(config)# logging mail 1 address mail.zyxel.com.tw
Router(config)# logging mail 1 subject AAA
Router(config)# logging mail 1 authentication username lachang.li password XXXXXX
Router(config)# logging mail 1 send-log-to lachang.li@zyxel.com.tw
Router(config)# logging mail 1 send-alerts-to lachang.li@zyxel.com.tw
Router(config)# logging mail 1 from lachang.li@zyxel.com.tw
Router(config)# logging mail 1 schedule weekly day mon hour 3 minute 3

35.1.5 Console Port Logging Commands
This table lists the commands for the console port settings.

Table 148 logging Commands: Console Port Settings
COMMAND / DESCRIPTION
show logging status console
    Displays the current settings for the console log. (This log is not discussed above.)
[no] logging console
    Enables the console log. The no command disables the console log.
logging console category module_name level {alert | crit | debug | emerg | error | info | notice | warn}
    Controls whether or not debugging information for the specified priority is displayed in the console log, if logging for this category is enabled.
284. r you to tell the ZyWALL about the networks beyond the network connected to the ZyWALL directly.

Chapter 7 Route
Figure 14 Example of Static Routing Topology (N1, N2, N3)

7.4 Static Route Commands
The following table describes the commands available for static route. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 32 Command Summary: Static Route
COMMAND / DESCRIPTION
[no] ip route {w.x.y.z} {w.x.y.z} {interface | w.x.y.z} [<0..127>]
    Sets a static route. The no command disables a static route.
ip route replace {w.x.y.z} {w.x.y.z} {interface | w.x.y.z} [<0..127>] with {w.x.y.z} {w.x.y.z} {interface | w.x.y.z} [<0..127>]
    Changes an existing route's settings.
show ip route [settings]
    Displays static route information.

7.4.1 Static Route Commands Example
The following command sets a static route with IP address 10.10.10.1 and subnet mask 255.255.255.0 and with the next-hop interface ge1.
Router(config)# ip route 10.10.10.1 255.255.255.0 ge1

Chapter 7 Route

Routing Protocol
This chapter describes how to set up RIP and OSPF routing protocols for the ZyWALL.

8.1 Routing Protocol Overview
Routing protocols give the ZyWALL routing in
285. ral Anti-virus Commands
The following table describes general anti-virus commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Note: You must register for the anti-virus service before you can use it (see Chapter 19 on page 129).

Table 68 General Anti-virus Commands
COMMAND / DESCRIPTION
[no] anti-virus activate
    Enables anti-virus service (anti-virus service also depends on anti-virus service registration).
show anti-virus activation
    Displays anti-virus service status.
[no] anti-virus eicar activate
    Turns detection of the EICAR test file on or off.
show anti-virus eicar activation
    Displays whether or not detection of the EICAR test file is turned on.
anti-virus reload-signatures
    Recovers the anti-virus signatures. You should only need to do this if instructed to do so by a support technician.

19.2.1.1 Activate/Deactivate Anti-Virus Example
This example shows how to activate and deactivate anti-virus on the ZyWALL.
Router# configure terminal
Router(config)# anti-virus activate
Router(config)# show anti-virus activation
anti-virus activation: yes
Router(config)# no anti-virus activate
Router(config)# show anti-virus activation
anti-virus activation: no
Router(config)#

19.2.2 Zone to Zone Anti-virus Rules
The following table describes the commands for configuring the zone to zone rules. You must
286. range 20 21
Router(config)# service-object ICMP_ECHO icmp echo
Router(config)# service-object MULTICAST protocol 2
Router(config)# show service-object
Object name   Protocol   Minmum port   Maxmum port   Ref
TELNET        TCP        23            23            0
FTP           TCP        20            21            0
ICMP_ECHO     ICMP       0             0             0
MULTICAST     2          0             0             0
Router(config)# no service-object ICMP_ECHO
Router(config)# show service-object
Object name   Protocol   Minmum port   Maxmum port   Ref
TELNET        TCP        23            23            0
FTP           TCP        20            21            0
MULTICAST     2          0             0             0

25.2.2 Service Group Commands
The first table lists the commands for service groups.

Table 108 object-group Commands: Service Groups
COMMAND / DESCRIPTION
show object-group service [group_name]
    Displays information about the specified service group.
[no] object-group service group_name
    Creates the specified service group if necessary and enters sub-command mode. The no command removes the specified service group.
[no] service-object object_name
    Adds the specified service to the specified service group. The no command removes the specified service from the specified group.

Chapter 25 Services

Table 108 object-group Commands: Service Groups (continued)
COMMAND / DESCRIPTION
[no] object-group group_name
    Adds the specified service group (second group_name) to the specified service group (first group_name). The no command removes the specified service group from the specified service group.
287. rd e-mail user@domainname country-code country_code
    Creates a new account and registers the device at one time. country_code: see Table 9 on page 40.

Chapter 4 Registration

Table 8 Command Summary: Registration (continued)
COMMAND / DESCRIPTION
service-register checkexpire
    Gets information of all service subscriptions from myZyXEL.com and updates the status table.
service-register service-type standard license-key key_value
    Activates a standard service subscription with the license key.
service-register service-type trial service {all | content-filter | idp | av}
    Activates the trial service subscription(s).
show device-register status
    Displays whether the device is registered and account information.
show service-register status {all | content-filter | idp | sslvpn | av}
    Displays service license information.

4.2.1 Command Examples
The following commands allow you to register your device with an existing account (or create a new account and register the device at one time) and activate a trial service subscription.
Router# configure terminal
Router(config)# device-register username alexctsui password 123456
Router(config)# service-register service-type trial service content-filter
The following command displays the account information and whether the device is registered.
Router# configure terminal
Router(config)# show dev
288. res, and dashes, and it can be up to 31 characters long.
    password: You can use most printable ASCII characters. You cannot use square brackets, double quotation marks, question marks, tabs or spaces. It can be up to 31 characters long.
[no] logging mail <1..2> {send-log-to | send-alerts-to} e_mail
    Sets the e-mail address for logs or alerts. The no command clears the specified field.
    e_mail: You can use up to 63 alphanumeric characters, underscores, or dashes, and you must use the @ character.
[no] logging mail <1..2> subject subject
    Sets the subject line when the ZyWALL mails to the specified e-mail profile. The no command clears this field.
    subject: You can use up to 60 alphanumeric characters, underscores, dashes, or special characters.
[no] logging mail <1..2> category module_name level {alert | all}
    Specifies what kind of information is logged for the specified category. The no command disables logging for the specified category.
[no] logging mail <1..2> schedule {full | hourly}
    Sets the e-mail schedule for the specified e-mail profile. The no command clears the schedule field.
logging mail <1..2> schedule daily hour <0..23> minute <0..59>
    Sets a daily e-mail schedule for the specified e-mail profile.
logging mail <1..2> schedule weekly day day hour <0..23> minute <0..59>
    Sets a weekly e-mail schedule fo
289. ress (Local_Address) Foreign_Address State
1  tcp 172.23.37.240:22    172.23.37.10:1179 ESTABLISHED
2  udp 127.0.0.1:64002     0.0.0.0:0
3  udp 0.0.0.0:520         0.0.0.0:0
4  udp 0.0.0.0:138         0.0.0.0:0
5  udp 0.0.0.0:138         0.0.0.0:0
6  udp 0.0.0.0:138         0.0.0.0:0
7  udp 0.0.0.0:138         0.0.0.0:0
8  udp 0.0.0.0:138         0.0.0.0:0
9  udp 0.0.0.0:138         0.0.0.0:0
10 udp 0.0.0.0:138         0.0.0.0:0
11 udp 0.0.0.0:32779       0.0.0.0:0
12 udp 192.168.1.1:4500    0.0.0.0:0
13 udp 1.1.1.1:4500        0.0.0.0:0
14 udp 10.0.0.8:4500       0.0.0.0:0
15 udp 172.23.37.205:4500  0.0.0.0:0
16 udp 172.23.37.240:4500  0.0.0.0:0
17 udp 127.0.0.1:4500      0.0.0.0:0
18 udp 127.0.0.1:63000     0.0.0.0:0
19 udp 127.0.0.1:63001     0.0.0.0:0
20 udp 127.0.0.1:63002     0.0.0.0:0
21 udp 0.0.0.0:161         0.0.0.0:0
22 udp 127.0.0.1:63009     0.0.0.0:0
23 udp 192.168.1.1:1701    0.0.0.0:0
24 udp 1.1.1.1:1701        0.0.0.0:0
25 udp 10.0.0.8:1701       0.0.0.0:0
26 udp 172.23.37.205:1701  0.0.0.0:0
27 udp 172.23.37.240:1701  0.0.0.0:0
28 udp 127.0.0.1:1701      0.0.0.0:0
29 udp 127.0.0.1:63024     0.0.0.0:0
30 udp 127.0.0.1:30000     0.0.0.0:0
31 udp 1.1.1.1:53          0.0.0.0:0
32 udp 172.23.37.205:53    0.0.0.0:0
33 udp 10.0.0.8:53         0.0.0.0:0
34 udp 172.23.37.240:53    0.0.0.0:0
35 udp 192.168.1.1:53      0.0.0.0:0
36 udp 127.0.0.1:53        0.0.0.0:0
37 udp 0.0.0.0:67          0.0.0.0:0
38 udp 127.0.0.1:63046     0.0.0.0:0
39 udp 127.0.0.1:65097     0.0.0.0:0
40 udp 0.0.0.0:65098       0.0.0.0:0
41 udp 192.168.1.1:500     0.0.0.0:0
42 udp 1.1.1.1:500         0.0.0.0:0
43 udp 10.0.0.8:500        0.0.0.0:0
44 udp 172.23.37.205:500   0.0.0.0:0
45
290. rnet interface, VLAN interface, bridge interface
virtual interface: virtual Ethernet interface (Ethernet interface), virtual VLAN interface (VLAN interface), virtual bridge interface (bridge interface)
trunk: Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface, auxiliary interface
You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPPoE/PPTP interface on top of it.

5.2 Interface Commands Summary
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 12 Input Values for General Interface Commands
LABEL / DESCRIPTION
interface_name
    The name of the interface.
    Ethernet interface: gex, x = 1..5
    virtual interface on top of Ethernet interface: gex:y, x = 1..5, y = 1..4
    VLAN interface: vlanx, x = 0..31
    virtual interface on top of VLAN interface: vlanx:y, x = 0..31, y = 1..4
    bridge interface: brx, x = 0..11
    virtual interface on top of bridge interface: brx:y, x = 0..11, y = 1..4
    PPPoE/PPTP interface: pppx, x = 0..11
profile_name
    The name of the DHCP pool. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case sensiti
291. rojan
    PLATFORM (continued): 32 FreeBSD, 64 Solaris, 128 SGI, 256 Other Unix, 512 Network Device
    POLICY TYPE (continued): 6 Others, 7 P2P, 8 IM, 9 Virus/Worm, 10 Porn, 11 Web Attack, 12 Spam

Chapter 20 IDP Commands
The following table displays the command line service and action equivalent values. If you want to combine services in a search, then add their respective numbers together. For example, to search for signatures for DNS, Finger and FTP services, then type 7 as the service parameter.

Table 83 Service and Action Command Values
SERVICE
    1 DNS
    2 FINGER
    4 FTP
    8 MYSQL
    16 ICMP
    32 IM
    64 IMAP
    128 MISC
    256 NETBIOS
    512 NNTP
    1024 ORACLE
    2048 P2P
    4096 POP2
    8192 POP3
    16384 RPC
    32768 RSERVICES
    65536 SMTP
    131072 SNMP
    262144 SQL
    524288 TELNET
    1048576 TFTP
    2097152 n/a
    4194304 WEB_ATTACKS
    8388608 WEB_CGI
    16777216 WEB_FRONTPAGE
    33554432 WEB_IIS
    67108864 WEB_MISC
    134217728 WEB_PHP
    268435456 MISC_BACKDOOR
    536870912 MISC_DDOS
    1073741824 MISC_EXPLOIT
ACTION
    1 None
    2 Drop
    4 Reject sender
    8 Reject receiver
    16 Reject both

20.3.6.2 Signature Search Example
This example command searches for all signatures in the LAN_IDP profile that: contain the text "worm" within the signature name; have an ID of 12345; have a very low severity level; are enabled; generate logs; operate on the Windows NT platform; are a scan p
292. rompt, type ftp 192.168.1.1. Keep the console session connected in order to see when the default system database recovery finishes.
7 Hit enter to log in anonymously.

Chapter 34 File Manager
8 Set the transfer mode to binary (type bin).
9 Transfer the firmware file from your computer to the ZyWALL. Type put followed by the path and name of the firmware file. This example uses put E:\ftproot\ZLD_FW\1.01(XL.0)C0.db.
Figure 47 FTP Default System Database Transfer Command
C:\> ftp 192.168.1.1
Connected to 192.168.1.1.
220---------- Welcome to Pure-FTPd 1.0.11 ----------
220-You are user number 1 of 58 allowed.
220-Local time is now 03:56 and the load is 0.00. Server port: 21.
220-Only anonymous FTP is allowed here
220 You will be disconnected after 15 minutes of inactivity.
User (192.168.1.1:(none)):
230 Anonymous user logged in
ftp> bin
200 TYPE is now 8-bit binary
ftp> put E:\ftproot\ZLD_FW\1.01(XL.0)C0.db
10 Wait for the file transfer to complete.
Figure 48 FTP Default System Database Transfer Complete
200 PORT command successful
150 Connecting to port 3789
226-248.5 Mbytes free disk space
226-File successfully transferred
226 0.0068 seconds (measured here), 13.31 Mbytes per second
ftp: 112398 bytes sent in 0.02Seconds 7624.88Kbytes/sec.
11 The console session displays "done" after
293. rompt displays after the ZyWALL starts up successfully. The firmware recovery process is now complete and the ZyWALL is ready to use.

Chapter 34 File Manager
Figure 40 Restart Complete
Setting the System Clock using the Hardware Clock as reference...
System Clock set. Local time: Sun Jan 26 21:40:24 UTC 2003
Cleaning: /tmp /var/lock /var/run.
Initializing random number generator... done.
Initializing Debug Account Authentication Seed (DAAS)... done.
Lionic device init successfully
cavium nitrox device CN1005 init complete
INIT: Entering runlevel: 3
zylog daemon: zylogd zylog starts.
syslog-ng.
uam daemon.
app patrol daemon.
periodic command scheduler: cron.
Start ZyWALL system daemon....
Got LINK_CHANGE
Port [0] is up --> Group [0] is up
Applying system configuration file, please wait...
ZyWALL system is configured successfully with startup-config.conf
Welcome to ZyWALL 1050
Username:

34.11 Restoring the Default System Database
The default system database stores information such as the default anti-virus or IDP signatures. The ZyWALL can still operate if the default system database is damaged or missing, but related features (like anti-virus or IDP) may not function properly.
If the default system database file is not valid, the ZyWALL displays a warning message in your console session at startup or when reloading the anti-virus or IDP signatures. It also generates a
294. s
COMMAND / DESCRIPTION
show radius-server
    Displays the default RADIUS server settings.
[no] radius-server host radius_server auth-port auth_port
    Sets the RADIUS server address and service port number. Enter the IP address (in dotted decimal notation) or the domain name of a RADIUS server. The no command clears the settings.
[no] radius-server key secret
    Sets a password (up to 15 alphanumeric characters) as the key to be shared between the RADIUS server and the ZyWALL. The no command clears this setting.
[no] radius-server timeout time
    Sets the search timeout period (in seconds). Enter a number between 1 and 300. The no command clears this setting.

27.2.4 radius-server Command Example
The following example sets the secret key and timeout period of the default RADIUS server (172.23.10.100) to 87643210 and 80 seconds.
Router# configure terminal
Router(config)# radius-server host 172.23.10.100 auth-port 1812
Router(config)# radius-server key 876543210
Router(config)# radius-server timeout 80
Router(config)# show radius-server
host : 172.23.10.100
authentication port : 1812
key : 876543210
timeout : 80
Router(config)#

Chapter 27 AAA Server

27.2.5 aaa group server ad Commands
The following table lists the aaa group server ad commands you use to configure a group of AD servers.

Table 114 aaa group server ad Commands
COMMAND
295. s or deactivates http inspection options, where http_xxx = {ascii-encoding | u-encoding | bare-byte-unicode-encoding | base36-encoding | utf-8-encoding | iis-unicode-codepoint-encoding | multi-slash-encoding | iis-backslash-evasion | self-directory-traversal | directory-traversal | apache-whitespace | non-rfc-http-delimiter | non-rfc-defined-char | oversize-request-uri-directory | oversize-chunk-encoding | webroot-directory-traversal}.
http-inspection http_xxx log [alert]: Sets http inspection log or alert.
no http-inspection http_xxx log: Deactivates http inspection logs.
[no] http-inspection http_xxx action {drop | reject-sender | reject-receiver | reject-both}: Sets http inspection action.
[no] tcp-decoder tcp_xxx activate: Activates or deactivates tcp decoder options, where tcp_xxx = {undersize-len | undersize-offset | oversize-offset | bad-length-options | truncated-options | ttcp-detected | obsolete-options | experimental-options}.
tcp-decoder tcp_xxx log [alert]: Sets tcp decoder log or alert options.
no tcp-decoder tcp_xxx log: Deactivates tcp decoder log or alert options.
[no] tcp-decoder tcp_xxx action {drop | reject-sender | reject-receiver | reject-both}: Sets tcp decoder action.
[no] udp-decoder {truncated-header | undersize-len | oversize-len} activate: Activates or deactivates udp decoder options.
udp-decoder {truncated-header | undersize-len
296. s server rule {<1..32> | append | insert <1..32>} access-group {ALL | address_object} zone {ALL | address_object} action {accept | deny}: Sets a service control rule for DNS requests.
ip dns server rule move <1..32> to <1..32>: Changes the number of a service control rule.
[no] ip dns server zone-forwarder {<1..32> | append | insert <1..32>} domain_name {interface interface_name | user-defined w.x.y.z} [private]: Sets a zone forwarder record that specifies a DNS server's IP address. Use private if the ZyWALL connects to the DNS server through a VPN tunnel. The no command deletes a zone forwarder record.
ip dns server zone-forwarder move <1..32> to <1..32>: Changes the index number of a zone forwarder record.
no ip dns server rule <1..32>: Deletes a service control rule.
show ip dns server cache: Displays all DNS cache entries.
show ip dns server database: Displays all configured records.
show ip dns server status: Displays whether this service is enabled or not.

32.5.2 DNS Command Example

This command sets an A record that specifies the mapping of a fully qualified domain name (www.abc.com) to an IP address (210.17.2.13).

  Router# configure terminal
  Router(config)# ip dns server a-record www.abc.com 210.17.2.13

System Remote Management

This chapter shows you how to determine which services/prot
297. se the configure terminal command to enter the configuration mode before you can use these commands.

Table 135 Command Summary: Dial-in Management

COMMAND: DESCRIPTION
dial-in: Enters sub-command mode.
[no] activate: Turns dial-in management on. The no command turns it off.
[no] answer-rings: Sets how many times the ZyWALL lets the incoming dial-in management session ring before processing it. The no command sets it to one.
[no] description description: Specifies the description for the dial-in management connection. The no command clears the description. description: You can use alphanumeric characters and some punctuation marks, and it can be up to 60 characters long.
[no] initial-string initial_string: Specifies the initial string of the auxiliary interface. The no command removes the initial string. initial_string: You can use up to 64 characters. Semicolons and backslashes are not allowed.
[no] mute: Stops the external serial modem from making audible sounds during a dial-in management session. The no command turns the sounds back on.
[no] port-speed {9600 | 19200 | 38400 | 57600 | 115200}: Specifies the baud rate of the auxiliary interface. The no command sets the baud rate to 115200.
show dial-in: Displays dial-in management settings.

Chapter 33 System Remote Management

33.9.4.1 Dial-in Management Command Examples
298. se this feature, your computer must have an FTP client.

Chapter 33 System Remote Management

33.6.1 FTP Commands

The following table describes the commands available for FTP. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 132 Command Summary: FTP

COMMAND: DESCRIPTION
[no] ip ftp server: Allows FTP access to the ZyWALL. The no command disables FTP access to the ZyWALL.
[no] ip ftp server cert certificate_name: Sets a certificate to be used to identify the ZyWALL. The no command resets the certificate used by the FTP server to the factory default.
[no] ip ftp server port <1..65535>: Sets the FTP service port number. The no command resets the FTP service port number to the factory default (21).
[no] ip ftp server tls-required: Allows FTP access over TLS. The no command disables FTP access over TLS.
ip ftp server rule {<1..32> | append | insert <1..32>} access-group {ALL | address_object} zone {ALL | zone_object} action {accept | deny}: Sets a service control rule for FTP service. address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive. zone_object: The name of the zone. You may use 1-31 alphanumeric characters, underscores
299. server host 192.168.1.100 auth-port 1812
  Router(group-server-radius)# server host 172.23.22.100 auth-port 1812
  Router(group-server-radius)# server key 12345678
  Router(group-server-radius)# server timeout 100
  Router(group-server-radius)# exit
  Router(config)# show aaa group server radius
  No.  Name          Reference
  1    RADIUSGroup1
  Router(config)#

Authentication Objects

This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database.

28.1 Authentication Objects Overview

After you have created the AAA server objects, you can specify the authentication objects containing the AAA server information that the ZyWALL uses to authenticate users (using VPN or managing through HTTP/HTTPS).

28.2 aaa authentication Commands

The following table lists the aaa authentication commands you use to configure an authentication profile.

Table 117 aaa authentication Commands

COMMAND: DESCRIPTION
aaa authentication rename profile_name_old profile_name_new: Changes the profile name. profile_name: You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.
clear aaa authentication [profile_name]: Deletes all authentication profiles or the specified authentication profile. Note: You can NOT delete a
300. service before you can update IDP signatures, although you do not have to register in order to update system-protect signatures.

Note: You must use the web configurator to import a custom signature file.

Table 85 Update Signatures

COMMAND: DESCRIPTION
idp {signature | system-protect} update signatures: Immediately downloads IDP or system-protect signatures from an update server.
[no] idp {signature | system-protect} update auto: Enables (disables) automatic signature downloads at regular times and days.
idp {signature | system-protect} update hourly: Enables automatic signature download every hour.
idp {signature | system-protect} update daily <0..23>: Enables automatic signature download every day at the time specified.
idp {signature | system-protect} update weekly {sun | mon | tue | wed | thu | fri | sat} <0..23>: Enables automatic signature download once a week at the time and day specified.

Chapter 20 IDP Commands

Table 85 Update Signatures (continued)

COMMAND: DESCRIPTION
show idp {signature | system-protect} update: Displays signature update schedule.
show idp {signature | system-protect} update status: Displays signature update status.
show idp {signature | system-protect} signatures {version | date | number}: Displays signature information.

20.5.1 Update Signature Examples

These examples show how to enable d
301. show how to create a custom signature, edit one, display details of one (all), and show the total number of custom signatures.

  Router# configure terminal
  Router(config)# idp customize signature "alert tcp any any <> any any (msg:"test"; sid:9000000;)"
  sid: 9000000
  message: test
  policy type:
  severity:
  platform: all: no, Win95/98: no, WinNT: no, WinXP/2000: no, Linux: no, FreeBSD: no, Solaris: no, SGI: no, other Unix: no, network device: no
  service: 
  outbreak: no

Chapter 20 IDP Commands

This example shows you how to edit a custom signature.

  Router(config)# idp customize signature edit "alert tcp any any <> any any (msg:"test edit"; sid:9000000;)"
  y
  sid: 9000000
  message: test edit
  policy type:
  severity:
  platform: all: no, Win95/98: no, WinNT: no, WinXP/2000: no, Linux: no, FreeBSD: no, Solaris: no, SGI: no, other Unix: no, network device: no
  service:
  outbreak: no

This example shows you how to display custom signature details.

  Router(config)# show idp signatures custom-signature 9000000 details
  sid: 9000000
  message: test edit
  policy type:
  severity:
  platform: all: no, Win95/98: no, WinNT: no, WinXP/2000: no, Linux: no, FreeBSD: no, Solaris: no, SGI: no, other Unix: no, network device: no
  service:
  outbreak: no

Chapter 20 IDP Commands

This example shows you how to display custom
304. ss and connects through the Internet.

You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel.

Chapter 17 L2TP VPN

The VPN rule allows the remote user to access the LAN_SUBNET, which covers the 192.168.1.1/24 subnet.

17.5.1 Configuring the Default L2TP VPN Gateway Example

The following commands configure the Default_L2TP_VPN_GW entry.

Configure the My Address setting. This example uses interface ge3 with static IP address 172.23.37.205.

Configure the Pre-Shared Key. This example uses top-secret.

  Router(config)# isakmp policy Default_L2TP_VPN_GW
  Router(config-isakmp-Default_L2TP_VPN_GW)# local-ip interface ge3
  Router(config-isakmp-Default_L2TP_VPN_GW)# authentication pre-share
  Router(config-isakmp-Default_L2TP_VPN_GW)# keystring top-secret
  Router(config-isakmp-Default_L2TP_VPN_GW)# activate
  Router(config-isakmp-Default_L2TP_VPN_GW)# exit
  Router(config)#

17.5.2 Configuring the Default L2TP VPN Connection Example

The following commands configure the Default_L2TP_VPN_Connection entry.

Enforce and configure the local and remote policies. For the Local Policy, create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW. The address object in this example uses IP ad
306. t

34.6.1 Command Line FTP File Upload

1. Connect to the ZyWALL.
2. Enter bin to set the transfer mode to binary.
3. You can upload the firmware after you log in through FTP. To upload other files, use cd to change to the corresponding directory.
4. Use put to transfer files from the computer to the ZyWALL. For example:
   In the conf directory, use put config.conf today.conf to upload the configuration file (config.conf) to the ZyWALL and rename it (today.conf).
   put 1 00 XL 0 bin transfers the firmware (1 00 XL 0 bin) to the ZyWALL.

The firmware update can take up to five minutes. Do not turn off or reset the ZyWALL while the firmware update is in progress. If you lose power during the firmware upload, you may need to refer to Section 34.8 on page 235 to recover the firmware.

34.6.2 Command Line FTP Configuration File Upload Example

The following example transfers a configuration file named tomorrow.conf from the computer and saves it on the ZyWALL as next.conf.

Note: Uploading a custom signature file named custom-rules overwrites all custom signatures on the ZyWALL.

Note: When you upload a custom signature, the ZyWALL appends it to the existing custom signatures stored in the custom-rules file.

Chapter 34 File Manager

Figure 24 FTP Configuration File Upload Example

  C:\>ftp 192.168.1.1
  Connected to 192.168.1.1.
  220 FTP Ser
307. t: CN=1.1.1.2
  issuer: none
  status: VALID
  ID: 2
  type: IP
  valid from: none
  valid to: none
  certificate: test_x509
  type: SELF
  subject: CN=10.0.0.58
  issuer: CN=10.0.0.58
  status: VALID
  ID: 100350259
  type: IP
  valid from: 2006-05-29 10:26:08
  valid to: 2009-05-28 10:26:08
  Router(config)# no ca category local pkcs12request
  Router(config)# ca generate x509 name test_x509 cn-type ip cn 10.0.0.58 key
  subject: CN=ZyWALL 1050_Factory_Default_Certificate
  issuer: CN=ZyWALL 1050_Factory_Default_Certificate

Chapter 29 Certificates

ISP Accounts

Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces.

30.1 ISP Accounts Overview

An ISP account is a profile of settings for Internet access using PPPoE or PPTP.

30.2 ISP Account Commands Summary

The following table describes the values required for many ISP account commands. Other values are discussed with the corresponding commands.

Table 120 Input Values for ISP Account Commands

LABEL: DESCRIPTION
profile_name: The name of the ISP account. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.

The following table lists the ISP account commands.

Table 121 account Commands

COMMAND: DESCRIPTION
show account pppo
308. t: Sets the number of seconds between hello messages to peer routers. These messages let peer routers know the ZyWALL is available. The no command sets the number of seconds to 10. See ip ospf dead-interval for more information.
[no] ip ospf dead-interval <1..65535>: Sets the number of seconds the ZyWALL waits for hello messages from peer routers before it assumes the peer router is not available and deletes associated routing information. The no command sets the number of seconds to 40. See ip ospf hello-interval for more information.
[no] ip ospf retransmit-interval <1..65535>: Sets the number of seconds the ZyWALL waits for an acknowledgment to a link state announcement before it re-sends the link state announcement.

5.2.6 Basic Interface Setting Commands

This section identifies commands that support port grouping.

Note: In CLI, representative interfaces are called representative ports.

Table 20 Basic Interface Setting Commands

COMMAND: DESCRIPTION
show port-grouping: Displays which physical ports are assigned to each representative interface.
port-grouping ge<1..5> port <1..5>: Adds the specified physical port to the specified representative interface.
no port <1..5>: Removes the specified physical port from its current representative interface and adds it to its default representative interface (port x > gex).
port-status Port<1..5>: Enters
309. t <1..512> end <1..512>] [begin]: Displays the selected fields in the system log. field: {time | msg | src | dst | note | pri | cat | all}

Chapter 35 Logs

35.1.2 System Log Commands

This table lists the commands for the system log settings.

Table 144 logging Commands: System Log Settings

COMMAND: DESCRIPTION
show logging status system-log: Displays the current settings for the system log.
logging system-log category module_name {disable | level normal | level all}: Specifies what kind of information, if any, is logged in the system log and debugging log for the specified category.
[no] logging system-log suppression interval <10..600>: Sets the log consolidation interval for the system log. The no command sets the interval to ten.
[no] logging system-log suppression: Enables log consolidation in the system log. The no command disables log consolidation in the system log.
clear logging system-log buffer: Clears the system log.

35.1.2.1 System Log Command Examples

The following command displays the current status of the system log.

  Router# configure terminal
  Router(config)# show logging status system-log
  512 events logged
  suppression active: yes
  suppression interval: 10
  category settings:
  content-filter: normal
  forward-web-sites: no
  blocked-web-sites: normal
  user: normal
  myZyXEL.com: normal
310. t object_name: Deletes the specified service.
service-object object_name {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>}: Creates the specified TCP service or UDP service using the specified parameters.

Chapter 25 Services

Table 107 service-object Commands: Service Objects (continued)

COMMAND: DESCRIPTION
service-object object_name icmp icmp_value: Creates the specified ICMP message using the specified parameters. icmp_value: <0..255> | alternate-address | conversion-error | echo | echo-reply | information-reply | information-request | mask-reply | mask-request | mobile-redirect | parameter-problem | redirect | router-advertisement | router-solicitation | source-quench | time-exceeded | timestamp-reply | timestamp-request | unreachable
service-object object_name protocol <1..255>: Creates the specified user-defined service using the specified parameters.
service-object rename object_name object_name: Renames the specified service from the first object_name to the second object_name.

25.2.1.1 Service Object Command Examples

The following commands create four services, display them, and then remove one of them.

  Router# configure terminal
  Router(config)# service-object TELNET tcp eq 23
  Router(config)# service-object FTP tcp
311. t to continue connecting (yes/no)? yes
  Host key saved to C:/Documents and Settings/user/Application Data/SSH/hostkeys/ey22_192.168.1.1.pub
  host key for 192.168.1.1, accepted by user Tue Aug 09 2005 07:38:28
  admin's password:
  Authentication successful.

1.3 How to Find Commands in this Guide

You can simply look for the feature chapter to find commands. In addition, you can use one of the following to look up specific commands:

Chapter 1 Command Line Interface

Commands in Order of Appearance, right after this chapter. This section lists the commands in the order that they appear in this guide.

List of Commands (Alphabetical), at the end of the guide. This section lists the commands in alphabetical order.

If you are looking at the CLI Reference Guide electronically, you might have additional options (for example, bookmarks or Find) as well.

1.4 How Commands Are Explained

Each chapter explains the commands for one keyword. The chapters are divided into the following sections.

1.4.1 Background Information (Optional)

Note: See the User's Guide for background information about most features.

This section provides background information about features that you cannot configure in the web configurator. In addition, this section identifies related commands in other chapters.

1.4.2 Command Input Values (Optional)

This section lists co
312. tatistics on or off.
idp statistics flush: Clears the collected statistics.
show idp statistics summary: Displays the collected statistics.

Chapter 20 IDP Commands

Table 86 Commands for IDP Statistics (continued)

COMMAND: DESCRIPTION
show idp statistics collect: Displays whether the collection of IDP statistics is turned on or off.
show idp statistics ranking {signature-name | source | destination}: Query and sort the IDP statistics entries by signature name, source IP address or destination IP address. signature-name lists the most commonly detected signatures. source lists the source IP addresses from which the ZyWALL has detected the most intrusion attempts. destination lists the most common destination IP addresses for detected intrusion attempts.

20.6.1 IDP Statistics Example

This example shows how to collect and display IDP statistics. It also shows how to sort the display by the most common signature name, source IP address or destination IP address.

  Router# configure terminal
  Router(config)# idp statistics collect
  Router(config)# no idp statistics activate
  Router(config)# idp statistics flush
  Router(config)# show idp statistics collect status
  IDP collect statistics status: yes
  Router(config)# show idp statistics summary
  scanned session: 268
  packet dropped: 0
  packet reset: 0
  Router(config)# show idp statistics ranking signature
313. te gateway address is 0.0.0.0.
[no] crypto map map_name: Creates the specified IPSec SA if necessary and enters sub-command mode. The no command deletes the specified IPSec SA.
crypto map rename map_name map_name: Renames the specified IPSec SA (first map_name) to the specified name (second map_name).

Chapter 15 IPSec VPN

Table 53 crypto map Commands: IPSec SAs (continued)

COMMAND: DESCRIPTION
crypto map map_name {activate | deactivate}: Activates or deactivates the specified IPSec SA.
ipsec-isakmp policy_name: Specifies the IKE SA for this IPSec SA and disables manual key.
encapsulation {tunnel | transport}: Sets the encapsulation mode.
transform-set esp_crypto_algo [esp_crypto_algo [esp_crypto_algo]]: Sets the active protocol to ESP and sets the encryption and authentication algorithms for each proposal. esp_crypto_algo: esp-3des-md5 | esp-3des-sha | esp-aes128-md5 | esp-aes128-sha | esp-aes192-md5 | esp-aes192-sha | esp-aes256-md5 | esp-aes256-sha | esp-des-md5 | esp-des-sha | esp-null-md5 | esp-null-sha
transform-set {ah-md5 | ah-sha} [{ah-md5 | ah-sha} [{ah-sha | ah-md5}]]: Sets the active protocol to AH and sets the encryption and authentication algorithms for each proposal.
set security-association lifetime seconds <180..3000000>: Sets the IPSec SA life time.
set pfs {group1 | group2 | group
314. te.com, partner.bad-site.com, press.bad-site.com, etc. Use up to 63 case-insensitive characters (0-9a-z-).

You can enter a single IP address in dotted decimal notation like 192.168.2.5.

You can enter a subnet by entering an IP address in dotted decimal notation followed by a slash and the bit number of the subnet mask of an IP address. The range is 0 to 32. To find the bit number, convert the subnet mask to binary and add all of the 1's together. Take 255.255.255.0 for example. 255 converts to eight 1's in binary. There are three 255's, so add three eights together and you get the bit number (24). An example is 192.168.2.1/24.

You can enter an IP address range by entering the start and end IP addresses separated by a hyphen, for example 192.168.2.5-192.168.2.23.

keyword: A keyword or a numerical IP address to search URLs for and block access to if they contain it. Use up to 63 case-insensitive characters (0-9a-zA-Z_ and certain punctuation marks) in double quotes. For example, enter "Bad Site" to block access to any web page that includes the exact phrase "Bad Site". This does not block access to web pages that only include part of the phrase (such as "Bad" in this example).

message: The message to display when a web site is blocked. Use up to 255 characters (0-9a-zA-Z&_) in quotes. For example, "Access to this web page is not allowed. Please contact the network administrator".

redirect_url: The URL of t
315. tection all details: Shows all scan detection settings of the specified IDP profile.
show idp anomaly profile scan-detection {tcp-portscan | tcp-decoy-portscan | tcp-distributed-portscan | tcp-filtered-portscan | tcp-filtered-decoy-portscan | tcp-filtered-distributed-portscan | tcp-filtered-portsweep | tcp-portsweep} details: Shows selected TCP scan detection settings for the specified IDP profile.
show idp anomaly profile scan-detection {udp-portscan | udp-decoy-portscan | udp-portsweep | udp-distributed-portscan | udp-filtered-portscan | udp-filtered-decoy-portscan | udp-filtered-distributed-portscan | udp-filtered-portsweep} details: Shows UDP scan detection settings for the specified IDP profile.
show idp anomaly profile scan-detection {ip-protocol-scan | ip-decoy-protocol-scan | ip-protocol-sweep | ip-distributed-protocol-scan | ip-filtered-protocol-scan | ip-filtered-decoy-protocol-scan | ip-filtered-distributed-protocol-scan | ip-filtered-protocol-sweep} details: Shows IP scan detection settings for the specified IDP profile.
show idp anomaly profile scan-detection {icmp-sweep | icmp-filtered-sweep | open-port} details: Shows ICMP scan detection settings for the specified IDP profile.
show idp anomaly profile flood-detection all details: Shows all flood detection settings for the specified IDP profile.
show idp anomaly profile flood-detection
316. terface interface_name redirect-to w.x.y.z <1..65535> deactivate: Disables a HTTP redirect rule.
ip http-redirect activate description: Enables a rule with the specified rule name.
ip http-redirect deactivate description: Disables a rule with the specified rule name.
no ip http-redirect description: Removes a rule with the specified rule name.
ip http-redirect flush: Clears all HTTP redirect rules.
show ip http-redirect [description]: Displays HTTP redirect settings.

12.2.1 HTTP Redirect Command Examples

The following commands create a HTTP redirect rule, disable it and display the settings.

  Router# configure terminal
  Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80
  Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80 deactivate
  Router(config)# show ip http-redirect
  Name      Interface  Proxy Server  Port  Active
  example1  ge1        10.10.2.3     80    no

ALG

This chapter covers how to use the ZyWALL's ALG feature to allow certain applications to pass through the ZyWALL.

13.1 ALG Introduction

The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the ZyWALL's NAT. Some applications cannot operate through NAT (are NAT un-friendly) because they em
317. the VLAN. The no command clears the VLAN ID.
show port vlanid: Displays the Ethernet interface VLAN settings.

5.2.7.1 VLAN Interface Command Examples

The following commands show you how to set up VLAN vlan100 with the following parameters: VLAN ID 100, interface ge1, IP 1.2.3.4, subnet 255.255.255.0, MTU 598, gateway 2.2.2.2, description "I am vlan100", upstream bandwidth 345, and downstream bandwidth 123.

  Router# configure terminal
  Router(config)# interface vlan100
  Router(config-if-vlan)# vlan-id 100
  Router(config-if-vlan)# port ge1
  Router(config-if-vlan)# ip address 1.2.3.4 255.255.255.0
  Router(config-if-vlan)# ip gateway 2.2.2.2
  Router(config-if-vlan)# mtu 598
  Router(config-if-vlan)# upstream 345
  Router(config-if-vlan)# downstream 123
  Router(config-if-vlan)# description I am vlan100
  Router(config-if-vlan)# exit

5.2.8 Bridge Commands

This section identifies commands that support bridge interfaces. Bridge interfaces also use many of the general interface commands discussed at the beginning of Section 5.2 on page 49.

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 23 Input Values for Bridge Interface Commands

LABEL: DESCRIPTION
interface_name: The name of the interface. Ethernet interface: gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. VLAN interf
318. the corresponding commands.

Table 128 Input Values for General HTTP/HTTPS Commands

LABEL: DESCRIPTION
address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
zone_object: The name of the zone. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.

The following table describes the commands available for HTTP/HTTPS. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 129 Command Summary: HTTP/HTTPS

COMMAND: DESCRIPTION
[no] ip http authentication auth_method: Sets an authentication method used by the HTTP/HTTPS server. The no command resets the authentication method used by the HTTP/HTTPS server to the factory default (default). auth_method: The name of the authentication method. You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.
[no] ip http port <1..65535>: Sets the HTTP service port number. The no command resets the HTTP service port number to the factory default (80).
[no] ip http secure-port <1..65535>: Sets the HTTPS service port number. The no command resets the HTTPS service port number to th
319. the destination criteria for the specified condition. The no command removes the destination criteria, making the condition effective for all destinations.
[no] force: Forces users to log in to the ZyWALL if the specified condition is satisfied. The no command means that users do not log in to the ZyWALL.
[no] schedule schedule_name: Sets the time criteria for the specified condition. The no command removes the time criteria, making the condition effective all the time.
[no] source {address_object | group_name}: Sets the source criteria for the specified condition. The no command removes the source criteria, making the condition effective for all sources.
show: Displays information about the specified condition.
force-auth-policy delete <1..1024>: Deletes the specified condition.
force-auth-policy flush: Deletes every condition.
force-auth-policy move <1..1024> to <1..1024>: Moves the specified condition to the specified location and renumbers the other conditions accordingly.
show force-auth-policy {<1..1024> | all}: Displays details about the policies for forcing user authentication.

23.2.5 Additional User Commands

This table lists additional commands for users.

Table 102 username/groupname Commands Summary: Additional

COMMAND: DESCRIPTION
show users {username | all | current}: Displays information about the users logg
320. the end of the line. (ZyWALL ZLD CLI Reference Guide, Chapter 1 Command Line Interface) 1.6.7 Erase Current Command: Press CTRL+U to erase whatever you have currently typed at the prompt (before pressing ENTER). 1.7 Input Values: You can use the ? or TAB to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen. For example, in the following example, the next input value is a string called description:
Router# configure terminal
Router(config)# interface ge1
Router(config-if-ge)# description ?
<description>
The following table provides more information about input values like description. Table 3 Input Value Formats for Strings in CLI Commands (TAG / VALUES / LEGAL VALUES): * / all: ALL. authentication key: Used in IPSec SA: 32-40 (0x or 0X followed by 32-40 hexadecimal values), or 16-20 (alphanumeric or punctuation characters such as & _ < >). Used in MD5 authentication keys for RIP/OSPF and text authentication key for RIP: 0-16 (alphanumeric or _-). Used in text authentication keys for OSPF: 0-8 (alphanumeric or _-). certificate name: 1-31 (alphanumeric or punctuation characters such as &). community string: 0-63 (alphanumeric or punctuation), first character alph
321. the specified VRRP group if necessary and enters sub-command mode. The no command deletes the specified VRRP group. [no] vrid <1..255>: Sets the specified VRRP group's ID to the specified VR ID. The no command clears the VR ID. [no] interface interface_name: Specifies the interface that is part of the specified VRRP group. The no command removes the specified interface from the specified VRRP group. [no] role {master | backup}: Specifies the role of the specified VRRP group in the virtual router. The no command clears the role, which makes the configuration incomplete. [no] priority <1..254>: Sets the priority of the specified VRRP group in the virtual router. The no command resets the priority to 100. [no] preempt: Lets the ZyWALL preempt lower-priority routers in the virtual router. The no command prevents the ZyWALL from preempting lower-priority routers. [no] manage-ip IP: Specifies the IP address of the specified VRRP group when it is not the master. The no command clears the IP address. [no] {md5 authentication_string password | ah password}: Specifies the authentication method and password for the specified VRRP group. The no command means that the specified VRRP group does not use authentication. password: You may use alphanumeric characters, the underscore, and some punctuation marks (such as &), and it can be up to eight characters lon
322. tined for the ZyWALL. 33.9 Dial-in Management: Connect an external serial modem to the DIAL BACKUP port (or AUX port, depending on your model) to provide a remote management connection in case the ZyWALL's other WAN connections are down. This is like an auxiliary interface, except it is used for management connections coming into the ZyWALL instead of as a backup WAN connection. 33.9.1 AT Command Strings: For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP. 33.9.2 DTR Signal: The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH. 33.9.3 Response Strings: The response strings tell the ZyWALL the tags (or labels) immediately preceding the various call parameters sent from the serial modem. The response strings have not been standardized; please consult the documentation of your serial modem to find the correct tags. 33.9.4 Dial-in Management Commands: The following table describes the commands available for dial-in management. You must u
323. tion sensitivity. no scan-detection sensitivity: Clears scan detection sensitivity. The default sensitivity is medium. scan-detection block-period <1..3600>: Sets for how many seconds the ZyWALL blocks all packets from being sent to the victim (destination) of a detected anomaly attack. [no] scan-detection tcp-xxx {activate | log [alert] | block}: Activates TCP scan detection options, where tcp-xxx = tcp-portscan | tcp-decoy-portscan | tcp-portsweep | tcp-distributed-portscan | tcp-filtered-portscan | tcp-filtered-decoy-portscan | tcp-filtered-distributed-portscan | tcp-filtered-portsweep. Also sets TCP scan detection logs or alerts and blocking. no deactivates TCP scan detection, its logs/alerts, or blocking. [no] scan-detection udp-xxx {activate | log [alert] | block}: Activates or deactivates UDP scan detection options, where udp-xxx = udp-portscan | udp-decoy-portscan | udp-portsweep | udp-distributed-portscan | udp-filtered-portscan | udp-filtered-decoy-portscan | udp-filtered-distributed-portscan | udp-filtered-portsweep. Also sets UDP scan detection logs or alerts and blocking. no deactivates UDP scan detection, its logs/alerts, or blocking. [no] scan-detection ip-xxx {activate | log [alert] | block}: Activates or deactivates IP scan detection options, where ip-xxx = ip-protocol-scan | ip-decoy-protocol-scan | ip-protocol-sweep | ip-distributed-protocol-scan | ip-filtered-protoco
324. to use a 10 Mbps connection speed and half duplex.
Router(config)# port status Port1
Router(config-port-status)# negotiation auto
Router(config-port-status)# exit
Router(config)# port status Port2
Router(config-port-status)# duplex half
Router(config-port-status)# speed 10
Router(config-port-status)# exit
Router(config)# exit
5.2.7 VLAN Interface Commands: This section identifies commands that support VLAN interfaces. VLAN interfaces also use many of the general interface commands discussed at the beginning of Section 5.2 on page 49. The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 21 Input Values for VLAN Interface Commands: interface_name: VLAN interface: vlanx, x = 0-31. Ethernet interface: gex, x = 1-N, where N equals the highest numbered Ethernet interface for your ZyWALL model. This table lists the VLAN interface commands. Table 22 interface Commands: VLAN Interfaces. interface interface_name: Creates the specified interface if necessary and enters sub-command mode. [no] port interface_name: Specifies the Ethernet interface on which the VLAN interface runs. The no command clears the port. [no] vlan-id <1..4094>: Specifies the VLAN ID used to identify
325. ts it to dial on demand. [no] account profile_name: Specifies the ISP account for the specified PPPoE/PPTP interface. The no command clears the ISP account field. [no] bind interface_name: Specifies the base interface for the PPPoE/PPTP interface. The no command removes the base interface. [no] local-address ip: Specifies a static IP address for the specified PPPoE/PPTP interface. The no command makes the PPPoE/PPTP interface a DHCP client; the other computer assigns the IP address. [no] remote-address ip: Specifies the IP address of the PPPoE/PPTP server. If the PPPoE/PPTP server is not available at this IP address, no connection is made. The no command lets the ZyWALL get the IP address of the PPPoE/PPTP server automatically when it establishes the connection. 5.2.9.1 PPPoE/PPTP Interface Command Examples: The following commands show you how to configure PPPoE/PPTP interface ppp0 with the following characteristics: base interface ge1, ISP account Hinet, local address 1.1.1.1, remote address 2.2.2.2, MTU 1200, upstream bandwidth 345, downstream bandwidth 123, description "I am ppp0", and dialed only when used.
Router# configure terminal
Route
326. ts the password and sets the user type for the specified user. password: You can use 1-63 printable ASCII characters except double quotation marks and question marks. username username user-type ext-user: Creates the specified user if necessary and sets the user type to Ext-User. no username username: Deletes the specified user. username rename username username: Renames the specified user (first username) to the specified username (second username). username username [no] description description: Sets the description for the specified user. The no command clears the description. description: You can use alphanumeric and some punctuation characters (such as _), and it can be up to 60 characters long. username username [no] logon-lease-time <0..1440>: Sets the lease time for the specified user. Set it to zero to set unlimited lease time. The no command sets the lease time to five minutes, regardless of the current default setting for new users. username username [no] logon-re-auth-time <0..1440>: Sets the reauthorization time for the specified user. Set it to zero to set unlimited reauthorization time. The no command sets the reauthorization time to thirty minutes, regardless of the current default setting for new users. 23.2.2 User Group Commands: This table lists the commands for groups. Table 99 username/groupname Commands Summary: Groups. COM
327. tures with MSN in the name.
Router(config)# anti-virus search signature name MSN
signature: 1
virus id: 41212
virus name: MSN
category: virus
severity: Low
19.3 Update Anti-virus Signatures: Use these commands to update new signatures. You should have already registered for anti-virus service. Table 72 Update Signatures: anti-virus update signatures: Immediately downloads signatures from an update server. [no] anti-virus update auto: Enables/disables automatic signature downloads at regular times and days. anti-virus update hourly: Enables automatic signature download every hour. anti-virus update daily <0..23>: Enables automatic signature download every day at the time specified. anti-virus update weekly {sun | mon | tue | wed | thu | fri | sat} <0..23>: Enables automatic signature download once a week at the time and day specified. show anti-virus update: Displays signature update schedule. show anti-virus update status: Displays signature update status. show anti-virus signatures status: Displays details about the current signature set. 19.3.1 Update Signature Examples: These examples show how to enable/disable automatic anti-virus downloading, schedule updates, display the schedule, display the update status, show the new updated signature version number, show the total number
328. (List of Commands, Alphabetical; only the legible entries are kept, with their page numbers.) ty source 32; delete {cert | conf | idp | packet_trace | script | tmp} file_name 231; link-monitoring activate 178; device-register checkuser user_name 38; device-register username user_name password password e-mail user@domainname country 38; dir {cert | conf | idp | packet_trace | script | tmp} 30; encapsulation tunnel 103; firewall delete
329. u want to assign a static IP address to a MAC address, or if you want to specify the starting IP address and pool size of a range of IP addresses that can be assigned to DHCP clients. There are different commands for each configuration. Afterwards, in either case, you have to bind the DHCP pool to the interface. Table 15 interface Commands: DHCP Settings. show ip dhcp pool [profile_name]: Shows information about the specified DHCP pool or about all DHCP pools. ip dhcp pool rename profile_name profile_name: Renames the specified DHCP pool from the first profile_name to the second profile_name. [no] ip dhcp pool profile_name: Creates a DHCP pool if necessary and enters sub-command mode. You can use the DHCP pool to create a static entry or to set up a range of IP addresses to assign dynamically. If you use the host command, the ZyWALL treats this DHCP pool as a static DHCP entry. If you do not use the host command and use the network command, the ZyWALL treats this DHCP pool as a pool of IP addresses. If you do not use the host command or the network command, the DHCP pool is not properly configured and cannot be bound to any interface. The no command removes the specified DHCP pool. show: Shows information about the specified D
330. u will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/AppPatrol service. You can also check for new signatures at http://mysecurity.zyxel.com. See the respective chapters for more information about these features. To update the signature file or use a subscription service, you have to register the ZyWALL and activate the corresponding service at myZyXEL.com (through the ZyWALL). 4.2 Registration Commands: The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands. Table 7 Input Values for General Registration Commands: user_name: The user name of your myZyXEL.com account. You may use six to 20 alphanumeric characters and the underscore. Spaces are not allowed. password: The password for the myZyXEL.com account. You may use six to 20 alphanumeric characters and the underscore. Spaces are not allowed. The following table describes the commands available for registration. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 8 Command Summary: Registration. device-register checkuser user_name: Checks if the user name exists in the myZyXEL.com database. device-register username user_name password: Registers the device with an existing account or passwo
331. udp 172.23.37.240:500 0.0.0.0:0
46 udp 127.0.0.1:500 0.0.0.0:0
Here are examples of the commands that display the system uptime and model, firmware and build information.
Router(config)# show system uptime
system uptime: 13 days, 21:01:17
Router(config)# show version
ZyXEL Communications Corp.
model: ZyWALL 1050
firmware version: 2.00(XL.0)b3
BM version: 1.08
build date: 2007-03-30 17:42:56
Registration. This chapter introduces myZyXEL.com and shows you how to register the ZyWALL for IDP/AppPatrol, anti-virus and content filtering services using commands. 4.1 myZyXEL.com Overview: myZyXEL.com is ZyXEL's online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com. You can directly create a myZyXEL.com account, register your ZyWALL and activate a service using the Licensing > Registration screens. Alternatively, go to http://www.myZyXEL.com with the ZyWALL's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details. To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL. 4.1.1 Subscription Services Available on the ZyWALL: The Z
332. ues you can input with the interface-group commands. Table 28 interface-group Command Input Values: group_name: A descriptive name for the trunk. Use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. interface: The name of an interface; it could be an Ethernet, PPP, VLAN or bridge interface. The possible number of each interface type and the abbreviation to use are as follows: Ethernet interface: gex, x = 1-5; ppp interface: pppx, x = 0-11; VLAN interface: vlanx, x = 0-31; bridge interface: brx, x = 0-11. num: The interface's position in the trunk's list of members, <1..8>. CR: Carriage Return (the enter key). 6.4 Trunk Commands Summary: The following table lists the interface-group commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. See Table 28 on page 66 for details about the values you can input with these commands. Table 29 interface-group Commands Summary: show interface-group group_name: Displays a trunk's settings. [no] interface-group group_name: Creates a trunk name and enters the trunk sub-command mode where you can configure the trunk. The no command removes the trunk. [no] interface {num append | insert num} interface [cr]: This subcommand adds an interface to a trunk. Sets the i
333. uide, Chapter 1 Command Line Interface. See Chapter 23 on page 171 for more information about the user types. User users can only log in, look at (but not run) the available commands in User mode, and log out. Limited-Admin users can look at the configuration in the web configurator and CLI, and they can run basic diagnostics in the CLI. Admin users can configure the ZyWALL in the web configurator or CLI. At the time of writing, there is not much difference between User and Privilege mode for admin users. This is reserved for future use. 1.6 Shortcuts and Help. 1.6.1 List of Available Commands: A list of valid commands can be found by typing ? or TAB at the command prompt. To view a list of available commands within a command group, enter command ? or command TAB. Figure 9 Help: Available Commands Example 1
Router# ?
apply clear configure copy delete (snip) run setenv show traceroute write
Router#
Figure 10 Help: Available Command Example 2
Router> show ?
aaa account address-object alg (snip) username users version vrrp zone
Router> show
1.6.2 List of Sub-commands or Required User Input: To view detailed help information for a command, enter command sub-command ?. Figure 11 Help: Sub-command Information Example
Router(config)# ip telnet server ?
<cr>
334. underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. This table lists the zone commands. Table 41 zone Commands: show zone [profile_name]: Displays information about the specified zone or about all zones. [no] zone profile_name: Creates the zone if necessary and enters sub-command mode. The no command deletes the zone. zone profile_name [no] block: Blocks intra-zone traffic. The no command allows intra-zone traffic. [no] interface interface_name: Adds the specified interface to the specified zone. The no command removes the specified interface from the specified zone. See Section 5.2 on page 49 for information about interface names. [no] crypto profile_name: Adds the specified IPSec VPN tunnel to the specified zone. The no command removes the specified IPSec VPN tunnel from the specified zone. [no] sslvpn profile_name: Adds the specified SSL VPN tunnel to the specified zone. The no command removes the specified SSL VPN tunnel from the specified zone. 9.2.1 Zone Command Examples: The following commands add Ethernet interfaces ge1 and ge2 to zone A and block intra-zone traffic.
Router# configure terminal
Router(config)# zone A
Router(zone)# interface ge1
Router(zone)# interface ge2
Router(zone)# block
Router(zone)# e
335. (List of Commands, Alphabetical; only the legible entries are kept, with their page numbers.) ure 210; ip dns-server rule <1..32> {append | insert <1..32>} access-group {ALL | address_object} zone {ALL | address_object} action {accept | deny} 210; ip dns-server rule move <1..32> to <1..32> 210; ip dns-server zone-forwarder move <1..32> to <1..32> 210; ip ftp-server rule <1..32> {append | insert <1..32>} access-group {ALL | address_object} zone {ALL | zone_object} action {accept | deny} 217; ip ftp-server rule move <1..32> to <1..32>; ip gateway metric 50; ip http secure-server table {admin | user} rule <1..32> {append | insert <1..32>} access-group {ALL | address_object} zone {ALL | zone_object} action {accept | deny}; ip http secure-server table {admin | user} rule move <1..32> to <1..32> 213; ip http server table {admin | user} rule <1..32> {append | insert <1..32>} access-group {ALL | address_object} zone {ALL | zone_object} action {accept | deny} 213; ip http server table {admin | user} rule move <1..32> to <1..32> 213; ip http-redirect activate description 88; ip http-redirect deactivate description
336. use the following characters: a-zA-Z0-9 and punctuation characters such as & _ < >. ocsp {activate | deactivate}: Has the ZyWALL check (or not check) incoming certificates that are signed by this certificate against a directory server that uses OCSP (Online Certificate Status Protocol). Table 119 ca Commands Summary (continued): ocsp url url [id name password password] | deactivate: Sets the validation configuration for the specified remote (trusted) certificate, where the directory server uses OCSP. url: Type the protocol, IP address and pathname of the OCSP server. name: The ZyWALL may need to authenticate itself in order to access the OCSP server. Type the login name (up to 31 characters) from the entity maintaining the server (usually a certification authority). You can use alphanumeric characters, the underscore, and the dash. password: Type the password (up to 31 characters) from the entity maintaining the OCSP server (usually a certification authority). You can use the following characters: a-zA-Z0-9 and punctuation characters such as & _ < >. no ca category {local | remote} certificate_name: Deletes the specified local (my certificates) or remote (trusted certificates) certificate. no ca validation name: Removes the validation configuration for the specified remote (trusted) certificate. show ca category loc
337. ut the ZyWALL's logs. When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User's Guide for the maximum number of system log messages in the ZyWALL. 35.1 Log Commands Summary: The following table describes the values required for many log commands. Other values are discussed with the corresponding commands. Table 142 Input Values for Log Commands: module_name: The name of the category (kernel, syslog, ...). The all category includes all messages in all categories. The default category includes debugging messages generated by open source software. The following sections list the logging commands. 35.1.1 Log Entries Commands: This table lists the commands to look at log entries. Table 143 logging Commands: Log Entries. show logging entries [priority PRI] [category module_name] [srcip IP] [dstip IP] [service service_name] [begin <1..512> end <1..512>] [keyword keyword]: Displays the selected entries in the system log. PRI: alert | crit | debug | emerg | error | info | notice | warn. keyword: You can use alphanumeric and some punctuation characters (such as _), and it can be up to 63 characters long. This searches the message, source, destination and notes fields. show logging entries field field_l
338. ut with these commands. Table 89 content-filter General Commands: [no] content-filter active: Turns on content filtering. The no command turns it off. [no] content-filter block message message: Sets the message to display when content filtering blocks access to a web page. The no command clears the setting. [no] content-filter block redirect redirect_url: Sets the URL of the web page to which to send users when their web access is blocked by content filtering. The no command clears the setting. [no] content-filter cache-timeout cache_timeout: Sets how long the ZyWALL is to keep an entry in the content filtering URL cache before discarding it. The no command clears the setting. [no] content-filter default block: Has the ZyWALL block sessions that do not match a content filtering policy. The no command allows sessions that do not match a content filtering policy. [no] content-filter license license: Sets the license key for the external web filtering service. The no command clears the setting. [no] content-filter policy policy_number address schedule filtering_profile: Sets a content filtering policy. The no command removes it. content-filter policy policy_number shutdown: Disables a content filtering policy. content-filter url-cache test url: Tests whether or not a web site is saved in the ZyWALL's database of restricted web pages. content-filter rating-serv
339. ve domain name: Fully qualified domain name. You may use up to 254 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period. The initial sections introduce commands that are supported by several types of interfaces. The remaining sections then introduce the unique commands for each type of interface. 5.2.1 Basic Interface Properties and IP Address Commands: This table lists basic properties and IP address commands. Table 13 interface Commands: Basic Properties and IP Address Assignment. show interface {ethernet | vlan | bridge | ppp | auxiliary} status: Displays the connection status of the specified type of interfaces. show interface {interface_name | ethernet | vlan | bridge | ppp | virtual ethernet | virtual vlan | virtual bridge | auxiliary | all}: Displays information about the specified interface, the specified type of interfaces, or all interfaces. show interface summary all: Displays basic information about the interfaces. show interface summary all status: Displays the connection status of the interfaces. [no] interface interface_name: Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface. [no] shutdown: Deactivates the specified interface. The no command activates it. description descript
340. ver (ZyWALL) [192.168.1.1]
User (192.168.1.1:(none)): admin
331 Password required for admin
Password:
230 User admin logged in
ftp> cd conf
250 CWD command successful
ftp> bin
200 Type set to I
ftp> put tomorrow.conf next.conf
200 PORT command successful
150 Opening BINARY mode data connection for next.conf
226-Post action ok
226 Transfer complete
ftp: 20231 bytes sent in 0.00Seconds 20231000.00Kbytes/sec.
34.6.3 Command Line FTP File Download: Connect to the ZyWALL. Enter bin to set the transfer mode to binary. Use cd to change to the directory that contains the files you want to download. Use dir or ls if you need to display a list of the files in the directory. Use get to download files. For example, get vpn_setup.zysh vpn.zysh transfers the vpn_setup.zysh configuration file on the ZyWALL to your computer and renames it vpn.zysh. 34.6.4 Command Line FTP Configuration File Download Example: The following example gets a configuration file named today.conf from the ZyWALL and saves it on the computer as current.conf. Figure 25 FTP Configuration File Download Example
C:\>ftp 192.168.1.1
Connected to 192.168.1.1.
220 FTP Server (ZyWALL) [192.168.1.1]
User (192.168.1.1:(none)): admin
331 Password required for admin
Password:
230 User admin logged in
ftp> bin
341. virtual-server rename profile_name profile_name: Renames the specified virtual server from the first profile_name to the second profile_name. 11.2.1 Virtual Server Command Examples: The following command shows information about all the virtual servers in the ZyWALL.
Router# configure terminal
Router(config)# show ip virtual-server
virtual server: VR1
  active: yes
  interface: ge1
  original IP: any
  mapped IP: 192.168.3.2
  mapping type: any
  protocol type: any
  original start port: none
  mapped start port: none
  original end port: none
  mapped end port: none
The following command creates virtual server VR1 on interface ge1 that maps ge1 IP addresses to 192.168.3.2.
Router# configure terminal
Router(config)# ip virtual-server VR1 interface ge1 original-ip any map-to 192.168.3.2 map-type any
HTTP Redirect. This chapter shows you how to configure HTTP redirection on your ZyWALL. 12.1 HTTP Redirect Overview: HTTP redirect forwards the client's HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server. 12.1.1 Web Proxy Server: A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks. It also keeps hackers from knowin
342. with the corresponding commands. Table 57 Input Values for SSL VPN Commands: profile_name: The descriptive name of an SSL VPN access policy. You may use up to 31 characters (a-z, A-Z, 0-9) with no spaces allowed. address_object: The name of an IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Table 57 Input Values for SSL VPN Commands (continued): application_object: The name of an SSL application object. You may use up to 31 characters (0-9, a-z, A-Z and some punctuation). No spaces are allowed. user_name: The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. The following sections list the SSL VPN commands. 16.2.1 SSL VPN Commands: This table lists the commands for SSL VPN. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 58 SSL VPN Commands: show sslvpn policy [profile_name]: Displays the settings of the specified SSL VPN access policy. show network-extension local-ip: Displays the IP address that the ZyWALL uses in setti
343. xit
Router(config)# show zone
No. Name Block Member
1 A yes ge1,ge2
Router(config)# show zone A
blocking intra-zone traffic: yes
No. Type Member
1 interface ge1
2 interface ge2
DDNS. This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL. 10.1 DDNS Overview: DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address. If you have a private WAN IP address, then you cannot use Dynamic DNS. Before you can use Dynamic DNS services with the ZyWALL, you first need to set up a dynamic DNS account with www.dyndns.org. This is the only DNS service provider the ZyWALL supports at the time of writing. DynDNS offers several DNS services. Please see www.dyndns.org for more information about each of them. When registration is complete, DynDNS gives you a password or key. You must go to DynDNS's Web site to set up a user account and a domain name before you can use the Dynamic DNS service with the ZyWALL. After this, you configure the ZyWALL. Once the ZyWALL is configured, it automatically sends updated IP addresses to DynDN
344. y locked out, and then unlocks the user who is displayed.
Router# configure terminal
Router(config)# show lockout-users
No. Username Tried From Lockout Time Remaining
No. From Failed Login Attempt Record Expired Timer
1 172.23.23.60 2 46
Router(config)# unlock lockout-users 172.23.23.60
User from 172.23.23.60 is unlocked
Router(config)# show lockout-users
No. Username Tried From Lockout Time Remaining
No. From Failed Login Attempt Record Expired Timer
Addresses. This chapter describes how to set up addresses and address groups for the ZyWALL. 24.1 Address Overview: Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups. Address objects and address groups are used in dynamic routes, firewall rules, application patrol, content filtering, and VPN connection policies. For example, addresses are used to specify where content restrictions apply in content filtering. Please see the respective sections for more information about how address objects and address groups are used in each one. Address groups are composed of address objects and address groups. The sequence of members in the address group is not important. 24.2 Address Commands Summary: The following table describes the values required for many address object and address group
345. y-type {rsa | dsa} key-len key_length
ca generate pkcs12 name name password password ... 197
ca generate x509 name certificate_name cn-type {ip cn cn_address | fqdn cn cn_domain_name | mail cn cn_email} ou organizational_unit o organization c country key-type {rsa | dsa} key-len key_length ... 197
ca rename category {local | remote} old_name new_name ... 197
ca validation ... 197
clear aaa authentication profile-name ... 13

ZyWALL ZLD CLI Reference Guide 273, List of Commands (Alphabetical)

clear aaa group server ... 190
clear aaa group server ldap group-name ... 191
clear aaa group server radius group-name ... 192
clear ip dhcp binding ... 54
clear logging debug buffer ... 247
clear logging system-log buffer ... 246
clear report interface ... 251
clock date ... 208
clock time ...
346. ZyWALL can use anti-virus, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), SSL VPN, and content filtering subscription services.

The ZyWALL's anti-virus packet scanner uses the signature files on the ZyWALL to detect virus files; your ZyWALL scans files transmitting through the enabled interfaces into the network. After the service is activated, the ZyWALL can download the up-to-date signature files from the update server (http://myupdate.zywall.zyxel.com).

ZyWALL ZLD CLI Reference Guide, Chapter 4 Registration

The IDP and application patrol features use the IDP/AppPatrol signature files on the ZyWALL. IDP detects malicious or suspicious packets and responds immediately. Application patrol conveniently manages the use of various applications on the network. After the service is activated, the ZyWALL can download the up-to-date signature files from the update server (http://myupdate.zywall.zyxel.com).

SSL VPN tunnels provide secure network access to remote users. You can purchase and enter a license key to have the ZyWALL use more SSL VPN tunnels.

The content filter allows or blocks access to web sites. Subscribe to category-based content filtering to block access to categories of web sites based on content. Your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block, block and/or log access to web sites based on these categories. Yo
347. ya
CODE  COUNTRY NAME
114   Kiribati
115   Korea, Republic of
116   Kuwait
117   Kyrgyzstan
118   Lao People's Democratic Republic
119   Latvia
120   Lebanon
121   Lesotho
122   Liberia
123   Liechtenstein
124   Lithuania
125   Luxembourg
126   Macau
127   Macedonia, Former Yugoslav Republic
128   Madagascar
129   Malawi
130   Malaysia
131   Maldives
132   Mali
133   Malta
134   Marshall Islands
135   Martinique
136   Mauritania
137   Mauritius
138   Mayotte
139   Mexico
140   Micronesia, Federal State of
141   Moldova, Republic of
142   Monaco
143   Mongolia
144   Montserrat
145   Morocco
146   Mozambique

ZyWALL ZLD CLI Reference Guide, Chapter 4 Registration
Table 9 Country Codes (continued)
CODE  COUNTRY NAME
147   Namibia
148   Nauru
149   Nepal
150   Netherlands
151   Netherlands Antilles
152   New Caledonia
153   New Zealand
154   Nicaragua
155   Niger
156   Nigeria
157   Niue
158   Norfolk Island
159   Northern Mariana Islands
160   Norway
161   Not Determined
162   Oman
163   Pakistan
164   Palau
165   Panama
166   Papua New Guinea
167   Paraguay
168   Peru
169   Philippines
170   Pitcairn Island
171   Poland
172   Portugal
173   Puerto Rico
174   Qatar
175   Reunion Island
176   Romania
177   Russian Federation
178   Rwanda
179   Saint Kitts and Nevis
180   Saint Lucia
181   Saint Vincent and the Grenadines
182   San Marino
183   Sao Tome and Principe
184   Saudi Arabia
348. zipped files that cannot be decompressed are destroyed.
Router# configure terminal
Router(config)# anti-virus rule 1
Router(config-av-rule-1)# activate
Router(config-av-rule-1)# from zone WAN
Router(config-av-rule-1)# to zone LAN
Router(config-av-rule-1)# scan http
Router(config-av-rule-1)# infected-action destroy
Router(config-av-rule-1)# bypass white-list
Router(config-av-rule-1)# no bypass black-list
Router(config-av-rule-1)# file-decompression
Router(config-av-rule-1)# no file-decompression unsupported
Router(config-av-rule-1)# exit
Router(config)# show anti-virus rule 1
Anti-Virus Rule: 1
  active: yes
  log: log
  from zone: WAN
  to zone: LAN
  scan protocols: http: yes  ftp: yes  smtp: yes  pop3: yes  imap4: yes
  infected action: destroy: yes  send windows message:
  bypass white list: yes
  bypass black list: no
  file decompression: yes
  destroy unsupported compressed file: no

19.2.3 White and Black Lists
The following table describes the commands for configuring the white list and black list. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 70 Commands for Anti-virus White and Black Lists
COMMAND: [no] anti-virus white-list activate
DESCRIPTION: Turn on the white list to have the ZyWALL not perform the anti-virus check on files with names that match the white list patterns.
COMMAND: [no] anti-virus white-list file