ZyXEL Communications Network Router ZLD User's Manual
Contents
1. Chapter 5 Registration, Table 10 Country Codes (continued; the extracted text ends partway through the table, at code 069)

CODE  COUNTRY NAME
001  Afghanistan
002  Albania
003  Algeria
004  American Samoa
005  Andorra
006  Angola
007  Anguilla
008  Antarctica
009  Antigua & Barbuda
010  Argentina
011  Armenia
012  Aruba
013  Ascension Island
014  Australia
015  Austria
016  Azerbaijan
017  Bahamas
018  Bahrain
019  Bangladesh
020  Barbados
021  Belarus
022  Belgium
023  Belize
024  Benin
025  Bermuda
026  Bhutan
027  Bolivia
028  Bosnia and Herzegovina
029  Botswana
030  Bouvet Island
031  Brazil
032  British Indian Ocean Territory
033  Brunei Darussalam
034  Bulgaria
035  Burkina Faso
036  Burundi
037  Cambodia
038  Cameroon
039  Canada
040  Cape Verde
041  Cayman Islands
042  Central African Republic
043  Chad
044  Chile
045  China
046  Christmas Island
047  Cocos (Keeling) Islands
048  Colombia
049  Comoros
050  Congo, Democratic Republic of the
051  Congo, Republic of
052  Cook Islands
053  Costa Rica
054  Cote d'Ivoire
055  Croatia (Hrvatska)
056  Cyprus
057  Czech Republic
058  Denmark
059  Djibouti
060  Dominica
061  Dominican Republic
062  East Timor
063  Ecuador
064  Egypt
065  El Salvador
066  Equatorial Guinea
067  Eritrea
068  Estonia
069  Ethi
4. Bandwidth management and application patrol show commands (command table, continued)

[no] bwm activate
    Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes or application patrol policies apply bandwidth management. The no command globally disables bandwidth management.
show app config
    Displays whether or not application patrol is active.
show app all
    Displays the settings for all applications.
show app all defaultport
    Displays the default port settings for all applications.
show app all statistics
    Displays statistics for all applications.
show app general im p2p stream
    Displays protocols by category (im, p2p or stream).
show app im support action
    Displays the supported actions of each Instant Messenger application.
show app protocol name config
    Displays the basic configuration of this application.
show app protocol name defaultport
    Displays the default ports of this application.
show app protocol name statistics
    Displays the statistics of this application.
show app protocol name rule rule number
    Displays the rule configuration of this application.
show app protocol name rule rule number statistics
    Displays the rule statistics of this application.
show app protocol name rule default
    Displays the default rule configuration of this application.
show app protocol name rule default statistics
    Displays the default rule statistics of this application.
show app protocol name rule all
    Displays the configurations of all the rules.
8. Table 99 IDP Activation

[no] idp signature anomaly system protect activate
    Enables IDP signatures, anomaly detection and/or system protect. Using IDP signatures requires IDP service registration. If you don't have a standard license, you can register for a once-off trial one. Anomaly detection and the self-protect feature do not require registration. The no command disables the specified service.
idp system protect deactivate
    Disables system protect.
show idp signature system protect activation anomaly
    Displays IDP signature, anomaly detection or system protect service status.
idp reload
    Recovers the IDP signatures. You should only need to do this if instructed to do so by a support technician.

22.2.1.1 Activate/Deactivate IDP Example
This example shows how to activate and deactivate signature-based IDP on the ZyWALL.

Router# configure terminal
Router(config)# idp signature activate
Router(config)# show idp signature activation
idp signature activation: yes
Router(config)# no idp signature activate
Router(config)# show idp signature activation
idp signature activation: no

22.3 IDP Profile Commands

22.3.1 Global Profile Commands
Use these commands to rename or delete existing profiles and show IDP base profiles.

Table 100 Global Profile Commands
idp rename signature anomaly profile1 profile
9. Chapter 17 IPSec VPN, Table 71 isakmp Commands: IKE SAs (continued)

[no] fall back
    Set this to have the ZyWALL reconnect to the primary address when it becomes available again, and stop using the secondary connection, if the connection to the primary address goes down and the ZyWALL changes to using the secondary connection. Users will lose their VPN connection briefly while the ZyWALL changes back to the primary connection. To use this, the peer device at the secondary address cannot be set to use a nailed-up VPN connection.
fall back check interval <60..86400>
    Sets how often (in seconds) the ZyWALL checks if the primary address is available.
mode main aggressive
    Sets the negotiating mode (main or aggressive).
lifetime <180..3000000>
    Sets the IKE SA life time to the specified value.
transform set isakmp algo isakmp algo
    Sets the encryption and authentication algorithms for each IKE SA proposal. isakmp algo: des md5, des sha, 3des md5, 3des sha, aes128 md5, aes128 sha, aes192 md5, aes192 sha, aes256 md5, aes256 sha, aes256 sha256, aes256 sha512.
group1 | group2 | group5
    Sets the DHx group to the specified group.
[no] natt
    Enables NAT traversal. The no command disables NAT traversal.
local ip ip ip | domain name | interface interface name
    Sets the local gateway address to the specifie
10. Chapter 38 System Remote Management

38.10.4.1 Dial-in Management Command Examples
The following commands show you how to set up dial-in management with the following parameters: active, port speed 57600, initial string ATDT, and description "I am dial in management".

Router# configure terminal
Router(config)# dial in
Router(config dial in)# activate
Router(config dial in)# port speed 57600
Router(config dial in)# initial string ATDT
Router(config dial in)# description I am dial in management
Router(config dial in)# exit

38.11 Vantage CNM
Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details.

If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator.

38.11.1 Vantage CNM Commands
The following table describes the commands available for dial in management. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 179 Command Summary: Vantage CNM
[no] cnm agent manager url
    Se
11. Content filter commands (command table, continued)

[no] content filter license license
    Sets the license key for the external web filtering service. The no command clears the setting.
content filter passed warning flush
    Clears the ZyWALL's record of sessions for which it has given the user a warning before allowing access.
content filter passed warning timeout <1..1440>
    Sets how long to keep records of sessions for which the ZyWALL has given the user a warning before allowing access.
[no] content filter policy policy number address schedule filtering profile
    Sets a content filtering policy. The no command removes it.
content filter policy policy number shutdown
    Disables a content filtering policy.
content filter url server test bluecoat
    Enters the sub-command mode for testing whether or not a web site is saved in the BlueCoat external content filter server's database of restricted web pages.
    url server rating server timeout query timeout
        Tests whether or not a web site is saved in the external content filter server's database of restricted web pages.
    exit
        Leaves the sub-command mode.
content filter url server test commtouch
    Enters the sub-command mode for testing the Commtouch external content filter server's reachability.
    url timeout query timeout
        Specify the Commtouch server's URL and how long to wait for a response.
    exit
        Leaves the sub-command mode.
content filter zsb port <1..65535>
    Sets the port the ZyWALL uses to check if requested web
12. Chapter 11 DDNS

This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL.

11.1 DDNS Overview
DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address.

Note: You must have a public WAN IP address to use Dynamic DNS.

Set up a dynamic DNS account with a supported DNS service provider to be able to use Dynamic DNS services with the ZyWALL. When registration is complete, the DNS service provider gives you a password or key. At the time of writing, the ZyWALL supports the following DNS service providers. See the listed websites for details about the DNS services offered by each.

Table 56 Network > DDNS
DDNS SERVICE   SERVICE TYPES SUPPORTED                  WEBSITE         NOTES
DynDNS         Dynamic DNS, Static DNS and Custom DNS   www.dyndns.com
Dynu           Basic, Premium                           www.dynu.com
No-IP          No-IP                                    www.no-ip.com
Peanut Hull    Peanut Hull                              www.oray.cn     Chinese website

Note: Record your DDNS account's user name, password and domain name to use to configure the ZyWALL.

After you configure the ZyWALL, it automatically sends updated IP addresses to the DDNS service provider, which helps
13. Chapter 6 Interfaces, Table 33 WLAN Interface Commands (continued)

security wpa wpa2 tkip aes psk key psk key
    Configures WPA or WPA2 security using TKIP or AES and a Pre-Shared Key (PSK).
security wpa2 tkip aes eap internal profile name tls cert certificate name
    Configures WPA2 enterprise security using TKIP or AES and an existing AAA authentication method object (profile name). Select the certificate the ZyWALL uses to authenticate itself to the wireless clients. The wireless clients must use the TTLS authentication protocol and PAP inside the TTLS secure tunnel.
security wpa2 tkip aes eap external
    Configures WPA2 enterprise security using TKIP or AES and an external server. Use the security external command to specify the server's address.
security wpa2 tkip aes psk key psk key
    Configures WPA2 security using TKIP or AES and a Pre-Shared Key (PSK).
[no] security dot1x acct ip port <1..65535>
    Sets the IP address and port number of an external accounting server.
[no] security dot1x auth ip port <1..65535>
    Sets the IP address and port number of an external authentication (RADIUS) server.
[no] security dot1x activate
    Enables IEEE 802.1x accounting and authentication.
[no] security external acct ip port <1..65535>
    Sets the IP address and port number of an external accounting server.
14. Chapter 19 L2TP VPN

show l2tp over ipsec
    Displays the L2TP VPN settings.
show l2tp over ipsec session
    Displays current L2TP VPN sessions.

19.5 L2TP VPN Example
This example uses the following settings in creating a basic L2TP VPN tunnel. See the Web Configurator User's Guide for how to configure L2TP in remote user computers using Windows XP and Windows 2000.

Figure 23 L2TP VPN Example (network diagram: LAN_SUBNET 192.168.1.1/24 behind the ZyWALL, the ZyWALL's WAN address 172.23.37.205 towards the Internet, and L2TP_POOL 192.168.10.10 to 192.168.10.20 for remote users)

- The ZyWALL has a static IP address of 172.23.37.205 for the ge3 interface. The remote user has a dynamic public IP address and connects through the Internet.
- You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel.
- The VPN rule allows the remote user to access the LAN_SUBNET, which covers the 192.168.1.1/24 subnet.

19.5.1 Configuring the Default L2TP VPN Gateway Example
The following commands configure the Default_L2TP_VPN_GW entry:
- Configure the My Address setting. This example uses interface ge3 with static IP address 172.23.37.205.
- Configure the Pre-Shared Key. This example uses top secret.

Router(config)# isakmp policy Default_L2TP_VPN_GW
Router(config-isakmp Default_L2TP_VPN_GW)# local ip interface ge3
15. Tunnel interface commands (command table, continued)

tunnel mode ip gre
    Sets this interface to use GRE tunnel mode.
[no] mtu <576..1480>
    Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The ZyWALL divides larger packets into smaller fragments. The no command resets the MTU to 1480.
[no] downstream <0..1048576>
    Specifies the downstream bandwidth for the specified interface. The no command sets the downstream bandwidth to 1048576.
tunnel mode ipv6ip manual 6to4
    Sets the interface to be an IPv6-over-IPv4 tunnel.
    manual: Use for a point-to-point manual tunnel for IPv6 transition. You must also configure a policy route for the tunnel.
    6to4: Use for a 6to4 (6RD) automatic tunnel.
ipv6 address ipv6 addr prefix
    Sets an IPv6 address with prefix for the interface.
ipv6 6to4 prefix ipv6 addr prefix destination prefix ipv4_cidr relay ipv4
    For a 6to4 tunnel, sets the IPv6 address with prefix, remote gateway prefix or relay router IPv4 address.
traffic prioritize tcp ack content filter dns bandwidth <0..1048576> priority <1..7> maximize bandwidth usage
    Applies traffic priority when the interface sends TCP ACK traffic, traffic for querying the content filter or traffic for resolving domain names. It also sets how much bandwidth the traffic can use and can turn on maximize bandwidth usage.
traffic prioritize tcp ack content filter dns
16. Chapter 1 Command Line Interface (continued)

Figure 12 Help: Required User Input Example
Router(config)# ip telnet server port ?
<1..65535>
Router(config)# ip telnet server port 26

1.6.3 Entering Partial Commands
The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press TAB to have the ZyWALL automatically display the full command. For example, if you enter config and press TAB, the full command of configure automatically displays. If you enter a partial command that is not unique and press TAB, the ZyWALL displays a list of commands that start with the partial command.

Figure 13 Non-Unique Partial Command Example
Router# c [TAB]
clear configure copy
Router# co [TAB]
configure copy

1.6.4 Entering a ? in a Command
Typing a question mark (?) usually displays help information. However, some commands allow you to input a ?, for example as part of a string. Press CTRL+V on your keyboard to enter a ? without the ZyWALL treating it as a help query.

1.6.5 Command History
The ZyWALL keeps a list of commands you have entered for the current CLI session. You can use any commands in the history again by pressing the up or down arrow key to scroll through the previously used commands, and then press ENTER.

1.6.6 Navigation
Press CTRL+A to move the cursor to the beginning of the line. Press CTRL+E to move th
17. Chapter 20 Application Patrol (application patrol rule commands, continued)

[no] inbound dscp mark <0..63> | class default dscp_class
    This is how the ZyWALL handles the DSCP value of the outgoing packets to a connection's initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to the class default to have the ZyWALL set the DSCP value to 0.
[no] log alert
    Creates log entries and alerts for traffic that matches the rule. The no command does not create any log entries.
[no] outbound dscp mark <0..63> | class default dscp_class
    This is how the ZyWALL handles the DSCP value of the outgoing packets from a connection's initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to the class default to have the ZyWALL set the DSCP value to 0.
port <0..65535>
    Specifies the destination port. 0 means any.
[no] schedule profile name
    Adds the specified schedule to the rule.
show
    Displays the rule's configuration.
[no] source profile name
    Adds the specified source address to the rule.
[no] to zone name
    Specifies the destination zone.
[no] user username
    Adds the specified user to the rule.

20.2.3 Exception Commands for Pre-defined Applications
This table lists the commands for exception rules for application access controls. These commands are used for backwar
18. Chapter 8 Route, Table 46 Command Summary: Static Route (continued)

interface w x y z interface w x y z
    Changes an existing route's settings.
show ip route settings
    Displays static route information. Use show ip route to see learned route information. See Section 9.2.5 on page 110.
ip6 route destv6 prefix ipv6 global address | ipv6 link local interface <0..127>
    Sets an IPv6 static route.
ip6 route destv6 prefix ipv6 link local interface <0..127>
    Sets an IPv6 link-local static route.
no ip6 route destv6 prefix gatewayv6 interface <0..127>
    Deletes the specified IPv6 static route.
ip6 route replace destv6 prefix gatewayv6 interface <0..127> with destv6 prefix gatewayv6 interface <0..127>
    Changes an existing IPv6 route's settings.
[no] ip route control virtual server rules activate
    Gives static routes priority over NAT virtual server rules (1:1 SNAT). It also automatically gives policy routes priority over NAT virtual server rules. Use the no command to give NAT virtual server rules priority over static routes.
show ip route control virtual server rules
    Displays whether or not static routes have priority over NAT virtual server rules (1:1 SNAT).

8.4.1 Static Route Commands Examples
The following command sets a static route with IP addres
20. Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size and serial number.

Router(config)# show fan speed
FAN1 F00 rpm limit hi 6500 limit lo 1400 max 6650 min 6642 avg 6644
FAN2 F01 rpm limit hi 6500 limit lo 1400 max 6809 min 6783 avg 6795
FAN3 F02 rpm limit hi 6500 limit lo 1400 max 6683 min 6666 avg 6674
FAN4 F03 rpm limit hi 6500 limit lo 1400 max 6633 min 6617 avg 6627
Router(config)# show mac
MAC address: 28:61:32:89:37:61 - 28:61:32:89:37:67
Router(config)# show mem status
memory usage: 39
Router(config)# show ram size
ram size: 510MB
Router(config)# show serial number
serial number: 8060212020460

Here is an example of the command that displays the listening ports (the extracted output is partly garbled; rows are reproduced as scanned).

Router(config)# show socket listen
No  Proto  Local Address          Foreign Address  State
1   tcp    0 0 0 0 2601           0 040040         LISTEN
2   tcp    0 0 0 0 2602           UU U OP          LISTEN
3   tcp    27 0 0 1 10443         0 0 0 0 0        LISTEN
4   tcp    0 0 0 0 2604           0 0 0 0 0        LISTEN
5   tcp    0 0 0 0 80             0 0 0 0 0        LISTEN
6   tcp    27 0 0 1 29085         0 0 0 0 0        LISTEN
3   tcp    cede de SS             U0 0 0 0         LISTEN
8   tons   12 23 31 205 53        0 0 0 0 0        LISTEN
9   top    0 0 0 9 53             00 0030          LISTEN
10  tcp    12 23 31 240153        0 0 0 0 0        LISTEN
11  tcp    92 168 1 1 53          0 0 0 0 0        LISTEN
12  tcp    21 0 0 1 253           0 0 0 0 0        LISTEN
ES  tcp    D 0 0 0 21             0 0 0 0 0        LISTEN
14  tcp    O0 00 22               05050030         LISTEN
l5  tcp    21T 0 0 1 953          040406030        LISTEN
16  tcp    0 0 0 0 443            0 0 0 0 0
21. Chapter 3 Object Reference, Table 6 show reference Commands (continued)

show reference object isakmp policy object_name
    Displays which configuration settings reference the specified VPN gateway object.
show reference object sslvpn policy object_name
    Displays which configuration settings reference the specified SSL VPN object.
show reference object zone object_name
    Displays which configuration settings reference the specified zone object.
show reference object dhcp6 lease object_name
    Displays which configuration settings reference the specified DHCPv6 lease object.
show reference object dhcp6 request object_name
    Displays which configuration settings reference the specified DHCPv6 request object.
show reference object group username group_name
    Displays which configuration settings reference the specified user group object.
show reference object group address object_name
    Displays which configuration settings reference the specified address group object.
show reference object group address6 object_name
    Displays which configuration settings reference the specified IPv6 address group object.
show reference object group service object_name
    Displays which configuration settings reference the specified service group object.
show reference object group interface
    Displ
24. Chapter 1 Command Line Interface

1.10 Logging Out
Enter the exit or end command in configure mode to go to privilege mode. Enter the exit command in user mode or privilege mode to log out of the CLI.

Chapter 2 User and Privilege Modes
This chapter describes how to use these two modes.

2.1 User And Privilege Modes
This is the mode you are in when you first log into the CLI. Do not confuse user mode with types of user accounts the ZyWALL uses. See Chapter 26 on page 229 for more information about the user types. User-type accounts can only run exit in this mode. However, they may need to log into the device in order to be authenticated for user-aware policies, for example a firewall rule that a particular user is exempt from or a VPN tunnel that only certain people may use.

Type enable to go to privilege mode. No password is required. All commands can be run from here except those marked with an asterisk. Many of these commands are for troubleshooting purposes, for example the htm (hardware test module) and debug commands. Customer support may ask you to run some of these commands and send the results if you need assistance troubleshooting your device.

For admin logins, all commands are visible in user mode but not all can be run there. The following table displays which commands can be run in user mode. All commands can be run in privilege mode. The htm and
25. Chapter 14 ALG

This chapter covers how to use the ZyWALL's ALG feature to allow certain applications to pass through the ZyWALL.

14.1 ALG Introduction
The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications (such as SIP) to operate properly through the ZyWALL's NAT. Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets' data payload. The ZyWALL examines and uses IP address and port number information embedded in the VoIP traffic's data stream. When a device behind the ZyWALL uses an application for which the ZyWALL has VoIP pass through enabled, the ZyWALL translates the device's private IP address inside the data stream to a public IP address. It also records session port numbers and allows the related sessions to go through the firewall so the application's traffic can come in from the WAN to the LAN.

The ZyWALL only needs to use the ALG feature for traffic that goes through the ZyWALL's NAT. The firewall allows related sessions for VoIP applications that register with a server. The firewall allows or blocks peer-to-peer VoIP traffic based on the firewall rules.

You do not need to use a TURN (Traversal Using Relay NAT) server for VoIP devices behind the ZyWALL when you enable the SIP ALG.
26. [Web console Java security dialogs: "Warning - Security: Do you want to accept the certificate from web site ZyWALL 1050 Factory Default Certificate for the purpose of exchanging encrypted information?" (Hostname Mismatch); "Do you want to trust the signed applet distributed by ZyXEL? Publisher authenticity cannot be verified"; "Security Information: This page contains both secure and nonsecure items. Do you want to display the nonsecure items?"]

These warnings appear because the factory default certificate is self-signed and its name does not match the address you connect to. Replace it with a certificate you issued (see the ip http secure-server cert command) so that administrators are not trained to click through certificate warnings.

Finally, the User Name screen appears.

Figure 4 Web Console: User Name

5 Enter the user name you want to use to log in to the console. The console begins to connect to the ZyWALL.

Note: The default login username is admin. It is case-sensitive.

Figure 5 Web Console: Connecting to ZyWALL 1050 (172.23.19.244:22)

Then the Password screen appears.

Figure 6 Web Console: Password Authentication (User: admin)

6 Enter the password for the user name you specified earlier and click OK. If you enter the password incorrectly you get an error message and you
27. Router# show system snat nat-loopback
Note: Loopback SNAT is only applied when the initiator is located in the same network as the server.
No.  VS Name  Source  Destination  SNAT

The following example shows all activated 1-to-1 NAT rules.

Router# show system snat nat-1-1
No.  VS Name  Source  Destination  Outgoing  SNAT

Chapter 44 Packet Flow Explore

The following example shows the default WAN trunk settings.

Router# show system snat default-snat
Incoming  Outgoing  SNAT
Internal Interface  External Interface  Outgoing Interface IP
Internal Interfaces: lan1, hidden, lan2, dmz
External Interfaces: wan1, wan2, wan1_ppp, wan2_ppp
Router#

Chapter 45 Packet Flow Filter

This chapter covers how to use the packet flow filter feature.

45.1 Packet Flow Filter

Use the packet flow filter to troubleshoot firewall rules and policy routes when specific packets you expect to go through the ZyWALL do not.

45.2 Packet Flow Filter Commands

The following table identifies some common values used in packet flow commands. Other input values are discussed with the corresponding commands.

Table 202 Packet Flow Filter Command Input Values
LABEL  DESCRIPTION
pf_filter_num
    The filter number to be displayed, 1..3 depending on the product.
pf_cpu_core_num
    The CPU core number of the packet buffer to
28. Router(config-wlan-slot)# exit
Router(config)#

6.9.2 WLAN Interface Commands

Use these commands to configure global settings that apply to all of the wireless LAN interfaces you create on the WLAN card.

Table 33 WLAN Interface Commands
COMMAND  DESCRIPTION
[no] interface <ap_interface>
    Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface. ap_interface is the name of the WLAN access point interface. Use wlan-x-y, where x is the number of the card slot and y is the number of the individual WLAN interface, for example wlan-1-1.
[no] block-intra
    Enables intra-BSS blocking, which prevents wireless clients in this profile's BSS from communicating with one another.
group-key <30..30000>
    Sets the WPA2 group key update timer: the interval, in seconds, at which the AP sends a new group key out to all clients.
[no] hide
    Obscures the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning. This is not an access control: associated clients still send the SSID in clear in their probe and association frames, so treat it as a convenience setting and rely on the security command for protection.
idle <30..30000>
    Sets the WPA2 idle timeout. The ZyWALL automatically disconnects a wireless station that has been inactive for this number of seconds. The wireless station needs to enter the username and password again before access to the wired network is allowed.
[no] ip address <ip> <subnet_mask>
    Assigns the specified IP address and subnet mask to the specified interface. The subnet mask ... The no command
29. ... Sets the WEP encryption to use open or shared key authentication.
security wpa <tkip|aes> eap internal <profile_name> tls-cert <certificate_name>
    Configures WPA enterprise security using TKIP or AES and an existing AAA authentication method object (profile_name). Sets the certificate the ZyWALL uses to authenticate itself to the wireless clients. The wireless clients must use the TTLS authentication protocol and PAP inside the TTLS secure tunnel.
security wpa <tkip|aes> eap external
    Configures WPA enterprise security using TKIP or AES and an external server. Use the security external command to specify the server's address.
security wpa <tkip|aes> psk <psk_key>
    Configures WPA security using TKIP or AES and a pre-shared key (PSK).
security wpa|wpa2 <tkip|aes> eap internal <profile_name> tls-cert <certificate_name>
    Allows users to use either WPA or WPA2 enterprise security to connect to the wireless interface. You also have to configure either TKIP or AES and an existing AAA authentication method object (profile_name). Sets the certificate the ZyWALL uses to authenticate itself to the wireless clients. The wireless clients must use the TTLS authentication protocol and PAP inside the TTLS secure tunnel.
security wpa|wpa2 <tkip|aes> eap external
    Configures WPA or WPA2 enterprise security using TKIP or AES and an external server. Use the security external command to specify the server's address.

Two caveats apply to all of these options. WEP and TKIP are both broken and should not be used where the clients support WPA2 with AES. With the eap internal variants the user's password is sent with PAP inside the TTLS tunnel, so it is protected only as long as the client validates the ZyWALL's certificate (tls-cert); clients configured to skip that check expose the password to a rogue access point.
30. You can specify colors in one of the following ways:
color_rgb: Enter red, green and blue values in parentheses, separated by commas. For example, use rgb(0,0,0) for black.
color_name: Enter the name of the desired color.
color_number: Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use #000000 for black.

The following table describes the commands available for customizing the Web Configurator login screen and the page that displays after an access user logs into the Web Configurator to access network services like the Internet. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 164 Command Summary: Customization
COMMAND  DESCRIPTION
[no] access-page color window-background
    Sets whether or not the access page uses a colored background.
access-page message color <color_rgb|color_name|color_number>
    Sets the color of the message text on the access page.
[no] access-page message text <message>
    Sets a note to display below the access page's title. Use up to 64 printable ASCII characters. Spaces are allowed.
access-page title <title>
    Sets the title for the top of the access page. Use up to 64 printable ASCII characters. Spaces are allowed.
access-page window color <color_rgb|color_name|color_number>
login-page background color <color_rgb|co
31. Chapter 24 Anti-Spam

This chapter introduces and shows you how to configure the anti-spam scanner.

24.1 Anti-Spam Overview

The anti-spam feature marks or discards spam. Activate the anti-spam subscription service for sender IP reputation checking, mail content analysis and virus outbreak detection. Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. You can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers suspected of being used by spammers.

24.2 Anti-Spam Commands

The following table identifies the values used in some of these commands. Other input values are discussed with the corresponding commands.

Table 116 Input Values for General Anti-Spam Commands
LABEL  DESCRIPTION
rule_number
    The index number of an anti-spam rule, 1..X where X is the highest number of anti-spam rules the ZyWALL model supports. See the ZyWALL's User's Guide for details.
zone_object
    The name of the zone. The ZyWALL USG 200 and lower models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT and WAN.
xheader_name
    The name part that comes before the colon of a field to add to an e-mail header. Use up to 16 ASCII characters.
xheader_value
    The value part that comes after the colon of a field to add to an e-mail header. Use
32. certificate_name
    The name of the certificate. You can use up to 31 alphanumeric characters, underscores (_) and certain punctuation characters.
[no] ip http secure-server force-redirect
    Redirects all HTTP connection requests to a HTTPS URL. The no command disables forwarding HTTP connection requests to a HTTPS URL.
ip http secure-server table admin|user rule <rule_number> access-group ALL|<address_object> zone ALL|<zone_object> action accept|deny
ip http secure-server table admin|user rule append|insert <rule_number> access-group ALL|<address_object> zone ALL|<zone_object> action accept|deny
    Sets a service control rule for the HTTPS service.
ip http secure-server table admin|user rule move <rule_number> to <rule_number>
    Changes the index number of a HTTPS service control rule.
ip http secure-server cipher-suite <cipher_algorithm> [<cipher_algorithm> [<cipher_algorithm> [<cipher_algorithm>]]]
    Sets the encryption algorithms (up to four) that the ZyWALL uses for the SSL in HTTPS connections and the sequence in which it uses them. The cipher_algorithm can be any of the following: rc4 (RC4; RC4 may impact the ZyWALL's CPU performance since the ZyWALL's encryption accelerator does not support it), aes (AES), des (DES), 3des (Triple DES). RC4, DES and 3DES are all broken or deprecated for TLS; keep the list to aes unless a client you must support cannot do better, and in that case list aes first.
no ip http secure-server cipher-suite <cipher_algorithm>
    Has the ZyWALL not use the specified encryption algorithm for the SSL in HTTPS connections.
[no] ip http server
    Allows HTTP access to the ZyWALL web configurator. The no command disables HTTP access to the ZyWALL web configurator.
ip http serve
33. Router(config)# idp anomaly test
Router(config-idp-anomaly-profile-test)# no tcp-decoder oversize-offset activate
Router(config-idp-anomaly-profile-test)# exit
Router(config)# show idp anomaly test tcp-decoder oversize-offset details
message: tcp_decoder: OVERSIZE OFFSET ATTACK
keyword: tcp-decoder oversize-offset
activate: no
action: drop
log: log alert
Router(config)#

22.3.5 Editing System Protect

Use these commands to edit the system protect profiles.

Table 104 Editing System Protect Profiles
COMMAND  DESCRIPTION
idp system-protect
    Configures the system protect profile and enters sub-command mode. All the following commands relate to this profile. Use exit to quit sub-command mode.
[no] signature <sid> activate
    Activates or deactivates an IDP signature.
signature <sid> log [alert]
    Sets log or alert options for an IDP signature.
no signature <sid> log
    Deactivates log options for an IDP signature.
signature <sid> action drop|reject-sender|reject-receiver|reject-both
    Sets an action for an IDP signature.
no signature <sid> action
    Deactivates an action for an IDP signature.
show idp system-protect all details
    Displays the system protect profile deta
34. ... interface-name command, you have to find out the corresponding system name first (ge4 in this example). This example also shows how to change the user-defined name from Partner to Customer using the interface-name command.

Router(config)# interface-rename VIP Partner
Router(config)# show interface-name
No.  System Name  User Defined Name
1    ge1          ge1
2    ge2          ge2
3    ge3          ge3
4    ge4          Partner
5    ge5          ge5
Router(config)# interface-name ge4 Customer
Router(config)# show interface-name
No.  System Name  User Defined Name
1    ge1          ge1
2    ge2          ge2
3    ge3          ge3
4    ge4          Customer
5    ge5          ge5

Chapter 6 Interfaces

This example shows how to restart an interface. You can check all interface names on the ZyWALL, then use either the system name or the user-defined name of an interface (ge4 or Customer in this example) to restart it.

Router# configure terminal
Router(config)# show interface-name
No.  System Name  User Defined Name
1    ge1          ge1
2    ge2          ge2
3    ge3          ge3
4    ge4          Customer
5    ge5          ge5
Router(config)# interface reset ge4
Router(config)# interface reset Customer

6.2.2 DHCP Setting Commands

This table lists DHCP setting commands. DHCP is based on DHCP pools. Create a DHCP pool if you want to assign a static IP address to a MAC address, or if you want to specify the starting IP address and pool size of a range of IP addresses that can be assigned to DHCP clients. There are different commands for each configuration. Afterwar
35. ... tcp-filtered-portscan, tcp-filtered-decoy-portscan, tcp-filtered-distributed-portscan, tcp-filtered-portsweep. Also sets TCP scan detection logs or alerts and blocking. no deactivates TCP scan detection, its logs or alerts, or blocking.
[no] scan-detection udp-xxx activate | log [alert] | block
    Activates or deactivates UDP scan detection options, where udp-xxx is one of: udp-portscan, udp-decoy-portscan, udp-portsweep, udp-distributed-portscan, udp-filtered-portscan, udp-filtered-decoy-portscan, udp-filtered-distributed-portscan, udp-filtered-portsweep. Also sets UDP scan detection logs or alerts and blocking. no deactivates UDP scan detection, its logs or alerts, or blocking.
[no] scan-detection ip-xxx activate | log [alert] | block
    Activates or deactivates IP scan detection options, where ip-xxx is one of: ip-protocol-scan, ip-decoy-protocol-scan, ip-protocol-sweep, ip-distributed-protocol-scan, ip-filtered-protocol-scan, ip-filtered-decoy-protocol-scan, ip-filtered-distributed-protocol-scan, ip-filtered-protocol-sweep. Also sets IP scan detection logs or alerts and blocking. no deactivates IP scan detection, its logs or alerts, or blocking.
[no] scan-detection icmp-sweep | icmp-filtered-sweep activate | log [alert] | block
    Activates or deactivates ICMP scan detection options. Also sets ICMP scan detection logs or alerts and blocking. no deactivates ICMP scan detection, its logs or alerts, or blocki
36. ... uint16 <0..65535> | uint32 <0..4294967295> | ip <ipv4> [<ipv4> [<ipv4>]] | fqdn <fqdn> [<fqdn> [<fqdn>]] | text <text> | hex <hex> | vivc <enterprise_id> <hex_s> [<enterprise_id> <hex_s>] | vivs <enterprise_id> <hex_s> [<enterprise_id> <hex_s>]
    Adds or edits a DHCP extended option for the specified DHCP pool.
    text: String of up to 250 characters.
    hex: String of up to 250 hexadecimal pairs.
    vivc: Vendor-Identifying Vendor Class option. A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs.
    enterprise_id: Number <0..4294967295>.
    hex_s: String of up to 120 hexadecimal pairs.
    vivs: Vendor-Identifying Vendor-Specific option. DHCP clients and servers may use this option to exchange vendor-specific information.
no dhcp-option <1..254>
    Removes the DHCP extended option for the specified DHCP pool.
network <ip> <1..32> | network <ip> <mask>; no network
    Specifies the IP address and subnet mask of the specified DHCP pool. The subnet mask can be written in w.x.y.z format or in <1..32> format. Note: The DHCP pool must have the same subnet as the interface to which you plan to bind it. The no command clears these fields.
[no] default-router <ip>
    Specifies the default gateway DHCP clients should use. The no command clears this field.
[no] description <description> S
37. ... cluster-id <1..32>
    Sets the cluster ID number. A virtual router consists of a master ZyWALL and all of its backup ZyWALLs. If you have multiple ZyWALL virtual routers on your network, use a different cluster ID for each virtual router.
device-ha ap-mode priority <1..254>
    Sets the backup ZyWALL's priority. The backup ZyWALL with the highest value takes over the role of the master ZyWALL if the master ZyWALL becomes unavailable. The priority must be between 1 and 254; the master interface has priority 255.
[no] device-ha ap-mode authentication string <key> | ah-md5 <key>
    Sets the authentication method the virtual router uses. Every interface in a virtual router must use the same authentication method and password. The no command disables authentication.
    string: Use a plain-text password for authentication. key: Use up to eight characters, including alphanumeric characters, the underscore and some punctuation marks. The key is carried in clear in every HA advertisement, so anyone on the HA segment can read it.
    ah-md5: Use MD5 (IP Authentication Header style) authentication with the key; the key itself is never sent. key: Use up to eight characters, including alphanumeric characters, the underscore and some punctuation marks. Prefer ah-md5 over string, and keep the HA link on a dedicated segment in either case.

Chapter 25 Device HA
Table 126 device-ha ap-mode Commands (continued)
COMMAND  DESCRIPTION
[no] device-ha ap-mode <interface_name> manage-ip <ip> <subnet_mask>
    Sets the management IP address for an interface ... authentication pass
38. 14.2 ALG Commands

The following table lists the alg commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 63 alg Commands
COMMAND  DESCRIPTION
[no] alg sip [inactivity-timeout | signal-port <1025..65535> | signal-extra-port <1025..65535> | media-timeout <1..86400> | signal-timeout <1..86400> | transformation]
    Turns on or configures the SIP ALG.
    Use inactivity-timeout to have the ZyWALL apply SIP media and signaling inactivity timeout limits.
    Use signal-port with a listening port number (1025 to 65535) if you are using SIP on a port other than UDP 5060.
    Use signal-extra-port with a listening port number (1025 to 65535) if you are also using SIP on an additional UDP port number.
    Use media-timeout and a number of seconds (1..86400) for how long to allow a voice session to remain idle without voice traffic before dropping it.
    Use signal-timeout and a number of seconds (1..86400) for how long to allow a SIP signaling session to remain idle without SIP packets before dropping it.
    Use transformation to have the ZyWALL modify the IP addresses and port numbers embedded in the SIP data payload. You do not need to use this if you have a SIP device or server that will itself modify the IP addresses and port numbers embedded in the SIP data payload.
    The no command turns off the SIP ALG or removes the settings that you spe
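The transformation option above is what makes the SIP ALG work: the private address and ports are rewritten inside the SIP headers and the SDP body, and the media ports named in the SDP become the "related sessions" the firewall must let in. The following Python example, added here and not taken from the ZyWALL or from ZyXEL, performs that rewrite on a constructed INVITE so the moving parts are visible: Via, Contact, o= and c= lines, the m= port, the Content-Length that changes when addresses change, and the list of media pinholes. The addresses, the port allocator and the message itself are assumptions for the illustration, not anything the ZyWALL exposes.

```python
from __future__ import annotations
import re

PRIVATE_IP = "192.168.1.20"  # constructed: a SIP phone on the LAN behind the NAT
PUBLIC_IP = "203.0.113.7"    # constructed: the NAT's WAN address


def build_sip_message(header_lines: list[str], body: str) -> str:
    """Join header lines and body, recomputing Content-Length from the real body.
    An ALG has to do this too: rewriting addresses changes the SDP length."""
    hdrs = [h for h in header_lines if not h.lower().startswith("content-length:")]
    hdrs.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(hdrs) + "\r\n\r\n" + body


# Constructed INVITE with SDP; the private address is embedded in Via, Contact,
# o=, c= and the media port in m=, which is what makes SIP NAT-unfriendly.
SAMPLE_INVITE = build_sip_message(
    [
        "INVITE sip:bob@example.net SIP/2.0",
        f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds",
        "From: <sip:alice@example.net>;tag=1928301774",
        "To: <sip:bob@example.net>",
        "Call-ID: a84b4c76e66710",
        "CSeq: 314159 INVITE",
        f"Contact: <sip:alice@{PRIVATE_IP}:5060>",
        "Content-Type: application/sdp",
    ],
    "\r\n".join([
        "v=0",
        f"o=alice 2890844526 2890844526 IN IP4 {PRIVATE_IP}",
        "s=-",
        f"c=IN IP4 {PRIVATE_IP}",
        "t=0 0",
        "m=audio 49170 RTP/AVP 0",
        "a=rtpmap:0 PCMU/8000",
    ]) + "\r\n",
)


class PortAllocator:
    """Maps (private ip, private port) to a public port, reusing an existing
    mapping so the signaling port in Via and Contact stays consistent."""

    def __init__(self, first_port: int = 40000) -> None:
        self._next = first_port
        self.table: dict[tuple[str, int], int] = {}

    def get(self, ip: str, port: int) -> int:
        key = (ip, port)
        if key not in self.table:
            self.table[key] = self._next
            self._next += 1
        return self.table[key]


def sip_alg_transform(message: str, private_ip: str, public_ip: str,
                      alloc: PortAllocator) -> tuple[str, list[tuple[str, int, str, int]]]:
    """Rewrite embedded private ip:port pairs to public ones and return the
    rewritten message plus the media pinholes (public_ip, public_port,
    private_ip, private_port) the firewall must open for the related RTP flow."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        raise ValueError("not a complete SIP message")
    ip_port = re.compile(rf"\b{re.escape(private_ip)}(?::(\d+))?\b")

    def repl_signaling(m: re.Match) -> str:
        port = int(m.group(1)) if m.group(1) else 5060  # default SIP port
        return f"{public_ip}:{alloc.get(private_ip, port)}"

    new_head = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            line = ip_port.sub(repl_signaling, line)
        new_head.append(line)

    pinholes: list[tuple[str, int, str, int]] = []
    new_body = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(f"IN IP4 {private_ip}", f"IN IP4 {public_ip}")
        elif line.startswith("m="):
            fields = line.split(" ")
            priv_port = int(fields[1])
            pub_port = alloc.get(private_ip, priv_port)
            fields[1] = str(pub_port)
            line = " ".join(fields)
            pinholes.append((public_ip, pub_port, private_ip, priv_port))
        new_body.append(line)

    return build_sip_message(new_head, "\r\n".join(new_body)), pinholes


if __name__ == "__main__":
    out, holes = sip_alg_transform(SAMPLE_INVITE, PRIVATE_IP, PUBLIC_IP, PortAllocator())
    print(out)
    print("pinholes:", holes)
```

The pinhole list is the part a firewall administrator should care about: each entry is a UDP mapping that the ALG opens without a matching firewall rule, which is why the page says the firewall "allows related sessions" for registered VoIP applications. If a SIP device already rewrites its own addresses (the case where the page says transformation is not needed), running this rewrite a second time would double-translate the message, which is the usual failure mode when both a phone's NAT traversal and an ALG are active.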
39. ... Hit Enter to log in anonymously. Set the transfer mode to binary (type bin). Transfer the firmware file from your computer to the ZyWALL: type put followed by the path and name of the firmware file. This example uses put e:\ftproot\ZLD_FW\1.01(XL.0)C0.bin.

Figure 40 FTP Firmware Transfer Command
C:\>ftp 192.168.1.1
Connected to 192.168.1.1.
220---------- Welcome to Pure-FTPd 1.0.11 ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 21:33 and the load is 1. Server port: 21.
220-Only anonymous FTP is allowed here.
220 You will be disconnected after 15 minutes of inactivity.
User (192.168.1.1:(none)):
230 Anonymous user logged in
ftp> bi
200 TYPE is now 8-bit binary
ftp> put e:\ftproot\ZLD_FW\1.01(XL.0)C0.bin

Chapter 39 File Manager

7 Wait for the file transfer to complete.

Figure 41 FTP Firmware Transfer Complete
200 PORT command successful
150 Connecting to port 1564
226-87.0 Mbytes free disk space
226-File successfully transferred
226 3.231 seconds (measured here), 10.83 Mbytes per second
ftp: 36708858 bytes sent in 3.23Seconds 11350.91Kbytes/sec.

8 After the transfer is complete, Firmware received or ZLD-current received displays. Wait up to four minutes while the ZyWALL recovers the firmware.

Because the recovery FTP server accepts an anonymous login and takes whatever image is put to it, do this over a directly connected or otherwise isolated link, and copy only a firmware file you obtained from ZyXEL.

Figure 42 Firmware Received and Recovery Started
Firmware received
Update Files
40. Key fingerprint:
xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex
You can get a public key's fingerprint by running ssh-keygen -F publickey.pub on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to C:\Documents and Settings\user\Application Data\SSH\hostkeys\key_22_192.168.1.1.pub
host key for 192.168.1.1, accepted by user Tue Aug 09 2005 07:38:28
admin's password:
Authentication successful.

Compare the fingerprint shown with one you obtained out of band (for example from the console) before answering yes. Once a key is accepted it is saved and trusted for later sessions, so accepting an unknown key during an intercepted connection pins the interceptor's key.

1.3 How to Find Commands in this Guide

You can simply look for the feature chapter to find commands. In addition, you can use the List of Commands (Alphabetical) at the end of the guide. This section lists the commands in alphabetical order that they appear in this guide. If you are looking at the CLI Reference Guide electronically, you might have additional options, for example bookmarks or Find, as well.

Chapter 1 Command Line Interface

1.4 How Commands Are Explained

Each chapter explains the commands for one keyword. The chapters are divided into the following sections.

1.4.1 Background Information (Optional)

Note: See the User's Guide for background information about most features.

This section provides background information about features that you cannot configure in the web configurator. In addition, this section identifies related commands in other chapters.

1.4.2 Command Input Values (Optional)

This section list
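The host key check above is only as good as the comparison you make. The following Python example, added here and not from the ZyWALL or from ZyXEL, shows what a fingerprint actually is: it parses a one-line OpenSSH public key, checks that the type declared in the line matches the type embedded in the key blob, computes the SHA256 and MD5 fingerprints from the raw blob, and compares against a pinned value in constant time. The key material is a constructed 32-byte placeholder, not a real key, and the helper names are this example's own.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, offset: int = 0) -> tuple:
    """Decode one RFC 4251 string at offset; return (value, next_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated string body")
    return buf[offset:offset + length], offset + length


def make_openssh_line(key_type: str, key_bytes: bytes, comment: str = "") -> str:
    """Build an OpenSSH public key line: '<type> <base64 blob> [comment]'."""
    blob = ssh_string(key_type.encode()) + ssh_string(key_bytes)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


# Constructed test key: 32 sequential bytes standing in for an Ed25519 point.
# This is NOT a real key and the line is not from the page.
FAKE_ED25519_POINT = bytes(range(32))
SAMPLE_HOST_KEY_LINE = make_openssh_line("ssh-ed25519", FAKE_ED25519_POINT, "zywall-test")


def parse_openssh_pubkey(line: str) -> tuple:
    """Return (key type, raw key blob). Rejects a line whose declared type
    differs from the type embedded in the blob, which catches edited files."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    embedded, _ = read_ssh_string(blob)
    if embedded != declared.encode():
        raise ValueError(f"key type mismatch: {declared} vs {embedded.decode(errors='replace')}")
    return declared, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH default format: SHA256:<base64 digest without '=' padding>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy format (ssh-keygen -l -E md5): MD5:aa:bb:...:ff."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def host_key_matches(line: str, pinned: str) -> bool:
    """Compare the key's fingerprint with one obtained out of band."""
    _, blob = parse_openssh_pubkey(line)
    calculated = fingerprint_sha256(blob) if pinned.startswith("SHA256:") else fingerprint_md5(blob)
    return hmac.compare_digest(calculated.encode(), pinned.encode())


if __name__ == "__main__":
    _, blob = parse_openssh_pubkey(SAMPLE_HOST_KEY_LINE)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
```

The fingerprint is a hash of the whole key blob, including the type string, so two keys of different types can never share one. Pin the SHA256 form where you can; the MD5 form is kept only because older clients and documents (like the bubble-babble digest shown above) predate it.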
42. RADIUS authentication allows you to validate a large number of users from a central location.

30.2 Authentication Server Command Summary

This section describes the commands for authentication server settings.

30.2.1 ad-server Commands

The following table lists the ad-server commands you use to set the default AD server.

Table 147 ad-server Commands
COMMAND  DESCRIPTION
show ad-server
    Displays the default AD server settings.
[no] ad-server basedn <basedn>
    Sets a base distinguished name (DN) for the default AD server. A base DN identifies an AD directory. The no command clears this setting.

Chapter 30 AAA Server
Table 147 ad-server Commands (continued)
[no] ad-server binddn <binddn>
    Sets the user name the ZyWALL uses to log into the default AD server. The no command clears this setting.
[no] ad-server cn-identifier <uid>
    Sets the unique common name (cn) to identify a record. The no command clears this setting.
[no] ad-server host <ad_server>
    Sets the AD server address. Enter the IP address in dotted decimal notation or the domain name. The no command clears this setting.
[no] ad-server password <password>
    Sets the bind password. This password is shown encrypted when you use the show ad-server command to display it. The no command clears this setting.
[no] ad-server password-encrypted <password>
    Sets the encrypted password
43. Router(config)# packet-flow filter 1 source 1.2.3.4 destination 5.6.7.8
Router(config)# packet-flow filter 1 src-port 123
Router(config)# packet-flow filter 1 dst-port 456
Router(config)# packet-flow filter 1 protocol 17
Router(config)# packet-flow activate

This example displays whether or not the packet flow filter is activated and whether the ring buffer is enabled or disabled.

Router# show packet-flow status
Packet Flow Debugger Status
Activation: Yes
Ring Buffer: Disabled

Chapter 45 Packet Flow Filter

This example displays packet flow filter 1's settings.

Router# show packet-flow filter 1
Filter 1 Status
Activation: Yes
Src IP: 1.2.3.4
Dst IP: 5.6.7.8
Host Configured: No
Protocol: 17
Src Port: 123

This example displays the details of a captured packet flow. In this case the traffic matches and is dropped by firewall rule 3.

Router# show packet-flow buffer 1
Tracking ID: 1
Feature: Firewall  Type: IPTables  Action: Drop
Pkt Info: Src: 192.168.30.1:67  Dst: 255.255.255.255:68  Protocol: 17
Feature Info: Matched Firewall Rule: 3
Tracking ID: 2
Feature: Firewall  Type: IPTables  Action: Drop
Pkt Info: Src: 192.168.30.1:67  Dst: 255.255.255.255:68  Protocol: 17
Feature Info: Matched Firewall Rule: 3
Tracking ID: 3
Feature: Firewall  Type: IPTables  Action: Drop
Pkt Info: Src: 192.168.30.33:138
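A buffer dump like the one above gets long quickly when the filter matches broadcast traffic. The following Python example, added here and not part of the ZyWALL or of ZyXEL's tooling, parses the captured output into records and tallies drops per firewall rule so that the rule to inspect is obvious. The sample text is constructed in the field layout shown above; the exact spacing of the real output, and the Accept record used to show filtering by action, are assumptions.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed sample in the layout of the show packet-flow buffer output above.
# Field names follow the page; the spacing and the Accept record are assumed.
SAMPLE_BUFFER = """\
Tracking ID: 1
  Feature: Firewall  Type: IPTables  Action: Drop
  Pkt Info: Src: 192.168.30.1:67  Dst: 255.255.255.255:68  Protocol: 17
  Feature Info: Matched Firewall Rule: 3
Tracking ID: 2
  Feature: Firewall  Type: IPTables  Action: Drop
  Pkt Info: Src: 192.168.30.1:67  Dst: 255.255.255.255:68  Protocol: 17
  Feature Info: Matched Firewall Rule: 3
Tracking ID: 3
  Feature: Firewall  Type: IPTables  Action: Drop
  Pkt Info: Src: 192.168.30.33:138  Dst: 192.168.30.255:138  Protocol: 17
  Feature Info: Matched Firewall Rule: 3
Tracking ID: 4
  Feature: Firewall  Type: IPTables  Action: Accept
  Pkt Info: Src: 192.168.30.10:51515  Dst: 198.51.100.20:53  Protocol: 17
  Feature Info: Matched Firewall Rule: 1
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
RECORD_START = re.compile(r"^Tracking ID:\s*(\d+)\s*$", re.MULTILINE)


def _field(pattern: str, text: str):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_packet_flow_buffer(text: str) -> list[dict]:
    """Split the buffer dump into one dict per tracked packet."""
    parts = RECORD_START.split(text)  # ['', id1, body1, id2, body2, ...]
    records = []
    for i in range(1, len(parts) - 1, 2):
        body = parts[i + 1]
        src = re.search(r"Src:\s*([\d.]+):(\d+)", body)
        dst = re.search(r"Dst:\s*([\d.]+):(\d+)", body)
        proto = _field(r"Protocol:\s*(\d+)", body)
        rule = _field(r"Matched Firewall Rule:\s*(\d+)", body)
        records.append({
            "tracking_id": int(parts[i]),
            "feature": _field(r"Feature:\s*(.+?)\s{2,}", body),
            "type": _field(r"Type:\s*(\S+)", body),
            "action": _field(r"Action:\s*(\S+)", body),
            "src": (src.group(1), int(src.group(2))) if src else None,
            "dst": (dst.group(1), int(dst.group(2))) if dst else None,
            "protocol": int(proto) if proto else None,
            "firewall_rule": int(rule) if rule else None,
        })
    return records


def drops_by_rule(records: list[dict]) -> dict:
    """Count dropped packets per matched firewall rule."""
    return dict(Counter(r["firewall_rule"] for r in records if r["action"] == "Drop"))


def describe(record: dict) -> str:
    """One-line summary of a record in the style of a firewall log entry."""
    proto = PROTO_NAMES.get(record["protocol"], str(record["protocol"]))
    src = "%s:%d" % record["src"]
    dst = "%s:%d" % record["dst"]
    return (f"#{record['tracking_id']} {proto} {src} -> {dst}: "
            f"{record['action']} by firewall rule {record['firewall_rule']}")


if __name__ == "__main__":
    recs = parse_packet_flow_buffer(SAMPLE_BUFFER)
    for r in recs:
        print(describe(r))
    print("drops per rule:", drops_by_rule(recs))
```

In the sample the three drops are DHCP (67 to 68) and NetBIOS (138) broadcasts all hitting rule 3, which is the kind of pattern that tells you whether a "missing" packet was blocked by the rule you suspected or by an earlier, broader one.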
44. This table lists the commands for RIP.

Table 49 router Commands: RIP
COMMAND  DESCRIPTION
router rip
    Enters sub-command mode.
[no] network <interface_name>
    Enables RIP on the specified Ethernet interface. The no command disables RIP on the specified interface.
[no] redistribute static|ospf
    Enables redistribution of routing information learned from the specified source. The no command disables redistribution from the specified source.
redistribute static|ospf metric <0..16>
    Sets the metric when redistributing routing information learned from the specified source.
[no] version <1|2>
    Sets the default RIP version for all interfaces with RIP enabled. If the interface RIP version is blank, the interface uses the default version. This is not available in the GUI. The no command sets the default RIP version to 2.
[no] passive-interface <interface_name>
    Sets the direction to In-Only for the specified interface. The no command sets the direction to bi-directional.
[no] authentication mode md5|text
    Sets the authentication mode for RIP. The no command sets the authentication mode to none. Text authentication carries the key in clear in every RIP update, so anyone on the segment can read it; use md5 where the neighbouring routers support it.
[no] authentication string <authkey>
    Sets the password for text authentication. The no command clears the password.
authentication key <1..255> key-string <authkey>
    Sets the MD5 ID and password for MD5 authentication.
no authentication key
    Clears the MD5 ID and password.
[no] outonly-interface <interf
45. ... characters. Spaces are not allowed, although you could substitute a question mark (?). See Section 24.2.3.2 on page 216 for more details.

Use the white list to identify legitimate e-mail and the black list to identify spam e-mail. The following table describes the commands for configuring the white list and black list. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 120 Commands for Anti-spam White and Black Lists
COMMAND  DESCRIPTION
[no] anti-spam white-list activate
    Turns white list checking on or off. Turn on the white list to forward e-mail that matches an active white list entry without doing any more anti-spam checking on that individual e-mail.
[no] anti-spam white-list <rule_number> ip-address <ip> <subnet_mask> activate|deactivate
    Adds, edits or removes a white list entry to check e-mail for a specific source or relay IP address. Also turns the entry on or off.
[no] anti-spam white-list <rule_number> e-mail <email> activate|deactivate
    Adds, edits or removes a white list entry to check e-mail for a specific source e-mail address or domain name. Also turns the entry on or off.
[no] anti-spam white-list <rule_number> mail-header <mail_header> <mail_header_value> activate|deactivate
    Adds, edits or removes a white list entry to check e-mail for specific header fields and values. Also turns the entry on or off.
no
48. Chapter 37 System

This chapter provides information on the commands that correspond to what you can configure in the system screens.

37.1 System Overview

Use these commands to configure general ZyWALL information, the system time and the console port connection speed for a terminal emulation program. They also allow you to configure DNS settings and determine which services (protocols) can access which ZyWALL zones, if any, from which computers.

37.2 Customizing the WWW Login Page

Use these commands to customize the Web Configurator login screen. You can also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 26 on page 229 for more on access user accounts. The following figures identify the parts you can customize in the login and access pages.

Figure 25 Login Page Customization [callouts: Message (color of all text); Background; Note Message (last line of text), shown here as "1. Turn on Javascript and Cookie setting in your web browser. 2. Turn off Popup Window Blocking in your web browser." followed by "This is the note you can configure"]

Chapter 37 System

Figure 26 Access Page Customization [callouts: Logo; Title; Message (color of all text); Note Message (last line of text); Window Background]
49. ... in those cases it must also be activated.

Chapter 35 Endpoint Security
Table 161 Endpoint Security Object Commands
COMMAND  DESCRIPTION
[no] personal-firewall <personal_firewall_software_name> detect-auto-protection enable|disable|ignore
    Sets a permitted personal firewall. If you want to enter multiple personal firewalls, use this command for each of them. Use the list signature personal-firewall command to view the available personal firewall software package options.
    detect-auto-protection: Set this to enable if the specified firewall software is not only detectable for its installation but also detectable for its activation status. You can check the settings for each firewall software by using the show eps signature personal-firewall command.
    The user's computer must have one of the listed personal firewalls to pass this checking item. For some personal firewalls the ZyWALL can also detect whether or not the firewall is activated; in those cases it must also be activated.
[no] application forbidden-process <process_name>
    If you selected windows or linux as the operating system using the os-type command, you can use this command to set an application that a user's computer is not permitted to have running. If you want to enter multiple applications, use this command for each of them. The user's computer must not have any of the forbidden applications running to pass
50. Table 171 Command Summary: HTTP/HTTPS (continued)

[no] ip http authentication auth_method
    Sets an authentication method used by the HTTP/HTTPS server. The no command resets the authentication method used by the HTTP/HTTPS server to the factory default (default).
    auth_method: The name of the authentication method. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

[no] ip http port <1..65535>
    Sets the HTTP service port number. The no command resets the HTTP service port number to the factory default (80).

[no] ip http secure-port <1..65535>
    Sets the HTTPS service port number. The no command resets the HTTPS service port number to the factory default (443).

[no] ip http secure-server
    Enables HTTPS access to the ZyWALL web configurator. The no command disables HTTPS access to the ZyWALL web configurator.

[no] ip http secure-server auth-client
    Sets the client to authenticate itself to the HTTPS server. The no command sets the client not to authenticate itself to the HTTPS server.

[no] ip http secure-server cert certificate_name
    Specifies a certificate used by the HTTPS server. The no command resets the certificate used by the HTTPS server to the factory default (default).
51. (continued) ...less than 32 alphanumeric characters, in order to hide the real password from people behind you when you are configuring the AD server password. This password is displayed as what you typed when you use the show ad-server command.

[no] ad-server port port_no
    Sets the AD port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.

[no] ad-server search-time-limit time
    Sets the search timeout period in seconds. Enter a number between 1 and 300. The no command clears this setting.

[no] ad-server ssl
    Enables the ZyWALL to establish a secure connection to the AD server. The no command disables this feature.

30.2.2 ldap-server Commands

The following table lists the ldap-server commands you use to set the default LDAP server.

Table 148 ldap-server Commands

show ldap-server
    Displays current LDAP server settings.

[no] ldap-server basedn basedn
    Sets a base distinguished name (DN) for the default LDAP server. A base DN identifies an LDAP directory. The no command clears this setting.

[no] ldap-server binddn binddn
    Sets the user name the ZyWALL uses to log into the default LDAP server. The no command clears this setting.

[no] ldap-server cn-identifier uid
    Sets the unique common name (cn) to identify a record. The no command clears this setting.

[no] ldap-server host ldap_server
    Sets the LDAP server address. Enter...
53. (IPv6 interface commands, continued)

[no] ipv6 nd ra accept
    Sets the IPv6 interface to accept IPv6 neighbor discovery router advertisement messages. The no command sets the IPv6 interface to discard IPv6 neighbor discovery router advertisement messages.

[no] ipv6 metric <0..15>
    Sets the interface's metric for IPv6 traffic. The no command clears it.

[no] ipv6 address dhcp6_profile dhcp6_suffix_128
    Has the ZyWALL obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network, such as the LAN or DMZ. The no command removes the specified setting for using a delegated prefix as the beginning part of the network prefix.
    dhcp6_profile: Specify the DHCPv6 request object to use.
    dhcp6_suffix_128: Specify the ending part of the IPv6 address, a slash (/), and the prefix length. The ZyWALL appends it to the delegated prefix. For example, you got a delegated prefix of 2003:1234:5678::/48. You want to configure an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter ::1111:0:0:0:1/128 for the dhcp6_suffix_128.

ipv6 dhcp6 client
    Sets the IPv6 interface to be a DHCPv6 client.

[no] ipv6 dhcp6 rapid-commit
    Shortens the DHCPv6 message exchange process from four to two steps to help reduce network traffic. The no command sets the full four-step DHCPv6 message exchange process.

[no] ipv6 dhcp6 address-request
    Gets this interface's IPv6 address from the DHCPv6 server. The no command has the ZyWALL not get this interfac...
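The delegated-prefix plus dhcp6_suffix_128 combination described above, as an added example (not ZyXEL code): the function ORs the suffix onto the delegated prefix and refuses a suffix that would set bits inside the delegated part, which the guide does not discuss but a practitioner should check. Function names are my own.

```python
# Added example (not ZyXEL code): how a dhcp6_suffix_128 value is combined with
# a delegated IPv6 prefix to produce the interface address the guide describes.
import ipaddress


def suffix_overlaps_prefix(delegated_prefix: str, suffix_128: str) -> bool:
    """True if the suffix sets bits that belong to the delegated prefix part."""
    net = ipaddress.IPv6Network(delegated_prefix)
    suffix = ipaddress.IPv6Interface(suffix_128)
    return bool(int(suffix.ip) & int(net.netmask))


def apply_dhcp6_suffix(delegated_prefix: str, suffix_128: str) -> str:
    """Append suffix_128 (host part plus "/length") to the delegated prefix.

    delegated_prefix: what the ISP or uplink router handed out, e.g. "2003:1234:5678::/48"
    suffix_128:       the dhcp6_suffix_128 CLI argument, e.g. "::1111:0:0:0:1/128"
    Returns the resulting address with the suffix's prefix length,
    e.g. "2003:1234:5678:1111::1/128" (the guide's worked case).
    """
    net = ipaddress.IPv6Network(delegated_prefix)
    suffix = ipaddress.IPv6Interface(suffix_128)
    # A suffix that overwrites delegated bits would make the interface use an
    # address outside the prefix the ISP actually delegated, so reject it.
    if suffix_overlaps_prefix(delegated_prefix, suffix_128):
        raise ValueError(f"{suffix_128} sets bits inside the /{net.prefixlen} delegated prefix")
    # The resulting prefix length cannot be shorter than the delegation itself.
    if suffix.network.prefixlen < net.prefixlen:
        raise ValueError("suffix prefix length is shorter than the delegated prefix")
    combined = int(net.network_address) | int(suffix.ip)
    return f"{ipaddress.IPv6Address(combined)}/{suffix.network.prefixlen}"


if __name__ == "__main__":
    # Worked case from the guide: /48 delegation plus ::1111:0:0:0:1/128.
    print(apply_dhcp6_suffix("2003:1234:5678::/48", "::1111:0:0:0:1/128"))
    # Same suffix with /64 yields the LAN subnet prefix instead of a host address.
    print(apply_dhcp6_suffix("2003:1234:5678::/48", "::1111:0:0:0:0/64"))
```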
54. Table 80 L2TP VPN Commands (continued)

[no] l2tp-over-ipsec activate
    Turns L2TP VPN on. The no command turns it off.

l2tp-over-ipsec crypto map_name
    Specifies the IPSec VPN connection the ZyWALL uses for L2TP VPN. It must meet the requirements listed in Section 19.2 on page 157.
    Note: Modifying this VPN connection (or the VPN gateway that it uses) disconnects any existing L2TP VPN sessions.

l2tp-over-ipsec pool address_object
    Specifies the address object that defines the pool of IP addresses that the ZyWALL uses to assign to the L2TP VPN clients.

l2tp-over-ipsec authentication aaa_authentication_profile_name
    Specifies how the ZyWALL authenticates a remote user before allowing access to the L2TP VPN tunnel. The authentication method has the ZyWALL check a user's user name and password against the ZyWALL's local database, a remote LDAP, RADIUS, or Active Directory server, or more than one of these.

l2tp-over-ipsec certificate cert_name
    Select the certificate to use to identify the ZyWALL for L2TP VPN connections. The certificate is used with the EAP, PEAP and MSCHAPv2 authentication protocols. The certificate must already be configured.

l2tp-over-ipsec ... server ip | interface interface_name 1st-dns 2nd-dns 3rd-dns | ppp interface aux 1st-dns dns 2nd ...

[no] l2tp-over-ipsec user user_name
    Specifies the user or user group that can use the L2TP VPN t...
55. (auxiliary interface example, continued)

    phone-number 0340508888
    dialing-type tone
    port-speed 115200
    initial-string ATZ
    timeout 30
    username kk password kk u2online
    authentication chap-pap
    description "I am aux interface"
    exit

The following commands show how to dial, disconnect and stop the auxiliary interface:

    Router# interface dial aux
    Router# interface disconnect aux

ZyWALL ZLD CLI Reference Guide

Chapter 7 Trunks

This chapter shows you how to configure trunks on your ZyWALL.

7.1 Trunks Overview

You can group multiple interfaces together into trunks to have multiple connections share the traffic load to increase overall network throughput and enhance network reliability. If one interface's connection goes down, the ZyWALL sends traffic through another member of the trunk. For example, you can use two interfaces for WAN connections. You can connect one interface to one ISP (or network) and connect the other to a second ISP (or network). The ZyWALL can balance the load between multiple connections. If one interface's connection goes down, the ZyWALL can automatically send its traffic through another interface.

You can use policy routing to specify through which interface to send specific traffic types. You can use trunks in combination with policy routing. You can also define multiple trunks for the same physical interfaces. This allows you to send specific traffic types through t...
56. (continued) ...range, subnet and link-local IPv6 address objects and then deletes the subnet IPv6 address object.

    Router> enable
    Router# configure terminal
    Router(config)# address6-object B0 fe80:211:85ff:fe0e:cdec
    Router(config)# address6-object B1 fe80:211:85ff:fe0e:1 fe80:211:85ff:fe0e:ff
    Router(config)# address6-object B2 fe80:211:85ff:fe0e:cdec/128
    Router(config)# address6-object B3 interface-ip ge1 link-local
    Router(config)# show address6-object

The first show address6-object listing has columns Object name, Address, Type, Address Type, Index and Ref. It shows B0 (fe80:211:85ff:fe0e:cdec), B1 (range fe80:211:85ff:fe0e:1 to fe80:211:85ff:fe0e:ff, type RANGE), B2 (fe80:211:85ff:fe0e:cdec/128, type SUBNET) and B3 (ge1's link-local address fe80:213:49ff:feaa:cb88, type INTERFACE IP, address type LINK LOCAL), each with Ref 0.

    Router(config)# no address6-object B2
    Router(config)# show address6-object

After the no command the second listing contains only B0, B1 and B3; the SUBNET object B2 is gone.

27.2.2 Address Group Commands

This table lists the commands for address groups.

Table 141 object-group Commands: Address Groups

show object-group address [group_name]
    Displays information about the specified address group or about all address groups.

[no] object-group address group_name
[no] address-object object_name
    Creates the specified address group if necessary and enters sub-comma...
57. (Table: logging Commands, E-mail Profile, continued)

[no] logging mail <1..2> schedule {full | hourly}
    Sets the e-mail schedule for the specified e-mail profile. The no command clears the schedule field.

logging mail <1..2> schedule daily hour <0..23> minute <0..59>
    Sets a daily e-mail schedule for the specified e-mail profile.

logging mail <1..2> schedule weekly day day hour <0..23> minute <0..59>
    Sets a weekly e-mail schedule for the specified e-mail profile.
    day: sun | mon | tue | wed | thu | fri | sat

40.1.4.1 E-mail Profile Command Examples

The following commands set up e-mail log 1: address mail.zyxel.com.tw, authentication username lachang.li, password XXXXXX, send log to lachang.li@zyxel.com.tw, send alerts to lachang.li@zyxel.com.tw, from lachang.li@zyxel.com.tw, schedule weekly, day mon, hour 3, minute 3.

    Router# configure terminal
    Router(config)# logging mail 1 address mail.zyxel.com.tw
    Router(config)# logging mail 1 subject AAA
    Router(config)# logging mail 1 authentication username lachang.li password XXXXXX
    Router(config)# logging mail 1 send-log-to lachang.li@zyxel.com.tw
    Router(config)# logging mail 1 send-alerts-to lachang.li@zyxel.com.tw
    Router(config)# logging mail 1 from lachang.li@zyxel.com.tw
    Router(config)# logging mail 1 schedule weekly day mon hour 3 minute 3

40.1.5 Console Port Logging Commands

This table lists the commands for the console port settings.

Table 193 logging Commands: Console Port Settings

show logging status console
    Displays the current settings for the console log. Thi...
59. (interface commands, continued)

no ...server dhcp6 rapid-commit
    Has the ZyWALL use the full four-step DHCPv6 message exchange process.
    Note: Make sure you also disable this option in the DHCPv6 clients.

no dhcp6-lease-object dhcp6_profile
    Removes the specified profile of DHCPv6 lease settings to offer to DHCPv6 clients.

no dhcp6-request-object dhcp6_profile
    Removes the specified profile of DHCPv6 request settings that determine what additional information to get from the DHCPv6 server.

interface reset {interface_name | virtual_interface_name | all}
    Resets the interface statistics (the TxPkts, transmitted packets, and RxPkts, received packets, counts) to 0. You can use the "show interface summary all status" command to see the interface statistics.

interface send statistics interval <15..3600>
    Sets how often the ZyWALL sends interface statistics to external servers, for example a syslog server and a Vantage Report server.

show interface-name
    Displays all PPP and Ethernet interface system name and user-defined name mappings.

interface-name {ppp_interface | ethernet_interface} user_defined_name
    Specifies a name for a PPP or an Ethernet interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.
    ppp_interface / ethernet_interface: This must be the system name of a PPP or an Ethernet interface. Use the show interface-name command to see the system name of interfaces.
    user_defined_name...
60. (certificate example output, continued)

    subject: CN=10.0.0.58
    issuer: CN=10.0.0.58
    status: VALID
    ID: 10.0.0.58
    type: IP
    valid from: 2006-05-29 10:26:08
    valid to: 2009-05-28 10:26:08
    Router(config)# no ca category local pkcs12request

ZyWALL ZLD CLI Reference Guide

Chapter 33 ISP Accounts

Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE, PPTP and cellular interfaces.

33.1 ISP Accounts Overview

An ISP account is a profile of settings for Internet access using PPPoE, PPTP or cellular.

33.1.1 PPPoE and PPTP Account Commands

The following table lists the PPPoE and PPTP ISP account commands.

Table 157 PPPoE and PPTP ISP Account Commands

show account {pptp profile_name | pppoe profile_name}
    Displays information about the specified account(s).

[no] account {pppoe | pptp} profile_name
    Creates a new ISP account with name profile_name if necessary and enters sub-command mode. The no command deletes the specified ISP account.
    profile_name: use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

[no] user username
    Sets the username for the specified ISP account. The no command clears the username.
    username: You can use alphanumeric, underscores, dashes, commas, and $ characters, and it can be up to 64 characters long.

[no] password password
    Sets the pas...
62. (continued) ...you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the ZyWALL and will be disabled after the user logs out of the ZyWALL.

16.2 Firewall Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 65 Input Values for General Firewall Commands

address_object
    The name of the IP address (or address group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

address6_object
    The name of the IPv6 address (or address group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

user_name
    The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

zone_object
    The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 200 and lower models us...
63. (continued) ...you want to find. This search is not case-sensitive.
    severity: type the severity level of the signatures you want to find.

21.2.4.1 Signature Search Example

This example shows how to search for anti-virus signatures with "MSN" in the name.

    Router(config)# anti-virus search signature name MSN

The output lists the matching signature: signature 1, ID 41212, virus name containing MSN, category virus, its virus ID, and severity Low.

21.3 Update Anti-virus Signatures

Use these commands to update new signatures. You should have already registered for anti-virus service.

Table 96 Update Signatures

anti-virus update signatures
    Immediately downloads signatures from an update server.

[no] anti-virus update auto
    Enables (disables) automatic signature downloads at regular times and days.

anti-virus update hourly
    Enables automatic signature download every hour.

anti-virus update daily <0..23>
    Enables automatic signature download every day at the time specified.

anti-virus update weekly {sun | mon | tue | wed | thu | fri | sat} <0..23>
    Enables automatic signature download once a week at the time and day specified.

show anti-virus update
    Displays the signature update schedule.

show anti-virus update status
    Displays the signature update status.

show anti-virus signatures status
    Displays details about the current signatur...
64. (schedule object example, continued)

    ...                                                      0
    SCHEDULE2    Once    2006-07-29 11:00    2006-07-31 12:00    0
    Router(config)# no schedule-object SCHEDULE
    Router(config)# show schedule-object
    Object name    Type    Start               End                 Ref
    SCHEDULE2      Once    2006-07-29 11:00    2006-07-31 12:00    0

ZyWALL ZLD CLI Reference Guide

Chapter 30 AAA Server

This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers.

30.1 AAA Server Overview

You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the ZyWALL supports.

Local user database: The ZyWALL uses the built-in local user database to authenticate administrative users logging into the ZyWALL's web configurator or network access users logging into the network through the ZyWALL. You can also use the local user database to authenticate VPN users.

Directory Service (LDAP/AD): LDAP (Lightweight Directory Access Protocol) / AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server.

RADIUS: RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server...
65. Table 3 Input Value Formats for Strings in CLI Commands (continued)

    ... 1-20; numbers or ...
    preshared_key: 16-64; "0x" or "0X" followed by 16-64 hexadecimal values, or alphanumeric and punctuation characters
    profile_name: 0-30; alphanumeric or _; first character letters or _
    proto_name: 1-16; lower-case letters, numbers or ...
    protocol_name: 0-30; alphanumeric or _; first character letters or _
    quoted_string (less than 127 chars): 1-255; alphanumeric, spaces, or punctuation such as & and _
    quoted_string (less than 63 chars): 1-63; alphanumeric, spaces, or punctuation such as & and _
    quoted_string: 0 or more; alphanumeric, spaces, or punctuation marks enclosed in double quotation marks; you must put a backslash before double quotation marks that are part of the input value itself
    service_name: 0-63; alphanumeric or _
    spi: 2-8; hexadecimal
    string (less than 15 chars): 1-15; alphanumeric or _
    string (less than 63 chars): 1-63; alphanumeric or punctuation such as &
    string: 1 or more; alphanumeric or _
    subject: 1-61; alphanumeric, spaces or $_
    system_type: 0-2; hexadecimal
    timezone: hh; -12 through 12, with or without ...
    url: 1-511; alphanumeric or punctuation
    url (used in content filtering redirect): alphanumeric or punctuation such as & and _; starts with http:// o...
67. Chapter 21 Anti-Virus (continued)

21.2.2.1 Zone to Zone Anti-virus Rule Example

This example shows how to configure and display a WAN to LAN anti-virus rule to scan HTTP traffic and destroy infected files. The white and black lists are ignored and zipped files are decompressed. Any zipped files that cannot be decompressed are destroyed.

    Router(config)# anti-virus rule 1
    Router(config-av-rule)# activate
    Router(config-av-rule)# from-zone WAN
    Router(config-av-rule)# to-zone LAN
    Router(config-av-rule)# scan http
    Router(config-av-rule)# infected-action destroy
    Router(config-av-rule)# bypass white-list
    Router(config-av-rule)# bypass black-list
    Router(config-av-rule)# file-decompression
    Router(config-av-rule)# file-decompression unsupported destroy
    Router(config-av-rule)# exit
    Router(config)# show anti-virus rule 1
    Anti-Virus Rule: 1
      active: yes
      log: log
      from zone: WAN
      to zone: LAN
      Scan protocols:
        http: yes  ftp: yes  smtp: yes  pop3: yes  imap4: yes
      infected action: destroy
      bypass white list: yes
      bypass black list: yes
      file decompression: yes
      destroy unsupported compressed file: yes

21.2.3 White and Black Lists

The following table describes the commands for configuring the white list and black list. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Tabl...
68. Table 111 Content Filter Command Input Values (continued)

forbid_hosts
    The IP address or domain name of a forbidden web site. Use a host name such as www.bad-site.com. Do not use the complete URL of the site, that is, do not include "http://". All subdomains are also blocked. For example, entering bad-site.com also blocks www.bad-site.com, partner.bad-site.com, press.bad-site.com, etc. Use up to 63 case-insensitive characters (0-9a-z-).
    You can enter a single IP address in dotted decimal notation like 192.168.2.5.
    You can enter a subnet by entering an IP address in dotted decimal notation followed by a slash and the bit number of the subnet mask of an IP address. The range is 0 to 32. To find the bit number, convert the subnet mask to binary and add all of the 1's together. Take 255.255.255.0 for example: 255 converts to eight 1's in binary. There are three 255's, so add three eights together and you get the bit number (24). An example is 192.168.2.1/24.
    You can enter an IP address range by entering the start and end IP addresses separated by a hyphen, for example 192.168.2.5-192.168.2.23.

keyword
    A keyword or a numerical IP address to search URLs for and block access to if they contain it. Use up to 63 case-insensitive characters (0-9a-zA-Z, & and _ among other punctuation) in doubl...
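A matcher for the forbid_hosts entry syntax described above, added here as an example (not ZyXEL code), so a proposed list can be checked offline before it is loaded: it handles host names with their subdomains, single IPs, IP/bits subnets and start-end ranges, and includes the mask-to-bit-number conversion the table walks through. The sample list and function names are my own.

```python
# Added example (not ZyXEL code): reference matcher for forbid_hosts entries.
import ipaddress

# Constructed sample list in the entry forms the guide describes.
FORBID_HOSTS = [
    "bad-site.com",               # domain: also blocks every subdomain
    "192.168.2.5",                # single IP
    "192.168.2.1/24",             # subnet, bit number of the mask after the slash
    "10.0.0.5-10.0.0.23",         # start and end IP separated by a hyphen
]


def mask_to_bits(netmask: str) -> int:
    """Bit number of a dotted-decimal mask by counting its binary 1s,
    the conversion the guide describes (255.255.255.0 -> 24)."""
    return bin(int(ipaddress.IPv4Address(netmask))).count("1")


def parse_entry(entry: str):
    """Classify one forbid_hosts entry as ('range', (lo, hi)), ('subnet', net),
    ('ip', addr) or ('domain', name). Anything that is not a valid IP form
    (e.g. "bad-site.com", which contains a hyphen) falls through to domain."""
    entry = entry.strip().lower()
    try:
        if "-" in entry:
            start, end = (ipaddress.IPv4Address(p) for p in entry.split("-", 1))
            return ("range", (int(start), int(end)))
        if "/" in entry:
            return ("subnet", ipaddress.IPv4Network(entry, strict=False))
        return ("ip", ipaddress.IPv4Address(entry))
    except ValueError:
        return ("domain", entry)


def host_is_forbidden(host: str, entries) -> bool:
    """True if host (a name or dotted-decimal IP) matches any entry.
    A domain entry matches the name itself and all of its subdomains."""
    host = host.strip().lower()
    try:
        host_ip = ipaddress.IPv4Address(host)
    except ValueError:
        host_ip = None
    for entry in entries:
        kind, value = parse_entry(entry)
        if kind == "domain":
            if host_ip is None and (host == value or host.endswith("." + value)):
                return True
        elif host_ip is not None:
            if kind == "ip" and host_ip == value:
                return True
            if kind == "subnet" and host_ip in value:
                return True
            if kind == "range" and value[0] <= int(host_ip) <= value[1]:
                return True
    return False


if __name__ == "__main__":
    for candidate in ("press.bad-site.com", "notbad-site.com", "192.168.2.200", "10.0.0.24"):
        print(candidate, "->", "blocked" if host_is_forbidden(candidate, FORBID_HOSTS) else "allowed")
```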
69. (Table 136 force-auth Commands, continued) ...234 for the sub-commands.

force-auth policy insert <1..1024>
    Creates a new condition for forcing user authentication at the specified location, renumbers the other conditions accordingly, and enters sub-command mode. See Table 137 on page 234 for the sub-commands.

force-auth policy delete <1..1024>
    Deletes the specified condition. To modify a condition, you can insert a new condition N and then delete the one (N+1) that you want to modify.

force-auth policy flush
    Deletes every condition.

force-auth policy move <1..1024> to <1..1024>
    Moves the specified condition to the specified location and renumbers the other conditions accordingly.

show force-auth activation
    Displays whether forcing user authentication is enabled or not.

show force-auth exceptional-service
    Displays services that users can access without user authentication.

show force-auth policy {<1..1024> | all}
    Displays details about the policies for forcing user authentication.

26.2.4.1 force-auth Sub-commands

The following table describes the sub-commands for several force-auth policy commands. Note that not all rule commands use all the sub-commands listed here.

Table 137 force-auth policy Sub-commands

[no] activate
    Activates the specified condition. The no c...
70. ZyWALL ZLD CLI Reference Guide

Chapter 44 Packet Flow Explore

This chapter covers how to use the packet flow explore feature.

44.1 Packet Flow Explore

Use this to get a clear picture of how the ZyWALL determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you a summary of all your routing and SNAT settings and helps troubleshoot the related problems.

44.2 Packet Flow Explore Commands

The following table lists the commands that you can use to have the ZyWALL display routing and SNAT related settings.

Table 201 Packet Flow Explore Commands

show route order
    Displays the order of routing-related functions the ZyWALL checks for packets. Once a packet matches the criteria of a routing rule, the ZyWALL takes the corresponding action and does not perform any further flow checking.

show system snat order
    Displays the order of SNAT-related functions the ZyWALL checks for packets. Once a packet matches the criteria of an SNAT rule, the ZyWALL uses the corresponding source IP address and does not perform any further flow checking.

show system route policy-route
    Displays activated policy routes.

show system route nat-1-1
    Displays activated 1-to-1 NAT rules.

show system route site-to-site-vpn
    Displays activated site-to-site VPN rules.

show system route dynamic-vpn
    Displays activa...
71. (example configuration file, continued)

    ...37.254 metric 1
    exit
    # create address objects for remote management / to-ZyWALL firewall rules
    # use the address group in case we want to open up remote management later
    address-object TW_SUBNET 172.23.37.0/24
    object-group address TW_TEAM
    address-object TW_SUBNET
    exit
    # enable Telnet access (not enabled by default, unlike other services)
    ip telnet server
    # open WAN-to-ZyWALL firewall for TW_TEAM for remote management
    firewall WAN ZyWALL insert 4
    sourceip TW_TEAM
    service TELNET
    action allow
    exit
    write

While configuration files and shell scripts have the same syntax, the ZyWALL applies configuration files differently than it runs shell scripts. This is explained below.

Table 183 Configuration Files and Shell Scripts in the ZyWALL

Configuration Files (.conf):
    Resets to default configuration.
    Goes into CLI Configuration mode.
    Runs the commands in the configuration file.

Shell Scripts (.zysh):
    Goes into CLI Privilege mode.
    Runs the commands in the shell script.

You have to run the example in Table 27 on page 300 as a shell script because the first command is run in Privilege mode. If you remove the first command, you have to run the example as a configuration file because the rest of the commands are executed in Configuration mode. See Section 1.5 on page 25 for more information about CLI modes.

39.2.1 Comments in Configuration Files or Shell Scripts

In a configuration file or shell...
72. (manual key VPN commands, continued)

    ...<256..4095> authentication ... auth_key | esp <256..4095> cipher ... (encryption key, if any) enc_key authenticator ... auth_key
    auth_key: You can use any alphanumeric characters or the permitted punctuation characters. The length of the key depends on the algorithm: md5 16-20 characters, sha 20 characters, sha256 32 characters, sha512 64 characters.
    enc_key: You can use any alphanumeric characters or the permitted punctuation characters. The length of the key depends on the algorithm: des 8-32 characters, 3des 24-32 characters, aes128 16-32 characters, aes192 24-32 characters, aes256 32 characters.
    If you want to enter the key in hexadecimal, type 0x at the beginning of the key. For example, 0x0123456789ABCDEF is in hexadecimal format; 0123456789ABCDEF is in ASCII format. If you use hexadecimal, you must enter twice as many characters. The ZyWALL automatically ignores any characters above the minimum number of characters required by the algorithm. For example, if you enter 1234567890XYZ for a DES encryption key, the ZyWALL only uses 12345678. The ZyWALL still stores the longer key.

local-ip ip
    Sets the local gateway address to the specified IP address.

peer-ip ip
    Sets the remote gateway address to the specified IP address.

17.2.4 VPN Concentrator Commands

This table lists the commands for the VPN concentrator.

Table 74 vpn-concentrator Commands: VPN Concentrator

COMMAND / DES...
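The manual-key rules above (0x hex form with twice the characters, per-algorithm length ranges, and silent truncation to the minimum) modelled as an added example (not ZyXEL code), so a key can be validated before it is typed in; the silent truncation is the part worth checking, since a long DES key still yields only 8 effective bytes. Function names are my own; the algorithm names and lengths are the table's.

```python
# Added example (not ZyXEL code): effective key material under the manual-key
# rules stated in the guide's table.
import binascii

# Accepted key lengths in bytes (minimum, maximum) per algorithm, from the table.
KEY_LENGTHS = {
    "md5": (16, 20), "sha": (20, 20), "sha256": (32, 32), "sha512": (64, 64),
    "des": (8, 32), "3des": (24, 32), "aes128": (16, 32), "aes192": (24, 32),
    "aes256": (32, 32),
}


def decode_key(key: str) -> bytes:
    """Bytes represented by a CLI key string: a 0x/0X prefix means hexadecimal
    (two characters per byte); anything else is taken literally as ASCII."""
    if key[:2] in ("0x", "0X"):
        return binascii.unhexlify(key[2:])  # raises on odd length or non-hex digits
    return key.encode("ascii")


def effective_key(algorithm: str, key: str) -> bytes:
    """Return the bytes the device actually uses for `key` under `algorithm`.

    Raises ValueError for an unknown algorithm or a key outside the accepted
    length range. Bytes beyond the minimum are dropped, mirroring the guide's
    statement that the device stores the longer key but ignores the excess.
    """
    try:
        minimum, maximum = KEY_LENGTHS[algorithm.lower()]
    except KeyError:
        raise ValueError(f"unknown algorithm {algorithm!r}") from None
    raw = decode_key(key)
    if not minimum <= len(raw) <= maximum:
        raise ValueError(f"{algorithm} key must be {minimum}-{maximum} bytes, got {len(raw)}")
    return raw[:minimum]


def ignored_bytes(algorithm: str, key: str) -> int:
    """Bytes of `key` that are stored but never used. Non-zero means the key is
    longer than it is effective, which is easy to mistake for extra strength."""
    return len(decode_key(key)) - len(effective_key(algorithm, key))


def key_is_acceptable(algorithm: str, key: str) -> bool:
    """True if the key passes the length and format rules for the algorithm."""
    try:
        effective_key(algorithm, key)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


if __name__ == "__main__":
    # The guide's DES example: 13 characters typed, 8 used.
    print(effective_key("des", "1234567890XYZ"), ignored_bytes("des", "1234567890XYZ"))
```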
73. (continued) ...80 characters to specify a file pattern. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and asterisks (*) are allowed.
    A question mark (?) lets a single character in the file name vary. For example, use "a?.zip" (without the quotation marks) to specify aa.zip, ab.zip and so on.
    Wildcards (*) let multiple files match the pattern. For example, use "*a.zip" (without the quotation marks) to specify any file that ends with "a.zip". A file named "testa.zip" would match. There could be any number of any type of characters in front of the "a.zip" at the end and the file name would still match. A file named "test.zipa", for example, would not match.
    A * in the middle of a pattern has the ZyWALL check the beginning and end of the file name and ignore the middle. For example, with "abc*.zip", any file starting with "abc" and ending in ".zip" matches, no matter how many characters are in between.
    The whole file name has to match if you do not use a question mark or asterisk. If you do not use a wildcard, the ZyWALL checks up to the first 80 characters of a file name.

21.2.1 General Anti-virus Commands

The following table describes general anti-virus commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Note: You must register for the anti-virus serv...
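The file-pattern rules above as a matcher, added here as an example (not ZyXEL code), so a white or black list pattern can be tried against sample file names before it is configured; it covers "?", "*", whole-name matching and the 80-character limit. Function names are my own, and the matching is assumed to be case-sensitive since the guide does not say otherwise.

```python
# Added example (not ZyXEL code): matcher for the anti-virus file-pattern syntax.
import re

PATTERN_MAX_LEN = 80  # patterns, and names compared without wildcards, are capped at 80 chars


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a ZyWALL file pattern into a compiled regular expression.

    "?" matches exactly one character, "*" matches any run of characters
    (including none), and every other character is literal.
    """
    if not 1 <= len(pattern) <= PATTERN_MAX_LEN:
        raise ValueError("pattern must be 1 to 80 characters")
    # The guide lists alphanumerics, "_", "-", "?" and "*"; "." is assumed
    # allowed as well because every example in the guide contains one.
    if not re.fullmatch(r"[A-Za-z0-9_.?*-]+", pattern):
        raise ValueError("only alphanumerics, '_', '-', '.', '?' and '*' are allowed")
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def file_matches(pattern: str, file_name: str) -> bool:
    """True if file_name matches pattern under the device's rules:
    the whole name must match, and without wildcards only the first
    80 characters of the name are compared."""
    regex = pattern_to_regex(pattern)
    if "?" not in pattern and "*" not in pattern:
        file_name = file_name[:PATTERN_MAX_LEN]
    return regex.fullmatch(file_name) is not None


def matching_files(pattern: str, file_names) -> list:
    """Subset of file_names that the pattern would catch."""
    return [name for name in file_names if file_matches(pattern, name)]


if __name__ == "__main__":
    # Constructed sample names exercising the guide's examples.
    sample = ["aa.zip", "ab.zip", "abc.zip", "testa.zip", "test.zipa", "abc_report.zip"]
    for pat in ("a?.zip", "*a.zip", "abc*.zip"):
        print(pat, "->", matching_files(pat, sample))
```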
75. AA AAA AA ARANA RRA ANNA AAA Oe Ee AAA 82 show username LUSSERINS 66s 64 MESS 443 9 9 3 9 pA ACE NARA ARA ARAN A AS RARA A AMARA RAR AA 230 show users username aLl O ftrent issi ncorrpnmsrrrirnde ira a He 235 show users default setting all user type admin user guest limited admin ext user ext CROUPANSS 2 M P aoe ai 231 glow usero Ddle dUPbegL on ESPbEINIE de hence Sense AR Qr dopo iq ic DUE we eee eee 232 Blau Users TELEYSCULIADS price AAA AAA AS AA qoa Te Sde m Eds PACE Show users grimultahdd5 LgOneseLLI FM S Jalisco Ro Ram x EA NM hand xa wed hes Shales ewe 252 show users update lssgse sSOELtIEUS arras kgexcokG Ru A ACE A cde REDE eo REDDER eR RUD RR E ACORN e A 232 Shon Vernon qu GR3CRRPPEX 4d d dbi ue Ree ee su dde SE ee REED EIE d d Rr Pe dud vet d e 41 show wpn dcahcentrator prore Hamel ua ukuuesea RA EURO EON ed cane he Ore ay A AA Ro a C wee 147 show vpn c ondiligubratiobsprovialon SCEIVALLON adededGqOERha ORA ROE GR EUCH CER RE RE ORR EO RA 148 show vpn coniiguration provision authentication exa kRGCRG ORG diktik akaa KE ROR ACE EORR ROR RO ACE 148 show vor conitiguration provision DUDES AAA Ke Ed edo PE de dd ad edd d uk 148 Bow SPH Senile Ss DESIRE Ru SR ne en ss HER ER ad QA B dad d adm ae d qi qs 149 Bhow MEDC send device Information AInEGGSWELh 2 2 dda dd we pen tego o opes odere qe m de dias 320 phow vroe pend rnberlage SESELSCIOS Inra ices acs d eR
76. AGE Mace hetOi te vet hed A AE ESS HERO A RE RA xu RN ddr Cee do es aca qus ANA CRW 34 test aaa server secure server ad ldap host hostname ipv4 address host hostname ipv4 address port lt 1 65535 gt base dn base dn string bind dn bind dn string password pass word login name attribute attribute alternative login name attribute attribute ac count account Pane AAA FECES REA ERE SOA EP qued d Eq S de d eed RE REPE Xe 256 ESOS Lagi MESES doux beau A x KO AS ARA AAA A die C QR RR dodo CN E RC RR Bea 342 EYAGEPOULS Sar See ea eee SOUS EOE SOA Oe r eevyPu ERE ROPREQER Rd d ue pEda dd iE Sd ded qe e 34 Etateroure a GSRSQERENUD GaokWQ ex ACERO e EE eub eed shea nese deen Ou hee alt bbe LAR LA E TA A 341 LEGPBEPQULDADM suo pcd SRE OS TOROS Fox ck Wok PEE VEO E OEC ue dos Oe doe poe dob eee S 34 sacereures ape JIOESEHEEPe peau due XR REC ox ac edi de BOR RC d deep o de p RO qa ER dE do RR A 341 Ltraffic prioritize top ack content filter dns bandwidth lt 0 1048576 gt priority lt 1 7 gt maxi Mira an E reamed inks 560 Sg 5d qd EAS Ed dd b deis Bede x cp argu d diu 81 Lraffic prioritize bop ack content filter dnes deactivate eenaacexeexReweechxXRex Roe A ANS 81 traffic prioritize tcp ack content filter dns ipsec vpn ssl vpn bandwidth lt 0 1048576 gt pri Grp Lilo masias Sagan LR USAGI e AA eR dr OR Nae Ges eee ide SD Seas 58 Lra
77. ARA SEER ASE ee ES ES OE RES 84 channel width auto 20m SON uua E RO E E E a4 e UA EE A de deo EO RC RR Me Co ed Oe dd 84 DEMOS iuxbssua giae eee ieri d dr ded e odo qb qai de SOA ESSE eae eee eu de ed ede 33 clear Sas Aut entiation Preteens Beh deride cates SES Qe addu Su WAS bone ROS CE RU ERE 259 clear 288 groun Server Sd loroup rane sesers oboe o e koi e p AR angle Bow iced 291 clear aaa group server liap group pane arica A A NOB A AA Sd E UR 252 Clear Sas groun server radins Qroup rane duse ROUX CENA E aer RS e dod Se RA AA A di 293 clear ip dhep binding ip 1 dauadadasgdcdddaSIAAaR2y AME d ar ed du d Rad gracdututd beue dd 4 55 clear logging debug DUES 4 2 66d banca eee are QU o Re we Relea Se ilie eril ace poe me RN dol eom d Gio a Glest legging System 1log tier weiss 6466 CREED Re due REE EERE SHES OS ee 318 Clear report Dreterrfsce Semel Asse wba Gera A eC LEN ob Rp ROM Se Seater OR Red aU oda e CR qo 323 clock date vir mudd Ce BS SOS ada ARAS A AS AA dog 282 dog Ttime DAMM SS iia A A AAA A AAA de AE e RR De eee ae AAA RN LA AAA 282 GhN Sgeur kespalive interval ELO 90 gt estaca a AA 296 enm agent pesrigdic anform interval lt 10 86400 gt cesaron RRA A DRE aA REDS 296 5nm agemt Server type vantage SEUSS qose o Us dee eoi cR RARA en eed ale Re a a aim 291 pud sO08mHb Errsges xmbPoeuh lanitervel aria AA a de xg boi ce dE wee eae Ru s 296 REALES Ames RA A See Shad deed dpe epp abies oda Sede qoi c e dera duds sea de mox its spe
78. ...ICMP traffic going to the ZyWALL, to discard or reject ICMP packets destined for the ZyWALL. Configure the ICMP filter to help keep the ZyWALL hidden from probing attempts. You can specify whether or not the ZyWALL is to respond to probing for unused ports. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 177 Command Summary: ICMP Filter
COMMAND / DESCRIPTION
[no] ip icmp-filter activate / Turns the ICMP filter on or off.
ip icmp-filter rule {<1..32> | append | insert <1..32>} access-group {ALL | ADDRESS_OBJECT} zone {ALL | ZONE_OBJECT} icmp-type {ALL | echo-reply | destination-unreachable | source-quench | redirect | echo-request | router-advertisement | router-solicitation | time-exceeded | parameter-problem | timestamp-request | timestamp-reply | address-mask-request | address-mask-reply} action {accept | deny} / Sets an ICMP filter rule. ADDRESS_OBJECT: the name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive. ZONE_OBJECT: the name of the zone. You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.
no ip icmp-filter rule <1..64> / Deletes an ICMP filter rule.
ip icmp-filter rule move <1..6
81. Commands for Other Applications. This table lists the commands for rules in other applications.
Table 88 app Commands: Rules in Other Applications
COMMAND / DESCRIPTION
app other insert <rule_number> / Creates a new rule at the specified row and enters sub-command mode.
app other append / Creates a new rule, appends it to the end of the list and enters sub-command mode.
app other <1..64> / Enters sub-command mode for editing the rule at the specified row.
app other default / Enters sub-command mode for editing the default rule, for traffic of an unidentified application.
app other move <rule_number> to <rule_number> / Moves the specified rule (first index) to the specified location. The process is: (1) remove the specified rule from the table, (2) re-number, (3) insert the rule at the specified location.
no app other <rule_number> / Deletes the specified rule.
Chapter 20 Application Patrol
20.2.5.1 Other Rule Sub-commands
The following table describes the sub-commands for several application patrol other rule commands. Note that not all rule commands use all the sub-commands listed here.
Table 89 app patrol other rule Sub-commands
COMMAND / DESCRIPTION
[no] activate / Turns on this rule. The no command turns off this rule.
[no] port <0..65535> / Specifies the destination port (0 means any).
[no] schedule profil
83. Content Filtering
Table 113 content-filter Filtering Profile Commands Summary (continued)
COMMAND / DESCRIPTION
[no] content-filter profile <filtering_profile> url url-server / Sets a content filtering profile to use the external web filtering service. The no command has the profile not use the external web filtering service.
[no] content-filter service-timeout <service_timeout> / Sets how many seconds the ZyWALL is to wait for a response from the external content filtering server. The no command clears the setting.
[no] content-filter profile <filtering_profile> commtouch-url category <category_name> / Sets a CommTouch content filtering profile to check for specific web site categories. The no command has the profile not check for the specified categories.
content-filter profile <filtering_profile> commtouch-url match-unsafe {block | log | pass} / Sets the action for attempted access to web pages that match the CommTouch profile's selected unsafe categories: block access, log access, or allow access.
content-filter profile <filtering_profile> commtouch-url match {block | log | warn | pass} / Sets the action for attempted access to web pages that match the CommTouch profile's selected managed categories: block access, allow and log access, display a warning message before allowing access, or allow access.
content-filter profile <filtering_profile> commtouch-url offline {block | log | warn | pass} / Set
84. ...Dest: 192.168.30.255:138 Protocol: 17 Feature Info: Matched Firewall Rule 3
4 Tracking ID: 4 Feature: Firewall type: IPTables Action: Drop Pkt Info: Src: 172.23.6.248:0 Dest: 192.168.50.112:0 Protocol: 1 Feature Info: Matched Firewall Rule 3
Chapter 45 Packet Flow Filter
This example activates the packet flow ring buffer feature.
Router# configure terminal
Router(config)# packet-flow ring-buffer activate
Router(config)# exit
Router#
Maintenance Tools
Use the maintenance tool commands to check the conditions of other devices through the ZyWALL. The maintenance tools can help you to troubleshoot network problems. Here are maintenance tool commands that you can use in privilege mode.
Table 204 Maintenance Tools Commands in Privilege Mode
COMMAND / DESCRIPTION
packet-trace [interface <interface_name>] [{ip-proto | ipv6-proto} {<protocol_name> | any}] [src-host {<ip> | <hostname> | any}] [dst-host {<ip> | <hostname> | any}] [port {<1..65535> | any}] [file] [duration <1..3600>] [filter-extension <extension_filter>] / Sniffs traffic going through the specified interface with the specified protocol, source address, destination address and/or port number. If you specify file, the ZyWALL dumps the traffic to packet_trace/packet_trace_interface. Use FTP to retrieve the files (see Section 39.6 on pa
86. ..."Endpoint Security checking failed. Please contact your network administrator for help." The no command removes the setting.
show eps failure-messages / Displays the message to display when a user's computer fails the endpoint security check.
[no] eps profile <profile_name> / Enters the sub-command mode. The no command removes an endpoint security object.
[no] {anti-virus | personal-firewall} activate / If you set windows as the operating system (using the os type command), you can set whether or not the user's computer is required to have anti-virus or personal firewall software installed.
[no] anti-virus <anti_virus_software_name> detect-auto-protection {enable | disable | ignore} / Sets a permitted anti-virus software package. If you want to enter multiple anti-virus software packages, use this command for each of them. Use the list signature anti-virus command to view the available anti-virus software package options. detect-auto-protection: set this to enable if the specified anti-virus software is not only detectable for the installation but also detectable for the activation status. You can check the settings for each anti-virus software by using the show eps signature anti-virus command. The user's computer must have one of the listed anti-virus software packages to pass this checking item. For some anti-virus software the ZyWALL can also detect whether or not the anti-virus software is activated.
88. ...IPv6 router advertisements that tells hosts to use the administered (stateful) protocol to obtain autoconfiguration information other than addresses.
nd ra mtu {<1280..1500> | 0} / Sets the Maximum Transmission Unit (MTU) size of IPv6 packets sent on the interface.
nd ra hop-limit <0..255> / Sets the maximum number of hops for router advertisements and all IPv6 packets originating from the interface.
nd ra router-preference {low | medium | high} / Sets the Default Router Preference (DRP) extension metric (low, medium or high) in the interface's IPv6 neighbor discovery router advertisement messages.
nd ra prefix-advertisement <ipv6_addr_prefix> [auto {on | off}] [link {on | off}] [preferred-time {<0..4294967294> | infinity}] [valid-time {<0..4294967294> | infinity}] / Sets the IPv6 prefix that the ZyWALL advertises to its clients, whether or not to advertise it, and how long before the prefix's preference and lifetime expire.
nd ra min-rtr-interval <3..1350> / Sets the minimum IPv6 router advertisement transmission interval.
nd ra max-rtr-interval <4..1800> / Sets the maximum IPv6 router advertisement transmission interval.
nd ra reachable-time <0..3600000> / Sets the amount of time a remote IPv6 node is considered reachable after a reachability confirmation event.
nd ra default-lifetime <4..9000> / Sets the router lifetime value that is included in all IPv6 router advertisem
89. ...
Router(config)# dhcp6-lease-object test1 address-pool 2004::10 2004::40
Router(config)# show dhcp6-lease-object
DHCP6 Lease Object: test1
Object Type: address-pool
Object Value: 2004::10
Ext Object Value: 2004::40
Bind Iface:
REFERENCE: 0
Chapter 36 DHCPv6 Objects
This example creates and displays a DHCPv6 prefix delegation lease object named pfx for IPv6 address prefix 2005::/64 and DUID 00:01:02:03:04:05:06:07, then renames it to pd.
Router(config)# dhcp6-lease-object pfx prefix-delegation 2005::/64 duid 00:01:02:03:04:05:06:07
Router(config)# show dhcp6-lease-object pfx
DHCP6 Lease Object: pfx
Object Type: prefix-delegation
Object Value: 2005::/64
DUID: 00:01:02:03:04:05:06:07
Bind Iface:
REFERENCE: 0
Router(config)# dhcp6-lease-object rename pfx pd
Router(config)# show dhcp6-lease-object pd
DHCP6 Lease Object: pd
Object Type: prefix-delegation
Object Value: 2005::/64
DUID: 00:01:02:03:04:05:06:07
Bind Iface:
REFERENCE: 0
This example deletes the test1 DHCPv6 lease object.
Router(config)# no dhcp6-lease-object test1
This example creates a DHCPv6 prefix delegation request object named pfx and displays its settings.
Router(config)# dhcp6-request-object pfx prefix-delegation
Router(config)# show dhcp6-request-object
DHCP6 Request Object: pfx
Object Type: prefix-delegation
Object Value: 2089::3/48
Bind Iface
91. ...OSPF routing protocols for the ZyWALL.
9.1 Routing Protocol Overview
Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL then stores this routing information in the routing table, which it uses when it makes routing decisions. In turn, the ZyWALL can also provide routing information via routing protocols to other routers. The ZyWALL supports two standards, RIP and OSPF, for routing protocols. RIP and OSPF are compared in Table 47 on page 107 and they are discussed further in the next two sections.
Table 47 OSPF vs RIP
              OSPF                                                              RIP
Network Size  Large                                                             Small (with up to 15 routers)
Metric        Bandwidth, hop count, throughput, round trip time and reliability  Hop count
Convergence   Fast                                                              Slow
9.2 Routing Protocol Commands Summary
The following table describes the values required for many routing protocol commands. Other values are discussed with the corresponding commands.
Table 48 Input Values for Routing Protocol Commands
LABEL / DESCRIPTION
ip / The 32-bit name of the area or virtual link, in IP address format.
authkey / The password for text or MD5 authentication. You may use alphanumeric characters or underscores. Text password: 1-8 characters long. MD5 password: 1-16 characters long.
The following sections list the routing protocol commands.
Chapter 9 Routing Protocol
9.2.1 RIP Commands
95. ...The no command clears the connection ID. connection_id: you can use up to 31 alphanumeric characters, underscores (_), dashes (-) and colons (:).
33.1.2 Cellular Account Commands
The following table lists the cellular ISP account commands.
Table 158 Cellular Account Commands
COMMAND / DESCRIPTION
show account cellular <profile_name> / Displays information about the specified account.
[no] account cellular <profile_name> / Creates a new cellular ISP account with name profile_name if necessary and enters sub-command mode. The no command deletes the specified ISP account. profile_name: the cellular ISP account name; the format is cellularx where x is a number, for example cellular1.
[no] apn <access_point_name> / Sets the Access Point Name (APN) for the cellular ISP account. The no command clears the APN. access_point_name: use up to 63 alphanumeric characters and underscores (_), dashes (-), periods (.) and $.
[no] dial-string <isp_dial_string> / Sets the dial string for the specified ISP account. The no command clears the dial string. isp_dial_string: use up to 63 alphanumeric characters and underscores (_), dashes (-), periods (.) and $.
[no] user <username> / Sets the username for the specified ISP account. The no command clears the username. username: use up to 64 alphanumeric characters and underscores, dashes, periods and
[no] password <password> / Sets the password for the specif
96. This name cannot be one of the following: ethernet, ppp, vlan, bridge, virtual, wlan, cellular, aux, tunnel, status, summary, all. This name cannot begin with one of the following either: ge, ppp, vlan, wlan, br, cellular, aux, tunnel.
interface-rename <old_user_defined_name> <new_user_defined_name> / Modifies the user-defined name of a PPP or an Ethernet interface.
Chapter 6 Interfaces
6.2.1.1 Basic Interface Properties Command Examples
The following commands make Ethernet interface ge1 a DHCP client.
Router# configure terminal
Router(config)# interface ge1
Router(config-if)# ip address dhcp
Router(config-if)# exit
This example shows how to modify the name of interface ge4 to VIP. First you have to check the interface system name (ge4 in this example) on the ZyWALL. Then change the name and display the result.
Router# show interface-name
No. System Name  User Defined Name
1   ge1          ge1
2   ge2          ge2
3   ge3          ge3
4   ge4          ge4
5   ge5          ge5
Router> configure terminal
Router(config)# interface-name ge4 VIP
Router(config)# show interface-name
No. System Name  User Defined Name
This example shows how to change the user-defined name from VIP to Partner. Note that you have to use the interface-rename command if you do not know the system name of the interface. To use the
97. ...WLAN AP interface 2 for slot 1 to use SSID WLAN-test, WPA security mode with a pre-shared key of 12345678, IP address 1.1.1.1, netmask 255.255.255.0 and a gateway IP address of 1.2.3.4 with a priority of 10.
Router(config)# interface wlan-1-2
Router(config-if-wlan)# ssid WLAN-test
Router(config-if-wlan)# security wpa tkip psk key 12345678
Router(config-if-wlan)# security mode wpa
Router(config-if-wlan)# ip address 1.1.1.1 255.255.255.0
Router(config-if-wlan)# ip gateway 1.2.3.4 metric 10
Router(config-if-wlan)# exit
6.9.3 WLAN MAC Filter Commands
Use these commands to give specific wireless clients exclusive access to the ZyWALL (allow association) or block specific devices from accessing the ZyWALL (deny association), based on the devices' MAC addresses.
Table 34 WLAN General Commands
COMMAND / DESCRIPTION
[no] wlan-mac-filter <mac_address> [description <description>] / Specifies the MAC address (in XX:XX:XX:XX:XX:XX format) of the wireless station that is to be allowed or denied access to the ZyWALL. The no command removes the entry. description: you can use alphanumeric and _ characters, and it can be up to 60 characters long.
[no] wlan-mac-filter activate / Turns the MAC address filter on or off.
Chapter 6 Interfaces
Table 34 WLAN General Commands (continued)
COMMAND / DESCRIPTION
You can use alphanumeric characters, the hyphen, and the underscore.

Table 155 Certificates Commands Input Values (continued)
organization
    Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen, and the underscore.
country
    Identify the nation where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen, and the underscore.
key_length
    Type a number to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space.
password
    When you have the ZyWALL enroll for a certificate immediately online, the certification authority may want you to include a key (password) to identify your certification request. Use up to 31 of the following characters: a-zA-Z0-9 and punctuation characters.
ca_name
    When you have the ZyWALL enroll for a certificate immediately online, you must have the certification authority's certificate already imported as a trusted certificate. Specify the name of the certification authority's certificate. It can be up to 31 characters long and may contain alphanumeric, & and _ characters.
url
    When you have the ZyWALL enroll for a certificate immediately online
ZyWALL assigns to the remote users (L2TP_POOL in this example). Set the next-hop to be the Default_L2TP_VPN_Connection tunnel. Enable the policy route.

Router(config)# policy 3
Router(policy-route)# source LAN_SUBNET
Router(policy-route)# destination L2TP_POOL
Router(policy-route)# service any
Router(policy-route)# next-hop tunnel Default_L2TP_VPN_Connection
Router(policy-route)# no deactivate
Router(policy-route)# exit
Router(config)# show policy-route 3
index: 3
  active: yes
  description: WIZ_VPN
  user: any
  schedule: none
  interface: ge1
  tunnel: none
  sslvpn: none
  source: PC_SUBNET
  destination: L2TP_POOL
  service: any
  nexthop type: Tunnel
  nexthop: Default_L2TP_VPN_Connection
  bandwidth: 0
  bandwidth priority: 0
  maximize bandwidth usage: no
  SNAT: none
  amount of port trigger: 0

Application Patrol

This chapter describes how to set up application patrol for the ZyWALL.

20.1 Application Patrol Overview

Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP), and streaming (RTSP) applications. You can even control the use of a particular application's individual features (like text messaging, voice, video conferencing, and file transfers). Application patrol also has powerful bandw
ZyWALL to be a master ZyWALL for active-passive mode device HA. There is a management IP address of 192.168.1.3 on lan1. wan1 and lan1 are monitored. The synchronization password is set to mySyncPassword.

Router(config)# device-ha ap-mode lan1 manage-ip 192.168.1.3 255.255.255.0
Router(config)# device-ha ap-mode role master
Router(config)# device-ha ap-mode master sync authentication password mySyncPassword
Router(config)# device-ha ap-mode wan1 activate
Router(config)# device-ha ap-mode lan1 activate
Router(config)# device-ha activate

25.5 Legacy Mode (VRRP) Device HA

This section covers device HA using VRRP, VRRP groups, and synchronization.

Virtual Router Redundancy Protocol (VRRP) Overview

Every computer on a network may send packets to a default gateway, which can become a single point of failure. Virtual Router Redundancy Protocol (VRRP) allows you to create redundant backup gateways to ensure that the default gateway is always available. The ZyWALL uses a custom VRRP implementation and is not compatible with standard VRRP.

VRRP Group Overview

In the ZyWALL, you should create a VRRP group to add one of its interfaces to a virtual router. You can add any Ethernet interface, VLAN interface, or virtual interface (created on top of Ethernet interfaces or VLAN interfaces) with a static IP address. You can only enable one VRRP group for each interface, and you can only have one active VRRP group for ea
access. The no command resets the password for read-only (ro) or read-write (rw) access to the default.
[no] snmp-server contact <description>
    Sets the contact information (of up to 60 characters) for the person in charge of the ZyWALL. The no command removes the contact information for the person in charge of the ZyWALL.
[no] snmp-server enable {informs|traps}
    Enables all SNMP notifications (informs or traps). The no command disables all SNMP notifications (informs or traps).
[no] snmp-server host {w.x.y.z} [community_string]
    Sets the IPv4 or IPv6 address of the host that receives the SNMP notifications. The no command removes the host that receives the SNMP notifications.
[no] snmp-server location <description>
    Sets the geographic location (of up to 60 characters) for the ZyWALL. The no command removes the geographic location for the ZyWALL.
[no] snmp-server port <1..65535>
    Sets the SNMP service port number. The no command resets the SNMP service port number to the factory default (161).
snmp-server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}
    Sets a service control rule for SNMP service.
    address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
    zone_object: The name of the zone. For the ZyWALL US
access, allow and log access, display a warning message before allowing access, or allow access.
content-filter profile <filtering_profile> url offline {block|log|warn|pass}
    Sets the action for attempted access to web pages if the external content filtering database is unavailable. Block access, allow and log access, display a warning message before allowing access, or allow access.
content-filter profile <filtering_profile> url unrate {block|log|warn|pass}
    Sets the action for attempted access to web pages that the external web filtering service has not categorized. Block access, allow and log access, display a warning message before allowing access, or allow access.
no content-filter profile <filtering_profile> url match unsafe log
    Has the ZyWALL not log attempted access to web pages that match the profile's selected unsafe categories.
no content-filter profile <filtering_profile> url match log
    Has the ZyWALL not log attempted access to web pages that match the profile's selected managed categories.
no content-filter profile <filtering_profile> url offline log
    Has the ZyWALL not log access to web pages if the external content filtering database is unavailable.
no content-filter profile <filtering_profile> url unrate log
    Has the ZyWALL not log access to web pages that the external web filtering service has not categorized.
access only web pages or files in this directory. For example, if you enter remote in this field, remote users can only access web pages or files in the remote directory. If a link contains a file that is not within this domain, then SSL VPN users cannot access it.
no server-type
    Remove the type of service configuration for this SSL application.
[no] webpage-encrypt
    Turn on web encrypt to prevent users from saving the web content.

34.1.2 SSL Application Command Examples

The following commands create and display a server-type SSL application object named ZW5 for a web server at IP address 192.168.1.12.

Router(config)# sslvpn application ZW5
Router(sslvpn application)# server-type web-server url http://192.168.1.12
Router(sslvpn application)# exit
Router(config)# show sslvpn application
SSL Application: ZW5
  Server Type: web-server
  URL: http://192.168.1.12
  Entry Point:
  Encrypted URL: aHR0cDovLzE5Mi4xNjguMS4xMi8=
  Web Page Encryption: yes
  Reference: 1

Endpoint Security

This chapter describes how to configure endpoint security objects for use in authentication policy and SSL VPN.

35.1 Endpoint Security Overview

Use Endpoint Security (EPS), also known as endpoint control, to make sure users' computers comply with defined corporate policies before they can acce
[no] area <IP> virtual-link <IP> authentication message-digest
    Enables MD5 authentication in the specified virtual link. The no command disables authentication in the specified virtual link.
[no] area <IP> virtual-link <IP> authentication authentication-key <authkey>
    Sets the password for text authentication in the specified virtual link. The no command clears the password in the specified virtual link.
[no] area <IP> virtual-link <IP> authentication message-digest-key <1..255> md5 <authkey>
    Sets the MD5 ID and password for MD5 authentication in the specified virtual link. The no command clears the MD5 ID and password in the specified virtual link.
[no] area <IP> virtual-link <IP> authentication same-as-area
    Sets the virtual link's authentication method to the area's default authentication.
[no] area <IP> virtual-link <IP> authentication-key <authkey>
    Sets the password for text authentication in the specified virtual link. The no command clears the password.
area <IP> virtual-link <IP> message-digest-key <1..255> md5 <authkey>
    Sets the MD5 ID and password for MD5 authentication in the specified virtual link.
no area <IP> virtual-link <IP> message-digest-key <1..255>
    Clears the MD5 ID in the specified virtual link.

9.2.5 Learned Routing Information Commands

This table lists the commands to look at learned routing information.
{mon|tue|wed|thu|fri|sat} <0..23>
    automatic signature download once a week at the time and day specified.
show idp {signature|system-protect} update
    Displays signature update schedule.
show idp {signature|system-protect} update status
    Displays signature update status.
show idp {signature|system-protect} signatures
    Displays signature information (version, date, number).

22.5.1 Update Signature Examples

These examples show how to enable/disable automatic IDP downloading, schedule updates, display the schedule, display the update status, show the new updated signature version number, show the total number of signatures, and show the date/time the signatures were created.

Router# configure terminal
Router(config)# idp update auto
Router(config)# no idp update auto
Router(config)# idp update hourly
Router(config)# idp update daily 10
Router(config)# idp update weekly fri 13
Router(config)# show idp update schedule
auto: yes
weekly at Friday 13 o'clock
Router(config)# show idp signature signatures
version: 1.2000 signatures: 2000 date: 2005/11/13 13:56:03
Router(config)# idp signature update signatures
IDP signature update in progress. Please check system log for future information
Router(config)# show idp signature update status
current status: IDP signature download failed, do 1 retry at
be able to use the commands that configure settings.

Table 163 DHCPv6 Object Commands
show ipv6 dhcp6 binding
    Displays the server-side IPv6 DUID binding (lease).
show dhcp6 interface
    Displays all DHCPv6 server, client and relay interfaces.
show dhcp6 lease-object [dhcp6_profile]
    Displays the specified DHCPv6 lease object or all of them.
show dhcp6 object binding <interface_name>
    Displays the DHCPv6 object bound to the specified interface.
show dhcp6 request-object [dhcp6_profile]
    Displays the specified DHCPv6 request object or all of them.
dhcp6 lease-object <dhcp6_profile> address <ipv6_addr> duid <duid>
    Creates or edits the specified DHCP lease object with the specified IPv6 address and DHCP Unique IDentifier (DUID).
dhcp6 lease-object <dhcp6_profile> prefix-delegation <ipv6_addr_prefix> duid <duid>
    Creates or edits the specified prefix delegation DHCP lease object with the specified IPv6 address prefix and DUID.
dhcp6 lease-object <dhcp6_profile> address-pool <ipv6_addr> <ipv6_addr>
    Creates or edits the specified DHCP lease object address pool with the specified IPv6 address range.

Table 163 DHCPv6 Object Commands (continued)
dhcp6 lease-object <dhcp6_profile> {sip-server|ntp-server|dns-server} <ipv6_addr>
    Creates or edits
be displayed. This is not necessary for single-core products. For multi-core products, the number ranges from 1 to the model's limit.

The following table lists the commands that you can use to have the ZyWALL display how the firewall and policy routes handle certain traffic. Use the configure terminal command to be able to use the commands that configure settings.

Table 203 Packet Flow Filter Commands
packet-flow-filter <pf_filter_num_range>
    Enters sub-command mode for configuring the specified packet flow filter.
[no] enable
    Enables or disables the packet flow filter you are configuring.
[no] source {any|ipv4}
    Sets the source address to any address or a specific IPv4 address.
[no] destination {any|ipv4}
    Sets the destination address to any address or a specific IPv4 address.
[no] host {any|ipv4}
    Sets the source address to any address or a specific IPv4 address.
[no] protocol {any|<1..255>}
    Sets the filter to work on any protocol's traffic or a specific one.
[no] src-port {any|<1..65535>}
    Sets the source port to any port or a specific port number.
[no] dst-port {any|<1..65535>}
    Sets the destination port to any port or a specific port number.

Table 203 Packet Flow Filter Commands (continued)
exit
    Leaves the sub-co
be equal to (eq), greater than (gt), less than (lt), greater than or equal to (ge), less than or equal to (le), or not equal to (neq) the version of the file specified.
[no] file-info file-path <file_path> {eq|gt|lt|ge|le|neq} file-size <1..1073741824> {eq|gt|lt|ge|le|neq} file-version <file_version>
    Sets whether the size and version of the file on the user's computer has to be equal to (eq), greater than (gt), less than (lt), greater than or equal to (ge), less than or equal to (le), or not equal to (neq) the size and version of the file specified.
os-type {windows|linux|mac-osx|others}
    Select the type of operating system the user's computer must be using. Use the windows-version command to configure the checking items according to the set operating system. If you set this to mac-osx, there are no other checking items. others allows access for computers not using Windows, Linux or Mac OSX operating systems. For example, you create Windows, Linux, and Mac OSX endpoint security objects to apply to your LAN users. An others policy allows access for LAN computers using Solaris, HP, Android or other operating systems.

Table 161 Endpoint Security Object Commands (continued)
windows-version {windows-2000|windows-xp|windows-2003|windows-2008|windows-vista|windows-7|windows-200
clears the IP address and the subnet mask.
[no] ip gateway <ip> [metric <0..15>]
    Adds the specified gateway for the interface. Sets the priority (relative to every gateway on every interface) for the specified gateway. The lower the number, the higher the priority. The no command removes the gateway.

Table 33 WLAN Interface Commands (continued)
[no] mtu <576..2304>
    Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The ZyWALL divides larger packets into smaller fragments. The no command resets the MTU to 1500.
reauth <30..30000>
    Sets the WPA2 reauthentication timer. This is at what interval wireless stations have to resend usernames and passwords in order to stay connected. If a RADIUS server authenticates wireless stations, the reauthentication timer on the RADIUS server has priority.
security mode {none|wep|wpa|wpa-wpa2|wpa2}
    Sets what type of security the wireless interface uses. none applies no security. wep: WEP security (extremely weak). wpa: WPA security. wpa-wpa2: WPA/WPA2 Enterprise or WPA/WPA2-PSK security. wpa2: WPA2 security (strongest option).
security wep {64|128} default-key <1..4>
    Sets WEP encryption to use a 64 or 128 bit key and selects the default key.
security wep mode {open|share}
command mode to add a firewall rule. Set the direction of travel of packets to which the rule applies. Set the destination IP address(es). Set the service to which this rule applies. Set the action the ZyWALL is to take on packets which match this rule.

Router# configure terminal
Router(config)# service-object MyService tcp eq 1234
Router(config)# address-object Dest_1 10.0.0.10-10.0.0.15
Router(config)# firewall insert 3
Router(firewall)# from WAN
Router(firewall)# to LAN
Router(firewall)# destinationip Dest_1
Router(firewall)# service MyService
Router(firewall)# action allow
Router(firewall)#

The following command displays the default IPv4 firewall rule that applies to the WAN to ZyWALL packet direction. The firewall rule number is in the rule's priority number in the global rule list.

Router(config)# show firewall WAN ZyWALL
firewall rule: 13
  description:
  user: any
  schedule: none
  from: WAN
  to: ZyWALL
  source IP: any
  source port: any
  destination IP: any
  service: Default_Allow_WAN_To_ZyWALL
  log: no
  action: allow
  status: yes
  connection match: no

The following command displays the default IPv6 firewall rule that applies to the WAN to ZyWALL packet direction. The firewall rule number is in the rule's priority number in the global rule list.

Router(config)# show f
Router(config)# show anti-virus activation
anti-virus activation: yes
Router(config)# no anti-virus activate
Router(config)# show anti-virus activation
anti-virus activation: no
Router(config)#

21.2.2 Zone to Zone Anti-virus Rules

The following table describes the commands for configuring the zone-to-zone rules. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 93 Commands for Zone to Zone Anti-Virus Rules
anti-virus rule append
    Enters the anti-virus sub-command mode to add a direction-specific rule.
anti-virus rule insert <1..32>
    Enters the anti-virus sub-command mode to add a direction-specific rule.

Table 93 Commands for Zone to Zone Anti-Virus Rules (continued)
anti-virus rule <1..32>
    Enters the anti-virus sub-command mode to edit the specified direction-specific rule.
[no] activate
    Turns a direction-specific anti-virus rule on or off.
[no] log [alert]
    Sets the ZyWALL to create a log (and optionally an alert) when packets match this rule and are found to be virus-infected. The no command sets the ZyWALL not to create a log or alert when packets match this rule.
[no] from <zone_object>
    Sets the zone on which the packets are received. The no command removes the zone on which the packets are recei
custom signatures (rules).
packet_trace
    Packet trace results (download only).
script
    Shell scripts (.zysh).
tmp
    Temporary system maintenance files and crash dumps for technical support use (download only).

Note: After you log in through FTP, you do not need to change directories in order to upload the firmware.

39.2 Configuration Files and Shell Scripts Overview

You can store multiple configuration files and shell script files on the ZyWALL. When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. When you run a shell script, the ZyWALL only applies the commands that it contains. Other settings do not change.

You can edit configuration files or shell scripts in a text editor and upload them to the ZyWALL. Configuration files use a .conf extension and shell scripts use a .zysh extension. These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.

Figure 27 Configuration File / Shell Script Example
# enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
# configure ge3
interface ge3
ip address 172.23.37.240 255.255.255.0
ip gateway 172.23
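Because a .conf or .zysh file is just CLI commands one per line, it can be audited before upload. The following Python checker is an added example, not from the guide or from ZyXEL: it parses each interface wlan block of such a file and reports the security modes that Table 33 rates below WPA2 (WEP extremely weak, WPA2 strongest), plus a short or all-digit pre-shared key like the 12345678 in the WLAN example above. The sample file is constructed; the hyphenated names (wlan-1-2, default-key) and the token layout of the wpa2 key line are assumed, since the scanned text lost that punctuation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the .conf/.zysh form the guide describes: CLI commands,
# one per line, "#" comment lines. Hyphenated names and the wpa2 key line are
# assumed; this is not a device export.
SAMPLE_CONF = """\
# enter configuration mode
configure terminal
# WLAN AP interface 2 on slot 1, as in the chapter example
interface wlan-1-2
ssid WLAN-test
security mode wpa
security wpa tkip psk key 12345678
ip address 1.1.1.1 255.255.255.0
ip gateway 1.2.3.4 metric 10
exit
# a hardened interface (key line layout assumed)
interface wlan-1-3
ssid Corp-Wireless
security mode wpa2
security wpa2 aes psk key Tr0ub4dor-long-passphrase-2014
exit
# a legacy interface still on WEP
interface wlan-1-4
ssid Legacy
security mode wep
security wep 64 default-key 1
exit
"""

# Table 33's security modes, described as the guide describes them.
MODE_RATING = {
    "none": "no security",
    "wep": "WEP, extremely weak",
    "wpa": "WPA only, not the strongest option",
    "wpa-wpa2": "mixed mode, still accepts WPA clients",
    "wpa2": "WPA2, strongest option",
}
MIN_PSK_LEN = 12  # audit threshold chosen here, not a guide requirement


@dataclass
class WlanBlock:
    name: str
    line: int
    ssid: str = ""
    mode: str = ""
    psk: str = ""


def parse_wlan_blocks(conf: str) -> list[WlanBlock]:
    """Return one WlanBlock per 'interface wlan-...' ... 'exit' block."""
    blocks: list[WlanBlock] = []
    cur = None
    for no, raw in enumerate(conf.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        tok = line.split()
        if tok[0] == "interface" and len(tok) > 1 and tok[1].startswith("wlan"):
            cur = WlanBlock(name=tok[1], line=no)
            blocks.append(cur)
        elif cur is None:
            continue  # command outside any WLAN block
        elif line == "exit":
            cur = None
        elif tok[0] == "ssid" and len(tok) > 1:
            cur.ssid = tok[1]
        elif tok[:2] == ["security", "mode"] and len(tok) > 2:
            cur.mode = tok[2]
        else:
            m = re.search(r"\bpsk key (\S+)", line)
            if m:
                cur.psk = m.group(1)
    return blocks


def audit(conf: str) -> list[str]:
    """Findings as 'interface: problem' strings, one per weak setting."""
    findings: list[str] = []
    for b in parse_wlan_blocks(conf):
        if b.mode != "wpa2":
            rating = MODE_RATING.get(b.mode, "unknown mode")
            findings.append(
                f"{b.name}: security mode {b.mode or '<unset>'} ({rating}); "
                "use 'security mode wpa2'"
            )
        if b.psk and (b.psk.isdigit() or len(b.psk) < MIN_PSK_LEN):
            findings.append(
                f"{b.name}: pre-shared key is short or all-digit; use a longer passphrase"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```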
123. deactivate: Turns off traffic priority settings for when the interface sends the specified type of traffic.
exit: Leaves the sub-command mode.
show interface tunnel <iface>: Displays the specified tunnel's settings.
show interface tunnel status: Displays the status of the tunnel interfaces.

Chapter 6 Interfaces

6.7.1 Tunnel Interface Command Examples

This example creates a tunnel interface called tunnel0 that uses wan1 as the source, 168.168.168.168 as the destination, and 10.0.0.100 / 255.255.0.0 as the inner source IP.

Router# configure terminal
Router(config)# interface tunnel0
Router(config-if-tunnel)# tunnel source wan1
Router(config-if-tunnel)# tunnel destination 168.168.168.168
Router(config-if-tunnel)# ip address 10.0.0.100 255.255.0.0
Router(config-if-tunnel)# exit
Router(config)# show interface tunnel
tunnel interface: 1
  interface name: tunnel0
  local address: ge2 (type: bind)
  remote address: 168.168.168.168
  mode: gre
  IP address: 10.0.0.100
  netmask: 255.255.0.0
  status: Inactive
  active: no

6.8 USB Storage Specific Commands

Use these commands to configure settings that apply to the USB storage device connected to the ZyWALL.

Note: For a ZyWALL that supports more than one USB port, these commands only apply to the USB storage device that is first attached to the ZyWALL.

Table 30 USB
126. ...enter the IP address or URL of the certification authority server. You can use up to 511 of the following characters: a-zA-Z0-9_ ...

32.4 Certificates Commands Summary

The following table lists the commands that you can use to display and manage the ZyWALL's summary list of certificates and certification requests. You can also create certificates or certification requests. Use the configure terminal command to enter the configuration mode to be able to use these commands.

Table 156 ca Commands Summary

ca enroll cmp name <certificate_name> cn-type {ip cn <cn_address> | fqdn cn <cn_domain_name> | mail cn <cn_email>} ou <organizational_unit> o <organization> c <country> key-type {rsa | dsa} key-len <key_length> num <0..99999999> password <password> ca <ca_name> url <url>: Enrolls a certificate with a CA using Certificate Management Protocol (CMP). The certification authority may want you to include a reference number and key password to identify your certification request.

ca enroll scep name <certificate_name> cn-type {ip cn <cn_address> | fqdn cn <cn_domain_name> | mail cn <cn_email>} ou <organizational_unit> o <organization> c <country> key-type {rsa | dsa} key-len <key_length> password <password> ca <ca_name> url <url>: Enrolls a certificate with a CA using Simple Certificate Enrollment Protocol (SCEP). The certification authority may want you to include a key password to identify your certification request.

ca g
128. ...existing account, or create a new account and register the device at one time, and activate a trial service subscription.

Router# configure terminal
Router(config)# device-register username alexctsui password 123456
Router(config)# service-register service-type trial service content-filter

The following command displays the account information and whether the device is registered.

Router# configure terminal
Router(config)# show device-register status
username: example
password: 123456
device register status: yes
expiration self check: no

Chapter 5 Registration

The following command displays the service registration status and type, and how many days remain before the service expires.

Router# configure terminal
Router(config)# show service-register status all
Service         Status        Type      Count  Expiration
IDP Signature   Licensed      Standard  N/A    176
Anti-Virus      Not Licensed  None      N/A    0
SSLVPN          Not Licensed  None      5      N/A
Content Filter  Not Licensed  None      N/A    0

The following command displays the seller details you have entered on the ZyWALL.

Router# configure terminal
Router(config)# show service-register reseller-info
seller's name: ABC
seller's e-mail: abc@example.com
seller's contact number: 12345678
vat number:

5.3 Country Code

The following table displays the number for each country.

Table 10 Country Codes
129. ...figure terminal command to enter the configuration mode before you can use these commands.

Table 97 Commands for Anti-Virus Statistics

[no] anti-virus statistics collect: Turns the collection of anti-virus statistics on or off.
anti-virus statistics flush: Clears the collected statistics.
show anti-virus statistics summary: Displays the collected statistics.
show anti-virus statistics collect: Displays whether the collection of anti-virus statistics is turned on or off.
show anti-virus statistics ranking {destination | source | virus-name}: Queries and sorts the anti-virus statistics entries by destination IP address, source IP address or virus name. virus-name lists the most common viruses detected; source lists the source IP addresses of the most virus-infected files; destination lists the most common destination IP addresses for virus-infected files.

Chapter 21 Anti-Virus

21.4.1 Anti-Virus Statistics Example

This example shows how to collect and display anti-virus statistics. It also shows how to sort the display by the most common destination IP addresses.

Router(config)# anti-virus statistics collect
Router(config)# show anti-virus statistics collect
collect statistics: yes
Router(config)# show anti-virus statistics summary
file scanned: 0
virus detected: 0
Router(config)# show anti-virus statistics ranking destinat
130. ...from an NTP time server.
show clock date: Displays the current date of your ZyWALL.
show clock status: Displays your time zone and daylight saving settings.
show clock time: Displays the current time of your ZyWALL.
show ntp server: Displays time server settings.

37.5 Console Port Speed

This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program.

The following table describes the console port commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 167 Command Summary: Console Port Speed

[no] console baud <baud_rate>: Sets the speed of the console port. The no command resets the console port speed to the default (115200). baud_rate: 9600, 19200, 38400, 57600 or 115200.
show console: Displays the console port speed.

Chapter 37 System

37.6 DNS Overview

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it you must know the IP address of a machine before you can access it.

37.6.1 Domain Zone Forwarder

A domain zone forwarder contains a DNS server's IP address. The ZyWALL can query the DNS server to resolve domain zones for features like VPN, DDNS and the time
131. firewall6 <zone_object> {<zone_object> | ZyWALL} insert <rule_number>: Enters the IPv6 firewall sub-command mode to add a direction-specific through-ZyWALL rule or to-ZyWALL rule before the specified rule number. See Table 67 on page 137 for the sub-commands.
firewall6 <zone_object> {<zone_object> | ZyWALL} move <rule_number> to <rule_number>: Moves a direction-specific IPv6 through-ZyWALL rule or to-ZyWALL rule to the number that you specified.
[no] firewall6 activate: Enables the IPv6 firewall on the ZyWALL. The no command disables the IPv6 firewall.
firewall6 append: Enters the IPv6 firewall sub-command mode to add a global firewall rule to the end of the global rule list. See Table 67 on page 137 for the sub-commands.
firewall6 default-rule action {allow | deny | reject} {no log | log [alert]}: Sets how the IPv6 firewall handles packets that do not match any other firewall rule.
firewall6 delete <rule_number>: Removes an IPv6 firewall rule.
firewall6 flush: Removes all IPv6 firewall rules.
firewall6 insert <rule_number>: Enters the IPv6 firewall sub-command mode to add a firewall rule before the specified rule number. See Table 67 on page 137 for the sub-commands.
firewall6 move <rule_number> to <rule_number>: Moves an IPv6 firewall rule to the number that you specified.
show connlimit6 max-per-host: Displays the highest number of IPv6 sessions that the ZyWALL will permit a host to have at one time.
show firewall6: Displays all IPv6 firewall settings.
show firewall6 <rule_number>: Disp
132. ...interface <interface_name>: Sets the OSPF direction of the specified interface to in-only. The no command makes OSPF bi-directional in the specified interface.
interface <interface_name>: Enters sub-command mode.
[no] ip ospf priority <0..255>: Sets the priority of the specified interface to the specified value. The no command sets the priority to 1.
[no] ip ospf cost <1..65535>: Sets the cost to route packets through the specified interface. The no command sets the cost to 10.
no ip ospf authentication: Disables authentication for OSPF in the specified interface.
ip ospf authentication: Enables text authentication for OSPF in the specified interface.
ip ospf authentication message-digest: Enables MD5 authentication for OSPF in the specified interface.
ip ospf authentication same-as-area: To exchange OSPF routing information with peer border routers, you must use the same authentication method that they use. This command makes OSPF authentication in the specified interface follow the settings in the corresponding area.
[no] ip ospf authentication-key <password>: Sets the simple text password for OSPF text authentication in the specified interface. The no command clears the text password. password: 1-8 alphanumeric characters or underscores.
ip ospf message-digest-key <1..255> md5 <password>: Sets the ID and password for OSPF MD5 authentication in the specified interface. password: 1-16 alpha
134. Router(config-if-vlan)# ip address 1.2.3.4 255.255.255.0
ip gateway 4.6.7.8
upstream 345
downstream 123
description I am vir interface
exit

6.5 PPPoE/PPTP Specific Commands

This section covers commands that are specific to PPPoE/PPTP interfaces. PPPoE/PPTP interfaces also use many of the general interface commands discussed at the beginning of Section 6.2 on page 57.

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 25 Input Values for PPPoE/PPTP Interface Commands

interface_name: PPPoE/PPTP interface: pppx, x = 0..N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.
profile_name: The name of the ISP account. You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.

This table lists the PPPoE/PPTP interface commands.

Table 26 interface Commands: PPPoE/PPTP Interfaces

interface dial <interface_name>: Connects the specified PPPoE/PPTP interface.
interface disconnect <interface_name>: Disconnects the specified PPPoE/PPTP interface.
interface <interface_name>: Creates the specified interface if necessary and enters sub-command mode.
[no] account <profile_name>: Specifies the ISP account for the specified PPPoE/PPTP interface. The no command clears the IS
135. ...lease settings to offer to DHCPv6 clients.
dhcp6 request-object <dhcp6_profile> interface <interface_name>: For a DHCPv6 client interface, specifies the profile of DHCPv6 request settings that determine what additional information to get from the DHCPv6 server.
no ipv6: Enters the sub-command mode for deleting the specified IPv6 address or removing its settings.
  enable: Turns off the IPv6 interface.
  address <ipv6_addr_prefix>: Removes the IPv6 interface's IPv6 prefix setting.
  gateway: Removes the IPv6 interface's gateway setting.
  nd ra accept: Sets the IPv6 interface to discard IPv6 neighbor discovery router advertisement messages.
  nd ra advertise: Has the IPv6 interface not send IPv6 neighbor discovery router advertisement messages.
  nd ra managed-config-flag: Turns off the flag in IPv6 router advertisements that tells hosts to use a managed (stateful) protocol for address autoconfiguration in addition to any addresses autoconfigured using stateless address autoconfiguration.
  nd ra other-config-flag: Turns off the "other stateful configuration" flag in IPv6 router advertisements that tells hosts to use an administered (stateful) protocol to obtain autoconfiguration information other than addresses.
  nd ra mtu: Removes the Maximum Transmission Unit (MTU) size setting for IPv6 packets the interface sends.

Chapter 6 Interfaces

Table 16 inte
136. ...lifestyle, sexuality/alternative lifestyles, restaurants/dining/food, sports/recreation/hobbies, travel, vehicles, humor/jokes, software downloads, pay to surf, peer-to-peer, streaming media/mp3s, proxy avoidance, for kids, web advertisements, web hosting, extreme, alcohol/tobacco, blogs/personal pages, web applications, suspicious, alternative sexuality/lifestyles (lgbt), non-viewable content, content servers, placeholders.

trust_hosts: The IP address or domain name of a trusted web site. Use a host name such as www.good-site.com. Do not use the complete URL of the site, that is, do not include "http://". All subdomains are allowed. For example, entering zyxel.com also allows www.zyxel.com, partner.zyxel.com, press.zyxel.com, etc. Use up to 63 case-insensitive characters (0-9a-z...).

You can enter a single IP address in dotted decimal notation like 192.168.2.5.

You can enter a subnet by entering an IP address in dotted decimal notation followed by a slash and the bit number of the subnet mask of an IP address. The range is 0 to 32. To find the bit number, convert the subnet mask to binary and add all of the 1's together. Take 255.255.255.0 for example: 255 converts to eight 1's in binary. There are three 255's, so add three eights together and you get the bit number 24. An example is 192.168.2.1/24.

You can enter an IP address range by entering the start and end IP addresses separated by a hyphen, for example 192.168.2.5-192.168.2
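As an added example (not ZyXEL's code), the following Python models the trust-hosts matching rules described above: a domain entry matches the name itself and every subdomain (but not a longer name that merely ends in the same letters), and an IPv4 entry may be a single address, a prefix written with the bit number derived from the mask, or a start-end range. The sample list is constructed for the demonstration, and allowing hyphens inside host names is an assumption.

```python
"""Trusted-host list matching, modelled on the ZyWALL content-filter
trust_hosts field (added example, not ZyXEL code)."""
import ipaddress
from typing import List, Tuple


def mask_to_bits(mask: str) -> int:
    """Dotted-decimal netmask -> prefix length, by counting the 1 bits of
    every octet, e.g. 255.255.255.0 -> 8 + 8 + 8 + 0 = 24."""
    bits = 0
    for octet in mask.split("."):
        value = int(octet)
        if not 0 <= value <= 255:
            raise ValueError(f"bad octet {octet!r} in mask {mask!r}")
        bits += bin(value).count("1")
    return bits


def parse_trust_entry(raw: str) -> Tuple:
    """Classify one trust_hosts entry into ('range', start, end),
    ('net', IPv4Network), ('ip', IPv4Address) or ('domain', name)."""
    entry = raw.strip().lower()          # entries are case-insensitive
    if "://" in entry or "/" in entry.split("/", 1)[-1]:
        raise ValueError(f"enter a host name, not a complete URL: {raw!r}")
    if not entry:
        raise ValueError("empty entry")
    numeric = entry.replace(".", "").replace("-", "").replace("/", "")
    if numeric.isdigit():
        if "-" in entry:                 # start-end range
            start, end = (ipaddress.IPv4Address(p) for p in entry.split("-", 1))
            if end < start:
                raise ValueError(f"range end before start: {raw!r}")
            return ("range", start, end)
        if "/" in entry:                 # address/bit-number, e.g. 192.168.2.1/24
            return ("net", ipaddress.IPv4Network(entry, strict=False))
        return ("ip", ipaddress.IPv4Address(entry))
    # Host name: up to 63 characters; hyphen support is an assumption here.
    if len(entry) > 63 or not all(c.isalnum() or c in ".-" for c in entry):
        raise ValueError(f"invalid host name: {raw!r}")
    return ("domain", entry)


def parse_trust_list(entries: List[str]) -> List[Tuple]:
    return [parse_trust_entry(e) for e in entries]


def host_is_trusted(host: str, trust_list: List[Tuple]) -> bool:
    """Return True when the requested host (name or IPv4 literal) is
    covered by any parsed trust_hosts entry."""
    host = host.strip().lower().rstrip(".")
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        addr = None
    for kind, *data in trust_list:
        if kind == "domain":
            name = data[0]
            # exact match or a subdomain; "notzyxel.com" must not match "zyxel.com"
            if host == name or host.endswith("." + name):
                return True
        elif addr is not None:
            if kind == "ip" and addr == data[0]:
                return True
            if kind == "net" and addr in data[0]:
                return True
            if kind == "range" and data[0] <= addr <= data[1]:
                return True
    return False


# Constructed sample list covering the four entry forms from the text.
TRUST_HOSTS = ["zyxel.com", "192.168.2.5", "192.168.2.1/24", "10.1.1.10-10.1.1.20"]
TRUST_LIST = parse_trust_list(TRUST_HOSTS)

if __name__ == "__main__":
    for probe in ["www.zyxel.com", "notzyxel.com", "192.168.2.77", "10.1.1.21"]:
        print(f"{probe:>16}: {'trusted' if host_is_trusted(probe, TRUST_LIST) else 'not trusted'}")
```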
137. ...list {trust | forbid}: Displays the common list of trusted or forbidden web sites.

23.7 Content Filter Filtering Profile Commands

The following table lists the commands that you can use to configure a content filtering policy. A content filtering policy defines which content filter profile should be applied, when it should be applied, and to whose web access it should be applied. Use the configure terminal command to enter the configuration mode to be able to use these commands. See Table 111 on page 200 for details about the values you can input with these commands.

Table 113 content-filter Filtering Profile Commands Summary

[no] content-filter license <license>: Sets the license key for the external web filtering service. The no command clears the setting.
[no] content-filter profile <filtering_profile>: Creates a content filtering profile. The no command removes the profile.
[no] content-filter profile <filtering_profile> custom: Sets a content filtering profile to use the profile's custom settings (lists of trusted web sites and forbidden web sites, and blocking of certain web features). The no command has the profile not use the custom settings.
[no] content-filter profile <filtering_profile> custom activex: Sets a content filtering profile to block ActiveX controls. The no command sets the profile to allow ActiveX.
[no] content-filter profile <filtering_profile> custom ...: Sets a content filteri
139. ...matches the rule. The no command does not create any log entries.
[no] outbound dscp-mark {<0..63> | class default}: This is how the ZyWALL handles the DSCP value of the outgoing packets from a connection's initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to class default to have the ZyWALL set the DSCP value to 0.
show: Displays the rule's configuration.

20.2.6 General Commands for Application Patrol

Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it. See Chapter 5 on page 45.

Chapter 20 Application Patrol

This table lists the general commands for application patrol.

Table 90 app Commands: Pre-Defined Applications

[no] app activate: Turns on application patrol. The no command turns off application patrol.
[no] app highest-sip-bandwidth-priority: Turns the option to maximize the throughput of SIP traffic on or off.
[no] app <protocol_name> bandwidth-graph: Sets the specified protocol to display on the bandwidth statistics graph. The no command has it not display on the bandwidth statistics graph.
[no] app other <protocol_name> bandwidth-graph: Sets traffic for unidentified applications to display on the bandwidth statistics graph. The no command has it not display on the bandwidth statistics graph.
140. ...may have to close the console window and open it again. If you enter the password correctly, the console screen appears.

Figure 7 Web Console (screenshot of the console at 172.23.19.244)

7 To use most commands in this User's Guide, enter configure terminal. The prompt should change to Router(config)#.

Chapter 1 Command Line Interface

1.2.3 Telnet

Use the following steps to Telnet into your ZyWALL.

1 If your computer is connected to the ZyWALL over the Internet, skip to the next step. Make sure your computer IP address and the ZyWALL IP address are on the same subnet.
2 In Windows, click Start (usually in the bottom left corner) and Run. Then type telnet and the ZyWALL's IP address. For example, enter telnet 192.168.1.1 (the default management IP address).
3 Click OK. A login screen displays. Enter the user name and password at the prompts.

Note: The default login username is admin and password is 1234. The username and password are case-sensitive.

1.2.4 SSH (Secure SHell)

You can use an SSH client program to access the CLI. The following figure shows an example using a text-based SSH client program. Refer to the documentation that comes with your SSH program for information on using it.

Note: The default login username is admin and password is 1234. The username and password are case-sensitive.

Figure 8 SSH Login Example
C:\> ssh2 admin@192.168.1.1
Host key not found from database
141. ...mib and zyxel-zywall-ZLD-Common.mib to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the ZyWALL's MIBs from www.zyxel.com.

38.8.2 SNMP Traps

The ZyWALL will send traps to the SNMP manager when any one of the following events occurs.

Table 175 SNMP Traps

Cold Start: 1.3.6.1.6.3.1.1.5.1. This trap is sent when the ZyWALL is turned on or an agent restarts.
linkDown: 1.3.6.1.6.3.1.1.5.3. This trap is sent when the Ethernet link is down.
linkUp: 1.3.6.1.6.3.1.1.5.4. This trap is sent when the Ethernet link is up.
authenticationFailure: 1.3.6.1.6.3.1.1.5.5. This trap is sent when an SNMP request comes from non-authenticated hosts.

Chapter 38 System Remote Management

38.8.3 SNMP Commands

The following table describes the commands available for SNMP. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 176 Command Summary: SNMP

[no] snmp-server: Allows SNMP access to the ZyWALL. The no command disables SNMP access to the ZyWALL.
[no] snmp-server community <community_string> {ro | rw}: Enters up to 64 characters to set the password for read-only (ro) or read-write (rw)
142. ...most printable ASCII characters. You cannot use square brackets, double quotation marks, question marks, tabs or spaces. It can be up to 31 characters long.
isakmp policy rename <policy_name> <policy_name>: Renames the specified IKE SA (first policy_name) to the specified name (second policy_name).

17.2.2 IPSec SA Commands (except Manual Keys)

This table lists the commands for IPSec SAs, excluding manual keys (VPN connections using VPN gateways).

Table 72 crypto Commands: IPSec SAs

[no] crypto ignore-df-bit: Fragments packets larger than the MTU (Maximum Transmission Unit) that have the "don't fragment" bit in the header turned on. The no command has the ZyWALL drop packets larger than the MTU that have the "don't fragment" bit in the header turned on.
show crypto map [<map_name>]: Shows the specified IPSec SA or all IPSec SAs.
crypto map dial <map_name>: Dials the specified IPSec SA manually. This command does not work for IPSec SAs using manual keys or for IPSec SAs where the remote gateway address is 0.0.0.0.
[no] crypto map <map_name>: Creates the specified IPSec SA if necessary and enters sub-command mode. The no command deletes the specified IPSec SA.

Chapter 17 IPSec VPN

Table 72 crypto Commands: IPSec SAs (continued)

crypto map rename <map_name> <map_name>: Renames the specifie
144. ...: no
: no
: no
service:
outbreak: no
alert tcp any any <> any any (msg:

Chapter 22 IDP Commands

This example shows you how to display custom signature details.

Router(config)# show idp signatures custom-signature 9000000 details
sid: 9000000
message: test
edit:
policy type:
severity:
platform:
  all: no
  Win95/98: no
  WinNT: no
  WinXP/2000: no
  Linux: no
  FreeBSD: no
  Solaris: no
  SGI: no
  other-Unix: no
  network-device: no
service:
outbreak: no

This example shows you how to display custom signature contents.

Router(config)# show idp signatures custom-signature 9000000 contents
sid: 9000000
Router(config)# show idp signatures custom-signature 9000000 non-contents
sid: 9000000
ack:
dport: 0
dsize:
dsize_rel:
flow_direction:
flow_state:
flow_stream:
fragbits_reserve:
fragbits_dontfrag:
fragbits_morefrag:
fragoffset:
fragoffset_rel:
icmp_id:
icmp_seq:
icode:
icode_rel:
id:
ipopt:
itype:
itype_rel:
sameip:
seq:
sport: 0
tcp_flag_ack:
tcp_flag_fin:
tcp_flag_push:
tcp_flag_r1:
tcp_flag_r2:
tcp_flag_rst:
tcp_flag_syn:
tcp_flag_urg:
threshold_type:
threshold_track:
threshold_count:
threshold_second:
tos:
tos_rel:
transport: tcp
ttl:
ttl_rel:
window:
window_rel:

This example shows you how
145. [no] passive-interface <interface_name>: Sets the RIP direction of the specified interface to in-only. The no command makes RIP bi-directional in the specified interface.
[no] outonly-interface <interface_name>: Sets the RIP direction of the specified interface to out-only. The no command makes RIP bi-directional in the specified interface.
interface <interface_name>: Enters sub-command mode.
[no] ip rip {send | receive} version <1..2>: Sets the send or receive version to the specified version number. The no command sets the send or receive version to the current global setting for RIP. See Chapter 9 on page 107 for more information about routing protocols.
[no] ip rip v2-broadcast: Enables RIP-2 packets using subnet broadcasting. The no command uses multicasting.
show rip {global | interface {all | <interface_name>}}: Displays RIP settings.

6.2.5 OSPF Commands

This table lists the commands for OSPF settings.

Table 20 interface Commands: OSPF Settings

router ospf: Enters sub-command mode.
[no] network <interface_name> area <ip>: Makes the specified interface part of the specified area. The no command removes the specified interface from the specified area, disabling OSPF in this interface.

Chapter 6 Interfaces

Table 20 interface Commands: OSPF Settings (continued)

[no] passive
148. ...of all of them if you don't specify one.

23.8 Content Filter URL Cache Commands
The following table lists the commands that you can use to view and configure your ZyWALL's URL caching. You can configure how long a categorized web site address remains in the cache, as well as view those web site addresses to which access has been allowed or blocked based on the responses from the external content filtering server. The ZyWALL only queries the external content filtering database for sites not found in the cache.
Chapter 23: Content Filtering
Use the configure terminal command to enter the configuration mode to be able to use these commands. See Table 111 on page 200 for details about the values you can input with these commands.
Table 114 content-filter url-cache Commands
[no] content-filter timeout timeout: Sets how long to keep a content filtering URL cache entry before discarding it. The no command clears the setting.
show content-filter url-cache {all | category} [begin url_cache_range end url_cache_range] [count]: Displays the contents of the content filtering URL cache. You can specify a range and number of entries to display.
show content-filter url-cache: Displays the contents of the content filtering URL cache.
content-filter url-cache test: Enters the sub-command mode for testing whether or not a web site is saved in the ZyWALL's database o...
149. ...or IPv6 address.
write (P): Saves the current configuration to the ZyWALL. All unsaved changes are lost after the ZyWALL restarts.
Subsequent chapters in this guide describe the configuration commands. User/privilege mode commands that are also configuration commands (for example, show) are described in more detail in the related configuration command chapter.

2.1.1 Debug Commands
Debug commands marked with an asterisk (*) are not available when the debug flag is on and are for ZyXEL service personnel use only. The debug commands follow a Linux-based syntax, so if there is a Linux equivalent, it is displayed in this chapter for your reference. You must know a command listed here well before you use it. Otherwise, it may cause undesired results.
Chapter 2: User and Privilege Modes
Table 5 Debug Commands (COMMAND SYNTAX / DESCRIPTION / LINUX COMMAND EQUIVALENT)
debug alg: FTP/SIP ALG debug commands
debug anti-spam: Anti-Spam debug commands
debug app: Application patrol debug command
debug app show l7protocol: Shows app patrol protocol list (Linux equivalent: cat etc l7 protocols protocol list)
debug ca: Certificate debug commands
debug content-filter: Content Filtering debug commands
debug device-ha: Device HA debug commands
debug eps: Endpoint security debug commands
debug force-auth: Authentication polic...
debug gui: ...
150. ...pages pose a threat to users or their computers.
content-filter common-list {trust | forbid}: Enters the sub-command for configuring a common list of trusted or forbidden web sites. The content filtering profile commands let you configure trusted or forbidden URLs for individual profiles. URL checking is applied in the following order: profile trusted web sites, common trusted web sites, profile forbidden web sites, common forbidden web sites, and then profile keywords.
Chapter 23: Content Filtering
Table 112 content-filter General Commands (continued)
[no] {ipv4 | ipv4_cidr | ipv4_range | wildcard_domainname | tld}: Adds or removes a common trusted or forbidden web site entry.
ipv4: IPv4 address <W.X.Y.Z>
ipv4_cidr: IPv4 subnet in CIDR format, i.e. 192.168.1.0/32; <W.X.Y.Z>/<1..32>
ipv4_range: Range of IPv4 addresses; <W.X.Y.Z>-<W.X.Y.Z>
wildcard_domainname: wildcard domain name, i.e. zyxel.co with wildcard characters; [a-z0-9]{1,63}.[a-z0-9]{1,63}
tld: top level domain
exit: Leaves the sub-command mode.
show content-filter passed-warning: Displays the ZyWALL's record of sessions for which it has given the user a warning before allowing access.
show content-filter policy: Displays the content filtering policies.
show content-filter settings: Displays the general content filtering settings.
show content-filter common...
151. ...provision rules: Displays the settings of the configured VPN configuration provisioning rules.
Chapter 17: IPSec VPN

17.2.6 SA Monitor Commands
This table lists the commands for the SA monitor.
Table 76 sa Commands: SA Monitor
show sa monitor [{begin <1..1000>} {end <1..1000>}] [crypto-map regexp] [policy regexp] [rsort sort_order] [sort sort_order]: Displays the current IPSec SAs and the status of each one. You can specify a range of SA entries to display. You can also control the sort order of the display and search by VPN connection or local or remote policy.
regexp: A keyword or regular expression. Use up to 30 alphanumeric and _ < > characters. A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use "a?c" (without the quotation marks) to specify abc, acc and so on. Wildcards (*) let multiple VPN connection or policy names match the pattern. For example, use "*abc" (without the quotation marks) to specify any VPN connection or policy name that ends with "abc". A VPN connection named "testabc" would match. There could be any number of any type of characters in front of the "abc" at the end and the VPN connection or policy name would still match. A VPN connection or policy name named "testacc", for example, would not match. A * in the middle of a VP...
152. ...psm commands are for ZyXEL's internal manufacturing process.
Table 4 User (U) and Privilege (P) Mode Commands
apply (P): Applies a configuration file.
atse (U, P): Displays the seed code.
clear (U, P): Clears system or debug logs or DHCP binding.
configure (U, P): Use configure terminal to enter configuration mode.
copy (P): Copies configuration files.
debug (U, P): For support personnel only. The device needs to have the debug flag enabled.
delete (P): Deletes configuration files.
details (P): Performs diagnostic commands.
diag (P): Provided for support personnel to collect internal system information. It is not recommended that you use these.
diag-info (P): Has the ZyWALL create a new diagnostic file.
dir (P): Lists files in a directory.
disable (U, P): Goes from privilege mode to user mode.
enable (U, P): Goes from user mode to privilege mode.
Chapter 2: User and Privilege Modes
Table 4 User (U) and Privilege (P) Mode Commands (continued)
exit (U, P): Goes to a previous mode or logs out.
htm (U, P): Goes to htm (hardware test module) mode for testing hardware components. You may need to use the htm commands if your customer support engineer asks you to during troubleshooting. Note: These commands are for ZyXEL's internal manufacturing process. i...
153. ...redirect traffic accordingly.
Chapter 11: DDNS

11.2 DDNS Commands Summary
The following table describes the values required for many DDNS commands. Other values are discussed with the corresponding commands.
Table 57 Input Values for DDNS Commands
profile_name: The name of the DDNS profile. You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive.
The following table lists the DDNS commands.
Table 58 ip ddns Commands
show ddns [profile_name]: Displays information about the specified DDNS profile or about all DDNS profiles.
[no] ip ddns profile profile_name: Creates the specified DDNS profile (if necessary) and enters sub-command mode. The no command deletes it.
[no] service-type {dyndns | dynu-basic | dyndns-static | dynu-premium | dyndns-custom | peanut-hull | 3322-dyn | 3322-static}: Sets the service type in the specified DDNS profile. The no command clears it.
[no] username username password password: Sets the username and password in the specified DDNS profile. The no command clears these fields. username: You can use up to 31 alphanumeric characters and the underscore. password: You can use up to 64 alphanumeric characters and the underscore.
[no] host hostname: Sets the domain...
155. ...script, use # or ! as the first character of a command line to have the ZyWALL treat the line as a comment. Your configuration files or shell scripts can use exit or a command line consisting of a single ! to have the ZyWALL exit sub-command mode.
Note: exit or ! must follow sub-commands if it is to make the ZyWALL exit sub-command mode.
Chapter 39: File Manager
Line 3 in the following example exits sub-command mode.
interface ge1
ip address dhcp
!
Lines 1 and 3 in the following example are comments and line 4 exits sub-command mode.
!
interface ge1
# this interface is a DHCP client
!
Lines 1 and 2 are comments. Line 5 exits sub-command mode.
! this is from Joe
# on 2006/06/05
interface ge1
ip address dhcp
!

39.2.2 Errors in Configuration Files or Shell Scripts
When you apply a configuration file or run a shell script, the ZyWALL processes the file line by line. The ZyWALL checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the ZyWALL finds an error, it stops applying the configuration file or shell script and generates a log.
You can change the way a configuration file or shell script is applied. Include setenv stop-on-error off in the configuration file or shell script. The ZyWALL ignores any errors in the configuration file or shell script and applies all of the va...
156. ...show eps {signature | anti-virus | personal-firewall | status}: Displays all the anti-virus software packages, personal firewall software packages or EPS signature information respectively. The status command displays the EPS signature version, release date and the total number of software packages for which the ZyWALL's endpoint security can check.
show eps warning-message {windows-auto-update | windows-security-patch | anti-virus | personal-firewall | windows-registry | process | file-path}: Shows the warning messages displayed when a network client's computer fails an EPS check.
Chapter 35: Endpoint Security
Table 161 Endpoint Security Object Commands
eps warning-message {windows-auto-update | windows-security-patch | anti-virus | personal-firewall | windows-registry | process | file-path}: Enters the sub-command mode for configuring the EPS warning message to show to network clients whose computers fail the related EPS check.
[no] enable: Enables or disables showing the related EPS warning message to network clients whose computers fail the related EPS check.
exit: Leaves the sub-command mode.
[no] message eps_warning_message: Specify a warning message to display when a user's computer fails the endpoint security check. Use up to 1023 characters (0-9a...
[no] eps rename profile_name new_profile_name
157. ...signature ID details of the specified profile.
show idp profile profile_name signature all details custom: Shows the signature details of the specified profile.

22.3.4 Editing/Creating Anomaly Profiles
Use these commands to create a new anomaly profile or edit an existing one. It is recommended you use the web configurator to create/edit profiles. If you do not specify a base profile, the default base profile is none.
Chapter 22: IDP Commands
Note: You CANNOT change the base profile later.
Table 103 Editing/Creating Anomaly Profiles
idp anomaly newpro [base {all | none}]: Creates a new IDP anomaly profile called newpro. newpro uses the base profile you specify. Enters sub-command mode. All the following commands relate to the new profile. Use exit to quit sub-command mode.
scan-detection sensitivity {low | medium | high}: Sets scan detection sensitivity.
no scan-detection sensitivity: Clears scan detection sensitivity. The default sensitivity is medium.
scan-detection block-period <1..3600>: Sets for how many seconds the ZyWALL blocks all packets from being sent to the victim (destination) of a detected anomaly attack.
[no] scan-detection tcp-xxx {activate | log [alert] | block}: Activates TCP scan detection options, where tcp-xxx = tcp-portscan, tcp-decoy-portscan, tcp-portsweep, tcp-distributed-portscan...
158. ...site-to-site-static | site-to-site-dynamic | remote-access-server | remote-access-client}: Select the scenario that best describes your intended VPN connection.
site-to-site: The remote IPSec router has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel.
site-to-site-dynamic: The remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel.
remote-access-server: Allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
remote-access-client: Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.
set security-association lifetime seconds <180..3000000>: Sets the IPSec SA life time.
set pfs {group1 | group2 | group5 | none}: Enables Perfect Forward Secrecy group.
local-policy address_name: Sets the address object for the local policy (local network).
remote-policy address_name: Sets the address object for the remote policy (remote network).
[no] policy-enforcement: Drops traffic whose source and destination IP addresses do not match the local and remote policy. This makes the IPSec SA more secure. The no command allows traffic whose source and destination IP addresses do not match the local and remote policy.
Note: You must allow traffic whose source and destination IP a...
159. ...[source ipv4] [size <0..65507>] [forever | count <1..4096>]: Sends an ICMP ECHO_REQUEST to test the reachability of a host on an IPv4 network and to measure the round trip time for a message sent from the originating host to the destination computer. size specifies the number of data bytes to be sent. count: stop after sending this number of ECHO_REQUEST packets. forever: keep sending ECHO_REQUEST packets until you use Ctrl+c to stop.
ping6 {ipv6 | hostname} [source ipv6]: Sends an ICMP ECHO_REQUEST to test the reachability of a host on an IPv6 network and to measure the round trip time for a message sent from the originating host to the destination computer. interface_name specifies the interface through which to send the ECHO_REQUEST packets.
filter_extension: You can use 1-256 alphanumeric characters, spaces, or -_ characters.
show packet-capture status: Displays whether a packet capture is ongoing.
tracepath6 {ipv6 | hostname}: Displays the path MTU for the target address.
Chapter 46: Maintenance Tools
Table 204 Maintenance Tools Commands in Privilege Mode (continued)
show ipv6 neighbor list: Displays the ZyWALL's IPv6 neighbors.
show packet-capture config: Displays current packet capture settings.
Here are maintenance tool commands that you can use in configuration mode.
Table 205 Maintenance Tools Co...
160. ...system daemon
Got LINK_CHANGE: Port 1 is up -> Group 1 is up
Got LINK_CHANGE: Port 0 is up -> Group 0 is up
Applying system configuration file, please wait...
ZyWALL system is configured successfully with startup-config.conf
Welcome to ZyWALL 1050
Username:

Logs
This chapter provides information about the ZyWALL's logs.
Note: When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User's Guide for the maximum number of system log messages in the ZyWALL.

40.1 Log Commands Summary
The following table describes the values required for many log commands. Other values are discussed with the corresponding commands.
Table 186 Input Values for Log Commands
interface_name: The name of the interface.
Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1~N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and lower models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
Virtual interface on top of an Ethernet interface: add a colon (:) and the number of the virtual interface. For example, gex:y, x = 1~N, y = 1~4.
VLAN interface: vlanx, x = 0~4094.
Virtual interface on top of a VLAN interface: vlanx:y, x = 0~4094, y = 1~12.
Bridge int...
161. ...that use SNAT. The no command removes source NAT settings from the rule.
[no] source {address_object | any}: Sets the source IP address that the matched packets must have. The no command resets the source IP address to the default (any). any means all IP addresses.
[no] sslvpn tunnel_name: Sets the incoming interface to an SSL VPN tunnel. The no command removes the SSL VPN tunnel through which the incoming packets are received.
[no] trigger <1..8> incoming service_name trigger service_name: Sets a port triggering rule. The no command removes port trigger settings from the rule.
trigger append incoming service_name trigger service_name: Adds a new port triggering rule to the end of the list.
trigger delete <1..8>: Removes a port triggering rule.
trigger insert <1..8> incoming service_name trigger service_name: Adds a new port triggering rule before the specified number.
trigger move <1..8> to <1..8>: Moves a port triggering rule to the number that you specified.
Chapter 8: Route
Table 44 Command Summary: Policy Route (continued)
[no] tunnel tunnel_name: Sets the incoming interface to an IPSec VPN tunnel. The no command removes the IPSec VPN tunnel through which the incoming packets are received.
[no] user user_name: Sets the user name. The no command resets the user name to the default (a...
162. ...the Tmp share on the my-server computer.
server-type rdp server-address server_address [starting-port <1..65535> ending-port <1..65535>] [program-path program_path]: Creates an SSL application object to allow users to manage LAN computers that have Remote Desktop Protocol remote desktop server software installed. Specify the listening ports of the LAN computer(s) running remote desktop server software. The ZyWALL uses a port number from this range to send traffic to the LAN computer that is being remotely managed. program_path: specify an application to open when a remote user logs into the remote desktop application.
server-type vnc server-address server_address [starting-port <1..65535> ending-port <1..65535>]: Creates an SSL application object to allow users to manage LAN computers that have Virtual Network Computing remote desktop server software installed. Specify the listening ports of the LAN computer(s) running remote desktop server software. The ZyWALL uses a port number from this range to send traffic to the LAN computer that is being remotely managed.
server-type weblink url url: Sets this to create a link to a web site you specified that you expect the SSL VPN users to commonly use. url: Enter the fully qualified domain name (FQDN) or IP address of the application server. You must enter the http:// or https:// prefix. For example, https://1.2.3.4. SSL VPN users are restricted to...
163. ...the default anti-virus or IDP signatures. The ZyWALL can still operate if the default system database is damaged or missing, but related features like anti-virus or IDP may not function properly.
Chapter 39: File Manager
If the default system database file is not valid, the ZyWALL displays a warning message in your console session at startup or when reloading the anti-virus or IDP signatures. It also generates a log. Here are some examples. Use this section to restore the ZyWALL's default system database.
Figure 45 Default System Database Console Session Warning at Startup: Anti-virus
[console session warning output; the tail reads Router(config)# idp r... for IDP]
Figure 47 Default System Database Missing Log: Anti-virus
View Log (Logs, Show Filter, Display: IDP, Email Log Now, Refresh, Clear Log). Total logging entries: 8; 30 entries per page.
1 2007-05-11 11:25:00 info IDP New IDP rule has been appended
2 2007-05-11 11:24:59 info IDP New IDP rule has been appended
3 2007-05-11 11:24:59 info IDP IDP profile DMZ_IDP has been modified
4 2007-05-11 11:24:59 info IDP IDP profile DMZ_IDP has been created
5 2007-05-11 11:24:59 info IDP IDP profile LAN_IDP has been modified
6 2007-05-11 11:24:59 info IDP IDP profile LAN_IDP has been created
7 2007-05-11 11:24:59 info IDP Enable IDP succeeded
8 2007-05-11 11:23:42 a...
164. ...the following tables and discussed in more detail farther on.
Table 11 Characteristics of Ethernet, VLAN, Bridge, PPPoE/PPTP and Virtual Interface (ZyWALL USG 300 and Above)
CHARACTERISTICS: ETHERNET / VLAN / BRIDGE / PPPOE-PPTP / VIRTUAL
Name: gex / vlanx / brx / pppx / (parent):k
IP Address Assignment
static IP address: Yes / Yes / Yes / Yes / Yes
DHCP client: Yes / Yes / Yes / Yes / No
routing metric: Yes / Yes / Yes / Yes / Yes
Interface Parameters
bandwidth restrictions: Yes / Yes / Yes / Yes / Yes
packet size (MTU): Yes / Yes / Yes / Yes / No
data size (MSS): Yes / Yes / Yes / Yes / No
traffic prioritization: Yes / Yes / Yes / Yes / No
DHCP
DHCP server: Yes / Yes / Yes / No / No
DHCP relay: Yes / Yes / Yes / No / No
Ping Check: Yes / Yes / Yes / Yes / No
The format of interface names is strict. Each name consists of 2-4 letters (interface type), followed by a number (x), limited by the maximum number of each type of interface. For example, Ethernet interface names are ge1, ge2, ge3; VLAN interfaces are vlan0, vlan1, vlan2, and so on.
The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface ge1 are called ge1:1, ge1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon in the web configurator; it is a sequential number. You can specify the number after the col...
165. ...the schedule setting to the default (none). none means any time.
[no] service {service_name | any}: Sets the IP protocol. The no command resets service settings to the default (any). any means all services.
Chapter 8: Route
Table 44 Command Summary: Policy Route (continued)
[no] source {address6_object | any}: Sets the source IPv6 IP address that the matched packets must have. The no command resets the source IP address to the default (any). any means all IP addresses.
[no] user {user_name | any}: Sets the user name. The no command resets the user name to the default (any). any means all users.
[no] policy activate controll-ipsec-dynamic-rules: Enables the ZyWALL to use policy routes to manually specify the destination addresses of dynamic IPSec rules. You must manually create these policy routes. The ZyWALL automatically obtains source and destination addresses for dynamic IPSec rules that do not match any of the policy routes. The no command has the ZyWALL automatically obtain source and destination addresses for all dynamic IPSec rules.
policy default-route: Enters the policy-route sub-command mode to set a route with the name default-route.
policy delete policy_number: Removes a routing policy.
policy flush: Clears the policy routing table.
policy list table: Displays all policy route settings.
policy move policy...
166. ...this checking item. Include the filename extension for Linux operating systems.
[no] application trusted-process process_name: If you selected windows or linux as the operating system using the os-type command, you can use this command to set an application that a user's computer must be running. The user's computer must have all of the trusted applications running to pass this checking item. Include the filename extension for Linux operating systems.
[no] description description: Type a description for this endpoint security object. You can use alphanumeric and _ characters, and it can be up to 60 characters long.
[no] file-info file-path file_path: If you selected windows or linux as the operating system using the os-type command, you can use this command to check details of specific files on the user's computer. The user's computer must pass one of the file information checks to pass this checking item.
[no] file-info file-path file_path {eq | gt | lt | ge | le | neq} file-size <1..1073741824>: Sets whether the size of the file on the user's computer has to be equal to (eq), greater than (gt), less than (lt), greater than or equal to (ge), less than or equal to (le) or not equal to (neq) the size of the file specified.
[no] file-info file-path file_path {eq | gt | lt | ge | le | neq} file-version file_version: Sets whether the version of the file on the user's computer has to...
167. ...to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ZyWALL uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address. The ZyWALL then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the ZyWALL.
Suppose you configure access privileges for IP address 192.168.1.27 and use static DHCP to assign it to Tim's computer's MAC address of 12:34:56:78:90:AB. IP/MAC binding drops traffic from any computer with another MAC address that tries to use IP address 192.168.1.27.

15.2 IP/MAC Binding Commands
The following table lists the ip-mac-binding commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 64 ip-mac-binding Commands
[no] ip ip-mac-binding interface_name activate: Turns on IP/MAC binding for the specified interface. The no command turns IP/MAC binding off for the specified interface.
[no] ip ip-mac-binding interface_name log: Turns on the IP/MAC binding logs for the specified interface. The no command turns IP/MAC binding logs off for the specified interface.
ip ip-mac-binding exempt name start_ip end_ip: Adds a named IP range as being exempt from IP/MAC binding.
no ip ip-mac-binding exempt name: Deletes the named IP range from the list of addresses...
168. ...to display all details of a custom signature.
Router(config)# show idp signatures custom-signature all details
sid 9000000 test edit
policy type
severity
message
platform: all no, Win95/98 no, WinNT no, WinXP/2000 no, Linux no, FreeBSD no, Solaris no, SGI no, other Unix no, network device no
service
outbreak no
This example shows you how to display the number of custom signatures on the ZyWALL.
Router(config)# show idp signatures custom-signature number
signatures: 1

22.5 Update IDP Signatures
Use these commands to update new signatures. You register for IDP service before you can update IDP signatures, although you do not have to register in order to update system protect signatures.
Note: You must use the web configurator to import a custom signature file.
Table 109 Update Signatures
idp {signature | system-protect} update signatures: Immediately downloads IDP or system protect signatures from an update server.
[no] idp {signature | system-protect} update auto: Enables/disables automatic signature downloads at regular times and days.
idp {signature | system-protect} update hourly: Enables automatic signature download every hour.
idp {signature | system-protect} update daily <0..23>: Enables automatic signature download every day at the time specified.
idp {signature | system-protect} update weekly {sun | ...: Enables...
169. [connection table output; last entry in state ESTABLISHED]
Chapter 4: Status
Here are examples of the commands that display the system uptime and model, firmware and build information.
Router> show system uptime
System uptime: 04:18:00
Router> show version
ZyXEL Communications Corp.
model: ZyWALL USG 100
firmware version: 2.20(AQQ.0)b3
BM version: 1.08
build date: 2009-11-21 01:18:06
This example shows the current LED states on the ZyWALL. The SYS LED lights on and green. The AUX and HDD LEDs are both off.
Router> show led status
sys: green
aux: off
hdd: off
Router>

Registration
This chapter introduces myzyxel.com and shows you how to register the ZyWALL for IDP/AppPatrol, anti-virus, content filtering and SSL VPN services using commands.

5.1 myZyXEL.com Overview
myZyXEL.com is ZyXEL's online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL.
Note: You need to create an account before you can register your device and activate the services at myZyXEL.com. You can directly create a myZyXEL.com accou...
170. ...uses the following settings:
IP address: 172.16.50.1
Port: 389
Base-dn: DC=ZyXEL,DC=com
Chapter 31: Authentication Objects
Bind-dn: zyxel\engineerABC
Password: abcdefg
Login-name-attribute: sAMAccountName
The result shows the account exists on the AD server. Otherwise, the ZyWALL responds with an error.
Router> test aaa-server ad host 172.16.50.1 port 389 base-dn DC=ZyXEL,DC=com bind-dn zyxel\engineerABC password abcdefg login-name-attribute sAMAccountName account userABC
dn:: Q049MTIzNzco546L5aOr56uRKSxPVT1XaXRoTWFpbCxEQzlaeVhFTCxEQzljb20
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn:: MTIzNzco546L5aOr56uRKQ
sn: User 1 2341100

Certificates
This chapter explains how to use the Certificates.

32.1 Certificates Overview
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and governmen...
virtual server. nat-1-1-map means the NAT type is either 1:1 NAT or many 1:1 NAT. See Section 12.1.1 on page 119 for more information. Using this command without nat-1-1-map means the NAT type is Virtual Server. This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL, like the Internet. The deactivate command disables the virtual server rule.

Chapter 12 Virtual Servers

Table 60 ip virtual-server Commands (continued)

ip virtual-server profile_name interface interface_name original-ip {any | IP | address_object} map-to address_object map-type original-service service_object mapped-service service_object [nat-loopback [nat-1-1-map [deactivate]] | nat-1-1-map [deactivate] | deactivate]
    Creates or modifies the specified virtual server and maps the specified destination IP address, protocol and service object to the specified destination IP address and service object. The original destination IP is defined by the specified interface (any), the specified IP address (IP) or the specified address object (address_object). NAT loopback allows local users to use a domain name to access this virtual server. nat-1-1-map means the NAT type is either 1:1 NAT or many 1:1 NAT. See Section 12.1.1 on page 119 for more information. Using this command without nat-1-1-map means the NAT type is Virtual Serve
wlan mac-filter associate {allow | deny}
    Defines the filter action for the list of MAC addresses in the MAC address filter table. Allow permits them to access the ZyWALL; MAC addresses not listed will be blocked. Deny blocks the listed addresses from accessing the router; MAC addresses not listed will be allowed to access the router.
show wlan mac-filter status
    Displays the MAC filter's activation and association settings.
show wlan mac-filter
    Displays the WLAN MAC filter entries.

6.9.3.1 WLAN MAC Filter Commands Example

This example creates a MAC filter entry for MAC address 01:02:03:04:05:06 and sets the ZyWALL to allow wireless access from that entry's MAC address only.

    Router(config)# wlan mac-filter 01:02:03:04:05:06 description example
    Router(config)# wlan mac-filter associate allow
    Router(config)# wlan mac-filter activate
    Router(config)# show wlan mac-filter status
    Enable: yes
    Association: allow
    Router(config)# show wlan mac-filter
    No.  MAC                Description
    1    01:02:03:04:05:06  example

6.10 VLAN Interface Specific Commands

This section covers commands that are specific to VLAN interfaces. VLAN interfaces also use many of the general interface commands discussed at the beginning of Section 6.2 on page 57.

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Ta
[Tail of the show eps signature anti-virus output; the Detection column values did not survive extraction.]

    Avira Antivir Personal v2009
    Kaspersky Anti-Virus v2010
    Kaspersky Internet Security v2010
    Kaspersky Anti-Virus v2009
    Kaspersky Internet Security v2009
    Norton Anti-Virus v2011
    Norton Internet Security v2011
    Norton 360 v4
    Norton 360 v5
    Kaspersky Anti-Virus v2011
    Kaspersky Anti-Virus v2012
    Kaspersky Internet Security v2011
    Kaspersky Internet Security v2012
    TrendMicro PC-cillin v2011 Cloud
    Avira Antivir Personal v2010
    Avira Antivir Premium 2009
    Avira Antivir Premium v10
    Router(config)#

Then he also needs to check the personal firewall software names defined on the ZyWALL. Copy and paste the name of output item 4 for the setting later.

    Router(config)# show eps signature personal-firewall
    Name                                              Detection
    Kaspersky_Internet_Security_v2009                 yes
    Kaspersky_Internet_Security_v2010                 yes
    Microsoft_Security_Center                         yes
    Windows_Firewall                                  yes
    TrendMicro PC-cillin Internet Security v2010      yes
    TrendMicro PC-cillin Internet Security Pro v2010  yes
    Windows Firewall Public                           yes
    Kaspersky Internet Security v2011                 yes
    Kaspersky Internet Security v2012                 no
    Router(config)#

Chapter 35 Endpoint Security

Now Peter can create the EPS object profile as shown in the next example. Note that he uses the matching-criteria all command to make sure all users' computers have the required software
    1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
time
    24-hour time, hours and minutes: <0..23>:<0..59>

The following table lists the schedule commands.

Table 146 schedule Commands

show schedule-object
    Displays information about the schedules in the ZyWALL.
no schedule-object object_name
    Deletes the schedule object.

Chapter 29 Schedules

Table 146 schedule Commands (continued)

schedule-object object_name date time date time
    Creates or updates a one-time schedule. date: yyyy-mm-dd date format, yyyy-<01..12>-<01..31>.
schedule-object object_name time time [day] [day] [day] [day] [day] [day] [day]
    Creates or updates a recurring schedule. day: 3-character day of the week: sun, mon, tue, wed, thu, fri, sat.

29.2.1 Schedule Command Examples

The following commands create recurring schedule SCHEDULE1 and one-time schedule SCHEDULE2, and then delete SCHEDULE1.

    Router# configure terminal
    Router(config)# schedule-object SCHEDULE1 11:00 12:00 mon tue wed thu fri
    Router(config)# schedule-object SCHEDULE2 2006-07-29 11:00 2006-07-31 12:00
    Router(config)# show schedule-object
    Object name   Type       Start  End    Ref
    SCHEDULE1     Recurring  11:00  12:00  MonTueWedThuFri
... profile2
    Renames an IDP signature or anomaly profile originally named profile to profile2.
no idp {signature | anomaly} profile3
    Deletes an IDP signature or system-protect profile named profile3.
show idp signature profile signature all details
    Lists the settings for all of the specified profile's signatures. Use | more to display the settings page by page.
show idp signature all details
    Lists the settings for all of the signatures. Use | more to display the settings page by page.
show idp {signature | anomaly} base-profile
    Displays all IDP signature or system-protect base profiles.
show idp signature base-profile {all | none | wan | lan | dmz} settings
    Lists the specified signature base profile's settings. Use | more to display the settings page by page.
show idp profiles
    Displays all IDP signature profiles.

Chapter 22 IDP Commands

22.3.1.1 Example of Global Profile Commands

In this example we rename an IDP signature profile from old_profile to new_profile, delete the bye_profile and show all base profiles available.

    Router# configure terminal
    Router(config)# idp rename signature old_profile new_profile
    Router(config)# no idp signature bye_profile
    Router(config)# show idp signature base-profile
    No.  Base Profile Name
    Router(config)#

22.3.2 IDP Zone to Zone Rules

Use the following rules to apply IDP profiles to specifi
    Router> packet-trace interface ge2 ip-proto icmp file extension-filter and src host 192.168.105.133 and dst host 192.168.105.40 -s 500 -n
    listening on eth1
    192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
    192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
    192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
    192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
    8 packets received by filter
    0 packets dropped by kernel

(The per-packet timestamps of this capture did not survive extraction.)

Chapter 46 Maintenance Tools

    Router> traceroute www.zyxel.com
    traceroute to www.zyxel.com (203.160.232.7), 30 hops max, 38 byte packets
     1  172.23.37.254  3.049 ms  1.947 ms  1.979 ms
     2  172.23.6.253   2.983 ms  2.961 ms  2.980 ms
     3  172.23.6.1     5.991 ms  5.968 ms  6.984 ms
     4  ...

Here are maintenance tool commands that you can use in configure mode.

Table 206 Maintenance Tools Commands in Configuration Mode

show arp-table
    Displays the current Address Resolution Protocol table.
arp IP mac_address
    Edits or creates an ARP table entry.
no arp ip
    Removes an ARP table entry.

The following example creates an ARP table entry for IP address 192.168.1.10 and MAC address 01:02:03:04:05:06. Then it shows the ARP table and finally removes the new entry.

    Router(config)# arp 192.168.1.10 01:02:03:04:05:06
    Router(config)# show arp-table
    Address         HWtype  HWaddress          Flags Mask  Iface
    192.168.1.10    ether   01:02:03:04:05:06  CM          ge1
    172.23.19.254   ether   00:04:80:9B:78:00  C           ge2
    Router(config)# no arp 192.168.1.10
    Router(config)# show arp-table
    Address         HWtype  HWaddress          Flags Mask  Iface
    192.168.1.10            (incomplete)                   ge1
    172.23.19.254   ether   00:04:80:9B:78:00  C           ge2

46.1.1 Packet Capture Command Example

The following examples show how to configure packet capture settings and perform a packet capture. First you have to check whether a packet capture is running. This example shows that no other packet capture is running. Then you can also check the current packet capture settings.

    Router(config)# show packet-capture status
    capture status: off
    Router(config)#
    Router(config)# show packet-capture config
    iface: None
    ip-version: any
    proto-type: any
    host-port: 0
    host-ip: any
    file-suffix: -packet-capture
    snaplen: 1500
    duration: 0
    file-size: 10
    split-size: 2
    ring-buffer: 0
    storage: 0

Then configure the following settings to capture packets going through the ZyWALL's WAN1 interface only:

    IP address: any
    Host IP: any
    Host port: any (then you do not need to configure this setting)
    File suffix: Example
    File size: 10 megabytes
    Duration: 150 seconds
    Save the captured packets to a USB storage device
    Use the ring buffer: no
    The maximum size of a packet capture file: 100 megabytes

    Router(config)# packet-capture co
interface
    The name of an interface; it could be an Ethernet, PPP, VLAN or bridge interface. The possible name/number of each interface type and the abbreviation to use are as follows.
    Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and lower models use a name such as wan1, wan2, opt, lan1, ext-wlan or dmz.
    PPPoE/PPTP interface: pppx, x = 0..N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.
    VLAN interface: vlanx, x = 0..4094.
    Bridge interface: brx, x = 0..N, where N depends on the number of bridge interfaces your ZyWALL model supports.
num
    The interface's position in the trunk's list of members: 1..8.
CR
    Carriage Return (the enter key).

7.4 Trunk Commands Summary

The following table lists the interface-group commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. See Table 40 on page 94 for details about the values you can input with these commands.

Table 41 interface-group Commands Summary

show interface-group {system-default | user-define | group_name}
    Displays pre-configured system default trunks, your own user-defined trunks, or a specified trunk's settings.
[no] interface-group group_name
    Creates a trunk name and enters the trunk sub-command mode, where
Table 10 Country Codes (continued)

    217 US Minor Outlying Islands   218 Uganda   219 Ukraine   220 United Arab Emirates
    221 United Kingdom   222 United States   223 Uruguay   224 Uzbekistan
    225 Vanuatu   226 Venezuela   227 Vietnam   228 Virgin Islands (British)
    229 Virgin Islands (USA)   230 Wallis And Futuna Islands   231 Western Sahara   232 Western Samoa
    233 Yemen   234 Yugoslavia   235 Zambia   236 Zimbabwe

Chapter 6 Interfaces

This chapter shows you how to use interface-related commands.

6.1 Interface Overview

In general, an interface has the following characteristics:
    An interface is a logical entity through which (layer-3) packets pass.
    An interface is bound to a physical port or another interface.
    Many interfaces can share the same physical port.
    An interface is bound to at most one zone.
    Many interfaces can belong to the same zone.
    Layer-3 virtualization (IP alias, for example) is a kind of interface.
Some characteristics do not apply to some types of interfaces.

6.1.1 Types of Interfaces

You can create several types of interfaces in the ZyWALL. The types supported vary by ZyWALL model.
    Port groups create a hardware connection between physical ports at the layer-2 (data link, MAC address) level.
    Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and OSPF are also configured in these interfaces.
    VLAN interfaces receive
[Tail of an anti-spam profile sub-command list: match action smtp forward, match action pop3 forward-with-tag, log, bypass white-list, bypass black-list, exit, and their no forms.]

24.2.3 White and Black Lists

The following table identifies values used in these commands. Other input values are discussed with the corresponding commands.

Table 119 Input Values for White and Black List Anti-Spam Commands

mail_header
    The name part of an e-mail header (the part that comes before the colon). Use up to 63 ASCII characters. For example, if you want the entry to check the Received: header for a specific mail server's domain, use Received.
mail_header_value
    The value part of an e-mail header (the part that comes after the colon). Use up to 63 ASCII characters. For example, if you want the entry to check the Received: header for a specific mail server's domain, specify the mail server's domain. See Section 24.2.3.2 on page 216 for more details.

Chapter 24 Anti-Spam

Table 119 Input Values for White and Black List Anti-Spam Commands (continued)

rule_number
    The index number of an anti-spam white or black list entry, 1..X, where X is the highest number of entries the ZyWALL model supports. See the ZyWALL's User's Guide for details.
subject
    A keyword in the content of the e-mail Subject headers. Use up to 63 ASCII
... 3G device is connected but there is an error.
Probe device fail: the ZyWALL's test of the 3G device failed.
Probe device ok: the ZyWALL's test of the 3G device succeeded.
Init device fail: the ZyWALL was not able to initialize the 3G device.
Init device ok: the ZyWALL initialized the 3G card.
Check lock fail: the ZyWALL's check of whether or not the 3G device is locked failed.
Device locked: the 3G device is locked.
SIM error: there is a SIM card error on the 3G device.
SIM locked-PUK: the PUK is locked on the 3G device's SIM card.
SIM locked-PIN: the PIN is locked on the 3G device's SIM card.
Unlock PUK fail: your attempt to unlock a WCDMA 3G device's PUK failed because you entered an incorrect PUK.
Unlock PIN fail: your attempt to unlock a WCDMA 3G device's PIN failed because you entered an incorrect PIN.
Unlock device fail: your attempt to unlock a CDMA2000 3G device failed because you entered an incorrect device code.
Device unlocked: you entered the correct device code and unlocked a CDMA2000 3G device.
Get dev info fail: the ZyWALL cannot get cellular device information.
Get dev info ok: the ZyWALL succeeded in retrieving 3G device information.
Searching network: the 3G device is searching for a network.
Get signal fail: the 3G device cannot get a signal from a network.
Network found: the 3G device found a network.
Appl
... to <1..64>
    Changes the index number of an ICMP filter rule.
show ip icmp-filter status
    Displays ICMP filter settings.

38.10 Dial-in Management

Connect an external serial modem to the DIAL BACKUP port or AUX port (depending on your model) to provide a remote management connection in case the ZyWALL's other WAN connections are down. This is like an auxiliary interface, except it is used for management connections coming into the ZyWALL instead of as a backup WAN connection.

Chapter 38 System Remote Management

38.10.1 AT Command Strings

For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP.

38.10.2 DTR Signal

The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH.

38.10.3 Response Strings

The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the serial modem. The response strings have not been standardized; please consult the documentation of your serial modem to find the
Table 44 Command Summary: Policy Route (continued)

[no] bwm activate
    Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes or application patrol policies apply bandwidth management. The no command globally disables bandwidth management.
policy {policy_number | append | insert policy_number}
    Enters the policy-route sub-command mode to configure, add or insert a policy.
[no] auto-destination
    When you set tunnel as the next-hop type (using the next-hop tunnel command) for this route, you can use this command to have the ZyWALL use the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy, instead of what you configure by using the destination command. The no command disables the setting.
[no] auto-disable
    When you set interface or trunk as the next-hop type (using the next-hop interface or next-hop trunk command) for this route, you can use this command to have the ZyWALL automatically disable this policy route when the next hop's connection is down. The no command disables the setting.
[no] bandwidth <1..1048576> priority <1..1024> [maximize-bandwidth-usage]
    Sets the maximum bandwidth and priority for the policy. The no command removes bandwidth settings from the rule. You can also turn maximize bandwidth usage on or off.
[no] deactivate
    D
Table 53 ip route Commands: Learned Routing Information

show ip route [kernel | connected | static | ospf | rip | bgp]
    Displays learned routing and other routing information.

9.2.6 show ip route Command Example

The following example shows learned routing information on the ZyWALL.

    Router> show ip route
    Flags: A - Activated route, S - Static route, C - directly Connected
           O - OSPF derived, R - RIP derived, G - selected Gateway
           reject, B - Black hole, L - Loop
    IP Address/Netmask   Gateway        IFace     Metric  Flags  Persist
    0.0.0.0/0            172.16.1.254   wan1      0       ASG
    10.59.0.0/24         0.0.0.0        ext-wlan  0       ACG
    127.0.0.0/8          0.0.0.0        lo        0       ACG
    172.16.1.0/24        0.0.0.0        wan1      0       ACG
    192.168.1.0/24       0.0.0.0        lan1      0       ACG
    192.168.2.0/24       0.0.0.0        lan2      0       ACG
    192.168.3.0/24       0.0.0.0        dmz       0       ACG

Chapter 10 Zones

Set up zones to configure network security and network policies in the ZyWALL.

10.1 Zones Overview

A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote management.

Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface, auxiliary interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run.

Figure 16 Example Zones
Inter
    ... 63 alphanumeric characters, dashes or periods, but the first character cannot be a period.
[no] logging syslog <1..4> {disable | level normal | level all}
    Specifies what kind of information, if any, is logged for the specified category.
[no] logging syslog <1..4> facility {local_1 | local_2 | local_3 | local_4 | local_5 | local_6 | local_7}
    Sets the log facility for the specified remote server. The no command sets the facility to local_1.
[no] logging syslog <1..4> format {cef | vrpt}
    Sets the format of the log information. cef: Common Event Format, syslog-compatible format. vrpt: ZyXEL's Vantage Report syslog-compatible format.

This table lists the commands for setting how often to send information to the VRPT (ZyXEL's Vantage Report) server.

Table 191 logging Commands: VRPT Settings

vrpt send device-information interval <15..3600>
    Sets the interval (in seconds) for how often the ZyWALL sends a device information log to the VRPT server.
vrpt send interface-statistics interval <15..3600>
    Sets the interval (in seconds) for how often the ZyWALL sends an interface statistics log to the VRPT server.
vrpt send system-status interval <15..3600>
    Sets the interval (in seconds) for how often the ZyWALL sends a system status log to the VRPT server.
show vrpt send device-information interval
    Displays the interval (in seconds) for how often the ZyWALL sends a de
    Press any key to enter debug mode within 1 seconds.

After the initialization, the login screen displays.

Figure 2 Login Screen
    Welcome to ZyWALL USG 20W
    Username:

Enter the user name and password at the prompts.

Note: The default login username is admin and password is 1234. The username and password are case-sensitive.

1.2.2 Web Configurator Console

Note: Before you can access the CLI through the web configurator, make sure your computer supports the Java Runtime Environment. You will be prompted to download and install the Java plug-in if it is not already installed.

Chapter 1 Command Line Interface

When you access the CLI using the web console, your computer establishes a SSH (Secure SHell) connection to the ZyWALL. Follow the steps below to access the web console.

1 Log into the web configurator.
2 Click the Console icon in the top right corner of the web configurator screen.
3 If the Java plug-in is already installed, skip to step 4. Otherwise you will be prompted to install the Java plug-in. If the prompt does not display and the screen remains gray, you have to download the setup program.
4 The web console starts. This might take a few seconds. One or more security screens may display. Click Yes or Always.

Figure 3 Web Console Security Warnings
    Warning - Security
    Do you want to trust the signed applet distributed by
... 2008r2}
    If you set windows as the operating system (using the os-type command), use this command to set the version of Windows.
matching-criteria {any | all}
    Select whether the user's computer has to match just one of the endpoint security object's checking criteria or all of them.
list signature {anti-virus | personal-firewall | status}
    Displays all the anti-virus software packages, personal firewall software packages, or EPS signature information, respectively. The status command displays the EPS signature version, release date and the total number of software packages for which the ZyWALL's endpoint security can check.
[no] windows-auto-update {enable | disable | ignore}
    If you set windows as the operating system (using the os-type command), you can use enable with this command if the user's computer must have the Windows Auto Update feature installed and activated; use disable if the Windows Auto Update feature must be installed but deactivated; use ignore if the Windows Auto Update feature must be installed but it does not matter whether it is activated or not. The no command does not check the Windows Auto Update feature.
[no] windows-service-pack <1..10>
    If you set windows as the operating system (using the os-type command), you can enter the minimum Windows service pack number the user's computer must have installed. The user's computer must have this service pack or higher. For example, 2 me
194. A 319 logging entries priority pri category module name srcip ip srcip6 ipv6 addr dstip ip dstip6 ipv6 addr service service name begin lt 1 512 gt end lt 1 512 gt keyword key word srciface interface name dstiface interface name protocol protocol 318 loggimg entries field field begin L 512 end Le BLA iobrske ak tee dasuauw aca gee 318 Logging Status DOHSOIS soplaba did aquae kee v edad eed eda RE ER evade Rr ee RE Eae 322 logie Scare Mea iy hve uq Qd S3 d a Suena sale ed RS edd e edid pedea B d ES UE 320 loyer Scotus STEREO Li d dod RE AO EC DD e cba do Md RR RN Dd eere CROCO Read 320 isaning statis a ystemelos au4 4 e S465 SHES d HERE NOS da Pa e edes bd ps a px e d edd ee Ede 318 Icgging Status DSU SLOSSSNO wuaudxq x CO Gee Ree RA REG UR RR E RARE Eq Edd de wena dod dcs 82 lggin psoe demu LILIS antes Senedd kee RR AAA Ea ando doe Eo OPER EO BUE do zol loglsepedge ASLELDIS asis AA qa sex e C EC dae S e o uc Roe x ed d o A 281 DOS Sethe tiered seeded dex PON Eb IEEE POEM RES P Re eee ea x pude deque ei e 281 WAS aut weve sq du dp d adu Sade EES AAA REN AAA ANA hae DEE RA E Rd Ex 41 mem BEAT a ee ee ae ee ee SARA AA ee ee ee ee ee ee ee ee 41 BL Sete keer eee ee wee SOL pq pad Ned ie acad deed dedu ode dard a edad wd AAA 282 object group faddress addresses group name aeikegk3 k e xx Rh sweden Se whe eee ba daca 240 dpJect group Service GOKU DATES such is exa
195. A DA AAA AR dob CC T2 Pore Sat reme 89 POTESTAD teh ata doo Rd ded Ue qe a e E EQ taste los ean dope Ren ER dece e e dea x e d aed eee 72 CARAS DECIDE dx etek se Phe Rad eU E A GA BI d dx dea a ade a epe A eel eR Re A zd PSs Cada and seas es Sh SOS nS SIC RIGEN A AA dcc ee QE E dd EE 41 redondantepuwer SERRE sow cw ae eek aed oxide dodi pfe e Wve dp ap io ok e Moog argo op but eR eR bande 41 ZyWALL ZLD CLI Reference Guide List of Commands Alphabetical show reference object aaa authentication default auth method eee 39 show reference object account pppoe object name ill RERO x eek babe eeEReS a 39 show reference object account pptp object nee isc AUR dew sted ee dws AAA 39 show reference object address object name bce bale kb A KOR Ee ROCA RR AC 39 show reference object addresso obJecl name zieekertxy9 9934x793 AAA Ree i 39 show reference object ca category local remote cert name leen 39 show reference object crypto map crr rto Nael 4444554 o RUE RU ER ICE AAA AA 39 show reference object dhopb lesse object object ssme ezeseaxaz anar Danae RR 40 show reference object dhop6 regqguest object object name s ee mo OR ok Rye ROCA RR Ron 40 Show reference object eps lores name asciende A bee Rub NUS E RU E cas 39 show reference object interface interface name vir
show device-ha ap-mode forwarding-port interface_name ... 224
show device-ha ap-mode interfaces ... 224
show device-ha ap-mode master sync ... 224
show device-ha ap-mode status ... 224
show device-ha status ... 225
show device-ha sync backup next-sync-time ... 226
show device-ha sync status ... 226
show device register status ... 47
show dhcp6 lease-object object_name ... 276
show dhcp6 request... (entry continues on the next page)
... 127
... 128
ALG Commands ... 129
Chapter 15 IP/MAC Binding ... 131
15.1 IP/MAC Binding Overview ... 131
15.2 IP/MAC Binding Commands ... 131
15.3 IP/MAC Binding Commands Example ... 132
Chapter 16 Firewall ... 133
16.1 Firewall Overview ... 133
16.2 Firewall Commands ... 134
16.2.1 ... 137
16.2.2 Firewall Command Examples ... 138
16.3 Session Limit Commands ... 139
Chapter 17 IPSec VPN ... 141
17.1 IPSec VPN Overview ... 141
17.2 IPSec VPN Commands Summary ... 142
17.2.1 ... 143
17.2.2 IPSec SA Commands (except Manual Keys) ... 144
17.2.3 IPSec SA Commands for Manual Keys ... 147
17.2.4 VPN Concentrator Commands ... 147
17.2.5 VPN Configuration Provisioning Commands ... 148
17.2.6 SA Monitor Commands ... 149
Chapter 18 SSL VPN ... 151
no bandwidth <1..1048576> priority <1..1024> [maximize-bandwidth-usage] ... 100
no bandwidth <1..1048576> priority <1..1024> [maximize-bandwidth-usage] ... 102
no bind interface_name ... 74
no budget data active download upload download upload <1..100000> ... (entry continues on the next page)
Address Commands Summary

The following table describes the values required for many address object and address group commands. Other values are discussed with the corresponding commands.

Table 139 Input Values for Address Commands

object_name
  The name of the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

group_name
  The name of the address group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

interface_name
  The name of the interface. This depends on the ZyWALL model. For the USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. For the ZyWALL USG 200 and below, use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.

Chapter 27 Addresses

The following sections list the address object and address group commands.

27.2.1 Address Object Commands

This table lists the commands for address objects.

Table 140 address-object and address6-object Commands

show {address-object | address6-object | service-object | schedule-object} [object_name]
  Displays information about the specified object, or all the objects of the specified type.

addre... (table continues on the next page)
logging system-log suppression interval <10..600> ... 318
logging usb-storage ... 82
login-page color background ... 280
login-page color window-background ... 280
login-page message-text message ... 280
mail-subject append date-time ... 325
mail-subject append system-name ... 325
match action pop3 {drop | forward | forward-with-tag} ... 212
match action smtp {drop | forward | forward-with-tag} ... 213
show vpn-concentrator [profile_name]
  Shows the specified VPN concentrator or all VPN concentrators.

[no] vpn-concentrator profile_name
  Creates the specified VPN concentrator if necessary and enters sub-command mode. The no command deletes the specified VPN concentrator.

Chapter 17 IPSec VPN

Table 74 vpn-concentrator Commands: VPN Concentrator (continued)

[no] crypto map_name
  Adds the specified IPSec SA to the specified VPN concentrator. The no command removes the specified IPSec SA from the specified VPN concentrator.

vpn-concentrator rename profile_name profile_name
  Renames the specified VPN concentrator (first profile_name) to the specified name (second profile_name).

17.2.5 VPN Configuration Provisioning Commands

This table lists the commands for VPN configuration provisioning.

Table 75 vpn-configuration-provision Commands: VPN Configuration Provisioning

vpn-configuration-provision rule {append | conf_index | insert conf_index}
  Enters the VPN configuration provisioning sub-command mode to add or edit a rule. conf_index: the index number of a VPN configuration provisioning rule, from 1 to the ZyWALL's maximum number of VPN connection rules.

[no] activate
  Turns the VPN configuration provisioning rule on or off.

crypto map_name
  Specifies the name of the IPSec VPN conn... (table continues on the next page)
service-register ... 47
service-register service-type trial service {av | kav} ... 47
session timeout {udp-connect <1..300> | udp-deliver <1..300> | icmp <1..300>} ... 329
session timeout session {tcp-established | tcp-synrecv | tcp-close | tcp-finwait | tcp-synsent | tcp-closewait | tcp-lastack | tcp-timewait} <1..300> ... 329
session-limit ... 140

List of Commands (Alphabetical)
session-limit delete rule_number ... 140
session-limit ... 140
session-limit insert rule_number ... 140
session-limit limit ... 139
session-limit move rule_number to rule_number ... 140
session-limit ... 139
session-limit ... 140
session-limit6 delete rule_number ... 140
session-limit6 ... 140
session-limit6 insert rule_number ... (entry continues on the next page)
ip ospf ... 69
ip ospf retransmit-interval <1..65535> ... 69
ip rip send version {1 | 2} ... 68
ip route ... 105
ip route control-virtual-server-rules activate ... 106
ip ssh server ... 289
ip ssh server port <1..65535> ... 289
ip telnet server ... 290
ip telnet server port <1..65535> ... 290
ipv6 address ... 35
[no] ip load-balancing link-sticking activate
  Turns link sticking on or off.

[no] ip load-balancing link-sticking timeout timeout
  Sets for how many seconds (30-3600) the ZyWALL sends all of each local computer's traffic through one WAN interface.

show ip load-balancing link-sticking status
  Displays the current link sticking settings.

7.8 Link Sticking Command Example

This example shows how to activate link sticking and set the timeout to 600 seconds (ten minutes).

Router(config)# ip load-balancing link-sticking activate
Router(config)# ip load-balancing link-sticking timeout 600
Router(config)# show ip load-balancing link-sticking status
active: yes
timeout: 600

Chapter 8 Route

This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL.

8.1 Policy Route

Traditionally, routing is based on the destination address only, and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per-interface basis, prior to the normal routing.

8.2 Policy Route Commands

The following table identifies the values required for many of these commands. Other in... (text continues on the next page)
network-extension traffic-enforcement ... 153
network-selection {auto | home} ... 76
next-hop {auto | gateway address_object | interface interface_name | trunk trunk_name | tunnel tunnel_name} ... 101
next-hop {auto | gateway gatewayv6 | interface interface_name | trunk trunk_name | tunnel tunnel_name} ... 102
ntp ... 282
ntp server ... 282
object-group address group_name ... 240
object-group ... 240
object-group ... 245
object-group service group_name ... 244
outbound-dscp-mark {<0..63> | class default | class dscp_class} ... 165
outbound-dscp-mark {<0..63> | class default | class dscp_class} ... 167
outbound-dscp-mark {<0..63> | class default | class dscp_class} ... 168
outgoing-interface ... 108
outgoing-interface interface_name ... (entry continues on the next page)
no source ... 337
no source ... 165
no source profile_name ... 168
no source address_object ... 137
no source-port ... 137
no source-port {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>} ... 137
no ssl ... 337
no ssl application application_object_name ... 266
no static address ip ... 65
no ssid ... 84
no system default ... 95
no tcp-decoder tcp_xxx action {drop | reject-sender | reject-receiver | reject-both} ... 186
no tcp-decoder tcp_xxx ... 186
no third-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns}} ... (entry continues on the next page)
show wlan ... 88
show wlan mac ... 88
show workspace application ... 153
show zone [profile_name] ... 112
show zone ... 112
show zone default binding ... 112
show zone ... 112
show zone system-default ... 112
show zone user-define ... 112
signature sid action {drop | reject-sender | reject-receiver | reject-both} ... 184
signature sid action {drop | reject-sender | reject-receiver | reject-both} ... 188
signature sid log [alert] ... 184
signature sid log [alert] ... 188
smtp-address ... 325
smtp-auth... (entry continues on the next page)
...USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 200 and lower models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT, and WAN.

snmp-server rule move rule_number to rule_number
  Changes the index number of a service control rule.

no snmp-server rule rule_number
  Deletes a service control rule for the SNMP service.

show snmp status
  Displays SNMP settings.

38.8.4 SNMP Commands Examples

The following command sets a service control rule that allows the computers with IP addresses matching the specified address object to access the specified zone using the SNMP service.

Router# configure terminal
Router(config)# snmp-server rule 11 access-group Example zone WAN action accept

Chapter 38 System Remote Management

The following command sets the password "secret" for read-write (rw) access.

Router# configure terminal
Router(config)# snmp-server community secret rw

The following command sets the IP address of the host that receives the SNMP notifications to 172.23.15.84 and the password sent with each trap to "qwerty".

Router# configure terminal
Router(config)# snmp-server host 172.23.15.84 qwerty

Note that SNMPv1 and SNMPv2c community strings travel in cleartext and are the only credential a read-write client presents, so a read-write community should only be reachable from a management zone that a service control rule permits.

38.9 ICMP Filter

The ip icmp-filter commands are obsolete. See Chapter 16 on page 133 to configure firewall rules for... (text continues on the next page)
... 121
ip6 route destv6_prefix {ipv6_global_address | ipv6_link_local interface} [<0..127>] ... 105
ip6 route destv6_prefix ipv6_link_local interface [<0..127>] ... 105
ip6 route replace destv6_prefix gatewayv6 interface [<0..127>] with destv6_prefix gatewayv6 interface [<0..127>] ... 105
... 145
ipv6 6to4 prefix ipv6_addr_prefix [destination-prefix ipv4_cidr] [relay ipv4] ... 81
ipv6 address ... 59
ipv6 address ... 61
ipv6 address ... 81
ipv6 dhcp6 ... 75
ipv6 ... 79
ipv6 neighbor flush ... 343
ipv6 ... 342
isakmp policy ... 143
isakmp policy rename policy_name policy_name ... 144
... 144
l2tp-over-ipsec authentication aaa_authentication_profile_name ... 159
l2tp-over-ipsec ... (entry continues on the next page)
...received cards.

debug show myzyxel-server status
  Myzyxel.com debug commands

debug sslvpn
  SSL VPN debug commands

Chapter 2 User and Privilege Modes

Table 5 Debug Commands (continued)
COMMAND SYNTAX / DESCRIPTION / LINUX COMMAND EQUIVALENT

debug system ipv6
  IPv6 debug commands

debug [cmdexec | corefile | ip | kernel | mac-id-rewrite | observer | switch | system | zyinetpkt | zysh-ipt-op]
  ZLD internal debug commands

debug update server
  Update server debug command

PART II Reference

Chapter 3 Object Reference

This chapter describes how to use object reference commands.

3.1 Object Reference Commands

The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object, because you have to remove references to the object first.

Table 6 show reference Commands

show reference object username [username]
  Displays which configuration settings reference the specified user object.

show reference object address [object_name]
  Displays which configuration settings reference the specified address object.

show reference object address6 [object_name]
  Displays which configuration settings referen... (table continues on the next page)

show reference object interface {interface_name | virtual_interface_name}
Table of Contents

... 17
Chapter 1 ... 19
1.1 Overview ... 19
1.1.1 ... 19
1.2 ... 19
1.2.1 ... 20
1.2.2 Web Configurator Console ... 20
... 23
1.3 How to Find Commands in this Guide ... 23
1.4 How Commands Are Explained ... 24
1.4.1 Background Information (Optional) ... 24
1.4.2 Command Input Values ... 24
1.4.3 Command Summary ... 24
1.4.4 Command Examples (Optional) ... 24
1.4.5 Command Syntax ... 24
1.4.6 Changing the Password ... 25
1.5 CLI Modes ... 25
1.6 Shortcuts and Help ... 26
1.6.1 List of Available Commands ... 26
1.6.2 List of Sub-commands or Required User Input ... 26
1.6.3 Entering Partial Commands ... 27
1.6.4 Entering a ? in a Command ... 27
1.6.5 Command History ... 27
1.6.6 Navigation ... 27
1.6.7 Erase Current Command ... 27
1.6.8 The no Commands ... 27
1.7 Input Values ... 28
1.8 ... 31
1.9 Saving Configuration Changes ... 31
1.10 Logging Out ... 32
Chapter 2 User and Privilege Modes ... 33
... LISTEN
17  tcp  127.0.0.1:1723  0.0.0.0:*  LISTEN

Chapter 4 Status

Here is an example of the command that displays the open ports.

Router(config)# show socket open
No. Proto Local Address        Foreign Address State
1   tcp   172.23.37.240:22     0.0.0.0:*       LISTEN
2   udp   127.0.0.1:64002      0.0.0.0:*
3   udp   0.0.0.0:520          0.0.0.0:*
4   udp   0.0.0.0:138          0.0.0.0:*
5   udp   0.0.0.0:138          0.0.0.0:*
6   udp   0.0.0.0:138          0.0.0.0:*
7   udp   0.0.0.0:138          0.0.0.0:*
8   udp   0.0.0.0:139          0.0.0.0:*
9   udp   0.0.0.0:138          0.0.0.0:*
10  udp   0.0.0.0:138          0.0.0.0:*
11  udp   0.0.0.0:32779        0.0.0.0:*
12  udp   192.168.1.1:4500     0.0.0.0:*
13  udp   ...1.1.1:4500        0.0.0.0:*
14  udp   0.0.0.0:4500         0.0.0.0:*
15  udp   172.23.37.205:4500   0.0.0.0:*
16  udp   172.23.37.240:4500   0.0.0.0:*
17  udp   127.0.0.1:4500       0.0.0.0:*
18  udp   127.0.0.1:63000      0.0.0.0:*
19  udp   127.0.0.1:63001      0.0.0.0:*
20  udp   127.0.0.1:63002      0.0.0.0:*
21  udp   0.0.0.0:161          0.0.0.0:*
22  udp   127.0.0.1:63009      0.0.0.0:*
23  udp   192.168.1.1:1701     0.0.0.0:*
24  udp   ...:1701             0.0.0.0:*
25  udp   0.0.0.0:1701         0.0.0.0:*
26  udp   172.23.37.205:1701   0.0.0.0:*
27  udp   172.23.37.240:1701   0.0.0.0:*
28  udp   ...:1701             0.0.0.0:*
29  udp   127.0.0.1:63024      0.0.0.0:*
30  udp   127.0.0.1:30000      0.0.0.0:*
31  udp   ...:53               0.0.0.0:*
32  udp   ...:53               0.0.0.0:*
33  udp   0.0.0.0:53           0.0.0.0:*
34  udp   172.23.37.240:53     0.0.0.0:*
35  udp   192.168.1.1:53       0.0.0.0:*
36  udp   127.0.0.1:53         0.0.0.0:*
37  udp   0.0.0.0:67           0.0.0.0:*
38  udp   127.0.0.1:63046      0.0.0.0:*
39  udp   127.0.0.1:65097      0.0.0.0:*
40  udp   0.0.0.0:65098        0.0.0.0:*
41  udp   192.168.1.1:500      0.0.0.0:*
42  udp   ...1.1.1:500         0.0.0.0:*
43  udp   0.0.0.0:500          0.0.0.0:*
44  udp   172.23.37.205:500    0.0.0.0:*
45  udp   172.23.37.240:500    0.0.0.0:*
46  udp   127.0.0.1:500        0.0.0.0:*
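The value of show socket open for a reviewer is not the raw list but the question it answers: which listeners are bound to 0.0.0.0 or to a WAN-side address, and therefore reachable from the Internet unless a firewall or service control rule blocks them. The script below is an added example, not part of the ZyXEL guide or the ZyWALL firmware: it parses output in the format shown above, classifies each listener by its bind address, and names the well-known ports that appear in the example. The sample rows are constructed from the table on this page; treating 192.168.1.0/24 as the LAN and every other non-loopback address as WAN is an assumption made only for this example.

```python
"""Audit listeners reported by the ZyWALL 'show socket open' command.

Added example (not ZyXEL code). The sample output is constructed from the
rows printed in the guide's example. Service names are standard IANA port
assignments; the LAN/WAN classification is an assumption for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Well-known ports that occur in the guide's example output.
KNOWN_PORTS = {
    ("tcp", 22): "ssh",
    ("tcp", 1723): "pptp",
    ("udp", 53): "dns",
    ("udp", 67): "dhcp-server",
    ("udp", 138): "netbios-dgm",
    ("udp", 139): "netbios-ssn",
    ("udp", 161): "snmp",
    ("udp", 500): "isakmp",
    ("udp", 520): "rip",
    ("udp", 1701): "l2tp",
    ("udp", 4500): "ipsec-nat-t",
}

# Assumed LAN addressing for this example only.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample: a subset of the rows shown in the guide.
SAMPLE_OUTPUT = """\
No. Proto Local Address        Foreign Address State
1   tcp   172.23.37.240:22     0.0.0.0:*       LISTEN
2   udp   127.0.0.1:64002      0.0.0.0:*
3   udp   0.0.0.0:520          0.0.0.0:*
8   udp   0.0.0.0:139          0.0.0.0:*
12  udp   192.168.1.1:4500     0.0.0.0:*
16  udp   172.23.37.240:4500   0.0.0.0:*
17  tcp   127.0.0.1:1723       0.0.0.0:*       LISTEN
21  udp   0.0.0.0:161          0.0.0.0:*
33  udp   0.0.0.0:53           0.0.0.0:*
37  udp   0.0.0.0:67           0.0.0.0:*
41  udp   192.168.1.1:500      0.0.0.0:*
45  udp   172.23.37.240:500    0.0.0.0:*
"""

# index, proto, local addr, local port, foreign, optional state
ROW_RE = re.compile(r"^\s*(\d+)\s+(tcp|udp)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_sockets(text):
    """Return one dict per socket row; header and non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        _, proto, addr, port, _foreign, state = m.groups()
        rows.append({"proto": proto, "addr": addr, "port": int(port), "state": state})
    return rows


def exposure(addr):
    """Classify a bind address as loopback, lan, any (all interfaces) or wan."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "any"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "wan"  # assumption: every other address is WAN-facing


def audit(text):
    """Group (proto, port, service) tuples by exposure class."""
    report = defaultdict(list)
    for row in parse_sockets(text):
        name = KNOWN_PORTS.get((row["proto"], row["port"]), "unknown")
        report[exposure(row["addr"])].append((row["proto"], row["port"], name))
    return {k: sorted(v) for k, v in report.items()}


def wan_reachable(text):
    """Listeners a WAN peer can reach unless a firewall or service-control rule blocks them."""
    rep = audit(text)
    return sorted(set(rep.get("any", [])) | set(rep.get("wan", [])))


if __name__ == "__main__":
    for proto, port, name in wan_reachable(SAMPLE_OUTPUT):
        print(f"{proto}/{port:<5} {name}")
```

Run against a pasted capture, the wan_reachable list is the set to reconcile with the firewall and service-control rules: in the sample, SNMP, RIP, DNS and SSH are all reachable from the WAN side, while PPTP is loopback-only.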
...LL. See Section 26.2 on page 230 for the appropriate commands.

1.5 CLI Modes

You run CLI commands in one of several modes.

Table 2 CLI Modes

What Guest users can do
  User mode: unable to access
  Privilege mode: unable to access
  Configuration mode: unable to access
  Sub-command mode: unable to access

What User users can do
  User mode: look at (but not run) available commands
  Privilege mode: unable to access
  Configuration mode: unable to access
  Sub-command mode: unable to access

What Limited-Admin users can do
  User mode: look at system information (like the Status screen); run basic diagnostics
  Privilege mode: look at system information (like the Status screen); run basic diagnostics
  Configuration mode: unable to access
  Sub-command mode: unable to access

What Admin users can do
  User mode: look at system information (like the Status screen); run basic diagnostics
  Privilege mode: look at system information (like the Status screen); run basic diagnostics
  Configuration mode: configure simple features (such as an address object); create or remove complex parts (such as an interface)
  Sub-command mode: configure complex parts (such as an interface) in the ZyWALL

How you enter it
  User mode: log in to the ZyWALL
  Privilege mode: type enable in User mode
  Configuration mode: type configure terminal in User or Privilege mode
  Sub-command mode: type the command used to create the specific part in Configuration mode

What the prompt looks like
  User mode: Router>
  Privilege mode: Router#
  Configuration mode: Router(config)#
  Sub-command mode: varies by part, for example Router(zone)# or Router(config-if-ge)#

How you exit it
  User mode: type exit
  Privilege mode: type disable
  Configuration mode: type exit
  Sub-command mode: type exit

See Chapter 26 on pa... (text continues on the next page)
debug ... 32
debug show myzyxel-server status ... 35
debug sslvpn ... 35

List of Commands (Alphabetical)
debug system ... 36
debug update server ... 36
delete ... 33
delete {cert | conf | idp | packet-trace | script | tmp} file_name ... 303
details ... 33
device-ha ap-mode backup sync now ... 224
device-ha ap-mode cluster-id ... 223
device-ha ap-mode ... 223
device-ha ap-mode role {master | backup} ... 223
device-ha link-monitoring ... 227
device-ha mode {active-passive | legacy} ... (entry continues on the next page)
... 35
debug ... 29
debug interface ifconfig interface ... 29
debug interface ... 29
debug ... 35
debug ip virtual-server ... 29
debug ... 35
debug myzyxel-server ... 35
debug myzyxel-server ... 35
debug policy-route ... 29
debug reset content-filter profiling ... 32
debug service-register ... 47
debug service-register erase service ... 47
debug show ... (entry continues on the next page)
...[An asterisk (*) in a VPN] connection or policy name has the ZyWALL check the beginning and end and ignore the middle. For example, with abc*123, any VPN connection or policy name starting with abc and ending in 123 matches, no matter how many characters are in between. The whole VPN connection or policy name has to match if you do not use a question mark (?) or asterisk (*). See Table 70 on page 142 for other parameter descriptions.

show isakmp sa
  Displays current IKE SAs and the status of each one.

no sa spi spi
  Deletes the SA specified by the SPI. spi: 2-8 hexadecimal (0-9, A-F) characters.

no sa tunnel-name map_name
  Deletes the specified IPSec SA.

show vpn counters
  Displays VPN traffic statistics.

Chapter 18 SSL VPN

This chapter shows you how to set up secure SSL VPN access for remote user login.

18.1 SSL Access Policy

An SSL access policy allows the ZyWALL to perform the following tasks:
• limit user access to specific applications or files on the network
• allow user access to specific networks
• assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks

18.1.1 SSL Application Objects

SSL application objects specify an application type and server that users are allowed to access through an SSL tunnel. See Chapter 34 on page 266 for how to configure SSL applicati... (text continues on the next page)
... 266
show sslvpn ... 152
show sslvpn network-extension ... 152
show sslvpn policy [profile_name] ... 154
show system default interface-group ... 95
show system default snat ... 95
show system route default-wan-trunk ... 333
show system route dynamic-vpn ... 333
show system route ... 333
show system route policy-route ... 333
show system route ... 333
show system ... 349
show system snat ... 304
show system snat nat-loopback ... 333
show system snat ... 333
show system snat policy-route ... 333
show system uptime ... 41
show usb-storage ... (entry continues on the next page)
... 253
no server search ... 252
no server search-limit ... 253
no server ... 252
no server ... 252
no server timeout ... 254
no ... 101
no service service_name ... 102
no service service_name ... 137
no service-name {ip | hostname} service_name ... 264
no service-object object_name ... 244
no service-type {dyndns | dyndns_static | dyndns_custom | dynu-basic | dynu-premium | no-ip | peanut-hull} ... 118
no session-limit activate ... 139
no session-limit6 activate ... 140
no ... 58
... 81
no signature ... 18... (entry continues on the next page)
... 159
l2tp-over-ipsec pool address ... 159
l2tp-over-ipsec recover default-ipsec-policy ... 159
language {English | Simplified_Chinese | Traditional_Chinese} ... 281
... 69
... 261
ldap ip {ip | fqdn} port <1..65535> id name password password [deactivate] ... 261
lifetime <180..3000000> ... 143
list signature {anti-virus | personal-firewall} status ... 212
load-balancing index <1..1000> ... 95
local-id type {ip ip | fqdn domain_name | mail e_mail | dn distinguished_name} ... 144
local-ip {ip ip | domain_name | interface interface_name} ... 144
... 147
local-policy address ... 145
logging console category module_name level {alert | crit | debug | emerg | error | info | notice | warn} ... 322
logging mail <1..2> schedule daily hour <0..23> minute <0..59> ... 321
logging mail <1..2> schedule w... (entry continues on the next page)
220. (IDP service values, continued): 4096 POP2, 8192 POP3, 16384 RPC, 32768 RSERVICES, 16777216 WEB_FRONTPAGE, 33554432 WEB_IIS, 67108864 WEB_MISC, 134217728 WEB_PHP, 268435456 MISC_BACKDOOR, 536870912 MISC_DDOS, 1073741824 MISC_EXPLOIT
ZyWALL ZLD CLI Reference Guide, Chapter 22: IDP Commands
22.3.6.2 Signature Search Example
This example command searches for all signatures in the LAN_IDP profile that meet all of the following criteria:
- Containing the text "worm" within the signature name
- With an ID of 12345
- Has a very low severity level
- Operates on the Windows NT platform
- Is a scan policy type
- DNS service
- Is enabled
- Generates logs
Router# configure terminal
Router(config)# idp search signature LAN_IDP name worm sid 12345 severity 1 platform 4 policytype 4 service 1 activate yes log log action 2
22.4 IDP Custom Signatures
Use these commands to create a new signature or edit an existing one.
Note: It is recommended you use the web configurator to create/edit signatures (Anti-X > IDP > Custom Signatures screen).
Note: You must use the web configurator to import a custom signature file.
Table 108 Custom Signatures
  idp customize signature quoted_string
      Create a new custom signature. The quoted string is the signature command string enclosed in quotes, for example "alert tcp any any <> any any msg test sid 9000000 ar
  idp customize
221. (PPPoE/PPTP interface commands, continued) ...account field.
  [no] bind interface_name
      Specifies the base interface for the PPPoE/PPTP interface. The no command removes the base interface.
  [no] connectivity {nail-up | dial-on-demand}
      Specifies whether the specified PPPoE/PPTP interface is always connected (nail-up) or connected only when used (dial-on-demand). The no command sets it to dial-on-demand.
  [no] local-address ip
      Specifies a static IP address for the specified PPPoE/PPTP interface. The no command makes the PPPoE/PPTP interface a DHCP client; the other computer assigns the IP address.
  [no] remote-address ip
      Specifies the IP address of the PPPoE/PPTP server. If the PPPoE/PPTP server is not available at this IP address, no connection is made. The no command lets the ZyWALL get the IP address of the PPPoE/PPTP server automatically when it establishes the connection.
Table 26 interface Commands: PPPoE/PPTP Interfaces (continued)
  [no] mss <536..1452>
      Specifies the maximum segment size (MSS) the interface can use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece. The no command has the ZyWALL use its default MSS setting.
  mtu <576..1492>
      Sets the Maximum Transmission Unit in bytes.
  [no] ipv6 enable
      Turns on the IPv6 interface. The no command turns it off.
222. ...encodings from AF11 through AF43. The decimal equivalent is listed in brackets.
Table 45 Assured Forwarding (AF) Behavior Group
                          CLASS 1     CLASS 2     CLASS 3     CLASS 4
  Low Drop Precedence     AF11 (10)   AF21 (18)   AF31 (26)   AF41 (34)
  Medium Drop Precedence  AF12 (12)   AF22 (20)   AF32 (28)   AF42 (36)
  High Drop Precedence    AF13 (14)   AF23 (22)   AF33 (30)   AF43 (38)
8.2.2 Policy Route Command Example
The following commands create two address objects (TW_SUBNET and GW_1) and insert a policy that routes the packets with the source IP address TW_SUBNET and any destination IP address through the interface ge1 to the next-hop router GW_1. This route uses the IP address of the outgoing interface as the matched packets' source IP address.
Router(config)# policy insert 1
Router(policy-route)# description example
Router(policy-route)# destination any
Router(policy-route)# interface ge1
Router(policy-route)# next-hop gateway GW_1
Router(policy-route)# snat outgoing-interface
Router(policy-route)# source TW_SUBNET
Router(policy-route)# exit
Router(config)# show policy-route 1
index: 1
  active: yes
  user: any
  schedule: none
  interface: ge1
  tunnel: none
  sslvpn: none
  source: TW_SUBNET
  destination: any
  DSCP code: any
  service: any
  nexthop: GW_1
  bandwidth: 0
  bandwidth priority:
  description: example
  auto destination: no
  nexthop t
223. ...of the sender or the first server that forwarded the mail; backward checks the last N IP addresses. Checking starts from the last IP address in the mail header. This is the IP of the last server that forwarded the mail.
  anti-spam tag {dnsbl | dnsbl-timeout} tag
      dnsbl configures the message or label to add to the beginning of the mail subject of e-mails that have a sender or relay IP address in the header that matches a blacklist maintained by a DNSBL domain listed in the ZyWALL. dnsbl-timeout configures the message or label to add to the mail subject of e-mails that the ZyWALL forwards if queries to the DNSBL domains time out. Use up to 15 alphanumeric characters, underscores (_), colons (:) or dashes (-).
  show anti-spam dnsbl status
      Displays the activation status of the anti-spam DNSBL checking.
  show anti-spam dnsbl domain
      Displays the ZyWALL's configured anti-spam DNSBL domain entries.
  show anti-spam dnsbl max-query-ip
      Displays how many sender and relay server IP addresses in the mail header anti-spam checks against the DNSBL.
  show anti-spam dnsbl ip-check-order
      Displays the order in which anti-spam checks e-mail header IP addresses against the DNSBLs.
  show anti-spam dnsbl query-timeout {smtp | pop3}
      Displays how the ZyWALL handles SMTP or POP3 mail if the queries to the DNSBL domains time out.
  show anti-spam tag {dnsbl | dnsbl-timeout}
      dnsbl displays the anti-spam tag
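The forward/backward header-IP check order and the subject tagging described above, worked through as an added Python example that is not from the ZyWALL guide. The Received: headers, the DNSBL zone dnsbl.example and all function names are constructed for this example; the DNS lookup outcomes are passed in by the caller so the code runs offline, and it assumes, as the guide states, that "backward" starts from the last server that forwarded the mail (the top-most Received: header).

```python
import re
from ipaddress import AddressValueError, IPv4Address

# Placeholder DNSBL zone (constructed; a real deployment lists its own domains).
DNSBL_DOMAIN = "dnsbl.example"

# Tag rule from the guide: up to 15 alphanumeric, underscore, colon or dash.
_TAG_RE = re.compile(r"[A-Za-z0-9_:-]{1,15}")
_BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample headers. Each hop prepends its own Received: line, so the
# top-most header is the last relay and the bottom-most is the sender's hop.
SAMPLE_HEADERS = (
    "Received: from mx-edge.example.net (mx-edge.example.net [198.51.100.7])\n"
    "        by mail.example.org; Sat, 4 Jan 2003 22:47:47 +0000\n"
    "Received: from relay2.example.com ([203.0.113.44])\n"
    "        by mx-edge.example.net; Sat, 4 Jan 2003 22:47:40 +0000\n"
    "Received: from sender-pc (dsl-pool.example.isp [192.0.2.200])\n"
    "        by relay2.example.com; Sat, 4 Jan 2003 22:47:30 +0000\n"
    "Subject: hello\n"
)


def relay_ips(raw_headers):
    """Return the bracketed IPv4 addresses of the Received: headers in transit
    order: the sender's IP first, the last forwarding server's IP last."""
    found = []
    # Split only where a new header starts at column 0; folded continuation
    # lines begin with whitespace and stay attached to their header.
    for block in re.split(r"\n(?=\S)", raw_headers):
        if not block.startswith("Received:"):
            continue
        match = _BRACKET_IP_RE.search(block)
        if not match:
            continue
        try:
            IPv4Address(match.group(1))  # reject things like 999.1.1.1
        except AddressValueError:
            continue
        found.append(match.group(1))
    return list(reversed(found))


def select_ips(ips, check_order, max_query_ip):
    """Choose which header addresses to query. 'forward' takes the first N
    (starting with the sender); 'backward' takes the last N, starting from
    the last server that forwarded the mail."""
    if check_order == "forward":
        return ips[:max_query_ip]
    if check_order == "backward":
        return list(reversed(ips))[:max_query_ip]
    raise ValueError("check_order must be 'forward' or 'backward'")


def dnsbl_query_name(ip, domain=DNSBL_DOMAIN):
    """Name a DNSBL lookup resolves: the octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + domain


def valid_tag(tag):
    return _TAG_RE.fullmatch(tag) is not None


def tag_subject(subject, lookups, tag_dnsbl, tag_timeout):
    """lookups maps each queried IP to 'listed', 'clean' or 'timeout'.
    A listed address gets the DNSBL tag prepended; otherwise a timed-out
    query gets the timeout tag; all-clean leaves the subject unchanged."""
    for tag in (tag_dnsbl, tag_timeout):
        if not valid_tag(tag):
            raise ValueError(f"tag {tag!r} must be 1-15 chars of [A-Za-z0-9_:-]")
    outcomes = set(lookups.values())
    if "listed" in outcomes:
        return f"{tag_dnsbl} {subject}"
    if "timeout" in outcomes:
        return f"{tag_timeout} {subject}"
    return subject


if __name__ == "__main__":
    ips = relay_ips(SAMPLE_HEADERS)
    for ip in select_ips(ips, "backward", 2):
        print(ip, "->", dnsbl_query_name(ip))
    # Simulated lookup outcomes for the two selected addresses.
    print(tag_subject("hello", {"198.51.100.7": "clean", "203.0.113.44": "listed"},
                      "SPAM:DNSBL", "DNSBL:TIMEOUT"))
```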
224. ...IPSec SA. In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication, and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first.
17.2 IPSec VPN Commands Summary
The following table describes the values required for many IPSec VPN commands. Other values are discussed with the corresponding commands.
Table 70 Input Values for IPSec VPN Commands
  profile_name
      The name of a VPN concentrator. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  policy_name
      The name of an IKE SA. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  map_name
      The name of an IPSec SA. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  domain_name
      Fully-qualified domain name. You may use up to 254 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
  e_mail
      An e-mail address. You can use up to 63 alphanumeric characters, u
231. (PPPoE/PPTP interface command example, continued)
Router(config)# interface ppp0
Router(config-if-ppp)# account Hinet
Router(config-if-ppp)# bind ge1
Router(config-if-ppp)# local-address 1.1.1.1
Router(config-if-ppp)# remote-address 2.2.2.2
Router(config-if-ppp)# mtu 1200
Router(config-if-ppp)# upstream 345
Router(config-if-ppp)# downstream 123
Router(config-if-ppp)# connectivity dial-on-demand
Router(config-if-ppp)# description I am ppp0
Router(config-if-ppp)# exit
The following commands show you how to connect and disconnect ppp0.
Router# interface dial ppp0
Router# interface disconnect ppp0
6.6 Cellular Interface Specific Commands
Use a 3G (Third Generation) cellular device with the ZyWALL for wireless broadband Internet access. Use these commands to add, edit, dial, disconnect, or delete cellular interfaces. When you add a new cellular interface, make sure you enter the account. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 27 Cellular Interface Commands
  [no] interface interface_name
      Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface.
  [no] account profile_name
      Specifies the ISP account for the specified cellular interface. The no command clears the ISP account field.
  [no] band {auto | wcdma | gsm}
      Sets or clears the cellular band that the cellular interface uses. auto has the ZyWALL always use the fastest network that is in range. gsm has this interface only use a 2.5G or 2.75G network, respectively. If you only have a GSM network available to you, you may want to use
232. (Default L2TP VPN gateway example, continued)
Router(config-isakmp-Default_L2TP_VPN_GW)# authentication pre-share
Router(config-isakmp-Default_L2TP_VPN_GW)# keystring top-secret
Router(config-isakmp-Default_L2TP_VPN_GW)# activate
Router(config-isakmp-Default_L2TP_VPN_GW)# exit
Router(config)#
19.5.2 Configuring the Default L2TP VPN Connection Example
The following commands configure the Default_L2TP_VPN_Connection entry. Enforce and configure the local and remote policies. For the Local Policy, create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW. The address object in this example uses IP address 172.23.37.205 and is named L2TP_IFACE. For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0. It is named L2TP_HOST in this example.
Router(config)# crypto map Default_L2TP_VPN_Connection
Router(config-crypto-Default_L2TP_VPN_Connection)# policy-enforcement
Router(config-crypto-Default_L2TP_VPN_Connection)# local-policy L2TP_IFACE
Router(config-crypto-Default_L2TP_VPN_Connection)# remote-policy L2TP_HOST
Router(config-crypto-Default_L2TP_VPN_Connection)# activate
Router(config-crypto-Default_L2TP_VPN_Connection)# exit
Router(config)#
19.5.3 Configuring the L2TP VPN Settings Example
The following commands configure and display the L2TP VPN settings. Set it to use the Default_L2TP_VPN_Connection VPN con
234. (WLAN interface commands, continued)
  [no] security external-auth ip port <1..65535>
      Sets the IP address and port number of an external authentication (RADIUS) server.
  no security {none | wep | wpa | wpa2 | wpa-wpa2}
      Disables the specified security mode for the wireless interface.
  ssid ssid
      Sets the Service Set IDentity. This identifies the Service Set with which a wireless station is associated. Wireless stations associating to the ZyWALL must have the same SSID. ssid: use up to 32 printable 7-bit ASCII characters as a name for the wireless LAN.
  station limit <1..255>
      Sets the highest number of wireless clients that are allowed to connect to the wireless interface at the same time.
  wep key <1..4> key
      There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the access points as they are on the wireless stations. If you set WEP encryption to use a 64-bit key (using the security mode and security wep 64 commands), type any 5 characters (ASCII string) or 5 pairs of hexadecimal characters (0-9, A-F) preceded by 0x for each key. If you set WEP encryption to use a 128-bit key (using the security mode and security wep 128 commands), type 13 characters (ASCII string) or 13 pairs of hexadecimal characters (0-9, A-F) preceded by 0x for each key.
6.9.2.1 WLAN Interface Commands Example
This example configures
235. (SSL VPN commands, continued)
  [no] eps periodical-check <1..1440>
      Sets the number of minutes to have the ZyWALL repeat the endpoint security check at a regular interval. The no command disables this setting.
  [no] network-extension activate ip-pool address_object 1st-dns {address_object | ip} 2nd-dns {address_object | ip} 1st-wins {address_object | ip} 2nd-wins {address_object | ip} network address_object
      Use this to configure a VPN tunnel between the authenticated users and the internal network. This allows the users to access the resources on the network as if they were on the same local network. ip-pool: specify the name of the pool of IP addresses to assign to the user computers for the VPN connection. address_object / ip: specify the names of the DNS or WINS servers to assign to the remote users. This allows them to access devices on the local network using domain names instead of IP addresses. network: specify a network users can access.
  [no] network-extension traffic-enforcement
      Forces all SSL VPN client traffic to be sent through the SSL VPN tunnel. The no command disables this setting.
  [no] user user_name
      Specifies the user or user group that can use the SSL VPN access policy.
  sslvpn policy move <1..16> to <1..16>
      Moves the specified SSL VPN access policy to the number that you specified.
  sslvpn no connection username user_name
      Terminates the user's SSL VPN connection and deletes corresponding session information from the ZyWALL.
  [no] sslv
236. ...Sat Jan 4 22:47:47
last update time: 2003-01-01 01:34:39
Router(config)# show idp signature signatures version
Router(config)# show idp signature signatures number
Router(config)# show idp signature signatures date
22.6 IDP Statistics
The following table describes the commands for collecting and displaying IDP statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 110 Commands for IDP Statistics
  [no] idp statistics collect
      Turns the collection of IDP statistics on or off.
  idp statistics flush
      Clears the collected statistics.
  show idp statistics summary
      Displays the collected statistics.
  show idp statistics collect
      Displays whether the collection of IDP statistics is turned on or off.
  show idp statistics ranking {signature-name | source | destination}
      Queries and sorts the IDP statistics entries by signature name, source IP address, or destination IP address. signature-name lists the most commonly detected signatures. source lists the source IP addresses from which the ZyWALL has detected the most intrusion attempts. destination lists the most common destination IP addresses for detected intrusion attempts.
22.6.1 IDP Statistics Example
This example shows how to collect and display IDP statistics. It
237. (Table 3 Input Value Formats for Strings in CLI Commands, continued)
  (authentication key, continued)
      ...Sec SA: 32-40 hexadecimal values preceded by 0x or 0X, or 16-20 alphanumeric or special characters
      Used in MD5 authentication keys for RIP/OSPF and text authentication key for RIP: 0-16 alphanumeric or special characters
      Used in text authentication keys for OSPF: 0-8 alphanumeric or special characters
  certificate name
      1-31 alphanumeric or special characters
  community string
      0-63 alphanumeric or special characters; first character alphanumeric or special character
  connection_id
      1 or more alphanumeric or _
  contact
      1-61 alphanumeric, spaces, or special characters
  country code
      0 or 2 alphanumeric
  custom signature file name
      0-30 alphanumeric or special characters; first character a letter
  description
      Used in keyword criteria for log entries: 1-64 alphanumeric, spaces, or special characters. Used in other commands: 1-61 alphanumeric, spaces, or special characters.
  distinguished name
      1-511 alphanumeric, spaces, or special characters
Table 3 Input Value Formats for Strings in CLI Commands (continued)
  domain name
      Used in content filtering: lower case letters, numbers, or special characters. Used in ip dns server: 0-247 alphanumeric or special characters; first character alphanumeric or special character. Used in domainname, ip dhcp pool, and ip domain: 0-254 alphanumeric or special characters; first character alphanumeric or special character.
  email
      1-63 alphanumeric or _
  e-mail
      1-64 alphanumeric o
238. (USB) Storage General Commands
  show usb-storage
      Displays the status of the connected USB storage device.
  [no] usb-storage activate
      Enables or disables the connected USB storage service.
  usb-storage warn number {percentage | megabyte}
      Sets a number and the unit (percentage or megabyte) to have the ZyWALL send a warning message when the remaining USB storage space is less than the set value.
  usb-storage mount
      Mounts the connected USB storage device.
  usb-storage umount
      Unmounts the connected USB storage device.
  [no] logging usb-storage
      Sets to have the ZyWALL log or not log any information about the connected USB storage device(s) for the system log.
  show logging status usb-storage
      Displays the logging settings for the connected USB storage device.
  logging usb-storage category category level {all | normal}
      Configures the logging settings for the specified category for the connected USB storage device.
  logging usb-storage category category disable
      Stops logging for the specified category to the connected USB storage device.
  logging usb-storage flushThreshold <1..100>
      Configures the maximum storage space (in percentage) for storing system logs on the connected USB storage device.
Table 30 USB Storage General Commands (continued)
  no
240. (Application patrol input values, continued)
  zone_name
      The name of a zone. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  schedule_name
      The name of a schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following sections list the application patrol commands.
20.2.1 Pre-defined Application Commands
This table lists the commands for each pre-defined application.
Table 82 app Commands: Pre-Defined Applications
  [no] app protocol_name activate
      Enables application patrol for the specified application. The no command disables application patrol for the specified application.
  [no] app protocol_name allowport <1..65535>
      If the default action is drop or reject: adds the specified port to the list of ports that are forwarded in spite of the default action. The no command removes the specified port from the list.
  app protocol_name bandwidth <0..102400>
      Specifies the bandwidth limit in kilobits per second for the specified application.
  [no] app protocol_name bwm
      Turns on bandwidth management for the specified application. The no command turns off bandwidth management for the specified application.
  [no] app protocol_name defaultport
      For port-based applications: adds the specified port to the lis
241. The management session does not time out when a statistics screen is polling. Each user is also forced to log in to the ZyWALL for authentication again when the reauthentication time expires.
38.2 Common System Command Input Values
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 170 Input Values for General System Commands
  address_object
      The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  rule_number
      The number of a service control rule: 1-X, where X is the highest number of rules the ZyWALL model supports.
  zone_object
      The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 200 and lower models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT, and WAN.
38.3 HTTP/HTTPS Commands
The following table describes the commands available for HTTP/HTTPS. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 171 Command Summary: HTTP/HTTPS
  no
242. This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
26.1 User Account Overview
A user account defines the privileges of a user logged into the ZyWALL. User accounts are used in firewall rules and application patrol, in addition to controlling access to configuration and services in the ZyWALL.
26.1.1 User Types
These are the types of user accounts the ZyWALL uses.
Table 131 Types of User Accounts
  TYPE             ABILITIES                                  LOGIN METHOD(S)
  Admin Users
  Admin            Change ZyWALL configuration (web, CLI)     WWW, TELNET, SSH, FTP
  Limited-Admin    Look at ZyWALL configuration (web, CLI)    WWW, TELNET, SSH
                   Perform basic diagnostics (CLI)
  Access Users
  User             Access network services                    WWW, TELNET, SSH
                   Browse user-mode commands (CLI)
  Guest            Access network services                    WWW
  Ext-User         External user account                      WWW
  ext-group-user   External group user account                WWW
Note: The default admin account is always authenticated locally, regardless of the authentication method setting. See Chapter 31 on page 255 for more information about authentication methods.
26.2 User/Group Commands Summary
The following table identifies the values required for many username/groupname commands. Other input values are discusse
244. ZyXEL ZyWALL (ZLD) Series Security Firewalls, Version 3.10, Edition 2, 12/2013. CLI Reference Guide.

Default Login Details
  LAN port IP address   http://192.168.1.1
  User name             admin
  Password              1234

Copyright 2013 ZyXEL Communications Corporation.

This is a Reference Guide for a series of products intended for people who want to configure ZLD-based ZyWALLs via the Command Line Interface (CLI).

Note: Some commands or command options in this guide may not be available in your product. See your product's User's Guide for a list of supported features.

Every effort has been made to ensure that the information in this guide is accurate. Please refer to www.zyxel.com for product-specific User Guides and product certifications.

Note: Do not use commands not documented in this guide.

How To Use This Guide
  Read Chapter 1 on page 19 for how to access and use the CLI (Command Line Interface).
  Read Chapter 2 on page 33 to learn about the CLI user and privilege modes.

Related Documentation
  Quick Start Guide: shows how to connect the ZyWALL and access the Web Configurator wizards. See the wizard real-time help for information on configuring each screen. It also contains a connection diagram and package contents list.
  User's Guide: explains how to use the Web Configurator to configure the ZyWALL.

Note: It is recommended you use the Web Configurator to configure the
245. a global firewall rule to the end of the global rule list. See Table 67 on page 137 for the sub-commands.

firewall default-rule action {allow|deny|reject} {no log|log [alert]}
    Sets how the firewall handles packets that do not match any other firewall rule.
firewall delete rule_number
    Removes a firewall rule.
firewall flush
    Removes all firewall rules.
firewall insert rule_number
    Enters the firewall sub-command mode to add a firewall rule before the specified rule number. See Table 67 on page 137 for the sub-commands.
firewall move rule_number to rule_number
    Moves a firewall rule to the number that you specified.
show connlimit max-per-host
    Displays the highest number of sessions that the ZyWALL will permit a host to have at one time.
show firewall
    Displays all firewall settings.
show firewall rule_number
    Displays a firewall rule's settings.
show firewall zone_object {zone_object|ZyWALL}
    Displays the settings of all firewall rules for the specified packet direction.
show firewall zone_object {zone_object|ZyWALL} rule_number
    Displays a specified firewall rule's settings for the specified packet direction.
show firewall status
    Displays whether or not the firewall is active, whether or not asymmetrical route topology is allowed, and the default firewall rule's configuration.
show firewall block_rules
    Displays all the firewal
246. aac or static IPv6 address. The no command removes the specified address object.
[no] address6-object object_name interface-subnet interface_name {dhcpv6|slaac|static}
    Creates the specified IPv6 address object based on the specified interface subnet object. Specify whether it is a DHCPv6 server, SLAAC, or static IPv6 address. The no command removes the specified address object.
[no] address6-object object_name interface-gateway interface_name {slaac|static} addr_index
    Creates the specified IPv6 address object based on the specified interface gateway object. Specify whether it is a SLAAC or static IPv6 address. The no command removes the specified address object.

Chapter 27 Addresses

27.2.1.1 Address Object Command Examples

The following example creates three IPv4 address objects and then deletes one.

    Router# configure terminal
    Router(config)# address-object A0 192.168.1.1
    Router(config)# address-object A1 192.168.1.1-192.168.1.20
    Router(config)# address-object A2 192.168.1.0/24
    Router(config)# show address-object
    Object name   Type    Address                     Ref.
    A0            HOST    192.168.1.1                 0
    A1            RANGE   192.168.1.1-192.168.1.20    0
    A2            SUBNET  192.168.1.0/24              0
    Router(config)# no address-object A2
    Router(config)# show address-object
    Object name   Type    Address                     Ref.
    A0            HOST    192.168.1.1                 0
    A1            RANGE   192.168.1.1-192.168.1.20    0

The following example creates host
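The example above shows the three IPv4 notations the ZyWALL accepts (host, range, subnet) and how each is typed in the show output. The script below is an added example, not ZyXEL code: it classifies a specification the way the Type column does, enforces the address-object name rule the guide states in the SSH service-control table (1-31 alphanumerics, underscores or dashes, first character not a digit), renders the address-object command line, and flags objects whose address space overlaps, which is worth knowing before two such objects appear in firewall rules with opposite actions. The three objects A0, A1 and A2 are the guide's own, re-typed as constructed input; rejecting a subnet written with host bits set (192.168.1.5/24) is this script's choice, not documented ZyWALL behaviour.

```python
# Added example (not ZyXEL code): classify ZyWALL IPv4 address objects,
# render their address-object commands, and detect overlapping objects.
import ipaddress
import re

# Name rule quoted by the guide for address objects: 1-31 alphanumerics,
# underscores or dashes, first character not a number (case-sensitive).
OBJECT_NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")


def classify(spec):
    """Return (type, canonical spec) as the 'show address-object' Type column would.

    Raises ValueError for a reversed range, a subnet with host bits set
    (strict parsing is this script's choice: 192.168.1.5/24 is rejected
    rather than silently widened), or anything that is not IPv4.
    """
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo = ipaddress.IPv4Address(lo_s.strip())
        hi = ipaddress.IPv4Address(hi_s.strip())
        if lo > hi:
            raise ValueError(f"range start {lo} is after range end {hi}")
        return "RANGE", f"{lo}-{hi}"
    if "/" in spec:
        net = ipaddress.IPv4Network(spec.strip(), strict=True)
        return "SUBNET", str(net)
    return "HOST", str(ipaddress.IPv4Address(spec.strip()))


def address_object_cmd(name, spec):
    """Render the configure-terminal command that creates the object."""
    if not OBJECT_NAME_RE.match(name):
        raise ValueError(f"invalid address-object name: {name!r}")
    _, canonical = classify(spec)
    return f"address-object {name} {canonical}"


def _bounds(spec):
    """First and last address of an object, as integers."""
    kind, canonical = classify(spec)
    if kind == "HOST":
        n = int(ipaddress.IPv4Address(canonical))
        return n, n
    if kind == "RANGE":
        lo, hi = canonical.split("-")
        return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    net = ipaddress.IPv4Network(canonical)
    return int(net.network_address), int(net.broadcast_address)


def overlaps(spec_a, spec_b):
    """True if the two objects share at least one address."""
    a_lo, a_hi = _bounds(spec_a)
    b_lo, b_hi = _bounds(spec_b)
    return a_lo <= b_hi and b_lo <= a_hi


def overlapping_pairs(objects):
    """Given {name: spec}, return sorted name pairs whose address space overlaps."""
    names = sorted(objects)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if overlaps(objects[a], objects[b])]


if __name__ == "__main__":
    # The guide's three objects, re-typed here as constructed input.
    objs = {"A0": "192.168.1.1",
            "A1": "192.168.1.1-192.168.1.20",
            "A2": "192.168.1.0/24"}
    for name, spec in objs.items():
        print(address_object_cmd(name, spec))
    print("overlapping:", overlapping_pairs(objs))
```

All three of the guide's objects overlap each other (A0 sits inside A1, and both sit inside A2), so a firewall rule that denies A2 placed before one that allows A1 would block the allowed range; the overlap check is the cheap way to catch that before the rules are written.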
248. ace (continued)

[no] phone-number phone
    Specifies the phone number of the auxiliary interface. You can use 1-20 numbers, commas, or plus signs. Use a comma to pause during dialing. Use a plus sign to tell the external modem to make an international call. The no command clears the phone number.
[no] port-speed {9600|19200|38400|57600|115200}
    Specifies the baud rate of the auxiliary interface. The no command sets the baud rate to 115200.
[no] username username
    Specifies the username of the auxiliary interface. The no command clears the username.
    username: you can use alphanumeric, underscore, dash, period, and $ characters, and it can be up to 64 characters long.

6.12.1 Auxiliary Interface Command Examples

The following commands show you how to set up the auxiliary interface (aux) with the following parameters: phone number 0340508888, tone dialing, port speed 115200, initial string ATZ, timeout 30 seconds, username kk, password kk u2online, CHAP/PAP authentication, and description "I am aux interface".

    Router# configure terminal
    Router(config)# interface aux
    Router(config-if-aux)# [aux sub-commands for the parameters listed above]
249. ace_name
    Sets the direction to Out-Only for the specified interface. The no command sets the direction to BiDir.

9.2.2 General OSPF Commands

This table lists the commands for general OSPF configuration.

Table 50 router Commands: General OSPF Configuration

router ospf
    Enters sub-command mode.
[no] redistribute {static|rip}
    Enables redistribution of routing information learned from the specified non-OSPF source. The no command disables redistribution from the specified non-OSPF source.
[no] redistribute {static|rip} metric-type {1|2} metric <0..16777214>
    Sets the metric for routing information learned from the specified non-OSPF source. The no command clears the metric.
[no] passive-interface interface_name
    Sets the direction to In-Only for the specified interface. The no command sets the direction to BiDir.
[no] router-id IP
    Sets the 32-bit ID (in IP address format) of the ZyWALL. The no command resets it to the default, the highest available IP address.

Chapter 9 Routing Protocol

9.2.3 OSPF Area Commands

This table lists the commands for OSPF areas.

Table 51 router Commands: OSPF Areas

router ospf
    Enters sub-command mode.
[no] network interface_name area IP
    Adds the specified interface to the specified area. The no command removes the specified interface from the sp
252. also set how often (from 1 to 65535 minutes) to send the log or alert.
[no] budget log-percentage
    Sets the ZyWALL to not create a log when the set percentage of time budget or data limit is exceeded. You can configure the percentage using the budget percentage command.
connectivity {nail-up|dial-on-demand}
    Sets the connection to be always on or only when there is traffic.
[no] local-address ip
    Sets or clears the cellular interface's local (own) IP address.
mtu <576..1492>
    Sets the Maximum Transmission Unit in bytes.
[no] pin pin_code
    Sets or clears the PIN code for the cellular device's 3G card. Use 1-4 alphanumeric characters, underscores, or dashes.
[no] remote-address ip
    Sets or clears the IP address of the cellular interface's peer (like a gateway or PPPoE server).
interface cellular budget-auto-save <5..1440>
    Sets how often (in minutes) the ZyWALL saves time and data usage records for a connection using the 3G card.
show interface cellular {corresponding-slot|device-status|support-device}
    Shows the status of the specified cellular interface.
show interface cellular corresponding-slot
    Shows which cellular interface is on which slot and whether each cellular interface has a configured profile.
show interface cellular device-status
    Displays the installed SIM card and 3G card status.
show interface cellular support
253. also shows how to sort the display by the most common signature name, source IP address, or destination IP address.

    Router# configure terminal
    Router(config)# idp statistics collect
    Router(config)# no idp statistics activate
    Router(config)# idp statistics flush
    Router(config)# show idp statistics collect status
    IDP collect statistics status: yes
    Router(config)# show idp statistics summary
    scanned session: 268
    packet dropped: 0
    packet reset: 0
    Router(config)# show idp statistics ranking signature-name
    ranking: 1
    signature id: 8003796
    signature name: ICMP L3retriever Ping
    type: Scan
    severity: verylow
    occurence: 22
    ranking: 2
    signature id: 8003992
    signature name: ICMP Large ICMP Packet
    type: DDOS
    severity: verylow
    occurence: 4
    Router(config)# show idp statistics ranking destination
    ranking: 1
    destination ip: 172.23.5.19
    occurence: 22
    ranking: 2
    destination ip: 172.23.5.1
    occurence: 4
    Router(config)# show idp statistics ranking source
    ranking: 1
    source ip: 192.168.1.34
    occurence: 26

Chapter 22 IDP Commands

Chapter 23 Content Filtering

This chapter covers how to use the content filtering feature to control web access.

23.1 Content Filtering Overview

Content filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites. It can also block access to specific categories of web site c
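The three ranking views above are three cuts of the same event set, so their hit totals must agree (22 + 4 in each of the signature and destination views, 26 in the source view), and the summary's zero drops and resets tell you the matched signatures only logged. The parser below is an added example, not ZyXEL code: it turns the listing into records and checks both of those facts. It assumes each output line has the "field: value" shape transcribed above; the sample strings are the guide's own figures, re-typed as constructed input, and the key names keep the ZyWALL's own spelling ("occurence").

```python
# Added example (not ZyXEL code): parse 'show idp statistics' output into
# records and cross-check the ranking views against each other.

# Constructed input: the guide's figures re-typed as 'field: value' lines.
SAMPLE_SUMMARY = """\
scanned session: 268
packet dropped: 0
packet reset: 0
"""

SAMPLE_SIGNATURE_RANKING = """\
ranking: 1
signature id: 8003796
signature name: ICMP L3retriever Ping
type: Scan
severity: verylow
occurence: 22
ranking: 2
signature id: 8003992
signature name: ICMP Large ICMP Packet
type: DDOS
severity: verylow
occurence: 4
"""

SAMPLE_DESTINATION_RANKING = """\
ranking: 1
destination ip: 172.23.5.19
occurence: 22
ranking: 2
destination ip: 172.23.5.1
occurence: 4
"""

SAMPLE_SOURCE_RANKING = """\
ranking: 1
source ip: 192.168.1.34
occurence: 26
"""


def parse_fields(text):
    """Turn 'field: value' lines into a dict; spaces in keys become underscores,
    purely numeric values become ints."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a field line: {line!r}")
        value = value.strip()
        out[key.strip().replace(" ", "_")] = int(value) if value.isdigit() else value
    return out


def parse_ranking(text):
    """Split a ranking listing into one dict per 'ranking:' block, in order."""
    blocks, current = [], []
    for line in text.splitlines():
        if line.startswith("ranking:") and current:
            blocks.append("\n".join(current))
            current = []
        if line.strip():
            current.append(line)
    if current:
        blocks.append("\n".join(current))
    records = [parse_fields(b) for b in blocks]
    if any("ranking" not in r for r in records):
        raise ValueError("listing does not start with a ranking line")
    return records


def total_hits(records):
    """Sum of the 'occurence' column."""
    return sum(r["occurence"] for r in records)


def rankings_consistent(*listings):
    """Every ranking view counts the same events, so their totals must agree."""
    totals = {total_hits(parse_ranking(text)) for text in listings}
    return len(totals) == 1


def blocking_observed(summary_text):
    """True if the summary shows the IDP engine dropping or resetting anything.
    Hits with zero drops and resets mean the matched signatures only logged;
    check the signature actions before assuming traffic was stopped."""
    s = parse_fields(summary_text)
    return s["packet_dropped"] > 0 or s["packet_reset"] > 0


if __name__ == "__main__":
    for r in parse_ranking(SAMPLE_SIGNATURE_RANKING):
        print(f"{r['ranking']}. {r['signature_name']} "
              f"({r['type']}, {r['severity']}): {r['occurence']} hits")
    print("rankings agree:", rankings_consistent(
        SAMPLE_SIGNATURE_RANKING, SAMPLE_DESTINATION_RANKING, SAMPLE_SOURCE_RANKING))
    print("blocking observed:", blocking_observed(SAMPLE_SUMMARY))
```

A total mismatch between views points at a listing captured while the statistics were being flushed or at a truncated paste; a zero-drop summary next to a non-empty ranking is the usual sign that a profile was bound with log-only signature actions.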
255. and send tagged frames. The ZyWALL automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.

Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Unlike port groups, bridge interfaces can take advantage of some security features in the ZyWALL. You can also assign an IP address and subnet mask to the bridge.

PPPoE/PPTP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP interfaces.

Cellular interfaces are for 3G WAN connections via a connected 3G device.

WLAN interfaces are for wireless LAN (IEEE 802.11b/g) connections via an installed wireless LAN card.

Virtual interfaces (IP alias) provide additional routing information in the ZyWALL. There are three types: virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.

Chapter 6 Interfaces

The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup WAN interface, for example. The auxiliary interface controls the DIAL BACKUP port (labeled AUX on some models).

Trunks manage load balancing between interfaces.

Port groups, trunks, and the auxiliary interface have a lot of characteristics that are specific to each type of interface. These characteristics are listed in
256. ans service pack 2. The no command means to have the ZyWALL ignore the Windows service pack number.
[no] windows-security-patch security_patch
    If you set windows as the operating system (using the os-type command), you can use this command to set a Windows security patch that the user's computer must have installed. If you want to enter multiple security patches, use this command for each of them. The user's computer must have all of the set Windows security patches installed to pass the checking item.
[no] windows-registry registry_key {eq|gt|lt|ge|le|neq} registry_value
    If you set windows as the operating system (using the os-type command), you can use this command to set a Windows registry value to check on the user's computer. If you want to enter multiple registry values, use this command for each of them. Set whether the value for the registry item in the user's computer has to be equal to (eq), greater than (gt), less than (lt), greater than or equal to (ge), less than or equal to (le), or not equal to (neq) the value specified. The user's computer must pass all of the set Windows registry value checks to pass the checking item.
show eps profile [profile_name]
    Displays the settings of all or the specified endpoint security object.
show eps profile profile_name signature {anti-virus|personal-firewall}
    Displays the Anti-Virus or personal firewall signatures that have been added to the specified endpoint security object.
257. [no] anti-spam white-list rule_number subject subject {activate|deactivate}
    Adds, edits, or removes a white list entry to check e-mail for specific content in the subject line. Also turns the entry on or off.
[no] anti-spam black-list activate
    Turns the black list checking on or off. Turn on the black list to treat e-mail that matches an active black list entry as spam.
[no] anti-spam black-list rule_number ip-address ip subnet_mask {activate|deactivate}
    Adds, edits, or removes a black list entry to check e-mail for a specific source or relay IP address. Also turns the entry on or off.
[no] anti-spam black-list rule_number e-mail email {activate|deactivate}
    Adds, edits, or removes a black list entry to check e-mail for a specific source e-mail address or domain name. Also turns the entry on or off.
[no] anti-spam black-list rule_number mail-header mail_header mail_header_value {activate|deactivate}
    Adds, edits, or removes a black list entry to check e-mail for specific header fields and values. Also turns the entry on or off.
[no] anti-spam black-list rule_number subject subject {activate|deactivate}
    Adds, edits, or removes a black list entry to check e-mail for specific content in the subject line. Also turns the entry on or off.
anti-spam tag black-list tag
    Configures a message or label (up to 15 ASCII characters) to add to the mail subject of e-mails that match an anti-spam black list entry.
259. ation: second rule number, for in-bound traffic (DNAT).
in-dnat append protocol {all|tcp|udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535>
    Maps the specified IP address and port range (original-ip) to the specified IP address and port range (mapped-ip) and appends this rule to the end of the rule list for in-bound traffic (DNAT).
in-dnat insert <1..10> protocol {all|tcp|udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535>
    Maps the specified IP address and port range (original-ip) to the specified IP address and port range (mapped-ip) and inserts this rule before the specified rule.
in-dnat <1..10> protocol {all|tcp|udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535>
    Creates or revises the specified rule and maps the specified IP address and port range (original-ip) to the specified IP address and port range (mapped-ip).

Chapter 17 IPSec VPN

17.2.3 IPSec SA Commands for Manual Keys

This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys).

Table 73 crypto map Commands: IPSec SAs, Manual Keys

crypto map map_name set session-key ah <256..4095>
    Sets the active protocol SPI <256
261. atistics
    DNSBL domain: 1
    domain: DNSBL.example.com
    average time: 0.00
    total query: 0
    spam: 0
    clear: 0
    no timeout: 0
    timeout: 0
    no response: 0

Chapter 24 Anti-Spam

24.3 Anti-Spam Statistics

The following table describes the commands for collecting and displaying anti-spam statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 123 Commands for Anti-Spam Statistics

[no] anti-spam statistics collect
    Turns the collection of anti-spam statistics on or off.
anti-spam statistics flush
    Clears the collected statistics.
show anti-spam statistics summary
    Displays an overview of the collected statistics.
show anti-spam statistics collect
    Displays whether the collection of anti-spam statistics is turned on or off.
show anti-spam statistics ranking {source|mail-address}
    Queries and sorts the anti-spam statistics entries by source IP address or mail address. source lists the source IP addresses of the most spam; mail-address lists the most common source mail addresses for spam.
show anti-spam ip-reputation statistics
    Displays the mail sender IP reputation checking statistics.
show anti-spam mail-scan statistics
    Displays the mail scan statistics.

24.3.1 Anti-Spam Statistics Example

This example shows how to collect anti-spam statist
262. ays which configuration settings reference the specified trunk object.
show reference object-group aaa ad [group_name]
    Displays which configuration settings reference the specified AAA AD group object.
show reference object-group aaa ldap [group_name]
    Displays which configuration settings reference the specified AAA LDAP group object.
show reference object-group aaa radius [group_name]
    Displays which configuration settings reference the specified AAA RADIUS group object.

3.1.1 Object Reference Command Example

This example shows how to check which configuration is using an address object named LAN1_SUBNET. In the command output, firewall rule 3 (named LAN1 to USG 2000) is using the address object.

    Router(config)# show reference object address LAN1_SUBNET
    LAN1_SUBNET References:
    Category    Rule Priority    Description    Rule Name
    Firewall    3                               LAN1 to USG 2000
    Router(config)#

Status

This chapter explains some commands you can use to display information about the ZyWALL's current operational state.

Table 7 Status Show Commands

show boot status
    Displays details about the ZyWALL's startup state.
show comport status
    Displays whether the console and auxiliary ports are on or off.
show cpu status
    Displays the CPU utilization.
show disk
    Displays the disk utilization.
show extension-slot
    Displays t
264. ble 35 Input Values for VLAN Interface Commands

interface_name
    VLAN interface: vlanx, x = 0-4094.
    Ethernet interface: for the ZyWALL USG 300 and above, use gex, x = 1-N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.

This table lists the VLAN interface commands.

Table 36 interface Commands: VLAN Interfaces

interface interface_name
    Creates the specified interface if necessary and enters sub-command mode.
[no] port interface_name
    Specifies the Ethernet interface on which the VLAN interface runs. The no command clears the port.
[no] vlan-id <1..4094>
    Specifies the VLAN ID used to identify the VLAN. The no command clears the VLAN ID.
show port vlan-id
    Displays the Ethernet interface VLAN settings.

6.10.1 VLAN Interface Command Examples

The following commands show you how to set up VLAN vlan100 with the following parameters: VLAN ID 100, interface ge1, IP 1.2.3.4, subnet 255.255.255.0, MTU 598, gateway 2.2.2.2, description "I am vlan100", upstream bandwidth 345, and downstream bandwidth 123.

    Router# configure terminal
    Router(config)# interface vlan100
    Router
265. bnet mask.
[no] ip gateway ip
    Adds the specified gateway using the specified interface. The no command removes the gateway.
ip gateway ip metric <0..15>
    Sets the priority (relative to every gateway on every interface) for the specified gateway. The lower the number, the higher the priority.
[no] metric <0..15>
    Sets the tunnel, PPPoE/PPTP, or cellular interface's priority relative to other interfaces. The lower the number, the higher the priority.
[no] mss <536..1460>
    Specifies the maximum segment size (MSS) the interface is to use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece. The no command has the interface use its default MSS.
[no] mtu <576..1500>
    Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The ZyWALL divides larger packets into smaller fragments. The no command resets the MTU to 1500.
[no] shutdown
    Deactivates the specified interface. The no command activates it.
traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} bandwidth <0..1048576> priority <1..7> [maximize-bandwidth-usage]
    Applies traffic priority when the interface sends TCP ACK traffic, traffic for querying the content filter, traffic for resolving domain names, or encrypted traffic for an IPSec or SSL VPN tunnel. It also sets how much bandwidth the traff
266. by the SSH server to the factory default.
    certificate_name: The name of the certificate. You can use up to 31 alphanumeric, &, and _ characters.
[no] ip ssh server port <1..65535>
    Sets the SSH service port number. The no command resets the SSH service port number to the factory default (22).
ip ssh server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}
    Sets a service control rule for the SSH service.
    address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores, or dashes, but the first character cannot be a number. This value is case-sensitive.
    zone_object: The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 200 and lower models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT, and WAN.
ip ssh server rule move rule_number to rule_number
    Changes the index number of an SSH service control rule.
[no] ip ssh server v1
    Enables remote management using SSH v1. The no command stops the ZyWALL from using SSH v1.
no ip ssh server rule rule_number
    Deletes a service control rule for the SSH service.
show ip ssh server status
    Displays the SSH settings.

38.4.4 SSH Command Examples

Thi
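Service-control rules carry an index, and the table provides insert and move commands to reorder them, so the order in which the rules are consulted decides who can reach the SSH server. The script below is an added example, not ZyXEL code: it validates rule fields against the address_object and zone_object rules quoted above, renders the rule lines in evaluation order, emits the two hardening commands the table documents (no ip ssh server v1, since SSH protocol 1 is obsolete and should stay off, and ip ssh server port), and flags rules that an earlier rule already covers. It assumes first-match evaluation with the literal ALL as the wildcard; that assumption is the reason the shadowing check exists and should be confirmed against the running configuration. The rule set and the names ADMIN_HOSTS and LAN1 are constructed for the example.

```python
# Added example (not ZyXEL code): validate, order and render ZyWALL SSH
# service-control rules, and detect rules shadowed by earlier ones.
import re
from dataclasses import dataclass

# Name rules quoted in the guide: 1-31 alphanumerics, underscores or dashes,
# first character not a digit. Pre-defined zone names on smaller models such
# as "SSL VPN" contain a space and would need ZONE_OBJECT_RE relaxed.
ADDRESS_OBJECT_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")
ZONE_OBJECT_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]{0,30}$")
ACTIONS = ("accept", "deny")


@dataclass(frozen=True)
class SshRule:
    address: str  # address object name, or ALL
    zone: str     # zone object name, or ALL
    action: str   # accept or deny


def validate_rule(rule):
    """Raise ValueError if the CLI input rules would reject a field."""
    if rule.address != "ALL" and not ADDRESS_OBJECT_RE.match(rule.address):
        raise ValueError(f"bad address object name: {rule.address!r}")
    if rule.zone != "ALL" and not ZONE_OBJECT_RE.match(rule.zone):
        raise ValueError(f"bad zone object name: {rule.zone!r}")
    if rule.action not in ACTIONS:
        raise ValueError(f"action must be accept or deny: {rule.action!r}")


def covers(earlier, later):
    """True if everything the later rule matches, the earlier rule matches too
    (assumption: ALL is a wildcard and rules are consulted first-match)."""
    return earlier.address in ("ALL", later.address) and earlier.zone in ("ALL", later.zone)


def shadowed_rules(rules):
    """1-based indexes of rules that can never be reached."""
    return [i + 1 for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


def render_rules(rules):
    """One 'ip ssh server rule N ...' line per rule, numbered in evaluation order."""
    for r in rules:
        validate_rule(r)
    return [f"ip ssh server rule {i} access-group {r.address} zone {r.zone} action {r.action}"
            for i, r in enumerate(rules, 1)]


def hardening_commands(port=22):
    """Disable SSH v1 and pin the service port (1-65535), using the table's commands."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return ["no ip ssh server v1", f"ip ssh server port {port}"]


if __name__ == "__main__":
    # Constructed rule set: admin hosts on LAN1 first, then deny the WAN zone.
    rules = [SshRule("ADMIN_HOSTS", "LAN1", "accept"), SshRule("ALL", "WAN", "deny")]
    for line in hardening_commands() + render_rules(rules):
        print(line)
    # The same intent written with a catch-all accept first leaves the deny unreachable.
    wrong = [SshRule("ALL", "ALL", "accept"), SshRule("ALL", "WAN", "deny")]
    print("shadowed rules in the wrong order:", shadowed_rules(wrong))
```

Run the shadowing check again after every ip ssh server rule move; moving an ALL/ALL accept above a zone-specific deny is the typical way the WAN side gets opened by accident.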
268. c Custom Sianat re Examples ada 192 28 5 Up EDF SIDES apii ere uti MR TER ane MHA Rad A PI PR nO 195 22 9 1 Update stig he E UU aai cr aininetoat ped uUn os 196 CRINIBUS D mU DTE 196 22 BE IDE Seuss EXGURDIB rai pa Kap 197 ZyWALL ZLD CLI Reference Guide Table of Contents Chapter 23 Content EA 199 23 1 Content PUTAS AON LL v aac ei aa i Eua ie nad UL toa AR ak Eco x audet GER p d 199 2x2 Gomen FISH POLI iei iere rI te uan iaaea Aa ODD I MEERR PAN Ar EL nU DM ME IK ERG 199 23 3 External Web FINN SEVICE ss rr ai dan E dard 199 23A Conen PENITUS Repor 3 ca isd cates ri dece det eio bordi bees Qi PO Epod A Ta bor RI dior e 199 2205 Conteni Filter command Inpul Valles vis ra eei be e RO Ro reddo da ten ga da 200 23 8 General Content Filter Commands sussista edana FecR ud aa RUE E aps dd 201 237 Content Fitter Filtering Prone Comme siii 203 23 8 Content Filter URL Cache Commands santa cape io lac iad aan s a Opa Gao 205 207 Gonen PIESHhO USOS dai 206 23 9 1 Coment Fllernhg Statishics EXSmplb sc 207 23 10 Content Filtering Commande Example iii a nera ws aaan ai kara acu E aa 207 Chapter 24 A 211 CLE i cnp ra Pet DT 211 c4 Aa SINS acad ere Re repe aae d Gad Cn e Pa qu bre as lona dE Rud Ia rud ade 211 242 1 General And Spam Commands sra 211 24 2 2 Zone to Zone Anti spam Rules i roorairre ctii errante Ad iia 212 ELSE UII i AA E aT Eaa ER 214 24 2 3 DNSBL Anti Spam
...directions of packet travel.

Table 101 IDP Zone to Zone Rule Commands

idp {signature | anomaly} rule {<1..32> | append | insert <1..32>}
    Creates an IDP signature or anomaly rule and enters the sub-command mode.
    bind profile: Binds the IDP profile to the entry's traffic direction.
    no bind: Removes the IDP profile's binding.
    [no] from zone_profile: Specifies the zone the traffic is coming from. The no command removes the zone specification.
    [no] to zone_profile: Specifies the zone the traffic is going to. The no command removes the zone specification.
    [no] activate: Turns on the IDP profile to traffic direction binding. The no command turns it off.

idp {signature | anomaly} rule {delete <1..32> | move <1..32> to <1..32>}
    Removes or moves an IDP profile to traffic direction entry.

no idp {signature | anomaly} rule <1..32>
    Removes an IDP profile to traffic direction entry.

show idp {signature | anomaly} rules
    Displays the IDP zone to zone rules.

22.3.2.1 Example of IDP Zone to Zone Rule Commands

The following example creates IDP zone to zone rule one. The rule applies the LAN_IDP profile to all traffic going to the LAN zone.

Signature rules:
idp rule: 1  from zone: any  to zone: LAN  profile: LAN_IDP  activate: yes
Router(config)# idp...
...rules.

show policy-route override-direct-route
    Displays whether or not the ZyWALL forwards packets that match a policy route according to the policy route instead of sending the packets to a directly connected network.

show policy-route control-virtual-server
    Displays whether or not policy routes have priority over NAT virtual server rules (1:1 SNAT).

show policy-route6 override-direct-route
    Displays whether or not the ZyWALL forwards IPv6 packets that match a policy route according to the policy route instead of sending the packets to a directly connected network.

show policy-route rule_count
    Displays the number of policy routes that have been configured on the ZyWALL.

show policy-route underlayer-rules
    Displays all policy route rule details for advanced debugging.

8.2.1 Assured Forwarding (AF) PHB for DiffServ

Assured Forwarding (AF) behavior is defined in RFC 2597. The AF behavior group defines four AF classes. Inside each class, packets are given a high, medium or low drop precedence. The drop precedence determines the probability that routers in the network will drop packets when congestion occurs. If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the following twelve DSC...
...cally renew their lease time.

[no] users update-lease automation
    Lets users automatically renew their lease time. The no command prevents them from automatically renewing it.

show users idle-detection settings
    Displays whether or not users are automatically logged out and, if so, how many minutes of idle time must pass before they are logged out.

[no] users idle-detection
    Enables logging users out after a specified number of minutes of idle time. The no command disables logging them out.

[no] users idle-detection timeout <1..60>
    Sets the number of minutes of idle time before users are automatically logged out. The no command sets the idle detection timeout to three minutes.

26.2.3.1 User Setting Command Examples

The following commands show the current settings for the number of simultaneous logins.

Router# configure terminal
Router(config)# show users simultaneous-logon settings
enable simultaneous logon limitation for administration account: yes
maximum simultaneous logon per administration account: EL
enable simultaneous logon limitation for access account: yes
maximum simultaneous logon per access account: 53
Router(config)#

26.2.4 Force User Authentication Commands

This table lists the commands for forcing user authentication.

Table 136 username/groupname Commands Summary: Forcing User Authentication

[no] force-au...
...cation patrol exception rule commands. Note that not all rule commands use all the sub-commands listed here.

Table 86 app patrol exception rule Sub-commands

access {forward | drop | reject}
    Specifies the action when traffic matches the rule.

[no] action block {login | message | audio | video | file-transfer}
    Blocks use of a specific feature.

[no] activate
    Turns on this rule. The no command turns off this rule.

bandwidth {inbound | outbound} <0..1048576>
    Limits inbound or outbound bandwidth in kilobits per second. 0 disables bandwidth management for traffic matching this rule.

[no] bandwidth excess-usage
    Enables maximize bandwidth usage to let the traffic matching this policy borrow any unused bandwidth on the outgoing interface.

bandwidth priority <1..7>
    Sets the priority for traffic that matches this rule. The smaller the number, the higher the priority.

[no] destination profile_name
    Adds the specified destination address to the rule.

[no] from zone_name
    Specifies the source zone.

[no] inbound dscp-mark {<0..63> | class-default | dscp_class}
    This is how the ZyWALL handles the DSCP value of the outgoing packets to a connection's initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to the class default to have the ZyWALL set the DSCP value to 0.

[no] log [alert]
    Creat...
...ce {add | del} {virtual_interface_name | interface_name}
    Adds or deletes an interface or a virtual interface for which to capture packets to the capture interfaces list.

ip-version {ip | ip6 | any}
    Sets whether to capture IPv4 or IPv6 traffic. any means to capture packets for all types of traffic.

proto-type {icmp | icmp6 | igmp | igrp | pim | ah | esp | vrrp | udp | tcp | any}
    Sets the protocol of traffic for which to capture packets. any means to capture packets for all types of traffic.

snaplen <68..1512>
    Specifies the maximum number of bytes to capture per packet. The ZyWALL automatically truncates packets that exceed this size. As a result, when you view the packet capture files in a packet analyzer, the actual size of the packets may be larger than the size of the captured packets.

storage {internal | usbstorage}
    Sets the ZyWALL to store packet capture entries only on the ZyWALL (internal) or on a USB storage device connected to the ZyWALL.

ring-buffer {enable | disable}
    Enables or disables the ring buffer used as temporary storage.

split-size <1..2048>
    Specifies a maximum size limit in megabytes for individual packet capture files. After a packet capture file reaches this size, the ZyWALL starts another packet capture file.

size <0..65527> <1..4096> interface {interface_name | virtual_interface_name} extension forever count filter extension

ping {ipv4 | hostname}...
...ce-group llf_example
interface 1 ge3
interface 2 vlan5
loadbalancing-index outbound

The following example creates a spill-over trunk for Ethernet interfaces ge1 and ge3, which will apply to both incoming and outgoing traffic through the trunk. The ZyWALL sends traffic through ge1 until it hits the limit of 1000 kbps. The ZyWALL sends anything over 1000 kbps through ge3.

Router# configure terminal
Router(config)# interface-group spill_example
Router(if-group)# mode trunk
Router(if-group)# algorithm spill-over
Router(if-group)# interface 1 ge1 limit 1000
Router(if-group)# interface 2 ge3 limit 1000
Router(if-group)# loadbalancing-index total
Router(if-group)# exit
Router(config)#

7.6 Link Sticking

You can have the ZyWALL send each local computer's traffic through a single WAN interface for a specified period of time. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file. If the user's subsequent sessions came from a different WAN IP address, the file server would deny the request. Here is an example.

Figure 14 Link Sticking

LAN user A tries to downloa...
...ce objects.

Table 143 service-object Commands: Service Objects

show service-object [object_name]
    Displays information about the specified service or about all the services.

no service-object object_name
    Deletes the specified service.

service-object object_name {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>}
    Creates the specified TCP service or UDP service using the specified parameters.

service-object object_name icmp icmp_value
    Creates the specified ICMP message using the specified parameters.
    icmp_value: <0..255> | alternate-address | conversion-error | echo | echo-reply | information-reply | information-request | mask-reply | mask-request | mobile-redirect | parameter-problem | redirect | router-advertisement | router-solicitation | source-quench | time-exceeded | timestamp-reply | timestamp-request | unreachable

service-object object_name protocol <1..255>
    Creates the specified user-defined service using the specified parameters.

service-object rename object_name object_name
    Renames the specified service from the first object_name to the second object_name.

service-object object_name icmpv6 {<0..255> | neighbor-solicitation | echo | packet-too-big | router-solicita...
...ce the specified IPv6 address object.

show reference object eps [object_name]
    Displays which configuration settings reference the specified endpoint security object.

show reference object service [object_name]
    Displays which configuration settings reference the specified service object.

show reference object schedule [object_name]
    Displays which configuration settings reference the specified schedule object.

...
    Displays which configuration settings reference the specified interface or virtual interface object.

show reference object aaa authentication {default | auth_method}
    Displays which configuration settings reference the specified AAA authentication object.

show reference object ca category {local | remote} [cert_name]
    Displays which configuration settings reference the specified authentication method object.

show reference object account pppoe [object_name]
    Displays which configuration settings reference the specified PPPoE account object.

show reference object account pptp [object_name]
    Displays which configuration settings reference the specified PPTP account object.

show reference object sslvpn application [object_name]
    Displays which configuration settings reference the specified SSL VPN application object.

show reference object crypto map [crypto_name]
    Displays which configuration settings reference the specified VPN connection object.

show reference ... isakmp_name...
...ch virtual router.

25.6 Legacy Mode (VRRP) Device HA Commands

The following table identifies the values required for many device-ha commands. Other input values are discussed with the corresponding commands.

Table 127 Input Values for device-ha Commands

vrrp_group_name
    The name of the VRRP group. The name can consist of alphanumeric characters, the underscore, and the dash, and may be up to fifteen alphanumeric characters long.

The following sections list the device-ha commands.

25.6.1 VRRP Group Commands

This table lists the commands for VRRP groups.

Table 128 device-ha Commands: VRRP Groups

show device-ha vrrp-group
    Displays information about all VRRP groups.

[no] device-ha vrrp-group vrrp_group_name
    Creates the specified VRRP group if necessary and enters sub-command mode. The no command deletes the specified VRRP group.

[no] vrid <1..254>
    Sets the specified VRRP group's ID to the specified VR ID. The no command clears the VR ID.

[no] interface interface_name
    Specifies the interface that is part of the specified VRRP group. The no command removes the specified interface from the specified VRRP group.

[no] role {master | backup}
    Specifies the role of the specified VRRP group in the virtual router. The no command clears the role, which makes the configuration incomplet...
...check.

ping-check {domain_name | ip | default-gateway} timeout <1..10>
    Specifies what the ZyWALL pings for the ping check and sets the number of seconds the ZyWALL waits for a response.

ping-check {domain_name | ip | default-gateway} fail-tolerance <1..10>
    Specifies what the ZyWALL pings for the ping check and sets the number of times the ZyWALL times out before it stops routing through the specified interface.

ping-check {domain_name | ip | default-gateway} method {icmp | tcp}
    Sets how the ZyWALL checks the connection to the gateway.
    icmp: ping the gateway you specify to make sure it is still available.
    tcp: perform a TCP handshake with the gateway you specify to make sure it is still available.

ping-check {domain_name | ip | default-gateway} port port_number
    Specifies the port number to use for a TCP connectivity check.

6.2.6.1 Connectivity Check Command Example

The following commands show you how to set the WAN1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2.

Router# configure terminal
Router(config)# interface wan1
Router(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080
Router(config-if-wan1)# exit
Router(config)# show ping-check
Interface: wan1
  Check Method: tcp
  IP Address: 1.1.1.2
  Period: 30
  Timeout: 5
  Fail Tolerance: 5
  Activate: yes
  Port: 8080
Router(config)#

6.3 Ethern...
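The connectivity check described above, modelled in Python as an added example (this is not code from the ZyWALL guide). It shows the two parts a practitioner should understand about the tcp method: a probe is only a TCP handshake (it proves a listener answers, nothing about the service behind it), and the interface is taken out of service only after fail-tolerance consecutive probe failures, because a single success resets the count. The function and class names and the loopback test target are this example's own assumptions.

```python
"""Model of a ZLD-style connectivity check with method tcp.

Added example, not code from the ZyWALL guide. Assumed semantics, taken from the
table above: a probe that completes no TCP handshake within `timeout` seconds is
a failure, and after `fail_tolerance` consecutive failures the interface is no
longer used for routing. Function and class names are this example's own.
"""
import socket
import threading
from dataclasses import dataclass, field
from typing import List


def tcp_handshake_check(host: str, port: int, timeout: float) -> bool:
    """Return True if a TCP three-way handshake to host:port completes within timeout.

    Like the guide's `method tcp`, this only proves something is listening on the
    port; it does not speak the application protocol behind it.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


@dataclass
class ConnectivityMonitor:
    """Applies the fail-tolerance rule to a stream of probe results."""
    fail_tolerance: int = 5  # default shown in the `show ping-check` output above
    consecutive_failures: int = 0
    history: List[bool] = field(default_factory=list)

    def record(self, ok: bool) -> bool:
        """Record one probe; return True while the interface is still considered usable."""
        self.history.append(ok)
        self.consecutive_failures = 0 if ok else self.consecutive_failures + 1
        return self.is_up()

    def is_up(self) -> bool:
        # One success resets the counter, so only an unbroken run of failures
        # equal to the tolerance takes the interface out of service.
        return self.consecutive_failures < self.fail_tolerance


def simulate(results: List[bool], fail_tolerance: int) -> List[bool]:
    """Feed constructed probe outcomes to a monitor; return the up/down verdict after each probe."""
    mon = ConnectivityMonitor(fail_tolerance=fail_tolerance)
    return [mon.record(ok) for ok in results]


def _ephemeral_port() -> int:
    """Pick a free loopback port (constructed test target, not a real gateway)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_listening_port() -> bool:
    """Probe a throwaway loopback listener; expected to succeed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    t = threading.Thread(target=srv.accept, daemon=True)  # completes the handshake
    t.start()
    try:
        return tcp_handshake_check("127.0.0.1", port, timeout=2.0)
    finally:
        t.join(timeout=2.0)
        srv.close()


def probe_closed_port() -> bool:
    """Probe a loopback port nothing listens on; expected to fail (connection refused)."""
    return tcp_handshake_check("127.0.0.1", _ephemeral_port(), timeout=2.0)


if __name__ == "__main__":
    print("listener reachable:", probe_listening_port())
    print("closed port reachable:", probe_closed_port())
    print("verdicts:", simulate([True, False, False, True, False, False, False], fail_tolerance=3))
```

With the guide's defaults (Period 30, Timeout 5, Fail Tolerance 5) the model implies a dead gateway is detected after roughly five probe intervals; lowering fail-tolerance speeds fail-over but makes a single lossy period take the WAN link out of service.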
...cify.

[no] alg {h323 | ftp} [signal-port <1025..65535>] [signal-extra-port <1025..65535>] [transformation]
    Turns on or configures the H.323 or FTP ALG.
    Use signal-port with a listening port number (1025 to 65535) if you are using H.323 on a TCP port other than 1720 or FTP on a TCP port other than 21.
    Use signal-extra-port with a listening port number (1025 to 65535) if you are also using H.323 or FTP on an additional TCP port number; enter it here.
    Use transformation to have the ZyWALL modify IP addresses and port numbers embedded in the H.323 or FTP data payload. You do not need to use this if you have an H.323 or FTP device or server that will modify IP addresses and port numbers embedded in the H.323 or FTP data payload.
    The no command turns off the H.323 or FTP ALG or removes the settings that you specify.

[no] alg sip defaultport <1..65535>
    Adds or removes a custom UDP port number for SIP traffic.

show alg {sip | h323 | ftp}
    Displays the specified ALG's configuration.

14.3 ALG Commands Example

The following example turns on pass-through for SIP and turns it off for H.323.

Router# configure terminal
Router(config)# alg sip
Router(config)# no alg h323

Chapter 15 IP/MAC Binding

15.1 IP/MAC Binding Overview

IP address...
Table 10 Country Codes (continued)

143 Mongolia, 144 Montserrat, 145 Morocco, 146 Mozambique, 147 Namibia, 148 Nauru, 149 Nepal, 150 Netherlands
151 Netherlands Antilles, 152 New Caledonia, 153 New Zealand, 154 Nicaragua, 155 Niger, 156 Nigeria, 157 Niue, 158 Norfolk Island
159 Northern Mariana Islands, 160 Norway, 161 Not Determined, 162 Oman, 163 Pakistan, 164 Palau, 165 Panama, 166 Papua New Guinea
167 Paraguay, 168 Peru, 169 Philippines, 170 Pitcairn Island, 171 Poland, 172 Portugal, 173 Puerto Rico, 174 Qatar
175 Reunion Island, 176 Romania, 177 Russian Federation, 178 Rwanda, 179 Saint Kitts and Nevis, 180 Saint Lucia, 181 Saint Vincent and the Grenadines, 182 San Marino
183 Sao Tome and Principe, 184 Saudi Arabia, 185 Senegal, 186 Seychelles, 187 Sierra Leone, 188 Singapore, 189 Slovak Republic, 190 Slovenia
191 Solomon Islands, 192 Somalia, 193 South Africa, 194 South Georgia and the South Sandwich Islands, 195 Spain, 196 Sri Lanka
197 St. Pierre and Miquelon, 198 St. Helena, 199 Suriname, 200 Svalbard and Jan Mayen Islands, 201 Swaziland, 202 Sweden, 203 Switzerland, 204 Taiwan
205 Tajikistan, 206 Tanzania, 207 Thailand, 208 Togo, 209 Tokelau, 210 Tonga, 211 Trinidad and Tobago, 212 Tunisia
213 Turkey, 214 Turkmenistan, 215 Turks and Caicos Islands, 216 Tuvalu
...col: Protocol 1K Xmodem. Then click Send.

6  Wait for about three and a half minutes for the Xmodem upload to finish.

Figure 38 Recovery Image Upload Complete
Total 1867264 bytes received

Enter atgo. The ZyWALL starts up. If "Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file" displays on the screen, the firmware file is damaged and you need to use the procedure in Section 39.10 on page 310 to recover the firmware.

Figure 39 atgo Debug Command

Restoring the Firmware

This procedure requires the ZyWALL's firmware. Download the firmware package from www.zyxel.com and unzip it. The firmware file uses a .bin extension, for example, 1.01(XL.0)C0.bin. Do the following after you have obtained the firmware file.

Note: This section is not for normal firmware uploads. You only need to use this section if you need to recover the firmware.

Connect your computer to the ZyWALL's port 1 (only port 1 can be used). The ZyWALL's FTP server IP address for firmware recovery is 192.168.1.1, so set your computer to use a static IP address from 192.168.1.2 to 192.168.1.254.

Use an FTP client on your computer to connect to the ZyWALL. For example, in the Windows command prompt, type ftp 192.168.1.1. Keep the console session connected in order to see when the firmware recovery finishes.
...command mode. The no command removes the specified service group.

[no] service-object object_name
    Adds the specified service to the specified service group. The no command removes the specified service from the specified group.

Table 144 object-group Commands: Service Groups (continued)

[no] object-group group_name
    Adds the specified service group (second group_name) to the specified service group (first group_name). The no command removes the specified service group from the specified service group.

[no] description description
    Sets the description to the specified value. The no command removes the description.
    description: You can use alphanumeric and _ characters, and it can be up to 60 characters long.

object-group service rename group_name group_name
    Renames the specified service group from the first group_name to the second group_name.

28.2.2.1 Service Group Command Examples

The following commands create service ICMP_ECHO, create service group SG1, and add ICMP_ECHO to SG1.

Router# configure terminal
Router(config)# service-object ICMP_ECHO icmp echo
Router(config)# object-group service SG1
Router(group-service)# service-object ICMP_ECHO
Router(group-service)# exit
Router(config)# sho...
Object name: ICMP_ECHO
Object Group name: ICMP_ECHO
...command clears it.

[no] ha-iface interface_name
    Sets the HA interface in the specified DDNS profile. The no command clears it.

[no] backmx
    Enables the backup mail exchanger. The no command disables it.

[no] wildcard
    Enables the wildcard feature. The no command disables it.

Chapter 12 Virtual Servers

This chapter describes how to set up, manage, and remove virtual servers. Virtual server commands configure NAT.

12.1 Virtual Server Overview

Virtual server is also known as port forwarding or port translation. Virtual servers are computers on a private network behind the ZyWALL that you want to make available outside the private network. If the ZyWALL has only one public IP address, you can make the computers in the private network available by using ports to forward packets to the appropriate private IP address.

12.1.1 1:1 NAT and Many 1:1 NAT

1:1 NAT: If the private network server will initiate sessions to the outside clients, use 1:1 NAT to have the ZyWALL translate the source IP address of the server's outgoing traffic to the same public IP address that the outside clients use to access the server.

Many 1:1 NAT: If you have a range of private network servers that will initiate sessions to the outside clients and a range of public IP addresses, use many 1:1 NAT to have the ZyWALL translate the source IP address of each server...
Router(config-if-vlan)# vlan-id 100
Router(config-if-vlan)# port ge1
Router(config-if-vlan)# ip address 1.2.3.4 255.255.255.0
Router(config-if-vlan)# ip gateway 2.2.2.2
Router(config-if-vlan)# mtu 598
Router(config-if-vlan)# upstream 345
Router(config-if-vlan)# downstream 123
Router(config-if-vlan)# description I am vlan100
Router(config-if-vlan)# exit

6.11 Bridge Specific Commands

This section covers commands that are specific to bridge interfaces. Bridge interfaces also use many of the general interface commands discussed at the beginning of Section 6.2 on page 57.

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 37 Input Values for Bridge Interface Commands

interface_name
    The name of the interface.
    Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
    VLAN interface: vlanx, x = 0..4094.
    Bridge interface: brx, x = 0..N, where N depends on the number of bridge interfaces your ZyWALL model supports.

This table lists the bridge interface commands.

Table 38 interface Commands: Bridge Interfaces

interface interface_name
    Create...
...correct tags.

Dial-in Management Commands

The following table describes the commands available for dial-in management. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 178 Command Summary: Dial-in Management

dial-in
    Enters sub-command mode.

[no] activate
    Turns dial-in management on. The no command turns it off.

[no] answer-rings <number>
    Sets how many times the ZyWALL lets the incoming dial-in management session ring before processing it. The no command sets it to one.

[no] description description
    Specifies the description for the dial-in management connection. The no command clears the description.
    description: You can use alphanumeric and _ characters, and it can be up to 60 characters long.

[no] initial-string initial_string
    Specifies the initial string of the auxiliary interface. The no command removes the initial string.
    initial_string: You can use up to 64 characters. Semicolons (;) and backslashes (\) are not allowed.

[no] mute
    Stops the external serial modem from making audible sounds during a dial-in management session. The no command turns the sounds back on.

[no] port-speed {9600 | 19200 | 38400 | 57600 | 115200}
    Specifies the baud rate of the auxiliary interface. The no command sets the baud rate to 115200.

show dial-in
    Displays dial-in management settings.
...ct. For users who fail the endpoint security checking, Peter decides to show them an error message of "Endpoint Security checking failed. Contact helpdesk at 7777 if you have any questions". The following shows how to configure the error message.

Router(config)# eps failure-messages "Endpoint Security checking failed. Contact helpdesk at 7777 if you have any questions"
Router(config)#

Chapter 36 DHCPv6 Objects

This chapter describes how to configure and view DHCPv6 request and lease objects.

36.1 DHCPv6 Object Commands Summary

The following table identifies the values required for many DHCPv6 object commands. Other input values are discussed with the corresponding commands.

Table 162 DHCPv6 Object Command Input Values

dhcp6_profile
    The name of a DHCPv6 request object. Use a string of less than 31 characters.

interface_name
    The name of the interface. This depends on the ZyWALL model. For the USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. For the ZyWALL USG 200 and below, use a name such as wan1, wan2, opt, lan1, ext-wlan or dmz.

The following sections list the DHCPv6 object commands.

36.1.1 DHCPv6 Object Commands

This table lists the commands for creating endpoint security objects. Use the configure terminal command to enter the configuration mode to...
...ctory-traversal | details | oversize-chunk-encoding | webroot | non-rfc-http}
    Shows http inspection settings for the specified IDP profile.

show idp anomaly profile tcp-decoder all details
    Shows tcp-decoder settings for the specified IDP profile.

show idp anomaly profile tcp-decoder {undersize-len | undersize-offset | oversize-offset | bad-length-options | truncated-options | ttcp-detected | experimental-options | obsolete-options} details
    Shows tcp-decoder settings for the specified IDP profile.

show idp anomaly profile udp-decoder all details
    Shows udp-decoder settings for the specified IDP profile.

show idp anomaly profile udp-decoder {truncated-header | undersize-len | oversize-len} details
    Shows the specified udp-decoder settings for the specified IDP profile.

show idp anomaly profile icmp-decoder all details
    Shows all icmp-decoder settings for the specified IDP profile.

show idp anomaly profile icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} details
    Shows the specified icmp-decoder settings for the specified IDP profile.

22.3.4.1 Creating an Anomaly Profile Example

In this example we create a profile named test, configure some settings, display them, and then return to global command mode.

Router# configure terminal
Router(config)# ...
...d IP address, domain name, or interface.

peer-ip {ip | domain_name} [ip | domain_name]
    Sets the remote gateway address(es) to the specified IP address(es) or domain name(s).

keystring pre_shared_key
    Sets the pre-shared key that can be used for authentication. The pre-shared key can be 8-32 alphanumeric or & _ < > characters, or 16-64 hexadecimal (0-9, A-F) characters preceded by 0x. The pre-shared key is case-sensitive.

local-id type {ip ip | fqdn domain_name | mail e_mail | dn distinguished_name}
    Sets the local ID type and content to the specified IP address, domain name, or e-mail address.

peer-id type {any | ip ip | fqdn domain_name | mail e_mail | dn distinguished_name}
    Sets the peer ID type and content to any value, the specified IP address, domain name, or e-mail address.

[no] xauth type {server xauth_method | client name username password password}
    Enables extended authentication and specifies whether the ZyWALL is the server or client. If the ZyWALL is the server, it also specifies the extended authentication method (aaa authentication profile_name); if the ZyWALL is the client, it also specifies the username and password to provide to the remote IPSec router. The no command disables extended authentication.
    username: You can use alphanumeric characters, underscores, and dashes, and it can be up to 31 characters long.
    password: You can use...
...d IPSec SA (first map_name) to the specified name (second map_name).

crypto map map_name {activate | deactivate}
    Activates or deactivates the specified IPSec SA.

adjust-mss {auto | <200..1500>}
    Sets a specific number of bytes for the Maximum Segment Size (MSS), meaning the largest amount of data in a single TCP segment or IP datagram, for this VPN connection, or use auto to have the ZyWALL automatically set it.

ipsec-isakmp policy_name
    Specifies the IKE SA for this IPSec SA and disables manual key.

encapsulation {tunnel | transport}
    Sets the encapsulation mode.

transform-set crypto_algo_esp [crypto_algo_esp [crypto_algo_esp]]
    Sets the active protocol to ESP and sets the encryption and authentication algorithms for each proposal.
    crypto_algo_esp: esp-null-md5 | esp-null-sha | esp-null-sha256 | esp-null-sha512 | esp-des-md5 | esp-des-sha | esp-des-sha256 | esp-des-sha512 | esp-3des-md5 | esp-3des-sha | esp-3des-sha256 | esp-3des-sha512 | esp-aes128-md5 | esp-aes128-sha | esp-aes128-sha256 | esp-aes128-sha512 | esp-aes192-md5 | esp-aes192-sha | esp-aes192-sha256 | esp-aes192-sha512 | esp-aes256-md5 | esp-aes256-sha | esp-aes256-sha256 | esp-aes256-sha512

transform-set crypto_algo_ah [crypto_algo_ah [crypto_algo_ah]]
    Sets the active protocol to AH and sets the encryption and authentication algorithms for each proposal.
    crypto_algo_ah: ah-md5 | ah-sha | ah-sha256 | ah-sha512

Scenario: site-to...
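The transform-set lists above mix current and obsolete algorithms in one menu, so a reviewer of a VPN configuration wants a quick way to see which proposals an SA still offers. The following is an added example, not code from the ZyWALL guide: it parses proposal tokens in the guide's own spelling (esp-<encryption>-<integrity>, ah-<integrity>) and flags the choices a new IPSec SA should not offer. The rating policy in the two dictionaries is this example's own, not something the guide states.

```python
"""Audit of IPsec transform-set proposals written with the ZLD tokens listed above.

Added example, not code from the ZyWALL guide. The parser accepts the guide's own
tokens (esp-<enc>-<auth>, ah-<auth>); the rating policy (which algorithms a new
IPsec SA should no longer offer) is this example's own and is stated in the two
dictionaries below.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Policy (this example's own): encryption choices that should not be offered.
WEAK_ENCRYPTION: Dict[str, str] = {
    "null": "no confidentiality (ESP-NULL sends the payload in clear)",
    "des": "56-bit key, brute-forceable",
    "3des": "64-bit block cipher, deprecated",
}
# Policy (this example's own): integrity choices that should not be offered.
WEAK_INTEGRITY: Dict[str, str] = {
    "md5": "HMAC-MD5, deprecated for IPsec",
    "sha": "HMAC-SHA-1, prefer SHA-2 for new SAs",
}


@dataclass(frozen=True)
class Proposal:
    protocol: str              # "esp" or "ah"
    encryption: Optional[str]  # None for AH, which has no encryption
    integrity: str


def parse_proposal(token: str) -> Proposal:
    """Split a transform-set token such as esp-aes256-sha256 or ah-md5."""
    parts = token.lower().split("-")
    if len(parts) == 3 and parts[0] == "esp":
        return Proposal("esp", parts[1], parts[2])
    if len(parts) == 2 and parts[0] == "ah":
        return Proposal("ah", None, parts[1])
    raise ValueError(f"not a transform-set token: {token!r}")


def audit_transform_set(tokens: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (token, findings) per proposal; an empty findings list means acceptable."""
    report = []
    for tok in tokens:
        p = parse_proposal(tok)
        findings = []
        if p.protocol == "ah":
            findings.append("AH authenticates only; the payload is not encrypted")
        if p.encryption in WEAK_ENCRYPTION:
            findings.append(f"{p.encryption}: {WEAK_ENCRYPTION[p.encryption]}")
        if p.integrity in WEAK_INTEGRITY:
            findings.append(f"{p.integrity}: {WEAK_INTEGRITY[p.integrity]}")
        report.append((tok, findings))
    return report


def acceptable_proposals(tokens: List[str]) -> List[str]:
    """Keep only the proposals with no findings, preserving the configured order."""
    return [tok for tok, findings in audit_transform_set(tokens) if not findings]


if __name__ == "__main__":
    # Constructed sample: a transform-set as an operator might have typed it.
    configured = ["esp-3des-sha", "esp-aes128-sha256", "esp-aes256-sha512"]
    for tok, findings in audit_transform_set(configured):
        print(tok, "OK" if not findings else "; ".join(findings))
```

Because the ZyWALL accepts up to three proposals per transform-set and the peer picks the first one both sides share, a weak proposal left in the list is still negotiable even when stronger ones precede it; removing it, rather than reordering, is the fix.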
...d a file from server B on the Internet. The ZyWALL uses WAN1 to send the request to server B.

However, remote server B is actually a redirect server. So server B sends a file list to LAN user A. The file list lets LAN user A's computer know that the desired file is actually on file server C. At the same time, redirect server B informs file server C that a computer located at WAN1's IP address will download a file.

The ZyWALL is using active-active load balancing. So when LAN user A tries to retrieve the file from file server C, the request goes out through WAN2.

4  File server C finds that the request comes from WAN2's IP address instead of WAN1's IP address and rejects the request.

5  If link sticking had been configured, the ZyWALL would have still used WAN1 to send LAN user A's request to file server C, and the file server would have given the file to A.

7.7 Link Sticking Commands Summary

The following table lists the ip load-balancing link-sticking commands for link sticking. The link sticking commands have the prefix ip load-balancing because they affect the ZyWALL's load balancing behavior. You must use the configure terminal command to enter the configuration mode before you can use these commands. See Table 40 on page 94 for details about the values you can input with these commands.

Table 42 ip load-balancing link-sticking Commands Summary

COMMAN...
...d compatible only.

Table 85 app Commands: Exception Rules in Pre-Defined Applications

app protocol_name exception insert rule_number
    Creates a new rule at the specified row and enters sub-command mode. See Table 86 on page 166 for the sub-commands.

app protocol_name exception append
    Creates a new rule, appends it to the end of the list, and enters sub-command mode. See Table 86 on page 166 for the sub-commands.

app protocol_name exception rule_number
    Enters sub-command mode for editing the rule at the specified row. See Table 86 on page 166 for the sub-commands.

app protocol_name exception {rule_number | modify rule_number}
    Enters sub-command mode for editing the rule at the specified row. See Table 86 on page 166 for the sub-commands.

app protocol_name exception {default | modify default}
    Enters sub-command mode for editing the default rule for the application. See Table 86 on page 166 for the sub-commands.

app protocol_name exception move rule_number to rule_number
    Moves the specified rule (first index) to the specified location. The process is: 1. remove the specified rule from the table; 2. re-number; 3. insert the rule at the specified location.

20.2.3.1 Exception Rule Sub-commands

The following table describes the sub-commands for several appli...
d forwards when queries to the mail scan servers time out.
show anti-spam xheader query timeout
    Displays the name and value for the X-Header the ZyWALL adds to e-mails that it tags and forwards when queries to the mail scan servers time out.

Chapter 24 Anti-Spam

24.2.2.1 Zone to Zone Anti-spam Rule Example

This example shows how to configure and display a WAN to DMZ anti-spam rule to scan POP3 and SMTP traffic. SMTP spam is forwarded; POP3 spam is marked with a spam tag. The ZyWALL logs the event when an e-mail matches the DNSBL (see Section 24.2.4 on page 216 for more on DNSBL). The white and black lists are ignored.

Router# configure terminal
Router(config)# anti-spam rule 1
Router(config-as-rule)# activate
Router(config-as-rule)# log
Router(config-as-rule)# from zone WAN
Router(config-as-rule)# to zone DMZ
Router(config-as-rule)# scan smtp
Router(config-as-rule)# scan pop3
Router(config-as-rule)# match action smtp forward
Router(config-as-rule)# match action pop3 forward with tag
Router(config-as-rule)# bypass white list
Router(config-as-rule)# bypass black list
Router(config-as-rule)# exit
Router(config)# show anti-spam rule 1
Anti Spam Rule: 1
  active: yes
  log: log
  from zone: WAN
  to zone: DMZ
  Scan protocols: smtp: yes  pop3: yes
  match action: smtp: forward  pop3: forward with tag
  bypass white list: yes
  bypass black list: yes
  bypass dnsbl: no
d prefix. The combined address is the network prefix for the network. For example, you got a delegated prefix of 2003:1234:5678::/48. You want to divide it into 2003:1234:5678:1111::/64 for this interface and 2003:1234:5678:2222::/64 for another interface. You can use ::1111/64 and ::2222/64 for the suffix address respectively. But if you do not want to divide the delegated prefix into subnetworks, enter ::0/48 here, which keeps the same prefix length (/48) as the delegated prefix.
dhcp6 {server | client | relay upper}
    Sets the IPv6 interface to be a DHCPv6 server, client, or relay. For relay, config {<interface> | <ipv6_addr>}: specify an interface from which to get the DHCPv6 server's address, or the IPv6 address of a DHCPv6 server.
dhcp6 rapid-commit
    Shortens the DHCPv6 message exchange process from four to two steps to help reduce network traffic.
    Note: Make sure you also enable this option in the DHCPv6 clients to make rapid commit work.
dhcp6 address-request
    Gets this interface's IPv6 address from the DHCPv6 server.
dhcp6 refresh-time {<600..4294967294> | infinity}
    Sets the number of seconds a DHCPv6 client should wait before refreshing information retrieved from DHCPv6.
dhcp6 duid {<duid> | mac}
    Specifies the DHCP Unique Identifier (DUID) of the interface, or has it generated from the interface's default MAC address.
dhcp6-lease-object <dhcp6_profile>
    For a DHCPv6 server interface, specifies the profile of DHCPv6
d with the corresponding commands.

Table 132 username/groupname Command Input Values

username
    The name of the user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
groupname
    The name of the user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. It cannot be the same as the user name.

The following sections list the username/groupname commands.

26.2.1 User Commands

The first table lists the commands for users.

Table 133 username/groupname Commands Summary: Users

show username [<username>]
    Displays information about the specified user or about all users set up in the ZyWALL.
username <username> nopassword user-type {admin | guest | limited-admin | user}
    Creates the specified user (if necessary), disables the password, and sets the user type for the specified user.
username <username> password <password> user-type {admin | guest | limited-admin | user}
    Creates the specified user (if necessary), enables and sets the password, and sets the user type for the specified user.
    password: You can use 1-63 printable ASCII characters except double quotation marks (") and question marks (?).
username <username> user-type ext-user
    Creates the specified u
ddress(es). The no command resets the source IP address(es) to the default (any). any means all IP addresses.
[no] sourceip6 <address_object>
    Sets the source IP address(es). The no command resets the source IP address(es) to the default (any). any means all IP addresses.
[no] sourceport {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>}
    Sets the source port for a firewall rule. The no command removes the source port from the rule.

Chapter 16 Firewall

Table 67 firewall Sub-commands (continued)

[no] to {<zone_object> | ZyWALL}
    Sets the zone to which the packets are sent. The no command removes the zone to which the packets are sent and resets it to the default (any). any means all interfaces or VPN tunnels.
[no] user <user_name>
    Sets a user-aware firewall rule. The rule is activated only when the specified user logs into the system. The no command resets the user name to the default (any). any means all users.

16.2.2 Firewall Command Examples

These are IPv4 firewall configuration examples. The IPv6 firewall commands are similar. The following example shows you how to add an IPv4 firewall rule to allow a MyService connection from the WAN zone to the IP addresses Dest 1 in the LAN zone.

Enter configuration command mode.
Create an IP address object.
Create a service object.
Enter the firewall sub
ddresses do not match the local and remote policy if you want to use the IPSec SA in a VPN concentrator.

Chapter 17 IPSec VPN

Table 72 crypto Commands: IPSec SAs (continued)

[no] nail-up
    Automatically re-negotiates the SA as needed. The no command does not.
[no] replay-detection
    Enables replay detection. The no command disables it.
[no] netbios-broadcast
    Enables NetBIOS broadcasts through the IPSec SA. The no command disables NetBIOS broadcasts through the IPSec SA.
[no] out-snat activate
    Enables outbound traffic SNAT over IPSec. The no command disables outbound traffic SNAT over IPSec.
out-snat source <address_name> destination <address_name> snat <address_name>
    Configures outbound traffic SNAT in the IPSec SA.
[no] in-snat activate
    Enables inbound traffic SNAT in the IPSec SA. The no command disables inbound traffic SNAT in the IPSec SA.
in-snat source <address_name> destination <address_name> snat <address_name>
    Configures inbound traffic SNAT in the IPSec SA.
[no] in-dnat activate
    Enables inbound traffic DNAT in the IPSec SA. The no command disables inbound traffic DNAT in the IPSec SA.
in-dnat delete <1..10>
    Deletes the specified rule for inbound traffic DNAT in the specified IPSec SA.
in-dnat move <1..10> to <1..10>
    Moves the specified rule (first rule number) to the specified loc
interface <interface_name> device ... 78
interface <interface_name> device status ... 78
interface ppp system-default ... 75
interface send statistics ... 58
interface summary ... 58
interface-group {system-default | user-define <group_name>} ... 94
ip dhcp dhcp-options ... 63
ip dhcp pool ... 63
ip dhcp pool <profile_name> dhcp-options ... 63
device
    Displays all 3G card models the ZyWALL can support.
show interface cellular budget auto save
    Displays how often (in minutes) the ZyWALL records time and data usage of your 3G budgets.
show interface cellular status
    Displays the traffic statistics and connection status for your cellular interfaces. See Section 6.6.1 on page 78 for all possible cellular status descriptions.
show interface <interface_name> budget
    Displays the budget control settings for the specified cellular interface.
show interface <interface_name> device status
    Displays the 3G card and SIM card information for the specified cellular interface.
show interface <interface_name> device
    Displays the 3G connection profile settings of the specified cellular interface.

6.6.1 Cellular Status

The following table describes the different kinds of cellular connection status on the ZyWALL.

Table 28 Cellular Status

No device
    No 3G device is connected to the ZyWALL.
No service
    No 3G network is available in the area; you cannot connect to the Internet.

Chapter 6 Interfaces

Table 28 Cellular Status (continued)

Limited service
    Returned by the service provider in cases where the SIM card is expired, the user failed to pay for the service, and so on; you cannot connect to the Internet.
Device detected
    Displays when you connect a 3G device.
Device error
    a
diag-info copy usb-storage
    Sets to have the ZyWALL save or stop saving the current system diagnostics information to the connected USB storage device. You may need to send this file to customer support for troubleshooting.
show diag-info copy usb-storage
    Displays whether (enable or disable) the ZyWALL saves the current system diagnostics information to the connected USB storage device.
[no] corefile copy usb-storage
    Sets to have the ZyWALL save (or not save) a process's core dump to the connected USB storage device if the process terminates abnormally (crashes). You may need to send this file to customer support for troubleshooting.
show corefile copy usb-storage
    Displays whether (enable or disable) the ZyWALL saves core dump files to the connected USB storage device.

6.8.1 USB Storage General Commands Example

This example shows how to display the status of the connected USB storage device.

Router# show usb-storage
USBStorage Configuration:
  Activation: enable
  Criterion Number: 100
  Criterion Unit: megabyte
USB Storage Status:
  Device description: N/A
  Usage: N/A
  Filesystem: N/A
  Speed: N/A
  Status: none
  Detail: none

6.9 WLAN Specific Commands

You can install a compatible WLAN card to use the ZyWALL as an access point (AP) for a wireless network. The following table identifies the values required for several WLAN commands. Other input values are discussed with the corresponding com
directory and file name to use for the duplicate. Always copy the file into the same directory.
copy running-config startup-config
    Saves your configuration changes to the flash (non-volatile or long term) memory. The ZyWALL immediately uses configuration changes made via commands, but if you do not use this command or the write command, the changes will be lost when the ZyWALL restarts.
copy running-config conf/<file_name>.conf
    Saves a duplicate of the configuration file that the ZyWALL is currently using. You specify the file name to which to copy.
delete {cert | conf | idp | packet_trace | script | tmp}/<file_name>
    Removes a file. Specify the directory and file name of the file that you want to delete.
dir {cert | conf | idp | packet_trace | script | tmp}
    Displays the list of files saved in the specified directory.
rename {cert | conf | idp | packet_trace | script | tmp}/<old_file_name> {cert | conf | idp | packet_trace | script | tmp}/<new_file_name>
    Changes the name of a file. Specify the directory and file name of the file that you want to rename. Then specify the directory again, followed by the new file name.
rename script/<old_file_name> script/<new_file_name>
    Changes the name of a shell script.
run script/<file_name>.zysh
    Has the ZyWALL execute a specific shell script file. You must still use the write command to save your configuration changes to the flash (non-volatil
firewall default rule action {allow | deny | reject} {no log | log [alert]} ... 133
firewall delete <rule_number> ... 135
firewall insert <rule_number> ... 135
firewall move <rule_number> to <rule_number> ... 135
firewall <rule_number> ... 134
firewall <zone_object> {<zone_object> | ZyWALL} append ... 134
firewall <zone_object> {<zone_object> | ZyWALL} delete <1..5000> ... 135
firewall <zone_object> {<zone_object> | ZyWALL} flush ... 135
firewall <zone_object> {<zone_object> | ZyWALL} insert <rule_number> ... 135
firewall <zone_object> {<zone_object> | ZyWALL} move <rule_number> to <rule_number> ... 135
firewall <zone_object> {<zone_object> | ZyWALL} <rule_number> ... 134
firewall6 default rule action {allow | deny | reject} {no log | log [alert]} ... 136
firewall6 delete <rule_number> ... 136
firewall6 insert <rule_number> ...
dress_object map-to {<address_object> | <ip>} map-type any [nat-loopback [nat-1-1-map] [deactivate] | nat-1-1-map [deactivate] | deactivate]
    Creates or modifies the specified virtual server and maps the specified destination IP address (for all destination ports) to the specified destination address object or IP address. The original destination IP is defined by the specified interface (any), the specified IP address (IP), or the specified address object (address object). NAT loopback allows local users to use a domain name to access this virtual server.
    Select what kind of NAT this rule is to perform. nat-1-1-map means the NAT type is either 1:1 NAT or many 1:1 NAT. See Section 12.1.1 on page 119 for more information. Using this command without nat-1-1-map means the NAT type is Virtual Server. This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet).
    The deactivate command disables the virtual server rule.
ip virtual-server <profile_name> interface <interface_name> original-ip {any | <IP> | <address_object>} map-to {<address_object> | <ip>} map-type port protocol {any | tcp | udp} original-port <1..65535> mapped-port <1..65535> [nat-loopback [nat-1-1-map] [deactivate] | nat-1-1-map [deactivate] | deactivate]
ip virtual-server <profile_name> interface <interface_name> original-ip {any | <IP> | <address_object>} map-to {<address_object> | <ip>} map-type ports protoco
ds; in either case you have to bind the DHCP pool to the interface.

Table 17 interface Commands: DHCP Settings

show ip dhcp dhcp-options
    Shows the DHCP extended option settings.
show ip dhcp pool [<profile_name>]
    Shows information about the specified DHCP pool or about all DHCP pools.
show ip dhcp pool <profile_name> dhcp-options
    Shows the specified DHCP pool's DHCP extended option settings.
ip dhcp pool <profile_name> rename <profile_name>
    Renames the specified DHCP pool from the first <profile_name> to the second <profile_name>.
[no] ip dhcp pool <profile_name>
    Creates a DHCP pool if necessary and enters sub-command mode. You can use the DHCP pool to create a static entry or to set up a range of IP addresses to assign dynamically.
    About the sub-command settings: If you use the host command, the ZyWALL treats this DHCP pool as a static DHCP entry. If you do not use the host command and use the network command, the ZyWALL treats this DHCP pool as a pool of IP addresses. If you do not use the host command or the network command, the DHCP pool is not properly configured and cannot be bound to any interface.
    The no command removes the specified DHCP pool.
show
    Shows information about the specified DHCP pool.

Use the following commands to create a static DHCP entry. If you do not use the host command, the commands that are not in this section have
List of Commands (Alphabetical)

username <username> user-type ... 230
users default-setting [no] logon-lease-time <0..1440> ... 231
users default-setting [no] logon-re-auth-time <0..1440> ... 231
users default-setting [no] user-type {admin | ext-user | guest | limited-admin | user | ext-group-user} ... 231
users default-setting [no] user-type {admin | ext-user | guest | limited-admin | user | ext-group-user} logon-lease-time <0..1440> ... 231
users default-setting [no] user-type {admin | ext-user | guest | limited-admin | user | ext-group-user} logon-re-auth-time <0..1440> ... 231
vpn-concentrator rename <profile_name> <profile_name> ... 148
vpn-configuration-provision authentication <auth_method> ... 148
vpn-configuration-provision rule {append | <conf_index> | insert <conf_index>} ... 148
vpn-configuration-provision rule {delete <conf_index> | move <conf_index> to <conf_index>} ... 148
vrpt send device information interval ... 320
vrpt send interface statistics interval ... 320
vrpt send system status interval ...
e
[no] priority <1..254>
    Sets the priority of the specified VRRP group in the virtual router. The no command resets the priority to 100.
[no] preempt
    Lets the ZyWALL preempt lower priority routers in the virtual router. The no command prevents the ZyWALL from preempting lower priority routers.
[no] manage-ip <IP>
    Specifies the IP address of the specified VRRP group when it is not the master. The no command clears the IP address.
[no] authentication {string <password> | ah-md5 <password>}
    Specifies the authentication method and password for the specified VRRP group. The no command means that the specified VRRP group does not use authentication.
    password: You may use alphanumeric characters, the underscore, and some punctuation marks (&), and it can be up to eight characters long.
[no] description <description>
    Specifies the description for the specified VRRP group. The no command clears the description.
    description: You can use alphanumeric and _ characters, and it can be up to 60 characters long.
[no] activate
    Turns on the specified VRRP group. The no command turns off the VRRP group.

25.6.2 VRRP Synchronization Commands

This table lists the commands for synchronization. You can synchronize with other ZyWALLs of the same model that are running the same firmware version.

Table 129 device-ha Commands: Synchronization

show device-ha sync
    Displays the current
url server rating server timeout <query_timeout> ... 202
usb-storage mount ... 82
usb-storage umount ... 82
usb-storage warn <number> {percentage | megabyte} ... 82
username rename <username> <username> ... 230
username <username> [no] description <description> ... 230
username <username> [no] logon-lease-time <0..1440> ... 231
username <username> [no] logon-re-auth-time <0..1440> ... 231
username <username> [no] logon-time-setting {default | manual} ... 230
username <username> nopassword user-type {admin | guest | limited-admin | user} ... 230
username <username> password <password> user-type {admin | guest | limited-admin | user} ... 230
username <username> user-type ext-group-user associated-aaa-server <server_profile> group-id <id> ... 230
e or long term) memory.
schedule run 1 <file_name>.zysh {daily <time> | monthly <date> <time> | weekly {sun | mon | tue | wed | thu | fri | sat} <time>}
    Has the ZyWALL execute the specified shell script file at the specified time. You must still use the write command to save your configuration changes to the flash (non-volatile or long term) memory.

Chapter 39 File Manager

Table 185 File Manager Commands Summary (continued)

show running-config
    Displays the settings of the configuration file that the system is using.
setenv-startup stop-on-error off
    Has the ZyWALL ignore any errors in the startup-config.conf file and apply all of the valid commands.
show setenv-startup
    Displays whether or not the ZyWALL is set to ignore any errors in the startup-config.conf file and apply all of the valid commands.
write
    Saves your configuration changes to the flash (non-volatile or long term) memory. The ZyWALL immediately uses configuration changes made via commands, but if you do not use the write command, the changes will be lost when the ZyWALL restarts.

39.5 File Manager Command Examples

This example saves a backup of the current configuration before applying a shell script file.

Router(config)# copy running-config conf/backup.conf
Router(config)# run script/vpn_setup.zysh

These commands run the aaa.zysh script at
Table 94 Commands for Anti-virus White and Black Lists

[no] anti-virus white-list activate
    Turns on the white list to have the ZyWALL not perform the anti-virus check on files with names that match the white list patterns.
[no] anti-virus white-list file-pattern <av_file_pattern> {activate | deactivate}
    Adds or removes a white list file pattern. Turns a file pattern on or off.
anti-virus white-list replace <old_av_file_pattern> <new_av_file_pattern> {activate | deactivate}
    Replaces the specified white list file pattern with a new file pattern.
[no] anti-virus black-list activate
    Turns on the black list to log and delete files with names that match the black list patterns.

Chapter 21 Anti-Virus

Table 94 Commands for Anti-virus White and Black Lists (continued)

[no] anti-virus black-list file-pattern <av_file_pattern> {activate | deactivate}
    Adds or removes a black list file pattern. Turns a file pattern on or off.
anti-virus black-list replace <old_av_file_pattern> <new_av_file_pattern> {activate | deactivate}
    Replaces the specified black list file pattern with a new file pattern.

21.2.3.1 White and Black Lists Example

This example shows how to enable the white list and configure an active white list entry for files with a .exe extension. It also enables the black list and configures an inactive black li
Chapter 6 Interfaces

6.2 Interface General Commands Summary

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 15 Input Values for General Interface Commands

interface_name
    The name of the interface.
    Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
    Virtual interface on top of Ethernet interface: add a colon (:) and the number of the virtual interface. For example, gex:y, x = 1..N, y = 1..4.
    VLAN interface: vlanx, x = 0..4094.
    Virtual interface on top of VLAN interface: vlanx:y, x = 0..4094, y = 1..4.
    Bridge interface: brx, x = 0..N, where N depends on the number of bridge interfaces your ZyWALL model supports.
    Virtual interface on top of bridge interface: brx:y, x = the number of the bridge interface, y = 1..4.
    PPPoE/PPTP interface: pppx, x = 0..N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.
profile_name
    The name of the DHCP pool. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
domain_name
    Fully qualified domain name. You may use up to 254 alphanumeric characters, da
e
Name   Port1  Port2  Port3  Port4  Port5
1 ge1  yes    no     no     no     yes
2 ge2  no     yes    no     no     no
3 ge3  no     no     yes    no     no
4 ge4  no     no     no     yes    no
5 ge5  no     no     no     no     no

The following commands set port 1 to use auto-negotiation (auto) and port 2 to use a 10 Mbps connection speed and half duplex.

Router(config)# port status Port1
Router(config-port-status)# negotiation auto
Router(config-port-status)# exit
Router(config)# port status Port2
Router(config-port-status)# duplex half
Router(config-port-status)# speed 10
Router(config-port-status)# exit
Router(config)# exit

6.4 Virtual Interface Specific Commands

Virtual interfaces use many of the general interface commands discussed at the beginning of Section 6.2 on page 57. There are no additional commands for virtual interfaces.

6.4.1 Virtual Interface Command Examples

The following commands set up a virtual interface on top of Ethernet interface ge1. The virtual interface is named ge1:1 with the following parameters: IP 1.2.3.4, subnet 255.255.255.0,

Chapter 6 Interfaces

gateway 4.6.7.8, upstream bandwidth 345, downstream bandwidth 123, and description "I am vir interface".

Router# configure terminal
Router(config)# interface ge1:1
Router(config-if-vir)# ip address 1.2.3.4 255.255.255.0
Router(config-if-vir)# ip gateway 4.6.7.8
Router(config-if-vir)# upstream 345
Router(config-if-vir)# downstream 123
Router(config-if-vir)# description I am vir interface
Router(config-if-vir)# f
ip ospf authentication ... 69
ip ospf message-digest-key <1..255> md5 <password> ... 69
ip route replace w.x.y.z w.x.y.z {<interface> | w.x.y.z} <0..127> with w.x.y.z w.x.y.z ... 105
ip ssh server rule {<rule_number> | append | insert <rule_number>} access-group {ALL | <address_object>} zone {ALL | <zone_object>} action {accept | deny} ... 289
ip ssh server rule move <rule_number> to <rule_number> ... 289
ip telnet server rule {<rule_number> | append | insert <rule_number>} access-group {ALL | <address_object>} zone {ALL | <zone_object>} action {accept | deny} ... 290
ip telnet server rule move <rule_number> to <rule_number> ... 290
ip virtual-server {activate | deactivate} <profile_name> ... 121
ip virtual-server delete <profile_name> ... 121
e ZyWALL check or not check incoming certificates that are signed by this certificate against a Certificate Revocation List (CRL) on a LDAP (Lightweight Directory Access Protocol) directory server.
ldap ip {<ip> | <fqdn>} port <1..65535> [id <name> password <password>] [deactivate]
    Sets the validation configuration for the specified remote trusted certificate where the directory server uses LDAP.
    ip: Type the IP address (in dotted decimal notation) or the domain name of the directory server. The domain name can use alphanumeric characters, periods, and hyphens. Up to 255 characters.
    port: Specify the LDAP server port number. You must use the same server port number that the directory server uses. 389 is the default server port number for LDAP.
    The ZyWALL may need to authenticate itself in order to access the CRL directory server. Type the login name (up to 31 characters) from the entity maintaining the server (usually a certification authority). You can use alphanumeric characters, the underscore, and the dash. Type the password (up to 31 characters) from the entity maintaining the CRL directory server (usually a certification authority). You can use the following characters: a-zA-Z0-9 & _ < >.
ocsp {activate | deactivate}
    Has the ZyWALL check or not check incoming certificates that are signed by this certificate against a directory server that uses OCSP (Online Certificate Status Protocol).
oc
e capture file when either this period of time has passed or the file reaches the size specified using the files-size command below. 0 means there is no time limit.

Chapter 46 Maintenance Tools

Table 204 Maintenance Tools Commands in Privilege Mode (continued)

file-suffix <profile_name>
    Specifies text to add to the end of the file name (before the dot and filename extension) to help you identify the packet capture files. Modifying the file suffix also avoids making new capture files that overwrite existing files of the same name. The file name format is: interface name-file suffix.cap, for example vlan2-packet-capture.cap.
files-size <1..10000>
    Specifies a maximum size limit in megabytes for the total combined size of all the capture files on the ZyWALL, including any existing capture files and any new capture files you generate. The ZyWALL stops the capture and generates the capture file when either the file reaches this size or the time period specified using the duration command above expires.
host-ip {<ip_address> | <profile_name> | any}
    Sets a host IP address or a host IP address object for which to capture packets. any means to capture packets for all hosts.
host-port <0..65535>
    If you set the IP Type to any, tcp, or udp using the proto-type command below, you can specify the port number of traffic to capture.
ifa
e computer and saves it on the ZyWALL as next.conf.

Note: Uploading a custom signature file named custom rules overwrites all custom signatures on the ZyWALL.

Figure 28 FTP Configuration File Upload Example

C:\> ftp 192.168.1.1
Connected to 192.168.1.1.
220 FTP Server (ZyWALL) [192.168.1.1]
User (192.168.1.1:(none)): admin
331 Password required for admin.
Password:
230 User admin logged in.
ftp> cd conf
250 CWD command successful
ftp> bin
200 Type set to I
ftp> put tomorrow.conf next.conf
200 PORT command successful
150 Opening BINARY mode data connection for next.conf
226 Post action ok
226 Transfer complete
ftp: 20231 bytes sent in 0.00Seconds 20231000.00Kbytes/sec.

39.6.3 Command Line FTP File Download

1 Connect to the ZyWALL.
2 Enter bin to set the transfer mode to binary.
3 Use cd to change to the directory that contains the files you want to download.
4 Use dir or ls if you need to display a list of the files in the directory.
5 Use get to download files. For example, get vpn_setup.zysh vpn.zysh transfers the vpn_setup.zysh configuration file on the ZyWALL to your computer and renames it vpn.zysh.

1 When you upload a custom signature, the ZyWALL appends it to the existing custom signatures stored in the custom rules file.

Chapter 39 File Manager

39.6.4 Command Line FTP Configuration File Download Example

The followi
e cursor to the end of the line.

1.6.7 Erase Current Command

Press [CTRL]+U to erase whatever you have currently typed at the prompt (before pressing [ENTER]).

1.6.8 The no Commands

When entering the no commands described in this document, you may not need to type the whole command. For example, with the [no] mss <536..1452> command, you use mss 536 to specify the MSS value. But to disable the MSS setting, you only need to type no mss instead of no mss 536.

Chapter 1 Command Line Interface

1.7 Input Values

You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed on the screen. For example, in the following example, the next input value is a string called <description>:

Router# configure terminal
Router(config)# interface ge1
Router(config-if-ge)# description
<description>

When you use the example above, note that ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.

The following table provides more information about input values like <description>.

Table 3 Input Value Formats for Strings in CLI Commands

TAG / VALUES / LEGAL VALUES
all / ALL
authentication key / Used in IP
317. e_name
    Adds the specified schedule to the rule.
[no] user username
    Adds the specified user to the rule.
[no] from zone_name
    Specifies the source zone.
[no] to zone_name
    Specifies the destination zone.
[no] source profile_name
    Adds the specified source address to the rule.
[no] destination profile_name
    Adds the specified destination address to the rule.
[no] protocol {tcp | udp}
    Adds the specified protocol to the rule.
access {forward | drop | reject}
    Specifies the action when traffic matches the rule.
[no] action block {login | message | audio | video | file-transfer}
    Blocks use of a specific feature.
bandwidth {inbound | outbound} <0..1048576>
    Limits inbound or outbound bandwidth in kilobits per second. 0 disables bandwidth management for traffic matching this rule.
[no] bandwidth excess-usage
    Enables maximize bandwidth usage to let the traffic matching this policy borrow any unused bandwidth on the outgoing interface.
bandwidth priority <1..7>
    Sets the priority for traffic that matches this rule. The smaller the number, the higher the priority.
[no] inbound dscp-mark {<0..63> | class default}
    This is how the ZyWALL handles the DSCP value of the outgoing packets to a connection's initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to class default to have the ZyWALL set the DSCP value to 0.
[no] log [alert]
    Creates log entries and alerts for traffic that
319. e pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT, and WAN.
rule_number
    The priority number of a firewall rule, 1..X, where X is the highest number of rules the ZyWALL model supports. See the ZyWALL's User's Guide for details.
schedule_object
    The name of the schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
service_name
    The name of the service (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

The following table describes the commands available for the firewall. You must use the configure terminal command to enter the configuration mode before you can use the configuration commands. Commands that do not have IPv6 specified in the description are for IPv4.

Table 66 Command Summary: Firewall
[no] firewall asymmetrical-route activate
    Allows or disallows asymmetrical route topology.
[no] connlimit max-per-host <1..8192>
    Sets the highest number of sessions that the ZyWALL will permit a host to have at one time. The no command removes the settings.
firewall rule_number
    Enters the firewall sub-command mode to set a firewall rule. See Table 67 on page 137 for the sub-commands.
firewall zone_object {zone_object | ZyWALL} rule_number
    Enters the firewall sub-com
320. e quotes. For example, enter "Bad Site" to block access to any web page that includes the exact phrase "Bad Site". This does not block access to web pages that only include part of the phrase (such as "Bad" in this example).
message
    The message to display when a web site is blocked. Use up to 255 characters (0-9a-zA-Z&_) in quotes. For example, "Access to this web page is not allowed. Please contact the network administrator".
redirect_url
    The URL of the web page to which you want to send users when their web access is blocked by content filtering. The web page you specify here opens in a new frame below the denied access message. Use "http://" followed by up to 255 characters (0-9a-zA-Z&_) in quotes. For example, "http://192.168.1.17/blocked access".
license
    The license key (up to 15 characters) for the external web filtering service.
service_timeout
    The value specifies the maximum querying time in seconds <1..60>.
timeout
    The value specifies the maximum life time in hours <1..720>.
url
    The URL of a web site in http://xxx.xxx.xxx format.
rating_server
    The hostname or IP address of the rating server.
query_timeout
    The value specifies the maximum querying time when testing the connection to an external content filtering server or checking its rating for a URL, <1..60> seconds.

23.6 General Content Filter Commands
T
321. e's IPv6 address from the DHCPv6 server.
ipv6 dhcp6 duid {duid | mac}
    Specify the DHCP Unique IDentifier (DUID) of the interface or have it generated from the interface's default MAC address.
[no] ipv6 dhcp6-request-object dhcp6_profile
    For a DHCPv6 client interface, specify the profile of DHCPv6 request settings that determine what additional information to get from the DHCPv6 server. The no command removes the DHCPv6 request settings profile.
show interface ppp system-default
    Displays system default PPP interfaces (non-deletable) that come with the ZyWALL.
show interface ppp user-define
    Displays all PPP interfaces that were manually configured on the ZyWALL.

6.5.1 PPPoE/PPTP Interface Command Examples
The following commands show you how to configure PPPoE/PPTP interface ppp0 with the following characteristics: base interface ge1, ISP account Hinet, local address 1.1.1.1, remote address 2.2.2.2, MTU 1200, upstream bandwidth 345, downstream bandwidth 123, description "I am ppp0", and dialed only when used.

Router# configure terminal
[the remaining Router(config-if-ppp)# command lines of this example are illegible in the scanned copy]
322. e set.

21.3.1 Update Signature Examples
These examples show how to enable/disable automatic anti-virus downloading, schedule updates, display the schedule, display the update status, show the new updated signature version number, show the total number of signatures, and show the date/time the signatures were created.

Router# configure terminal
Router(config)# anti-virus update signatures
ANTI-VIRUS signature update in progress.
Please check system log for future information.
Router(config)# anti-virus update auto no
Router(config)# anti-virus update auto
Router(config)# anti-virus update hourly
Router(config)# anti-virus update daily 10
Router(config)# anti-virus update weekly fri 13
Router(config)# show anti-virus update
auto: yes
schedule: weekly at Friday 13 o'clock
Router(config)# show anti-virus update status
current status: Anti-Virus Current signature version 1.046 on device is latest at Tue Apr 17 10:18:00 2007
last update time: 2007-04-07 10:41:01
Router(config)# show anti-virus signatures status
current version: 1.046
release date: 2007-04-06 10:41:29
signature number: 4124

21.4 Anti-virus Statistics
The following table describes the commands for collecting and displaying anti-virus statistics. You must use the con these commands
323. e specified IP address.
users force-logout {username | ip | ipv6_addr}
    Logs out the specified login.

26.2.5.1 Additional User Command Examples
The following commands display the users that are currently logged in to the ZyWALL and force the logout of all logins from a specific IP address.

Router# configure terminal
Router(config)# show users all
No: 0  Name: admin  Type: admin  From: console  Service: console  Session_Time: 25:46:00  Idle_Time: unlimited  Lease_Timeout: unlimited  Re_Auth_Timeout: unlimited  User_Info: admin
No: 1  Name: admin  Type: admin  From: 192.168.1.34  Service: http/https  Session_Time: 00:02:26  Idle_Time: unlimited  Lease_Timeout: unlimited  Re_Auth_Timeout: unlimited  User_Info: admin
Router(config)# users force-logout 192.168.1.34
Logout user 'admin' (from 192.168.1.34): OK
Total 1 user has been forced logout
Router(config)# show users all
No: 0  Name: admin  Type: admin  From: console  Service: console  Session_Time: 25:48:33  Idle_Time: unlimited  Lease_Timeout: unlimited  Re_Auth_Timeout: unlimited  User_Info: admin

The following commands display the users that are currently locked out and then unlock the user who is displayed.

Router# configure terminal
Router(config)# show lockout-users
No.  Username  Tried  From
(row garbled in the scanned copy: 1, 172.16.1.5, 2, 46)
Router(config)# unlock lockout-users 172.16.1.5
User from 172.16.1.5 is unlocked
Rout
325. ecified area.
[no] area IP {stub | nssa}
    Creates the specified area and sets it to the indicated type. The no command removes the area.
[no] area IP authentication
    Enables text authentication in the specified area. The no command disables authentication in the specified area.
[no] area IP authentication message-digest
    Enables MD5 authentication in the specified area. The no command disables authentication in the specified area.
[no] area IP authentication authentication-key authkey
    Sets the password for text authentication in the specified area. The no command clears the password.
[no] area IP authentication message-digest-key <1..255> md5 authkey
    Sets the MD5 ID and password for MD5 authentication in the specified area. The no command clears the MD5 ID and password.

9.2.4 Virtual Link Commands
This table lists the commands for virtual links in OSPF areas.

Table 52 router Commands: Virtual Links in OSPF Areas
show ospf area IP virtual-link
    Displays information about virtual links for the specified area.
router ospf
    [no] area IP virtual-link IP
        Creates the specified virtual link in the specified area. The no command removes the specified virtual link.
    [no] area IP virtual-link IP authentication
        Enables text authentication in the specified virtual link. The no command disables authentication in the specified virtual link.
    [no]
326. econds.
Router(config)# session-timeout udp-connect 10
Router(config)# session-timeout udp-deliver 15

43 Diagnostics
This chapter covers how to use the diagnostics feature.

43.1 Diagnostics
The diagnostics feature provides an easy way for you to generate a file containing the ZyWALL's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.

43.2 Diagnosis Commands
The following table lists the commands that you can use to have the ZyWALL collect diagnostics information. Use the configure terminal command to enter the configuration mode to be able to use these commands.

Table 200 diagnosis Commands
diag-info collect
    Has the ZyWALL create a new diagnostic file.
show diag-info
    Displays the name, size, and creation date (in yyyy-mm-dd hh:mm:ss format) of the diagnostic file.

43.3 Diagnosis Commands Example
The following example creates a diagnostic file and displays its name, size, and creation date.

Router# configure terminal
Router(config)# diag-info collect
Please wait, collecting information
Router(config)# show diag-info
Filename: diaginfo-20070423.tar.bz2
File size: 1259 KB
Date: 2007-04-23 09:55:09
327. ection map name to bind to this VPN configuration provisioning rule's user or group.
user username
    Specifies a user or group of users allowed to use the ZyWALL IPSec VPN client to retrieve the associated VPN rule settings. A user may belong to a number of groups. If VPN configuration provisioning rules are configured for different groups, the ZyWALL will allow VPN rule setting retrieval based on the first match found. Admin or limited-admin users are not allowed.
no user
    Removes the VPN configuration provisioning rule's user or user group configuration. In other words, any users can match the rule. In the GUI, "any" will display in the Allowed User field.
exit
    Leaves the sub-command mode.
vpn-configuration-provision rule {delete conf_index | move conf_index to conf_index}
    Deletes or moves the specified VPN configuration provisioning rule.
[no] vpn-configuration-provision activate
    Turns the VPN configuration provisioning service on or off.
vpn-configuration-provision authentication auth_method
    Sets the authentication method the VPN configuration provisioning service uses to authenticate users.
show vpn-configuration-provision activation
    Displays whether or not the VPN configuration provisioning service is activated.
show vpn-configuration-provision authentication
    Displays the authentication method the VPN configuration provisioning service uses to authenticate users.
show vpn-configuration
334. enerate pkcs10 name certificate_name cn-type {ip cn cn_address | fqdn cn cn_domain_name | mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa | dsa} key-len key_length
    Generates a PKCS#10 certification request.
ca generate pkcs12 name name password password
    Generates a PKCS#12 certificate.
ca generate x509 name certificate_name cn-type {ip cn cn_address | fqdn cn cn_domain_name | mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa | dsa} key-len key_length
    Generates a self-signed x509 certificate.
ca rename category {local | remote} old_name new_name
    Renames a local (my certificates) or remote (trusted certificates) certificate.

Table 156 ca Commands Summary (continued)
ca validation remote_certificate
    Enters the sub-command mode for validation of certificates signed by the specified remote (trusted) certificates.
cdp {activate | deactivate}
    Turns certificate revocation on or off. When it is turned on, the ZyWALL validates a certificate by getting a Certificate Revocation List (CRL) through HTTP or LDAP (can be configured after activating the LDAP checking option) and online responder (can be configured after activating the OCSP checking option). You also need to configure the OCSP or LDAP server details.
ldap {activate | deactivate}
    Has th
335. ensitive.
    Deletes all authentication profiles or the specified authentication profile. Note: You can NOT delete a profile that is currently in use.
show aaa authentication {group-name | default}
    Displays the specified authentication server profile settings.
[no] aaa authentication profile-name
    Sets a descriptive name for the authentication profile. The no command deletes a profile.
[no] aaa authentication default member1 [member2] [member3] [member4]
    Sets the default profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius, or local. Note: You must specify at least one member for each profile. Each type of member can only be used once in a profile. The no command clears the specified authentication method(s) for the profile.

Table 153 aaa authentication Commands (continued)
[no] aaa authentication profile-name member1 [member2] [member3] [member4]
    Sets the profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius, or local. Note: You must specify at least one member for each profile. Each type of member can only be used once in a profile. The no command clears the specified authentication method(s) for the profile.
aaa authentication no-match
    Enable this to treat a user successfu
336. ent.
Router# configure terminal
Router(config)# ip http secure-server cert MyCert

38.4 SSH
Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.

38.4.1 SSH Implementation on the ZyWALL
Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour, and Blowfish). The SSH server is implemented on the ZyWALL for remote management on port 22 (by default).

38.4.2 Requirements for Using SSH
You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.

38.4.3 SSH Commands
The following table describes the commands available for SSH. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 172 Command Summary: SSH
[no] ip ssh server
    Allows SSH access to the ZyWALL CLI. The no command disables SSH access to the ZyWALL CLI.
[no] ip ssh server cert certificate_name
    Sets a certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. The no command resets the certificate used
337. ents sent out the interface. The router lifetime value should be equal to or greater than the router advertisement interval.
nd ra retrans-timer <0..4294967295>
    Sets the IPv6 router advertisement retransmission interval in milliseconds.
ipv6 address dhcp6_profile dhcp6_suffix_128
    Has the ZyWALL obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network (such as the LAN or DMZ).
    dhcp6_profile: Specify the DHCPv6 request object to use.
    dhcp6_suffix_128: Specify the ending part of the IPv6 address, a slash (/), and the prefix length. The ZyWALL appends it to the delegated prefix. For example, you got a delegated prefix of 2003:1234:5678::/48. You want to configure an IP address of 2003:1234:5678:1111::1/128 for this interface, then enter ::1111:0:0:0:1/128 for the dhcp6_suffix_128.

Table 16 interface General Commands: Basic Properties and IP Address Assignment (continued)
nd ra prefix-advertisement dhcp6_profile dhcp6_suffix_64
    Configures the network prefix to use a delegated prefix as the beginning part of the network prefix.
    dhcp6_profile: Specify the DHCPv6 request object to use for generating the network prefix for the network.
    dhcp6_suffix_64: Specify the ending part of the IPv6 network address plus a slash (/) and the prefix length. The ZyWALL appends it to the selected delegate
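The prefix-plus-suffix arithmetic behind the dhcp6_suffix_128 and dhcp6_suffix_64 parameters, as an added example (not code from the ZLD guide or from ZyXEL) that applies the same rule to any delegated prefix and also works it backwards, from the address you want to the suffix you have to type. The function names apply_dhcp6_suffix and suffix_for, and the decision to reject a suffix that sets bits inside the delegated part, are assumptions of this example, not documented ZLD behaviour.

```python
import ipaddress

# Added example (not ZyXEL code): models how a ZLD dhcp6 suffix is appended to
# the prefix delegated by the DHCPv6 server, e.g. 2003:1234:5678::/48 plus
# ::1111:0:0:0:1/128 gives 2003:1234:5678:1111::1/128.


def apply_dhcp6_suffix(delegated_prefix: str, suffix: str) -> str:
    """Combine a delegated prefix with a ZLD-style suffix.

    delegated_prefix: what the DHCPv6 server handed out, e.g. "2003:1234:5678::/48".
    suffix: the ending part plus a slash and prefix length, e.g.
            "::1111:0:0:0:1/128" (interface address) or "::1111:0:0:0:0/64" (RA prefix).
    Returns the resulting address or network in CIDR notation.
    """
    net = ipaddress.IPv6Network(delegated_prefix, strict=False)  # mask stray host bits
    suf = ipaddress.IPv6Interface(suffix)

    # The result keeps the prefix length given with the suffix; it cannot be
    # shorter than the delegation or the "suffix" would overwrite ISP-owned bits.
    if suf.network.prefixlen < net.prefixlen:
        raise ValueError(
            f"suffix /{suf.network.prefixlen} is shorter than the delegated /{net.prefixlen}"
        )

    # Assumption of this example: bits set inside the delegated part are an
    # operator error and are rejected rather than silently ORed over the prefix.
    if int(suf.ip) & int(net.netmask):
        raise ValueError(f"suffix {suffix} sets bits inside delegated prefix {delegated_prefix}")

    combined = int(net.network_address) | int(suf.ip)
    return f"{ipaddress.IPv6Address(combined)}/{suf.network.prefixlen}"


def suffix_for(delegated_prefix: str, wanted: str) -> str:
    """Inverse direction: given the delegated prefix and the address or network you
    want the interface to end up with, return the suffix to enter in the CLI."""
    net = ipaddress.IPv6Network(delegated_prefix, strict=False)
    want = ipaddress.IPv6Interface(wanted)
    if want.ip not in net:
        raise ValueError(f"{wanted} is not inside delegated prefix {delegated_prefix}")
    # Keep only the bits below the delegated prefix length.
    low_bits = int(want.ip) & ~int(net.netmask) & ((1 << 128) - 1)
    return f"{ipaddress.IPv6Address(low_bits)}/{want.network.prefixlen}"


if __name__ == "__main__":
    # The guide's own numbers: /48 delegation, wanted address 2003:1234:5678:1111::1/128.
    print(apply_dhcp6_suffix("2003:1234:5678::/48", "::1111:0:0:0:1/128"))
    print(suffix_for("2003:1234:5678::/48", "2003:1234:5678:1111::1/128"))
```

Because the suffix is ORed onto the delegated prefix, a suffix that carries bits in the upper 48 positions would silently change the ISP-assigned part of the address; the overlap check makes that a visible error instead.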
338. er(config)# show lockout-users
No.  Username  Tried  From  Lockout Time Remaining

27 Addresses
This chapter describes how to set up addresses and address groups for the ZyWALL.

27.1 Address Overview
Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.

You can create IP address objects based on an interface's IP address, subnet, or gateway. The ZyWALL automatically updates these objects whenever the interface's IP address settings change. This way, every rule or setting that uses the object uses the updated IP address settings. For example, if you change the LAN1 interface's IP address, the ZyWALL automatically updates the corresponding interface-based LAN1 subnet address object. So any configuration that uses the LAN1 subnet address object is also updated.

Address objects and address groups are used in dynamic routes, firewall rules, application patrol, content filtering, and VPN connection policies. For example, addresses are used to specify where content restrictions apply in content filtering. Please see the respective sections for more information about how address objects and address groups are used in each one.

Address groups are composed of address objects and address groups. The sequence of members in the address group is not important.

27.2
339. er a license key to have the ZyWALL use more SSL VPN tunnels.

The content filter allows or blocks access to web sites. Subscribe to category-based content filtering to block access to categories of web sites based on content. Your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block, block and/or log access to web sites based on these categories.

You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/AppPatrol service. You can also check for new signatures at http://mysecurity.zyxel.com.

See the respective chapters for more information about these features.

Note: To update the signature file or use a subscription service, you have to register the ZyWALL and activate the corresponding service at myZyXEL.com through the ZyWALL.

5.2 Registration Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 8 Input Values for General Registration Commands
user_name
    The user name of your myZyXEL.com account. You must use six to 20 alphanumeric characters and the underscore. Spaces are not allowed.
password
    The password for the myZyXEL.com account. You must use six to 20 alphanumeric characters and the underscore. Spaces are not allowed.

The following table d
340. erface: brx, x = 0..N, where N depends on the number of bridge interfaces your ZyWALL model supports. Virtual interface on top of bridge interface: brx:y, x = the number of the bridge interface, y = 1..4. PPPoE/PPTP interface: pppx, x = 0..N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.
module_name
    The name of the category: kernel, syslog, ... The default category includes debugging messages generated by open source software. The all category includes all messages in all categories.
protocol
    The name of a protocol, such as TCP, UDP, ICMP.

The following sections list the logging commands.

40.1.1 Log Entries Commands
This table lists the commands to look at log entries.

Table 187 logging Commands: Log Entries
show logging entries [priority pri] [srcip ip] [srcip6 ipv6_addr] [dstip ip] [dstip6 ipv6_addr] [category module_name] [service service_name] [keyword keyword] [srciface interface_name] [dstiface interface_name] [protocol protocol] [begin <1..512> end <1..512>]
    Displays the specified entries in the system log.
    pri: alert | crit | debug | emerg | error | info | notice | warn
    keyword: You can use alphanumeric and S_ characters, and it can be up to 63 characters long. This searches the message, source, destination, and notes fields.
341. erfaces

6.7 Tunnel Interface Specific Commands
The ZyWALL uses tunnel interfaces in Generic Routing Encapsulation (GRE), IPv6 in IPv4, and 6to4 tunnels. This section covers commands specific to tunnel interfaces. Tunnel interfaces also use many of the general interface commands discussed at the beginning of Section 6.2 on page 57.

Use these commands to add, edit, activate, deactivate, or delete tunnel interfaces. You must use the configure terminal command to enter the configuration mode before you can use these commands.

GRE mode tunnels support ping check. See Section 6.2.6 on page 70 for more on ping check.

Table 29 Tunnel Interface Commands
[no] interface tunnel_iface
    Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface. tunnel_iface: name of the tunnel interface, tunnel0 to tunnel3.
[no] shutdown
    Deactivates the specified interface. The no command activates it.
tunnel source {ipv4 | tunnel_bind_interface | any}
    Configures the outer source IP address of the tunneled packets. Specify an IPv4 address or use the IP address of an interface. any: have the ZyWALL automatically select the outer source IP. Not available for ipv6ip mode tunnels.
tunnel destination ipv4
    Configures the outer destination IP address of the tunneled IPv4 packets.
ip address ipv4 ipv4
    Sets the inner source IP of packets sent through the tunnel interface
342. erminal
Router(config)# show app http config
application: http
active: yes
mode: portless
default access: forward
bandwidth graph: yes
Router# configure terminal
Router(config)# show app http defaultport
No.  Port
Router# configure terminal
Router(config)# show app http rule all
index: default
  activate: yes
  port: 0
  Schedule: none
  user: any
  from zone: any
  to zone: any
  Source address: any
  destination address: any
  access: forward
  action login: n/a
  action message: n/a
  action audio: n/a
  action video: n/a
  action file transfer: n/a
  DSCP inbound marking: preserve
  DSCP outbound marking: preserve
  bandwidth excess usage: no
  bandwidth priority: 1
  bandwidth inbound: 0
  bandwidth outbound: 0
  log: no
Router# configure terminal
Router(config)# show app other config
bandwidth graph: yes
Router# configure terminal
index: 1
  activate: yes
  port: 5963
  Schedule: none
  user: any
  from zone: any
  to zone: any
  Source address: any
  destination address: any
  protocol: tcp
  access: forward
  bandwidth excess usage:
  bandwidth priority: 1
  bandwidth inbound: 0
  bandwidth outbound: 0
  log: no
index: default
  activate: yes
  port: 0
  Schedule: none
  user: any
  from zone: any
  to zone: any
  Source address: any
  destination address: any
  protocol: any
  access: forward
  bandwidth excess usage:
  bandwidth priorit
343. es from internal interfaces to external interfaces, for example, LAN to WAN traffic.
    internal: Set this to connect to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The ZyWALL automatically adds default SNAT settings for traffic flowing from this interface to an external interface.
    external: Set this to connect to an external network, like the Internet. The ZyWALL automatically adds this interface to the default WAN trunk.
    general: Set this if you want to manually configure a policy route to add routing and SNAT settings for the interface.
no use defined mac
    Has the interface use its default MAC address.
use defined mac
    Has the interface use a MAC address that you specify.

6.3.2 Port Grouping Commands
This section covers commands that are specific to port grouping.

Note: In CLI, representative interfaces are also called representative ports.

Table 24 Basic Interface Setting Commands
show port grouping
    Displays which physical ports are assigned to each representative interface.
port grouping representative_interface port <1..x>
    Adds the specified physical port to the specified representative interface. representative_interface: gex in a ZyWALL USG 300 or above; a dmz, ext wlan, or lan1 interface in a ZyWALL USG 100 or 200. <1..x>, where x equals the highest numbered port for your ZyWALL model.
no port <1..x
344. es log entries and alerts for traffic that matches the rule. The no command does not create any log entries.

Table 86 app patrol exception rule Sub-commands (continued)
[no] outbound dscp mark {<0..63> | class default | dscp_class}
    This is how the ZyWALL handles the DSCP value of the outgoing packets from a connection's initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to the class default to have the ZyWALL set the DSCP value to 0.
port <0..65535>
    Specifies the destination port. 0 means any.
[no] schedule profile_name
    Adds the specified schedule to the rule.
show
    Displays the rule's configuration.
[no] source profile_name
    Adds the specified source address to the rule.
[no] to zone_name
    Specifies the destination zone.
[no] user username
    Adds the specified user to the rule.

20.2.4 Other Application Commands
This table lists the commands for other applications in application patrol.

Table 87 app Commands: Other Applications
app other del {forward | drop | reject}
    Specifies the default action for other applications.
[no] app other log [alert]
    Creates log entries and alerts for other applications. The no command does not create any log entries.

20.2.5 Rule
346. escribes the commands available for registration. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 9 Command Summary: Registration
device register checkuser user_name
    Checks if the user name exists in the myZyXEL.com database.
device register username user_name password password [e-mail user@domainname] [country code country_code] [reseller name name] [reseller mail email_address] [reseller phone phone_number] [vat vat_number]
    Registers the device with an existing account, or creates a new account and registers the device at one time. country_code: see Table 10 on page 48.
service register checkexpire
    Gets information of all service subscriptions from myZyXEL.com and updates the status table.
service register service type standard license key key
    Activates a standard service subscription with the license key value key.
service register service type trial service {content filter | idp}
    Activates the content filter or IDP trial service subscription.
service register service type trial service all
    Activates all of the trial service subscriptions, including kav/zav (Kaspersky or ZyXEL anti-virus).
service register service type trial service av
    Activates a Kaspersky
347. escription downstream budget downstream exit connectivity encrypted wep key ip description exit ipv6 device group key mss downstream hide mtu encrypted pin idle no exit ip ping check local address mtu port metric no shutdown mtu ping check traffic prioritize network selection reauth type no Security upstream pin shutdown vlan id ping check ssid remote address station limit shutdown traffic prioritize traffic prioritize upstream upstream wep key

Table 18 Examples for Different Interface Parameters (continued)
BRIDGE
  Router(config)# interface br0
  Router(config-if-brg)#
    description, downstream, exit, ip, ipv6, join, mss, mtu, no, ping check, shutdown, traffic prioritize, upstream
AUXILIARY
  Router(config)# interface aux
  Router(config-if-aux)#
    authentication, description, dial timeout, dialing type, encrypted password, exit, idle, initial string, no, password, phone number, port speed, shutdown, traffic prioritize, username
TUNNEL
    downstream, exit, ip, ipv6, metric, mtu, no, ping check, shutdown, traffic prioritize, tunnel, type, upstream

6.2.4 RIP Commands
This table lists the commands for RIP settings.

Table 19 interface Commands: RIP Settings
router rip
    Enters sub-command mode.
[no] network interface_name
    Enables RIP for the specified interface. The no command disables RIP for the specified interface.
349. espectively. unknown means unknown users and services, respectively.
show conn ip traffic destination
    Displays information about traffic sessions sorted by the destination.
show conn ip traffic source
    Displays information about traffic sessions sorted by the source.
show conn status
    Displays the number of active sessions.

41.1.4 Packet Size Statistics Commands
Using the packet size statistics to view packet size distribution may aid you in troubleshooting network performance. In particular, a large number of small packets can drastically reduce throughput.

This table lists the commands to enable and disable packet size statistics data collection and display the setting status and statistics.

Table 196 Packet Size Statistics Commands
[no] report packet size statistics
    Enables or disables packet size statistics data collection.
show report packet size statistics status
    Shows whether packet size statistics data collection is enabled or disabled.
show report packet size statistics interface_name [interval interval]
    Displays the specified interface's packet size distribution statistics. You can also specify the packet size interval into which to group the statistics. interval: 128, 256 or 512 bytes.
report pac
351. et Interface Specific Commands
This section covers commands that are specific to Ethernet interfaces. The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 22 Input Values for Ethernet Interface Commands
interface_name
    The name of the Ethernet interface. This depends on the ZyWALL model. For the ZyWALL USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext wlan, or dmz.

6.3.1 MAC Address Setting Commands
This table lists the commands you can use to set the MAC address of an interface. On the ZyWALL USG 200 and below models, these commands only apply to a WAN or OPT interface.

Table 23 interface Commands: MAC Setting
interface interface_name
    Enters sub-command mode.
no mac
    Has the interface use its default MAC address.
mac mac
    Specifies the MAC address the interface is to use.
type {internal | external | general}
    Sets which type of network you will connect this interface. The ZyWALL automatically adds default route and SNAT settings for traffic it rout
352. f restricted web pages.
url
    Tests whether or not a web site is saved in the ZyWALL's database of restricted web pages.
exit
    Leaves the sub-command mode.

23.9 Content Filtering Statistics
The following table describes the commands for collecting and displaying content filtering statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 115 Commands for Content Filtering Statistics
[no] content filter statistics collect
    Turns the collection of content filtering statistics on or off.
content filter statistics flush
    Clears the collected statistics.
show content filter statistics collect
    Displays whether the collection of content filtering statistics is turned on or off.
show content filter statistics summary
    Displays the collected statistics (the current content filtering statistics).

23.9.1 Content Filtering Statistics Example
This example shows how to collect and display content filtering statistics.
Router(config)# content filter statistics collect
Router(config)# show content filter statistics summary
total web pages inspected: 0
web pages warned by category service: 0
web pages blocked by category service: 0
web pages blocked by custom service: 0
res
353. ffic and the HTTP server in this example both use TCP port 80. So you set the port mapping type to port, the protocol type to TCP, and the original and mapped ports to 80.
Router(config)# ip virtual server To VirtualServer WWW interface ge2 original ip ge2 HTTP map to DMZ HTTP map type port protocol tcp original port 80 mapped port 80
Router(config)#

3 Configure firewall. Create a firewall rule to allow HTTP traffic from the WAN zone to the DMZ web server.
Router(config)# firewall insert 1
Router(firewall)# description To VirtualServer WWW
Router(firewall)# from WAN
Router(firewall)# to DMZ
Router(firewall)# destinationip DMZ HTTP
Router(firewall)# service HTTP
Router(firewall)# exit
Router(config)# write
Router(config)#

Now the public can go to IP address 1.1.1.2 to access the HTTP server.

13 HTTP Redirect
This chapter shows you how to configure HTTP redirection on your ZyWALL.

13.1 HTTP Redirect Overview
HTTP redirect forwards the client's HTTP request (except HTTP traffic destined for the ZyWALL) to a web proxy server.

13.1.1 Web Proxy Server
A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks. It also keeps hackers fr
354. ffic by IP address and direction. service: traffic by service and direction. url: hits by URL.

41.1.2 Report Command Examples
The following commands start collecting data, display the traffic reports, and stop collecting data.
Router# configure terminal
Report status: on
Router(config)# show report ge1 ip
No.  IP Address   User   Amount      Direction
1    192.168.1.4  admin  1273 bytes  Outgoing
2    192.168.1.4  admin  711 bytes   Incoming
Router(config)# show report ge1 service
No.  Port  Service  Amount      Direction
1    21    ftp      1273 bytes  Outgoing
2    21    ftp      711 bytes   Incoming
Router(config)# show report ge1 url
No.  Hit  URL
1    1    140.114.79.60
Router(config)# show report status
Collection period: 0 days 0 hours 0 minutes 18 seconds

41.1.3 Session Commands
This table lists the commands to display the current sessions for debugging or statistical analysis.

Table 195 Session Commands
show conn [user {username | any | unknown}] [service {service_name | any | unknown}] [source {ip | any}] [destination {ip | any}] [begin <1..128000>] [end <1..128000>]
    Displays information about the selected sessions or about all sessions. You can look at all the active sessions or filter the information by user name, service object, source IP, destination IP, or session number(s). any means all users, services and IP addresses r
356. for e-mails that have a sender or relay IP address in the header that matches a blacklist maintained by a DNSBL domain. dnsbl timeout displays the message or label to add to the mail subject of e-mails that the ZyWALL forwards if queries to the DNSBL domains time out.
show anti spam dnsbl statistics
    Displays anti-spam DNSBL statistics for each configured DNSBL domain.
anti spam dnsbl statistics flush
    Clears the anti-spam DNSBL statistics for each configured DNSBL domain.
anti spam dnsbl query timeout time <1..10>
    Sets how long the ZyWALL waits for a reply from the DNSBL domains.
show anti spam dnsbl query timeout time
    Displays how long the ZyWALL waits for a reply from the DNSBL domains.

Table 122 DNSBL Commands
[no] anti spam xheader dnsbl mail_header mail_header_value
    Specifies the name and value for the X-Header to add to e-mails with a sender or relay IP address in the header that matches a black list maintained by a DNSBL domain in the ZyWALL's list.
show anti spam xheader dnsbl
    Displays the name and value for the X-Header to add to e-mails with a sender or relay IP address in the header that matches a black list maintained by a DNSBL domain in the ZyWALL's list.

24.2.4.1 DNSBL Example
This example:
- Sets the ZyWALL to use dnsbl.example.com as a DNSBL
- Turns DNSBL checking on
- Se
357. for this application.
show app protocol_name rule all statistics
    Displays all the rule statistics for this application.
show app other config
    Displays the basic configuration for other applications.
show app other statistics
    Displays statistics for other applications.
show app other rule rule_number
    Displays the rule's configuration.
show app other rule rule_number statistics
    Displays the rule's statistics.
show app other rule default
    Displays the default rule's configuration.
show app other rule default statistics
    Displays the default rule's statistics.
show app other rule all
    Displays the configurations of all the rules for other applications.
show app other rule all statistics
    Displays all the rule statistics for other applications.

Table 90 app Commands: Pre-Defined Applications (continued)
show app highest sip bandwidth priority
    Displays whether or not the option to maximize the throughput of SIP traffic is enabled.
show bwm activation
    Displays whether or not the global setting for bandwidth management on the ZyWALL is enabled.

20.2.6.1 General Command Examples
The following examples show the information that is displayed by some of the show commands.
Router# configure terminal
Router(config)# show bwm activation
bwm activation: yes
Router# configure t
358. for this SSL application.
    file sharing: create a file share application for VPN SSL.
    owa: Outlook Web Access, to allow users to access e-mails, contacts, and calendars via a Microsoft Outlook-like interface using supported web browsers. The ZyWALL supports one OWA object.
    web server: to allow access to the specified web site hosted on the local network.
url
    Enter the fully qualified domain name (FQDN) or IP address of the application server. You must enter the http:// or https:// prefix. Remote users are restricted to access only files in this directory. For example, if you enter /remote in this field, remote users can only access files in the remote directory.
entry point
    Optional. Specify the name of the directory or file on the local server as the home page or home directory on the user screen.

Table 159 SSL Application Object Commands
server type file sharing share path share_path
    Specifies the IP address, domain name, or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access. Enter the path in one of the following formats: \\<IP address>\<share name>, \\<domain name>\<share name>, or \\<computer name>\<share name>. For example, if you enter \\my server\Tmp, this allows remote users to access all files and/or folders in
359. g command displays the current status of the system log.
Router# configure terminal
Router(config)# show logging status system log
512 events logged
suppression active: yes
suppression interval: 10
category settings:
  content filter: normal
  forward web sites: no
  blocked web sites: normal
  user: normal
  myZyXEL.com: normal
  zysh: normal
  idp: normal
  app patrol: normal
  ike: normal
  ipsec: normal
  firewall: normal
  sessions limit: normal
  policy route: normal
  built in service: normal
  system: normal
  connectivity check: normal
  device ha: normal
  routing protocol: normal
  nat: normal
  pki: normal
  interface: normal
  interface statistics: no
  account: normal
  port grouping: normal
  force auth: normal
  l2tp over ipsec: normal
  anti virus: normal
  white list: normal
  black list: normal
  ssl vpn: normal
  cnm: normal
  traffic log: no
  file manage: normal
  dial in: normal
  adp: normal
  default: all m

40.1.3 Debug Log Commands
This table lists the commands for the debug log settings.

Table 189 logging Commands: Debug Log Settings
show logging debug status
    Displays the current settings for the debu
show logging debug entries [category module_name] [priority pri] [srcip ip] [srcip6 ipv6_addr] [dstip ip] [dstip6 ipv6_addr] [service service_name] [srciface interface_name] [dstiface interface_name] [protocol protocol] [begin <1..512> end <1..512>] [keyword keyword]
360. g log.
    Displays the specified entries in the system log.
    pri: alert | crit | debug | emerg | error | info | notice | warn
    keyword: You can use alphanumeric and QS characters, and it can be up to 63 characters long. This searches the message, source, destination, and notes fields.
show logging debug entries field field [begin <1..1024> end <1..1024>]
    Displays the specified field in the debug log. field: time | msg | src | dst | note | pri | cat | all
[no] logging debug suppression
    Enables log consolidation in the debug log. The no command disables log consolidation in the debug log.
[no] logging debug suppression interval <10..600>
    Sets the log consolidation interval for the debug log. The no command sets the interval to ten.
clear logging debug buffer
    Clears the debug log.

This table lists the commands for the remote syslog server settings.

Table 190 logging Commands: Remote Syslog Server Settings
show logging status syslog
    Displays the current settings for the remote servers.
[no] logging syslog <1..4>
    Enables the specified remote server. The no command disables the specified remote server.
[no] logging syslog <1..4> address {ip | hostname}
    Sets the URL or IP address of the specified remote server. The no command clears this field. hostname: You may up to
361. g order. This policy applies endpoint security policies and uses the following settings:
  Activate: yes
  Description: EPS on LAN
  Source: use address object LAN1_SUBNET
  Destination: use address object DMZ Servers
  User Authentication: required
  Schedule: no specified
  Endpoint security: Activate endpoint security; object: use EPS WinXP and EPS WinVista for the first and second checking EPS objects.

Router# configure terminal
Router(config)# force auth policy insert 1
Router(config-force-auth-1)# activate
Router(config-force-auth-1)# description EPS on LAN
Router(config-force-auth-1)# source LAN1_SUBNET
Router(config-force-auth-1)# destination DMZ Servers
Router(config-force-auth-1)# authentication force
Router(config-force-auth-1)# no schedule
Router(config-force-auth-1)# eps activate
Router(config-force-auth-1)# eps 1 EPS WinXP
Router(config-force-auth-1)# eps 2 EPS WinVista
Router(config-force-auth-1)# exit

26.2.5 Additional User Commands
This table lists additional commands for users.

Table 138 username/groupname Commands Summary: Additional
show users {username | all | current}
    Displays information about the users logged onto the system.
show lockout users
    Displays users who are currently locked out.
unlock lockout users {ip | console | ipv6_addr}
    Unlocks th
362. ge 229 for more information about the user types.
- User users can only log in, look at (but not run) the available commands in User mode, and log out.
- Limited Admin users can look at the configuration in the web configurator and CLI, and they can run basic diagnostics in the CLI.
- Admin users can configure the ZyWALL in the web configurator or CLI.
At the time of writing, there is not much difference between User and Privilege mode for admin users. This is reserved for future use.

1.6 Shortcuts and Help

1.6.1 List of Available Commands
A list of valid commands can be found by typing ? or TAB at the command prompt. To view a list of available commands within a command group, enter command ? or command TAB.

Figure 9 Help: Available Commands Example 1
Router# ?
  <cr>
  apply
  atse
  clear
  configure
  shutdown
  telnet
  test
  traceroute
  write
Router#

Figure 10 Help: Available Command Example 2
Router# show ?
  <wlan ap interface>
  aaa
  access page
  account
  ad server
  address object
  wlan
  workspace
  zone
Router# show

1.6.2 List of Sub-commands or Required User Input
To view detailed help information for a command, enter command sub-command ?.

Figure 11 Help: Sub-command Information Example
Router(config)# ip telnet server ?
  <cr>
  port
  rule
Router(config)# ip telnet server
363. ge 304. If you do not assign the duration, the ZyWALL keeps dumping traffic until you use Ctrl+C. Use the extension filter to extend the use of this command.
    protocol_name: You can use the name instead of the number for some IP protocols, such as tcp, udp, icmp, and so on. The names consist of 1-16 alphanumeric characters or dashes. The first character cannot be a number.
    hostname: You can use up to 252 alphanumeric characters, dashes, or periods. The first character cannot be a period.
    filter_extension: You can use 1-256 alphanumeric characters, spaces, or _ characters.
traceroute {ip | hostname}
    Displays the route taken by packets to the specified destination. Use Ctrl+C to return to the prompt.
traceroute6 {ipv6 | hostname}
    Displays the route taken by packets to the specified destination. Use Ctrl+C to return to the prompt.
[no] packet capture activate
    Performs a packet capture that captures network traffic going through the set interface(s). Studying these packet captures may help you identify network problems. The no command stops the running packet capture on the ZyWALL.
    Note: Use the packet capture configure command to configure the packet capture settings before using this command.
packet capture configure
    Enters the sub-command mode.
duration <0..300>
    Sets a time limit in seconds for the capture. The ZyWALL stops the capture and generates th
gure 32 Recovery Image Damaged
Press any key to enter debug mode within 3 seconds.
Invalid Recovery Image
ERROR
Enter Debug Mode
>

Chapter 39 File Manager
4 If "Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file" displays on the screen, the firmware file is damaged. Use the procedure in Section 39.10 on page 310 to restore it. If the message does not display, the firmware is OK and you do not need to use the firmware recovery procedure.

Figure 33 Firmware Damaged
Building ...
Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file

39.9 Restoring the Recovery Image
This procedure requires the ZyWALL's recovery image. Download the firmware package from www.zyxel.com and unzip it. The recovery image uses a .ri extension, for example, 1.01(XL.0)C0.ri. Do the following after you have obtained the recovery image file.
Note: You only need to use this section if you need to restore the recovery image.
1 Restart the ZyWALL.
2 When "Press any key to enter debug mode within 3 seconds." displays, press a key to enter debug mode.

Figure 34 Enter Debug Mode
BootModule Version: V1.011 | 2007/03/30 12:22:57
DRAM Size: 510 Mbytes
DRAM POST: Testing: 522240K OK
DRAM Test SUCCESS!
Kernel Version: V2.4.2 (kernel 2006/08/21) | 2006/08/21 19:54:00
ZLD Version: V1.01(XL.0) | 2006/09/11 17:41:56
Press any key to enter deb
h is an internal network.
Router(config)# interface ge2
Router(config-if-ge)# ip address 10.1.1.254 255.255.255.0
Router(config-if-ge)# exit
Router(config)# interface ge3
Router(config-if-ge)# ip address 172.16.10.254 255.255.255.0
Router(config-if-ge)# exit

2 Create four address objects for the SSL VPN DHCP pool, DNS servers, and the local network for SSL VPN authenticated users to access.
Router(config)# address-object IP-POOL 192.168.100.1-192.168.100.10
Router(config)# address-object DNS1 172.16.5.1
Router(config)# address-object DNS2 172.16.5.2
Router(config)# address-object NETWORK1 172.16.10.0/24

3 Create an endpoint security profile named EPS-1. SSL VPN users' computers must install Windows XP and TrendMicro PC-Cillin Internet Security 2007. Besides, the PC-Cillin anti-virus must be activated.
Router(config)# eps profile EPS-1
Router(eps EPS-1)# matching-criteria all
Router(eps EPS-1)# os-type windows
Router(eps EPS-1)# windows-version windows-xp
Router(eps EPS-1)# anti-virus activate
Router(eps EPS-1)# anti-virus "TrendMicro PC-Cillin Internet Security 2007" detect-auto-protection enable
Router(eps EPS-1)# exit

4 Create the SSL VPN user account named tester with password 1234.
Router(config)# username tester password 1234 user-type user

5 Create an SSL VPN rule named SSL_VPN_TEST. Enable it and apply the objects you just created.
Router(c
he CLI. You can access the CLI using a terminal emulation program on a computer connected to the console port, from the web configurator, or by accessing the ZyWALL using Telnet or SSH (Secure SHell).
Note: The ZyWALL might force you to log out of your session if the reauthentication time, lease time, or idle timeout is reached. See Chapter 26 on page 229 for more information about these settings.

Chapter 1 Command Line Interface
1.2.4 Console Port
The default settings for the console port are as follows.
Table 1 Managing the ZyWALL: Console Port
SETTING: VALUE
Speed: 115200 bps
Data Bits: 8
Parity: None
Stop Bit: 1
Flow Control: Off

When you turn on your ZyWALL, it performs several internal tests as well as line initialization. You can view the initialization information using the console port. Garbled text displays if your terminal emulation program's speed is set lower than the ZyWALL's. No text displays if the speed is set higher than the ZyWALL's. If changing your terminal emulation program's speed does not get anything to display, restart the ZyWALL. If restarting the ZyWALL does not get anything to display, contact your local customer support.

Figure 1 Console Port Power-on Display
FLASH: AMD 16M
BootModule Version: V1.14 | 07/09/2010 11:00:00
DRAM Size: 256 Mbytes
Kernel Version: V2.6.25.4 | 2011-10-28 00:25:30
ZLD Version: V3.00(BDR.0)b9 | 2011-10-2
he following table lists the commands that you can use for general content filter configuration, such as enabling content filtering, viewing and ordering your list of content filtering policies, creating a denial of access message or specifying a redirect URL, and checking your external web filtering service registration status. Use the configure terminal command to enter the configuration mode to be able to use these commands. See Table 111 on page 200 for details about the values you can input with these commands.

Chapter 23 Content Filtering
Table 112 content-filter General Commands
COMMAND: DESCRIPTION
[no] content-filter active: Turns on content filtering. The no command turns it off.
[no] content-filter block message <message>: Sets the message to display when content filtering blocks access to a web page. The no command clears the setting.
[no] content-filter block redirect <redirect_url>: Sets the URL of the web page to which to send users when their web access is blocked by content filtering. The no command clears the setting.
[no] content-filter timeout <timeout>: Sets how long the ZyWALL is to keep an entry in the content filtering URL before discarding it. The no command clears the setting.
[no] content-filter default block: Has the ZyWALL block sessions that do not match a content filtering policy. The no command allows sessions that do not match a content filtering policy.
he interface that works best for that type of traffic, and if that interface's connection goes down, the ZyWALL can still send its traffic through another interface.

7.2 Trunk Scenario Examples
Suppose one of the ZyWALL's interfaces is connected to an ISP that is also your Voice over IP (VoIP) service provider. You may want to set that interface as active and set another interface connected to another ISP to passive. This way, VoIP traffic goes through the interface connected to the VoIP service provider whenever that interface's connection is up.
Another example would be if you use multiple ISPs that provide different levels of service to different places. Suppose ISP A has better connections to Europe while ISP B has better connections to Australia. You could use policy routing and trunks to send traffic for your European branch offices primarily through ISP A and traffic for your Australian branch offices primarily through ISP B.

Chapter 7 Trunks
7.3 Trunk Commands Input Values
The following table explains the values you can input with the interface-group commands.
Table 40 interface-group Command Input Values
LABEL: DESCRIPTION
group_name: A descriptive name for the trunk. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 200 and lower models use WAN_TRUNK or WAN_TRUNK
he session limit feature on or off.
session-limit limit <0..8192>: Sets the default number of concurrent NAT/firewall sessions per host.
session-limit <rule_number>: Enters the session-limit sub-command mode to set a session limit rule.
  [no] activate: Enables the session limit rule. The no command disables the session limit rule.
  [no] address <address_object>: Sets the source IP address. The no command sets this to any, which means all IP addresses.
  [no] description <description>: Sets a descriptive name (up to 64 printable ASCII characters) for a session limit rule. The no command removes the descriptive name from the rule.
  exit: Quits the sub-command mode.
  [no] limit <0..8192>: Sets the limit for the number of concurrent NAT/firewall sessions this rule's users or addresses can have. 0 means any.
  [no] user <user_name>: Sets a session limit rule for the specified user. The no command resets the user name to the default (any). any means all users.

Chapter 16 Firewall
Table 69 Command Summary: Session Limit (continued)
COMMAND: DESCRIPTION
session-limit append: Enters the session-limit sub-command mode to add a session limit rule to the end of the session limit rule list.
session-limit delete <rule_number>: Removes a session limit rule.
session-limit flush: Removes all session limit rules.
session-l
he status of the extension card slot and USB ports, and the names of devices connected to them.
show fan-speed: Displays the current fan speed.
show led status: Displays the status of each LED on the ZyWALL.
show mac: Displays the ZyWALL's MAC address.
show mem status: Displays what percentage of the ZyWALL's memory is currently being used.
show ram-size: Displays the size of the ZyWALL's on-board RAM.
show redundant-power status: Displays the status of the ZyWALL's power modules. The ZyWALL has two power modules. It can continue operating on a single power module if one fails.
show serial-number: Displays the serial number of this ZyWALL.
show socket listen: Displays the ZyWALL's listening ports.
show socket open: Displays the ports that are open on the ZyWALL.
show system uptime: Displays how long the ZyWALL has been running since it last restarted or was turned on.
show version: Displays the ZyWALL's model, firmware and build information.

Here are examples of the commands that display the CPU and disk utilization.
Router(config)# show cpu status
CPU utilization: 0
CPU utilization for 1 min: 0
CPU utilization for 5 min: 0
Router(config)# show disk ?
  <cr>
Router(config)# show disk
No.  Disk            Size(MB)  Usage
1    image           67
2    onboard flash   163

Chapter 4 Status
hether this service is enabled or not.

37.6.3 DNS Command Example
This command sets an A record that specifies the mapping of a fully qualified domain name (www.abc.com) to an IP address (210.17.2.13).
Router# configure terminal
Router(config)# ip dns server a-record www.abc.com 210.17.2.13

System Remote Management
This chapter shows you how to determine which services/protocols can access which ZyWALL zones (if any) from which computers.
Note: To access the ZyWALL from a specified computer using a service, make sure no service control rules or to-ZyWALL firewall rules block that traffic.

38.1 Remote Management Overview
You may manage your ZyWALL from a remote location via:
  Internet (WAN only)
  ALL (LAN & WAN & DMZ)
  LAN only
  DMZ only
To disable remote management of a service, deselect Enable in the corresponding service screen.

38.1.1 Remote Management Limitations
Remote management will not work when:
1 You have disabled that service in the corresponding screen.
2 The accepted IP address in the Service Control table does not match the client IP address. If it does not match, the ZyWALL will disconnect the session immediately.
3 There is a firewall rule that blocks it.

38.1.2 System Timeout
There is a lease timeout for administrators. The ZyWALL automatically logs you out if the management session remains idle for longer than this timeout period.
his table lists the commands for SSL VPN. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 78 SSL VPN Commands
COMMAND: DESCRIPTION
show sslvpn policy [profile_name]: Displays the settings of the specified SSL VPN access policy.
show sslvpn network-extension local-ip: Displays the IP address that the ZyWALL uses in setting up the SSL VPN.
show sslvpn monitor: Displays a list of the users who are currently logged into the VPN SSL client portal.
sslvpn network-extension local-ip <ip>: Sets the IP address that the ZyWALL uses in setting up the SSL VPN.
sslvpn policy {profile_name | profile_name append | profile_name insert <1..16>}: Enters the SSL VPN sub-command mode to add or edit an SSL VPN access policy.
  [no] activate: Turns the SSL VPN access policy on or off.
  [no] application <application_object>: Adds the SSL application object to the SSL VPN access policy.
  [no] cache-clean activate: Cleans the cookie history and temporary Internet files in the user's browser's cache when the user logs out. The ZyWALL returns them to the values present before the user logged in. The no command disables this setting.
  [no] description <description>: Adds information about the SSL VPN access policy. Use up to 60 characters (0-9, a-z, A-Z, and -).
  [no] eps <1..8> <eps_profile_name>: Sets endpoint security objects to be
ic can use, and can turn on maximize bandwidth usage.
traffic-prioritize {tcp-ack | content-filter | dns | ipsec-vpn | ssl-vpn} deactivate: Turns off traffic priority settings for when the interface sends the specified type of traffic.
[no] upstream <0..1048576>: Specifies the upstream bandwidth for the specified interface. The no command sets the upstream bandwidth to 1048576.
interface <interface_name> ipv6: Creates the specified IPv6 interface if necessary and enters sub-command mode.
  address <ipv6_addr_prefix> gateway <ipv6_addr> metric <0..15>: Sets an IPv6 address with prefix for the interface. Sets the specified IPv6 address's metric.

Chapter 6 Interfaces
Table 16 interface General Commands: Basic Properties and IP Address Assignment (continued)
COMMAND: DESCRIPTION
  enable: Turns on the IPv6 interface.
  nd ra accept: Sets the IPv6 interface to accept IPv6 neighbor discovery router advertisement messages.
  nd ra advertise: Sets the IPv6 interface to send IPv6 neighbor discovery router advertisement messages.
  nd ra managed-config-flag: Turns on the flag in IPv6 router advertisements that tells hosts to use a managed (stateful) protocol for address autoconfiguration in addition to any addresses autoconfigured using stateless address autoconfiguration.
  nd ra other-config-flag: Turns on the other stateful configuration flag in
ice before you can use it (see Chapter 5 on page 45).
Table 92 General Anti-virus Commands
COMMAND: DESCRIPTION
[no] anti-virus activate: Enables the anti-virus service. The anti-virus service also depends on anti-virus service registration.
show anti-virus activation: Displays the anti-virus service status.
[no] anti-virus eicar activate: Turns detection of the EICAR test file on or off.
show anti-virus eicar activation: Displays whether or not detection of the EICAR test file is turned on.
anti-virus reload signatures: Recovers the anti-virus signatures. You should only need to do this if instructed to do so by a support technician.
[no] anti-virus skip-unknown-type activate: Sets whether or not anti-virus checks files for which the ZyWALL cannot identify a file type.
show anti-virus skip-unknown-type activation: Displays whether or not anti-virus checks files for which the ZyWALL cannot identify a file type.
anti-virus mail-infect-ext activate: Has the ZyWALL add a notification text file to an e-mail after destroying a virus-infected e-mail attachment.
no anti-virus mail-infect-ext activate: Has the ZyWALL not add a notification text file to an e-mail after destroying a virus-infected e-mail attachment.

21.2.1.1 Activate/Deactivate Anti-Virus Example
This example shows how to activate and deactivate anti-virus on the ZyWALL.
Router# configure terminal
Router(config)# anti-virus activate
Router
ics and display a summary.
Router(config)# anti-spam statistics collect
Router(config)# show anti-spam statistics collect
collect statistics: yes
collect statistics time: since 2008-03-11 07:16:01 to 2008-03-11 07:16:13
Router(config)# show anti-spam statistics summary
total mails scanned: 0
total clear mails: 0
clear mail by whitelist: 0
total spam mails: 0
spam detected by blacklist: 0
spam detected by ip reputation: 0
spam detected by mail content: 0
spam detected by dnsbl: 0
spam detected with virus: 0
total virus mails: 0
dnsbl timeout: 0
mail session forwarded: 0
mail session dropped: 0

Chapter 24 Anti-Spam

Device HA
Use device HA to increase network reliability. Device HA lets a backup ZyWALL (B) automatically take over if a master ZyWALL (A) fails.
Figure 24 Device HA: Backup Taking Over for the Master

25.1 Device HA Overview
Active-Passive Mode and Legacy Mode
Active-passive mode lets a backup ZyWALL take over if the master ZyWALL fails.
Legacy mode uses VRRP (Virtual Router Redundancy Protocol) groups and allows for more complex relationships between the master and backup ZyWALLs, such as active-active or using different ZyWALLs as the master ZyWALL for individual interfaces. Legacy mode configuration involves a greater degree of comp
idth management, including traffic prioritization, to enhance the performance of delay-sensitive applications like voice and video.
Note: The ZyWALL checks firewall rules before application patrol rules for traffic going through the ZyWALL. To use a service, make sure both the firewall and application patrol allow the service's packets to go through the ZyWALL.
Application patrol examines every TCP and UDP connection passing through the ZyWALL and identifies what application is using the connection. Then you can specify, by application, whether or not the ZyWALL continues to route the connection.

20.2 Application Patrol Commands Summary
The following table describes the values required for many application patrol commands. Other values are discussed with the corresponding commands.
Table 81 Input Values for Application Patrol Commands
LABEL: DESCRIPTION
protocol_name: The name of a pre-defined application. These are listed by category: general (ftp, smtp, pop3, irc, http), im (msn, aol-icq, yahoo, qq), p2p (bittorrent, eDonkey, fasttrack, gnutella, napster, h323, sip, soulseek), stream (rtsp).
rule_number: The number of an application patrol rule, 1-X where X is the highest number of rules the ZyWALL model supports. See the ZyWALL's User's Guide for details.

Chapter 20 Application Patrol
Table 81 Input Values for Application Patrol Commands (continued)
LABEL: DESCRIP
ied ISP account. The no command clears the password.
password: Use up to 63 printable ASCII characters. Spaces are not allowed.
[no] authentication {none | pap | chap}: Sets the authentication for the cellular account. The no command sets the authentication to none.
[no] idle <0..360>: Sets the idle timeout for the cellular account. Zero disables the idle timeout. The no command sets the idle timeout to zero.

SSL Application
This chapter describes how to configure SSL application objects for use in SSL VPN.

34.1 SSL Application Overview
Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group.

34.1.1 SSL Application Object Commands
This table lists the commands for creating SSL application objects. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 159 SSL Application Object Commands
COMMAND: DESCRIPTION
show sslvpn application [application_object]: Displays SSL VPN application objects.
[no] sslvpn application <application_object>: Enters the sub-command mode to create an SSL VPN application object.
  server-type {file-sharing | owa | web-server} url <URL> entry-point <entry_point>: Specify the type of service
ils.

22.3.6 Signature Search
Use this command to search for signatures in the named profile.

Chapter 22 IDP Commands
Note: It is recommended you use the web configurator to search for signatures.
Table 105 Signature Search Command
COMMAND: DESCRIPTION
idp search signature my_profile name <quoted_string> sid <SID> severity <severity_mask> platform <platform_mask> policytype <policytype_mask> service <service_mask> activate {any | yes | no} log {any | no | log | log-alert} action <action_mask>: Searches for signature(s) in a profile by the parameters specified. The quoted string is any text within the signature name in quotes. For example, idp search LAN_IDP name "WORM" sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text "worm" within the signature name.
idp search system-protect my_profile name <quoted_string> sid <SID> severity <severity_mask> platform <platform_mask> policytype <policytype_mask> service <service_mask> activate {any | yes | no} log {any | no | log | log-alert} action <action_mask>
show idp search signature my_profile name <quoted_string> sid <SID> severity <severity_mask> platform <platform_mask> policytype <policytype_mask> service <service_mask> activate {any | yes | no} log {any | no | log | log-alert} action <action_mask>: Searches for signature(s) in a system-protec
ily report.
Router(config)# daily-report
Router(config-daily-report)# item cpu-usage
Router(config-daily-report)# item mem-usage
Router(config-daily-report)# item port-usage
Router(config-daily-report)# item session-usage
Router(config-daily-report)# item traffic-report
Router(config-daily-report)# activate
Router(config-daily-report)# smtp-auth activate
Router(config-daily-report)# no mail-to-5
Router(config-daily-report)# exit
Router(config)#

Chapter 41 Reports and Reboot
This displays the email daily report settings and has the ZyWALL send the report.
Router(config)# show daily-report status
email daily report status
  activate: yes
  scheduled time: 13:57
  reset counter: no
  smtp address: example-SMTP-mail-server.com
  smtp port: 25
  smtp auth: yes
  smtp username: 12345
  smtp password: pass12345
  mail subject: test subject
  append system name: no
  append date time: yes
  mail from: my-email@example.com
  mail to 1: example-administrator@example.com
  mail to 2:
  mail to 3:
  mail to 4: my-email@example.com
  mail to 5:
  cpu usage: yes
  mem usage: yes
  session usage: yes
  port usage: yes
  traffic report: yes
Router(config)# daily-report send-now

41.3 Reboot
Use this to restart the device (for example, if the device begins behaving erratical
imit insert <rule_number>: Enters the session-limit sub-command mode to add a session limit rule before the specified rule number.
session-limit move <rule_number> to <rule_number>: Moves a session limit rule to the number that you specified.
show session-limit: Shows the session limit configuration.
show session-limit begin <rule_number> end <rule_number>: Shows the settings for a range of session limit rules.
show session-limit <rule_number>: Shows the session limit rule's settings.
show session-limit status: Shows the general session limit settings.
[no] session-limit6 activate: Turns the IPv6 session limit feature on or off.
session-limit6 limit <0..8192>: Sets the default number of concurrent NAT/firewall IPv6 sessions per host.
session-limit6 <rule_number>: Enters the IPv6 session-limit sub-command mode to set a session limit rule.
  [no] activate: Enables the IPv6 session limit rule. The no command disables the session limit rule.
  [no] address <address6_object>: Sets the IPv6 source IP address. The no command sets this to any, which means all IP addresses.
  [no] description <description>: Sets a descriptive name (up to 64 printable ASCII characters) for a session limit rule. The no command removes the descriptive name from the rule.
  exit: Quits the sub-command mode.
  [no] limit <0..8192>: Sets the limit for the number of concurrent NAT/fire
imum data fragment size that can be sent.
[no] super: Enables super mode (fast frame and packet bursting).
role ap: Sets the ZyWALL to act as an AP (only the AP role is supported at the time of writing).
output-power {100 | 50 | 25 | 12.5}: Sets the wireless output power. Reducing output power can help reduce interference with other nearby APs.
qos {none | wmm}: Applies Wi-Fi Multimedia Quality of Service (QoS) or no wireless QoS.

Chapter 6 Interfaces
Table 32 WLAN General Commands (continued)
COMMAND: DESCRIPTION
guard-interval {short | long}: Sets the Guard Interval to Short (increases data throughput) or Long (prioritizes data integrity).
[no] amsdu: Enables Aggregated MAC Service Data Unit (AMSDU) for faster data transfer rates.
[no] ampdu: Enables Aggregated MAC Protocol Data Unit (AMPDU) for faster data transfer rates.
[no] block-ack: Adds the block ACK (BA) mechanism to increase data output.
exit: Leaves the sub-command mode.

6.9.1.1 WLAN General Commands Example
This example sets wireless slot 1 to use the IEEE 802.11b and IEEE 802.11g bands, channel 5, super mode, 50% output power, and enables it.
Router(config)# wlan slot1
Router(config-wlan-slot)# band bg
Router(config-wlan-slot)# channel 5
Router(config-wlan-slot)# super
Router(config-wlan-slot)# output-power 50
Router(config-wlan-slot)# activate
Router(config-wlan-slot)#
included in the report e-mails.
[no] item mem-usage: Determines whether or not memory usage statistics are included in the report e-mails.
[no] item port-usage: Determines whether or not port usage statistics are included in the report e-mails.
[no] item session-usage: Determines whether or not session usage statistics are included in the report e-mails.
[no] item traffic-report: Determines whether or not network traffic statistics are included in the report e-mails.
schedule hour <0..23> minute <00..59>: Sets the time for sending out the report e-mails.
[no] reset-counter: Determines whether or not to discard all report data and start all of the report statistics data counters over at zero after successfully sending out a report e-mail.
send-now: Sends the daily e-mail report immediately.
reset-counter-now: Discards all report data and starts all of the report statistics data counters over at zero.
exit: Leaves the sub-command mode.

41.2.1 Email Daily Report Example
This example sets the following about sending a daily report e-mail:
  Disables the reporting
  Specifies example-SMTP-mail-server.com as the address of the SMTP mail server
  Sets the subject of the report e-mails to test
  Stops the system name from being appended to the mail subject
  Appends the date and time to the mail subject
  Sets the sender as my-email@example.com
  Sets exa
inspection log or alert.
no http-inspection http-xxx log: Deactivates http-inspection logs.
[no] http-inspection http-xxx action {drop | reject-sender | reject-receiver | reject-both}: Sets the http-inspection action.
[no] tcp-decoder tcp-xxx activate: Activates or deactivates tcp-decoder options, where tcp-xxx is one of undersize-len, undersize-offset, oversize-offset, bad-length-options, truncated-options, ttcp-detected, obsolete-options, experimental-options.
tcp-decoder tcp-xxx log [alert]: Sets tcp-decoder log or alert options.
no tcp-decoder tcp-xxx log: Deactivates tcp-decoder log or alert options.
[no] tcp-decoder tcp-xxx action {drop | reject-sender | reject-receiver | reject-both}: Sets the tcp-decoder action.
[no] udp-decoder {truncated-header | undersize-len | oversize-len} activate: Activates or deactivates udp-decoder options.
udp-decoder {truncated-header | undersize-len | oversize-len} log [alert]: Sets udp-decoder log or alert options.
no udp-decoder {truncated-header | undersize-len | oversize-len} log: Deactivates udp-decoder log options.
udp-decoder {truncated-header | undersize-len | oversize-len} action {drop | reject-sender | reject-receiver | reject-both}: Sets the udp-decoder action.
no udp-decoder {truncated-header | undersize-len | oversize-len} action: Deactivates udp-decoder actions.
[no] icmp-decoder {truncated-header | truncated-timestamp-heade
installed and settings being configured before they access the company's SSL VPN.
Router(config)# eps profile EPS-Example
Router(eps EPS-Example)# windows-version windows-xp
Router(eps EPS-Example)# personal-firewall activate
Router(eps EPS-Example)# anti-virus activate
Router(eps EPS-Example)# windows-auto-update enable
Router(eps EPS-Example)# windows-service-pack 2
Router(eps EPS-Example)# personal-firewall "Windows Firewall" detect-auto-protection enable
Router(eps EPS-Example)# anti-virus "Kaspersky Anti-Virus v2011" detect-auto-protection enable
Router(eps EPS-Example)# matching-criteria all
Router(eps EPS-Example)# exit
Router(config)#

Then he leaves the sub-command mode and uses the show command to view the EPS object settings.
Router(eps EPS-Example)# exit
Router(config)# show eps profile EPS-Example
name: EPS-Example
description:
os type: windows
windows version: windows xp
matching criteria: all
anti-virus activation: yes
anti-virus 1 name: Kaspersky Anti-Virus v2011, detect auto protection: enable
personal firewall activation: yes
personal firewall 1 name: Windows Firewall, detect auto protection: enable
windows update: enable
windows service pack: 2
windows security patch:
windows registry:
trusted application:
forbidden application:
file information:
reference count: 1
Router(config)#
See Chapter 18 on page 151 for how to configure an SSL VPN using this EPS obje
388. ...interface Commands: Auxiliary Interface
  interface dial aux
  interface disconnect aux
    Dials or disconnects the auxiliary interface.
  interface aux
    Enters sub-command mode.
  [no] authentication {chap-pap | chap | pap | mschap | mschap-v2}
    Specifies the authentication type of the auxiliary interface. The no command sets the authentication to chap-pap.
  [no] dial-timeout <30..120>
    Specifies the number of seconds the auxiliary interface waits for an answer each time it tries to connect. The no command disables the timeout.
  [no] dialing-type {tone | pulse}
    Specifies the dial type of the auxiliary interface. The no command sets the dial type to tone.
  [no] idle <0..360>
    Specifies the number of seconds the auxiliary interface waits for activity before it automatically disconnects. The no command disables the idle timeout.
  [no] initial-string initial_string
    Specifies the initial string of the auxiliary interface. The no command sets the initial string to ATZ. initial_string: you can use up to 64 characters. Semicolons and backslashes are not allowed.
  [no] password password
    Specifies the password of the auxiliary interface. The no command clears the password. password: you can use up to 63 printable ASCII characters. Spaces are not allowed.
ZyWALL ZLD CLI Reference Guide, Chapter 6 Interfaces
Table 39 interface Commands: Auxiliary Interf[ace] (continued)...
389. ...(continued)
  app protocol_name rule modify default
  app protocol_name rule default
    Enters sub-command mode for editing the default rule for the application. See Table 84 on page 165 for the sub-commands.
  no app protocol_name rule rule_number
    Deletes the specified rule.
20.2.2.1 Rule Sub-commands
The following table describes the sub-commands for several application patrol rule commands. Note that not all rule commands use all the sub-commands listed here.
Table 84 app protocol rule Sub-commands
  access {forward | drop | reject}
    Specifies the action when traffic matches the rule.
  [no] action block {login | message | audio | video | file-transfer}
    Blocks use of a specific feature.
  [no] activate
    Turns on this rule. The no command turns off this rule.
  bandwidth {inbound | outbound} <0..1048576>
    Limits inbound or outbound bandwidth in kilobits per second. 0 disables bandwidth management for traffic matching this rule.
  [no] bandwidth excess-usage
    Enables maximize bandwidth usage to let the traffic matching this policy borrow any unused bandwidth on the outgoing interface.
  bandwidth priority <1..7>
    Sets the priority for traffic that matches this rule. The smaller the number, the higher the priority.
  [no] destination profile_name
    Adds the specified destination address to the rule.
  [no] from zone_name
    Specifies the source zone...
390. ...ion
IDP Commands
This chapter introduces IDP-related commands.
22.1 Overview
Commands mostly mirror web configurator features. It is recommended you use the web configurator for IDP features such as searching for web signatures, creating/editing an IDP profile, or creating/editing a custom signature. Some web configurator terms may differ from the command line equivalent.
Note: The no command negates the action or returns it to the default value.
The following table lists valid input for IDP commands.
Table 98 Input Values for IDP Commands
  zone_profile
    The name of a zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 200 and lower models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT and WAN.
  idp_profile
    The name of an IDP profile. It can consist of alphanumeric characters, the underscore and the dash, and it is 1-31 characters long. Spaces are not allowed.
22.2 General IDP Commands
22.2.1 IDP Activation
Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it. See Chapter 5 on page 45.
This table shows the IDP signature, anomaly and system protect activation commands.
391. ...ion
  [no] logging mail <1..2> authentication username username password password
    Sets the username and password required by the SMTP mail server. The no command clears the username and password fields. username: you can use alphanumeric characters, underscores (_) and dashes (-), and it can be up to 31 characters long. password: you can use most printable ASCII characters. You cannot use square brackets, double quotation marks, question marks, tabs or spaces. It can be up to 31 characters long.
  [no] logging mail <1..2> port <1..65535>
    Sets the port number of the mail server for the specified e-mail profile.
  [no] logging mail <1..2> {send-alerts-to | send-log-to} e_mail
    Sets the e-mail address for logs or alerts. The no command clears the specified field. e_mail: you can use up to 63 alphanumeric characters, underscores or dashes, and you must use the @ character.
  [no] logging mail <1..2> subject subject
    Sets the subject line when the ZyWALL mails to the specified e-mail profile. The no command clears this field. subject: you can use up to 60 alphanumeric characters, underscores, dashes or @ characters.
  [no] logging mail <1..2> category module_name level {alert | all}
    Specifies what kind of information is logged for the specified category. The no command disables logging for the specified category.
  [no] logging mail <1..2> ...
392. ...ires you need to purchase an iCard for the anti-virus engine you want to use and enter the PIN number (license key) in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine.
If you were already using an iCard anti-virus subscription, any remaining time on your earlier subscription is automatically added to the new subscription, even if the earlier iCard anti-virus subscription was for a different anti-virus engine. For example, suppose you purchase a one-year Kaspersky engine anti-virus service subscription and use it for six months. Then you purchase a one-year ZyXEL engine anti-virus service subscription and enter the iCard's PIN number (license key) in the Registration > Service screen. The one-year ZyXEL engine anti-virus service subscription is automatically extended to 18 months.
The IDP and application patrol features use the IDP/AppPatrol signature files on the ZyWALL. IDP detects malicious or suspicious packets and responds immediately. Application patrol conveniently manages the use of various applications on the network. After the service is activated, the ZyWALL can download the up-to-date signature files from the update server (http://myupdate.zywall.zyxel.com).
SSL VPN tunnels provide secure network access to remote users. You can purchase and ent...
393. ...irewall6 WAN ZyWALL
  user: any
  schedule: none
  from: WAN
  to: ZyWALL
  source IP: any
  source port: any
  destination IP: any
  service: Default_Allow_v6_WAN_To_ZyWALL
  log: no
  action: allow
  status: yes
16.3 Session Limit Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 68 Input Values for General Session Limit Commands
  rule_number
    The priority number of a session limit rule, 1-1000.
  address_object
    The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  address6_object
    The name of the IPv6 address (group) object. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  user_name
    The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following table describes the session limit commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 69 Command Summary: Session Limit
  [no] session-limit activate
    Turns t...
394. ...irst, second or third DNS server, or the ZyWALL itself. The no command resets the setting to its default value.
  [no] first-wins-server ip
    Specifies the first WINS server IP address to assign to the remote users. The no command removes the setting.
  [no] second-wins-server ip
    Specifies the second WINS server IP address to assign to the remote users. The no command removes the setting.
  [no] lease {<0..365> [<0..23> [<0..59>]] | infinite}
    Sets the lease time to the specified number of days, hours and minutes, or makes the lease time infinite. The no command resets the first DNS server setting to its default value.
  interface interface_name
    Enters sub-command mode.
  [no] ip dhcp-pool profile_name
    Binds the specified interface to the specified DHCP pool. You have to remove any DHCP relays first. The no command removes the binding.
  [no] ip helper-address ip
    Creates the specified DHCP relay. You have to remove the DHCP pool first if the DHCP pool is bound to the specified interface. The no command removes the specified DHCP relay.
  release dhcp interface_name
    Releases the TCP/IP configuration of the specified interface. The interface must be a DHCP client. This command is available in privilege mode, not configuration mode.
  renew dhcp interface_name
    Renews the TCP/IP configuration of the specified interface. The interface must be a DHCP client. This command is available in privilege...
395. ...isables the specified policy. The no command enables the specified policy.
  [no] description description
    Sets a descriptive name for the policy. The no command removes the name for the policy.
  destination {address_object | any}
    Sets the destination IP address the matched packets must have. The no command resets the destination IP address to the default (any). any means all IP addresses.
Table 44 Command Summary: Policy Route (continued)
  [no] dscp {any | <0..63>}
    Sets a custom DSCP code point (0-63). This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker.
  [no] dscp class {default | dscp_class}
    Sets a DSCP class. Use default to apply this policy route to incoming packets that are marked with DSCP value 0. Use one of the pre-defined AF classes (including af11-af13, af21-af23, af31-af33 and af41-af43) to apply this policy route to incoming packets that are marked with the DSCP AF class. The af entries stand for Assured Forwarding. The number following the af identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 104 for more details.
  dscp-marking <0..63>
  dscp-marking class {default | dscp_class}
    Sets a DSCP value to have the ZyWALL apply that DSCP value to the r...
396. ...isk space.
  [no] app-watch-dog disk-threshold min <1..100> max <1..100>
    Sets the percentage thresholds for sending a disk usage alert. The ZyWALL starts sending alerts when disk usage exceeds the maximum (the second threshold you enter). The ZyWALL stops sending alerts when the disk usage drops back below the minimum threshold (the first threshold you enter). The no command changes the setting back to the default.
  [no] app-watch-dog mem-threshold min <1..100> max <1..100>
    Sets the percentage thresholds for sending a memory usage alert. The ZyWALL starts sending alerts when memory usage exceeds the maximum (the second threshold you enter). The ZyWALL stops sending alerts when the memory usage drops back below the minimum threshold (the first threshold you enter). The no command changes the setting back to the default.
  app-watch-dog reboot-log flush
    Flushes the reboot log record.
  [no] app-watch-dog sys-reboot
    If auto-recover fail reaches the maximum retry count, app watch dog reboots the device. The no command turns off system auto reboot.
  show app-watch-dog config
    Displays the application watchdog timer settings.
  show app-watch-dog monitor-list
    Displays the list of applications that the application watchdog is monitoring.
  show app-watch-dog reboot-log
    Displays the application watchdog reboot log.
47.3.1 Application Watchdog Commands Example
The following example d...
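The min/max pair above is a hysteresis band: alerts begin only when usage rises above max and end only when it falls back below min, so a value hovering around one threshold cannot produce a stream of alerts. The following is an added example, not code from the ZyWALL guide; it is a constructed model of that behaviour, and the default thresholds of 80 and 90 percent are assumed for illustration, not taken from the device.

```python
# Added example (not code from the ZyWALL guide): a constructed model of the
# min/max threshold behaviour described for app-watch-dog disk-threshold and
# mem-threshold. Alerts start when usage exceeds max and stop only when usage
# drops below min, so a value bouncing around a single threshold cannot cause
# an alert storm.
class UsageAlert:
    def __init__(self, minimum, maximum):
        if not (1 <= minimum <= 100 and 1 <= maximum <= 100):
            raise ValueError("thresholds are percentages in 1..100")
        if minimum > maximum:
            raise ValueError("min must not exceed max")
        self.minimum = minimum
        self.maximum = maximum
        self.alerting = False

    def observe(self, usage_pct):
        """Feed one usage sample; return True while alerts would be sent."""
        if not self.alerting and usage_pct > self.maximum:
            self.alerting = True
        elif self.alerting and usage_pct < self.minimum:
            self.alerting = False
        # Between min and max the previous state is kept (that is the hysteresis).
        return self.alerting


def alert_trace(samples, minimum=80, maximum=90):
    """Return the alert state after each sample in `samples`.
    The 80/90 defaults are assumed for this example, not device defaults."""
    monitor = UsageAlert(minimum, maximum)
    return [monitor.observe(s) for s in samples]


if __name__ == "__main__":
    # Constructed usage samples: climb over max, dip inside the band, drop below min.
    print(alert_trace([70, 85, 91, 85, 95, 79, 85]))
```

The sample run shows the point of the band: the dip to 85 (between min and max) keeps alerting on, and the later 85 after the drop to 79 keeps it off.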
397. ...isplays the application watchdog configuration and lists the processes that the application watchdog is monitoring.
  Router(config)# show app-watch-dog config
  [The output of this command is not legible in the scan.]
  Router(config)# show app-watch-dog monitor-list
  [The output of this command is not legible in the scan.]
List of Commands (Alphabetical)
398. ...it
  Router(config)# show object-group address
  Group name    Reference    Description
  TW_TEAM       5
  RD            0
  Router(config)# show object-group address RD
  Object/Group name    Type      Reference
  A1                   Object    1
  A2                   Object    1
Services
Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
28.1 Services Overview
See the appendices in the web configurator's User Guide for a list of commonly used services.
28.2 Services Commands Summary
The following table describes the values required for many service object and service group commands. Other values are discussed with the corresponding commands.
Table 142 Input Values for Service Commands
  group_name
    The name of the service group. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  object_name
    The name of the service. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following sections list the service object and service group commands.
28.2.1 Service Object Commands
The first table lists the commands for servi...
399. ...ith-tag}
    Select how to handle SMTP mail if querying the mail scan server times out. Use drop to discard the SMTP mail, forward to send it, or forward-with-tag to add a tag to the mail subject and send it.
  anti-spam mail-scan query-timeout time timeout
    Set how many seconds the ZyWALL waits for a reply from the mail scan server before taking the relevant timeout action.
  anti-spam tag query-timeout tag
    Specify the label to add to the mail subject of e-mails the ZyWALL tags and forwards when queries to the mail scan servers time out.
  [no] anti-spam xheader query-timeout xheader_name xheader_value
    Specify the name and value for the X-Header to add to e-mails the ZyWALL forwards when queries to the mail scan servers time out.
  show anti-spam mail-scan query-timeout
    Display the action the ZyWALL takes on SMTP mail if querying the mail scan server times out.
  show anti-spam mail-scan query-timeout pop3
    Display the action the ZyWALL takes on POP3 mail if querying the mail scan server times out.
  show anti-spam mail-scan query-timeout time
    Display how many seconds the ZyWALL waits for a reply from the mail scan server before taking the relevant timeout action.
  show anti-spam mail-scan status
    Displays the ZyWALL's settings for IP reputation, mail content and virus outbreak checking.
  show anti-spam tag query-timeout
    Display the label the ZyWALL adds to the mail subject of e-mails that it tags an...
400. ...ive failures are required before the ZyWALL stops routing to the gateway. The ZyWALL resumes routing to the gateway the first time the gateway passes the connectivity check.
This table lists the ping check commands.
Table 21 interface Commands: Ping Check
  show ping-check [interface_name | activate | status]
    Displays information about ping check settings for the specified interface or for all interfaces. status displays the current connectivity check status for any interfaces upon which it is activated.
  [no] connectivity-check continuous-log
    Use this command to have the ZyWALL log connectivity check results continuously. The no command disables the setting.
  show connectivity-check continuous-log status
    Displays the continuous log setting about connectivity check.
  interface interface_name
    Enters sub-command mode.
  [no] ping-check activate
    Enables ping check for the specified interface. The no command disables ping check for the specified interface.
  ping-check {domain_name | ip | default-gateway} [port <1..65535>]
    Specifies what the ZyWALL pings for the ping check; you can specify a fully qualified domain name, an IP address, or the default gateway for the interface.
  ping-check {domain_name | ip | default-gateway} period <5..30>
    Specifies what the ZyWALL pings for the ping check and sets the number of seconds between each ping...
401. ...ket-size statistics clear
    Clears the packet size statistics data for all interfaces.
41.2 Email Daily Report Commands
The following table identifies the values used in some of these commands. Other input values are discussed with the corresponding commands.
Table 197 Input Values for Email Daily Report Commands
  e_mail
    An e-mail address. You can use up to 80 alphanumeric characters, underscores (_), periods (.) or dashes (-), and you must use the @ character.
Use these commands to have the ZyWALL e-mail you system statistics every day. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 198 Email Daily Report Commands
  show daily-report status
    Displays the e-mail daily report settings.
  daily-report
    Enters the sub-command mode for configuring daily e-mail report settings.
  [no] activate
    Turns daily e-mail reports on or off.
  draw-usage-graphics
    Has the report e-mail include usage graphs.
  smtp-address {ip | hostname}
    Sets the SMTP mail server IP address or domain name.
  [no] smtp-auth activate
    Enables or disables SMTP authentication.
  smtp-auth username username password password
    Sets the username and password for SMTP authentication.
  no smtp-address
    Resets the SMTP mail server configuration.
  no smtp-auth username
    Resets the authentication configuration.
  [no] smtp-port <1..65535>
    Sets...
402. ...l
This section lists the commands and sub-commands in alphabetical order. Commands and sub-commands appear at the same level.
  ping {ipv4 | hostname} [source ipv4] [size <0..65507>] [forever | count <1..4096>] ... 342
  [no] aaa authentication default member1 [member2] [member3] [member4] ... 255
  [no] aaa authentication profile-name member1 [member2] [member3] [member4] ... 256
  [no] aaa group server ldap group-name ... 252
  [no] aaa group server radius group-name ... 253
  [no] access-page message-text message ... 280
  [The remaining entries of this page of the alphabetical list are not legible in the scan.]
403. ...l {any | tcp | udp} original-port-begin <1..65535> original-port-end <1..65535> mapped-port-begin <1..65535> [nat-loopback] [nat-1-1-map] [deactivate]
  (single-port form)
    Creates or modifies the specified virtual server and maps the specified destination IP address, protocol and destination port to the specified destination IP address and destination port. The original destination IP is defined by the specified interface (any), the specified IP address (IP) or the specified address object (address_object). NAT loopback allows local users to use a domain name to access this virtual server. nat-1-1-map means the NAT type is either 1:1 NAT or many 1:1 NAT. See Section 12.1.1 on page 119 for more information. Using this command without nat-1-1-map means the NAT type is Virtual Server. This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet). The deactivate command disables the virtual server rule.
  (port-range form)
    Creates or modifies the specified virtual server and maps the specified destination IP address, protocol and range of destination ports to the specified destination IP address and range of destination ports. The original destination IP is defined by the specified interface (any), the specified IP address (IP) or the specified address object (address_object). NAT loopback allows local users to use a domain name to access this...
404. ...l ... 108
Table of Contents
  9.2.5 Learned Routing Information Commands ... 110
  9.2.6 show ... Command Example ... 110
  Chapter 10 ... 111
  Chapter 11 ... 115
  11.2 DDNS Commands Summary ... 116
  Chapter 12 ... 119
  12.2 Virtual Server Commands Summary ... 119
  12.2.1 Virtual Server Command Examples ... 121
  12.2.2 Tutorial: How to Allow Public Access to a Server ... 122
  Chapter 13 ... 123
  13.2.1 HTTP Redirect Command Example ... 125
  Chapter 14 ... 127
  [The remaining entries of this page of the table of contents are not legible in the scan.]
405. ...l rules that deny access.
  show firewall any ZyWALL
    Shows all the to-ZyWALL firewall rules.
  [no] connlimit6 max-per-host <1..8192>
    Sets the highest number of IPv6 sessions that the ZyWALL will permit a host to have at one time. The no command removes the setting.
  firewall6 rule_number
    Enters the IPv6 firewall sub-command mode to set a firewall rule. See Table 67 on page 137 for the sub-commands.
  firewall6 zone_object {zone_object | ZyWALL} rule_number
    Enters the IPv6 firewall sub-command mode to set a direction-specific through-ZyWALL rule or to-ZyWALL rule. See Table 67 on page 137 for the sub-commands.
Table 66 Command Summary: Firewall (continued)
  firewall6 zone_object {zone_object | ZyWALL} append
    Enters the IPv6 firewall sub-command mode to add a direction-specific through-ZyWALL rule or to-ZyWALL rule to the end of the global rule list. See Table 67 on page 137 for the sub-commands.
  firewall6 zone_object {zone_object | ZyWALL} delete <1..5000>
    Removes a direction-specific IPv6 through-ZyWALL rule or to-ZyWALL rule. <1..5000>: the index number in a direction-specific firewall rule list.
  firewall6 zone_object {zone_object | ZyWALL} flush
    Removes all direction-specific IPv6 through-ZyWALL rules or to-ZyWALL rules.
  firewall6 zone_object {zone_object | ZyWALL} ...
406. ...lays an IPv6 firewall rule's settings.
  show firewall6 zone_object {zone_object | ZyWALL}
    Displays all IPv6 firewall rules' settings for the specified packet direction.
  show firewall6 zone_object {zone_object | ZyWALL} rule_number
    Displays a specified IPv6 firewall rule's settings for the specified packet direction.
  show firewall6 status
    Displays whether or not the IPv6 firewall is active, whether or not IPv6 asymmetrical route topology is allowed, and the default IPv6 firewall rule's configuration.
  show firewall6 block-rules
    Displays all the IPv6 firewall rules that deny access.
  show firewall6 any ZyWALL
    Shows all the IPv6 to-ZyWALL firewall rules.
  [no] firewall6 asymmetrical-route activate
    Allows or disallows asymmetrical route topology for IPv6 traffic.
16.2.1 Firewall Sub-Commands
The following table describes the sub-commands for several firewall and firewall6 commands.
Table 67 firewall Sub-commands
  action {allow | deny | reject}
    Sets the action the ZyWALL takes when packets match this rule.
  [no] activate
    Enables a firewall rule. The no command disables the firewall rule.
  [no] ctmatch {dnat | snat}
    Use dnat to block packets sent from a computer on the ZyWALL's WAN network from being forwarded to an internal network according to a virtual server rule. Use snat to block packets sent f...
407. ...le Checking...
  CODE Done
  Updating...
  Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file.
The ZyWALL's FTP server IP address for firmware recovery is 192.168.1.1, so set your computer to use a static IP address from 192.168.1.2 to 192.168.1.254.
Use an FTP client on your computer to connect to the ZyWALL. For example, in the Windows command prompt, type ftp 192.168.1.1. Keep the console session connected in order to see when the default system database recovery finishes.
7 Hit enter to log in anonymously.
8 Set the transfer mode to binary (type bin).
9 Transfer the firmware file from your computer to the ZyWALL. Type put followed by the path and name of the firmware file. This example uses put e:\ftproot\ZLD_FW\1.01(XL.0)C0.db.
Figure 51 FTP Default System Database Transfer Command
  C:\>ftp 192.168.1.1
  Connected to 192.168.1.1.
  220---------- Welcome to Pure-FTPd 1.0.11 ----------
  220-You are user number 1 of 50 allowed.
  220-Local time is now 03:56 and the load is 0.00. Server port: 21.
  220-Only anonymous FTP is allowed here
  220 You will be disconnected after 15 minutes of inactivity.
  User (192.168.1.1:(none)):
  230 Anonymous user logged in
  ftp> bin
  200 TYPE is now 8-bit binary
  ftp> put E:\ftproot\ZLD_FW\1.01(XL.0)C0.db
10 Wait for the fi...
408. ...
  show idp profile ... custom-signature details ... 184
  show idp profile signature sid details ... 184
List of Commands (Alphabetical), page 379
  idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log alert} action action_mask ... 189
  idp search system-protect my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log alert} action action_mask ... 189
  idp signature base profile {all | none | wan | lan | dmz} ... 182
  [The other entries of this page of the alphabetical list are not legible in the scan.]
409. ...le transfer to complete.
Figure 52 FTP Default System Database Transfer Complete
  200 PORT command successful
  150 Connecting to port 3789
  226-248.5 MBytes free disk space
  226-File successfully transferred
  226 0.008 seconds (measured here), 13.31 Mbytes per second
  ftp: 112398 bytes sent in 2Seconds 7024.88Kbytes/sec.
  ftp>
11 The console session displays "done" after the default system database is recovered.
Figure 53 Default System Database Received and Recovery Complete
  Default System Database received...
  Update Filesystem...
  Updating Database...
  done
12 The username prompt displays after the ZyWALL starts up successfully. The default system database recovery process is now complete and the ZyWALL IDP and anti-virus features are ready to use again.
Figure 54 Startup Complete
  nothing was mounted
  Hostname: localhost
  Setting the System Clock using the Hardware Clock as reference...
  System Clock set. Local time: Wed May 9 03:26:53 UTC 200
  Cleaning: /tmp /var/lock /var/run.
  Initializing random number generator... done.
  Initializing Debug Account Authentication Seed (DAAS)... done.
  Lionic device init successfully
  cavium nitrox device CN505 init complete
  INIT: Entering runlevel: 3
  Starting zylog daemon: zylogd zylog starts.
  Starting syslog-ng.
  Starting uam daemon.
  Starting app patrol daemon.
  Starting periodic command scheduler: cron.
  Start ZyWALL...
410. ...lent values. If you want to combine platforms in a search, then add their respective numbers together. For example, to search for signatures for Windows NT, Windows XP and Windows 2000 computers, then type 12 as the platform parameter.
Table 106 Severity, Platform and Policy Type Command Values
  SEVERITY: 1 Very Low; 2 Low; 3 Medium; 4 High; 5 Severe
  PLATFORM: 1 All; 2 Win95/98; 4 WinNT; 8 WinXP/2000; 16 Linux; 32 FreeBSD; 64 Solaris; 128 SGI; 256 Other Unix; 512 Network Device
  POLICY TYPE: 1 DoS; 2 Buffer Overflow; 3 Access Control; 4 Scan; 5 Backdoor/Trojan; 6 Others; 7 P2P; 8 IM; 9 Virus/Worm; 10 Porn; 11 Web Attack; 12 Spam
The following table displays the command line service and action equivalent values. If you want to combine services in a search, then add their respective numbers together. For example, to search for signatures for DNS, Finger and FTP services, then type 7 as the service parameter.
Table 107 Service and Action Command Values
  SERVICE: 1 DNS; 2 FINGER; 4 FTP; 8 MYSQL; 16 ICMP; 32 IM; 64 IMAP; 128 MISC; 256 NETBIOS; 512 NNTP; 1024 ORACLE; 2048 P2...
  SERVICE (continued): 65536 SMTP; 131072 SNMP; 262144 SQL; 524288 TELNET; 1048576 TFTP; 2097152 n/a; 4194304 WEB_ATTACKS; 8388608 WEB_CGI
  ACTION: 1 None; 2 Drop; 4 Reject sender; 8 Reject receiver; 16 Reject both
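The platform, service and action values above are powers of two, so "adding the numbers together" builds a bitmask, and a mask typed by hand can be checked by decoding it back into names. The following is an added example, not code from the ZyWALL guide: it encodes and decodes these masks and reproduces the two worked values from the text (12 for WinNT plus WinXP/2000, 7 for DNS, FINGER and FTP). The service table on this page is cut off after 2048, so the entries between 2048 and 65536 are omitted from the example's table.

```python
# Added example (not code from the ZyWALL guide): build and decode the additive
# platform/service/action masks that "idp search" takes as parameters.
# Each table entry is a distinct power of two, so "adding the numbers together"
# is the same as OR-ing the bits; OR is safer because naming a platform twice
# cannot corrupt the mask.
PLATFORM = {
    "All": 1, "Win95/98": 2, "WinNT": 4, "WinXP/2000": 8, "Linux": 16,
    "FreeBSD": 32, "Solaris": 64, "SGI": 128, "Other Unix": 256,
    "Network Device": 512,
}
# The guide's service table is cut off in this scan after 2048 (P2...), so the
# values between 2048 and 65536 are omitted here; only legible entries are kept.
SERVICE = {
    "DNS": 1, "FINGER": 2, "FTP": 4, "MYSQL": 8, "ICMP": 16, "IM": 32,
    "IMAP": 64, "MISC": 128, "NETBIOS": 256, "NNTP": 512, "ORACLE": 1024,
    "SMTP": 65536, "SNMP": 131072, "SQL": 262144, "TELNET": 524288,
    "TFTP": 1048576, "WEB_ATTACKS": 4194304, "WEB_CGI": 8388608,
}
ACTION = {"None": 1, "Drop": 2, "Reject sender": 4, "Reject receiver": 8,
          "Reject both": 16}


def encode_mask(table, names):
    """Combine the named entries into one mask value for the CLI."""
    mask = 0
    for name in names:
        if name not in table:
            raise KeyError(f"unknown entry {name!r}")
        mask |= table[name]
    if mask == 0:
        raise ValueError("at least one entry is required")
    return mask


def decode_mask(table, mask):
    """Expand a mask back into entry names, in ascending bit order.
    Rejects bits that no table entry defines, which usually means a typo
    in a hand-typed number."""
    if mask <= 0:
        raise ValueError("mask must be a positive integer")
    known = 0
    for bit in table.values():
        known |= bit
    if mask & ~known:
        raise ValueError(f"mask {mask} contains bits not in the table")
    return [name for name, bit in sorted(table.items(), key=lambda kv: kv[1])
            if mask & bit]


def idp_search_parameters(platforms, services, actions):
    """Return the three numeric parameters to type into an idp search command."""
    return {
        "platform": encode_mask(PLATFORM, platforms),
        "service": encode_mask(SERVICE, services),
        "action": encode_mask(ACTION, actions),
    }


if __name__ == "__main__":
    # The guide's two worked values: WinNT + WinXP/2000 = 12, DNS + FINGER + FTP = 7
    print(idp_search_parameters(["WinNT", "WinXP/2000"],
                                ["DNS", "FINGER", "FTP"], ["Drop"]))
    print(decode_mask(SERVICE, 7))
```

decode_mask is the useful direction when reviewing a saved command: a number such as 4096 fails here because no legible table entry defines that bit, which is exactly the kind of slip a hand-added sum produces.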
411. ...lert IDP: IDP signatures missing, please refer to your user documentation to recover the default datab...
This procedure requires the ZyWALL's default system database file. Download the firmware package from www.zyxel.com and unzip it. The default system database file uses a .db extension (for example 1.01(XL.0)C0.db). Do the following after you have obtained the default system database file.
39.11.1 Using the atkz -u Debug Command
Note: You only need to use the atkz -u command if the default system database is damaged.
Restart the ZyWALL. When "Press any key to enter debug mode within 3 seconds" displays, press a key to enter debug mode.
Figure 48 Enter Debug Mode
  BootModule Version: V1.011 | 2007/03/30 12:22:57
  DRAM: Size = 510 Mbytes
  DRAM POST: Testing: 522240K OK
  DRAM Test SUCCESS
  Kernel Version: V2.4.2(kernel) | 2006-08-21 | 2006/08/21 19:54:00
  ZLD Version: V1.01(XL.0) | 2006-09-11 17:41:56
  Press any key to enter debug mode within 3 seconds.
  Enter Debug Mode
  >
Enter atkz -u to start the recovery process.
Figure 49 atkz -u Command for Restoring the Default System Database
  > atkz -u
"Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file" displays on the screen. Connect your computer to the ZyWALL's port 1 (only port 1 can be used).
Figure 50 Use FTP with Port 1 and IP 192.168.1.1 to Upload Fi...
412. ...lexity. Active-passive mode is recommended for general failover deployments. The ZyWALLs must all support and be set to use the same device HA mode (either active-passive or legacy).
Management Access
You can configure a separate management IP address for each interface. You can use it to access the ZyWALL for management whether the ZyWALL is the master or a backup. The management IP address should be in the same subnet as the interface IP address.
Synchronization
Use synchronization to have a backup ZyWALL copy the master ZyWALL's configuration, signatures (anti-virus, IDP/application patrol and system protect) and certificates.
Note: Only ZyWALLs of the same model and firmware version can synchronize. Otherwise you must manually configure the master ZyWALL's settings on the backup (by editing copies of the configuration files in a text editor, for example).
25.1.1 Before You Begin
Configure a static IP address for each interface that you will have device HA monitor.
Note: Subscribe to services on the backup ZyWALL before synchronizing it with the master ZyWALL. Synchronization includes updates for services to which the master and backup ZyWALLs are both subscribed. For example, a backup subscribed to IDP/AppPatrol but not anti-virus gets IDP/AppPatrol updates from the master but not anti-virus updates. It is highly recommended to subscribe the ma...
413. lid commands. The ZyWALL still generates a log for any errors. 39.2.3 ZyWALL Configuration File Details: You can store multiple configuration files on the ZyWALL. You can also have the ZyWALL use a different configuration file without the ZyWALL restarting. When you first receive the ZyWALL, it uses the system-default.conf configuration file of default settings. When you change the configuration, the ZyWALL creates a startup-config.conf file of the current configuration. The ZyWALL checks the startup-config.conf file for errors when it restarts. If there is an error in the startup-config.conf file, the ZyWALL copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. When the ZyWALL reboots, if the startup-config.conf file passes the error check, the ZyWALL keeps a copy of the startup-config.conf file as the lastgood.conf configuration file for you as a backup file. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration. 39.2.4 Configuration File Flow at Restart: If there is not a startup-config.conf when you restart the ZyWALL (whether through a management interface or by physically turning the power off and back on), the ZyWALL uses the system-default.conf configuration file with the ZyWALL's default
414. ll. 16.1 Firewall Overview: The ZyWALL's firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first. A zone is a group of interfaces or VPN tunnels. Group the ZyWALL's interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones, or even between interfaces and/or VPN tunnels in a zone. This example shows the ZyWALL's default firewall behavior for WAN to LAN traffic and how stateful inspection works. A LAN user can initiate a Telnet session from within the LAN zone and the firewall allows the response. However, the firewall blocks Telnet traffic initiated from the WAN zone and destined for the LAN zone. The firewall allows VPN traffic between any of the networks. Figure 18 Default Firewall Action. Your customized rules take precedence and override the ZyWALL's default settings. The ZyWALL checks the schedule, user name (user's login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules in the order you list them. When the traffic matches a rule, the ZyWALL takes the action specified in the rule. For example, if you want to allow a specific user from any computer to access one zone by logging in to the ZyWALL
415. llowing the "af" identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 104 for more details. dscp-marking <0..63>: Sets a DSCP value to have the ZyWALL apply that DSCP value to the route's outgoing packets. dscp-marking {class default | dscp-class}: Sets how the ZyWALL handles the DSCP value of the outgoing packets that match this route. Set this to default to have the ZyWALL set the DSCP value of the packets to 0. Set this to an "af" class (including af11-af13, af21-af23, af31-af33 and af41-af43) which stands for Assured Forwarding. The number following the "af" identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 104 for more details. no dscp-marking: Use this command to have the ZyWALL not modify the DSCP value of the route's outgoing packets. exit: Leaves the sub-command mode. [no] interface <interface-name>: Sets the interface on which the matched packets are received. The no command resets the incoming interface to the default (any); "any" means all interfaces. [no] next-hop {auto | gateway <gateway> | gatewayv6 | interface <interface-name> | trunk <trunk-name> | tunnel <tunnel-name>}: Sets the next hop to which the matched packets are routed. The no command resets next-hop settings to the default (auto). [no] schedule <schedule-object>: Sets the schedule. The no command removes
416. lly authenticated by a remote auth server as a default group (default ext-user). If the remote authentication server is LDAP, the default ext-user account is an ldap-user. If the remote authentication server is AD, the default ext-user account is an ad-user. If the remote authentication server is RADIUS, the default ext-user account is a radius-user. 31.2.1 aaa authentication Command Example: The following example creates an authentication profile to authenticate users using the LDAP server group and then the local user database. Router# configure terminal; Router(config)# aaa authentication LDAPuser group ldap local; Router(config)# show aaa authentication LDAPuser; No. Method; Router(config)#. 31.3 test aaa Command: The following table lists the test aaa command you use to test a user account on an authentication server. Table 154 test aaa Command. COMMAND / DESCRIPTION: test aaa {server | secure-server} {ad | ldap} host {hostname | ipv4-address} port <1..65535> base-dn base-dn-string [bind-dn bind-dn-string password password] login-name-attribute attribute [alternative-login-name-attribute attribute] account account-name: Tests whether a user account exists on the specified authentication server. 31.3.1 Test a User Account Command Example: The following example shows how to test whether a user account named userABC exists on the AD authentication server which
417. lor-name | color-number}: Sets the color of the access page's colored background. Sets the color of the login page's background. no login-page color background: Sets the login page to use a solid colored background. no login-page color window-background: Sets the login page's window to use a solid colored background. login-page message-color {color-rgb | color-name | color-number}: Sets the color of the message text on the login page. [no] login-page message-text <message>: Sets a note to display at the bottom of the login screen. Use up to 64 printable ASCII characters. Spaces are allowed. login-page title <title>: Sets the title for the top of the login screen. Use up to 64 printable ASCII characters. Spaces are allowed. login-page title-color {color-rgb | color-name | color-number}: Sets the title text color of the login page. Table 164 Command Summary: Customization (continued). COMMAND / DESCRIPTION: login-page window-color {color-rgb | color-name | color-number}: Sets the color of the login page's window border. logo background-color {color-rgb | color-name | color-number}: Sets the color of the logo banner across the top of the login screen and access page. show access-page settings: Lists the current access page settings. show login-page default-title: Lists the factory default title for the login
419. <1..512> end <1..512>; show logging entries field <field> [begin ...]: Displays the specified fields in the system log. field: {time | msg | src | dst | note | pri | cat | all}. 40.1.2 System Log Commands: This table lists the commands for the system log settings. Table 188 logging Commands: System Log Settings. COMMAND / DESCRIPTION: show logging status system-log: Displays the current settings for the system log. logging system-log category <module-name> {disable | level normal | level all}: Specifies what kind of information, if any, is logged in the system log and debugging log for the specified category. [no] logging system-log suppression interval <10..600>: Sets the log consolidation interval for the system log. The no command sets the interval to ten. [no] logging system-log suppression: Enables log consolidation in the system log. The no command disables log consolidation in the system log. [no] connectivity-check continuous-log activate: Has the ZyWALL generate a log for each connectivity check. The no command has the ZyWALL only log the first connectivity check. show connectivity-check continuous-log status: Displays whether or not the ZyWALL generates a log for each connectivity check. clear logging system-log buffer: Clears the system log. 40.1.2.1 System Log Command Examples: The followin
420. lter lter lter lter Router config schedule object all pro pro pro pro pro pro pro pro file file file file file file file file Sai Sai Sai Sai Sai Sai Sai Sai Router config address object sales 172 21 3 0 24 L day 00 00 23 59 les CF PROFI les CF PROFI les CF PROFI les CF PROFI les CF PROFI les CF PROFI les CF PROFI les CF PROFI policy append all day activate LE url ca LE url ca LE url ur LE custom tegory adult mature content tegory pornography l server LE custom java LE custom activex LE custom proxy any RD RD CF PROFILE ZyWALL ZLD CLI Reference Guide Chapter 23 Content Filtering Use this command to display the settings of the profile service active yes url match unsafe block no warn url match other block yes warn url unrate block no warn service offline block no warn category settings Adult Mature Content Sex Education Nudity Illegal Questionable Violence Hate Racism Abortion Phishing Business Economy Illegal Drugs Cultural Charitable Organization Brokerage Trading Government Legal Political Activist Groups Computers Internet Spyware Malware Sources Job Search Careers Personals Dating Open Image Media Search Email Religion Online Storage Shopping Real Estate Sexuality Alternative Lifestyles Sports Recreation Hobbies Vehicles Software Downloads Peer to Peer Proxy Avoida
421. ly. If you made changes in the CLI, you have to use the write command to save the configuration before you reboot. Otherwise the changes are lost when you reboot. Use the reboot command to restart the device. Session Timeout: Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands. Table 199 Session Timeout Commands. COMMAND / DESCRIPTION: session-timeout {udp-connect <1..300> | udp-deliver <1..300> | icmp <1..300>}: Sets the timeout for UDP sessions to connect or deliver and for ICMP sessions. session-timeout {tcp-established | tcp-synrecv | tcp-close | tcp-finwait | tcp-synsent | tcp-closewait | tcp-lastack | tcp-timewait} <1..300>: Sets the timeout for TCP sessions in the ESTABLISHED, SYN_RECV, FIN_WAIT, SYN_SENT, CLOSE_WAIT, LAST_ACK or TIME_WAIT state. show session-timeout {icmp | tcp | timewait | udp}: Displays ICMP, TCP and UDP session timeouts. The following example sets the UDP session connect timeout to 10 seconds, the UDP deliver session timeout to 15 seconds and the ICMP timeout to 15 seconds. Router(config)#; Router(config)#; Router(config)# session-timeout icmp 15; Router(config)# show session-timeout udp; UDP session connect timeout: 10 seconds; UDP session deliver timeout: 15 seconds; Router(config)# show session-timeout icmp; ICMP session timeout: 15 s
422. mand mode to set a direction-specific through-ZyWALL rule or to-ZyWALL rule. See Table 67 on page 137 for the sub-commands. firewall <zone-object> {<zone-object> | ZyWALL} append: Enters the firewall sub-command mode to add a direction-specific through-ZyWALL rule or to-ZyWALL rule to the end of the global rule list. See Table 67 on page 137 for the sub-commands. Table 66 Command Summary: Firewall (continued). COMMAND / DESCRIPTION: firewall <zone-object> {<zone-object> | ZyWALL} delete <1..5000>: Removes a direction-specific through-ZyWALL rule or to-ZyWALL rule; <1..5000> is the index number in a direction-specific firewall rule list. firewall <zone-object> {<zone-object> | ZyWALL} flush: Removes all direction-specific through-ZyWALL rules or to-ZyWALL rules. firewall <zone-object> {<zone-object> | ZyWALL} insert <rule-number>: Enters the firewall sub-command mode to add a direction-specific through-ZyWALL rule or to-ZyWALL rule before the specified rule number. See Table 67 on page 137 for the sub-commands. firewall <zone-object> {<zone-object> | ZyWALL} move <rule-number> to <rule-number>: Moves a direction-specific through-ZyWALL rule or to-ZyWALL rule to the number that you specified. [no] firewall activate: Enables the firewall on the ZyWALL. The no command disables the firewall. firewall append: Enters the firewall sub-command mode to add
423. mands. Table 31 Input Values for WLAN Interface Commands. LABEL / DESCRIPTION: psk-key: Use 8 to 63 case-sensitive alphanumeric characters or 64 hexadecimal characters. This is used for WLAN interface commands. See Table 33 on page 85. 6.9.1 WLAN General Commands: Use these commands to configure global settings that apply to all of the wireless LAN interfaces you create on the WLAN card. Table 32 WLAN General Commands. COMMAND / DESCRIPTION: wlan <slot-name>: Specifies the slot the WLAN card is installed in and enters sub-command mode. slot-name: The name of the slot where the WLAN card is installed in the ZyWALL. Use slotx where x equals the number of the card slot. [no] activate: Turns the wireless device on. The no command turns it off. band {b | g | bg | bgn | gn}: Sets which IEEE 802.11 wireless standard wireless clients can use to connect to the wireless interface: b, g, bg (b or g), bgn (b, g or n) or gn (g or n). channel {auto | <wireless-channel>}: Sets the wireless operating channel of an IEEE 802.11n interface. wireless-channel: Specify the channel number. The numbers available vary by region. channel-width {auto | 20m | 40m}: Sets how wide a channel the IEEE 802.11n interface uses. guard-interval {short | long}: Sets the IEEE 802.11n interface's gap between data transmissions from users to reduce interference. short increases da
424. minutes between each synchronization if the ZyWALL automatically synchronizes with the specified ZyWALL router. The no command resets the interval to five minutes. [no] device-ha sync now: Synchronize now. 25.6.3 Link Monitoring Commands: This table lists the commands for link monitoring. Link monitoring has the master ZyWALL shut down all of its VRRP interfaces if one of its VRRP interface links goes down. This way the backup ZyWALL takes over all of the master ZyWALL's functions. Table 130 device-ha Commands: Synchronization. COMMAND / DESCRIPTION: device-ha link-monitoring activate: Turns on device HA link monitoring. no device-ha link-monitoring: Turns off device HA link monitoring. show device-ha link-monitoring: Displays the current link monitoring setting. device-ha stop-stub-interface activate: Has the master ZyWALL shut down any 3G or wireless LAN interfaces if one of its VRRP interface links goes down. no device-ha stop-stub-interface: Has the master ZyWALL not shut down any 3G or wireless LAN interfaces if one of its VRRP interface links goes down. show device-ha stop-stub-interface: Displays whether or not the ZyWALL is set to have the master ZyWALL shut down any 3G or wireless LAN interfaces if one of its VRRP interface links goes down. User/Group
425. mited-admin | user | ext-group-user}: Set it to zero for unlimited reauthorization time. The no command (users logon re-auth-time <0..1440>) sets the default reauthorization time to thirty. show users retry-settings: Displays the current retry limit settings for users. [no] users retry-limit: Enables the retry limit for users. The no command disables the retry limit. [no] users retry-count <1..99>: Sets the number of failed login attempts a user can have before the account or IP address is locked out for lockout-period minutes. The no command sets the retry count to five. [no] users lockout-period <1..65535>: Sets the amount of time in minutes a user or IP address is locked out after retry-count number of failed login attempts. The no command sets the lockout period to thirty minutes. show users simultaneous-logon-settings: Displays the current settings for simultaneous logins by users. [no] users simultaneous-logon {administration | access} enforce: Enables the limit on the number of simultaneous logins by users of the specified account type. The no command disables the limit or allows an unlimited number of simultaneous logins. [no] users simultaneous-logon {administration | access} limit <1..1024>: Sets the limit for the number of simultaneous logins by users of the specified account type. The no command sets the limit to one. show users update-lease settings: Displays whether or not access users can automati
427. mmand mode. [no] packet-flow activate: Turns the packet flow filter on or off. show packet-flow status: Displays whether or not the packet flow filter is activated and whether the ring buffer is enabled or disabled. show packet-flow buffer pf-cpu-core-num: Displays the details of the captured packet flow. show packet-flow filter pf-filter-num-range: Displays the specified packet flow filter's settings. packet-flow buffer clear pf-cpu-core-num: Clears the specified CPU core's buffer. packet-flow buffer write: Writes buffer content of all CPU cores to a file you can download from the FTP tmp directory. [no] packet-flow ring-buffer activate: Activates the packet flow ring buffer to overwrite the oldest record with the newest record. Use the no command to stop capturing packets after the buffer is full. 45.3 Packet Flow Filter Commands Examples: The following example configures packet flow filter 1 to display how the firewall and policy routes handle UDP (protocol 17) traffic with source port 123 sent from IP address 1.2.3.4 to IP address 5.6.7.8 port 456. Then it turns on the packet flow filter. Router(config)# exit; Router# configure terminal; Router(config)# packet-flow filter 1; Router(config)# packet-fl; Router(config)# packet-fl; Router(config)# packet-fl; Router(config)# packet-fl; Router(config)# packet-fl; Router(config)# packet-fl
428. mmands. Use the configure terminal command to enter the configuration mode to be able to use these commands. Table 209 app-watchdog Commands. COMMAND / DESCRIPTION: [no] app-watch-dog activate: Turns the application watchdog timer on or off. [no] app-watch-dog auto-recover: If app-watch-dog detects a dead process, app-watch-dog will try to auto-recover. The no command turns off auto-recover. [no] app-watch-dog console print {always | once}: Displays debug messages on the console every time they occur or once. The no command changes the setting back to the default. [no] app-watch-dog cpu-threshold min <1..100> max <1..100>: Sets the percentage thresholds for sending a CPU usage alert. The ZyWALL starts sending alerts when CPU usage exceeds the maximum (the second threshold you enter). The ZyWALL stops sending alerts when the CPU usage drops back below the minimum threshold (the first threshold you enter). The no command changes the setting back to the default. [no] app-watch-dog interval <6..300>: Sets how frequently (in seconds) the ZyWALL checks the system processes. The no command changes the setting back to the default. [no] app-watch-dog retry-count <1..5>: Sets how many times the ZyWALL is to re-check a process before considering it failed. The no command changes the setting back to the default. [no] app-watch-dog alert: Has the ZyWALL send an alert to the user when the system is out of memory or d
429. mmands in Configuration Mode. COMMAND / DESCRIPTION: ipv6 neighbor flush [ipv6-address]: Clears the specified IPv6 address or all IPv6 addresses from the IPv6 neighbor cache. 46.1 Maintenance Command Examples: Some packet-trace command examples are shown below. 19 19 19 19 19 19 tcpdump 24 24 24 24 24 24 43 44 44 45 45 240199 268839 269238 192 192 19245 192 192 192 Router packet trace duration 3 listening on eth0 239798 43 258823 259219 168 168 168 168 168 168 6 packets received by filter 0 packets dropped by kernel 0 > 192.168.1.1 icmp echo request 192.168.1.10 icmp echo reply 0 > 192.168.1.1 icmp echo request 192.168.1.10 icmp echo reply 0 > 192.168.1.1 icmp echo request 192.168.1.10 icmp echo reply listening on eth1 192 192 192 1924 898639 900450 908749 910606 Router packet trace interface ge2 ip proto icmp file extension filter s > 50 0 n tcpdump 07 24 07 07 24 07 07 24 08 07 24 08 168 168 168 168 8 packets received by filter 0 packets dropped by kernel 105 133 192 168 105 40 icmp echo request DF 105 40 192 168 105 133 icmp echo reply 105 133 192 168 105 40 icmp echo request DF 105 40 192 168 105 133 icmp echo reply tcpdump 07 26 07 26 07 26 07 26 51 52 54 752774 192 19
430. mode, not configuration mode. show ip dhcp binding [ip]: Displays information about DHCP bindings for the specified IP address or for all IP addresses. clear ip dhcp binding {ip | *}: Removes the DHCP bindings for the specified IP address or for all IP addresses. 6.2.2.1 DHCP Setting Command Examples: The following example uses these commands to configure DHCP pool DHCP_TEST. Router# configure terminal; Router(config)# ip dhcp pool DHCP_TEST; Router(config-ip-dhcp-pool)# network 192.168.1.0 /24; Router(config-ip-dhcp-pool)# domain-name zyxel.com; Router(config-ip-dhcp-pool)# first-dns-server 10.1.5.1; Router(config-ip-dhcp-pool)# second-dns-server ge1 1st-dns; Router(config-ip-dhcp-pool)# third-dns-server 10.1.5.2; Router(config-ip-dhcp-pool)# default-router 192.168.1.1; Router(config-ip-dhcp-pool)# lease 0 1 30; Router(config-ip-dhcp-pool)# starting-address 192.168.1.10 pool-size 30; Router(config-ip-dhcp-pool)# hardware-address 00:0F:20:74:B8:18; Router(config-ip-dhcp-pool)# client-identifier 00:0F:20:74:B8:18; Router(config-ip-dhcp-pool)# client-name TWtester1; Router(config-ip-dhcp-pool)# exit; Router(config)# interface ge1; Router(config-if)# ip dhcp-pool DHCP_TEST; Router(config-if)# exit; Router(config)# show ip dhcp server status; binding interface: ge1; binding pool: DHCP_TEST. 6.2.2.2 DHCP Extended O
431. mple-administrator@example.com as the first account to which to send the mail. Has the ZyWALL not use the second and third mail-to options. Sets my-email@example.com as the fourth mail-to option. Has the ZyWALL not use the fifth mail-to option. Has the ZyWALL provide username 12345 and password 12345 to the SMTP server for authentication. Sets the ZyWALL to send the report at 1:57 PM. Has the ZyWALL not reset the counters after sending the report. Has the report include CPU, memory, port and session usage along with traffic statistics. Turns on the daily e-mail reporting. Router(config)# daily-report; Router(config-daily-report)# no activate; Router(config-daily-report)# smtp-address example-SMTP-mail-server.com; Router(config-daily-report)# mail-subject set test; Router(config-daily-report)# no mail-subject append system-name; Router(config-daily-report)# mail-subject append date-time; Router(config-daily-report)# mail-from my-email@example.com; Router(config-daily-report)# mail-to-1 example-administrator@example.com; Router(config-daily-report)# no mail-to-2; Router(config-daily-report)# no mail-to-3; Router(config-daily-report)# mail-to-4 my-email@example.com; Router(config-daily-report)# smtp-auth username 12345 password pass12345; Router(config-daily-report)# schedule hour 13 minutes 57; Router(config-daily-report)# no reset-counter; Router(config-da
433. name in the specified DDNS profile. The no command clears the domain name. hostname: You may use up to 254 alphanumeric characters, dashes or periods, but the first character must be alphanumeric. [no] ip-select {iface | auto | custom}: Sets the IP address update policy in the specified DDNS profile. The no command clears the policy. [no] ip-select-backup {iface | auto | custom}: Sets the alternate IP address update policy in the specified DDNS profile. The no command clears the policy. [no] custom-ip <ip>: Sets the static IP address in the specified DDNS profile. The no command clears it. [no] backup-custom-ip <ip>: Sets the static IP address for the backup interface in the specified DDNS profile. The no command clears it. [no] mx {ip | domain-name}: Enables the mail exchanger and sets the fully qualified domain name of the mail server to which mail from this domain name is forwarded. The no command disables the mail exchanger. domain-name: You may use up to 254 alphanumeric characters, dashes or periods, but the first character must be alphanumeric. [no] wan-iface <interface-name>: Sets the WAN interface in the specified DDNS profile. The no command clears it. Table 58 ip ddns Commands (continued). COMMAND / DESCRIPTION: [no] backup-iface <interface-name>: Sets the backup WAN interface in the specified DDNS profile. The no
434. nce Web Advertisements Extreme Tobacco Web Applications Alternative Sexuality Lifestyles Non viewable Placeholders Potentially Unwanted Software Audio Video Clips Radio Audio Streams Internet Telephony Newsgroups Forums Entertainment Sports Recreation Alternative Spirituality Belief yes log no no log no yes log no yes log no yes Pornography yes no Intimate Apparel Swimsuit no no Alcohol Tobacco no no Gambling no no Weapons no no Hacking no no Arts Entertainment no no Alternative Spirituality Occult no no Education no no Financial Services no no Online Games no no Military no no Health no no Search Engines Portals no no Spyware Effects Privacy Concerns no no News Media no no Reference no no Chat Instant Messaging no no Blogs Newsgroups no no Social Networking no no Remote Access Tools no no Auctions no no Society Lifestyle no no Restaurants Dining Food no no Travel no no Humor Jokes no no Pay to Surf no no Streaming Media MP3s no no For Kids no no Web Hosting no no Alcohol no no Blogs Personal Pages no no Suspicious no no LGBT no no Content Servers no no Open Mixed Content no no Greeting Cards no no Media Sharing no no TV Video Streams no no Online Meetings no no Art Culture no no Games no no Translation no no Society Daily Living no Router(config)# show content-filter profile sales_CF_PROFILE commtouch
435. nd clears this setting and sets it to the default setting of 5 seconds. [no] server ssl: Enables the ZyWALL to establish a secure connection to the LDAP server. The no command disables this feature. 30.2.7 aaa group server radius Commands: The following table lists the aaa group server radius commands you use to configure a group of RADIUS servers. Table 152 aaa group server radius Commands. COMMAND / DESCRIPTION: clear aaa group server radius [group-name]: Deletes all RADIUS server groups or the specified RADIUS server group. Note: You can NOT delete a server group that is currently in use. show aaa group server radius group-name: Displays the specified RADIUS server group settings. [no] aaa group server radius group-name: Sets a descriptive name for the RADIUS server group. The no command deletes the specified server group. aaa group server radius rename group-name-old group-name-new: Sets the server group name. Table 152 aaa group server radius Commands (continued). COMMAND / DESCRIPTION: aaa group server radius group-name: Enters the sub-command mode. [no] case-sensitive: Specifies whether or not the server checks the username case. Set this to be the same as the server's behavior. [no] description server-description: Sets the descriptive information for the RADIUS server group. You can use up
436. nd mode. The no command deletes the specified address group. [no] address-object <object-name>: Adds the specified address to the specified address group. The no command removes the specified address from the specified group. [no] object-group <group-name>: Adds the specified address group (second group-name) to the specified address group (first group-name). The no command removes the specified address group from the specified address group. Table 141 object-group Commands: Address Groups (continued). COMMAND / DESCRIPTION: [no] description <description>: Sets the description to the specified value. The no command clears the description. description: You can use alphanumeric and S_ characters, and it can be up to 60 characters long. object-group address rename <group_name> <group_name>: Renames the specified address group from the first group_name to the second group_name. 27.2.2.1 Address Group Command Examples: The following commands create three address objects (A0, A1 and A2) and add A1 and A2 to address group RD. Router# configure terminal; Router(config)# address-object A0 192.168.1.1; Router(config)# address-object A1 192.168.1.2-192.168.2.20; Router(config)# address-object A2 192.168.3.0/24; Router(config)# object-group address RD; Router(group-address)# address-object A1; Router(group-address)# address-object A2; Router(group-address)# ex
437. nderscores, dashes, or characters.

Table 70 Input Values for IPSec VPN Commands (continued) (Chapter 17 IPSec VPN)
LABEL | DESCRIPTION
distinguished name | A domain name. You can use up to 511 alphanumeric characters, spaces, or _ characters.
sort order | Sort the list of currently connected SAs by one of the following classifications: algorithm, encapsulation, inbound, name, outbound, policy, timeout, uptime.

The following sections list the IPSec VPN commands.

17.2.1 IKE SA Commands
This table lists the commands for IKE SAs (VPN gateways).

Table 71 isakmp Commands: IKE SAs
COMMAND | DESCRIPTION
show isakmp keepalive | Displays the Dead Peer Detection period.
show isakmp policy [policy_name] | Shows the specified IKE SA or all IKE SAs.
isakmp keepalive <2..60> | Sets the Dead Peer Detection period.
[no] isakmp policy policy_name | Creates the specified IKE SA if necessary and enters sub-command mode. The no command deletes the specified IKE SA.
activate / deactivate | Activates or deactivates the specified IKE SA.
authentication {pre-share | rsa-sig} | Specifies whether to use a pre-shared key or a certificate for authentication.
certificate certificate_name | Sets the certificate that can be used for authentication.
[no] dpd | Enables Dead Peer Detection (DPD). The no command disables DPD.
438. nds available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 166 Command Summary: Date/Time
COMMAND | DESCRIPTION
clock date yyyy-mm-dd time hh:mm:ss | Sets the new date in year, month, and day format manually and the new time in hour, minute, and second format.
[no] clock daylight-saving | Enables daylight saving. The no command disables daylight saving.
[no] clock saving-interval begin {apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep} {1|2|3|4|last} {fri|mon|sat|sun|thu|tue|wed} hh:mm end {apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep} {1|2|3|4|last} {fri|mon|sat|sun|thu|tue|wed} hh:mm offset | Configures the day and time when Daylight Saving Time starts and ends. The no command removes the day and time when Daylight Saving Time starts and ends. offset: a number from 1 to 5.5 by 0.5 increments.
clock time hh:mm:ss | Sets the new time in hour, minute, and second format.
[no] clock time-zone hh | Sets your time zone. The no command removes time zone settings.
[no] ntp | Saves your date and time and time zone settings and updates the date and time every 24 hours. The no command stops updating the date and time every 24 hours.
[no] ntp server {fqdn | w.x.y.z} | Sets the IP address or URL of your NTP time server. The no command removes time server information.
ntp sync | Gets the time and date
439. nection. Configure an IP address pool for the range of 192.168.10.10 to 192.168.10.20. In this example it is already created and called L2TP_POOL. This example uses the default authentication method (the ZyWALL's local user database). Select a user or group of users that can use the tunnel. Here a user account named L2TP-test has been created. The other settings are left to the defaults in this example. Enable the connection. (Chapter 19 L2TP VPN)
  Router(config)# l2tp-over-ipsec crypto Default_L2TP_VPN_Connection
  Router(config)# l2tp-over-ipsec pool L2TP_POOL
  Router(config)# l2tp-over-ipsec authentication default
  Router(config)# l2tp-over-ipsec user L2TP-test
  Router(config)# l2tp-over-ipsec activate
  Router(config)# show l2tp-over-ipsec
  L2TP over IPSec:
    activate: yes
    crypto: Default_L2TP_VPN_Connection
    address pool: L2TP_POOL
    authentication: default
    user: L2TP-test
    keepalive timer: 60
    first dns server: aux 1st dns
    second dns server: aux 1st dns
    first wins server:
    second wins server:

19.5.4 Configuring the Policy Route for L2TP Example
The following commands configure and display the policy route for the L2TP VPN connection entry. Set the policy route's Source Address to the address object that you want to allow the remote users to access (LAN_SUBNET in this example). Set the Destination Address to the IP address pool that the
440. net >

10.2 Zone Commands Summary (Chapter 10 Zones)
The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands.

Table 54 Input Values for Zone Commands
LABEL | DESCRIPTION
profile_name | The name of a zone, or the name of a VPN tunnel. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive.

About the pre-defined zones in the ZyWALL USG 200 and below models:
- The lan1 interface always belongs to the LAN1 zone.
- The lan2 interface always belongs to the LAN2 zone.
- The dmz interface always belongs to the DMZ zone.
- The wan1, wan2, wan1_ppp, or wan2_ppp interfaces always belong to the WAN zone.
- An opt_ppp interface can be added to the WAN or OPT zone.

This table lists the zone commands.

Table 55 zone Commands
COMMAND | DESCRIPTION
show zone [profile_name] | Displays information about the specified zone or about all zones.
show zone binding iface | Displays each interface and zone mappings.
show zone default-binding | Displays the pre-configured interface and zone mappings that come with the ZyWALL.
show zone none-binding | Displays the interfaces, tunnels, and SSL VPNs that are not associated with a zone yet.
show zone system-default | Display
441. nfig-if-cellular)# connectivity nail-up
  Router(config-if-cellular)# description This is cellular2
  Router(config-if-cellular)# mtu 1200
  Router(config-if-cellular)# exit

This second example shows specifying a new PIN code of 4567.
  Router(config)# interface cellular2
  Router(config-if-cellular)# pin 4567
  Router(config-if-cellular)# exit

This example shows the 3G and SIM card information for interface cellular2 on the ZyWALL.
  Router(config)# show interface cellular2 device status
  interface name: cellular2
  extension slot: USB 1
  service provider: Chunghwa Telecom
  cellular system: WCDMA
  signal strength: -95 dBm
  signal quality: Poor
  device type: WCDMA
  device manufacturer: Huawei
  device model: E220/E270/E800A
  device firmware: 076.11.07.106
  device IMEI/ESN: 351827019784694
  SIM card IMSI: 466923100565274

This example shows the 3G connection profile settings for interface cellular2 on the ZyWALL. You have to dial 99 1 to use profile 1, but authentication is not required. Dial 99 2 to use profile 2, and authentication is required.
  Router(config)# show interface cellular2 device profile
  profile: 1
    apn: internet
    dial string: 99 14
    authentication: none
    user: n/a
    password: n/a
  profile: 2
    apn: internet
    dial string: 99 2
    authentication: chap
    user:
    password:
442. nfigure
  Router(packet-capture)# iface add wan1
  Router(packet-capture)# ip-type any
  Router(packet-capture)# host-ip any
  Router(packet-capture)# file-suffix Example
  Router(packet-capture)# files-size 10
  Router(packet-capture)# duration 150
  Router(packet-capture)# storage usbstorage
  Router(packet-capture)# ring-buffer disable
  Router(packet-capture)# split-size 100

Exit the sub-command mode and have the ZyWALL capture packets according to the settings you just configured.
  Router(packet-capture)# exit
  Router(config)# packet-capture activate
  Router(config)#

Manually stop the running packet capturing.
  Router(config)# no packet-capture activate
  Router(config)#

Check current packet capture status and list all stored packet captures.
  Router(config)# show packet-capture status
  Capture status: off
  Router(config)# dir packet_trace
  File Name          Size     Modified Time
  wan1-Example.cap   575160   2009-11-24 09:06:59
  Router(config)#

You can use FTP to download a capture file. Open and study it using a packet analyzer tool (for example, Ethereal or Wireshark). (Chapter 46 Maintenance Tools)

47 Watchdog Timer
This chapter provides information about the ZyWALL's watchdog
443. ng
[no] scan-detection open-port {activate | log [alert] | block} | Activates or deactivates open port scan detection options. Also sets open port scan detection logs or alerts and blocking. no deactivates open port scan detection, its logs, alerts, or blocking.
flood-detection block-period <1..3600> | Sets for how many seconds the ZyWALL blocks all packets from being sent to the victim (destination) of a detected anomaly attack.
[no] flood-detection {tcp-flood | udp-flood | ip-flood | icmp-flood} {activate | log [alert] | block} | Activates or deactivates TCP, UDP, IP, or ICMP flood detection. Also sets flood detection logs or alerts and blocking. no deactivates flood detection, its logs, alerts, or blocking.

Table 103 Editing/Creating Anomaly Profiles (continued) (Chapter 22 IDP Commands)
COMMAND | DESCRIPTION
[no] http-inspection http-xxx activate | Activates or deactivates http inspection options, where http-xxx = ascii-encoding, u-encoding, bare-byte-unicode-encoding, base36-encoding, utf-8-encoding, iis-unicode-codepoint-encoding, multi-slash-encoding, iis-backslash-evasion, self-directory-traversal, directory-traversal, apache-whitespace, non-rfc-http-delimiter, non-rfc-defined-char, oversize-request-uri-directory, oversize-chunk-encoding, webroot-directory-traversal.
http-inspection http-xxx log [alert] | Sets http
445. ng commands.

Table 121 Input Values for DNSBL Commands
LABEL | DESCRIPTION
dnsbl_domain | A domain that is maintaining a DNSBL. You may use 0-254 alphanumeric characters or dashes.

This table describes the DNSBL commands. (Chapter 24 Anti-Spam)

Table 122 DNSBL Commands
COMMAND | DESCRIPTION
[no] anti-spam dnsbl activate | Turns DNSBL checking on or off.
anti-spam dnsbl domain dnsbl_domain {activate | deactivate} | Adds or edits a DNSBL domain for checking e-mail header IP addresses.
no anti-spam dnsbl domain dnsbl_domain | Removes the specified DNSBL domain.
anti-spam dnsbl query-timeout smtp {drop | forward | forward-with-tag} | Sets how the ZyWALL handles SMTP mail (mail going to an e-mail server) if the queries to the DNSBL domains time out.
anti-spam dnsbl query-timeout pop3 {forward | forward-with-tag} | Sets how the ZyWALL handles POP3 mail (mail coming to an e-mail client) if the queries to the DNSBL domains time out.
anti-spam dnsbl max-query-ip <1..5> | Sets up to how many sender and relay server IP addresses in the mail header to check against the DNSBL.
anti-spam dnsbl ip-check-order {forward | backward} | Configures the order in which anti-spam checks e-mail header IP addresses against the DNSBLs. forward checks the first N IP addresses. Checking starts from the first IP address in the mail header. This is the I
446. ng example gets a configuration file named today.conf from the ZyWALL and saves it on the computer as current.conf.

Figure 29 FTP Configuration File Download Example
  C:\>ftp 192.168.1.1
  Connected to 192.168.1.1.
  220 FTP Server (ZyWALL) [192.168.1.1]
  User (192.168.1.1:(none)): admin
  331 Password required for admin.
  Password:
  230 User admin logged in.
  ftp> bin
  200 Type set to I.
  ftp> cd conf
  250 CWD command successful.
  ftp> get today.conf current.conf
  200 PORT command successful.
  150 Opening BINARY mode data connection for conf/today.conf (20220 bytes).
  226 Transfer complete.
  ftp: 20220 bytes received in 0.03Seconds 652.26Kbytes/sec.

39.7 ZyWALL File Usage at Startup
The ZyWALL uses the following files at system startup.

Figure 30 ZyWALL File Usage at Startup: 1 Boot Module, 2 Recovery Image, 3 Firmware

1. The boot module performs a basic hardware test. You cannot restore the boot module if it is damaged. The boot module also checks and loads the recovery image. The ZyWALL notifies you if the recovery image is damaged.
2. The recovery image checks and loads the firmware. The ZyWALL notifies you if the firmware is damaged.

39.8 Notification of a Damaged Recovery Image or Firmware (Chapter 39 File Manager)
The ZyWALL's recovery image and/or firmware could be damaged, for example, by the power going off during a fi
447. ng profile to block Cookies. The no cookie command sets the profile to allow Cookies.
content-filter profile filtering_profile custom list forbid | Enters the sub-command for configuring the content filtering profile's list of forbidden hosts.
[no] forbid hosts | Adds a forbidden host to the content filtering profile's list. The no command removes it.
exit | Leaves the sub-command mode.
[no] content-filter profile filtering_profile custom java | Sets a content filtering profile to block Java. The no java command sets the profile to allow Java.

Table 113 content-filter Filtering Profile Commands Summary (continued) (Chapter 23 Content Filtering)
COMMAND | DESCRIPTION
content-filter profile filtering_profile custom list keyword | Enters the sub-command for configuring the content filtering profile's list of forbidden keywords. This has the content filtering profile block access to Web sites with URLs that contain the specified keyword or IP address in the URL.
[no] keyword | Adds a forbidden keyword or IP address to the content filtering profile's list. The no command removes it.
exit | Leaves the sub-command mode.
[no] content-filter profile filtering_profile custom proxy | Sets a content filtering profile to block access to web proxy servers. The no command sets the profile to allow access to proxy servers.
content-filter profile filtering_profile custom list trust | E
448. nly create a log one time when the time or data limit is exceeded.
budget new-connection {allow | disallow} | Sets to permit (allow) or drop/block (disallow) new 3G connections when the time or data limit is exceeded.
budget current-connection {keep | drop} | Sets to maintain the existing 3G connection (keep) or disconnect it (drop) when the time or data limit is exceeded. You cannot set budget new-connection to allow and budget current-connection to drop at the same time. If you set budget new-connection to disallow and budget current-connection to keep, the ZyWALL allows you to transmit data using the current connection, but you cannot build a new connection if the existing connection is disconnected.

Table 27 Cellular Interface Commands (continued) (Chapter 6 Interfaces)
COMMAND | DESCRIPTION
budget percentage {ptime | pdata} <0..99> | Sets a percentage (0-99) of the time budget (ptime) or data (pdata) limit. When the specified limit is exceeded, the ZyWALL takes the action configured using the budget {log-percentage | log-percentage-alert} command.
budget {log-percentage | log-percentage-alert} [recursive <1..65535>] | Sets to have the ZyWALL create a log (log-percentage) or an alert log (log-percentage-alert) when the set percentage of the time budget or data limit is exceeded. You can configure the percentage using the budget percentage command. You can
450. no effect, but you can still set them.

Table 17 interface Commands: DHCP Settings (continued) (Chapter 6 Interfaces)
COMMAND | DESCRIPTION
[no] host ip | Specifies the static IP address the ZyWALL should assign. Use this command along with hardware-address to create a static DHCP entry. Note: The IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool. When this command is used, the ZyWALL treats this DHCP pool like a static entry, regardless of the network setting. The no command clears this field.
[no] hardware-address mac_address | Reserves the DHCP pool for the specified MAC address. Use this command along with host to create a static DHCP entry. The no command clears this field.
[no] client-identifier mac_address | Specifies the MAC address that appears in the DHCP client list. The no command clears this field.
[no] client-name host_name | Specifies the host name that appears in the DHCP client list. The no command clears this field. host_name: You may use 1-31 alphanumeric characters, underscores, or dashes, but the first character cannot be a number. This value is case-sensitive.

Use the following commands to create a pool of IP addresses. These commands have no effect if you use the host command. You can still set them, however.
dhcp-option <1..254> option_name {boolean <0..1> | uint8 <0..255>
451. noon every day, on the first day of every month, and on every Monday, Wednesday, and Friday.
  Router# configure terminal
  Router(config)# schedule-run 1 aaa.zysh daily 12:00
  Router(config)# schedule-run 1 aaa.zysh monthly 12:00 01
  Router(config)# schedule-run 1 aaa.zysh weekly 12:00 mon wed fri
  Router(config)#

39.6 FTP File Transfer
You can use FTP to transfer files to and from the ZyWALL for advanced maintenance and support.

39.6.1 Command Line FTP File Upload
1. Connect to the ZyWALL.
2. Enter bin to set the transfer mode to binary.
3. You can upload the firmware after you log in through FTP. To upload other files, use cd to change to the corresponding directory.
4. Use put to transfer files from the computer to the ZyWALL. For example: In the conf directory, use put config.conf today.conf to upload the configuration file (config.conf) to the ZyWALL and rename it today.conf. put 1.00(XL.0).bin transfers the firmware (1.00(XL.0).bin) to the ZyWALL.

(Chapter 39 File Manager) The firmware update can take up to five minutes. Do not turn off or reset the ZyWALL while the firmware update is in progress. If you lose power during the firmware upload, you may need to refer to Section 39.8 on page 307 to recover the firmware.

39.6.2 Command Line FTP Configuration File Upload Example
The following example transfers a configuration file named tomorrow.conf from th
452. nt (continued)
COMMAND | DESCRIPTION
show interface send statistics interval | Displays the interval for how often the ZyWALL refreshes the sent packet statistics for the interfaces.
show interface summary all | Displays basic information about the interfaces.
show interface summary all status | Displays the connection status of the interfaces.
[no] interface interface_name | Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface.
[no] description description | Specifies the description for the specified interface. The no command clears the description. description: You can use alphanumeric and S_ characters and it can be up to 60 characters long.
[no] downstream <0..1048576> | This is reserved for future use. Specifies the downstream bandwidth for the specified interface. The no command sets the downstream bandwidth to 1048576.
exit | Leaves the sub-command mode.
[no] ip address dhcp | Makes the specified interface a DHCP client; the DHCP server gives the specified interface its IP address, subnet mask, and gateway. The no command makes the IP address static for the specified interface. See the next command to set this IP address.
[no] ip address ip subnet_mask | Assigns the specified IP address and subnet mask to the specified interface. The no command clears the IP address and the su
453. nt, register your ZyWALL and activate a service using the Licensing > Registration screens. Alternatively, go to http://www.myZyXEL.com with the ZyWALL's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details.

Note: To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL.

5.1.1 Subscription Services Available on the ZyWALL
The ZyWALL can use anti-virus, anti-spam, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), SSL VPN, and content filtering subscription services.

The ZyWALL's anti-virus packet scanner uses the signature files on the ZyWALL to detect virus files. Your ZyWALL scans files transmitting through the enabled interfaces into the network. Subscribe to signature files for ZyXEL's anti-virus engine or one powered by Kaspersky. After the service is activated, the ZyWALL can download the up-to-date signature files from the update server (http://myupdate.zywall.zyxel.com).

When using the trial, you can switch from one engine to the other in the Registration screen. There is no limit on the number of times you can change the anti-virus engine selection during the trial, but you only get a total of one anti-virus trial period, not a separate trial period for each anti-virus engine. After the trial exp
454. nterface | U P | Dials or disconnects an interface.
no packet-trace | U P | Turns off packet tracing.
nslookup | U P | Resolves an IP address to a host name and vice versa.
packet-trace | U P | Performs a packet trace.
ping | U P | Pings an IP address or host name.
ping6 | U P | Pings an IPv6 address or a host name.
psm | U P | Goes to psm (product support module) mode for setting product parameters. You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting. Note: These commands are for ZyXEL's internal manufacturing process.
reboot | P | Restarts the device.
release | P | Releases DHCP information from an interface.
rename | P | Renames a configuration file.
renew | P | Renews DHCP information for an interface.
run | P | Runs a script.
setenv | U P | Turns stop-on-error on (terminates booting if an error is found in a configuration file) or off (ignores configuration file errors and continues booting).
show | U P | Displays command statistics. See the associated command chapter in this guide.
shutdown | P | Writes all data to disk and stops the system processes. It does not turn off the power.
telnet | U P | Establishes a connection to the TCP port number 23 of the specified host name or IP address.
test aaa | U P | Tests whether the specified user name can be successfully authenticated by an external authentication server.
traceroute | P | Traces the route to the specified host name or IP address.
traceroute6 | P | Traces the route to the specified host name
455. nters the sub-command for configuring the content filtering profile's list of trusted hosts.
[no] trust hosts | Adds a trusted host to the content filtering profile's list. The no command removes it.
exit | Leaves the sub-command mode.
[no] content-filter profile filtering_profile custom trust-allow-features | Sets a content filtering profile to permit Java, ActiveX, and Cookies from sites on the trusted list. The no command has the content filtering profile not permit Java, ActiveX, and Cookies from sites on the trusted list.
[no] content-filter profile filtering_profile custom trust-only | Sets a content filtering profile to only allow access to web sites that are on the trusted list. The no command has the profile allow access to web sites that are not on the trusted list.
[no] content-filter profile filtering_profile url category category_name | Sets a content filtering profile to check for specific web site categories. The no command has the profile not check for the specified categories.
content-filter profile filtering_profile url match-unsafe {block | log | pass} | Sets the action for attempted access to web pages that match the profile's selected unsafe categories. Block access, log access, or allow access.
content-filter profile filtering_profile url match {block | log | warn | pass} | Sets the action for attempted access to web pages that match the profile's selected managed categories. Block
457. number to policy_number | Moves a routing policy to the number that you specified.
[no] policy override-direct-route activate | Has the ZyWALL forward packets that match a policy route according to the policy route instead of sending the packets to a directly connected network. Use the no command to disable it.
[no] policy controll-virtual-server-rules activate | Gives policy routes priority over NAT virtual server rules (1:1 SNAT). Use the no command to give NAT virtual server rules priority over policy routes.
[no] policy6 override-direct-route activate | Has the ZyWALL forward IPv6 packets that match a policy route according to the policy route instead of sending the packets to a directly connected network. Use the no command to disable it.
show bwm activation | Displays whether or not the global setting for bandwidth management on the ZyWALL is enabled.
show bwm usage {policy-route policy_number | interface interface_name} | Displays the specified policy route's or interface's bandwidth allotment, current bandwidth usage, and bandwidth usage statistics.
show policy-route [policy_number] | Displays all or the specified policy route settings.
show policy-route begin <1..200> end <1..200> | Displays the specified range of policy route settings (rules).
show policy-route controll-ipsec-dynamic | Displays whether the ZyWALL checks policy routes first before IPSec dynami
458. numeric characters or underscores.
no ip ospf message-digest-key | Clears the ID and password for OSPF MD5 authentication in the specified interface.
[no] ip ospf hello-interval <1..65535> | Sets the number of seconds between hello messages to peer routers. These messages let peer routers know the ZyWALL is available. The no command sets the number of seconds to 10. See ip ospf dead-interval for more information.
[no] ip ospf dead-interval <1..65535> | Sets the number of seconds the ZyWALL waits for hello messages from peer routers before it assumes the peer router is not available and deletes associated routing information. The no command sets the number of seconds to 40. See ip ospf hello-interval for more information.
[no] ip ospf retransmit-interval <1..65535> | Sets the number of seconds the ZyWALL waits for an acknowledgment in response to a link state advertisement before it re-sends the advertisement. Link state advertisements (LSA) are used to share the link state and routing information between routers.

6.2.6 Connectivity Check (Ping-check) Commands (Chapter 6 Interfaces)
Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecut
459. ny (any means all users).
policy6 {policy_number | append | insert policy_number} | Enters the IPv6 policy route sub-command mode to configure, add, or insert a policy.
[no] bandwidth <1..1048576> priority <1..1024> [maximize-bandwidth-usage] | Sets the maximum bandwidth and priority for the policy. The no command removes bandwidth settings from the rule. You can also turn maximize bandwidth usage on or off.
[no] deactivate | Disables the specified policy. The no command enables the specified policy.
[no] description description | Sets a descriptive name for the IPv6 policy. The no command removes the name for the policy.
[no] destination {address6_object | any} | Sets the destination IPv6 IP address the matched packets must have. The no command resets the destination IP address to the default (any). any means all IP addresses.
[no] dscp {any | <0..63>} | Sets a custom DSCP code point (0-63). This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker.
[no] dscp class {default | dscp_class} | Sets a DSCP class. Use default to apply this policy route to incoming packets that are marked with DSCP value 0. Use one of the pre-defined AF classes (including af11-af13, af21-af23, af31-af33, and af41-af43) to apply this policy route to incoming packets that are marked with the DSCP AF class. The af entries stand for Assured Forwarding. The number fo
461. [no] system default-snat
    Enables or disables Source NAT (SNAT). When SNAT is enabled, the ZyWALL uses the IP address of the outgoing interface as the source IP address of the packets it sends out through the WAN interfaces.

show system default-snat
    Displays whether the ZyWALL enables SNAT or not. The ZyWALL performs SNAT by default for traffic going to or from the WAN interfaces.

show system default-interface-group
    Displays the WAN trunk the ZyWALL first attempts to use.

7.5 Trunk Command Examples

The following example creates a weighted round robin trunk for Ethernet interfaces ge1 and ge2. The ZyWALL sends twice as much traffic through ge1.

Router# configure terminal
Router(config)# interface-group wrr-example
Router(if-group)# mode trunk
Router(if-group)# algorithm wrr
Router(if-group)# interface 1 ge1 weight 2
Router(if-group)# interface 2 ge2 weight 1
Router(if-group)# exit
Router(config)#

The following example creates a least load first trunk for Ethernet interface ge3 and VLAN 5, which will only apply to outgoing traffic through the trunk. The ZyWALL sends new session traffic through the least utilized of these interfaces.

Router# configure terminal
Router(config)# interfa
Router(if-group)# mode trunk
Router(if-group)# algorithm llf
Router(if-group)# exit
Router(config)#
462. o log into the LDAP server group. The no command clears this setting.

[no] server description description
    Sets the descriptive information for the LDAP server group. You can use up to 60 printable ASCII characters. The no command clears this setting.

[no] server group-attribute group_attribute
    Sets the name of the attribute that the ZyWALL is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values. For example, you could have an attribute named memberOf with values like sales, RD and management. Then you could also create an ext-group-user user object for each group: one with sales as the group identifier, another for RD and a third for management. The no command clears the setting.

[no] server host ldap_server
    Enter the IP address (in dotted decimal notation) or the domain name of an LDAP server to add to this group. The no command clears this setting.

[no] server password password
    Sets the bind password (up to 15 characters). The no command clears this setting.

[no] server port port_no
    Sets the LDAP port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.

[no] server search-time-limit time
    Sets the search timeout period (in seconds). Enter a number between 1 and 300. The no comma
463. oE/PPTP interfaces your ZyWALL model supports.

The following table describes the commands available for DNS. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 169 Command Summary: DNS

[no] ip dns server a-record fqdn w.x.y.z
    Sets an A record that specifies the mapping of a fully qualified domain name (FQDN) to an IP address. The no command deletes an A record.

ip dns server cache-flush
    Clears the DNS

Table 169 Command Summary: DNS (continued)

[no] ip dns server mx-record domain_name {w.x.y.z|fqdn}
    Sets an MX record that specifies a mail server that is responsible for handling the mail for a particular domain. The no command deletes an MX record.

ip dns server rule {<1..32>|append|insert <1..32>} access-group {ALL|address_object} zone {ALL|address_object} action {accept|deny}
    Sets a service control rule for DNS requests.

ip dns server rule move <1..32> to <1..32>
    Changes the number of a service control rule.

[no] ip dns server zone-forwarder {<1..32>|append|insert <1..32>} {domain_zone_name|*} interface interface_name
    Sets a domain zone forwarder record that specifies a fully qualified domain name. You can also use a star (*) if all domain zones are served by the
464. 
39.2.4 Configuration File Flow at Restart  302
39.3 File Manager Commands Input Values  302
39.4 File Manager Commands Summary  303
39.5 File Manager Command Examples  304
39.6 FTP File Transfer  304
39.6.1 Command Line FTP File Upload  304
39.6.2 Command Line FTP Configuration File Upload Example  305
39.6.3 Command Line FTP File Download  305
39.6.4 Command Line FTP Configuration File Download Example  306
39.8 Notification of a Damaged Recovery Image or Firmware  307
39.11 Restoring the Default System Database  312
39.11.1 Using the atkz -u Debug Command  314
Chapter 40  317
40.1 Log Commands Summary  317
40.1.1 Log Entries Commands  318
40.1.2 System Log Commands  318
40.1.3 Debug Log Commands  319
40.1.5 Console Port Logging Commands  322
Chapter 41
466. 
show bwm usage policy-route policy_number interface interface_name  103
show ca category {local|remote} name certificate_name format {text|pem}  262
show ca category {local|remote} name certificate_name certpath  262
show ca spaceusage  262
show clock date  282
show clock status  282
467. om knowing internal IP addresses.

13.2 HTTP Redirect Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 61 Input Values for HTTP Redirect Commands

description
    The name to identify the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

interface_name
    The name of the interface.
    Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1~N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and lower models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
    virtual interface on top of Ethernet interface: add a colon (:) and the number of the virtual interface. For example, gex:y, x = 1~N, y = 1~4.
    VLAN interface: vlanx, x = 0~4094.
    virtual interface on top of VLAN interface: vlanx:y, x = 0~4094, y = 1~4.
    bridge interface: brx, x = 0~N, where N depends on the number of bridge interfaces your ZyWALL model supports.
    virtual interface on top of bridge interface: brx:y, x = the number of the bridge interface, y = 1~4.
    PPPoE/PPTP interface: pppx, x = 0~N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.

The follo
468. ommand deactivates the specified condition.

[no] authentication {force|required}
    Select the authentication requirement for users when their traffic matches this policy. The no command means user authentication is not required.
    force: Users need to be authenticated, and the ZyWALL automatically displays the login screen when users who have not logged in yet try to send HTTP traffic.
    required: Users need to be authenticated. They must manually go to the login screen. The ZyWALL will not redirect them to the login screen.

[no] description description
    Sets the description for the specified condition. The no command clears the description.
    description: You can use alphanumeric and _ characters, and it can be up to 60 characters long.

[no] destination {address_object|group_name}
    Sets the destination criteria for the specified condition. The no command removes the destination criteria, making the condition effective for all destinations.

[no] eps <1..8> eps_object_name
    Associates the specified End Point Security (EPS) object with the specified condition. The ZyWALL checks authenticated users' computers against the condition's endpoint security objects in the order of 1 to 8. You have to configure order 1 and then the others (if any). The no command removes the specified EPS object's association with the condition. To apply EPS for this condition, you have to also make sure you enable EPS and set authentica
469. on if you use the CLI to set up a virtual interface.

Table 12 Ethernet, VLAN, Bridge, PPP, and Virtual Interface Characteristics (ZyWALL USG 200 and Below Models)

CHARACTERISTICS           ETHERNET   ETHERNET     ETHERNET            VLAN    BRIDGE   PPP    VIRTUAL
Name                      opt        wan1, wan2   lan1, ext-wlan,     vlanx   brx      pppx
                                                  dmz
Configurable Zone         Yes        No           No                  Yes     Yes      No     No
IP Address Assignment
  Static IP address       Yes        Yes          Yes                 Yes     Yes      Yes    Yes
  DHCP client             Yes        Yes          No                  Yes     Yes      Yes    No
  Routing metric          Yes        Yes          Yes                 Yes     Yes      Yes    Yes
Interface Parameters
  Bandwidth restrictions  Yes        Yes          Yes                 Yes     Yes      Yes    Yes
  Packet size (MTU)       Yes        Yes          Yes                 Yes     Yes      Yes    No
  Data size (MSS)         Yes        Yes          Yes                 Yes     Yes      Yes    No
DHCP
  DHCP server             Yes        No           Yes                 Yes     Yes      No     No
  DHCP relay              Yes        No           Yes                 Yes     Yes      No     No
Connectivity Check        Yes        Yes          No                  Yes     Yes      Yes    No

Each name consists of 2-4 letters (interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface. For VLAN interfaces, x is defined by the number you enter in the VLAN name field. For example, Ethernet interface names are wan1, wan2
470. on objects.

18.1.2 SSL Access Policy Limitations

You cannot delete an object that is used by an SSL access policy. To delete the object, you must first unassociate the object from the SSL access policy.

18.2 SSL VPN Commands

The following table describes the values required for some SSL VPN commands. Other values are discussed with the corresponding commands.

Table 77 Input Values for SSL VPN Commands

profile_name
    The descriptive name of an SSL VPN access policy. You may use up to 31 characters (a-z, A-Z, 0-9) with no spaces allowed.

address_object
    The name of an IP address group object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

application_object
    The name of an SSL application object. You may use up to 31 characters (0-9, a-z, A-Z). No spaces are allowed.

user_name
    The name of a user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

eps_profile_name
    The name of an endpoint security object.

The following sections list the SSL VPN commands.

18.2.1 SSL VPN Commands T
471. (config)# sslvpn policy SSL_VPN_TEST
Router(policy SSL_VPN_TEST)# activate
Router(policy SSL_VPN_TEST)# user tester
Router(policy SSL_VPN_TEST)# network-extension activate
Router(policy SSL_VPN_TEST)# network-extension ip-pool IP_POOL
Router(policy SSL_VPN_TEST)# network-extension 1st-dns DNS1
Router(policy SSL_VPN_TEST)# network-extension 2nd-dns DNS2
Router(policy SSL_VPN_TEST)# network-extension network NETWORK1
Router(policy SSL_VPN_TEST)# eps activate
Router(policy SSL_VPN_TEST)# eps 1 EPS_1
Router(policy SSL_VPN_TEST)# exit

6 Displays the SSL VPN rule settings.

Router(config)# show sslvpn policy SSL_VPN_TEST
index: 1
  active: yes
  name: SSL_VPN_TEST
  description:
  user: tester
  ip pool: IP_POOL
  dns server 1: DNS1
  dns server 2: DNS2
  wins server 1: none
  wins server 2: none
  network: NETWORK1
  cache clean: no
  eps periodical check activation: no
  eps activation: yes
  eps: EPS_1
  reference count: 0
  ssl application: none
  network extension: yes

19 L2TP VPN

This chapter explains how to set up and maintain L2TP VPNs in the ZyWALL.

19.1 L2TP VPN Overview

L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers' operating systems to secu
472. onships Between Interfaces

In the ZyWALL, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports or port groups. The relationships between interfaces are explained in the following table.

Table 14 Relationships Between Different Types of Interfaces

INTERFACE                                           REQUIRED PORT / INTERFACE
auxiliary interface                                 auxiliary port
port group                                          physical port
Ethernet interface                                  physical port, port group
VLAN interface                                      Ethernet interface
bridge interface                                    Ethernet interface, WLAN interface, VLAN interface
PPPoE/PPTP interface (ZyWALL USG 300 and above)     Ethernet interface, VLAN interface, bridge interface
PPPoE/PPTP interface (ZyWALL USG 200 and below)     WAN1, WAN2, OPT
virtual interface (virtual Ethernet interface,      Ethernet interface, VLAN interface, bridge interface
  virtual VLAN interface, virtual bridge interface)
trunk                                               Ethernet interface, cellular interface, VLAN interface,
                                                    bridge interface, PPPoE/PPTP interface, auxiliary interface

You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPPoE/PPTP interface on top of it.
473. ontent. You can create different content filtering policies for different addresses, schedules, users or groups and content filtering profiles. For example, you can configure one policy that blocks John Doe's access to arts and entertainment web pages during the workday and another policy that lets him access them after work.

23.2 Content Filtering Policies

A content filtering policy allows you to do the following:
- Use schedule objects to define when to apply a content filtering profile.
- Use address and/or user/group objects to define to whose web access to apply the content filtering profile.
- Apply a content filtering profile that you have custom-tailored.

23.3 External Web Filtering Service

When you register for and enable the external web filtering service, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block, block and/or log access to web sites based on these categories.

23.4 Content Filtering Reports

See the web configurator User's Guide to see how to view content filtering reports after you have activated the category-based content filtering subscription service.

23.5 Content Filter Command Input Values

The following table explains the values you can input with the content filter commands.

Table 111 Content Filter Command Input Values

policy_numbe
474. opia
070 Falkland Islands (Malvinas)
071 Faroe Islands
072 Fiji
073 Finland
074 France
075 France, Metropolitan
076 French Guiana
077 French Polynesia
078 French Southern Territories
079 Gabon
080 Gambia
081 Georgia
082 Germany
083 Ghana
084 Gibraltar
085 Great Britain
086 Greece
087 Greenland
088 Grenada
089 Guadeloupe
090 Guam
091 Guatemala
092 Guernsey
093 Guinea
094 Guinea-Bissau
095 Guyana
096 Haiti
097 Heard and McDonald Islands
098 Holy See (Vatican City State)
099 Honduras
100 Hong Kong
101 Hungary
102 Iceland
103 India
104 Indonesia
105 Ireland
106 Isle of Man
107 Italy
108 Jamaica
109 Japan
110 Jersey
111 Jordan
112 Kazakhstan
113 Kenya
114 Kiribati
115 Korea, Republic of
116 Kuwait
117 Kyrgyzstan
118 Lao People's Democratic Republic

Table 10 Country Codes (continued)
119 Latvia
120 Lebanon
121 Lesotho
122 Liberia
123 Liechtenstein
124 Lithuania
125 Luxembourg
126 Macau
127 Macedonia (Former Yugoslav Republic)
128 Madagascar
129 Malawi
130 Malaysia
131 Maldives
132 Mali
133 Malta
134 Marshall Islands
135 Martinique
136 Mauritania
137 Mauritius
138 Mayotte
139 Mexico
140 Micronesia, Federal State of
141 Moldova, Republic of
142 Mona
475. opt, lan1, ext-wlan, dmz. VLAN interfaces are vlan0, vlan1, vlan2, and so on. The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface wan1 are called wan1:1, wan1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon in the web configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface.

Table 13 Cellular and WLAN Interface Characteristics

CHARACTERISTICS           CELLULAR    WLAN
Name                      cellularx   wlan-x-x
Configurable Zone         Yes         Yes
IP Address Assignment
  Static IP address       Yes         Yes
  DHCP client             Yes         No
  Routing metric          Yes         No
Interface Parameters
  Bandwidth restrictions  Yes         Yes
  Packet size (MTU)       Yes         Yes
  Data size (MSS)         Yes         Yes
DHCP
  DHCP server             No          Yes
  DHCP relay              No          Yes
Connectivity Check        Yes         No

Each name consists of letters (interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface. For WLAN interfaces, the first number identifies the slot and the second number identifies the individual interface. Cellular interfaces can be added to the WAN zone or no zone.

6.1.2 Relati
476. or ZyXEL anti-virus trial service subscription ({kav|zav}).

service-register service-type trial av-engine {kav|zav}
    Changes from one anti-virus engine to the other.

show device-register status
    Displays whether the device is registered and account information.

show service-register reseller-info
    Displays your reseller's information that you entered when registering.

show service-register server-type
    Displays the type of the registration server to which your ZyWALL is connected.

show service-register status {all|idp|av|sslvpn|sslvpn-status}
    Displays service license information.

show service-register status content-filter {bluecoat|commtouch}
    Displays BlueCoat or Commtouch service license information.

show service-register content-filter engine
    Displays which external web filtering service the ZyWALL is set to use for content filtering.

service-register content-filter engine {bluecoat|commtouch}
    Sets whether the ZyWALL uses BlueCoat or Commtouch for content filtering.

service-register service-type trial service as
    Activates the Anti-Spam trial service subscription.

show service-register status as
    Displays whether the Anti-Spam service is registered and account information.

debug service-register erase service as
    Removes the ZyWALL's Anti-Spam service registration.

5.2.1 Command Examples

The following commands allow you to register your device with an
477. 
ip dns server zone-forwarder move <1..32> to <1..32>  284
ip ftp server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}  284
ip ftp server rule move rule_number to rule_number  291
ip http secure-server cipher-suite {cipher_algorithm} [cipher_algorithm] [cipher_algorithm]  287
ip http secure-server table {admin|user} rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}  287
ip http secure-server table {admin|user} rule move rule_number to rule_number  287
ip http server table {admin|user} rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}  287
ip http server table {admin|user} rule move rule_number to rule_number  287
ip http-redirect activate description  124
ip http-redirect deactivate description  124
ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535>  124
ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535> deactivate  124
478. oute's outgoing packets.
    Sets how the ZyWALL handles the DSCP value of the outgoing packets that match this route. Set this to default to have the ZyWALL set the DSCP value of the packets to 0. Set this to an af class (including af11~af13, af21~af23, af31~af33 and af41~af43), which stands for Assured Forwarding. The number following the af identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 104 for more details.

no dscp-marking
    Use this command to have the ZyWALL not modify the DSCP value of the route's outgoing packets.

exit
    Leaves the sub-command mode.

[no] interface interface_name
    Sets the interface on which the incoming packets are received. The no command resets the incoming interface to the default (any). any means all interfaces.

[no] next-hop {auto|gateway address_object|interface interface_name|trunk trunk_name|tunnel tunnel_name}
    Sets the next hop to which the matched packets are routed. The no command resets next hop settings to the default (auto).

[no] schedule schedule_object
    Sets the schedule. The no command removes the schedule setting to the default (none). none means any time.

[no] service {service_name|any}
    Sets the IP protocol. The no command resets service settings to the default (any). any means all services.

[no] snat {outgoing-interface|pool address_object}
    Sets the source IP address of the matched packets
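The dscp, dscp class and dscp-marking sub-commands above (and the IPv6 policy6 table earlier) match incoming packets on their DSCP value or AF class and optionally rewrite it on the way out. The following Python is an added example, not ZyXEL code: it models the criterion parser, first-match route selection and marking. The AF code points follow the standard Assured Forwarding layout (AFxy = 8*x + 2*y, RFC 2597), which the guide refers to but does not tabulate.

```python
"""DSCP matching and marking as described for ZyWALL policy routes.

Added example, not ZyXEL code. The af class -> code point mapping below is the
standard RFC 2597 layout; the guide itself only names the classes.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Assured Forwarding: class x in 1..4, drop precedence y in 1..3, AFxy = 8x + 2y.
AF_CLASSES: Dict[str, int] = {
    f"af{cls}{drop}": 8 * cls + 2 * drop
    for cls in range(1, 5)
    for drop in range(1, 4)
}
# Reverse lookup: code point -> class name. DSCP 0 is the "default" class.
CLASS_OF_DSCP: Dict[int, str] = {cp: name for name, cp in AF_CLASSES.items()}
CLASS_OF_DSCP[0] = "default"


def dscp_from_tos(tos_byte: int) -> int:
    """DSCP is the upper six bits of the IPv4 TOS / IPv6 traffic-class byte."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("TOS byte out of range")
    return tos_byte >> 2


def parse_dscp_criterion(tokens: List[str]) -> Union[str, int]:
    """Parse the arguments of 'dscp {any|<0..63>}' or 'dscp class {default|afxy}'.

    Returns 'any', an int code point, or a class name; anything the command
    tables do not allow raises ValueError.
    """
    if tokens == ["any"]:
        return "any"
    if len(tokens) == 1 and tokens[0].isdigit():
        cp = int(tokens[0])
        if not 0 <= cp <= 63:
            raise ValueError(f"DSCP code point {cp} outside 0..63")
        return cp
    if len(tokens) == 2 and tokens[0] == "class":
        name = tokens[1].lower()
        if name == "default" or name in AF_CLASSES:
            return name
    raise ValueError(f"invalid dscp criterion: {' '.join(tokens)}")


@dataclass(frozen=True)
class PolicyRoute:
    match: Union[str, int]          # 'any', 0..63, 'default' or an AF class name
    marking: Optional[str] = None   # None = 'no dscp-marking'; else 'default' or AF class

    def matches(self, dscp: int) -> bool:
        """Does an incoming packet with this DSCP satisfy the route's criterion?"""
        if self.match == "any":
            return True
        if isinstance(self.match, int):
            return dscp == self.match
        # Class match: 'default' means DSCP 0; an AF class means its exact code point.
        return CLASS_OF_DSCP.get(dscp) == self.match

    def mark(self, dscp: int) -> int:
        """DSCP carried by the outgoing packet after dscp-marking is applied."""
        if self.marking is None:
            return dscp
        if self.marking == "default":
            return 0
        return AF_CLASSES[self.marking]


def route_packet(routes: List[PolicyRoute], tos_byte: int) -> Tuple[Optional[int], int]:
    """First match over an ordered route list: (index of winning route, outgoing DSCP)."""
    dscp = dscp_from_tos(tos_byte)
    for idx, route in enumerate(routes):
        if route.matches(dscp):
            return idx, route.mark(dscp)
    return None, dscp
```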
479. ower models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT, and WAN.

ip ftp server rule move rule_number to rule_number
    Changes the index number of a service control rule.

no ip ftp server rule rule_number
    Deletes a service control rule for FTP service.

show ip ftp server status
    Displays FTP settings.

38.7.2 FTP Commands Examples

This command sets a service control rule that allows the computers with the IP addresses matching the specified address object to access the specified zone using FTP service.

Router# configure terminal
Router(config)# ip ftp server rule 4 access-group Sales zone WAN action accept

This command displays FTP settings.

Router# configure terminal
Router(config)# show ip ftp server status
active          : yes
port            : 21
certificate     : default
TLS             : no
service control :
No.  Zone  Address  Action

38.8 SNMP

Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1) and version two (SNMPv2c).

38.8.1 Supported MIBs

The ZyWALL supports MIB II that is defined in RFC-1213 and RFC-1215. The ZyWALL also supports private MIBs (zywall
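The FTP example above, like the DNS and HTTP service control tables, builds an ordered list of numbered rules (access-group, zone, accept/deny) that is evaluated first match, with append/insert/move/delete renumbering the list. The following Python is an added example, not ZyXEL code: it models that table and shows how a move that puts a catch-all deny in front of the Sales rule silently shadows it. Address objects are modelled as lists of IPv4 networks and the "Sales" object, the rule set and the client addresses are constructed here; how the ZyWALL treats gaps in rule numbers is an assumption noted in the code.

```python
"""Service-control rule table in the shape of the ZyWALL's
'ip {ftp|dns|http} server rule' commands. Added example, not ZyXEL code."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_RULES = 32  # the DNS table numbers its service-control rules 1..32


@dataclass(frozen=True)
class Rule:
    access_group: str  # address object name, or "ALL"
    zone: str          # zone name, or "ALL"
    action: str        # "accept" or "deny"

    def __post_init__(self) -> None:
        if self.action not in ("accept", "deny"):
            raise ValueError(f"action must be accept or deny, got {self.action!r}")


class ServiceControl:
    """Ordered, 1-based rule table for one service (FTP, DNS, HTTP, ...)."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def _check_index(self, number: int, allow_end: bool = False) -> None:
        upper = len(self.rules) + (1 if allow_end else 0)
        if not 1 <= number <= min(upper, MAX_RULES):
            raise IndexError(f"rule number {number} out of range")

    def set_rule(self, number: int, rule: Rule) -> None:
        """'rule <n> ...': overwrite rule n, or create it when n is the next free
        slot. Rejecting gaps is an assumption; the guide does not say."""
        self._check_index(number, allow_end=True)
        if number == len(self.rules) + 1:
            self.rules.append(rule)
        else:
            self.rules[number - 1] = rule

    def append(self, rule: Rule) -> None:
        """'rule append ...': add after the last rule."""
        if len(self.rules) >= MAX_RULES:
            raise IndexError("rule table full")
        self.rules.append(rule)

    def insert(self, number: int, rule: Rule) -> None:
        """'rule insert <n> ...': the new rule becomes n; later rules shift down."""
        if len(self.rules) >= MAX_RULES:
            raise IndexError("rule table full")
        self._check_index(number, allow_end=True)
        self.rules.insert(number - 1, rule)

    def move(self, src: int, dst: int) -> None:
        """'rule move <src> to <dst>': renumber one rule; the others close the gap."""
        self._check_index(src)
        self._check_index(dst)
        rule = self.rules.pop(src - 1)
        self.rules.insert(dst - 1, rule)

    def delete(self, number: int) -> None:
        """'no ... rule <n>': remove a rule; later rules shift up."""
        self._check_index(number)
        del self.rules[number - 1]

    def evaluate(self, src_ip: str, zone: str,
                 address_objects: Dict[str, List[str]]) -> Optional[str]:
        """First matching rule decides. None means no rule matched at all."""
        ip = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if rule.zone not in ("ALL", zone):
                continue
            if rule.access_group != "ALL":
                nets = address_objects.get(rule.access_group, [])
                if not any(ip in ipaddress.ip_network(n) for n in nets):
                    continue
            return rule.action
        return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario mirroring the FTP example: Sales may use FTP from WAN."""
    objects = {"Sales": ["10.1.1.0/24"]}  # constructed address object
    table = ServiceControl()
    # like: ip ftp server rule 1 access-group Sales zone WAN action accept
    table.set_rule(1, Rule("Sales", "WAN", "accept"))
    table.append(Rule("ALL", "ALL", "deny"))  # catch-all
    results = {
        "sales_wan": table.evaluate("10.1.1.5", "WAN", objects),
        "sales_lan": table.evaluate("10.1.1.5", "LAN1", objects),
        "other_wan": table.evaluate("192.0.2.9", "WAN", objects),
    }
    table.move(2, 1)  # deny-all is now rule 1: the accept rule is shadowed
    results["sales_wan_after_move"] = table.evaluate("10.1.1.5", "WAN", objects)
    return results
```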
480. page

show login-page settings
    Lists the current login page settings.

show logo settings
    Lists the current logo, background, banner, and floor line (below the banner) settings.

show page-customization
    Lists whether the ZyWALL is set to use custom login and access pages or the default ones.

37.3 Host Name Commands

The following table describes the commands available for the hostname and domain name. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 165 Command Summary: Host Name

[no] domainname domain_name
    Sets the domain name. The no command removes the domain name.
    domain_name: This name can be up to 254 alphanumeric characters long. Spaces are not allowed, but dashes (-) and underscores (_) are accepted.

[no] hostname hostname
    Sets a descriptive name to identify your ZyWALL. The no command removes the host name.

show fqdn
    Displays the fully qualified domain name.

37.4 Time and Date

For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL's Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server.

37.4.1 Date/Time Commands

The following table describes the comma
481. pass {ip-reputation|mail-content|virus-outbreak}
    Have the ZyWALL not check mail's IP reputation, content, or for viruses.

show
    Displays the details of the anti-spam rule you are configuring.

anti-spam rule move rule_number to rule_number
    Moves a direction-specific anti-spam rule to the number that you specified.

anti-spam rule delete rule_number
    Removes a direction-specific anti-spam rule.

show anti-spam rule [rule_number]
    Displays the details of all the configured anti-spam rules or a specific anti-spam rule.

[no] anti-spam {smtp|pop3} defaultport port_number
    Specify a custom SMTP or POP3 TCP port to check.

Table 118 Commands for Zone to Zone Anti-Spam Rules (continued)

show anti-spam {smtp|pop3} defaultport
    Display the SMTP or POP3 TCP ports the ZyWALL checks for spam.

[no] anti-spam ip-reputation activate
    Set whether or not to use IP reputation to identify spam by the sender's IP address.

anti-spam ip-reputation query-timeout time timeout
    Set how many seconds the ZyWALL waits for a reply when checking the IP reputation of a sender's IP address.

show anti-spam ip-reputation query-timeout time
    Display how many seconds the ZyWALL waits for a reply when checking the IP reputation of a sender's IP address.

[no] anti-spam ip-reputation private-check activate
    Set
482. pe server xauth method client name username password password  144
no address6-object object_name interface gateway_interface {slaac|static} addr_index  238
signature anomaly system-protect activate  182
signature anomaly system-protect deactivate  182
aaa authentication rename profile_name_old profile_name_new  255
aaa group server ad rename group_name group_name
aaa group server ldap rename group_name group_name  252
aaa group server radius rename group_name_old group_name_new  293
483. pecifies a description for the DHCP pool for identification. The no command removes the description.

[no] domain-name domain_name
    Specifies the domain name assigned to DHCP clients. The no command clears this field.

Table 17 interface Commands: DHCP Settings (continued)

[no] starting-address ip pool-size <1..65535>
    Sets the IP start address and maximum pool size of the specified DHCP pool. The final pool size is limited by the subnet mask. Note: You must specify the network number first, and the start address must be in the same subnet. The no command clears the IP start address and maximum pool size.

[no] first-dns-server {ip|interface_name {1st-dns|2nd-dns|3rd-dns}|ZyWALL}
    Sets the first DNS server to the specified IP address, the specified interface's first, second, or third DNS server, or the ZyWALL itself. The no command resets the setting to its default value.

[no] second-dns-server {ip|interface_name {1st-dns|2nd-dns|3rd-dns}|ZyWALL}
    Sets the second DNS server to the specified IP address, the specified interface's first, second, or third DNS server, or the ZyWALL itself. The no command resets the setting to its default value.

[no] third-dns-server {ip|interface_name {1st-dns|2nd-dns|3rd-dns}|ZyWALL}
    Sets the third DNS server to the specified IP address, the specified interface's f
484. pn policy profile_name
    Deletes the specified SSL VPN access policy.

sslvpn policy rename profile_name profile_name
    Renames the specified SSL VPN access policy.

show workspace application
    Displays the SSL VPN resources available to each user when logged into SSL VPN.

show workspace cifs
    Displays the shared folders available to each user when logged into SSL VPN.

18.2.2 Setting an SSL VPN Rule Tutorial

Here is an example SSL VPN configuration. The SSL VPN rule defines:
- Only users using the tester account can use the SSL VPN.
- The ZyWALL will assign an IP address from 192.168.100.1 to 192.168.100.10 (defined in object IP_POOL) to the computers which match the rule's criteria.
- The ZyWALL will assign two DNS server settings (172.16.1.1 and 172.16.1.2, defined in objects DNS1 and DNS2) to the computers which match the rule's criteria.
- The SSL VPN users are allowed to access the ZyWALL's local network, 172.16.10.0/24 (defined in object Network1).
- Users have to access the SSL VPN using a computer that complies with all the following criteria (defined in object EPS_1): Windows XP is installed; TrendMicro PC-cillin Internet Security 2007 is installed and activated.

1 First of all, configure 10.1.1.254/24 for the IP address of interface ge2, which is an external interface for public SSL VPN to access. Configure 172.16.10.254/24 for the IP address of interface ge3, whic
485. [Alphabetical List of Commands, fragment; the entries are OCR-garbled and only the following are legible]
ZyWALL ZLD CLI Reference Guide, List of Commands (Alphabetical)
inbound dscp-mark <0..63> class default dscp-class [illegible] 168
interface [illegible] 95
interface [illegible] 101
interface [illegible] 102
interface [illegible] 112
486. ption Setting Command Example
The following example configures the DHCP_TEST pool with a SIP server (code 120) extended DHCP option with one IP address to provide to the SIP clients:
Router# configure terminal
Router(config)# ip dhcp pool DHCP_TEST
Router(config-ip-dhcp-pool)# dhcp-option 120 sip ip 192.168.1.20
Router(config-ip-dhcp-pool)# exit
Chapter 6 Interfaces, 6.2.3 Interface Parameter Command Examples
This table shows an example of each interface type's sub-commands. The sub-commands vary for different interface types.
Table 18 Examples for Different Interface Parameters (the three-column layout is flattened in the source; sub-commands are listed per interface type)
ETHERNET (Router(config)# interface wan1, prompt Router(config-if-wan1)#): description, downstream, exit, ip, ipv6, mac, mss, mtu, no, ping-check, shutdown, traffic-prioritize, type, upstream, use-defined-mac
VIRTUAL INTERFACE (Router(config)# interface wan1:1, prompt Router(config-if-vir)#): description, downstream, exit, ip, no, shutdown, upstream
PPPOE/PPTP (Router(config)# interface wan1_ppp, prompt Router(config-if-ppp)#): account, bind, connectivity, description, downstream, exit, ipv6, local-address, metric, mss, mtu, no, ping-check, remote-address, shutdown, traffic-prioritize, upstream
CELLULAR (Router(config)# interface cellular1, prompt Router(config-if-cellular)#): account, band, d
WLAN (Router(config)# interface wlan-1-1, prompt Router(config-if-wlan)#): block-intra, (list truncated in source)
VLAN (Router(config)# interface vlan1, prompt Router(config-if-vlan)#): description, (list truncated in source)
487. put values are discussed with the corresponding commands.
Table 43 Input Values for General Policy Route Commands. LABEL / DESCRIPTION:
address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
address6_object: The name of the IPv6 address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
interface_name: The name of the interface.
- Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1~N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and lower models use a name such as wan1, wan2, opt, lan1, ext-wlan or dmz.
- Virtual interface on top of an Ethernet interface: add a colon (:) and the number of the virtual interface. For example, gex:y, x = 1~N, y = 1~4.
- VLAN interface: vlanx, x = 0~4094.
- Virtual interface on top of a VLAN interface: vlanx:y, x = 0~4094, y = 1~12.
- Bridge interface: brx, x = 0~N, where N depends on the number of bridge interfaces your ZyWALL model supports.
- Virtual interface on top of a bridge interface: brx:y, x = the number of the bridge interface, y = 1~4.
- PPPoE/PPTP interface: pppx, x = 0~N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model support
488. [Alphabetical List of Commands, content-filter entries; OCR-garbled parts are marked illegible]
no content-filter block message <message> 202
no content-filter block redirect <redirect_url> 202
no content-filter [illegible] 202
no content-filter license [illegible] 202
no content-filter [illegible] 203
no content-filter policy <policy_number> <address> <schedule> <filtering_profile> 202
no content-filter profile <filtering_profile> 203
no content-filter profile <filtering_profile> commtouch-url category <category_name> 205
no content-filter profile <filtering_profile> custom [illegible] 203
no content-filter profile <filtering_profile> custom [illegible] 203
no content-filter profile <filtering_profile> custom cookie 203
no content-filter profile <filtering_profile> custom java 203
no content-filter profile <filtering_profile> custom [illegible] 204
no content-filter profile <filtering_profile> custom trust allow-features 204
no content-filter profile <filtering_profile> custom trust-only [illegible] 204
no content-filter profile <filtering_profile> url
489. r _ (preceding entry truncated)
encryption key: 16-64 hexadecimal values prefixed with 0x or 0X; or 8-32 alphanumeric or punctuation characters (the permitted punctuation list is garbled in the source)
file name: 0-31 alphanumeric or _-
filter extension: 1-256 alphanumeric, spaces, or _-
fqdn: Used in ip dns server: 0-252 alphanumeric or .-; first character alphanumeric or -. Used in ip ddns, time server, device HA, VPN, certificates, and interface ping-check: 0-254 alphanumeric or .-; first character alphanumeric or -
full file name: 0-256 alphanumeric or _-/
hostname: Used in the hostname command: 0-63 alphanumeric or _-; first character alphanumeric or -. Used in other commands: 0-252 alphanumeric or .-; first character alphanumeric or -
import configuration file: 1-26 alphanumeric or punctuation characters (list garbled in source) plus .conf; add .conf at the end
import shell script: 1-264 alphanumeric or punctuation characters (list garbled in source) plus .zysh; add .zysh at the end
initial string: 1-64 alphanumeric, spaces, or punctuation characters (list garbled in source)
isp account password: 0-63 alphanumeric or punctuation characters (list garbled in source)
isp account username: 0-30 alphanumeric or _-
ipv6_addr: An IPv6 address. The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. IPv6 addresses can be abbreviated in two ways. Leading zeros in a block can be omitted, so 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be w
490. r. Set it to zero to set unlimited reauthorization time. The no command sets the reauthorization time to thirty minutes, regardless of the current default setting for new users.
26.2.2 User Group Commands
This table lists the commands for groups.
Table 134 username/groupname Commands Summary: Groups. COMMAND / DESCRIPTION:
show groupname [<groupname>]: Displays information about the specified user group or about all user groups set up in the ZyWALL.
[no] groupname <groupname>: Creates the specified user group if necessary and enters sub-command mode. The no command deletes the specified user group.
[no] description <description>: Sets the description for the specified user group. The no command clears the description for the specified user group.
[no] groupname <groupname>: Adds the specified user group (second groupname) to the specified user group (first groupname).
[no] user <username>: Adds the specified user to the specified user group.
show: Displays information about the specified user group.
groupname rename <groupname> <groupname>: Renames the specified user group (first groupname) to the specified group name (second groupname).
26.2.3 User Setting Commands
This table lists the commands for user settings, except for forcing user authentication.
Table 135 username/groupname Commands Summary: Settings. COMMAND / DESCRIPTION:
show users default-setting {all | ext-gro
491. r. This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL, like the Internet. The deactivate command disables the virtual server rule.
ip virtual-server {activate | deactivate} <profile_name>: Activates or deactivates the specified virtual server.
ip virtual-server delete <profile_name>: Deletes the specified virtual server.
ip virtual-server flush: Deletes all virtual servers.
ip virtual-server rename <profile_name> <profile_name>: Renames the specified virtual server from the first profile_name to the second profile_name.
12.2.1 Virtual Server Command Examples
The following command creates virtual server WAN_LAN_H323 on the wan1 interface that maps IP address 10.0.0.8 to 192.168.1.56 for TCP protocol traffic on port 1720. It also adds a NAT loopback entry.
Router# configure terminal
Router(config)# ip virtual-server WAN_LAN_H323 interface wan1 original-ip 10.0.0.8 map-to 192.168.1.56 map-type port protocol tcp original-port 1720 mapped-port 1720 nat-loopback
Router(config)#
The following command shows information about all the virtual servers in the ZyWALL (the table layout of the output is flattened in the source; fields appear in this order):
virtual server / active: yes / interface: wan1 / NAT loopback: active / NAT 1:1 / original IP: 10.0.0.8 / mapped IP: 192.168.1.56 / mapping type: port / protocol type: tcp / original service / active: yes, no / mapped service / start port, end port / original start port, original end port, mapped start po
492. r https://; may contain one pound sign (#). Used in other content filtering commands: http://, alphanumeric or punctuation characters (list garbled in source); starts with http://; may contain one pound sign.
user name: Used in VPN extended authentication: 1-31 alphanumeric or _-. Used in other commands: 0-30 alphanumeric or _-; first character letters or _-.
username: 6-20 alphanumeric or _-. Registration user name: 1 alphanumeric or [illegible].
user domainname (logging commands): 1-80 alphanumeric or punctuation characters (list garbled in source).
vrrp group name: less than 15 chars, 1-15 alphanumeric or -.
week-day sequence, i.e. 1~4: 1 = first, 2 = second, and so on.
xauth method: 1-31 alphanumeric or _-.
xauth password: 1-31 alphanumeric or punctuation characters (list garbled in source).
mac address: 0-12 hexadecimal digits, an even number of them; for example aa, aabbcc, aabbccddeeff.
1.8 Ethernet Interfaces
How you specify an Ethernet interface depends on the ZyWALL model.
- For the ZyWALL USG 300 and above, use gex, x = 1~N, where N equals the highest numbered Ethernet interface for your ZyWALL model.
- The ZyWALL USG 200 and below models use a name such as wan1, wan2, opt, lan1, ext-wlan or dmz.
1.9 Saving Configuration Changes
Use the write command to save the current configuration to the ZyWALL.
Note: Always save the changes before you log out after each management session. All unsaved changes will be lost after the system restarts.
493. r, it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values. For example, you could have an attribute named memberOf with values like sales, RD and management. Then you could also create an ext-group-user user object for each group: one with sales as the group identifier, another for RD, and a third for management. The no command clears the setting.
[no] server host <ad_server>: Enter the IP address (in dotted decimal notation) or the domain name of an AD server to add to this group. The no command clears this setting.
[no] server password <password>: Sets the bind password (up to 15 alphanumerical characters). The no command clears this setting.
[no] server port <port_no>: Sets the AD port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
[no] server search-time-limit <time>: Sets the search timeout period (in seconds). Enter a number between 1 and 300. The no command clears this setting and sets it to the default of 5 seconds.
[no] server ssl: Enables the ZyWALL to establish a secure connection to the AD server. The no command disables this feature.
30.2.6 aaa group server ldap Commands
The following table lists the aaa group server ldap commands you use to configure a group of LDAP servers.
Table 151 aaa group server ldap Commands. COMMAND / DESCRIPTION:
clea
494. r: The number of the policy, <0..X>, where X depends on the number of content filtering policies the ZyWALL model supports. See the CLI help for details.
address: The name (up to 63 characters) of an existing address object or group to which the policy should be applied.
schedule: The name (up to 63 characters) of an existing schedule to control when the policy should be applied.
filtering_profile: The filtering profile defines how to filter web URLs or content. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
category_name: The name of a web category: adult/mature content, pornography, sex education, intimate apparel/swimsuit, nudity, alcohol/tobacco, illegal/questionable, gambling, violence/hate/racism, weapons, abortion, hacking, phishing, arts/entertainment, business/economy, alternative spirituality/occult, illegal drugs, education, cultural/charitable organization, financial services, brokerage/trading, online games, government/legal, military, political/activist groups, health, computers/internet, search engines/portals, spyware/malware sources, spyware effects/privacy concerns, job search/careers, news/media, personals/dating, reference, open image/media search, chat/instant messaging, email, blogs/newsgroups, religion, social networking, online storage, remote access tools, shopping, auctions, real estate, society
495. r aaa group server ldap [<group_name>]: Deletes all LDAP server groups or the specified LDAP server group. Note: You can NOT delete a server group that is currently in use.
show aaa group server ldap <group_name>: Displays the specified LDAP server group settings.
[no] aaa group server ldap <group_name>: Sets a descriptive name for an LDAP server group. Use this command to enter the sub-command mode. The no command deletes the specified server group.
aaa group server ldap rename <group_name> <group_name>: Changes the descriptive name for an LDAP server group.
aaa group server ldap <group_name>: Enters the sub-command mode.
Chapter 30 AAA Server, Table 151 aaa group server ldap Commands (continued). COMMAND / DESCRIPTION:
[no] case-sensitive: Specify whether or not the server checks the username case. Set this to be the same as the server's behavior.
[no] server alternative-cn-identifier <uid>: Sets the second type of identifier that the users can use to log in, if any; for example, name or e-mail address. The no command clears this setting.
[no] server basedn <basedn>: Sets the base DN to point to the LDAP directory on the LDAP server group. The no command clears this setting.
[no] server binddn <binddn>: Sets the user name the ZyWALL uses to log into the LDAP server group. The no command clears this setting.
[no] server cn-identifier <uid>: Sets the user name the ZyWALL uses t
496. r computer must have an FTP client.
38.7.1 FTP Commands
The following table describes the commands available for FTP. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 174 Command Summary: FTP. COMMAND / DESCRIPTION:
[no] ip ftp server: Allows FTP access to the ZyWALL. The no command disables FTP access to the ZyWALL.
[no] ip ftp server cert <certificate_name>: Sets a certificate to be used to identify the ZyWALL. The no command resets the certificate used by the FTP server to the factory default.
[no] ip ftp server port <1..65535>: Sets the FTP service port number. The no command resets the FTP service port number to the factory default (21).
[no] ip ftp server tls-required: Allows FTP access over TLS. The no command disables FTP access over TLS.
ip ftp server rule {<rule_number> | append | insert <rule_number>} access-group {ALL | <address_object>} zone {ALL | <zone_object>} action {accept | deny}: Sets a service control rule for FTP service.
address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
zone_object: The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 200 and l
497. r table {admin | user} rule {<rule_number> | append | insert <rule_number>} access-group {ALL | <address_object>} zone {ALL | <zone_object>} action {accept | deny}: Sets a service control rule for HTTP service.
ip http server table {admin | user} rule move <rule_number> to <rule_number>: Changes the number of an HTTP service control rule.
no ip http secure-server table {admin | user} rule <rule_number>: Deletes a service control rule for HTTPS service.
no ip http server table {admin | user} rule <rule_number>: Deletes a service control rule for HTTP service.
show ip http server status: Displays HTTP settings.
show ip http server secure status: Displays HTTPS settings.
Chapter 38 System Remote Management, page 287
38.3.1 HTTP/HTTPS Command Examples
The following example adds a service control rule that allows an administrator on the computers with IP addresses matching the Marketing address object to access the WAN zone using the HTTP service.
Router# configure terminal
Router(config)# ip http server table admin rule append access-group Marketing zone WAN action accept
This command sets an authentication method used by the HTTP/HTTPS server to authenticate the client(s):
Router# configure terminal
Router(config)# ip http authentication Example
The following example sets a certificate named MyCert used by the HTTPS server to authenticate itself to the SSL cli
498. r truncated-address-header} activate: Activates or deactivates icmp decoder options.
icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} log [alert]: Sets icmp decoder log or alert options.
no icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} log: Deactivates icmp decoder log options.
icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} action {drop | reject-sender | reject-receiver | reject-both}: Sets the icmp decoder action.
no icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} action: Deactivates icmp decoder actions.
show idp anomaly profile scan-detection all details: Shows all scan detection settings of the specified IDP profile.
Chapter 22 IDP Commands, Table 103 Editing/Creating Anomaly Profiles (continued). COMMAND / DESCRIPTION:
show idp anomaly profile scan-detection {tcp-portscan | tcp-decoy-portscan | tcp-portsweep | tcp-distributed-portscan | tcp-filtered-portscan | tcp-filtered-decoy-portscan | tcp-filtered-distributed-portscan | tcp-filtered-portsweep} details: Shows selected TCP scan detection settings for the specified IDP profile.
show idp anomaly profile scan-detection {udp-portscan | udp-decoy-portscan | udp-portsweep | udp-distributed-portscan | udp-filtered-portscan
499. racters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
zone_object: The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 200 and lower models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT, and WAN.
ip telnet server rule move <rule_number> to <rule_number>: Changes the index number of a service control rule.
no ip telnet server rule <rule_number>: Deletes a service control rule for Telnet service.
show ip telnet server status: Displays Telnet settings.
38.6.1 Telnet Command Examples
This command sets a service control rule that allows the computers with IP addresses matching the specified address object to access the specified zone using the Telnet service:
Router# configure terminal
Router(config)# ip telnet server rule 11 access-group RD zone LAN action accept
Chapter 38 System Remote Management
This command displays Telnet settings:
Router# configure terminal
Router(config)# show ip telnet server status
active : yes
port : 23
service control:
No. Zone Address Action
Router(config)#
38.7 Configuring FTP
You can upload and download the ZyWALL's firmware and configuration files using FTP. To use this feature, you
500. rely connect to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or VPN client software.
Figure 21 L2TP VPN Overview (diagram: remote user, Internet, L2TP tunnel to the ZyWALL; the image itself is not recoverable from the source)
The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic between two peers over another network (like the Internet). In L2TP VPN, an IPSec VPN tunnel is established first (see Chapter 17 on page 141 for information on IPSec) and then an L2TP tunnel is built inside it.
Note: At the time of writing, the L2TP remote user must have a public IP address in order for L2TP VPN to work; the remote user cannot be behind a NAT router or a firewall.
19.2 IPSec Configuration
You must configure an IPSec VPN connection for L2TP VPN to use (see Chapter 17 on page 141 for details). The IPSec VPN connection must:
- Be enabled.
- Use transport mode.
- Not be a manual key VPN connection.
- Use Pre-Shared Key authentication.
- Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address.
Chapter 19 L2TP VPN, page 157
19.2.1 Using the Default L2TP VPN Connection
Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN. If you use it, edit the following:
- Configure the local and remote policies as follows. For the Local Policy, create an addres
501. rface General Commands: Basic Properties and IP Address Assignment (continued). COMMAND / DESCRIPTION:
nd ra hop-limit: Removes the maximum number of hops setting for router advertisements and all IPv6 packets originating from the interface.
nd ra min-rtr-interval: Removes the minimum IPv6 router advertisement transmission interval setting.
nd ra max-rtr-interval: Removes the maximum IPv6 router advertisement transmission interval setting.
nd ra reachable-time: Sets the amount of time a remote IPv6 node is considered reachable after a reachability confirmation event to the default.
nd ra default-lifetime: Sets the router lifetime value included in all IPv6 router advertisements the interface sends to the default. The router lifetime value should be equal to or greater than the router advertisement interval.
nd ra retrans-timer: Sets the IPv6 router advertisement retransmission interval to the default.
ipv6 address dhcp6_profile dhcp6_suffix-128: Removes the specified setting for having the ZyWALL obtain an IPv6 prefix from the ISP or a connected uplink router for an internal network.
nd ra prefix-advertisement DHCP6_PROFILE DHCP6_SUFFIX-64: Removes the specified setting for using a delegated prefix as the beginning part of the network prefix.
dhcp6: Sets the interface's DHCPv6 setting back to the default.
dhcp6 address-request: Has the ZyWALL not get this interface's IPv6 address from the DHCPv6
502. [Alphabetical List of Commands, h-i entries; OCR-garbled parts are marked illegible and fully illegible entries are omitted]
hardware-address [illegible] 64
hardware-watchdog-timer [illegible] 347
host [illegible] 333
host [illegible] 116
host [illegible] 64
hostname <hostname> 281
http-inspection http-xxx action {drop | reject-sender | reject-receiver | reject-both} 186
http-inspection [illegible] activate 186
icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} [illegible] 186
idp signature [illegible] update [illegible] 195
inbound dscp-mark <0..63> class default dscp-class [illegible] 165
503. ritten as 2001:db8:1a2b:15:0:0:1a2f:0. Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15, or 2001:db8:0:0:1a2f::15.
Chapter 1 Command Line Interface, Table 3 Input Value Formats for Strings in CLI Commands (continued). TAG / VALUES / LEGAL VALUES:
key length: 512, 768, 1024, 1536, 2048
license key: 25 characters (S- followed by upper-case letters or numbers) or 16 upper-case letters or numbers (layout garbled in source)
mac address: aa:bb:cc:dd:ee:ff (hexadecimal)
mail server fqdn: lower-case letters, numbers, or .-
name: 1-31 alphanumeric or _-
notification message: 1-81 alphanumeric, spaces, or punctuation characters (list garbled in source)
password (less than 15 chars): 1-15 alphanumeric or punctuation characters (list garbled in source)
password (less than 8 chars): 1-8 alphanumeric or punctuation characters (list garbled in source)
password: Used in user and ip ddns: 1-63 alphanumeric or punctuation characters (list garbled in source). Used in e-mail log profile SMTP authentication: 1-63 alphanumeric or punctuation characters (list garbled in source). Used in device HA synchronization: 1-63 alphanumeric or _-. Used in registration: 6-20 alphanumeric or _-
phone number
504. rmware upgrade. This section describes how the ZyWALL notifies you of a damaged recovery image or firmware file. Use this section if your device has stopped responding for an extended period of time and you cannot access or ping it. Note that the ZyWALL does not respond while starting up. It takes less than five minutes to start up with the default configuration, but the start-up time increases with the complexity of your configuration.
1. Use a console cable and connect to the ZyWALL via a terminal emulation program (such as HyperTerminal). Your console session displays the ZyWALL's startup messages. If you cannot see any messages, check the terminal emulation program's settings (see Section 1.2.1 on page 20) and restart the ZyWALL.
2. The system startup messages display, followed by "Press any key to enter debug mode within 3 seconds". Note: Do not press any keys at this point. Wait to see what displays next.
Figure 31 System Startup Stopped
BootModule Version: V1.08  05/05/2006 11:42:55
DRAM: Size = 510 Mbytes
DRAM POST: Testing: 522240K OK
DRAM Test SUCCESS
Kernel Version: 2.4.2 KL 2006-05-29  2006-05-29 15:23:46
ZLD Version: Y2W1050_10 DailyBuild New  2006-05-29 15:18:32
3. If the console session displays "Invalid Firmware" or "Invalid Recovery Image", or the console freezes at "Press any key to enter debug mode within 3 seconds" for more than one minute, go to Section 39.9 on page 308 to restore the recovery image.
Fi
505. rom a computer on the ZyWALL's internal network from being forwarded to the WAN network according to a 1:1 NAT or Many 1:1 NAT rule. The no command forwards the matched packets.
[no] description <description>: Sets a descriptive name (up to 60 printable ASCII characters) for a firewall rule. The no command removes the descriptive name from the rule.
[no] destinationip <address_object>: Sets the destination IP address. The no command resets the destination IP address(es) to the default (any). any means all IP addresses.
[no] destinationip6 <address_object>: Sets the destination IPv6 address. The no command resets the destination IP address(es) to the default (any). any means all IP addresses.
[no] from <zone_object>: Sets the zone on which the packets are received. The no command removes the zone on which the packets are received and resets it to the default (any), meaning all interfaces or VPN tunnels.
[no] log [alert]: Sets the ZyWALL to create a log (and optionally an alert) when packets match this rule. The no command sets the ZyWALL not to create a log or alert when packets match this rule.
[no] schedule <schedule_object>: Sets the schedule that the rule uses. The no command removes the schedule settings from the rule.
[no] service <service_name>: Sets the service to which the rule applies. The no command resets the service settings to the default (any). any means all services.
[no] sourceip <address_object>: Sets the source IP a
506. rt / mapped end port (values shown: 1720, 1720)
Router(config)#
Router(config)# show ip virtual-server WAN_LAN_H323
Chapter 12 Virtual Servers
12.2.2 Tutorial: How to Allow Public Access to a Server
This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). You will use a public IP address of 1.1.1.2 on the ge2 (or wan1 on USG 200 and lower models) interface and map it to the HTTP server's private IP address of 192.168.3.7.
Figure 17 Public Server Example Network Topology (diagram: public IP 1.1.1.2 on ge2 mapped to the HTTP server at 192.168.3.7; the image itself is not recoverable from the source)
Follow these steps for the setting:
1. Configure Address objects. Create two address objects. One is named DMZ_HTTP for the HTTP server's private IP address of 192.168.3.7. The other one is named ge2_HTTP for the ge2 (wan1) public IP address of 1.1.1.2.
Router# configure terminal
Router(config)# address-object DMZ_HTTP 192.168.3.7
Router(config)# address-object ge2_HTTP 1.1.1.2
Router(config)#
2. Configure NAT. You need a NAT rule to send HTTP traffic coming to IP address 1.1.1.2 on ge2 (wan1) to the HTTP server's private IP address of 192.168.3.7. Use the following settings:
- This NAT rule is for any HTTP traffic coming in on ge2 (wan1) to IP address 1.1.1.2.
- The NAT rule sends this traffic to the HTTP server's private IP address of 192.168.3.7 (defined in the DMZ_HTTP object).
- HTTP tra
507. [Alphabetical List of Commands, server/service entries; OCR-garbled parts are marked illegible]
server address <server_address> starting [illegible] 267
server [illegible] 267
service-object <object_name> {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>} 244
service-object <object_name> [illegible] 244
service-object <object_name> icmpv6 {<0..255> | neighbor-solicitation | router-advertisement | echo | packet-toobig | router-solicitation | echo-reply | parameter-problem | time-exceeded | neighbor-advertisement | redirect | unreachable} 244
service-object <object_name> protocol [illegible] 244
service-object rename <object_name> <object_name> 244
service [illegible] 46
service-register content-filter engine {bluecoat | commtouch} [illegible] 47
service-register service-type standard license-key <key_value> 47
service-register service-type trial [illegible] 47
service-register service-type trial service {content-filter | idp} [illegible] 37
service-register service-type trial service all [illegible] 47
service-register service-type trial service [illegible]
508. s.
Chapter 8 Route, Table 43 Input Values for General Policy Route Commands (continued). LABEL / DESCRIPTION:
policy_number: The number of a policy route, 1-X, where X is the highest number of policy routes the ZyWALL model supports. See the ZyWALL's User's Guide for details.
schedule_object: The name of the schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
service_name: The name of the service (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
user_name: The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
destv6: The IPv6 route prefix (subnet address) for the destination.
prefix: The IPv6 prefix length, 0-128.
gatewayv6: The IPv6 address of the specified gateway.
ipv6_addr: An IPv6 address.
ipv6_global_address: An IPv6 address excluding the link-local address (fe80::).
ipv6_link_local: An fe80:: IPv6 address.
The following table describes the commands available for policy routes. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table
This value is case-sensitive.
interface_name: The name of the interface.
  Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and lower models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  VLAN interface: vlanx, x = 0..4094.
  Bridge interface: brx, x = 0..N, where N depends on the number of bridge interfaces your ZyWALL model supports.
  PPP interface (PPPoE/PPTP): pppx, x = 0..N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.
map_name: The name of an IPSec SA. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
user_name: The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

The following sections list the L2TP VPN commands.

19 4 1 L2TP VPN Commands

This table lists the commands for L2TP VPN. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 80 L2TP VPN Commands

ipsec policy l2tp over ipsec recover default
  If the default L2TP IPSec policy has been deleted, use this command to recreate it with the default settings.
...with network 10.10.10.0 and subnet mask 255.255.255.0 and with the next-hop interface ge1. Then use the show command to display the setting.

Router(config)# ip route 10.10.10.0 255.255.255.0 ge1
Router(config)#
Router(config)# show ip route settings
Route         Netmask         Nexthop   Metric
10.10.10.0    255.255.255.0   ge1       0

The following commands set and show three examples of static IPv6 routes for traffic destined for IPv6 addresses with prefix 2002::22:22:34/64. The first route sends the traffic out through interface ge2 and uses metric 1. The second sends the traffic to gateway 2001::12:12 and uses metric 2. The third sends the traffic to the fe80::1:2 link-local gateway on interface ge2 and uses metric 2.

Router(config)# ip6 route 2002::22:22:34/64 ge2 1
Router(config)# ip6 route 2002::22:22:34/64 2001::12:12 2
(link-local gateway bound on interface)
Router(config)# ip6 route 2002::22:22:34/64 fe80::1:2 ge2 2
Router(config)# show ip6 route settings
No   Route            Prefix Length   Nexthop        Metric
1    2002::22:22:34   64              2001::12:12    2
2    2002::22:22:34   64              ge2            1

The following command deletes a specific static IPv6 route.

Router(config)# no ip6 route 2002::22:22:34/64 2001::12:12

The following command deletes all static IPv6 routes with the same prefix.

Router(config)# no ip6 route 2002::22:22:34/64

Routing Protocol

This chapter describes how to set up RIP and
...backup ZyWALL is to synchronize.
master_address: The master ZyWALL's IP address or fully qualified domain name (FQDN).
port: The master ZyWALL's FTP port number.

device-ha ap-mode backup sync now
  Synchronize now.
show device-ha ap-mode interfaces
  Displays the device HA AP mode interface settings and status summary.
show device-ha ap-mode next-sync-time
  Displays the next time and date (in hh:mm yyyy-mm-dd format) the ZyWALL will synchronize with the master.
show device-ha ap-mode status
  Displays the ZyWALL's key device HA settings.
show device-ha ap-mode master sync
  Displays the master ZyWALL's synchronization settings.
show device-ha ap-mode backup sync
  Displays the backup ZyWALL's synchronization settings.
show device-ha ap-mode backup sync status
  Displays the backup ZyWALL's current synchronization status.
show device-ha interface_name ap-mode forwarding-port
  If you apply Device HA on a bridge interface on a backup ZyWALL, you can use this command to see which port in the bridge interface is chosen to receive the VRRP packets used to monitor whether the master ZyWALL goes down.
  interface_name: This is a bridge interface. For example, brx.

25 4 2 Active-Passive Mode Device HA Command Example

This example configures a
...command sets a service control rule that allows the computers with IP addresses matching the specified address object to access the specified zone using the SSH service.

Router# configure terminal
Router(config)# ip ssh server rule 2 access-group Marketing zone WAN action accept

This command sets a certificate (Default) to be used to identify the ZyWALL.

Router# configure terminal
Router(config)# ip ssh server cert Default

38 5 Telnet

You can configure your ZyWALL for remote Telnet access.

38 6 Telnet Commands

The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 173 Command Summary: Telnet

[no] ip telnet server
  Allows Telnet access to the ZyWALL CLI. The no command disables Telnet access to the ZyWALL CLI.
[no] ip telnet server port <1..65535>
  Sets the Telnet service port number. The no command resets the Telnet service port number back to the factory default (23).
ip telnet server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny}
  Sets a service control rule for the Telnet service.
  address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric cha
...common input values for the commands for the feature in one or more tables.

1 4 3 Command Summary

This section lists the commands for the feature in one or more tables.

1 4 4 Command Examples (Optional)

This section contains any examples for the commands in this feature.

1 4 5 Command Syntax

The following conventions are used in this User's Guide.
A command or keyword in courier new must be entered literally as shown. Do not abbreviate.
Values that you need to provide are in italics.
Required fields that have multiple choices are enclosed in curly brackets {}.
A range of numbers is enclosed in angle brackets <>.
Optional fields are enclosed in square brackets [].
The | symbol means OR.

For example, look at the following command to create a TCP/UDP service object.

service-object object_name {tcp|udp} {eq <1..65535> | range <1..65535> <1..65535>}

1 Enter service-object exactly as it appears.
2 Enter the name of the object where you see object_name.
3 Enter tcp or udp, depending on the service object you want to create.
4 Finally, do one of the following:
  Enter eq exactly as it appears, followed by a number between 1 and 65535.
  Enter range exactly as it appears, followed by two numbers between 1 and 65535.

1 4 6 Changing the Password

It is highly recommended that you change the password for accessing the ZyWA
...log is not discussed above.
[no] logging console
  Enables the console log. The no command disables the console log.
logging console category module_name level {alert|crit|debug|emerg|error|info|notice|warn}
  Controls whether or not debugging information for the specified priority is displayed in the console log, if logging for this category is enabled.
[no] logging console category module_name
  Enables logging for the specified category in the console log. The no command disables logging.

Reports and Reboot

This chapter provides information about the report-associated commands and how to restart the ZyWALL using commands. It also covers the daily report e-mail feature.

41 1 Report Commands Summary

The following sections list the report, session, and packet size statistics commands.

41 1 1 Report Commands

This table lists the commands for reports.

Table 194 report Commands

[no] report
  Begins data collection. The no command stops data collection.
show report status
  Displays whether or not the ZyWALL is collecting data and how long it has collected data.
clear report [interface_name]
  Clears the report for the specified interface or for all interfaces.
show report [interface_name] {ip|service|url}
  Displays the traffic report for the specified interface and controls the format of the report. Formats are ip (tra
...object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW. Use this address object in the local policy. For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0. Use this address object in the remote policy.

You must also edit the Default_L2TP_VPN_GW gateway entry. Configure the My Address setting according to your requirements. Replace the default Pre-Shared Key.

19 3 Policy Route

You must configure a policy route to let remote users access resources on a network behind the ZyWALL. Set the policy route's Source Address to the address object that you want to allow the remote users to access (LAN_SUBNET in the following figure). Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users (L2TP_POOL in the following figure).

Figure 22 Policy Route for L2TP VPN (figure not reproduced; it shows the L2TP_POOL and LAN_SUBNET address objects)

19 4 L2TP VPN Commands

The following table describes the values required for some L2TP VPN commands. Other values are discussed with the corresponding commands.

Table 79 Input Values for L2TP VPN Commands

address_object: The name of an IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value i
...outgoing traffic to the same one of the public IP addresses that the outside clients use to access the server. The private and public ranges must have the same number of IP addresses. One many 1:1 NAT rule works like multiple 1:1 NAT rules, but it eases the configuration effort since you only create one rule.

12 2 Virtual Server Commands Summary

The following table describes the values required for many virtual server commands. Other values are discussed with the corresponding commands.

Table 59 Input Values for Virtual Server Commands

service_object: The name of a service. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
profile_name: The name of the virtual server. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

The following table lists the virtual server commands.

Table 60 ip virtual-server Commands

show ip virtual-server [profile_name]
  Displays information about the specified virtual server or about all the virtual servers.
no ip virtual-server profile_name
  Deletes the specified virtual server.
ip virtual-server profile_name interface interface_name original-ip {any|ip|ad
...the action for attempted access to web pages if the CommTouch external content filtering database is unavailable: block access, allow and log access, display a warning message before allowing access, or allow access.
content-filter profile filtering_profile commtouch-url unrate {block|log|warn|pass}
  Sets the action for attempted access to web pages that the CommTouch external web filtering service has not categorized: block access, allow and log access, display a warning message before allowing access, or allow access.
no content-filter profile filtering_profile commtouch-url match-unsafe log
  Has the ZyWALL not log attempted access to web pages that match the CommTouch profile's selected unsafe categories.
no content-filter profile filtering_profile commtouch-url match log
  Has the ZyWALL not log attempted access to web pages that match the CommTouch profile's selected managed categories.
no content-filter profile filtering_profile commtouch-url offline log
  Has the ZyWALL not log access to web pages if the CommTouch external content filtering database is unavailable.
no content-filter profile filtering_profile commtouch-url unrate log
  Has the ZyWALL not log access to web pages that the CommTouch external web filtering service has not categorized.
show content-filter profile [filtering_profile]
  Displays the specified content filtering profile's settings or the settings
...the pre-configured default zones that you cannot delete from the ZyWALL.
show zone user-define
  Displays all customized zones.
[no] zone profile_name
  Creates the zone if necessary and enters sub-command mode. The no command deletes the zone.
zone profile_name
  Enter the sub-command mode.
[no] block
  Blocks intra-zone traffic. The no command allows intra-zone traffic.
[no] interface interface_name
  Adds the specified interface to the specified zone. The no command removes the specified interface from the specified zone. See Section 6 2 on page 57 for information about interface names.
[no] crypto profile_name
  Adds the specified IPSec VPN tunnel to the specified zone. The no command removes the specified IPSec VPN tunnel from the specified zone.
[no] sslvpn profile_name
  Adds the specified SSL VPN tunnel to the specified zone. The no command removes the specified SSL VPN tunnel from the specified zone.

10 2 1 Zone Command Examples

The following commands add Ethernet interfaces ge1 and ge2 to zone A and block intra-zone traffic.

Router# configure terminal
Router(config)# zone A
Router(zone)# interface ge1
Router(zone)# interface ge2
Router(zone)# block
Router(zone)# exit
Router(config)# show zone
No.  Name   Block   Member
1    A      yes     ge1,ge2
Router(config)# show zone A
blocking intra-zone traffic: yes
No.  Type        Member
1    interface   ge1
2    interface   ge2
...the specified interface if necessary and enters sub-command mode.

Table 38 interface Commands: Bridge Interfaces (continued)

[no] join interface_name
  Adds the specified Ethernet interface or VLAN interface to the specified bridge. The no command removes the specified interface from the specified bridge.
show bridge available member
  Displays the available interfaces that could be added to a bridge.

6 11 1 Bridge Interface Command Examples

The following commands show you how to set up a bridge interface named br0 with the following parameters: member ge1, IP 1.2.3.4, subnet 255.255.255.0, MTU 598, gateway 2.2.2.2, upstream bandwidth 345, downstream bandwidth 123, and description "I am br0".

Router# configure terminal
Router(config)# interface br0
Router(config-if-brg)# join ge1
Router(config-if-brg)# ip address 1.2.3.4 255.255.255.0
Router(config-if-brg)# ip gateway 2.2.2.2
Router(config-if-brg)# mtu 598
Router(config-if-brg)# upstream 345
Router(config-if-brg)# downstream 123
Router(config-if-brg)# description I am br0
Router(config-if-brg)# exit

6 12 Auxiliary Interface Specific Commands

The first table below lists the auxiliary interface commands and the second table explains the values you can input with these commands.

Table 39
...user if necessary and sets the user type to ext-user.
username username user-type ext-group-user associated-aaa-server server_profile group-id id
  Specify the value of the AD or LDAP server's Group Membership Attribute that identifies the group to which the specified ext-group-user type user account belongs.
no username username
  Deletes the specified user.
username rename username username
  Renames the specified user (first username) to the specified username (second username).
username username [no] description description
  Sets the description for the specified user. The no command clears the description.
  description: You can use alphanumeric and special characters, and it can be up to 60 characters long.
username username [no] logon-time-setting {default|manual}
  Sets the account to use the factory default lease and reauthentication times or custom ones.

Table 133 username/groupname Commands Summary: Users (continued)

username username [no] logon-lease-time <0..1440>
  Sets the lease time for the specified user. Set it to zero to set unlimited lease time. The no command sets the lease time to five minutes (regardless of the current default setting for new users).
username username [no] logon-re-auth-time <0..1440>
  Sets the reauthorization time for the specified use
...server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.

37 6 2 DNS Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 168 Input Values for General DNS Commands

address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
interface_name: The name of the interface.
  Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 200 and lower models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
  Virtual interface on top of an Ethernet interface: add a colon (:) and the number of the virtual interface. For example, gex:y, x = 1..N, y = 1..4.
  VLAN interface: vlanx, x = 0..4094.
  Virtual interface on top of a VLAN interface: vlanx:y, x = 0..4094, y = 1..12.
  Bridge interface: brx, x = 0..N, where N depends on the number of bridge interfaces your ZyWALL model supports.
  Virtual interface on top of a bridge interface: brx:y, x = the number of the bridge interface, y = 1..4.
  PPPoE/PPTP interface: pppx, x = 0..N, where N depends on the number of PPP
...settings. If there is a startup-config.conf, the ZyWALL checks it for errors and applies it. If there are no errors, the ZyWALL uses it and copies it to the lastgood.conf configuration file. If there is an error, the ZyWALL generates a log and copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. If there isn't a lastgood.conf configuration file or it also has an error, the ZyWALL applies the system-default.conf configuration file.

You can change the way the startup-config.conf file is applied. Include the setenv-startup stop-on-error off command. The ZyWALL then ignores any errors in the startup-config.conf file and applies all of the valid commands. The ZyWALL still generates a log for any errors.

39 3 File Manager Commands Input Values

The following table explains the values you can input with the file manager commands.

Table 184 File Manager Command Input Values

file_name: The name of a file. Use up to 25 characters (including a-zA-Z0-9, & and _).

39 4 File Manager Commands Summary

The following table lists the commands that you can use for file management.

Table 185 File Manager Commands Summary

apply /conf/file_name.conf [ignore-error]
  Has the ZyWALL use a specific configuration file. You mus
...settings for synchronization.
show device-ha sync backup next-sync-time
  Displays the next time and date (in hh:mm yyyy-mm-dd format) the ZyWALL will synchronize with the master.
show device-ha sync status
  Displays the current status of synchronization.
[no] device-ha sync from {hostname|ip}
  Specifies the fully qualified domain name (FQDN) or IP address of the ZyWALL router. Usually this is the IP address or FQDN of the virtual router. The no command clears this field.
  hostname: You may use up to 254 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.

Table 129 device-ha Commands: Synchronization (continued)

[no] device-ha sync port <1..65535>
  Specifies the port number to use to synchronize with the specified ZyWALL router. The no command resets the port to 21.
[no] device-ha sync authentication password password
  Specifies the password to use when synchronizing. Every router in the virtual router should use the same password. The no command resets the password to 1234.
  password: You can use 4-63 alphanumeric characters, underscores (_), dashes (-), and special characters.
[no] device-ha sync auto
  Specifies whether or not to automatically synchronize at regular intervals.
[no] device-ha sync interval <5..1440>
  Specifies the number of
...dashes (-) or periods (.), but the first character cannot be a period.

The following sections introduce commands that are supported by several types of interfaces. See Section 6 6 on page 76 for the unique commands for each type of interface.

6 2 1 Basic Interface Properties and IP Address Commands

This table lists basic properties and IP address commands.

Table 16 interface General Commands: Basic Properties and IP Address Assignment

show interface {ethernet|vlan|bridge|ppp|auxiliary} status
  Displays the connection status of the specified type of interfaces.
show interface {interface_name|ethernet|vlan|bridge|ppp|virtual ethernet|virtual vlan|virtual bridge|auxiliary|cellular status|description|all}
  Displays information about the specified interface, the specified type of interfaces, or all interfaces. See Section 6 6 1 on page 78 for all possible cellular status descriptions.
show ipv6 interface {interface_name|all}
  Displays information about the specified IPv6 interface or all IPv6 interfaces.
show ipv6 static address interface
  Displays the static IPv6 addresses configured on the specified IPv6 interface.
show ipv6 nd ra {status|config} interface
  Displays the specified IPv6 interface's IPv6 router advertisement configuration.
show anti-spam white-list
No.  Content                       Type          Status
1    testwhite                     subject       yes
2    whitelist@ourcompany.com      e-mail        yes
3    Date 2007                     mail-header   yes
4    192.168.1.0/255.255.255.0     ip-address    yes

24 2 3 2 Regular Expressions in Black or White List Entries

The following applies for a black or white list entry based on an e-mail subject, e-mail address, or e-mail header value.

Use a question mark (?) to let a single character vary. For example, use "a?c" (without the quotation marks) to specify abc, acc, and so on.

You can also use a wildcard (*). For example, if you configure *def.com, any e-mail address that ends in def.com matches. So mail@def.com matches. The wildcard can be anywhere in the text string and you can use more than one wildcard. You cannot use two wildcards side by side; there must be other characters between them.

The ZyWALL checks the first header with the name you specified in the entry. So if the e-mail has more than one Received header, the ZyWALL checks the first one.

24 2 4 DNSBL Anti-Spam Commands

This section describes the commands for checking the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). You must use the configure terminal command to enter the configuration mode before you can use these commands.

The following table identifies the values required for many of these commands. Other input values are discussed with the correspondi
show anti-spam white-list [status]
  Displays the current anti-spam white list. Use status to show the activation status only.
show anti-spam black-list [status]
  Displays the current anti-spam black list. Use status to show the activation status only.
show anti-spam tag black-list
  Shows the configured anti-spam black list tag.
[no] anti-spam xheader {white-list|black-list} mail-header mail-header-value
  Specifies the name and value for the X-Header to add to e-mails that match the ZyWALL's spam white list or black list.
show anti-spam xheader {white-list|black-list}
  Displays the name and value for the X-Header to add to e-mails that match the ZyWALL's spam white list or black list.

24 2 3 1 White and Black Lists Example

This example shows how to configure and enable white list entries for e-mails with "testwhite" in the subject, e-mails from whitelist@ourcompany.com, e-mails with the Date header set to 2007, and e-mails from or forwarded by IP address 192.168.1.0 with subnet 255.255.255.0.

Router(config)# anti-spam white-list subject testwhite activate
Router(config)# anti-spam white-list e-mail whitelist@ourcompany.com activate
Router(config)# anti-spam white-list mail-header Date 2007 activate
Router(config)# anti-spam white-list ip-address 192.168.1.0 255.255.255.0 activate
Router(config)#
Router# configure terminal
Router(config)# idp signature rule 1
Router(config-idp-signature-1)# from zone any to zone LAN bind LAN_IDP activate
Router(config-idp-signature-1)# exit
Router(config)# show idp signature rules

22 3 3 Editing/Creating IDP Signature Profiles

Use these commands to create a new IDP signature profile or edit an existing one. It is recommended you use the web configurator to create/edit profiles. If you do not specify a base profile, the default base profile is none.

Note: You CANNOT change the base profile later.

Table 102 Editing/Creating IDP Signature Profiles

idp signature newpro base {all|lan|wan|dmz|none}
  Creates a new IDP signature profile called newpro. newpro uses the base profile you specify. Enters sub-command mode. All the following commands relate to the new profile. Use exit to quit sub-command mode.
[no] signature sid activate
  Activates or deactivates an IDP signature.
signature sid log [alert]
  Sets log or alert options for an IDP signature.
no signature sid log
  Deactivates log options for an IDP signature.
signature sid action {drop|reject-sender|reject-receiver|reject-both}
  Sets an action for an IDP signature.
no signature sid action
  Deactivates an action for an IDP signature.
show idp profile signature sid details
  Shows
idp customize signature edit quoted_string
  Edits an existing custom signature.
no idp customize signature custom_sid
  Deletes a custom signature.
show idp signatures custom-signature custom_sid details [contents|non-contents]
  Displays custom signature information.
show idp signatures custom-signature all details
  Displays all custom signatures' information.
show idp signatures custom-signature number
  Displays the total number of custom signatures.

22 4 1 Custom Signature Examples

These examples show how to create a custom signature, edit one, display details of one or all, and show the total number of custom signatures.

Router# configure terminal
Router(config)# idp customize signature test sid 9000000
sid: 9000000
message: test
policy type:
severity:
platform: all: no, Win95/98: no, WinNT: no, WinXP/2000: no, Linux: no, FreeBSD: no, Solaris: no, SGI: no, other Unix: no, network device: no
service: no
outbreak: no
alert tcp any any <> any any (msg:

This example shows you how to edit a custom signature.

Router(config)# idp customize signature edit test
sid: 9000000
message: test edit
policy type:
severity:
platform: all: no, Win95/98: no, WinNT: no, WinXP/2000: no, Linux: no, FreeBSD: no, Solaris: no, SGI: no, other Unix: no, network device: no
...ocsp url url [id name password password] [deactivate]
  Sets the validation configuration for the specified remote (trusted certificates) certificate where the directory server uses OCSP.
  url: Type the protocol, IP address and pathname of the OCSP server.
  name: The ZyWALL may need to authenticate itself in order to access the OCSP server. Type the login name (up to 31 characters) from the entity maintaining the server (usually a certification authority). You can use alphanumeric characters, the underscore, and the dash.
  password: Type the password (up to 31 characters) from the entity maintaining the OCSP server (usually a certification authority). You can use the following characters: a-zA-Z0-9, !, &, _, <, >.
no ca category {local|remote} certificate_name
  Deletes the specified local (my certificates) or remote (trusted certificates) certificate.
no ca validation name
  Removes the validation configuration for the specified remote (trusted certificates) certificate.

Table 156 ca Commands Summary (continued)

show ca category {local|remote} name certificate_name certpath
  Displays the certification path of the specified local (my certificates) or remote (trusted certificates) certificate.
show ca category {local|remote} [name certificate_name format {text|pem}]
  Displays a summary of the certificates in the
...specified category (local for my certificates or remote for trusted certificates) or the details of a specified certificate.
show ca validation name name
  Displays the validation configuration for the specified remote (trusted certificates) certificate.
show ca spaceusage
  Displays the storage space in use by certificates.

32 5 Certificates Commands Examples

The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512-bit key. Then it displays the list of local certificates. Finally, it deletes the pkcs12request certification request.

Router# configure terminal
Router(config)# ca generate x509 name test_x509 cn-type ip cn 10.0.0.58 key-type rsa key-len 512
Router(config)# show ca category local
certificate: default
  type: SELF
  subject: CN=ZyWALL-1050_Factory_Default_Certificate
  issuer: CN=ZyWALL-1050_Factory_Default_Certificate
  status: VALID
  ID: ZyWALL-1050_Factory_Default_Certificate
  type: EMAIL
  valid from: 2003-01-01 00:38:30
  valid to: 2022-12-27 00:38:30
certificate: test
  type: REQ
  subject: CN=1.1.1.1
  issuer: none
  status: VALID
  ID: 1.1.1.1
  type: IP
  valid from: none
  valid to: none
certificate: pkcs12request
  type: REQ
  subject: CN=1.1.1.2
  issuer: none
  status: VALID
  ID: 1.1.1.2
  type: IP
  valid from: none
  valid to: none
certificate: test_x509
  type: SELF
533. specified DNS server's domain zone name. This is a domain zone, not a host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. Whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address.
    interface_name: This is the interface through which the ISP provides a DNS server. The interface should be activated and set to be a DHCP client.
    The no command deletes a zone forwarder record.
ip dns-server zone-forwarder {<1..32>|append|insert <1..32>} domain_zone_name user-defined w.x.y.z {auto|private|interface interface_name}
    Sets a domain zone forwarder record that specifies a DNS server's IP address.
    private | interface: Use private if the ZyWALL connects to the DNS server through a VPN tunnel. Otherwise use the interface command to set the interface through which the ZyWALL sends DNS queries to a DNS server. auto means any interface that the ZyWALL uses to send DNS queries to a DNS server according to the routing rule.
ip dns-server zone-forwarder move <1..32> to <1..32>
    Changes the index number of a zone forwarder record.
no ip dns-server rule <1..32>
    Deletes a service control rule.
show ip dns-server
    Displays all DNS entries.
show ip dns-server database
    Displays all configured records.
show ip dns-server status
    Displays w
534. ...ss-object object_name {ip|ip_range|ip_subnet|interface-ip interface|interface-subnet interface|interface-gateway interface}
    Creates the specified IPv4 address object using the specified parameters.
    ip_range: <1..255>.<0..255>.<0..255>.<1..255>-<1..255>.<0..255>.<0..255>.<1..255>
    ip_subnet: <1..255>.<0..255>.<0..255>.<0..255>/<1..32>
    interface: Specify an interface when you create an object based on an interface.
no address-object object_name
    Deletes the specified address object.
address-object rename object_name object_name
    Renames the specified address object (the first object_name) to the second object_name.
[no] address6-object object_name {ipv6_address|ipv6_range|ipv6_subnet}
    Creates the specified IPv6 address object using the specified parameters. The no command removes the specified address object.
    ipv6_address: an IPv6 address.
    ipv6_range: an IPv6 address range, for example fe80::1234:1-fe80::1234:ffff.
    ipv6_subnet: IPv6 prefix format, for example fe80::211:85ff:fe0e:dec/128.
[no] address6-object object_name interface-ip interface {dhcpv6|link-local|slaac}
    Creates the specified IPv6 address object based on the specified interface object. Specify whether it is a DHCPv6 server, link-local IP subnet, interface dhcpv6, slaac or static-addr-index static_addr_index address (SLAAC is a StateLess Address Auto Configuration IP address) sl
535. ...ss the network or an SSL VPN tunnel. After a successful user authentication, a user's computer must meet the endpoint security object's Operating System (OS) option and security requirements to gain access. You can configure the endpoint security object to require a user's computer to match just one of the endpoint security object's checking criteria or all of them. Configure endpoint security objects to use with the authentication policy and SSL VPN features.

What Endpoint Security Can Check
The settings endpoint security can check vary depending on the OS of the user's computer. Depending on the OS, EPS can check user computers for the following:
- Operating System (Windows, Linux, Mac OSX or others)
- Windows version and service pack version
- Windows Auto Update setting and installed security patches
- Personal firewall installation and activation
- Anti-virus installation and activation
- Windows registry settings
- Processes that the endpoint must execute
- Processes that the endpoint cannot execute
- The size and version of specific files

Multiple Endpoint Security Objects
You can configure an authentication policy or SSL VPN policy to use multiple endpoint security objects. This allows checking of computers with different OSs or security settings. When a client attempts to log in, the ZyWALL checks the client's computer against the endpoint security objects one by one. The client's computer must match one of the force authentica
536. ...st entry for files with a .exe extension.

Router(config)# anti-virus white-list activate
Router(config)# anti-virus white-list file-pattern *.exe activate
Router(config)# anti-virus black-list activate
Router(config)# anti-virus black-list file-pattern *.exe deactivate
Router(config)# show anti-virus white-list status
anti-virus white-list status: yes
Router(config)# show anti-virus white-list
No. Status File Pattern
           *.exe
Router(config)# show anti-virus black-list status
anti-virus black-list status: yes
Router(config)# show anti-virus black-list
No. Status File Pattern

21.2.4 Signature Search Anti-virus Command
The following table describes the command for searching for signatures. You must use the configure terminal command to enter the configuration mode before you can use this command.

Table 95 Command for Anti-virus Signature Search
COMMAND / DESCRIPTION
anti-virus search signature {all|category category|id id|name name|severity severity|from id to id}
    Search for signatures by their ID, name, severity or category.
    all: displays all signatures.
    category: Select whether you want to see virus signatures or spyware signatures.
    id: type the ID or part of the ID of the signature you want to find.
    severity: high, medium or low.
    name: type the name or part of the name of the signature(s)
537. ...ster and backup ZyWALLs to the same services.

25.2 General Device HA Commands
This table lists the general commands for device HA.

Table 124 device-ha General Commands
COMMAND / DESCRIPTION
show device-ha status
    Displays whether or not device HA is activated, the configured device HA mode and the status of the monitored interfaces.
[no] device-ha activate
    Turns device HA on or off.
device-ha mode {active-passive|legacy}
    Sets the ZyWALL to use active-passive or legacy (VRRP group based) device HA.

25.3 Active-Passive Mode Device HA
Virtual Router: The master and backup ZyWALL form a single virtual router.
Cluster ID: You can have multiple ZyWALL virtual routers on your network. Use a different cluster ID to identify each virtual router.
Monitored Interfaces in Active-Passive Mode Device HA: You can select which interfaces device HA monitors. If a monitored interface on the ZyWALL loses its connection, device HA has the backup ZyWALL take over. Enable monitoring for the same interfaces on the master and backup ZyWALLs. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL.

Chapter 25 Device HA
Virtual Router and Management IP Addresses: If a backup takes over for the master, it uses the master's IP addresses. These IP addresses are known as the
538. ...sword for the specified ISP account. The no command clears the password.
    password: You can use up to 63 printable ASCII characters. Spaces are not allowed.
[no] authentication {chap-pap|chap|pap|mschap|mschap-v2}
    Sets the authentication for the specified ISP account. The no command sets the authentication to chap-pap.
[no] compression {yes|no}
    Turns compression on or off for the specified ISP account. The no command turns off compression.
[no] idle <0..360>
    Sets the idle timeout for the specified ISP account. The no command sets the idle timeout to zero.
[no] service-name {ip|hostname|service_name}
    Sets the service name for the specified PPPoE ISP account. The no command clears the service name.
    hostname: You may use up to 63 alphanumeric characters, dashes (-) or periods (.), but the first character cannot be a period.
    service_name: You can use up to 63 alphanumeric characters, underscores (_), dashes (-) and @$./ characters.

Chapter 33 ISP Accounts
Table 157 PPPoE and PPTP ISP Account Commands (continued)
COMMAND / DESCRIPTION
[no] server ip
    Sets the PPTP server for the specified PPTP ISP account. The no command clears the server name.
[no] encryption {nomppe|mppe-40|mppe-128}
    Sets the encryption for the specified PPTP ISP account. The no command sets the encryption to nomppe.
[no] connection-id connection_id
    Sets the connection ID for the specified PPTP ISP account.
539. ...t Removes the specified physical port from its current representative interface and adds it to its default representative interface (for example, port x > gex).
port status Port<1..x>
    Enters a sub-command mode to configure the specified port's settings.
[no] duplex {full|half}
    Sets the port's duplex mode. The no command returns the default setting.
exit
    Leaves the sub-command mode.
[no] negotiation auto
    Sets the port to use auto-negotiation to determine the port speed and duplex. The no command turns off auto-negotiation.
[no] speed {100|10}
    Sets the Ethernet port's connection speed in Mbps. The no command returns the default setting.
show port setting
    Displays the Ethernet port negotiation, duplex and speed settings.
show port status
    Displays statistics for the Ethernet ports.

Chapter 6 Interfaces
6.3.2.1 Port Grouping Command Examples
The following commands add physical port 5 to representative interface ge1.

Router# configure terminal
Router(config)# show port-grouping
No. Representative Name Port1 Port2 Port3 Port4 Port5
1   ge1                 yes   no    no    no    no
2   ge2                 no    yes   no    no    no
3   ge3                 no    no    yes   no    no
4   ge4                 no    no    no    yes   no
5   ge5                 no    no    no    no    yes
Router(config)# port-grouping ge1
Router(config-port-grouping)# port 5
Router(config-port-grouping)# exit
Router(config)# show port-grouping
No. Representativ
540. ...t certification authorities. You can use the ZyWALL to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.

32.2 Certificate Commands
This section describes the commands for configuring certificates.

32.3 Certificates Commands Input Values
The following table explains the values you can input with the certificate commands.

Table 155 Certificates Commands Input Values
LABEL / DESCRIPTION
certificate_name
    The name of a certificate. You can use up to 31 alphanumeric and some symbol characters.
cn_address
    A common name IP address identifies the certificate's owner. Type the IP address in dotted decimal notation.
cn_domain_name
    A common name domain name identifies the certificate's owner. The domain name is for identification purposes only and can be any string. The domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods.
cn_email
    A common name e-mail address identifies the certificate's owner. The e-mail address is for identification purposes only and can be any string. The e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.
organizational_unit
    Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters
541. ...t for the ZyWALL to authenticate the server using HTTP digest authentication. The no command removes the password of the ACS connection request.
    Configure the username of the ZyWALL for the ACS server to authenticate the ZyWALL using HTTP digest authentication. The no command removes the password of the ACS server authentication request.
[no] cnm-agent password TR-069_password
    Configure the password of the ZyWALL for the ACS server to authenticate the ZyWALL using HTTP digest authentication. The no command removes the password of the ACS server authentication request.
cnm-agent server-type {vantage|tr069}
    Configure the server type of the management server as either a Vantage CNM server or a TR-069 ACS server.

38.11.1.1 Vantage CNM Command Examples
The following example turns on Vantage CNM management and sets the ZyWALL to register with a server at https://1.2.3.4/vantage/TR069.

Router# configure terminal
Router(config)# cnm-agent activate
Router(config)# cnm-agent manager https://1.2.3.4/vantage/TR069
Router(config)# show cnm-agent configuration
Activate: YES
ACS URL: https://1.2.3.4/vantage/TR069
Keepalive: ENABLE
Keepalive Interval: 60
Periodic Inform: DISABLE
Periodic Inform Interval: 3600
Custom IP: NO
HTTPS Authentication: NO
Vantage Certificate: zwl050 cer456

38.12 Language Commands
Use the language commands to display what language the web configurator is using or change it. You must use the config
542. ...t of ports (1-65535) used to identify the specified application. This port number can only be included in one application's list. The no command removes the specified port from the list.
app protocol_name {forward|drop|reject}
    Specifies what action the ZyWALL should take when it identifies this application.
app protocol_name mode {portless|portbase}
    Specifies how the ZyWALL identifies this application.
[no] app protocol_name log [alert]
    Creates log entries and alerts for the specified application. The no command does not create any log entries.

20.2.2 Rule Commands for Pre-defined Applications
This table lists the commands for rules in each pre-defined application.

Table 83 app Commands: Rules in Pre-Defined Applications
COMMAND / DESCRIPTION
app protocol_name rule insert rule_number
    Creates a new rule at the specified row and enters sub-command mode. See Table 84 on page 165 for the sub-commands.
app protocol_name rule append
    Creates a new rule, appends it to the end of the list and enters sub-command mode. See Table 84 on page 165 for the sub-commands.
app protocol_name rule rule_number
app protocol_name rule modify rule_number
    Enters sub-command mode for editing the rule at the specified row. See Table 84 on page 165 for the sub-commands.

Chapter 20 Application Patrol
Table 83 app Commands: Rules in Pre-Defined Applications (cont
543. ...t profile by the parameters specified. The quoted string is any text within the signature name, in quotes. For example, idp search LAN_IDP name "WORM" sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text "worm" within the signature name.
    Searches for signature(s) in a profile by the parameters specified. The quoted string is any text within the signature name, in quotes. For example, idp search LAN_IDP name "WORM" sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text "worm" within the signature name.
show idp search system-protect my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any|yes|no} log {any|no|log|log alert} action action_mask
    Searches for signature(s) in a system-protect profile by the parameters specified. The quoted string is any text within the signature name, in quotes. For example, idp search LAN_IDP name "WORM" sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text "worm" within the signature name.

22.3.6.1 Search Parameter Tables
The following table displays the command line severity, platform and policy type equiva
544. ...t still use the error rollback write command to save your configuration changes to the flash (non-volatile or long-term) memory.
Use this command without specifying both ignore-error and rollback: this is not recommended because it would leave the rest of the configuration blank. If the interfaces were not configured before the first error, the console port may be the only way to access the device.
Use ignore-error without rollback: this applies the valid parts of the configuration file and generates error logs for all of the configuration file's errors. This lets the ZyWALL apply most of your configuration, and you can refer to the logs for what to fix.
Use both ignore-error and rollback: this applies the valid parts of the configuration file, generates error logs for all of the configuration file's errors and starts the ZyWALL with a fully valid configuration file.
Use rollback without ignore-error: this gets the ZyWALL started with a fully valid configuration file as quickly as possible.
You can use the apply /conf/system-default.conf command to reset the ZyWALL to go back to its system defaults.
copy {cert|conf|idp|packet_trace|script|tmp}/file_name-a.conf {cert|conf|idp|packet_trace|script|tmp}/file_name-b.conf
    Saves a duplicate of a file on the ZyWALL from the source file name to the target file name. Specify the directory and file name of the file that you want to copy and the
545. ...ta throughput but may make data transfer more prone to errors; long prioritizes data integrity but reduces data transfer rates.
[no] ampdu
    For an IEEE 802.11n interface, enables or disables grouping of several A-MPDUs (Aggregate MAC Protocol Data Units) into one larger frame for faster data transfer rates.
[no] amsdu
    For an IEEE 802.11n interface, enables or disables grouping of several A-MSDUs (Aggregate MAC Service Data Units) into one large A-MPDU (Aggregate MAC Protocol Data Unit) for faster data transfer rates.
[no] block-ack
    Turns the IEEE 802.11n interface's block ACK (BA) mechanism on or off. Block ACK lets multiple frames be streamed out and acknowledged by a single frame. This cuts the wait time between frames and increases data throughput.
qos {none|wmm}
    Select the WLAN Quality of Service priority for an IEEE 802.11n interface.
    none: Apply no priority to traffic.
    wmm: Wi-Fi Multimedia has the priority of a data packet depend on the packet's IEEE 802.1q or DSCP header. If a packet has no WMM value assigned to it, it is assigned the default priority.
[no] ctsrts <256..2346>
    Sets the Clear To Send / Request To Send threshold. CTS/RTS reduces data collisions caused by wireless clients that are associated with the same AP but out of range of one another. The no command turns off CTS/RTS.
[no] frag <256..2346>
    Sets the threshold number of bytes for the fragmentation boundary for directed messages. It is the max
546. ...ted dynamic VPN rules.
show system route default-wan-trunk
    Displays the default WAN trunk settings.
show ip route {static|dynamic}
    Displays activated static/dynamic routes.
show system snat policy-route
    Displays activated policy routes which use SNAT.
show system snat nat-1-1
    Displays activated NAT rules which use SNAT.
show system snat nat-loopback
    Displays activated NAT rules which use SNAT with NAT loopback enabled.
show system snat default-snat
    Displays the default WAN trunk settings.

Chapter 44 Packet Flow Explore
44.3 Packet Flow Explore Commands Example
The following example shows all routing related functions and their order.

Router# show route order
route order: Policy Route, Direct Route, 1-1 SNAT, SiteToSite VPN, Dynamic VPN, Static-Dynamic Route, Default WAN Trunk, Main Route

The following example shows all SNAT related functions and their order.

Router# show system snat order
snat order: Policy Route SNAT, 1-1 SNAT, Loopback SNAT, Default SNAT

The following example shows all activated policy routes.

Router# show system route policy-route
No. PR NO. Source Destination Incoming DSCP Service Nexthop Type Nexthop Info

The following example shows all activated 1-to-1 SNAT rules.

Router# show system route nat-1-1
No. VS Name Source Destination Outgoing Gateway

The following example sho
548. ...th activate
    Enables force user authentication, which forces users to log in to the ZyWALL before the ZyWALL routes traffic for them. The no command means the user authentication is not required.
force-auth default-rule {authentication {required|unnecessary}} {{no log}|{log [alert]}}
    Sets the default authentication policy that the ZyWALL uses on traffic that does not match any exceptional service or other authentication policy.
    required: Users need to be authenticated. They must manually go to the ZyWALL's login screen. The ZyWALL will not redirect them to the login screen.
    unnecessary: Users do not need to be authenticated.
    no log | log [alert]: Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or not (no log) for packets that match this default policy.
[no] force-auth exceptional-service service_name
    Sets a service which you want users to be able to access without user authentication. The no command removes the specified service from the exceptional list.
force-auth policy <1..1024>
    Creates the specified condition for forcing user authentication, if necessary, and enters sub-command mode. The conditions are checked in sequence, starting at 1. See Table 137 on page 234 for the sub-commands.
force-auth policy append
    Creates a new condition for forcing user authentication at the end of the current list and enters sub-command mode. See Table 137 on page
549. ...that are exempt from IP/MAC binding.
show ip ip-mac-binding interface_name
    Shows whether IP/MAC binding is enabled or disabled for the specified interface.
show ip ip-mac-binding all
    Shows whether IP/MAC binding is enabled or disabled for all interfaces.
show ip ip-mac-binding status interface_name
    Displays the current IP/MAC bindings for the specified interface.
show ip ip-mac-binding status all
    Displays the current IP/MAC bindings for all interfaces.
show ip ip-mac-binding exempt
    Shows the current IP/MAC binding exempt list.
ip ip-mac-binding interface_name clear drop-count
    Resets the packet drop counter for the specified interface.
debug ip ip-mac-binding activate
    Turns on the IP/MAC binding debug logs.
no debug ip ip-mac-binding activate
    Turns off the IP/MAC binding debug logs.

Chapter 15 IP/MAC Binding
15.3 IP/MAC Binding Commands Example
The following example enables IP/MAC binding on the lan1 interface and displays the interface's IP/MAC binding status.

Router# configure terminal
Router(config)# ip ip-mac-binding lan1 activate
Router(config)# show ip ip-mac-binding lan1
Name: lan1
Status: Enable
Log: No
Binding Count: 0
Drop Count: 0
Router(config)#

Firewall
This chapter introduces the ZyWALL's firewall and shows you how to configure your ZyWALL's firewa
550. ...the IP address in dotted decimal notation or the domain name. The no command clears this setting.
[no] ldap-server password password
    Sets the bind password. The no command clears this setting.
[no] ldap-server password-encrypted password
    Sets an encrypted bind password. The no command clears this setting.
[no] ldap-server port port_no
    Sets the LDAP port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
[no] ldap-server search-time-limit time
    Sets the search timeout period in seconds. Enter a number between 1 and 300. The no command clears this setting.
[no] ldap-server ssl
    Enables the ZyWALL to establish a secure connection to the LDAP server. The no command disables this feature.

Chapter 30 AAA Server
30.2.3 radius-server Commands
The following table lists the radius-server commands you use to set the default RADIUS server.

Table 149 radius-server Commands
COMMAND / DESCRIPTION
show radius-server
    Displays the default RADIUS server settings.
[no] radius-server host radius_server auth-port auth_port
    Sets the RADIUS server address and service port number. Enter the IP address in dotted decimal notation or the domain name of a RADIUS server. The no command clears the settings.
[no] radius-server key secret
    Sets a password (up to 15 alphanumeric characters) as the ke
551. ...the SMTP authentication port. The no command deletes the setting.
mail-subject set subject
    Configures the subject of the report e-mails. Spaces are allowed.
no mail-subject set
    Clears the configured subject for the report e-mails.
[no] mail-subject append system-name
    Determines whether the system name will be appended to the subject of the report e-mails.
[no] mail-subject append date-time
    Determines whether the sending date/time will be appended to the subject of the report e-mails.
[no] mail-from e_mail
    Sets the sender e-mail address of the report e-mails.
[no] mail-to-1 e_mail
    Sets to whom the ZyWALL sends the report e-mails (up to five recipients).
[no] mail-to-2 e_mail
    See above.

Chapter 41 Reports and Reboot
Table 198 Email Daily Report Commands (continued)
COMMAND / DESCRIPTION
[no] mail-to-3 e_mail
    See above.
[no] mail-to-4 e_mail
    See above.
[no] mail-to-5 e_mail
    See above.
[no] item as-report
    Determines whether or not anti-spam statistics are included in the report e-mails.
[no] item av-report
    Determines whether or not anti-virus statistics are included in the report e-mails.
[no] item cf-report
    Determines whether or not content filtering statistics are included in the report e-mails.
[no] item cpu-usage
    Determines whether or not CPU usage statistics are included in the report e-mails.
[no] item idp-report
    Determines whether or not IDP statistics are
552. ...the specified SIP server, NTP server or DNS server DHCP lease object with the specified IPv6 address. When you assign a request object, the lease object value will be the request object value retrieved from the DHCPv6 server.
dhcp6-lease-object rename dhcp6_profile dhcp6_profile
    Renames the specified DHCPv6 lease object to the specified name.
no dhcp6-lease-object dhcp6_profile
    Deletes the specified DHCPv6 lease object.
dhcp6-request-object dhcp6_profile {dns-server|ntp-server|prefix-delegation|sip-server}
    Creates or edits the specified SIP server, DNS server, NTP server or prefix delegation DHCP request object.
dhcp6-request-object rename dhcp6_profile dhcp6_profile
    Renames the specified DHCPv6 request object to the specified name.
no dhcp6-request-object dhcp6_profile
    Deletes the specified DHCPv6 request object.

36.1.2 DHCPv6 Object Command Examples
This example creates and displays a DHCPv6 lease object named test1 for IPv6 address 2003::1 with DUID 00:01:02:03:04:05:06:07:00:01:02:03:04:05:06:07.

Router(config)# dhcp6-lease-object test1 address 2003::1 duid 00:01:02:03:04:05:06:07:00:01:02:03:04:05:06:07
Router(config)# show dhcp6-lease-object
DHCP6 Lease Object: test1
    Object Type: address
    Object Value: 2003::1
    DUID: 00:01:02:03:04:05:06:07:00:01:02:03:04:05:06:07
    Bind Iface:
    REFERENCE: 0

This example makes test1 into a DHCPv6 address pool lease object for IPv6 addresses 2004::10 to 2004::40.
DHCP6
553. ...this so the ZyWALL does not spend time looking for a WCDMA network. wcdma has this interface only use a 3G or 3.5G network, respectively. You may want to use this if you want to make sure the interface does not use the GSM network.

Chapter 6 Interfaces
Table 27 Cellular Interface Commands (continued)
COMMAND / DESCRIPTION
[no] network-selection {auto|home}
    Home network is the network to which you are originally subscribed. home has the 3G device connect only to the home network. If the home network is down, the ZyWALL's 3G Internet connection is also unavailable. auto is the default setting and allows the 3G device to connect to a network to which you are not subscribed when necessary, for example when the home network is down or another 3G base station's signal is stronger. This is recommended if you need continuous Internet connectivity. If you select this, you may be charged using the rate of a different network.
[no] budget active
    Sets a monthly limit for the user account of the installed 3G card. You can set a limit on the total traffic and/or call time. The ZyWALL takes the actions you specified when a limit is exceeded during the month. Use the no command to disable budget control.
[no] budget time active <1..672>
    Sets the amount of time (in hours) that the 3G connection can be used within one month. If you change the value, the ZyWALL resets the sta
554. ...ti-spam rule rule_number
    Enters the anti-spam sub-command mode to edit the specified direction-specific rule.
[no] activate
    Turns a direction-specific anti-spam rule on or off.
[no] log [alert]
    Sets the ZyWALL to create a log (and optionally an alert) when packets match this rule and are found to be spam. The no command sets the ZyWALL not to create a log or alert when packets match this rule.
[no] from zone_object
    Sets the zone on which the packets are received. The no command removes the zone setting. This is equal to any, so the rule applies to all packets the ZyWALL sends out.
[no] to zone_object
    Sets the zone to which the packets are sent. The no command removes the zone setting. This is equal to any, so the rule applies to all packets the ZyWALL sends out.
[no] scan {smtp|pop3}
    Sets the protocols of traffic to scan for spam.
[no] match-action pop3 {forward|forward-with-tag}
    Sets the action to take when the ZyWALL detects a spam POP3 e-mail. The file can be forwarded or forwarded with a spam tag.
[no] match-action smtp {drop|forward|forward-with-tag}
    Sets the action to take when the ZyWALL detects a spam SMTP e-mail. The file can be deleted, forwarded or forwarded with a spam tag.
[no] bypass {white-list|black-list|dnsbl}
    Bypassing has the ZyWALL not check files against your configured white (allowed) list, black (spam) list or DNSBL servers list.
[no] by
556. 47.3.1 Application Watchdog Commands Example ... 348
List of Commands (Alphabetical) ... 351

PART I Introduction

Command Line Interface
This chapter describes how to access and use the CLI (Command Line Interface).

1.1 Overview
If you have problems with your ZyWALL, customer support may request that you issue some of these commands to assist them in troubleshooting. Use of undocumented commands or misconfiguration can damage the ZyWALL and possibly render it unusable.

1.1.1 The Configuration File
When you configure the ZyWALL using either the CLI (Command Line Interface) or the web configurator, the settings are saved as a series of commands in a configuration file on the ZyWALL. You can store more than one configuration file on the ZyWALL. However, only one configuration file is used at a time.
You can perform the following with a configuration file:
- Back up ZyWALL configuration once the ZyWALL is set up to work in your network.
- Restore ZyWALL configuration.
- Save and edit a configuration file and upload it to multiple ZyWALLs of the same model in your network to have the same settings.
Note: You may also edit a configuration file using a text editor.

1.2 Accessing t
557. timers

47.1 Hardware Watchdog Timer

The hardware watchdog has the system restart if the hardware fails. The hardware watchdog timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.

Table 207 hardware-watchdog-timer Commands

COMMAND / DESCRIPTION
[no] hardware-watchdog-timer <4..37>
    Sets how long the system's hardware can be unresponsive before resetting. The no command turns the timer off.
show hardware-watchdog-timer status
    Displays the settings of the hardware watchdog timer.

47.2 Software Watchdog Timer

The software watchdog has the system restart if the core firmware fails. The software watchdog timer commands are for support engineers. It is recommended that you not modify the software watchdog timer settings.

Table 208 software-watchdog-timer Commands

COMMAND / DESCRIPTION
[no] software-watchdog-timer <10..600>
    Sets how long the system's core firmware can be unresponsive before resetting. The no command turns the timer off.
show software-watchdog-timer status
    Displays the settings of the software watchdog timer.
show software-watchdog-timer log
    Displays a log of when the software watchdog timer took effect.

ZyWALL ZLD CLI Reference Guide 347, Chapter 47 Watchdog Timer

47.3 Application Watchdog

The application watchdog has the system restart a process that fails. These are the app-watchdog co
558. tion | echo-reply | parameter-problem | time-exceeded | neighbor-advertisement | router-advertisement | redirect | unreachable}
    Creates the specified ICMPv6 message using the specified parameters.

28.2.1.1 Service Object Command Examples

The following commands create four services, display them, and then remove one of them.

Router# configure terminal
Router(config)# service-object TELNET tcp eq 23
Router(config)# service-object FTP tcp range 20 21
Router(config)# service-object ICMP_ECHO icmp echo
Router(config)# service-object MULTICAST protocol 2
Router(config)# show service-object
Object name    Protocol    Minmum port    Maxmum port    Ref
TELNET         TCP         23             23             0
FTP            TCP         20             21             0
ICMP_ECHO      ICMP        0              0              0
MULTICAST      2           0              0              0
Router(config)# no service-object ICMP_ECHO
Router(config)# show service-object
Object name    Protocol    Minmum port    Maxmum port    Ref
TELNET         TCP         23             23             0
FTP            TCP         20             21             0
MULTICAST      2           0              0              0

28.2.2 Service Group Commands

The first table lists the commands for service groups.

Table 144 object-group Commands: Service Groups

COMMAND / DESCRIPTION
show object-group service group_name
    Displays information about the specified service group.
[no] object-group service group_name
    Creates the specified service group if necessary and enters sub
559. tion or SSL VPN policy's endpoint security policies in order to gain access.

ZyWALL ZLD CLI Reference Guide, Chapter 35 Endpoint Security

Requirements: User computers must have Sun's Java (Java Runtime Environment or JRE) installed and enabled, with a minimum version of 1.4.

35.1.1 Endpoint Security Commands Summary

The following table describes the values required for many endpoint security object commands. Other values are discussed with the corresponding commands.

Table 160 Input Values for Endpoint Security Commands

LABEL / DESCRIPTION
profile_name
    The name of the endpoint security object. You may use 1-31 characters (0-9, a-z, A-Z), with no spaces allowed.
file_path
    This is a file with the full directory path in quotation marks. For example, "C:\Program Files\Internet Explorer\iexplore.exe".

The following sections list the endpoint security object commands.

35.1.2 Endpoint Security Object Commands

This table lists the commands for creating endpoint security objects. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 161 Endpoint Security Object Commands

COMMAND / DESCRIPTION
[no] eps failure-messages failure_messages
    Specify a message to display when a user's computer fails the endpoint security check. Use up to 1023 characters (0-9, a-z, A-Z, _). For example
560. tion to either required or force for this condition.
[no] eps activate
    Enables EPS for the specified condition. The no command disables EPS for the condition.
eps insert <1..8> eps_object_name
    Inserts the specified EPS object for the condition. The number determines the order in which this EPS rule is executed in the condition.
eps move <1..8> to <1..8>
    Changes an endpoint object's position in the execution order of the condition.
[no] eps periodical-check <1..1440>
    Sets a number of minutes after which the ZyWALL repeats the endpoint security check. The no command means that the ZyWALL only performs the endpoint security check when users log in to the ZyWALL.
[no] force
    Forces users to log in to the ZyWALL if the specified condition is satisfied. The no command means that users do not log in to the ZyWALL.
[no] schedule schedule_name
    Sets the time criteria for the specified condition. The no command removes the time criteria, making the condition effective all the time.
[no] source {address_object | group_name}
    Sets the source criteria for the specified condition. The no command removes the source criteria, making the condition effective for all sources.
show
    Displays information about the specified condition.

26.2.4.2 Force Authentication Policy Insert Command Example

The following commands show how to insert a force authentication policy at position 1 of the checkin
561. tistics. Use the no command to disable time budget control.
[no] budget data active {download | upload | download-upload} <1..100000>
    Sets how much downstream and/or upstream data (in Megabytes) can be transmitted via the 3G connection within one month.
    download: set a limit on the downstream traffic (from the ISP to the ZyWALL).
    upload: set a limit on the upstream traffic (from the ZyWALL to the ISP).
    download-upload: set a limit on the total traffic in both directions.
    If you change the value, the ZyWALL resets the statistics. Use the no command to disable data budget control.
budget reset-day <0..31>
    Sets the date on which the ZyWALL resets the budget every month. If the date you selected is not available in a month (such as the 30th or 31st), the ZyWALL resets the budget on the last day of the month.
budget reset-counters
    Resets the time and data budgets immediately. The count starts over with the 3G connection's full configured monthly time and data budgets. This does not affect the normal monthly budget restart.
budget log {log | alert} [recursive <1..65535>]
    Sets the ZyWALL to create a log (log) or an alert log (alert) when the time or data limit is exceeded. You can also specify how often (from 1 to 65535 minutes) to generate a log or an alert.
[no] budget log recursive
    Sets the ZyWALL to not create a log when the time or data limit is exceeded. Specify recursive to have the ZyWALL o
562. to 60 printable ASCII characters. The no command clears the setting.
[no] server group-attribute <1..255>
    Sets the value of an attribute that the ZyWALL uses to determine to which group a user belongs. This attribute's value is called a group identifier. You can add ext-group-user user objects to identify groups based on different group identifier values. For example, you could configure attributes 1, 10 and 100 and create an ext-group-user user object for each of them. The no command clears the setting.
[no] server host radius_server
    Enter the IP address (in dotted decimal notation) or the domain name of a RADIUS server to add to this server group. The no command clears this setting.
[no] server key secret
    Sets a password (up to 15 alphanumeric characters) as the key to be shared between the RADIUS server(s) and the ZyWALL. The no command clears this setting.
[no] server timeout time
    Sets the search timeout period in seconds. Enter a number between 1 and 300. The no command clears this setting and sets it to the default setting of 5 seconds.

30.2.8 aaa group server radius Command Example

The following example creates a RADIUS server group with two members and sets the secret key to 12345678 and the timeout to 100 seconds. Then this example also shows how to view the RADIUS group settings.

Router# configure terminal
Router(group-server-radius)#
Router(group-server-radi
563. to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.

Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.

The following figure is one example of a VPN tunnel.

Figure 19 VPN Example

The VPN tunnel connects the ZyWALL (X) and the remote IPSec router (Y). These routers then connect the local network (A) and remote network (B).

A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA through which the ZyWALL and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure.

ZyWALL ZLD CLI Reference Guide, Chapter 17 IPSec VPN

Figure 20 VPN: IKE SA and IPSec SA I
564. tricted web features: 0
forbidden web sites: 0
url keywords: 0
web pages blocked without policy:
web pages passed: 0
unsafe web pages: 0
other web pages: 0

23.10 Content Filtering Commands Example

The following example shows how to limit the web access for a sales group.

1. First create a sales address object. This example uses a subnet that covers IP addresses 172.21.3.1 to 172.21.3.254.
2. Then create a schedule for all day.
3. Create a filtering profile for the group.
4. You can use the following commands to block sales from accessing adult and pornography websites.
5. Enable the external web filtering service.
   Note: You must register for the external web filtering service before you can use it (see Chapter 5 on page 45).
6. You can also customize the filtering profile. The following commands block ActiveX, Java and proxy access.
7. Append a content filter policy.

ZyWALL ZLD CLI Reference Guide 207, Chapter 23 Content Filtering

8. Activate the customization.

Router# configure terminal
565. ts the ZyWALL to forward POP3 mail with a tag if the queries to the DNSBL domains time out.
Sets the ZyWALL to check up to 4 sender and relay server IP addresses in e-mail headers against the DNSBL.
Sets the ZyWALL to start DNSBL checking from the first IP address in the mail header.
Sets the DNSBL tag to "DNSBL".
Sets the DNSBL timeout tag to "DNSBL-timeout".
Displays the DNSBL statistics.

Router(config)# anti-spam dnsbl domain DNSBL.example.com activate
Router(config)# show anti-spam dnsbl domain
No. Status Domain
1   yes    DNSBL.example.com
Router(config)# anti-spam dnsbl activate
Router(config)# show anti-spam dnsbl status
anti-spam dnsbl status: yes
Router(config)# anti-spam dnsbl query-timeout pop3 forward-with-tag
Router(config)# show anti-spam dnsbl query-timeout pop3
dnsbl query timeout action: forward-with-tag
Router(config)# anti-spam dnsbl max-query-ip 4
Router(config)# show anti-spam dnsbl max-query-ip
dnsbl max query ip: 4
Router(config)# anti-spam dnsbl ip-check-order forward
Router(config)# show anti-spam dnsbl ip-check-order
ip check order: forward
Router(config)# anti-spam tag dnsbl DNSBL
Router(config)# show anti-spam tag dnsbl
dnsbl tag: DNSBL
Router(config)# anti-spam tag dnsbl-timeout DNSBL-timeout
Router(config)# show anti-spam tag dnsbl-timeout
dnsbl timeout tag: DNSBL-timeout
Router(config)# show anti-spam dnsbl st
566. ts up the URL of the Vantage server that the ZyWALL registers with. Include the full HTTPS or HTTP URL, for example https://1.2.3.4/vantage/TR069.
[no] cnm-agent activate
    Turns management through Vantage CNM on or off.
cnm-agent keepalive interval <DD..90>
    Sets the keepalive interval.
[no] cnm-agent periodic-inform activate
    Turns the periodic inform on or off.
cnm-agent periodic-inform interval <10..86400>
    Sets the periodic inform interval.
cnm-agent trigger-inform [interval]
    Initiates a TR-069 connection to the server. You can also specify the interval for the inform messages.
[no] cnm-agent auth activate
    Enables or disables authentication of the server when using HTTPS.
show cnm-agent configuration
    Displays the Vantage CNM configuration.
[no] cnm-agent acs username username-for-ACS-connection-request
    Configure the username of the ACS (Auto Configuration Server) connection request for the ZyWALL to authenticate the server using HTTP digest authentication. No removes the username of the ACS connection request.

ZyWALL ZLD CLI Reference Guide, Chapter 38 System Remote Management

Table 179 Command Summary: Vantage CNM (continued)

COMMAND / DESCRIPTION
[no] cnm-agent acs password password-for-ACS-connection-request
[no] cnm-agent username TR-069-username
    Configure the password of the ACS (Auto Configuration Server) connection reques
569. udp-filtered-decoy-portscan | udp-filtered-distributed-portscan | portsweep} [details]
    Shows UDP scan detection settings for the specified IDP profile.
show idp anomaly profile scan-detection {ip-protocol-scan | ip-decoy-protocol-scan | ip-distributed-protocol-scan | ip-filtered-protocol-scan | ip-filtered-decoy-protocol-scan | ip-filtered-distributed-protocol-scan | ip-protocol-sweep | ip-filtered-protocol-sweep} [details]
    Shows IP scan detection settings for the specified IDP profile.
show idp anomaly profile scan-detection {icmp-sweep | icmp-filtered-sweep | open-port} [details]
    Shows ICMP scan detection settings for the specified IDP profile.
show idp anomaly profile flood-detection all [details]
    Shows all flood detection settings for the specified IDP profile.
show idp anomaly profile flood-detection {tcp-flood | udp-flood | ip-flood | icmp-flood} [details]
    Shows flood detection settings for the specified IDP profile.
show idp anomaly profile http-inspection all [details]
    Shows HTTP inspection settings for the specified IDP profile.
show idp anomaly profile http-inspection {ascii-encoding | u-encoding | base36-encoding | bare-byte-unicode-encoding | utf-8-encoding | iis-unicode-codepoint-encoding | multi-slash-encoding | iis-backslash-evasion | self-directory-traversal | directory-traversal | apache-whitespace-delimiter | non-rfc-defined-char | oversize-request-uri-dire
570. ug mode within 3 seconds.
Enter Debug Mode
>

3. Enter atuk to initialize the recovery process. If the screen displays ERROR, enter atur to initialize the recovery process.

ZyWALL ZLD CLI Reference Guide, Chapter 39 File Manager

Note: You only need to use the atuk or atur command if the recovery image is damaged.

Figure 35 atuk Command for Restoring the Recovery Image

> atuk
This command is for restoring the recovery image (xxx.ri).
Use this command only when
1. the console displays "Invalid Recovery Image" or
2. the console freezes at "Press any key to enter debug mode within 3 seconds" for more than one minute.
Note: Please exit this command immediately if you do not need to restore the recovery image.
Do you want to start the recovery process? (Y/N)(default N):

4. Enter y and wait for the "Starting XMODEM upload" message before activating XMODEM upload on your terminal.

Figure 36 Starting Xmodem Upload

Do you want to start the recovery process? (Y/N)(default N):
Starting XMODEM upload (CRC mode)
C

5. This is an example Xmodem configuration upload using HyperTerminal. Click Transfer, then Send File to display the following screen.

Figure 37 Example Xmodem Upload

Send File
Folder: C:\Product
Filename: C:\Product\Firmware.bin (Type the firmware file's location, or click Browse to search for it.)

Choose the 1K Xmodem proto
571. unnel. If you do not configure this, any user with a valid account and password on the ZyWALL can log in. The no command removes the user name setting.
[no] l2tp-over-ipsec keepalive-timer <1..180>
    The ZyWALL sends a Hello message after waiting this long without receiving any traffic from the remote user. The ZyWALL disconnects the VPN tunnel if the remote user does not respond. The no command returns the default setting.
[no] l2tp-over-ipsec first-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | ppp interface aux 1st-dns}
    Specifies the first DNS server IP address to assign to the remote users. You can specify a static IP address or a DNS server that an interface received from its DHCP server. The no command removes the setting.
[no] l2tp-over-ipsec second-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns}}
    Specifies the second DNS server IP address to assign to the remote users. You can specify a static IP address or a DNS server that an interface received from its DHCP server. The no command removes the setting.
[no] l2tp-over-ipsec first-wins-server ip
    Specifies the first WINS server IP address to assign to the remote users. The no command removes the setting.
[no] l2tp-over-ipsec second-wins-server ip
    Specifies the second WINS server IP address to assign to the remote users. The no command removes the setting.
no l2tp-over-ipsec session tunnel-id <0..65535>
    Deletes the specified L2TP VPN tunnel
572. up server ad rename group_name group_name
    Changes the descriptive name for an AD server group.
aaa group server ad group_name
    Enter the sub-command mode to configure an AD server group.
[no] case-sensitive
    Specify whether or not the server checks the username case. Set this to be the same as the server's behavior.

ZyWALL ZLD CLI Reference Guide, Chapter 30 AAA Server

Table 150 aaa group server ad Commands (continued)

COMMAND / DESCRIPTION
[no] server alternative-cn-identifier uid
    Sets the second type of identifier that the users can use to log in, if any. For example, name or e-mail address. The no command clears this setting.
[no] server basedn basedn
    Sets the base DN to point to the AD directory on the AD server group. The no command clears this setting.
[no] server binddn binddn
    Sets the user name the ZyWALL uses to log into the AD server group. The no command clears this setting.
[no] server cn-identifier uid
    Sets the user name the ZyWALL uses to log into the AD server group. The no command clears this setting.
[no] server description description
    Sets the descriptive information for the AD server group. You can use up to 60 printable ASCII characters. The no command clears the setting.
[no] server group-attribute group_attribute
    Sets the name of the attribute that the ZyWALL is to check to determine to which group a user belongs. The value for this attribute is called a group identifie
573. up to 16 ASCII characters.

24.2.1 General Anti-Spam Commands

The following table describes general anti-spam commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 117 General Anti-Spam Commands

COMMAND / DESCRIPTION
[no] anti-spam activate
    Enables or disables the anti-spam service.
show anti-spam activation
    Displays the anti-spam service status.

ZyWALL ZLD CLI Reference Guide, Chapter 24 Anti-Spam

24.2.1.1 Activate/Deactivate Anti-Spam Example

This example shows how to activate and deactivate anti-spam on the ZyWALL.

Router# configure terminal
Router(config)# anti-spam activate
Router(config)# show anti-spam activation
anti-spam activation: yes
Router(config)# no anti-spam activate
Router(config)# show anti-spam activation
anti-spam activation: no

24.2.2 Zone to Zone Anti-Spam Rules

The following table describes the commands for configuring the zone to zone rules. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 118 Commands for Zone to Zone Anti-Spam Rules

COMMAND / DESCRIPTION
anti-spam rule append
    Enters the anti-spam sub-command mode to add a direction-specific rule.
anti-spam rule insert rule_number
    Enters the anti-spam sub-command mode to add a direction-specific rule.
an
574. up user user-type {admin | user | guest | limited-admin | ext-user}
    Displays the default lease and reauthentication times for the specified type of user accounts.
users default-setting [no] logon-lease-time <0..1440>
    Sets the default lease time (in minutes) for each new user. Set it to zero to set unlimited lease time. The no command sets the default lease time to five.
users default-setting [no] logon-re-auth-time <0..1440>
    Sets the default reauthorization time (in minutes) for each new user. Set it to zero to set unlimited reauthorization time. The no command sets the default reauthorization time to thirty.
users default-setting [no] user-type {admin | ext-user | guest | limited-admin | user | ext-group}
    Sets the default user type for each new user. The no command sets the default user type to user.
users default-setting [no] user-type {admin | ext-user | guest | limited-admin | user | ext-group} logon-lease-time <0..1440>
    Sets the default lease time (in minutes) for each type of new user. Set it to zero for unlimited lease time. The no command sets the default lease time to five.

ZyWALL ZLD CLI Reference Guide, Chapter 26 User/Group

Table 135 username/groupname Commands Summary: Settings (continued)

COMMAND / DESCRIPTION
users default-setting [no] user-type {admin | ext-user | guest | li
    Sets the default reauthorization time (in minutes) for each type of
575. ure terminal command to enter the configuration mode before you can use these commands.

Table 180 Command Summary: Language

COMMAND / DESCRIPTION
language {English | Simplified_Chinese | Traditional_Chinese}
    Specifies the language used in the web configurator screens.
show language {setting | all}
    setting displays the current display language in the web configurator screens. all displays the available languages.

ZyWALL ZLD CLI Reference Guide 297, Chapter 38 System Remote Management

38.13 IPv6 Commands

Use the ipv6 commands to enable or disable IPv6 support. You must use the configure terminal command to enter the configuration mode before you can use the commands that configure settings.

Table 181 Command Summary: IPv6

COMMAND / DESCRIPTION
[no] ipv6 activate
    Enables or disables IPv6 support.
show ipv6 status
    Displays whether IPv6 support is enabled or disabled.

ZyWALL ZLD CLI Reference Guide

File Manager

This chapter covers how to work with the ZyWALL's firmware, certificates, configuration files, custom IDP signatures, packet trace results, shell scripts and temporary files.

39.1 File Directories

The ZyWALL stores files in the following directories.

Table 182 FTP File Transfer Notes

DIRECTORY / FILE TYPE / FILE NAME EXTENSION
/ (root)
    Firmware (upload only): bin
cert
    Non-PKCS#12 certificates: cer
conf
    Configuration files: conf
idp
    IDP
576. us
Router(group-server-radius)#
Router(group-server-radius)#
No. Host Member
1   192.168.1.100
2   172.23.22.100
Router(config)# aaa group server radius RADIUSGroup1
Router(config)# show aaa group server radius RADIUSGroup1
key: 12345678
timeout: 100
description:
group attribute: 11
server host 192.168.1.100 auth-port 1812
server host 172.23.22.100 auth-port 1812
server key 12345678
server timeout 100
exit

ZyWALL ZLD CLI Reference Guide

Authentication Objects

This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database.

31.1 Authentication Objects Overview

After you have created the AAA server objects, you can specify the authentication objects containing the AAA server information that the ZyWALL uses to authenticate users (using VPN or managing through HTTP/HTTPS).

31.2 aaa authentication Commands

The following table lists the aaa authentication commands you use to configure an authentication profile.

Table 153 aaa authentication Commands

COMMAND / DESCRIPTION
aaa authentication rename profile-name-old profile-name-new
    Changes the profile name.
clear aaa authentication profile-name
    profile-name: You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-s
577. used for the SSL VPN access policy. The ZyWALL checks authenticated users' computers against the policy's selected endpoint security objects in the order (from 1 to 8) you specified. When a user's computer meets an endpoint security object's requirements, the ZyWALL grants access and stops checking. To make the endpoint security check as efficient as possible, arrange the endpoint security objects in order, with the one that the most users should match first and the one that the least users should match last.
[no] eps activate
    Sets the ZyWALL to check that users' computers meet the Operating System (OS) and security requirements of one of the SSL access policy's selected endpoint security objects before granting access. The no command disables this setting.
eps insert <1..8> eps_profile_name
    Inserts the specified endpoint security object at the specified position in the endpoint security object checking order.
eps move <1..8> to <1..8>
    Moves the first specified endpoint security object to the second specified endpoint security object's position.
[no] eps periodical-check activate
    Sets whether to have the ZyWALL repeat the endpoint security check at a regular interval (configured using the next command). The no command disables this setting.

ZyWALL ZLD CLI Reference Guide, Chapter 18 SSL VPN

Table 78 SSL VPN Commands (continued)

COMMAND / DE
address-object address_object ip
578. ved and resets it to the default (any). any means all interfaces or VPN tunnels.
[no] to zone_object
    Sets the zone to which the packets are sent. The no command removes the zone to which the packets are sent and resets it to the default (any). any means all interfaces or VPN tunnels.
[no] scan {http | ftp | imap4 | pop3}
    Sets the protocols of traffic to scan for viruses.
[no] infected-action {destroy | win-msg}
    Sets the action to take when the ZyWALL detects a virus in a file. The file can be destroyed (filled with zeros from the point where the virus was found). The ZyWALL can also send a message alert to the file's intended user, using a Microsoft Windows computer connected to the "to" interface.
[no] bypass {white-list | black-list}
    Have the ZyWALL not check files against a pattern list.
[no] file-decompression [unsupported destroy]
    Enable file decompression to have the ZyWALL attempt to decompress zipped files for further scanning. You can also have it destroy the zipped files it cannot decompress due to encryption or system resource limitations.
show [all]
    Displays the details of the anti-virus rule you are configuring, or all the rules.
anti-virus rule move <1..32> to <1..32>
    Moves a direction-specific anti-virus rule to the number that you specified.
anti-virus rule delete <1..32>
    Removes a direction-specific anti-virus rule.

ZyWALL ZLD CLI Reference Guide
579. vice information log to the VRPT server.
show vrpt send interface-statistics interval
    Displays the interval (in seconds) for how often the ZyWALL sends an interface statistics log to the VRPT server.
show vrpt send system-status interval
    Displays the interval (in seconds) for how often the ZyWALL sends a system status log to the VRPT server.

40.1.4 E-mail Profile Commands

This table lists the commands for the e-mail profile settings.

Table 192 logging Commands: E-mail Profile Settings

COMMAND / DESCRIPTION
show logging status mail
    Displays the current settings for the e-mail profiles.
[no] logging mail <1..2>
    Enables the specified e-mail profile. The no command disables the specified e-mail profile.

ZyWALL ZLD CLI Reference Guide, Chapter 40 Logs

Table 192 logging Commands: E-mail Profile Settings (continued)

COMMAND / DESCRIPTION
[no] logging mail <1..2> address {ip | hostname}
    Sets the URL or IP address of the mail server for the specified e-mail profile. The no command clears the mail server field. hostname: you may use up to 63 alphanumeric characters, dashes or periods, but the first character cannot be a period.
logging mail <1..2> sending_now
    Sends mail for the specified e-mail profile immediately, according to the current settings.
[no] logging mail <1..2> authentication
    Enables SMTP authentication. The no command disables SMTP authenticat
580. virtual router IP addresses. Each interface can also have a management IP address. You can connect to this IP address to manage the ZyWALL regardless of whether it is the master or the backup.

25.4 Active-Passive Mode Device HA Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 125 Input Values for device-ha Commands

LABEL / DESCRIPTION
interface_name
    The name of the interface. This depends on the ZyWALL model. For the ZyWALL USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. For the ZyWALL USG 200 and below, use a name such as wan1, wan2, opt, lan1, ext-wlan or dmz. Besides, in HA AP mode the interface can also be a bridge interface. In HA Legacy mode the interface can also be a VLAN interface.

The following sections list the device-ha commands.

25.4.1 Active-Passive Mode Device HA Commands

This table lists the commands for configuring active-passive mode device HA.

Table 126 device-ha ap-mode Commands

COMMAND / DESCRIPTION
[no] device-ha ap-mode preempt
    Turn on preempt if this ZyWALL should become the master ZyWALL if a lower-priority ZyWALL is the master when this ZyWALL is enabled.
device-ha ap-mode role {master | backup}
    Sets the ZyWALL to be the master or a backup in the virtual router.
device-ha ap-mode cluster-id
581. w service object ICMP ECHO
Router(config)# show object-group service SG1
Protocol Minmum port Maxmum port Ref
ICMP 8 8 T
Type Reference Object 1
Chapter 28 Services
29 Schedules
Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol and content filtering.
29.1 Schedule Overview
The ZyWALL supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat.
Note: Schedules are based on the current date and time in the ZyWALL.
One-time schedules begin on a specific start date and time and end on a specific stop date and time. One-time schedules are useful for long holidays and vacation periods.
Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday and Saturday). Recurring schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off-work hours.
29.2 Schedule Commands Summary
The following table describes the values required for many schedule commands. Other values are discussed with the corresponding commands.
Table 145 Input Values for Schedule Commands (LABEL / DESCRIPTION)
object_name
    The name of the schedule. You may use
582. wall IPv6 sessions this rule's users or addresses can have. 0 means any.
[no] user user_name
    Sets an IPv6 session limit rule for the specified user. The no command resets the user name to the default (any). any means all users.
session-limit6 append
    Enters the IPv6 session limit sub-command mode to add a session limit rule to the end of the session limit rule list.
session-limit6 delete rule_number
    Removes an IPv6 session limit rule.
session-limit6 flush
    Removes all IPv6 session limit rules.
session-limit6 insert rule_number
    Enters the IPv6 session limit sub-command mode to add a session limit rule before the specified rule number.
session-limit6 move rule_number to rule_number
    Moves an IPv6 session limit rule to the number that you specified.
show session-limit6
    Shows the IPv6 session limit configuration.
show session-limit6 begin rule_number end rule_number
    Shows the settings for a range of IPv6 session limit rules.
show session-limit6 rule_number
    Shows the IPv6 session limit rule's settings.
show session-limit6 status
    Shows the general IPv6 session limit settings.
17 IPSec VPN
This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL.
17.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site
583. whether or not to check the IP reputation of private sender IP addresses.
show anti-spam ip-reputation private-check
    Display the setting for checking the IP reputation of private sender IP addresses.
[no] anti-spam mail-content activate
    Set whether or not to identify spam by content, such as malicious content.
[no] anti-spam virus-outbreak activate
    Set whether or not to scan emails for attached viruses.
anti-spam tag {mail-content | virus-outbreak} tag
    Specify the labels to add to the beginning of the mail subject if content analysis identified it as spam or it contains a virus.
[no] anti-spam xheader {mail-content | virus-outbreak} xheader_name xheader_value
    Specify the name and value for the X-Header to add to content-analysis-identified spam or e-mails containing a virus.
show anti-spam tag {mail-content | virus-outbreak}
    Display the labels for content-analysis-identified spam or e-mails containing a virus.
show anti-spam xheader {mail-content | virus-outbreak}
    Display the name and value for the X-Header to add to content-analysis-identified spam or e-mails containing a virus.
anti-spam mail-scan query-timeout pop3 {forward | forward-with-tag}
    Select how to handle POP3 mail if querying the mail scan server times out. Use forward to send it, or forward-with-tag to add a tag to the mail subject and send it.
anti-spam mail-scan query-timeout smtp {drop | forward | forward-w
584. wing table describes the commands available for HTTP redirection. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 62 Command Summary: HTTP Redirect (COMMAND / DESCRIPTION)
ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535>
    Sets a HTTP redirect rule.
ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535> deactivate
    Disables a HTTP redirect rule.
ip http-redirect activate description
    Enables a rule with the specified rule name.
ip http-redirect deactivate description
    Disables a rule with the specified rule name.
no ip http-redirect description
    Removes a rule with the specified rule name.
ip http-redirect flush
    Clears all HTTP redirect rules.
show ip http-redirect [description]
    Displays HTTP redirect settings.
Chapter 13 HTTP Redirect
13.2.1 HTTP Redirect Command Examples
The following commands create a HTTP redirect rule, disable it, and display the settings.
Router# configure terminal
Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80
Router(config)# ip http-redirect example1 interface ge1 redirect-to 10.10.2.3 80 deactivate
Router(config)# show ip http-redirect
Name      Interface  Proxy Server  Port  Active
example1  ge1        10.10.2.3     80    no
585. word password
[no] device-ha ap-mode interface_name activate
    Has device HA monitor the status of an interface's connection.
[no] device-ha ap-mode master sync authentication password password
    This is for a master ZyWALL. It specifies the password to require from synchronizing backup ZyWALLs. Every router in the virtual router must use the same password. The no command sets the password setting to blank, which means no backups can synchronize with this master. password: use 4 to 63 alphanumeric characters, underscores (_), dashes (-) and 3 characters.
[no] device-ha ap-mode backup sync password password
    Sets the password the backup ZyWALL uses when synchronizing with the master. The no command sets the password setting to blank, which means this backup ZyWALL cannot synchronize with the master. password: use 4 to 63 alphanumeric characters, underscores, dashes and characters.
[no] device-ha ap-mode backup sync auto
    Turns on automatic synchronization according to the interval you specify in device-ha ap-mode backup sync interval. The first synchronization begins after the specified interval, not immediately.
[no] device-ha ap-mode backup sync interval <1..1440>
    When you use automatic synchronization, this sets how often (in minutes) the ZyWALL synchronizes with the master.
[no] device-ha ap-mode backup sync from master_address port port
    Sets the address of the master ZyWALL with which thi
586. ws all activated site-to-site VPN rules.
Router# show system route site-to-site-vpn
No.  Source  Destination  VPN Tunnel
The following example shows all activated dynamic VPN rules.
Router# show system route dynamic-vpn
No.  Source  Destination  VPN Tunnel
The following example shows the default WAN trunk's settings.
Router# show system route default-wan-trunk
No.  Source  Destination  Trunk
1    any     any          trunk_ex
Chapter 44 Packet Flow Explore
The following example shows all activated static and dynamic routes.
Router# show ip route static-dynamic
Flags: A - Activated route, S - Static route, C - directly Connected, O - OSPF derived, R - RIP derived, G - selected Gateway, reject, B - Black hole, L - Loop
IP Address/Netmask  Gateway     IFace  Metric  Flags  Persist
0.0.0.0/0           10.1.1.254  wan1   0       ASG    x
The following example shows all activated policy routes which use SNAT.
Router# show system snat policy-route
No.  PR NO.  Outgoing  SNAT
The following example shows all activated 1-to-1 NAT rules.
Router# show system snat nat-1-1
No.  VS Name  Source  Destination  Outgoing  SNAT
The following example shows all activated policy routes which use SNAT and enable NAT loopback
587. y 1 bandwidth inbound 0 bandwidth outbound 0 log no
Router(config)# show app other rule all
DSCP inbound marking: preserve
DSCP outbound marking: preserve
no
DSCP inbound marking: preserve
DSCP outbound marking: preserve
Chapter 20 Application Patrol
21 Anti-Virus
This chapter introduces and shows you how to configure the anti-virus scanner.
21.1 Anti-Virus Overview
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself. The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected, to wiping out the entire contents of a hard drive, to rendering your computer inoperable.
21.2 Anti-virus Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 91 Input Values for General Anti-Virus Commands (LABEL / DESCRIPTION)
zone_object
    The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 200 and lower models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT and WAN.
av_file_pattern
    Use up to
588. Command index entries (with page numbers):
device register username user_name password password e-mail user@domainname country-code country_code reseller-name name reseller-mail email_address reseller-phone phon 46
dhcp6 server client relay upper config interface ipv6_addr 60
dhcp6 lease-object dhcp6_profile sip-server ntp-server dns-server ipv6_addr 60
589. y config
    The ZyWALL is applying your configuration to the 3G device.
Device unready
    The 3G interface is disabled.
Active
    The 3G interface is enabled.
Incorrect device
    The connected 3G device is not compatible with the ZyWALL.
Correct device
    The ZyWALL detected a compatible 3G device.
Set band fail
    Applying your band selection was not successful.
Set band ok
    The ZyWALL successfully applied your band selection.
Set profile fail
    Applying your ISP settings was not successful.
Set profile ok
    The ZyWALL successfully applied your ISP settings.
PPP fail
    The ZyWALL failed to create a PPP connection for the cellular interface.
Need auth password
    You need to enter the password for the 3G card in the cellular edit screen.
Device ready
    The ZyWALL successfully applied all of your configuration and you can use the 3G connection.
Chapter 6 Interfaces
6.6.2 Cellular Interface Command Examples
This example shows the configuration of a cellular interface named cellular2 for use with a Sierra Wireless AC850 3G card. It uses only a 3G or 3.5G connection, PIN code 1234, an MTU of 1200 bytes, a description of "This is cellular2", and sets the connection to be nailed-up.
Router(config)# interface cellular2
Router(config-if-cellular)# device AC850 band wcdma pin 1234
Router(config-if-cellular)#
Router(co
590. y debug commands
    GUI (cgi) related debug commands.
debug gui
    Web Configurator related debug commands.
debug hardware
    Hardware debug commands.
debug idp
    IDP debug commands.
debug idp av
    IDP and Anti-Virus debug commands.
debug interface
    Interface debug commands.
debug interface ifconfig [interface]
    Shows system interface details (ifconfig interface).
debug interface-group
    Port grouping debug commands.
debug ip dns
    DNS debug commands.
debug ip virtual-server
    Virtual Server (NAT) debug commands.
debug ipsec
    IPSec VPN debug commands.
debug logging
    System logging debug commands.
debug manufacture
    Manufacturing related debug commands.
debug myzyxel-server
    Myzyxel.com debug commands.
debug network arpignore
    Enable/Display the ignoring of ARP responses for interfaces which don't own the IP address (cat /proc/sys/net/ipv4/conf arp_ignore).
debug no myzyxel-server
    Set the myZyXEL.com registration update server to the official site.
debug policy-route
    Policy route debug command.
debug reset content-filter profiling
    Content Filtering debug commands.
debug service-register
    Service registration debug command.
debug show content-filter server
    Category-based content filtering debug command.
debug show myzyxel-server status
    Myzyxel.com debug commands.
debug show ipset
    Lists the ZyWAL
591. y to be shared between the RADIUS server and the ZyWALL. The no command clears this setting.
[no] radius-server timeout time
    Sets the search timeout period in seconds. Enter a number between 1 and 300. The no command clears this setting.
30.2.4 radius-server Command Example
The following example sets the secret key and timeout period of the default RADIUS server (172.23.10.100) to 87643210 and 80 seconds.
Router# configure terminal
Router(config)# radius-server host 172.23.10.100 auth-port 1812
Router(config)# radius-server key 876543210
Router(config)# radius-server timeout 80
Router(config)# show radius-server
host: 172.23.10.100
authentication port: 1812
key: 876543210
timeout: 80
30.2.5 aaa group server ad Commands
The following table lists the aaa group server ad commands you use to configure a group of AD servers.
Table 150 aaa group server ad Commands (COMMAND / DESCRIPTION)
clear aaa group server ad [group-name]
    Deletes all AD server groups or the specified AD server group. Note: You can NOT delete a server group that is currently in use.
show aaa group server ad group-name
    Displays the specified AD server group settings.
[no] aaa group server ad group-name
    Sets a descriptive name for an AD server group. Use this command to enter the sub-command mode. The no command deletes the specified server group.
aaa gro
592. Command index entries (with page numbers):
no trigger <1..8> incoming service_name trigger service_name 101
no udp-decoder {truncated-header | undersize-len | oversize-len} activate 186
no user user_name 102
no user user_name 138
593. you can configure the trunk. The no command removes the trunk.
algorithm {wrr | llf | spill-over}
    Sets the trunk's load balancing algorithm.
exit
    Leaves the trunk sub-command mode.
flush
    Deletes a trunk's interface settings.
interface {num append | insert num} interface_name [weight <1..10> | limit <1..2097152> | passive]
    This subcommand adds an interface to a trunk. It also sets the interface's weight and spillover limit, or sets it to be passive.
Chapter 7 Trunks
Table 41 interface-group Commands Summary, continued (COMMAND / DESCRIPTION)
loadbalancing-index {inbound | outbound | total}
    Use this command only if you use least load first or spill-over as the trunk's load balancing algorithm. Set either inbound, outbound, or total (outbound and inbound) traffic to which the ZyWALL will apply the specified algorithm. Outbound traffic means the traffic travelling from an internal interface (for example LAN) to an external interface (for example WAN). Inbound traffic means the opposite.
mode {normal | trunk}
    Sets the mode for a trunk. Do this first in the trunk's sub-command mode.
move <1..8> to <1..8>
    Changes the interface order in a trunk.
no interface {num | interface_name}
    Removes an interface from the trunk.
system default-interface-group group_name
    Sets the ZyWALL to first attempt to use the specified WAN trunk n
594. ype Gateway
nexthop state: Not support
0 maximize bandwidth usage: no
SNAT: outgoing-interface
DSCP marking: preserve
amount of port trigger: 0
Router(config)# address-object TW_SUBNET 192.168.2.0 255.255.255.0
Router(config)# address-object GW_1 192.168.2.250
Chapter 8 Route
8.3 IP Static Route
The ZyWALL has no knowledge of the networks beyond the network that is directly connected to the ZyWALL. For instance, the ZyWALL knows about network N2 in the following figure through gateway R1. However, the ZyWALL is unable to route a packet to network N3 because it doesn't know that there is a route through the same gateway R1 (via gateway R2). The static routes are for you to tell the ZyWALL about the networks beyond the network connected to the ZyWALL directly.
Figure 15 Example of Static Routing Topology (networks N1, N2, N3)
8.4 Static Route Commands
The following table describes the commands available for static routes. You must use the configure terminal command to enter the configuration mode before you can use these commands. See Table 43 on page 99 for information on input values.
Table 46 Command Summary: Static Route (COMMAND / DESCRIPTION)
[no] ip route w.x.y.z <0..127> w.x.y.z {interface | w.x.y.z}
    Sets a static route. The no command deletes a static route.
ip route replace w.x.y.z <0..127> with w.x.y.z <0..127> w.x.y.z w.x.y.z
595. ystem Updating Code
9 The console session displays "done" when the firmware recovery is complete. Then the ZyWALL automatically restarts.
Figure 43 Firmware Recovery Complete and Restart
Update Kernel!
Extracting Kernel Image ... done
Writing Kernel Image ... done
Update BootModule!
Extracting BootModule Image ... done
Writing BootModule ...
Restarting system
Chapter 39 File Manager
10 The username prompt displays after the ZyWALL starts up successfully. The firmware recovery process is now complete and the ZyWALL is ready to use.
Figure 44 Restart Complete
Setting the System Clock using the Hardware Clock as reference
System Clock set. Local time: Sun Jan 26 21:40:24 UTC 2003
Cleaning: /tmp /var/lock /var/run
Initializing random number generator ... done
Initializing Debug Account Authentication Seed (DAAS) ... done
Lionic device init successfully
cavium nitrox device CN1005 init complete
INIT: Entering runlevel: 3
zylog daemon: zylogd zylog starts
syslog-ng
uam daemon
app patrol daemon
periodic command scheduler: cron
Start ZyWALL system daemon
Got LINK CHANGE
Port 01 is up > Group 0 is up
Applying system configuration file, please wait
ZyWALL system is configured successfully with startup-config.conf
Welcome to ZyWALL 1050
Username:
39.11 Restoring the Default System Database
The default system database stores information such as
596. zA-Z 9p V 96. For example: "Endpoint Security anti-virus checking failed. Please contact your network administrator for help". The no command removes the setting.
    Changes an endpoint security object name.
35.1.3 Endpoint Security Object Command Example
Peter wants to create and display an endpoint security object named EPS_Example. Only the computers that match the following criteria can access the company's SSL VPN:
Operating system: Windows XP
Windows auto update: enabled
Windows service pack: 2 or above
Personal firewall: Windows firewall installed and enabled
Anti-Virus: Kaspersky Anti-Virus v2011 installed and enabled
Chapter 35 Endpoint Security
However, he needs to check the Anti-Virus software name defined on the ZyWALL. The following example shows how to list all Anti-Virus software packages for which the ZyWALL's endpoint security can check. Copy and paste the name of output item 17 for the setting later.
Router# configure terminal
Router(config)# show eps signature anti-virus
No. Name
Norton Anti-Virus v2010
Norton Internet Security v2010
Norton 360 v3
Microsoft Security Center
TrendMicro PC-cillin AntiVirus v2010
TrendMicro PC-cillin Internet Security v2010
TrendMicro PC-cillin Internet Security Pro v201