Zyxel USG 1900 [179/438] Secure policy command examples

Some commands or command options in this guide may not be available in your product see your product s user s guide for a list of supported features every effort has been made to ensure that the information in this guide is accurate 2

Introduction 9 3

Reference 9 3

Chapter 1 command line interface 1 5

Chapter 2 user and privilege modes 5 5

Part i introduction 19 5

Table of contents 5

Chapter 3 object reference 1 6

Chapter 4 status 3 6

Chapter 5 registration 9 6

Chapter 6 ap management 3 6

Chapter 7 ap group 8 6

Chapter 8 wireless lan profiles 5 6

Part ii reference 39 6

Chapter 10 wireless frame capture 3 7

Chapter 11 dynamic channel selection 5 7

Chapter 12 auto healing 6 7

Chapter 13 leds 9 7

Chapter 14 interfaces 1 7

Chapter 9 rogue ap 9 7

Chapter 15 trunks 25 8

Chapter 16 route 29 8

Chapter 17 routing protocol 39 9

Chapter 18 zones 43 9

Chapter 19 ddns 47 9

Chapter 20 virtual servers 51 9

Chapter 21 http redirect 55 9

Chapter 22 alg 59 9

Chapter 23 upnp 63 10

Chapter 24 ip mac binding 67 10

Chapter 25 layer 2 isolation 70 10

Chapter 26 secure policy 73 10

Chapter 27 web authentication 89 10

Chapter 28 rtls 93 11

Chapter 29 ipsec vpn 95 11

Chapter 30 ssl vpn 09 11

Chapter 31 l2tp vpn 13 11

Chapter 32 bandwidth management 19 12

Chapter 33 application patrol 25 12

Chapter 34 anti virus 29 12

Chapter 35 idp commands 35 12

Chapter 36 content filtering 47 13

Chapter 37 anti spam 57 13

Chapter 38 ssl inspection 67 13

Chapter 39 device ha 73 13

Chapter 40 user group 79 14

Chapter 41 application object 86 14

Chapter 42 addresses 89 14

Chapter 43 services 95 14

Chapter 44 schedules 99 14

Chapter 45 aaa server 01 14

Chapter 46 authentication objects 07 15

Chapter 47 authentication server 10 15

Chapter 48 certificates 13 15

Chapter 49 isp accounts 17 15

Chapter 50 ssl application 19 15

Chapter 51 dhcpv6 objects 22 16

Chapter 52 system 25 16

Chapter 53 system remote management 37 16

Chapter 54 file manager 49 17

Chapter 55 logs 69 17

Chapter 56 reports and reboot 75 18

Chapter 57 session timeout 81 18

Chapter 58 diagnostics 83 18

Chapter 59 packet flow explore 85 18

Chapter 60 maintenance tools 89 18

Chapter 61 watchdog timer 95 18

List of commands alphabetical 99 18

Introduction 19

Accessing the cli 21

Command line interface 21

Overview 21

The configuration file 21

Console port 22

Note before you can access the cli through the web configurator make sure your computer supports the java runtime environment you will be prompted to download and install the java plug in if it is not already installed 22

Note the default login username is admin and password is 1234 the username and password are case sensitive 22

Web configurator console 22

Configure termina 24

Note the default login username is admin it is case sensitive 24

Router config 24

How to find commands in this guide 25

Note the default login username is admin and password is 1234 the username and password are case sensitive 25

Ssh secure shell 25

Telnet 25

Telnet 192 68 25

Background information optional 26

Command examples optional 26

Command input values optional 26

Command summary 26

Command syntax 26

How commands are explained 26

Note see the user s guide for background information about most features 26

Service objec 26

At the time of writing there is not much difference between user and privilege mode for admin users this is reserved for future use 27

Changing the password 27

Chapter 1 command line interface 27

Cli modes 27

Exactly as it appears followed by two numbers between 1 and 65535 27

It is highly recommended that you change the password for accessing the zywall usg see section 40 on page 280 for the appropriate commands 27

See chapter 40 on page 279 for more information about the user types user users can only log in look at but not run the available commands in user mode and log out limited admin users can look at the configuration in the web configurator and cli and they can run basic diagnostics in the cli admin users can configure the zywall usg in the web configurator or cli 27

Table 2 cli modes 27

User privilege configuration sub command 27

You run cli commands in one of several modes 27

Zywall usg zld cli reference guide 27

A list of valid commands can be found by typing 28

At the command prompt to view a list of available commands within a command group enter 28

Chapter 1 command line interface 28

Figure 10 help available command example 2 28

Figure 11 help sub command information example 28

Figure 12 help required user input example 28

Figure 9 help available commands example 1 28

List of available commands 28

List of sub commands or required user input 28

Shortcuts and help 28

To view detailed help information for a command enter 28

Zywall usg zld cli reference guide 28

Command history 29

Configur 29

Entering a in a command 29

Entering partial commands 29

Erase current command 29

Navigation 29

The no commands 29

Chapter 1 command line interface 30

Description 30

Input values 30

Table 3 input value formats for strings in cli commands 30

Tag values legal values 30

The following table provides more information about input values like 30

When you use the example above note that zywall usg usg 200 and below models use a name such as wan1 wan2 opt lan1 ext wlan or dmz 30

You can use the or tab to get more information about the next input value that is required for a command in some cases the next input value is a string whose length and allowable characters may not be displayed in the screen for example in the following example the next input value is a string called 30

Zywall usg zld cli reference guide 30

Chapter 1 command line interface 31

Table 3 input value formats for strings in cli commands continued 31

Tag values legal values 31

Zywall usg zld cli reference guide 31

Chapter 1 command line interface 32

Table 3 input value formats for strings in cli commands continued 32

Tag values legal values 32

Zywall usg zld cli reference guide 32

Chapter 1 command line interface 33

Command to save the current configuration to the zywall usg 33

Ethernet interfaces 33

For other zywall usg models use a name such as wan1 wan2 opt lan1 or dmz 33

For some zywall usg models use ge x x 1 n where n equals the highest numbered ethernet interface for your zywall usg model 33

How you specify an ethernet interface depends on the zywall usg model 33

Note always save the changes before you log out after each management session all unsaved changes will be lost after the system restarts 33

Saving configuration changes 33

Table 3 input value formats for strings in cli commands continued 33

Tag values legal values 33

Use the 33

Zywall usg zld cli reference guide 33

Logging out 34

User and privilege modes 35

Chapter 2 user and privilege modes 36

Command mode description 36

Command syntax description linux command equivalent 36

Debug commands 36

Debug commands marked with an asterisk are not available when the debug flag is on and are for zyxel service personnel use only the debug commands follow a linux based syntax so if there is a linux equivalent it is displayed in this chapter for your reference you must know a command listed here well before you use it otherwise it may cause undesired results 36

Note these commands are for zyxel s internal manufacturing process 36

Subsequent chapters in this guide describe the configuration commands user privilege mode commands that are also configuration commands for example show are described in more detail in the related configuration command chapter 36

Table 4 user u and privilege p mode commands continued 36

Table 5 debug commands 36

Zywall usg zld cli reference guide 36

Chapter 2 user and privilege modes 37

Command syntax description linux command equivalent 37

Table 5 debug commands continued 37

Zywall usg zld cli reference guide 37

Reference 39

Object reference 41

Object reference commands 41

Chapter 3 object reference 42

Command description 42

Object reference command example 42

Table 6 show reference commands continued 42

This example shows how to check which configuration is using an address object named lan1_subnet for the command output firewall rule 3 named lan1 to usg 2000 is using the address object 42

Zywall usg zld cli reference guide 42

Status 43

Chapter 4 status 44

Here are examples of the commands that display the cpu and disk utilization 44

Here are examples of the commands that display the fan speed mac address memory usage ram size and serial number 44

Zywall usg zld cli reference guide 44

Chapter 4 status 45

Here is an example of the command that displays the listening ports 45

Zywall usg zld cli reference guide 45

Chapter 4 status 46

Here is an example of the command that displays the open ports 46

Zywall usg zld cli reference guide 46

Chapter 4 status 47

Here are examples of the commands that display the system uptime and model firmware and build information 47

This example shows the current led states on the zywall usg the sys led lights on and green the hdd leds is off 47

Zywall usg zld cli reference guide 47

Myzyxel com overview 49

Registration 49

Subscription services available on the zywall usg 49

Configure termina 50

Note to update the signature file or use a subscription service you have to register the zywall usg and activate the corresponding service at myzyxel com through the zywall usg 50

Registration commands 50

Chapter 5 registration 51

Command examples 51

The following command displays the account information and whether the device is registered 51

The following command displays the service registration status and type and how many days remain before the service expires 51

Zywall usg zld cli reference guide 51

Ap management 53

Ap management commands 53

Ap management overview 53

Ap group profile ap group profile_name sets the ap group to which the ap belongs 54

Capwap ap local ap 54

Chapter 6 ap management 54

Command description 54

Command to enter the configuration mode before you can use these commands 54

Configure termina 54

Sets the ap group to which the ap belongs 54

Sets the output power between 0 to 30 dbm for the radio on the 54

Sets the output power between 0 to 30 dbm for the radio on the built in ap that belongs to this group 54

Sets the zywall usg to overwrite the ap s lan port settings use the no command to not overwrite the specified settings 54

Sets the zywall usg to overwrite the ap s output power radio or ssid profile settings for the specified radio use the no command to not overwrite the specified settings 54

Slot_name monitor profile profile_name sets the specified radio slot_name to monitor mode and assigns a created profile to the radio monitor mode aps act as wireless monitors which can detect rogue aps and help you in building a list of friendly ones see also section 8 on page 65 use the no command to remove the monitor mode profile assignment for the specified radio slot_name 54

Table 10 command summary ap management 54

That belongs to this group 54

The following table describes the commands available for ap management you must use the 54

Use the no command to remov 54

Zywall usg zld cli reference guide 54

Chapter 6 ap management 56

Command description 56

Creates a new vlan or configures an existing vlan you can disable or enable the vlan set the vlan id assign up to three ports to this vlan as members and set whether the port is to tag outgoing traffic with the vlan id vlan_interface the name of the vlan vlan1 for example 56

Join lan_port tag untag lan_port tag untag lan_port tag untag 56

No vlan_interface removes the specified vlan 56

Show capwap ap ac ip displays the address of the zywall usg or auto if the ap finds the zywall usg through broadcast packets 56

Show capwap ap fallback displays whether the managed ap s will change back to associate with the primary ap controller when the primary ap controller is available 56

Show capwap ap fallback interval displays the interval for how often the managed ap s check whether the primary ap controller is available 56

Show country code list displays a reference list of two letter country codes 56

Show default country code displays the default country code configured on the zywall usg 56

Table 10 command summary ap management continued 56

Zywall usg zld cli reference guide 56

Ap management commands example 57

Chapter 6 ap management 57

Command description 57

Displays the port and or vlan settings for the specified ap you can also set to display settings for a specified port a sepcified vlan all physical ethernet ports the uplink port or all vlans on the ap 57

Show lan provision ap ap_mac interface lan_port vlan_interface all ethernet uplink vlan 57

Table 10 command summary ap management continued 57

The following example shows you how to add an ap to the management list and then edit it 57

Zywall usg zld cli reference guide 57

Ap group 58

Ap group commands 58

Wireless load balancing overview 58

Table 12 command summary ap group continued 59

Note this parameter has been optimized for the zywall usg and should not be changed unless you have been specifically directed to do so by zyxel support 60

Table 12 command summary ap group continued 60

Note this parameter has been optimized for the zywall usg and should not be changed unless you have been specifically directed to do so by zyxel support 61

Table 12 command summary ap group continued 61

Ap group examples 62

Table 12 command summary ap group continued 62

The following example shows you how to create an ap group profile named test and configure the ap s first radio to work in repeater mode using the default radio profile and the zymesh_test zymesh profile it also adds the ap with the mac address 00 a0 c5 01 23 45 to this ap group 62

The following example shows you how to create an ap group profile named gp1 and configure ap load balancing in by station mode the maximum number of stations is set to 1 63

The following example shows you how to create an ap group profile named gp2 and configure ap load balancing in by traffic mode the traffic level is set to low and disassociate station is enabled 63

The following example shows the settings and status of the vlan s configured for the managed aps nwa5301 nj in the default ap group 64

The following example shows the status of ethernet ports for the managed aps nwa5301 nj in the default ap group it also shows whether the lan1 port is enabled and what the port s vlan id is 64

Ap radio profile commands 65

Wireless lan profiles 65

Wireless lan profiles overview 65

Band 2 g 5g band mode bg bgn a ac an sets the radio band 2 ghz or 5 ghz and band mode for this profile band mode details for 2 ghz bg lets ieee 802 1b and ieee 802 1g clients associate with the ap for 2 ghz bgn lets ieee 802 1b ieee 802 1g and ieee 802 1n clients associate with the ap for 5 ghz a lets only ieee 802 1a clients associate with the ap for 5 ghz ac lets ieee 802 1a ieee 802 1n and ieee 802 1ac clients associate with the ap for 5 ghz an lets ieee 802 1a and ieee 802 1n clients associate with the ap 66

Chapter 8 wireless lan profiles 66

Command description 66

Command to enter the configuration mode before you can use these commands 66

Configure termina 66

Label description 66

Table 13 input values for general radio and monitor profile commands continued 66

Table 14 command summary radio profile 66

The following table describes the commands available for radio profile management you must use the 66

Zywall usg zld cli reference guide 66

Chapter 8 wireless lan profiles 68

Command description 68

Table 14 command summary radio profile continued 68

Zywall usg zld cli reference guide 68

Chapter 8 wireless lan profiles 69

Command description 69

Table 14 command summary radio profile continued 69

Zywall usg zld cli reference guide 69

2 g band with channel 6 70

A beacon interval of 100ms 70

A dtim period of 2 70

A short guard interval 70

Ampdu frame aggregation enabled 70

Amsdu frame aggregation enabled 70

An ampdu buffer limit of 65535 bytes 70

An ampdu subframe limit of 64 frames 70

An amsdu buffer limit of 4096 70

An output power of 100 70

Ap profile commands example 70

Block acknowledgement enabled 70

Channel width of 20mhz 70

Chapter 8 wireless lan profiles 70

Command description 70

It will also assign the ssid profile labeled default in order to create wlan vap wlan 1 1 functionality within the radio profile 70

Table 14 command summary radio profile continued 70

The following example shows you how to set up the radio profile named radio01 activate it and configure it to use the following settings 70

Zywall usg zld cli reference guide 70

Ap monitor profile commands 71

Configure termina 71

Chapter 8 wireless lan profiles 72

Command description 72

Exit exits configuration mode for this profile 72

Label description 72

Sets the duration in milliseconds that the device using this profile scans each channel 72

Ssid profile commands 72

Table 16 command summary monitor profile continued 72

Table 17 input values for general ssid profile commands 72

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 72

Zywall usg zld cli reference guide 72

Chapter 8 wireless lan profiles 73

Command description 73

Command to enter the configuration mode before you can use these commands 73

Configure termina 73

Note the managed aps must be dual band capable 73

Sets the timeout period in seconds within which the ap accepts probe or authentication requests to a 2 ghz wi fi network when the band select mode is set to standard 73

Table 18 command summary ssid profile 73

The following table describes the commands available for ssid profile management you must use the 73

Zywall usg zld cli reference guide 73

Chapter 8 wireless lan profiles 74

Command description 74

Ssid profile example 74

Table 18 command summary ssid profile continued 74

The following example creates an ssid profile with the name zyxel it makes the assumption that both the security profile security01 and the mac filter profile macfilter01 already exist 74

Zywall usg zld cli reference guide 74

Chapter 8 wireless lan profiles 75

Command description 75

Command to enter the configuration mode before you can use these commands 75

Configure termina 75

Label description 75

No dot11w data frames in 802 1 wlans can be encrypted and authenticated with wep wpa or wpa2 but 802 1 management frames such as beacon probe response association request association response de authentication and disassociation are always unauthenticated and unencrypted ieee 802 1w protected management frames allows aps to use the existing security mechanisms encryption and authentication methods defined in ieee 802 1i wpa wpa2 to protect management frames this helps prevent wireless dos attacks enables management frame protection mfp to add security to 802 1 management frames use the no parameter to disable it 75

Security profile commands 75

Sets whether wireless clients have to support management frame protection in order to access the wireless network 1 if you do not require the wireless clients to support mfp management frames will be encrypted if the clients support mfp 2 wireless clients must support mfp in order to join the ap s wireless network 75

Table 19 input values for general security profile commands 75

Table 20 command summary security profile 75

The following table describes the commands available for security profile management you must use the 75

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 75

Zywall usg zld cli reference guide 75

Chapter 8 wireless lan profiles 76

Command description 76

Table 20 command summary security profile continued 76

Zywall usg zld cli reference guide 76

Chapter 8 wireless lan profiles 77

Command description 77

Command to enter the configuration mode before you can use these commands 77

Configure termina 77

Label description 77

Mac filter profile commands 77

Security profile example 77

Table 21 input values for general mac filter profile commands 77

Table 22 command summary mac filter profile 77

The following example creates a security profile with the name security01 77

The following table describes the commands available for security profile management you must use the 77

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 77

Zywall usg zld cli reference guide 77

Chapter 8 wireless lan profiles 78

Mac filter profile example 78

The following example creates a mac filter profile with the name macfilter01 78

Zywall usg zld cli reference guide 78

Rogue ap 79

Rogue ap detection commands 79

Rogue ap detection overview 79

Chapter 9 rogue ap 80

Command description 80

Rogue ap detection examples 80

Table 24 command summary rogue ap detection continued 80

This example displays the rogue ap detection list 80

This example sets the device associated with mac address 00 13 49 11 11 11 as a rogue ap and the device associated with mac address 00 13 49 11 11 22 as a friendly ap it then removes mac address from the rogue ap list with the assumption that it was misidentified 80

Zywall usg zld cli reference guide 80

Note containing a rogue ap means broadcasting unviable login data at it preventing legitimate wireless clients from connecting to it this is a kind of denial of service attack 81

Rogue ap containment overview 81

Chapter 9 rogue ap 82

Command description 82

Command to enter the configuration mode before you can use these commands 82

Configure termina 82

Label description 82

Rogue ap containment commands 82

Rogue ap containment example 82

Table 25 input values for rogue ap containment commands 82

Table 26 command summary rogue ap containment 82

The following table describes the commands available for rogue ap containment you must use the 82

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 82

This example contains the device associated with mac address 00 13 49 11 11 12 then displays the containment list for confirmation 82

Zywall usg zld cli reference guide 82

Wireless frame capture 83

Wireless frame capture commands 83

Wireless frame capture overview 83

Chapter 10 wireless frame capture 84

Command description 84

Command to enter the configuration mode before you can use these commands 84

Configure termina 84

Table 28 command summary wireless frame capture 84

The following table describes the commands available for wireless frame capture you must use the 84

This example configures the wireless frame capture parameters for an ap located at ip address 192 68 84

This example shows frame capture status and configuration 84

Wireless frame capture examples 84

Zywall usg zld cli reference guide 84

Dcs commands 85

Dcs overview 85

Dynamic channel selection 85

Auto healing 86

Auto healing commands 86

Auto healing overview 86

Auto healing examples 87

Chapter 12 auto healing 87

Command description 87

Table 31 command summary auto healing continued 87

This example enables auto healing and sets the power level in dbm to which the neighbor aps of the failed ap increase their output power 87

Zywall usg zld cli reference guide 87

Hapter 89

Led suppression commands 89

Led suppression mode 89

Chapter 13 leds 90

Led locator 90

Led locator commands 90

Led locator commands example 90

Led suppression commands example 90

Note you should run this command before enabling the led locator function 90

Table 33 led locator commands 90

The following example activates led suppression mode on the ap with the mac address 00 a0 c5 01 23 45 and displays the settings 90

The following example turns on the led locator feature on the ap with the mac address 00 a0 c5 01 23 45 sets how long the locator led stays blinking and also displays the settings 90

The led locator feature identifies the location of the wac ap among several devices in the network you can run this feature and set a timer 90

Use these commands to run the led locator feature you must use the configure terminal command before you can use these commands 90

Zywall usg zld cli reference guide 90

Interface overview 91

Interfaces 91

Types of interfaces 91

Chapter 14 interfaces 92

Characteristics ethernet ethernet ethernet vlan bridge ppp virtual 92

Characteristics ethernet vlan bridge pppoe pptp virtual 92

Port groups and trunks have a lot of characteristics that are specific to each type of interface these characteristics are listed in the following tables and discussed in more detail farther on 92

Table 34 characteristics of ethernet vlan bridge pppoe pptp and virtual interface for some zywall usg models 92

Table 35 ethernet vlan bridge ppp and virtual interface characteristics for other zywall usg models 92

Zywall usg zld cli reference guide 92

Chapter 14 interfaces 93

Characteristics cellular 93

Characteristics ethernet ethernet ethernet vlan bridge ppp virtual 93

Table 35 ethernet vlan bridge ppp and virtual interface characteristics for other zywall usg models continued 93

Table 36 cellular and wlan interface characteristics 93

Zywall usg zld cli reference guide 93

Chapter 14 interfaces 94

In the zywall usg interfaces are usually created on top of other interfaces only ethernet interfaces are created directly on top of the physical ports or port groups the relationships between interfaces are explained in the following table 94

Interface required port interface 94

Relationships between interfaces 94

Table 37 relationships between different types of interfaces 94

Zywall usg zld cli reference guide 94

Basic interface properties and ip address commands 95

Chapter 14 interfaces 95

Command description 95

Interface general commands summary 95

Label description 95

Table 38 input values for general interface commands 95

Table 39 interface general commands basic properties and ip address assignment 95

The following sections introduce commands that are supported by several types of interfaces see section 14 on page 115 for the unique commands for each type of interface 95

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 95

This table lists basic properties and ip address commands 95

Zywall usg zld cli reference guide 95

Chapter 14 interfaces 96

Command description 96

Table 39 interface general commands basic properties and ip address assignment continued 96

Zywall usg zld cli reference guide 96

Chapter 14 interfaces 97

Command description 97

Table 39 interface general commands basic properties and ip address assignment continued 97

Zywall usg zld cli reference guide 97

Chapter 14 interfaces 98

Command description 98

Note make sure you also enable this option in the dhcpv6 clients to make rapid commit work 98

Table 39 interface general commands basic properties and ip address assignment continued 98

Zywall us 98

Zywall usg zld cli reference guide 98

Chapter 14 interfaces 99

Command description 99

Note make sure you also disable this option in the dhcpv6 clients 99

Table 39 interface general commands basic properties and ip address assignment continued 99

Zywall usg zld cli reference guide 99

Basic interface properties command examples 100

Chapter 14 interfaces 100

The following commands make ethernet interface ge1 a dhcp client 100

This example shows how to change the user defined name from vip to partner note that you have to use the interface rename command if you do not know the system name of the interface to use the interface name command you have to find out the corresponding system name first ge4 in this example this example also shows how to change the user defined name from partner to customer using the interface name command 100

This example shows how to modify the name of interface ge4 to vip first you have to check the interface system name ge4 in this example on the zywall usg then change the name and display the result 100

Zywall usg zld cli reference guide 100

Chapter 14 interfaces 101

Command description 101

Enter configuration terminal mode and select an interface 101

Igmp proxy commands 101

Table 40 interface commands igmp proxy commands 101

This example shows how to restart an interface you can check all interface names on the zywall usg then use either the system name or user defined name of an interface ge4 or customer in this example to restart it 101

Zywall us 101

Zywall usg zld cli reference guide 101

Chapter 14 interfaces 102

Command description 102

Dhcp setting commands 102

Igmp command example 102

Network 102

Table 41 interface commands dhcp settings 102

The following commands activate igmp version 2 upstream on the lan1 interface 102

This table lists dhcp setting commands dhcp is based on dhcp pools create a dhcp pool if you want to assign a static ip address to a mac address or if you want to specify the starting ip address and pool size of a range of ip addresses that can be assigned to dhcp clients there are different commands for each configuration afterwards in either case you have to bind the dhcp pool to the interface 102

Zywall usg zld cli reference guide 102

Chapter 14 interfaces 103

Command description 103

Hardware addres 103

Networ 103

Note the dhcp pool must have the same subnet as the interface to which you plan to bind it 103

Note the ip address must be in the same subnet as the interface to which you plan to bind the dhcp pool 103

Table 41 interface commands dhcp settings continued 103

Zywall usg zld cli reference guide 103

Chapter 14 interfaces 104

Command description 104

First and the start address must be in the same subnet 104

Network numbe 104

Note you must specify the 104

Table 41 interface commands dhcp settings continued 104

Zywall usg zld cli reference guide 104

Chapter 14 interfaces 105

Dhcp extended option setting command example 105

Dhcp setting command examples 105

The following example configures the dhcp_test pool with a sip server code 120 extended dhcp option with one ip address to provide to the sip clients 105

The following example uses these commands to configure dhcp pool dhcp_test 105

Zywall usg zld cli reference guide 105

Cellular vlan 106

Chapter 14 interfaces 106

Interface parameter command examples 106

Table 42 examples for different interface parameters ethernet virtual interface pppoe pptp 106

This table shows an example of each interface type s sub commands the sub commands vary for different interface types 106

Zywall usg zld cli reference guide 106

Bridge tunnel 107

Chapter 14 interfaces 107

Command description 107

Ospf commands 107

Rip commands 107

Table 42 examples for different interface parameters 107

Table 43 interface commands rip settings 107

Table 44 interface commands ospf settings 107

This table lists the commands for ospf settings 107

This table lists the commands for rip settings 107

Zywall usg zld cli reference guide 107

Chapter 14 interfaces 108

Command description 108

Ip ospf dead interva 108

Ip ospf hello interva 108

Table 44 interface commands ospf settings continued 108

Zywall usg zld cli reference guide 108

Chapter 14 interfaces 109

Command description 109

Connectivity check ping check commands 109

Table 45 interface commands ping check 109

This table lists the ping check commands 109

Use these commands to have an interface regularly check the connection to the gateway you specified to make sure it is still available you specify how often the interface checks the connection how long to wait for a response before the attempt is a failure and how many consecutive failures are required before the zywall usg stops routing to the gateway the zywall usg resumes routing to the gateway the first time the gateway passes the connectivity check 109

Zywall usg zld cli reference guide 109

Chapter 14 interfaces 110

Command description 110

Connectivity check command example 110

Ethernet interface specific commands 110

Label description 110

Mac address setting commands 110

Table 46 input values for ethernet interface commands 110

Table 47 interface commands mac setting 110

The following commands show you how to set the wan1 interface to use a tcp handshake on port 8080 to check the connection to ip address 1 110

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 110

This section covers commands that are specific to ethernet interfaces 110

This table lists the commands you can use to set the mac address of an interface on some zywall usg models these commands only apply to a wan or opt interface 110

Zywall usg zld cli reference guide 110

Chapter 14 interfaces 111

Command description 111

Note in cli representative interfaces are also called representative ports 111

Port grouping commands 111

Table 47 interface commands mac setting continued 111

Table 48 basic interface setting commands 111

This section covers commands that are specific to port grouping 111

Zywall us 111

Zywall usg zld cli reference guide 111

Chapter 14 interfaces 112

Port grouping command examples 112

The following commands add physical port 7 to representative interface lan2 112

The following commands set port 1 to use auto negotiation auto and port 2 to use a 10 mbps connection speed and half duplex 112

The following commands set up a virtual interface on top of ethernet interface ge1 the virtual interface is named ge1 1 with the following parameters ip 1 subnet 255 55 55 112

Virtual interface command examples 112

Virtual interface specific commands 112

Virtual interfaces use many of the general interface commands discussed at the beginning of section 14 on page 95 there are no additional commands for virtual interfaces 112

Zywall usg zld cli reference guide 112

Chapter 14 interfaces 113

Command description 113

Gateway 4 upstream bandwidth 345 downstream bandwidth 123 and description i am vir interface 113

Label description 113

Pppoe pptp specific commands 113

Table 49 input values for pppoe pptp interface commands 113

Table 50 interface commands pppoe pptp interfaces 113

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 113

This section covers commands that are specific to pppoe pptp interfaces pppoe pptp interfaces also use many of the general interface commands discussed at the beginning of section 14 on page 95 113

This table lists the pppoe pptp interface commands 113

Zywall usg zld cli reference guide 113

Chapter 14 interfaces 114

Command description 114

Pppoe pptp interface command examples 114

Table 50 interface commands pppoe pptp interfaces continued 114

The following commands show you how to configure pppoe pptp interface ppp0 with the following characteristics base interface ge1 isp account hinet local address 1 remote address 114

Zywall usg zld cli reference guide 114

Cellular interface specific commands 115

Chapter 14 interfaces 115

Command description 115

Command to enter the configuration mode before you can use these commands 115

Configure terminal 115

Mtu 1200 upstream bandwidth 345 downstream bandwidth 123 description i am ppp0 and dialed only when used 115

Table 51 interface cellular commands 115

The following commands show you how to connect and disconnect ppp0 115

Use a 3g third generation cellular device with the zywall usg for wireless broadband internet access 115

Use these commands to add edit dial disconnect or delete cellular interfaces when you add a new cellular interface make sure you enter the account you must use the 115

Zywall usg zld cli reference guide 115

Chapter 14 interfaces 116

Command description 116

Table 51 interface cellular commands continued 116

Zywall us 116

Zywall usg zld cli reference guide 116

Cellular status 117

Chapter 14 interfaces 117

Command description 117

Status description 117

Table 51 interface cellular commands continued 117

Table 52 cellular status 117

The following table describes the different kinds of cellular connection status on the zywall usg 117

Zywall usg zld cli reference guide 117

Chapter 14 interfaces 118

Status description 118

Table 52 cellular status 118

Zywall usg zld cli reference guide 118

Cellular interface command examples 119

Chapter 14 interfaces 119

This example shows the 3g and sim card information for interface cellular2 on the zywall usg 119

This example shows the 3g connection profile settings for interface cellular2 on the zywall usg you have to dial 99 1 to use profile 1 but authentication is not required dial 99 2 to use profile 2 and authentication is required 119

This example shows the configuration of a cellular interface named cellular2 for use with a sierra wireless ac850 3g card it uses only a 3g or 3 g connection pin code 1234 an mtu of 1200 bytes a description of this is cellular2 and sets the connection to be nailed up 119

This second example shows specifying a new pin code of 4567 119

Zywall usg zld cli reference guide 119

Chapter 14 interfaces 120

Command description 120

Command to enter the configuration mode before you can use these commands gre mode tunnels support ping check see section 14 on page 109 for more on ping check 120

Configure termina 120

Table 53 interface tunnel commands 120

The zywall usg uses tunnel interfaces in generic routing encapsulation gre ipv6 in ipv4 and 6to4 tunnels this section covers commands specific to tunnel interfaces tunnel interfaces also use many of the general interface commands discussed at the beginning of section 14 on page 95 120

Tunnel interface specific commands 120

Use these commands to add edit activate deactivate or delete tunnel interfaces you must use the 120

Zywall usg zld cli reference guide 120

Chapter 14 interfaces 121

Command description 121

Note for the zywall usg which supports more than one usb ports these commands only apply to the usb storage device that is first attached to the zywall usg 121

Table 54 usb storage general commands 121

This example creates a tunnel interface called tunnel0 that uses wan1 as the source 168 68 68 68 as the destination and 10 00 and 255 55 as the inner source ip 121

Tunnel interface command examples 121

Usb storage specific commands 121

Use these commands to configure settings that apply to the usb storage device connected to the zywall usg 121

Zywall usg 121

Zywall usg zld cli reference guide 121

Chapter 14 interfaces 122

Command description 122

Label description 122

Table 54 usb storage general commands continued 122

Table 55 input values for vlan interface commands 122

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 122

This example shows how to display the status of the connected usb storage device 122

This section covers commands that are specific to vlan interfaces vlan interfaces also use many of the general interface commands discussed at the beginning of section 14 on page 95 122

Usb storage general commands example 122

Vlan interface specific commands 122

Zywall usg zld cli reference guide 122

Bridge specific commands 123

Chapter 14 interfaces 123

Command description 123

Label description 123

Table 56 interface commands vlan interfaces 123

Table 57 input values for bridge interface commands 123

The following commands show you how to set up vlan vlan100 with the following parameters vlan id 100 interface ge1 ip 1 subnet 255 55 55 mtu 598 gateway 2 description i am vlan100 upstream bandwidth 345 and downstream bandwidth 123 123

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 123

This section covers commands that are specific to bridge interfaces bridge interfaces also use many of the general interface commands discussed at the beginning of section 14 on page 95 123

This table lists the vlan interface commands 123

Vlan interface command examples 123

Zywall usg zld cli reference guide 123

Bridge interface command examples 124

Chapter 14 interfaces 124

Command description 124

Table 58 interface commands bridge interfaces 124

The following commands show you how to set up a bridge interface named br0 with the following parameters member ge1 ip 1 subnet 255 55 55 mtu 598 gateway 2 upstream bandwidth 345 downstream bandwidth 123 and description i am br0 124

This table lists the bridge interface commands 124

Zywall usg zld cli reference guide 124

Trunk scenario examples 125

Trunks 125

Trunks overview 125

Chapter 15 trunks 126

Command description 126

Command to enter the configuration mode before you can use these commands see table 59 on page 126 for details about the values you can input with these commands 126

Commands 126

Commands you must use the 126

Configure termina 126

Interface grou 126

Interface group 126

Label description 126

Table 59 interface group command input values 126

Table 60 interface group commands summary 126

The following table explains the values you can input with the 126

The following table lists the 126

Trunk commands input values 126

Trunk commands summary 126

Zywall usg zld cli reference guide 126

Chapter 15 trunks 127

Command description 127

Table 60 interface group commands summary continued 127

The following example creates a least load first trunk for ethernet interface ge3 and vlan 5 which will only apply to outgoing traffic through the trunk the zywall usg sends new session traffic through the least utilized of these interfaces 127

The following example creates a weighted round robin trunk for ethernet interfaces ge1 and ge2 the zywall usg sends twice as much traffic through ge1 127

Trunk command examples 127

Zywall usg zld cli reference guide 127

Chapter 15 trunks 128

The following example creates a spill over trunk for ethernet interfaces ge1 and ge3 which will apply to both incoming and outgoing traffic through the trunk the zywall usg sends traffic through ge1 until it hits the limit of 1000 kbps the zywall usg sends anything over 1000 kbps through ge3 128

Zywall usg zld cli reference guide 128

Policy route 129

Policy route commands 129

Chapter 16 route 130

Command description 130

Command to enter the configuration mode before you can use these commands 130

Configure termina 130

Label description 130

Table 61 input values for general policy route commands continued 130

Table 62 command summary policy route 130

The following table describes the commands available for policy route you must use the 130

Zywall usg zld cli reference guide 130

Chapter 16 route 131

Command description 131

Table 62 command summary policy route continued 131

Zywall usg zld cli reference guide 131

Chapter 16 route 132

Command description 132

Table 62 command summary policy route continued 132

Zywall usg zld cli reference guide 132

Chapter 16 route 133

Command description 133

Table 62 command summary policy route continued 133

Zywall usg zld cli reference guide 133

Assured forwarding af behavior is defined in rfc 2597 the af behavior group defines four af classes inside each class packets are given a high medium or low drop precedence the drop precedence determines the probability that routers in the network will drop packets when congestion occurs if congestion occurs between classes the traffic in the higher class smaller numbered class is generally given priority combining the classes and drop precedence produces 134

Assured forwarding af phb for diffserv 134

Chapter 16 route 134

Command description 134

Table 62 command summary policy route continued 134

Zywall usg zld cli reference guide 134

Chapter 16 route 135

Class 1 class 2 class 3 class 4 135

Ip static route 135

Policy route command example 135

Table 63 assured forwarding af behavior group 135

The following commands create two address objects tw_subnet and gw_1 and insert a policy that routes the packets with the source ip address tw_subnet and any destination ip address through the interface ge1 to the next hop router gw_1 this route uses the ip address of the outgoing interface as the matched packets source ip address 135

The following twelve dscp encodings from af11 through af43 the decimal equivalent is listed in brackets 135

The zywall usg has no knowledge of the networks beyond the network that is directly connected to the zywall usg for instance the zywall usg knows about network n2 in the following figure through gateway r1 however the zywall usg is unable to route a packet to 135

Zywall usg zld cli reference guide 135

Configure termina 136

Static route commands 136

Chapter 16 route 137

Static route commands examples 137

The following command deletes a specific static ipv6 route 137

The following command deletes all static ipv6 routes with the same prefix 137

The following command sets a static route with ip address 10 0 0 and subnet mask 255 55 55 and with the next hop interface ge1 then use the show command to display the setting 137

The following commands set and show three examples of static ipv6 routes for traffic destined for ipv6 addresses with prefix 2002 22 22 34 the first route sends the traffic out through interface ge2 and uses metric 1 the second sends the traffic to gateway 2001 12 12 and uses metric 2 the third sends the traffic to the fe80 1 2 link local gateway on interface ge2 and uses metric 2 137

Zywall usg zld cli reference guide 137

Routing protocol 139

Routing protocol commands summary 139

Routing protocol overview 139

Chapter 17 routing protocol 140

Command description 140

General ospf commands 140

Rip commands 140

Table 67 router commands rip 140

Table 68 router commands general ospf configuration 140

This table lists the commands for general ospf configuration 140

This table lists the commands for rip 140

Zywall usg zld cli reference guide 140

Chapter 17 routing protocol 141

Command description 141

Ospf area commands 141

Table 69 router commands ospf areas 141

Table 70 router commands virtual links in ospf areas 141

This table lists the commands for ospf areas 141

This table lists the commands for virtual links in ospf areas 141

Virtual link commands 141

Zywall usg zld cli reference guide 141

Chapter 17 routing protocol 142

Command description 142

Learned routing information commands 142

Show ip route command example 142

Table 70 router commands virtual links in ospf areas continued 142

Table 71 ip route commands learned routing information 142

The following example shows learned routing information on the zywall usg 142

This table lists the commands to look at learned routing information 142

Zywall usg zld cli reference guide 142

Zones overview 143

Chapter 18 zones 144

Command description 144

Label description 144

Table 72 input values for zone commands 144

Table 73 zone commands 144

The following table describes the values required for many zone commands other values are discussed with the corresponding commands 144

This table lists the zone commands 144

Zone commands summary 144

Zywall usg zld cli reference guide 144

Chapter 18 zones 145

The following commands add ethernet interfaces ge1 and ge2 to zone a 145

Zone command examples 145

Zywall usg zld cli reference guide 145

Ddns overview 147

Chapter 19 ddns 148

Command description 148

Ddns commands summary 148

Label description 148

Table 75 input values for ddns commands 148

Table 76 ip ddns commands 148

The following table describes the values required for many ddns commands other values are discussed with the corresponding commands 148

The following table lists the ddns commands 148

Zywall usg zld cli reference guide 148

Chapter 19 ddns 149

Command description 149

Ddns commands example 149

Table 76 ip ddns commands continued 149

The following example sets up a ddns profile where the interface is wan1 and uses http 149

Zywall usg zld cli reference guide 149

1 1 nat and many 1 1 nat 151

Virtual server commands summary 151

Virtual server overview 151

Virtual servers 151

Chapter 20 virtual servers 152

Command description 152

Table 78 ip virtual server commands 152

The following table lists the virtual server commands 152

Zywall usg zld cli reference guide 152

Chapter 20 virtual servers 153

Command description 153

Table 78 ip virtual server commands continued 153

The following command creates virtual server wan lan_h323 on the wan1 interface that maps ip addresses 10 to 192 68 6 for tcp protocol traffic on port 1720 it also adds a nat loopback entry 153

The following command shows information about all the virtual servers in the zywall usg 153

Virtual server command examples 153

Zywall usg zld cli reference guide 153

Tutorial how to allow public access to a server 154

Http redirect 155

Http redirect overview 155

Web proxy server 155

Configure termina 156

Http redirect commands 156

Chapter 21 http redirect 157

Http redirect command examples 157

The following commands create a http redirect rule disable it and display the settings 157

Zywall usg zld cli reference guide 157

Alg introduction 159

Alg commands 160

Chapter 22 alg 160

Command description 160

Command to enter the configuration mode before you can use these commands 160

Commands you must use the 160

Configure termina 160

Table 81 alg commands 160

The following table lists the 160

Zywall usg zld cli reference guide 160

Alg commands example 161

Upnp and nat pmp commands 163

Upnp and nat pmp overview 163

Chapter 23 upnp 164

Command description 164

Table 82 ip upnp commands continued 164

The following example turns on upnp and nat pmp on the zywall usg and it s two lan interfaces it also shows the upnp and nat pmp settings 164

Upnp nat pmp commands example 164

Zywall usg zld cli reference guide 164

Chapter 23 upnp 165

The following example displays the zywall usg s port mapping entries and removes the entry with the specified port number and protocol type 165

Zywall usg zld cli reference guide 165

Ip mac binding 167

Ip mac binding commands 167

Ip mac binding overview 167

Chapter 24 ip mac binding 168

Ip mac binding commands example 168

The following example enables ip mac binding on the lan1 interface and displays the interface s ip mac binding status 168

Zywall usg zld cli reference guide 168

Layer 2 isolation 170

Layer 2 isolation overview 170

Chapter 25 layer 2 isolation 171

Command description 171

Command to enter the configuration mode before you can use these commands 171

Configure terminal 171

Layer 2 isolation commands 171

Layer 2 isolation white list sub commands 171

Table 84 l2 isolation commands 171

Table 85 l2 isolation white list sub commands 171

The following table describes the sub commands for l2 isolation white list commands 171

The following table lists the l2 isolation commands you must use the 171

Zywall usg zld cli reference guide 171

Chapter 25 layer 2 isolation 172

Command description 172

Layer 2 isolation commands example 172

Table 85 l2 isolation white list sub commands continued 172

The following example enables layer 2 isolation on the zywall usg and interface lan2 it also creates a rule in the white list to allow access to the device with ip address 172 7 6 it then displays the layer 2 isolation settings 172

Zywall usg zld cli reference guide 172

Secure policy 173

Secure policy overview 173

Chapter 26 secure policy 174

Command description 174

Command to enter the configuration mode before you can use the configuration commands commands that do not have ipv6 specified in the description are for ipv4 174

Configure termina 174

Label description 174

Secure policy commands 174

Table 86 input values for secure policy commands 174

Table 87 command summary secure policy 174

The following table describes the commands available for the secure policy you must use the 174

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 174

Zywall usg zld cli reference guide 174

Chapter 26 secure policy 175

Command description 175

Table 87 command summary secure policy continued 175

Zywall usg zld cli reference guide 175

Chapter 26 secure policy 176

Command description 176

Table 87 command summary secure policy continued 176

Zywall usg zld cli reference guide 176

Chapter 26 secure policy 177

Command description 177

Secure policy sub commands 177

Table 87 command summary secure policy continued 177

Table 88 firewall sub commands 177

The following table describes the sub commands for several secure policy and secure policy6 commands 177

Zywall usg zld cli reference guide 177

Chapter 26 secure policy 178

Command description 178

Table 88 firewall sub commands continued 178

Zywall usg zld cli reference guide 178

Chapter 26 secure policy 179

Command description 179

Create a service object 179

Create an ip address object 179

Enter configuration command mode 179

Enter the secure policy sub command mode to add a secure policy rule 179

Secure policy command examples 179

Set the action the zywall usg is to take on packets which match this rule 179

Set the destination ip address es 179

Set the direction of travel of packets to which the rule applies 179

Set the service to which this rule applies 179

Table 88 firewall sub commands continued 179

The following example shows you how to add an ipv4 secure policy rule to allow a myservice connection from the wan zone to the ip addresses dest_1 in the lan zone 179

These are ipv4 secure policy configuration examples the ipv6 secure policy commands are similar 179

Zywall usg zld cli reference guide 179

Chapter 26 secure policy 180

The following command displays the default ipv4 secure policy rule that applies to the wan to zywall usg packet direction the secure policy rule number is in the rule s priority number in the global rule list 180

Zywall usg zld cli reference guide 180

Chapter 26 secure policy 181

Label description 181

Session limit commands 181

Table 89 input values for general session limit commands 181

The following command displays the default ipv6 firewall rule that applies to the wan to zywall usg packet direction the firewall rule number is in the rule s priority number in the global rule list 181

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 181

Zywall usg zld cli reference guide 181

Chapter 26 secure policy 182

Command description 182

Command to enter the configuration mode before you can use these commands 182

Configure termina 182

Label description 182

Table 89 input values for general session limit commands continued 182

Table 90 command summary session limit 182

The following table describes the session limit commands you must use the 182

Zywall usg zld cli reference guide 182

Adp commands overview 183

Protocol anomalies 183

Traffic anomalies 183

Adp activation commands 184

Adp command input values 184

Adp global profile commands 184

Adp zone to zone rule commands 184

Chapter 26 secure policy 184

Label description 184

Table 91 input values for adp commands 184

Table 92 adp activation commands 184

Table 93 adp global profile commands 184

Table 94 adp zone to zone rule commands 184

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 184

These commands bind adp profiles 184

These coomands apply to all adp profiles on the 184

Use these coomands to activate adp and see statius 184

Zywall usg zld cli reference guide 184

Adp add edit profile commands 185

Chapter 26 secure policy 185

Label description 185

Table 94 adp zone to zone rule commands continued 185

Table 95 adp add edit profile commands 185

These commands create or edit exsiting adp profiles 185

Zywall usg zld cli reference guide 185

Chapter 26 secure policy 186

Label description 186

Table 95 adp add edit profile commands continued 186

Zywall usg zld cli reference guide 186

Chapter 26 secure policy 187

Label description 187

Table 95 adp add edit profile commands continued 187

Zywall usg zld cli reference guide 187

Web authentication 189

Web authentication commands 189

Web authentication overview 189

Chapter 27 web authentication 190

Command description 190

Table 96 web auth commands continued 190

Table 97 web auth policy sub commands 190

The following table describes the sub commands for several web auth policy commands note that not all rule commands use all the sub commands listed here 190

Web auth policy sub commands 190

Zywall usg zld cli reference guide 190

Chapter 27 web authentication 191

Command description 191

Sso configuration commands 191

Sso does not support ipv6 or radius you must use it in an ipv4 network environment with windows ad active directory or ldap lightweight directory access protocol authentication databases 191

Sso overview 191

Sso single sign on integrates domain controller and zywall usg authentication mechanisms so that users just need to log in once single login to get access to permitted resources 191

Table 97 web auth policy sub commands continued 191

Table 98 sso commands and subcommnds 191

The zywall usg the dc the sso agent and the ldap or ad server must all be in the same domain and be able to communicate with each other 191

Use these commands to configure the zywall usg to communicate with sso 191

You must enable web authentication to use sso 191

Zywall usg zld cli reference guide 191

Chapter 27 web authentication 192

Command description 192

Command setup sequence example 192

Sso show commands 192

Table 99 sso show commands 192

The following commands show how to configure the zywall usg to communicate with an an sso agent at ip address 1 using port 2158 and preshared key 12345678 192

You don t need to enter the configuration mode before you can use these commands use them to see sso configurations done 192

Zywall usg zld cli reference guide 192

Rtls overview 193

Chapter 28 rtls 194

Command description 194

Rtls configuration commands 194

Rtls configuration examples 194

Table 101 rtls commands 194

The following command displays the commands run on the ap 194

The following commands show how to enable rtls to use wi fi to track the location of ekahau wi fi tags specify the ip address of the ekahau rtls controller and then show the configuration settings 194

Use these commands to configure rtls on the zywall usg 194

Zywall usg zld cli reference guide 194

Ipsec vpn 195

Ipsec vpn overview 195

Ipsec vpn commands summary 196

Chapter 29 ipsec vpn 197

Command description 197

Ipv4 ikev1 sa commands 197

Label description 197

Table 102 input values for ipsec vpn commands continued 197

Table 103 isakmp commands ike sas 197

The following sections list the ipsec vpn commands 197

This table lists the commands for ike sas vpn gateways 197

Zywall usg zld cli reference guide 197

Aaa authentication 198

Chapter 29 ipsec vpn 198

Command description 198

Ipv4 ipsec sa commands except manual keys 198

Table 103 isakmp commands ike sas continued 198

Table 104 crypto commands ipsec sas 198

This table lists the commands for ipsec sas excluding manual keys vpn connections using vpn gateways 198

Zywall usg zld cli reference guide 198

Chapter 29 ipsec vpn 199

Command description 199

Table 104 crypto commands ipsec sas continued 199

Zywall usg zld cli reference guide 199

Chapter 29 ipsec vpn 200

Command description 200

Note you must allow traffic whose source and destination ip addresses do not match the local and remote policy if you want to use the ipsec sa in a vpn concentrator 200

Table 104 crypto commands ipsec sas continued 200

Zywall usg zld cli reference guide 200

Chapter 29 ipsec vpn 201

Command description 201

Ipv4 ipsec sa commands for manual keys 201

Table 105 crypto map commands ipsec sas manual keys 201

Table 106 vpn concentrator commands vpn concentrator 201

This table lists the additional commands for ipsec sas using manual keys vpn connections using manual keys 201

This table lists the commands for the vpn concentrator 201

Vpn concentrator commands 201

Zywall usg zld cli reference guide 201

Chapter 29 ipsec vpn 202

Command description 202

Table 106 vpn concentrator commands vpn concentrator continued 202

Table 107 vpn configuration provision commands vpn configuration provisioning 202

This table lists the commands for vpn configuration provisioning 202

Vpn configuration provisioning commands 202

Zywall usg zld cli reference guide 202

Chapter 29 ipsec vpn 203

Command description 203

Ipv4 ikev2 sa commands 203

Sa monitor commands 203

Table 108 sa commands sa monitor 203

Table 109 sa commands ipv4 ikev2 203

This table lists the commands for the ipv4 ikev2 sa 203

This table lists the commands for the sa monitor 203

Zywall usg zld cli reference guide 203

Chapter 29 ipsec vpn 204

Command description 204

Table 109 sa commands ipv4 ikev2 continued 204

Zywall usg zld cli reference guide 204

Chapter 29 ipsec vpn 205

Command description 205

Ipv6 ikev2 sa commands 205

Table 110 sa commands ipv6 ikev2 205

This table lists the commands for the ipv4 ikev2 sa 205

Zywall usg zld cli reference guide 205

Chapter 29 ipsec vpn 206

Command description 206

Ipv6 ipsec sa commands 206

Table 110 sa commands ipv6 ikev2 continued 206

Table 111 crypto commands ipv6 ipsec sas 206

This table lists the commands for ipv6 ipsec sas 206

Zywall usg zld cli reference guide 206

0 ipv6 vpn concentrator commands 207

Chapter 29 ipsec vpn 207

Command description 207

Note you must allow traffic whose source and destination ip addresses do not match the local and remote policy if you want to use the ipsec sa in a vpn concentrator 207

Table 111 crypto commands ipv6 ipsec sas continued 207

Table 112 vpn concentrator commands vpn concentrator 207

This table lists the commands for the ipv6 vpn concentrator 207

Zywall usg zld cli reference guide 207

Chapter 29 ipsec vpn 208

Command description 208

Table 112 vpn concentrator commands vpn concentrator continued 208

Zywall usg zld cli reference guide 208

Ssl access policy 209

Ssl access policy limitations 209

Ssl application objects 209

Ssl vpn 209

Ssl vpn commands 209

Chapter 30 ssl vpn 210

Command description 210

Command to enter the configuration mode before you can use these commands 210

Configure termina 210

Ssl vpn commands 210

Table 114 ssl vpn commands 210

The following sections list the ssl vpn commands 210

This table lists the commands for ssl vpn you must use the 210

Zywall usg zld cli reference guide 210

Setting an ssl vpn rule tutorial 211

Chapter 30 ssl vpn 212

Displays the ssl vpn rule settings 212

Zywall usg zld cli reference guide 212

Ipsec configuration 213

L2tp vpn 213

L2tp vpn overview 213

L2tp_pool 214

Lan_subnet 214

Policy route 214

Using the default l2tp vpn connection 214

Chapter 31 l2tp vpn 215

Command description 215

Command to enter the configuration mode before you can use these commands 215

Configure termina 215

L2tp vpn commands 215

Label description 215

Note modifying this vpn connection or the vpn gateway that it uses disconnects any existing l2tp vpn sessions 215

Table 115 input values for l2tp vpn commands 215

Table 116 l2tp vpn commands 215

The following sections list the l2tp vpn commands 215

The following table describes the values required for some l2tp vpn commands other values are discussed with the corresponding commands 215

This table lists the commands for l2tp vpn you must use the 215

Zywall usg zld cli reference guide 215

3 7 05 l2tp_pool 192 68 0 0 192 68 0 0 216

Chapter 31 l2tp vpn 216

Command description 216

Figure 23 l2tp vpn example 216

L2tp vpn example 216

Lan_subnet 192 68 24 216

Table 116 l2tp vpn commands 216

The remote user has a dynamic public ip address and connects through the internet 216

The zywall usg has a static ip address of 172 3 7 05 for the ge3 interface 216

This example uses the following settings in creating a basic l2tp vpn tunnel see the web configurator user s guide for how to configure l2tp in remote user computers using windows xp and windows 2000 216

Zywall usg zld cli reference guide 216

Configuring the default l2tp vpn connection example 217

Configuring the default l2tp vpn gateway example 217

Configuring the l2tp vpn settings example 217

Chapter 31 l2tp vpn 218

Configuring the policy route for l2tp example 218

Enable the connection 218

Enable the policy route 218

Set the destination address to the ip address pool that the zywall usg assigns to the remote users l2tp_pool in this example 218

Set the next hop to be the default_l2tp_vpn_connection tunnel 218

Set the policy route s source address to the address object that you want to allow the remote users to access lan_subnet in this example 218

The following commands configure and display the policy route for the l2tp vpn connection entry 218

Zywall usg zld cli reference guide 218

Bandwidth management 219

Bandwidth management commands 219

Bandwidth management overview 219

Bwm type 219

Bandwidth sub commands 220

Chapter 32 bandwidth management 220

Command description 220

Table 117 bwm commands continued 220

Table 118 bwm sub commands 220

The following table describes the sub commands for several bwm commands 220

Zywall usg zld cli reference guide 220

Chapter 32 bandwidth management 221

Command description 221

Table 118 bwm sub commands continued 221

Zywall usg zld cli reference guide 221

Chapter 32 bandwidth management 222

Command description 222

Table 118 bwm sub commands continued 222

Zywall usg zld cli reference guide 222

Bandwidth management commands examples 223

Chapter 32 bandwidth management 223

Command description 223

Table 118 bwm sub commands continued 223

The following example sets the priority code to 3 for packets in vlan 1 that don t match any other bwm rule bwm rule 1 marks matching outgoing traffic from vlan 1 to priority code 4 223

Zywall usg zld cli reference guide 223

Chapter 32 bandwidth management 224

The following example adds a new bandwidth management policy for trial users to limit incoming and outgoing bandwidth and sets the traffic priority to 3 it then displays the policy settings 224

Zywall usg zld cli reference guide 224

Application patrol 225

Application patrol commands summary 225

Application patrol overview 225

Application patrol command examples 226

Application patrol commands 226

Chapter 33 application patrol 226

Command description 226

Table 120 app commands application patrol 226

This command shows details of an application patrol profile created 226

This table lists the application patrol commands 226

Zywall usg zld cli reference guide 226

Chapter 33 application patrol 227

These are some other example application patrol usage commands 227

Zywall usg zld cli reference guide 227

Anti virus 229

Anti virus commands 229

Anti virus overview 229

Anti virus profile 230

Chapter 34 anti virus 230

Command description 230

Command to enter the configuration mode before you can use these commands 230

Configure termina 230

General anti virus commands 230

Note you must register for the anti virus service before you can use it see chapter 5 on page 49 230

Table 122 general anti virus commands 230

Table 123 anti virus profile commands 230

The following table describes general anti virus commands you must use the 230

This table lists the av profile related commands 230

Zywall usg zld cli reference guide 230

Anti virus profile command example 231

Chapter 34 anti virus 231

Command description 231

Command to enter the configuration mode before you can use these commands 231

Configure termina 231

Table 123 anti virus profile commands 231

Table 124 commands for anti virus white and black lists 231

The following table describes the commands for configuring the white list and black list you must use the 231

This is an example of anti virus profile commands 231

White and black lists 231

Zywall usg zld cli reference guide 231

Chapter 34 anti virus 232

Command description 232

Command to enter the configuration mode before you can use this command 232

Configure termina 232

Signature search anti virus command 232

Signature search example 232

Table 124 commands for anti virus white and black lists continued 232

Table 125 command for anti virus signature search 232

The following table describes the command for searching for signatures you must use the 232

This example shows how to enable the white list and configure an active white list entry for files with a exe extension it also enables the black list and configure an inactive black list entry for files with a exe extension 232

This example shows how to search for anti virus signatures with msn in the name 232

White and black lists example 232

Zywall usg zld cli reference guide 232

Chapter 34 anti virus 233

Command description 233

Table 126 update signatures 233

These examples show how to enable disable automatic anti virus downloading schedule updates display the schedule display the update status show the new updated signature version number show the total number of signatures and show the date time the signatures were created 233

Update anti virus signatures 233

Update signature examples 233

Use these commands to update new signatures you should have already registered for anti virus service 233

Zywall usg zld cli reference guide 233

Anti virus statistics 234

Anti virus statistics example 234

Chapter 34 anti virus 234

Command description 234

Command to enter the configuration mode before you can use these commands 234

Configure termina 234

Table 127 commands for anti virus statistics 234

The following table describes the commands for collecting and displaying anti virus statistics you must use the 234

This example shows how to collect and display anti virus statistics it also shows how to sort the display by the most common destination ip addresses 234

Zywall usg zld cli reference guide 234

General idp commands 235

Idp activation 235

Idp commands 235

Overview 235

Activate deactivate idp example 236

Chapter 35 idp commands 236

Command description 236

Global profile commands 236

Idp profile commands 236

Table 129 idp activation 236

Table 130 global profile commands 236

This example shows how to activate and deactivate signature based idp on the zywall usg 236

Use these commands to rename or delete existing profiles and show idp base profiles 236

Zywall usg zld cli reference guide 236

Chapter 35 idp commands 237

Command description 237

Editing creating idp signature profiles 237

Example of global profile commands 237

In this example we rename an idp signature profile from old_profile to new_profile delete the bye_profile and show all base profiles available 237

Note you cannot change the base profile later 237

Signature search 237

Table 131 editing creating idp signature profiles 237

Use these commands to create a new idp signature profile or edit an existing one it is recommended you use the web configurator to create edit profiles if you do not specify a base profile the default base profile is none 237

Use this command to search for signatures in the named profile 237

Zywall usg zld cli reference guide 237

Chapter 35 idp commands 238

Command description 238

Note it is recommended you use the web configurator to search for signatures 238

Search parameter tables 238

Severity platform policy type 238

Table 132 signature search command 238

Table 133 severity platform and policy type command values 238

The following table displays the command line severity platform and policy type equivalent values if you want to combine platforms in a search then add their respective numbers together for example to search for signatures for windows nt windows xp and windows 2000 computers then type 12 as the platform parameter 238

Zywall usg zld cli reference guide 238

Chapter 35 idp commands 239

Containing the text worm within the signature name 239

Generates logs 239

Has a very low severity level 239

Idp custom signatures 239

Is a scan policy type dns service 239

Is enabled 239

Operates on the windows nt platform 239

Service service action 239

Signature search example 239

Table 134 service and action command values 239

The following table displays the command line service and action equivalent values if you want to combine services in a search then add their respective numbers together for example to search for signatures for dns finger and ftp services then type 7 as the service parameter 239

This example command searches for all signatures in the lan_idp profile 239

Use these commands to create a new signature or edit an existing one 239

With an id of 12345 239

Zywall usg zld cli reference guide 239

Chapter 35 idp commands 240

Command description 240

Custom signature examples 240

Custom signatures screen 240

Note you must use the web configurator to import a custom signature file 240

Table 135 custom signatures 240

These examples show how to create a custom signature edit one display details of one all and show the total number of custom signatures 240

Zywall usg zld cli reference guide 240

Chapter 35 idp commands 241

This example shows you how to display custom signature details 241

This example shows you how to edit a custom signature 241

Zywall usg zld cli reference guide 241

Chapter 35 idp commands 242

This example shows you how to display custom signature contents 242

Zywall usg zld cli reference guide 242

Chapter 35 idp commands 243

Command description 243

Note you must use the web configurator to import a custom signature file 243

Table 136 update signatures 243

This example shows you how to display all details of a custom signature 243

This example shows you how to display the number of custom signatures on the zywall usg 243

Update idp signatures 243

Use these commands to update new signatures you register for idp service before you can update idp signatures although you do not have to register in order to update system protect signatures 243

Zywall usg zld cli reference guide 243

Chapter 35 idp commands 244

Command description 244

Command to enter the configuration mode before you can use these commands 244

Configure termina 244

Idp statistics 244

Table 137 commands for idp statistics 244

The following table describes the commands for collecting and displaying idp statistics you must use the 244

These examples show how to enable disable automatic idp downloading schedule updates display the schedule display the update status show the new updated signature version number show the total number of signatures and show the date time the signatures were created 244

Update signature examples 244

Zywall usg zld cli reference guide 244

Chapter 35 idp commands 245

Idp statistics example 245

This example shows how to collect and display idp statistics it also shows how to sort the display by the most common signature name source ip address or destination ip address 245

Zywall usg zld cli reference guide 245

Content filtering 247

Content filtering overview 247

Content filtering reports 247

External web filtering service 247

Chapter 36 content filtering 248

Commands 248

Content filte 248

Content filter command input values 248

Label description 248

Table 138 content filter command input values 248

The following table explains the values you can input with the 248

Zywall usg zld cli reference guide 248

Chapter 36 content filtering 249

Command to enter the 249

Configure termina 249

General content filter commands 249

Label description 249

Table 138 content filter command input values continued 249

The following table lists the commands that you can use for general content filter configuration such as creating a denial of access message or specifying a redirect url and checking your external web filtering service registration status use the 249

Zywall usg zld cli reference guide 249

Chapter 36 content filtering 250

Command description 250

Configuration mode to be able to use these commands see table 138 on page 248 for details about the values you can input with these commands 250

Table 139 content filter general commands 250

Zywall usg zld cli reference guide 250

Chapter 36 content filtering 251

Command description 251

Command to enter the configuration mode to be able to use these commands see table 138 on page 248 for details about the values you can input with these commands 251

Configure termina 251

Content filter filtering profile commands 251

Table 140 content filter filtering profile commands summary 251

The following table lists the commands that you can use to configure a content filtering profile use the 251

Zywall usg zld cli reference guide 251

Chapter 36 content filtering 252

Command description 252

Table 140 content filter filtering profile commands summary continued 252

Zywall usg zld cli reference guide 252

Chapter 5 on page 49 253

Configure termina 253

Content filtering commands example 253

Content filtering statistics 253

Content filtering statistics example 253

Note you must register for the external web filtering service before you can use it see 253

Append a secure policy with content filter profile 254

Chapter 36 content filtering 254

You can also customize the filtering profile the following commands block active x java and proxy access 254

Zywall usg zld cli reference guide 254

Chapter 36 content filtering 255

Use this command to display the settings of the profile 255

Zywall usg zld cli reference guide 255

Anti spam 257

Anti spam commands 257

Anti spam overview 257

Anti spam profile rules 257

Chapter 37 anti spam 258

Command description 258

Table 143 commands for anti spam profile rules continued 258

Zywall usg zld cli reference guide 258

Anti spam profile example 259

Chapter 37 anti spam 259

Command description 259

Table 143 commands for anti spam profile rules continued 259

This example shows how to configure and display a wan to dmz anti spam profile to scan pop3 and smtp traffic smtp spam is forwarded pop3 spam is marked with a spam tag the zywall usg logs the event when an e mail matches the dnsbl see section 37 on page 262 for more on dnsbl the white and black lists are ignored 259

Zywall usg zld cli reference guide 259

Chapter 37 anti spam 260

Command description 260

Command to enter the configuration mode before you can use these commands 260

Configure termina 260

Label description 260

Table 144 input values for white and black list anti spam commands 260

Table 145 commands for anti spam white and black lists 260

The following table identifies values used in these commands other input values are discussed with the corresponding commands 260

Use the white list to identify legitimate e mail and the black list to identify spam e mail the following table describes the commands for configuring the white list and black list you must use the 260

White and black lists 260

Zywall usg zld cli reference guide 260

Chapter 37 anti spam 261

Command description 261

Regular expressions in black or white list entries 261

Table 145 commands for anti spam white and black lists continued 261

The following applies for a black or white list entry based on an e mail subject e mail address or e mail header value 261

This example shows how to configure and enable a white list entries for e mails with testwhite in the subject e mails from whitelist ourcompany com e mails with the date header set to 2007 and e mails from or forwarded by ip address 192 68 with subnet 255 55 55 261

Use a question mark to let a single character vary for example use a c without the quotation marks to specify abc acc and so on 261

White and black lists example 261

You can also use a wildcard for example if you configure def com any e mail address that ends in def com matches so mail def com matches 261

Zywall usg zld cli reference guide 261

Chapter 37 anti spam 262

Command description 262

Command to enter the configuration mode before you can use these commands 262

Configure termina 262

Dnsbl anti spam commands 262

Label description 262

Table 146 input values for dnsbl commands 262

Table 147 dnsbl commands 262

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 262

The wildcard can be anywhere in the text string and you can use more than one wildcard you cannot use two wildcards side by side there must be other characters between them 262

The zywall usg checks the first header with the name you specified in the entry so if the e mail has more than one received header the zywall usg checks the first one 262

This section describes the commands for checking the sender and relay ip addresses in e mail headers against dns domain name service based spam black lists dnsbls you must use the 262

This table describes the dnsbl commands 262

Zywall usg zld cli reference guide 262

Chapter 37 anti spam 263

Command description 263

Dnsbl example 263

Sets the dnsbl tag to dnsbl 263

Sets the dnsbl timeout tag to dnsbl timeout 263

Sets the zywall usg to check up to 4 sender and relay server ip addresses in e mail headers against the dnsbl 263

Sets the zywall usg to forward pop3 mail with a tag if the queries to the dnsbl domains time out 263

Sets the zywall usg to start dnsbl checking from the first ip address in the mail header 263

Sets the zywall usg to use dnsbl example com as a dnsbl 263

Table 147 dnsbl commands 263

This example 263

Turns dnsbl checking on 263

Zywall usg zld cli reference guide 263

Anti spam statistics 264

Chapter 37 anti spam 264

Command description 264

Command to enter the configuration mode before you can use these commands 264

Configure termina 264

Displays the dnsbl statistics 264

Table 148 commands for anti spam statistics 264

The following table describes the commands for collecting and displaying anti spam statistics you must use the 264

Zywall usg zld cli reference guide 264

Anti spam statistics example 265

Chapter 37 anti spam 265

Command description 265

Table 148 commands for anti spam statistics continued 265

This example shows how to collect anti spam statistics and display a summary 265

Zywall usg zld cli reference guide 265

Ssl inspection 267

Ssl inspection commands summary 267

Ssl inspection overview 267

Chapter 38 ssl inspection 268

Command description 268

Ssl inspection exclusion commands 268

Ssl inspection profile settings 268

Table 150 ssl inspection exclusion commands 268

Table 151 ssl inspection profile commands 268

The following sections list the commands 268

There may be privacy and legality issues regarding inspecting a user s encrypted session the legal issues may vary by locale so it s important to check with your legal department to make sure that it s ok to intercept ssl traffic from your zywall usg users 268

This table lists the ssl inspection exclusion related commands 268

This table lists the ssl inspection profile setting commands 268

To ensure individual privacy and meet legal requirements you can configure an exclusion list to exclude matching sessions to destination servers this traffic is not intercepted and is passed through uninspected 268

Zywall usg zld cli reference guide 268

Chapter 38 ssl inspection 269

Command description 269

Ssl inspection certificate cache 269

Ssl inspection certificate update 269

Table 151 ssl inspection profile commands 269

Table 152 ssl inspection certificate cache commands 269

Table 153 ssl inspection certificate update commands 269

This table lists the ssl inspection certificate cache commands 269

Use these commands to update the latest certificates of servers using ssl connections to the zywall usg network you should have internet access and have activated ssl inspection on the zywall usg at myzyxel com 269

Zywall usg zld cli reference guide 269

Chapter 38 ssl inspection 270

Command description 270

Ssl inspection statistics 270

Table 153 ssl inspection certificate update commands 270

Table 154 ssl inspection statistics commands 270

These are some example ssl inspection certificate update usage commands 270

This table lists the ssl inspection statistics commands 270

Zywall usg zld cli reference guide 270

Chapter 38 ssl inspection 271

Ssl inspection command examples 271

These are some other example ssl inspection usage commands 271

Zywall usg zld cli reference guide 271

Device ha 273

Device ha overview 273

Active passive mode device ha 274

Before you begin 274

Cluster id 274

General device ha commands 274

Monitored interfaces in active passive mode device ha 274

Note subscribe to services on the backup zywall usg before synchronizing it with the master zywall usg 274

Virtual router 274

Virtual router and management ip addresses 274

Active passive mode device ha commands 275

Chapter 39 device ha 275

Command description 275

Commands 275

Device h 275

Each interface can also have a management ip address you can connect to this ip address to manage the zywall usg regardless of whether it is the master or the backup 275

Label description 275

Table 156 input values for device ha commands 275

Table 157 device ha ap mode commands 275

The following sections list the 275

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 275

This table lists the commands for configuring active passive mode device ha 275

Zywall usg zld cli reference guide 275

Chapter 39 device ha 276

Command description 276

Table 157 device ha ap mode commands continued 276

Zywall usg zld cli reference guide 276

Active passive mode device ha command example 277

Chapter 39 device ha 277

This example configures a zywall usg to be a master zywall usg for active passive mode device ha there is a management ip address of 192 68 on lan1 wan1 and lan1 are monitored the synchronization password is set to mysyncpassword 277

Zywall usg zld cli reference guide 277

User account overview 279

User group 279

User types 279

Chapter 40 user group 280

Command description 280

Commands 280

Commands other input values are discussed with the corresponding commands 280

Label description 280

Table 159 username groupname command input values 280

Table 160 username groupname commands summary users 280

The first table lists the commands for users 280

The following sections list the 280

The following table identifies the values required for many 280

User commands 280

User group commands summary 280

Username groupnam 280

Zywall usg zld cli reference guide 280

Chapter 40 user group 281

Command description 281

Table 160 username groupname commands summary users continued 281

Table 161 username groupname commands summary groups 281

Table 162 username groupname commands summary settings 281

This table lists the commands for groups 281

This table lists the commands for user settings except for forcing user authentication 281

User group commands 281

User setting commands 281

Zywall usg zld cli reference guide 281

Chapter 40 user group 282

Command description 282

Table 162 username groupname commands summary settings continued 282

The following commands show the current settings for the number of simultaneous logins 282

User setting command examples 282

Zywall usg zld cli reference guide 282

Chapter 40 user group 283

Command description 283

Create a mac role mac address user type user account named zyxel mac 283

Mac auth commands 283

Mac auth example 283

Map a wireless client s mac address of 00 13 49 11 a0 c4 to the zyxel mac mac role mac address user account 283

Modify the wlan security profile named securewlan1 as follows 283

Table 163 mac auth commands summary 283

The following commands 283

This example uses an external server to authenticate wireless clients by mac address after authentication the zywall usg maps the wireless client to a mac address user account mac role configure user aware features to control mac address user access to network services 283

This table lists the commands for mappings mac addresses to mac address user accounts 283

Turn on mac authentication 283

Use colons to separate the two character pairs within account mac addresses 283

Use the authentication method named auth1 283

Zywall usg zld cli reference guide 283

Additional user commands 284

Chapter 40 user group 284

Command description 284

Table 164 username groupname commands summary additional 284

This table lists additional commands for users 284

Use upper case letters in the account mac addresses 284

Zywall usg zld cli reference guide 284

Additional user command examples 285

Chapter 40 user group 285

The following commands display the users that are currently locked out and then unlocks the user who is displayed 285

The following commands display the users that are currently logged in to the zywall usg and forces the logout of all logins from a specific ip address 285

Zywall usg zld cli reference guide 285

Application object 286

Application object commands 286

Application object commands summary 286

Application object 287

Application object group commands 287

Chapter 41 application object 287

Command description 287

Examples 287

Table 167 object group application commands 287

These are some example usage commands 287

This table lists the application object group commands 287

Zywall usg zld cli reference guide 287

Chapter 41 application object 288

Examples 288

Object group application 288

These are some example usage commands 288

Zywall usg zld cli reference guide 288

Address commands summary 289

Address overview 289

Addresses 289

Address object commands 290

Chapter 42 addresses 290

Command description 290

Table 169 address object and address6 object commands 290

The following sections list the address object and address group commands 290

This table lists the commands for address objects 290

Zywall usg zld cli reference guide 290

Address object command examples 291

Chapter 42 addresses 291

The following example creates three ipv4 address objects and then deletes one 291

Zywall usg zld cli reference guide 291

Address group commands 292

Chapter 42 addresses 292

Command description 292

Table 170 object group commands address groups 292

The following example creates host range subnet and link local ipv6 address objects and then deletes the subnet ipv6 address object 292

This table lists the commands for address groups 292

Zywall usg zld cli reference guide 292

Address group command examples 293

Chapter 42 addresses 293

Command description 293

Table 170 object group commands address groups continued 293

The following commands create three address objects a0 a1 and a2 and add a1 and a2 to address group rd 293

Zywall usg zld cli reference guide 293

Service object commands 295

Services 295

Services commands summary 295

Services overview 295

Chapter 43 services 296

Command description 296

Service group commands 296

Service object command examples 296

Table 172 service object commands service objects continued 296

Table 173 object group commands service groups 296

The first table lists the commands for service groups 296

The following commands create four services displays them and then removes one of them 296

Zywall usg zld cli reference guide 296

Chapter 43 services 297

Command description 297

Service group command examples 297

Table 173 object group commands service groups continued 297

The following commands create service icmp_echo create service group sg1 and add icmp_echo to sg1 297

Zywall usg zld cli reference guide 297

Schedule commands summary 299

Schedule overview 299

Schedules 299

Chapter 44 schedules 300

Command description 300

Schedule command examples 300

Table 175 schedule commands continued 300

The following commands create recurring schedule schedule1 and one time schedule schedule2 and then delete schedule1 300

Zywall usg zld cli reference guide 300

Aaa server 301

Aaa server overview 301

Ad server commands 301

Authentication server command summary 301

Chapter 45 aaa server 302

Command description 302

Commands you use to set the default ldap server 302

Ldap server 302

Ldap server commands 302

Table 176 ad server commands continued 302

Table 177 ldap server commands 302

The following table lists the 302

Zywall usg zld cli reference guide 302

Aaa group server ad 303

Aaa group server ad commands 303

Chapter 45 aaa server 303

Command description 303

Commands you use to configure a group of ad servers 303

Commands you use to set the default radius server 303

Note you can not delete a server group that is currently in use 303

Radius server 303

Radius server command example 303

Radius server commands 303

Table 178 radius server commands 303

Table 179 aaa group server ad commands 303

The following example sets the secret key and timeout period of the default radius server 172 3 0 00 to 87643210 and 80 seconds 303

The following table lists the 303

Zywall usg zld cli reference guide 303

Aaa group server ldap 304

Aaa group server ldap commands 304

Chapter 45 aaa server 304

Command description 304

Commands you use to configure a group of ldap servers 304

Note you can not delete a server group that is currently in use 304

Table 179 aaa group server ad commands continued 304

Table 180 aaa group server ldap commands 304

The following table lists the 304

Zywall usg zld cli reference guide 304

Aaa group server radius 305

Aaa group server radius commands 305

Chapter 45 aaa server 305

Command description 305

Commands you use to configure a group of radius servers 305

Note you can not delete a server group that is currently in use 305

Table 180 aaa group server ldap commands continued 305

Table 181 aaa group server radius commands 305

The following table lists the 305

Zywall usg zld cli reference guide 305

Aaa group server command example 306

Chapter 45 aaa server 306

Command description 306

Table 181 aaa group server radius commands continued 306

The following example creates a radius server group with two members and sets the secret key to 12345678 and the timeout to 100 seconds then this example also shows how to view the radius group settings 306

Zywall usg zld cli reference guide 306

Aaa authentication commands 307

Authentication objects 307

Authentication objects overview 307

Aaa authentication command example 308

Base dn dc zyxel dc com 308

Bind dn zyxel engineerabc 308

Chapter 46 authentication objects 308

Command description 308

Command you use to teat a user account on an authentication server 308

Ip address 172 6 0 308

Note you must specify at least one member for each profile each type of member can only be used once in a profile 308

Port 389 308

Table 182 aaa authentication commands continued 308

Table 183 test aaa command 308

Test a user account command example 308

Test aa 308

Test aaa command 308

The following example creates an authentication profile to authentication users using the ldap server group and then the local user database 308

The following example shows how to test whether a user account named userabc exists on the ad authentication server which uses the following settings 308

The following table lists the 308

Zywall usg zld cli reference guide 308

Chapter 46 authentication objects 309

Login name attribute samaccountname 309

Password abcdefg 309

The result shows the account exists on the ad server otherwise the zywall usg responds an error 309

Zywall usg zld cli reference guide 309

Authentication server 310

Authentication server commands 310

Authentication server overview 310

Authentication server command examples 311

Chapter 47 authentication server 311

Command description 311

Table 184 command summary authentication server continued 311

The following example shows you how to enable the authentication server feature on the zywall usg and sets a trusted radius client profile this example also shows you the authentication server and client profile settings 311

Zywall usg zld cli reference guide 311

Certificate commands 313

Certificates 313

Certificates commands input values 313

Certificates overview 313

Certificates commands summary 314

Chapter 48 certificates 314

Command description 314

Command to enter the configuration mode to be able to use these commands 314

Configure termina 314

Label description 314

Table 185 certificates commands input values continued 314

Table 186 ca commands summary 314

The following table lists the commands that you can use to display and manage the zywall usg s summary list of certificates and certification requests you can also create certificates or certification requests use the 314

Zywall usg zld cli reference guide 314

Chapter 48 certificates 315

Command description 315

Table 186 ca commands summary continued 315

Zywall usg zld cli reference guide 315

Certificates commands examples 316

Chapter 48 certificates 316

Command description 316

Table 186 ca commands summary continued 316

The following example creates a self signed x 09 certificate with ip address 10 8 as the common name it uses the rsa key type with a 512 bit key then it displays the list of local certificates finally it deletes the pkcs12request certification request 316

Zywall usg zld cli reference guide 316

Isp accounts 317

Isp accounts overview 317

Pppoe and pptp account commands 317

Cellular account commands 318

Chapter 49 isp accounts 318

Command description 318

Table 187 pppoe and pptp isp account commands continued 318

Table 188 cellular account commands 318

The following table lists the cellular isp account commands 318

Zywall usg zld cli reference guide 318

Ssl application 319

Ssl application object commands 319

Ssl application overview 319

Chapter 50 ssl application 320

Command description 320

Table 189 ssl application object commands 320

Zywall usg zld cli reference guide 320

Chapter 50 ssl application 321

Ssl application command examples 321

The following commands create and display a server type ssl application object named zw5 for a web server at ip address 192 68 2 321

Zywall usg zld cli reference guide 321

Dhcpv6 object commands 322

Dhcpv6 object commands summary 322

Dhcpv6 objects 322

Chapter 51 dhcpv6 objects 323

Command description 323

Dhcpv6 object command examples 323

Table 191 dhcpv6 object commands continued 323

This example creates and displays a dhcpv6 lease object named test1 for ipv6 address 2003 1 with duid 00 01 02 03 04 05 06 07 323

This example makes test1 into a dhcpv6 address pool lease object for ipv6 addresses 2004 10 to 2004 40 323

Zywall usg zld cli reference guide 323

Chapter 51 dhcpv6 objects 324

This example creates a dhcpv6 prefix delegation request object named pfx and displays its settings 324

This example creates and displays a dhcpv6 prefix delegation lease object named pfx for ipv6 address prefix 2005 64 and duid 00 01 02 03 04 05 06 07 then renames it to pd 324

This example deletes the test1 dhcpv6 lease object 324

Zywall usg zld cli reference guide 324

Customizing the www login page 325

System 325

System overview 325

Configure termina 326

Logo title 326

Message color of all text 326

Note message last line of text 326

Window background 326

Configure termina 327

Host name commands 327

Time and date 327

Configure termina 328

Console port speed 328

Date time commands 328

Dns overview 329

Domain zone forwarder 329

Chapter 52 system 330

Command description 330

Command to enter the configuration mode before you can use these commands 330

Configure termina 330

Dns commands 330

Label description 330

Table 196 input values for general dns commands 330

Table 197 command summary dns 330

The following table describes the commands available for dns you must use the 330

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 330

Zywall usg zld cli reference guide 330

Chapter 52 system 331

Command description 331

Table 197 command summary dns continued 331

Zywall usg zld cli reference guide 331

Authentication server overview 332

Chapter 52 system 332

Command description 332

Dns command examples 332

Table 197 command summary dns continued 332

The zywall usg can also work as a radius server to exchange messages with other aps for user authentication and authorization 332

This command displays security options configured for the customized and default rules 332

This command sets an a record that specifies the mapping of a fully qualified domain name www abc com to an ip address 210 7 3 332

Zywall usg zld cli reference guide 332

Authentication server commands 333

Chapter 52 system 333

Command description 333

Defaul 333

Table 198 command summary authentication server 333

The following table lists the authentication server commands you use to configure the zywall usg s built in authentication server settings 333

Zywall usg zld cli reference guide 333

Authentication server command examples 334

Configure termina 334

Language commands 334

Configure termina 335

Ipv6 commands 335

Zon commands 335

Zon overview 335

Chapter 52 system 336

Command description 336

Table 201 command summary zon continued 336

This example enables lldp discovery and displays whether lldp discovery is enabled on the zywall usg 336

Zon examples 336

Zywall usg zld cli reference guide 336

Remote management limitations 337

Remote management overview 337

System remote management 337

System timeout 337

Chapter 53 system remote management 338

Command description 338

Command to enter the configuration mode before you can use these commands 338

Common system command input values 338

Configure termina 338

Defaul 338

Http https commands 338

Label description 338

Table 202 input values for general system commands 338

Table 203 command summary http https 338

The following table describes the commands available for http https you must use the 338

The following table identifies the values required for many of these commands other input values are discussed with the corresponding commands 338

Zywall usg zld cli reference guide 338

Chapter 53 system remote management 339

Command description 339

Defaul 339

Table 203 command summary http https continued 339

Zywall usg zld cli reference guide 339

Http https command examples 340

Requirements for using ssh 340

Ssh implementation on the zywall usg 340

Chapter 53 system remote management 341

Command description 341

Command to enter the configuration mode before you can use these commands 341

Configure termina 341

Defaul 341

Ssh command examples 341

Ssh commands 341

Table 204 command summary ssh 341

The following table describes the commands available for ssh you must use the 341

This command sets a certificate default to be used to identify the zywall usg 341

This command sets a service control rule that allowed the computers with the ip addresses matching the specified address object to access the specified zone using ssh service 341

Zywall usg zld cli reference guide 341

Chapter 53 system remote management 342

Command description 342

Command to enter the configuration mode before you can use these commands 342

Configure termina 342

Table 205 command summary telnet 342

Telnet 342

Telnet commands 342

Telnet commands examples 342

The following table describes the commands available for telnet you must use the 342

This command displays telnet settings 342

This command sets a service control rule that allowed the computers with the ip addresses matching the specified address object to access the specified zone using telnet service 342

You can configure your zywall usg for remote telnet access 342

Zywall usg zld cli reference guide 342

Configure termina 343

Configuring ftp 343

Ftp commands 343

Ftp commands examples 343

Snmp traps 344

Supported mibs 344

Chapter 53 system remote management 345

Command description 345

Command to enter the configuration mode before you can use these commands 345

Configure termina 345

Object label object id description 345

Snmp commands 345

Table 207 snmp traps continued 345

Table 208 command summary snmp 345

The following table describes the commands available for snmp you must use the 345

Zywall usg zld cli reference guide 345

Access 346

Chapter 53 system remote management 346

Command description 346

Snmp commands examples 346

Table 208 command summary snmp continued 346

The following command sets a service control rule that allowed the computers with the ip addresses matching the specified address object to access the specified zone using snmp service 346

The following command sets the ip address of the host that receives the snmp notifications to 172 3 5 4 and the password sent with each trap to qwerty 346

The following command sets the password secret for read write 346

The following commands create an snmpv3 rule and then displays the configured settings 346

Zywall usg zld cli reference guide 346

Cloudcnm screen 347

Configure termina 347

Icmp filter 347

Chapter 53 system remote management 348

Command description 348

Table 210 command summary cloudcnm 348

The zywall usg must be able to communicate with the cloudcnm server 348

To allow cloudcnm management of your zywall usg 348

You must have a cloudcnm license with cnm id number or a cloudcnm url identifying the server 348

Zywall usg zld cli reference guide 348

Configuration files and shell scripts overview 349

File directories 349

File manager 349

Chapter 54 file manager 350

Comments in configuration files or shell scripts 350

Figure 27 configuration file shell script example 350

In a configuration file or shell script use or as the first character of a command line to have the zywall usg treat the line as a comment 350

Note exit or must follow sub commands if it is to make the zywall usg exit sub command mode 350

Table 212 configuration files and shell scripts in the zywall usg 350

These files have the same syntax which is also identical to the way you run cli commands manually an example is shown below 350

While configuration files and shell scripts have the same syntax the zywall usg applies configuration files differently than it runs shell scripts this is explained below 350

You have to run the example in table 27 on page 350 as a shell script because the first command is run in privilege mode if you remove the first command you have to run the example as a configuration file because the rest of the commands are executed in configuration mode see section 1 on page 27 for more information about cli modes 350

Your configuration files or shell scripts can use exit or a command line consisting of a single to have the zywall usg exit sub command mode 350

Zywall usg zld cli reference guide 350

Errors in configuration files or shell scripts 351

Setenv stop on error off 351

Zywall usg configuration file details 351

Configuration file flow at restart 352

File manager commands input values 352

Setenv startup stop on error of 352

Chapter 54 file manager 353

Command description 353

File manager commands summary 353

Table 214 file manager commands summary 353

The following table lists the commands that you can use for file management 353

Zywall usg zld cli reference guide 353

Chapter 54 file manager 354

Command description 354

File manager dual firmware commands 354

Table 214 file manager commands summary continued 354

Table 215 file manager dual firmware commands 354

The following table lists the commands that you can use for managing dual firmware firmware uploaded using ftp goes to the running partition use the web configurator to upload firmware to the standby partition the zywall usg reboots automatically when you upload firmware to the running partition 354

Zywall usg zld cli reference guide 354

Chapter 54 file manager 355

File manager command examples 355

Ftp file transfer 355

These are examples of the dual firmware commands 355

These commands run the aaa zysh script at noon every day on the first day of every month and on every monday wednesday and friday 355

This example saves a back up of the current configuration before applying a shell script file 355

You can use ftp to transfer files to and from the zywall usg for advanced maintenance and support 355

Zywall usg zld cli reference guide 355

Chapter 54 file manager 356

Command line ftp configuration file upload example 356

Command line ftp file download 356

Command line ftp file upload 356

Connect to the zywall usg 356

Enter bin to set the transfer mode to binary 356

Figure 28 ftp configuration file upload example 356

For example 356

In the conf directory use put config conf today conf to upload the configuration file config conf to the zywall usg and rename it today conf 356

Note uploading a custom signature file named custom rules overwrites all custom signatures on the zywall 356

Put 1 0 xl bin transfers the firmware 1 0 xl bin to the zywall usg 356

The firmware update can take up to five minutes do not turn off or reset the zywall usg while the firmware update is in progress if you lose power during the firmware upload you may need to refer to section 54 on page 358 to recover the firmware 356

The following example transfers a configuration file named tomorrow conf from the computer and saves it on the zywall usg as next conf 356

Use put to transfer files from the computer to the zywall usg 356

You can upload the firmware after you log in through ftp to upload other files use cd to change to the corresponding directory 356

Zywall usg zld cli reference guide 356

Boot module 357

Chapter 54 file manager 357

Command line ftp configuration file download example 357

Enter bin to set the transfer mode to binary 357

Figure 29 ftp configuration file download example 357

Figure 30 zywall usg file usage at startup 357

Firmware 357

Get vpn_setup zysh vpn zysh transfers the vpn_setup zysh configuration file on the zywall usg to your computer and renames it vpn zysh 357

Recovery image 357

The following example gets a configuration file named today conf from the zywall usg and saves it on the computer as current conf 357

The zywall usg uses the following files at system startup 357

Use cd to change to the directory that contains the files you want to download 357

Use dir or ls if you need to display a list of the files in the directory 357

Use get to download files for example 357

Zywall usg file usage at startup 357

Zywall usg zld cli reference guide 357

Note do not press any keys at this point wait to see what displays next 358

Notification of a damaged recovery image or firmware 358

Note you only need to use this section if you need to restore the recovery image 359

Restoring the recovery image 359

Note you only need to use the atuk or atur command if the recovery image is damaged 360

Note this section is not for normal firmware uploads you only need to use this section if you need to recover the firmware 361

Restoring the firmware 361

Restoring the default system database 363

Note you only need to use the atkz u command if the default system database is damaged 365

Using the atkz u debug command 365

Log commands summary 369

Chapter 55 logs 370

Command description 370

Log entries commands 370

System log commands 370

Table 217 logging commands log entries 370

Table 218 logging commands system log settings 370

This table lists the commands for the system log settings 370

This table lists the commands to look at log entries 370

Zywall usg zld cli reference guide 370

Chapter 55 logs 371

Command description 371

Debug log commands 371

System log command examples 371

Table 219 logging commands debug log settings 371

The following command displays the current status of the system log 371

This table lists the commands for the debug log settings 371

Zywall usg zld cli reference guide 371

Chapter 55 logs 372

Command description 372

Table 220 logging commands remote syslog server settings 372

Table 221 logging commands vrpt settings 372

This table lists the commands for setting how often to send information to the vrpt zyxel s vantage report server 372

This table lists the commands for the remote syslog server settings for the purposes of this device s cli access points are referred to as wtp 372

Zywall usg zld cli reference guide 372

Chapter 55 logs 373

Command description 373

E mail profile commands 373

Table 221 logging commands vrpt settings continued 373

Table 222 logging commands e mail profile settings 373

This table lists the commands for the e mail profile settings 373

Zywall usg zld cli reference guide 373

Chapter 55 logs 374

Command description 374

Console port logging commands 374

E mail profile command examples 374

Table 222 logging commands e mail profile settings continued 374

Table 223 logging commands console port settings 374

The following commands set up e mail log 1 374

This table lists the commands for the console port settings 374

Zywall usg zld cli reference guide 374

Report commands 375

Report commands summary 375

Reports and reboot 375

Chapter 56 reports and reboot 376

Command description 376

Packet size statistics commands 376

Report command examples 376

Session commands 376

Table 225 session commands 376

Table 226 packet size statistics commands 376

The following commands start collecting data display the traffic reports and stop collecting data 376

This table lists the commands to display the current sessions for debugging or statistical analysis 376

Using the packet size statistics to view packet size distribution may aid you in troubleshooting network performance in particular a large number of small packets can drastically reduce throughput this table lists the commands to enable and disable packet size statistics data collection and display the setting status and statistics 376

Zywall usg zld cli reference guide 376

Chapter 56 reports and reboot 377

Command description 377

Command to enter the configuration mode before you can use these commands 377

Configure termina 377

Email daily report commands 377

Label description 377

Table 226 packet size statistics commands continued 377

Table 227 input values for email daily report commands 377

Table 228 email daily report commands 377

The following table identifies the values used in some of these commands other input values are discussed with the corresponding commands 377

Use these commands to have the zywall usg e mail you system statistics every day you must use the 377

Zywall usg zld cli reference guide 377

Appends the date and time to the mail subject 378

Chapter 56 reports and reboot 378

Command description 378

Disables the reporting 378

Email daily report example 378

Has the zywall usg not use the second and third mail to options 378

Sets example administrator example com as the first account to which to send the mail 378

Sets my email example com as the fourth mail to option 378

Sets the sender as my email example com 378

Sets the subject of the report e mails to test 378

Specifies example smtp mail server com as the address of the smtp mail server 378

Stops the system name from being appended to the mail subject 378

Table 228 email daily report commands continued 378

This example sets the following about sending a daily report e mail 378

Zywall usg zld cli reference guide 378

Chapter 56 reports and reboot 379

Has the report include cpu memory port and session usage along with traffic statistics 379

Has the zywall usg not reset the counters after sending the report 379

Has the zywall usg not use the fifth mail to option 379

Has the zywall usg provide username 12345 and password 12345 to the smtp server for authentication 379

Sets the zywall usg to send the report at 1 57 pm 379

Turns on the daily e mail reporting 379

Zywall usg zld cli reference guide 379

Chapter 56 reports and reboot 380

Command to restart the device 380

Command to save the configuration before you reboot otherwise the changes are lost when you reboot 380

If you made changes in the cli you have to use the 380

Reboot 380

This displays the email daily report settings and has the zywall usg send the report 380

Use the 380

Use this to restart the device for example if the device begins behaving erratically 380

Zywall usg zld cli reference guide 380

Session timeout 381

Diagnosis commands 383

Diagnosis commands example 383

Diagnostics 383

Packet flow explore 385

Packet flow explore commands 385

Chapter 59 packet flow explore 386

Packet flow explore commands example 386

The following example shows all activated 1 to 1 snat rules 386

The following example shows all activated dynamic vpn rules 386

The following example shows all activated site to site vpn rules 386

The following example shows all routing related functions and their order 386

The following example shows all snat related functions and their order 386

The following example shows the default wan trunk s settings 386

Zywall usg zld cli reference guide 386

Chapter 59 packet flow explore 387

The following example shows all activated 1 to 1 nat rules 387

The following example shows all activated dynamic vpn rules 387

The following example shows all activated policy routes which use snat 387

The following example shows all activated policy routes which use snat and enable nat loopback 387

The following example shows all activated static dynamic vpn rules 387

Zywall usg zld cli reference guide 387

Chapter 59 packet flow explore 388

The following example shows the default wan trunk settings 388

Zywall usg zld cli reference guide 388

Maintenance tools 389

Chapter 60 maintenance tools 390

Command description 390

Table 232 maintenance tools commands in privilege mode continued 390

Zywall usg zld cli reference guide 390

Chapter 60 maintenance tools 391

Command description 391

Table 232 maintenance tools commands in privilege mode continued 391

Zywall usg zld cli reference guide 391

Chapter 60 maintenance tools 392

Command description 392

Here are maintenance tool commands that you can use in configuration mode 392

Maintenance command examples 392

Some packet trace command examples are shown below 392

Table 232 maintenance tools commands in privilege mode continued 392

Table 233 maintenance tools commands in configuration mode 392

Zywall usg zld cli reference guide 392

Chapter 60 maintenance tools 393

Command description 393

Here are maintenance tool commands that you can use in configure mode 393

Packet capture command example 393

Table 234 maintenance tools commands in configuration mode 393

The following example creates an arp table entry for ip address 192 68 0 and mac address 01 02 03 04 05 06 then it shows the arp table and finally removes the new entry 393

The following examples show how to configure packet capture settings and perform a packet capture first you have to check whether a packet capture is running this example shows no other packet capture is running then you can also check the current packet capture settings 393

Then configure the following settings to capture packets going through the zywall usg s wan1 interface only 393

Zywall usg zld cli reference guide 393

Chapter 60 maintenance tools 394

Check current packet capture status and list all stored packet captures 394

Duration 150 seconds 394

Exit the sub command mode and have the zywall usg capture packets according to the settings you just configured 394

File size 10 megabytes 394

File suffix example 394

Host ip any 394

Host port any then you do not need to configure this setting 394

Ip address any 394

Manually stop the running packet capturing 394

Save the captured packets to usb storage device 394

The maximum size of a packet capture file 100 megabytes 394

Use the ring buffer no 394

You can use ftp to download a capture file open and study it using a packet analyzer tool for example ethereal or wireshark 394

Zywall usg zld cli reference guide 394

Hardware watchdog timer 395

Software watchdog timer 395

Watchdog timer 395

App watchdog 396

Application watchdog 396

Chapter 61 watchdog timer 396

Command description 396

Command to enter the configuration mode to be able to use these commands 396

Commands use the 396

Configure termina 396

Table 237 app watchdog commands 396

The application watchdog has the system restart a process that fails these are the 396

Zywall usg zld cli reference guide 396

Application watchdog commands example 397

Chapter 61 watchdog timer 398

Zywall usg zld cli reference guide 398

List of commands alphabetical 399

Zyxel USG 1900 [179/438] Secure policy command examples

Содержание

Похожие устройства