
SMG-700 User's Guide V1.00 (Nov 2004)


Contents

1. Router(group-service)# exit
   Router(config)# show service-object ICMP_ECHO
   Object name   Protocol   Minimum port   Maximum port   Ref
   ICMP_ECHO     ICMP       8              8              1
   Router(config)# show object-group service SG1
   Object Group name   Type     Reference
   ICMP_ECHO           Object   1
   ZyWALL ZLD CLI Reference Guide 247 Chapter 27 Services

   Chapter 28 Schedules
   Use schedules to set up one-time and recurring schedules for policy routes, firewall rules, application patrol, and content filtering.

   28.1 Schedule Overview
   The ZyWALL supports two types of schedules: one-time and recurring. One-time schedules are effective only once, while recurring schedules usually repeat. Both types of schedules are based on the current date and time in the ZyWALL.
   Note: Schedules are based on the current date and time in the ZyWALL.
   One-time schedules begin on a specific start date and time and end on a specific stop date and time. One-time schedules are useful for long holidays and vacation periods.
   Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring schedules always begin and end in the same day. Recurring schedules are useful for defining the workday and off-work hours.

   28.2 Schedule Commands Summary
   The following table describes the values required for many schedule
2. 234 Chapter 25 User/Group
   Table 130 username/groupname Commands Summary: Users (continued)
   COMMAND / DESCRIPTION
   username <username> [no] logon-lease-time <0..1440>
     Sets the lease time for the specified user. Set it to zero to set unlimited lease time. The no command sets the lease time to five minutes (regardless of the current default setting for new users).
   username <username> [no] logon-re-auth-time <0..1440>
     Sets the reauthorization time for the specified user. Set it to zero to set unlimited reauthorization time. The no command sets the reauthorization time to thirty minutes (regardless of the current default setting for new users).

   25.2.2 User Group Commands
   This table lists the commands for groups.
   Table 131 username/groupname Commands Summary: Groups
   COMMAND / DESCRIPTION
   show groupname [groupname]
     Displays information about the specified user group or about all user groups set up in the ZyWALL.
   [no] groupname <groupname>
     Creates the specified user group if necessary and enters sub-command mode. The no command deletes the specified user group.
   [no] description <description>
     Sets the description for the specified user group. The no command clears the description for the specified user group.
   [no] groupname <groupname>
     Adds the specified user group (second groupname) to the specified user group (first groupname).
3. Router(policy-SSL_VPN_TES)# network-extension network NETWORK1
   Router(policy-SSL_VPN_TES)# eps activate
   Router(policy-SSL_VPN_TES)# eps 1 EPS_1
   Router(policy-SSL_VPN_TES)# exit
   6 Displays the SSL VPN rule settings.
   Router(config)# show sslvpn policy SSL_VPN_TEST
   index: 1
     active: yes
     name: SSL_VPN_TEST
     description: user Lester
     ssl application: none
     network extension: yes
     ip pool: IP_POOL
     dns server 1: DNS1
     dns server 2: DNS2
     wins server 1: none
     wins server 2: none
     network: NETWORK1
     cache clean: no
     eps periodical check activation: no
     eps periodical check: 1
     eps activation: yes
     eps: EPS_1
     reference count: 0
   Chapter 17 SSL VPN

   Chapter 18 L2TP VPN
   This chapter explains how to set up and maintain L2TP VPNs in the ZyWALL.

   18.1 L2TP VPN Overview
   L2TP VPN lets remote users use the L2TP and IPSec client software included with their computers' operating systems to securely connect to the network behind the ZyWALL. The remote users do not need their own IPSec gateways or VPN client software.
   Figure 21 L2TP VPN Overview [figure: L2TP tunnel from a remote user across the Internet to the ZyWALL]
   The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic between two peers over another network (like the I
4. You cannot set up a PPPoE/PPTP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPPoE/PPTP interface on top of it.
   Chapter 6 Interfaces

   6.2 Interface General Commands Summary
   The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
   Table 15 Input Values for General Interface Commands
   LABEL / DESCRIPTION
   interface_name
     The name of the interface.
     Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. ZyWALL USG 100 and 200 models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
     Virtual interface on top of Ethernet interface: add a colon (:) and the number of the virtual interface. For example, gex:y, x = 1..N, y = 1..4.
     VLAN interface: vlanx, x = 0..4094.
     Virtual interface on top of VLAN interface: vlanx:y, x = 0..4094, y = 1..4.
     Bridge interface: brx, x = 0..N, where N depends on the number of bridge interfaces your ZyWALL model supports.
     Virtual interface on top of bridge interface: brx:y, x = the number of the bridge.
     PPPoE/PPTP interface: pppx, x = 0..N, where N depe
5. Chapter 4 Status
   Here is an example of the command that displays the open ports.
   Router(config)# show socket open
   No  Proto  Local_Address        Foreign_Address     State
   1   tcp    172.23.37.240:22     172.23.37.10:1179   ESTABLISHED
   2   udp    127.0.0.1:64002      0.0.0.0:0
   3   udp    0.0.0.0:520          0.0.0.0:0
   4   udp    0.0.0.0:138          0.0.0.0:0
   5   udp    0.0.0.0:138          0.0.0.0:0
   6   udp    0.0.0.0:138          0.0.0.0:0
   7   udp    0.0.0.0:138          0.0.0.0:0
   8   udp    0.0.0.0:138          0.0.0.0:0
   9   udp    0.0.0.0:138          0.0.0.0:0
   10  udp    0.0.0.0:138          0.0.0.0:0
   11  udp    0.0.0.0:32779        0.0.0.0:0
   12  udp    192.168.1.1:4500     0.0.0.0:0
   13  udp    1 1 1 124500         0.0.0.0:0
   14  udp    10.0.0.8:4500        0.0.0.0:0
   15  udp    172.23.37.205:4500   0.0.0.0:0
   16  udp    172.23.37.240:4500   0.0.0.0:0
   17  udp    127.0.0.1:4500       0.0.0.0:0
   18  udp    127.0.0.1:63000      0.0.0.0:0
   19  udp    127003 1 630 01      00 00 50
   20  udp    127.0.0.1:63002      0.0.0.0:0
   21  udp    0.0.0.0:161          0.0.0.0:0
   22  udp    127.0.0.1:63009      0.0.0.0:0
   23  udp    192.168.1.1:1701     0.0.0.0:0
   24  udp    LohlolsT701          00 00 00
   25  udp    10.0.0.8:1701        0.0.0.0:0
   26  udp    LI2 23 337 42001104  0.0.0.0:0
   27  udp    172.23.37.240:1701   0.0.0.0:0
   28  udp    127.0.0.1:1701       0.0.0.0:0
   29  udp    127.0.0.1:63024      0.0.0.0:0
   30  udp    127.0.0.1:30000      0.0.0.0:0
   31  udp    dry Tel 53           0.0.0.0:0
   32  udp    175 2 52 3 31 2205253  0.0.0.0:0
   33  udp    10.0.0.8:53          0.0.0.0:0
   34  udp    172.23.37.240:53     0.0.0.0:0
   35  udp    192.168.1.1:53       0.0.0.0:0
   36  udp    ELLOS                0.0.0.0:0
   37  udp    0.0.0.0:67           0
6. Chapter 6 Interfaces
   Table 27 Cellular Interface Commands (continued)
   COMMAND / DESCRIPTION
   [no] pin <pin code>
     Sets or clears the PIN code for the cellular device's 3G card. Use 1-4 alphanumeric characters, underscores (_), or dashes (-).
   [no] remote-address ip
     Sets or clears the IP address of the cellular interface's peer (like a gateway or PPPoE server).
   interface cellular-budget-auto-save <5..1440>
     Sets how often (in minutes) the ZyWALL saves time and data usage records for a connection using the 3G card.
   show interface cellular [corresponding-slot | device-status | support-device]
     Shows the status of the specified cellular interface.
   show interface cellular corresponding-slot
     Shows which cellular interface is on which slot and whether which cellular interface has been configured.
   show interface cellular device-status
     Displays the installed SIM card and 3G card status.
   show interface cellular support-device
     Displays all 3G card models the ZyWALL can support.
   show interface cellular-budget-auto-save
     Displays how often (in minutes) the ZyWALL records time and data usage of your 3G budgets.
   show interface cellular status
     Displays the traffic statistics and connection status for your cellular interfaces. See Section 6.6.1 on page 70 for all possible cellular status descrip
7. mail-to-2:
   mail-to-3:
   mail-to-4: my-email@example.com
   mail-to-5:
   cpu-usage: yes
   mem-usage: yes
   session-usage: yes
   port-usage: yes
   idp-report: yes
   av-report: yes
   as-report: yes
   traffic-report: yes
   Router(config)# daily-report send-now

   39.3 Reboot
   Use this to restart the device (for example, if the device begins behaving erratically). If you made changes in the CLI, you have to use the write command to save the configuration before you reboot. Otherwise, the changes are lost when you reboot. Use the reboot command to restart the device.
   Chapter 39 Reports and Reboot

   Chapter 40 Session Timeout
   Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands.
   Table 192 Session Timeout Commands
   COMMAND / DESCRIPTION
   session-timeout {udp-connect <1..300> | udp-deliver <1..300> | icmp <1..300>}
     Sets the timeout for UDP sessions to connect or deliver, and for ICMP sessions.
   session-timeout {tcp-established | tcp-synrecv | tcp-close | tcp-finwait | tcp-synsent | tcp-closewait | tcp-lastack | tcp-timewait} <1..300>
     Sets the timeout for TCP sessions in the ESTABLISHED, SYN_RECV, FIN_WAIT, SYN_SENT, CLOSE_WAIT, LAST_ACK, or TIME_WAIT state.
   show session-timeout {udp | icmp | tcp ... timewait}
     Display
8. [no] passive-interface interface_name
     Sets the OSPF direction of the specified interface to in-only. The no command makes OSPF bi-directional in the specified interface.
   interface interface_name
     Enters sub-command mode.
   [no] ip ospf priority <0..255>
     Sets the priority of the specified interface to the specified value. The no command sets the priority to 1.
   [no] ip ospf cost <1..65535>
     Sets the cost to route packets through the specified interface. The no command sets the cost to 10.
   no ip ospf authentication
     Disables authentication for OSPF in the specified interface.
   ip ospf authentication
     Enables text authentication for OSPF in the specified interface.
   ip ospf authentication message-digest
     Enables MD5 authentication for OSPF in the specified interface.
   ip ospf authentication same-as-area
     To exchange OSPF routing information with peer border routers, you must use the same authentication method that they use. This command makes OSPF authentication in the specified interface follow the settings in the corresponding area.
   [no] ip ospf authentication-key password
     Sets the simple text password for OSPF text authentication in the specified interface. The no command clears the text password. password: 1-8 alphanumeric characters or underscores.
   Chapter 6 Interfaces
   Table 20 interface Commands: OSPF Settings (continued)
   COMMAND / DESCR
9. 209 Chapter 22 Content Filtering
   Use this command to display the settings of the profile.
   Router(config)# show content-filter profile sales_CF_PROFILE
   service active: yes
   url match block: no
   log: no
   url unrate block: no
   log: no
   service offline block: no
   log: no
   category settings:
     Adult/Mature Content: no
     Pornography: no
     Sex Education: no
     Intimate Apparel/Swimsuit: no
     Nudity: no
     Alcohol/Tobacco: no
     Illegal/Questionable: no
     Gambling: S dS
     Violence/Hate/Racism: no
     Weapons: no
     Abortion: no
     Hacking: no
     Phishing: no
     Arts/Entertainment: y he
     Business/Economy: no
     Alternative Spirituality/Occult: no
     Illegal Drugs: no
     Education: no
     Cultural/Charitable Organization: no
     Financial Services: no
     Brokerage/Trading: no
     Online Games: no
     Government/Legal: no
     Military: no
     Political/Activist Groups: no
     Health: no
     Computers/Internet: no
     Search Engines/Portals: no
     Spyware/Malware Sources: no
     Spyware Effects/Privacy Concerns: no
     Job Search/Careers: no
     News/Media: no
     Personals/Dating: no
     Reference: no
     Open Image/Media Search: no
     Chat/Instant Messaging: no
     Email: no
     Blogs/Newsgroups: no
     Religion: no
     Social Networking: no
     Online Storage: no
     Remote Access Tools: no
     Shopping: no
     Auctions: no
     Real Estate: no
     Society/Lifestyle: no
     Sexuality/Alternative Lifestyles: no
     Restaurants/Dining/Food
10. Chapter 6 Interfaces
    The following commands show you how to connect and disconnect ppp0.
    Router# interface dial ppp0
    Router# interface disconnect ppp0

    6.6 Cellular Interface Specific Commands
    Use a 3G (Third Generation) cellular device with the ZyWALL for wireless broadband Internet access. Use these commands to add, edit, dial, disconnect, or delete cellular interfaces. When you add a new cellular interface, make sure you enter the account. You must use the configure terminal command to enter the configuration mode before you can use these commands.
    Table 27 Cellular Interface Commands
    COMMAND / DESCRIPTION
    [no] interface interface_name
      Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface.
    [no] account profile_name
      Specifies the ISP account for the specified cellular interface. The no command clears the ISP account field.
    [no] band {auto | wcdma | gsm}
      Sets or clears the cellular band that the cellular interface uses. auto has the ZyWALL always use the fastest network that is in range. gsm has this interface only use a 2.5G or 2.75G network (respectively). If you only have a GSM network available to you, you may want to use this so the ZyWALL does not spend time looking for a WCDMA network. wcdma has this interface only use a 3G or 3.5G network (respectively). You may want to use this if you want to make s
11. COMMAND / DESCRIPTION
    [no] server group-attribute <1..255>
      Sets the value of an attribute that the ZyWALL uses to determine to which group a user belongs. This attribute's value is called a group identifier. You can add ext-group-user user objects to identify groups based on different group identifier values. For example, you could configure attributes 1, 10 and 100 and create an ext-group-user user object for each of them. The no command clears the setting.
    [no] server host radius_server
      Enter the IP address (in dotted decimal notation) or the domain name of a RADIUS server to add to this server group. The no command clears this setting.
    [no] server key secret
      Sets a password (up to 15 alphanumeric characters) as the key to be shared between the RADIUS server(s) and the ZyWALL. The no command clears this setting.
    [no] server timeout time
      Sets the search timeout period (in seconds). Enter a number between 1 and 300. The no command clears this setting and sets this to the default setting of 5 seconds.

    29.2.8 aaa group server Command Example
    The following example creates a RADIUS server group with two members and sets the secret key to 12345678 and the timeout to 100 seconds. Then this example also shows how to view the RADIUS group settings.
    Router# configure terminal
    Router(config)# aaa group server radius RADIUSGroup1
    Router(group-server-radius)# server host 192.168.1.100 auth-port 1812
12. [no] session-limit activate
      Turns the session limit feature on or off.
    session-limit limit <0..8192>
      Sets the default number of concurrent NAT/firewall sessions per host.
    session-limit rule_number
      Enters the session-limit sub-command mode to set a session limit rule.
      [no] activate
        Enables the session limit rule. The no command disables the session limit rule.
      [no] address address_object
        Sets the source IP address. The no command sets this to any, which means all IP addresses.
      [no] description description
        Sets a descriptive name (up to 64 printable ASCII characters) for a session limit rule. The no command removes the descriptive name from the rule.
      exit
        Quits the firewall sub-command mode.
      [no] limit <0..8192>
        Sets the limit for the number of concurrent NAT/firewall sessions this rule's users or addresses can have. 0 means any.
      [no] user user_name
        Sets a session limit rule for the specified user. The no command resets the user name to the default (any). any means all users.
    session-limit append
      Enters the session-limit sub-command mode to add a session limit rule to the end of the session limit rule list.
    session-limit delete rule_number
      Removes a session limit rule.
    session-limit flush
      Removes all session limit rules.
    session-limit insert rule_number
      Enters the session-limit sub-command mode to add a session limit rule b
13. The name of the zone. The ZyWALL USG 100 and 200 models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT, and WAN.

    23.2.1 General Anti-Spam Commands
    The following table describes general anti-spam commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
    Table 114 General Anti-Spam Commands
    COMMAND / DESCRIPTION
    [no] anti-spam activate
      Enables or disables anti-spam service.
    show anti-spam activation
      Displays anti-spam service status.
    Chapter 23 Anti-Spam

    23.2.1.1 Activate/Deactivate Anti-Spam Example
    This example shows how to activate and deactivate anti-spam on the ZyWALL.
    Router# configure terminal
    Router(config)# anti-spam activate
    Router(config)# show anti-spam activation
    anti-spam activation: yes
    Router(config)# no anti-spam activate
    Router(config)# show anti-spam activation
    anti-spam activation: no
    Router(config)#

    23.2.2 Zone to Zone Anti-Spam Rules
    The following table describes the commands for configuring the zone to zone rules. You must use the configure terminal command to enter the configuration mode before you can use these commands.
    Table 115 Commands for Zone to Zone Anti-Spam Rules
    COMMAND / DESCRIPTION
    anti-spam rule append
      Enters the anti-spam sub-command mode to add a direction-specific rule
14. Chapter 38 Logs
    This table lists the commands for setting how often to send information to the VRPT (ZyXEL's Vantage Report) server.
    Table 185 logging Commands: VRPT Settings
    COMMAND / DESCRIPTION
    vrpt send device-information interval <15..3600>
      Sets the interval (in seconds) for how often the ZyWALL sends a device information log to the VRPT server.
    vrpt send interface-statistics interval <15..3600>
      Sets the interval (in seconds) for how often the ZyWALL sends an interface statistics log to the VRPT server.
    vrpt send system-status interval <15..3600>
      Sets the interval (in seconds) for how often the ZyWALL sends a system status log to the VRPT server.
    show vrpt send device-information interval
      Displays the interval (in seconds) for how often the ZyWALL sends a device information log to the VRPT server.
    show vrpt send interface-statistics interval
      Displays the interval (in seconds) for how often the ZyWALL sends an interface statistics log to the VRPT server.
    show vrpt send system-status interval
      Displays the interval (in seconds) for how often the ZyWALL sends a system status log to the VRPT server.

    38.1.4 E-mail Profile Commands
    This table lists the commands for the e-mail profile settings.
    Table 186 logging Commands: E-mail Profile Settings
    COMMAND / DESCRIPTION
    show logging status mail
      Displays the current settings f
15. address_object
      The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
    rule_number
      The number of a service control rule. 1-X where X is the highest number of rules the ZyWALL model supports.
    zone_object
      The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 100 and 200 models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT, and WAN.

    36.3 HTTP/HTTPS Commands
    The following table describes the commands available for HTTP/HTTPS. You must use the configure terminal command to enter the configuration mode before you can use these commands.
    Table 166 Command Summary: HTTP/HTTPS
    COMMAND / DESCRIPTION
    [no] ip http authentication auth_method
      Sets an authentication method used by the HTTP/HTTPS server. The no command resets the authentication method used by the HTTP/HTTPS server to the factory default (default).
      auth_method: The name of the authentication method. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
    [no] ip http port <1..65535>
      Sets the HTTP service port number. The no command resets the HTTP service port number
16. Chapter 6 Interfaces
    Table 18 Examples for Different Interface Parameters (continued; the previous columns are ETHERNET, VIRTUAL INTERFACE and PPPOE/PPTP)
    CELLULAR
      Router(config)# interface cellular1
      Router(config-if-cellular)#
        account, band, budget, connectivity, description, device, downstream, exit, local-address, metric, mtu, no, pin, ping-check, remote-address, shutdown, traffic-prioritize, upstream
    WLAN
      Router(config)# interface wlan-1-1
      Router(config-if-wlan)#
        block-intra, description, downstream, exit, group-key, hide, idle, ip, mtu, no, ping-check, reauth, security, shutdown, ssid, station-limit, traffic-prioritize, upstream, wep-key
    VLAN
      Router(config)# interface vlan1
      Router(config-if-vlan)#
        description, downstream, exit, ip, mss, mtu, no, ping-check, port, shutdown, traffic-prioritize, upstream, vlan-id
    BRIDGE
      Router(config)# interface br0
      Router(config-if-brg)#
        description, downstream, exit, ip, join, mss, mtu, no, ping-check, shutdown, traffic-prioritize, upstream
    AUXILIARY
      Router(config)# interface aux
      Router(config-if-aux)#
        authentication, description, dial-timeout, dialing-type, exit, idle, initial-string, no, password, phone-number, port-speed, shutdown, traffic-prioritize, username

    6.2.4 RIP Commands
    This table lists the commands for RIP settings.
    Table 19 interface Commands: RIP Settings
    COMMAND / DESCRIPTION
    router rip
      Enters sub-command mode.
    [no] network interface_name
      Enables RIP for the specified interface. The no command disables RIP for the specified interface.
    no
17. Enable/Display the ignoring of ARP responses for interfaces which don't own the IP address. Linux command equivalent: cat /proc/sys/net/ipv4/conf/arp_ignore
    Chapter 2 User and Privilege Modes
    Table 5 Debug Commands (continued)
    COMMAND SYNTAX / DESCRIPTION / LINUX COMMAND EQUIVALENT
    debug [no] myzyxel-server
      Set the myZyXEL.com registration/update server to the official site.
    debug policy-route
      Policy route debug command.
    debug reset content-filter profiling
      Content Filtering debug commands.
    debug service-register
      Service registration debug command.
    debug show content-filter server
      Category-based content filtering debug command.
    debug show myzyxel-server status
      myZyXEL.com debug commands.
    debug show ipset
      Lists the ZyWALL's received cards.
    debug show myzyxel-server status
      myZyXEL.com debug commands.
    debug sslvpn
      SSL VPN debug commands.
    debug [cmdexec | corefile | ip | kernel | mac-id-rewrite | observer | switch | system | zyinetpkt | zysh-ipt-op]
      ZLD internal debug commands.
    debug update server
      Update server debug command.

    Chapter 3 Object Reference
    This chapter describes how to use object reference commands.

    3.1 Object Reference Commands
    The object reference commands are used to see which configuration settings reference a specific object. You can use this t
18. Select the authentication requirement for users when their traffic matches this policy. The no command means user authentication is not required.
      force: Users need to be authenticated, and the ZyWALL automatically displays the login screen when users who have not logged in yet try to send HTTP traffic.
      required: Users need to be authenticated. They must manually go to the login screen. The ZyWALL will not redirect them to the login screen.
    [no] description description
      Sets the description for the specified condition. The no command clears the description.
      description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
    [no] destination {address_object | group_name}
      Sets the destination criteria for the specified condition. The no command removes the destination criteria, making the condition effective for all destinations.
    [no] eps <1..8> eps_object_name
      Associates the specified End Point Security (EPS) object with the specified condition. The ZyWALL checks authenticated users' computers against the condition's endpoint security objects in the order of 1 to 8. You have to configure order 1 and then the others (if any). The no command means to deassociate the specified EPS rule with the condition. To apply EPS for this condition, you have to also make sure you enable EPS and set authentication to either required or force for this condition.
    no
19. Sets the ZyWALL to create a log (and optionally an alert) when packets match this rule. The no command sets the ZyWALL not to create a log or alert when packets match this rule.
    [no] schedule schedule_object
      Sets the schedule that the rule uses. The no command removes the schedule settings from the rule.
    [no] service service_name
      Sets the service to which the rule applies. The no command resets the service settings to the default (any). any means all services.
    [no] sourceip address_object
      Sets the source IP address(es). The no command resets the source IP address(es) to the default (any). any means all IP addresses.
    [no] sourceport {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>}
      Sets the source port for a firewall rule. The no command removes the source port from the rule.
    [no] to {zone_object | ZyWALL}
      Sets the zone to which the packets are sent. The no command removes the zone to which the packets are sent and resets it to the default (any). any means all interfaces or VPN tunnels.
    [no] user user_name
      Sets a user-aware firewall rule. The rule is activated only when the specified user logs into the system. The no command resets the user name to the default (any). any means all users.
    Chapter 15 Firewall

    15.2.2 Firewall Command Examples
    The following example shows you how to add a firewall rule to allow a My
20. Chapter 22 Content Filtering
    1 First create a sales address object. This example uses a subnet that covers IP addresses 172.21.3.1 to 172.21.3.254.
    2 Then create a schedule for all day.
    3 Create a filtering profile for the group.
    4 You can use the following commands to block sales from accessing adult and pornography websites.
    5 Enable the external web filtering service.
    Note: You must register for the external web filtering service before you can use it (see Chapter 5 on page 37).
    6 You can also customize the filtering profile. The following commands block active-X, java and proxy access.
    7 Activate the customization.
    Router# configure terminal
    Router(config)# address-object sales 172.21.3.0/24
    Router(config)# schedule-object all_day 00:00 23:59
    Router(config)# content-filter profile sales_CF_PROFILE
    Router(config)# content-filter profile sales_CF_PROFILE url-category adult-mature-content
    Router(config)# content-filter profile sales_CF_PROFILE url-category pornography
    Router(config)# content-filter profile sales_CF_PROFILE url url-server
    Router(config)# content-filter profile sales_CF_PROFILE custom java
    Router(config)# content-filter profile sales_CF_PROFILE custom activex
    Router(config)# content-filter profile sales_CF_PROFILE custom proxy
    Router(config)# content-filter profile sales_CF_PROFILE custom
21. 1 If your computer is connected to the ZyWALL over the Internet, skip to the next step. Make sure your computer IP address and the ZyWALL IP address are on the same subnet.
    2 In Windows, click Start (usually in the bottom left corner) and Run. Then type telnet and the ZyWALL's IP address. For example, enter telnet 192.168.1.1 (the default management IP address).
    3 Click OK. A login screen displays. Enter the user name and password at the prompts.
    Note: The default login username is admin and password is 1234. The username and password are case-sensitive.

    1.2.4 SSH (Secure SHell)
    You can use an SSH client program to access the CLI. The following figure shows an example using a text-based SSH client program. Refer to the documentation that comes with your SSH program for information on using it.
    Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
    15 Chapter 1 Command Line Interface
    Figure 8 SSH Login Example
    C:\>ssh2 admin@192.168.1.1
    Host key not found from database.
    Key fingerprint:
    xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex
    You can get a public key's fingerprint by running
    % ssh-keygen -F publickey.pub
    on the keyfile.
    Are you sure you want to continue connecting (yes/no)? yes
    Host key saved to C:\Documents and Settings\user\Application Data\SSH\hostkeys\ey_22_192.168.1.1.pu
22. Displays the system-protect profile details.

    21.3.6 Signature Search
    Use this command to search for signatures in the named profile.
    Note: It is recommended you use the web configurator to search for signatures.
    Table 101 Signature Search Command
    COMMAND / DESCRIPTION
    idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log-alert} action action_mask
      Searches for signature(s) in a profile by the parameters specified. The quoted string is any text within the signature name in quotes. For example, idp search LAN_IDP name "WORM" sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text "worm" within the signature name.
    idp search system-protect my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log-alert} action action_mask
      Searches for signature(s) in a system-protect profile by the parameters specified. The quoted string is any text within the signature name in quotes. For example, idp search LAN_IDP name "WORM" sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in t
23. [dialogs: "Publisher authenticity can not be verified. Security Information. Do you want to trust the signed applet distributed by ZyXEL?"; "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?" (Yes / No / More Info)]
    Chapter 1 Command Line Interface
    Figure 4 Web Console: User Name [dialog: Please Input User Name / User Name / OK]
    5 Enter the user name you want to use to log in to the console. The console begins to connect to the ZyWALL.
    Note: The default login username is admin. It is case-sensitive.
    Figure 5 Web Console: Connecting [dialog: Connecting to ZyWALL 1050 / 172.23.19.244:22]
    Then the Password screen appears.
    Figure 6 Web Console: Password [dialog: Password Authentication / User: admin / Password / Cancel]
    6 Enter the password for the user name you specified earlier and click OK. If you enter the password incorrectly, you get an error message and you may have to close the console window and open it again. If you enter the password correctly, the console screen appears.
    Chapter 1 Command Line Interface
    Figure 7 Web Console [console window: 172.23.19.244:22]
    7 To use most commands in this User's Guide, enter configure terminal. The prompt should change to Router(config)#.

    1.2.3 Telnet
    Use the following steps to Telnet into your ZyWALL.
24. Router(config)# anti-spam dnsbl query-timeout action pop3 forward-with-tag
    Router(config)# show anti-spam dnsbl query-timeout
    anti-spam dnsbl query timeout pop3: forward-with-tag
    Router(config)# anti-spam dnsbl max-query-ip 4
    Router(config)# show anti-spam dnsbl max-query-ip
    anti-spam dnsbl max query ip: 4
    Router(config)# anti-spam dnsbl ip-check-order forward
    Router(config)# show anti-spam dnsbl ip-check-order
    anti-spam dnsbl IP check order: forward
    Router(config)# anti-spam tag dnsbl DNSBL
    Router(config)# show anti-spam tag dnsbl
    anti-spam tag dnsbl: DNSBL
    Router(config)# anti-spam tag dnsbl-timeout DNSBL-timeout
    Router(config)# show anti-spam tag dnsbl-timeout
    anti-spam tag dnsbl timeout: DNSBL-timeout
    Router(config)# show anti-spam dnsbl statistics
    DNSBL domain   average time   total query   spam   clear   no timeout   timeout   no response
    example.com    0.00           0             0      0       0            0         0

    23.3 Anti-Spam Statistics
    The following table describes the commands for collecting and displaying anti-spam statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands.
    Table 120 Commands for Anti-Spam Statistics
    COMMAND / DESCRIPTION
    [no] anti-spam statistics collect
      Turns the collection of anti-spam statistics on or off.
    anti-spam statistics flush
      Clears the collected statistics.
    show anti-spam statistics su
25. Router(config)# address-objec
    Router(config)# address-objec
    Router(config)# policy insert 1
    Router(policy-route)# description example
    Router(policy-route)# destination any
    Router(policy-route)# interface ge1
    Router(policy-route)# next-hop gateway GW_1
    Router(policy-route)# snat outgoing-interface
    Router(policy-route)# source TW_SUBNET
    Router(policy-route)# exit
    Router(config)# show policy-route 1
    index: 1
      active: yes
      description: example
      user: any
      schedule: none
      interface: ge1
      tunnel: none
      sslvpn: none
      source: TW_SUBNET
      destination: any
      DSCP code: any
      service: any
      nexthop type: Gateway
      nexthop: GW_1
      nexthop state: Not support
      auto destination: no
      bandwidth: 0
      bandwidth priority: 0
      maximize bandwidth usage: no
      SNAT: outgoing-interface
      DSCP marking: preserve
      amount of port trigger: 0
    Router(config)#

    8.3 IP Static Route
    The ZyWALL has no knowledge of the networks beyond the network that is directly connected to the ZyWALL. For instance, the ZyWALL knows about network N2 in the following figure through gateway R1. However, the ZyWALL is unable to route a packet to network N3 because it doesn't know that there is a route through the same gateway R1 (via gateway R2). The static routes are for you to tell the ZyWALL about the networks beyond the network connected to the ZyWALL directly.
    94 Chapter 8 Rou
26. This example shows how to change the user-defined name of an interface from VIP to Partner. Note that you have to use the interface rename command if you do not know the system name of the interface. To use the interface name command you have to find out the corresponding system name first (ge4 in this example). The example also shows how to change the user-defined name from Partner to Customer using the interface name command.

Router(config)# interface rename VIP Partner
Router(config)# show interface-name
No.  System Name  User Defined Name
1    ge1          ge1
2    ge2          ge2
3    ge3          ge3
4    ge4          Partner
5    ge5          ge5
Router(config)# interface name ge4 Customer
Router(config)# show interface-name
No.  System Name  User Defined Name
1    ge1          ge1
2    ge2          ge2
3    ge3          ge3
4    ge4          Customer
5    ge5          ge5

This example shows how to restart an interface. You can check all interface names on the ZyWALL, then use either the system name or the user-defined name of an interface (ge4 or Customer in this example) to restart it.

Router> show interface-name
No.  System Name  User Defined Name
1    ge1          ge1
2    ge2          ge2
3    ge3          ge3
4    ge4          Customer
5    ge5          ge5
Router> configure terminal
Router(config)# interface reset ge4
Router(config)# interface reset Customer
Router(config)#

6.2.2 DHCP Setting Commands

This table lists DHCP
27. daily-report [no] mail-subject append date-time
    Determines whether the sending date and time will be appended to the subject of the report e-mails.
daily-report mail-from e_mail
    Sets the sender address of the report e-mails.
daily-report mail-to-1 e_mail
    Sets to whom the ZyWALL sends the report e-mails (up to five recipients).
daily-report mail-to-2 e_mail
daily-report mail-to-3 e_mail
daily-report mail-to-4 e_mail
daily-report mail-to-5 e_mail
    See above.
daily-report [no] item cf-report
    Determines whether or not content filtering statistics are included in the report e-mails.
daily-report [no] item cpu-usage
    Determines whether or not CPU usage statistics are included in the report e-mails.
daily-report [no] item mem-usage
    Determines whether or not memory usage statistics are included in the report e-mails.

Table 191 Email Daily Report Commands (continued)
daily-report [no] item session-usage
    Determines whether or not session usage statistics are included in the report e-mails.
daily-report [no] item port-usage
    Determines whether or not port usage statistics are included in the report e-mails.
daily-report [no] item idp-report
    Determines whether or not IDP statistics are included in the report e-mails.
d
28. dn distinguished_name}: the specified IP address, domain name or e-mail address.
peer-id type {any | ip ip | fqdn domain_name | mail e_mail | dn distinguished_name}
    Sets the peer ID type and content to any value, the specified IP address, domain name or e-mail address.
[no] xauth type {server xauth_method | client name username password password}
    Enables extended authentication and specifies whether the ZyWALL is the server or the client. If the ZyWALL is the server, it also specifies the extended authentication method (aaa authentication profile_name). If the ZyWALL is the client, it also specifies the username and password to present to the remote IPSec router. The no command disables extended authentication.
    username: You can use alphanumeric characters, underscores (_) and dashes (-), up to 31 characters.
    password: You can use most printable ASCII characters. You cannot use square brackets, double quotation marks, question marks, tabs or spaces. It can be up to 31 characters long.
isakmp policy rename policy_name policy_name
    Renames the specified IKE SA (first policy_name) to the specified name (second policy_name).

Chapter 16 IPSec VPN

16.2.2 IPSec SA Commands (except Manual Keys)

This table lists the commands for IPSec SAs, excluding manual keys (VPN connections using VPN gateways).

Table 69 crypto Commands IPS
29. List of Commands (Alphabetical), excerpt (page numbers refer to the printed guide; entries that could not be recovered from the scan are omitted):
anti-virus black-list replace old_av_file_pattern new_av_file_pattern {activate | deactivate}    179
anti-virus rule move    177
anti-virus search signature all category category_id id id name name severity severity    180
anti-virus update daily <0-23>    180
anti-virus update hourly    180
anti-virus update signatures    180
anti-virus update weekly {sun | mon | tue | wed | thu | fri | sat} <0-23>    180
anti-virus white-list replace old_av_file_pattern new_av_file_pattern {activate | deactivate}    178
30. List of Commands (Alphabetical), excerpt (page numbers refer to the printed guide; unrecoverable entries omitted):
scan-detection sensitivity {low | medium | high}    187
scenario {site-to-site-static | site-to-site-dynamic | remote-access-server | remote-access-client}    140
schedule-object object_name date time date time    250
schedule-object object_name time time {day day day day day day day}    250
security mode {none | wep | wpa | wpa2 | wpa-wpa2}    75
security wep <64 | 128> default-key    75
security wpa {tkip | aes} eap internal profile_name tls cert certificate_name    75
security wpa {tkip | aes} psk key psk_key    75
security wpa2 {tkip | aes} eap internal profile_name tls cert certificate_name    75
security wpa2 {tkip | aes} psk key psk_key    75
security wpa-wpa2 {tkip | aes} eap external    75
security wpa-wpa2 {tkip | aes} eap internal profile_name tls cert certificate_name    75
security wpa-wpa2 {tkip | aes} psk key psk_key    75
server-type file-shari
31. 1.2.2 Web Configurator Console

Note: Before you can access the CLI through the web configurator, make sure your computer supports the Java Runtime Environment. You will be prompted to download and install the Java plug-in if it is not already installed.

When you access the CLI using the web console, your computer establishes an SSH (Secure SHell) connection to the ZyWALL. Follow the steps below to access the web console.

1. Log into the web configurator.
2. Click the Console icon in the top right corner of the web configurator screen.
3. If the Java plug-in is already installed, skip to step 4. Otherwise you will be prompted to install the Java plug-in. If the prompt does not display and the screen remains gray, you have to download the setup program.
4. The web console starts. This might take a few seconds. One or more security screens may display. Click Yes or Always.

Figure 3 Web Console Security Warnings (three dialogs: "Do you want to trust the signed applet distributed by" the applet's publisher; "Do you want to accept the certificate from web site ZyWALL 1050 Factory Default Certificate for the purpose of exchanging encrypted information"; and a Hostname Mismatch warning). The certificate and hostname warnings appear because the factory default certificate is not signed by an authority your computer trusts and the name in it does not match the hostname you connected to, so the browser cannot confirm on its own that it reached the ZyWALL you intended.

Finally the User Name screen appears.
32. 226 87.0 Mbytes free disk space
226 File successfully transferred
226 3.231 seconds (measured here), 10.83 Mbytes per second
36708858 bytes sent in 3.23 seconds (11350.91 Kbytes/sec)

8. After the transfer is complete, "Firmware received" or "ZLD-current received" displays. Wait up to four minutes while the ZyWALL recovers the firmware.

Figure 43 Firmware Received and Recovery Started
Firmware received
Update Filesystem
Updating Code

9. The console session displays "done" when the firmware recovery is complete. Then the ZyWALL automatically restarts.

Figure 44 Firmware Recovery Complete and Restart
Kernel: Extracting Kernel Image: done
Writing Kernel Image: done
BootModule: Extracting BootModule Image: done
Writing BootModule
Restarting system.

10. The username prompt displays after the ZyWALL starts up successfully. The firmware recovery process is now complete and the ZyWALL is ready to use.

Figure 45 Restart Complete
Setting the System Clock using the Hardware Clock as reference
System Clock set. Local time: Sun Jan 26 21:40:24 UTC 2003
Cleaning: /tmp /var/lock /var/run
Initializing random number generator: done
Initializing Debug Account Authentication Seed (DAAS): done
Lionic device init successfully
cavium nitrox device C
33. List of Commands (Alphabetical), excerpt (page numbers refer to the printed guide; unrecoverable entries omitted):
no anti-virus white-list file-pattern av_file_pattern {activate | deactivate}    178
no app protocol_name default-port    162
no app protocol_name log alert    163
no application forbidden-process process_name    279
no application trusted-process process_name    279
34. mac_address
    A MAC address or MAC prefix given as an even number of hexadecimal digits, 0 to 12 of them, for example aa, aabbcc or aabbccddeeff.

1.8 Ethernet Interfaces

How you specify an Ethernet interface depends on the ZyWALL model.
- For the ZyWALL USG 300 and above, use gex, x = 1 to N, where N is the highest-numbered Ethernet interface for your ZyWALL model.
- The ZyWALL USG 100 and 200 models use a name such as wan1, wan2, opt, lan1, ext-wlan or dmz.

1.9 Saving Configuration Changes

Use the write command to save the current configuration to the ZyWALL.

Note: Always save your changes before you log out after each management session. All unsaved changes are lost when the system restarts.

1.10 Logging Out

Enter the exit or end command in configure mode to go to privilege mode. Enter the exit command in user mode or privilege mode to log out of the CLI.

Chapter 2 User and Privilege Modes

This chapter describes how to use these two modes.

2.1 User And Privilege Modes

User mode is the mode you are in when you first log into the CLI. Do not confuse user mode with the types of user accounts the ZyWALL uses; see Chapter 25 on page 233 for more information about the user types. User-type accounts can only run exit in this mode. However
35. Table 190 Input Values for Email Daily Report Commands
e_mail
    An e-mail address. You can use up to 80 alphanumeric characters, underscores (_), periods or dashes, and you must use the @ character.

Use these commands to have the ZyWALL e-mail you system statistics every day. You must use the configure terminal command to enter configuration mode before you can use these commands.

Table 191 Email Daily Report Commands
daily-report [no] activate
    Turns daily e-mail reports on or off.
show daily-report status
    Displays the e-mail daily report settings.
daily-report smtp-address {ip | hostname}
    Sets the SMTP mail server IP address or domain name.
daily-report [no] smtp-auth activate
    Enables or disables SMTP authentication.
daily-report smtp-auth username username password password
    Sets the username and password for SMTP authentication.
daily-report no smtp-address
    Resets the SMTP mail server configuration.
daily-report no smtp-auth username
    Resets the authentication configuration.
daily-report mail-subject set subject
    Configures the subject of the report e-mails.
daily-report no mail-subject set
    Clears the configured subject for the report e-mails.
daily-report [no] mail-subject append system-name
    Determines whether the system name will be appended to the subject of the report e-mails.
36. anti-spam rule insert rule_number
    Enters the anti-spam sub-command mode to add a direction-specific rule.
anti-spam rule rule_number
    Enters the anti-spam sub-command mode to edit the specified direction-specific rule.
[no] activate
    Turns a direction-specific anti-spam rule on or off.
[no] log [alert]
    Sets the ZyWALL to create a log (and optionally an alert) when packets match this rule and are found to be spam. The no command sets the ZyWALL not to create a log or alert when packets match this rule.
[no] from zone_object
    Sets the zone on which the packets are received. The no command removes the zone setting; this is equal to any, so the rule applies to packets received from any zone.
[no] to zone_object
    Sets the zone to which the packets are sent. The no command removes the zone setting; this is equal to any, so the rule applies to all packets the ZyWALL sends out.
[no] scan {smtp | pop3}
    Sets the protocols of traffic to scan for spam.
[no] match-action smtp {drop | forward | forward-with-tag}
    Sets the action to take when the ZyWALL detects a spam SMTP e-mail. The e-mail can be dropped, forwarded, or forwarded with a spam tag.
[no] bypass {white-list | black-list | dnsbl}
    Bypassing has the ZyWALL not check e-mail against your configured white (allowed) list, black (spam) list or DNSBL server list.
show
    Displays the details of the anti-spam rule you are configu
37. [no] scan-detection udp-xxx activate [log [alert]] [block]
    Activates or deactivates UDP scan detection options, where udp-xxx is one of udp-portscan, udp-decoy-portscan, udp-portsweep, udp-distributed-portscan, udp-filtered-portscan, udp-filtered-decoy-portscan, udp-filtered-distributed-portscan or udp-filtered-portsweep. Also sets UDP scan detection logs or alerts and blocking. no deactivates UDP scan detection, its logs, alerts or blocking.
[no] scan-detection ip-xxx activate [log [alert]] [block]
    Activates or deactivates IP scan detection options, where ip-xxx is one of ip-protocol-scan, ip-decoy-protocol-scan, ip-protocol-sweep, ip-distributed-protocol-scan, ip-filtered-protocol-scan, ip-filtered-decoy-protocol-scan, ip-filtered-distributed-protocol-scan or ip-filtered-protocol-sweep. Also sets IP scan detection logs or alerts and blocking. no deactivates IP scan detection, its logs, alerts or blocking.
[no] scan-detection {icmp-sweep | icmp-filtered-sweep} activate [log [alert]] [block]
    Activates or deactivates ICMP scan detection options. Also sets ICMP scan detection logs or alerts and blocking. no deactivates ICMP scan detection, its logs, alerts or blocking.

Table 99 Editing/Creating Anomaly Profiles (continued)
[no] scan-detection open-port activate [log [alert]] [block]
    Activates or deactivates open port scan detection options
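The scan-detection options above name three shapes of probing (a portscan walks many ports on one host, a portsweep hits one port on many hosts, a distributed portscan spreads the port walk over several sources) and a "filtered" variant of each, where the targets never answer. The following Python is an added example, not code from the guide or from ZyXEL, that classifies a constructed probe log into those categories with fixed time windows and simple thresholds. The thresholds, the window size and the rule that "filtered" means at most 20% of probes were answered are assumptions chosen for the demonstration; the ZyWALL's own detector and its sensitivity setting are not described on this page. Decoy scans are not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    ts: float       # seconds
    src: str
    dst: str
    dport: int
    replied: bool   # True if the target answered; False if the port/host stayed silent (filtered)
    proto: str = "tcp"


@dataclass
class Thresholds:
    window: float = 60.0         # seconds; probes are grouped into fixed windows (assumption)
    ports: int = 10              # distinct ports on one target within a window => portscan
    hosts: int = 10              # distinct targets on one port within a window => portsweep
    min_sources: int = 3         # sources needed before a scan is called distributed
    filtered_ratio: float = 0.2  # at most this fraction of probes answered => 'filtered' variant


def _kind(base, probes, th):
    """Prefix 'filtered-' when the scanner got (almost) no answers, mirroring the filtered-* options."""
    answered = sum(1 for p in probes if p.replied) / len(probes)
    return f"{probes[0].proto}-{'filtered-' if answered <= th.filtered_ratio else ''}{base}"


def detect_scans(probes, th=Thresholds()):
    """Return sorted (kind, source, target) alerts found in the probe list."""
    windows = defaultdict(list)
    for p in probes:
        windows[(p.proto, int(p.ts // th.window))].append(p)

    alerts = set()
    for bucket in windows.values():
        by_pair, by_port, by_dst = defaultdict(list), defaultdict(list), defaultdict(list)
        for p in bucket:
            by_pair[(p.src, p.dst)].append(p)
            by_port[(p.src, p.dport)].append(p)
            by_dst[p.dst].append(p)

        # portscan: one source walks many ports on one target
        for (src, dst), ps in by_pair.items():
            if len({p.dport for p in ps}) >= th.ports:
                alerts.add((_kind("portscan", ps, th), src, dst))

        # portsweep: one source probes one port on many targets
        for (src, dport), ps in by_port.items():
            if len({p.dst for p in ps}) >= th.hosts:
                alerts.add((_kind("portsweep", ps, th), src, f"port {dport}"))

        # distributed portscan: several sources share the port walk so that no
        # single source crosses the portscan threshold on its own
        for dst, ps in by_dst.items():
            srcs = sorted({p.src for p in ps})
            per_src = max(len({p.dport for p in ps if p.src == s}) for s in srcs)
            if (len(srcs) >= th.min_sources and per_src < th.ports
                    and len({p.dport for p in ps}) >= th.ports):
                alerts.add((_kind("distributed-portscan", ps, th), ",".join(srcs), dst))
    return sorted(alerts)


def sample_probes():
    """Constructed traffic (not a real capture): a SYN scan, a silent SSH sweep and a three-host distributed scan."""
    probes, t = [], 0.0
    for port in range(1, 13):                        # 10.0.0.5 walks 12 ports on one host, all answer
        probes.append(Probe(t, "10.0.0.5", "10.1.1.10", port, True)); t += 0.1
    for host in range(1, 13):                        # 10.0.0.6 probes port 22 on 12 hosts, nothing answers
        probes.append(Probe(t, "10.0.0.6", f"10.1.2.{host}", 22, False)); t += 0.1
    for i, src in enumerate(("10.0.0.7", "10.0.0.8", "10.0.0.9")):  # 4 ports each, 12 in total
        for port in range(80 + 4 * i, 84 + 4 * i):
            probes.append(Probe(t, src, "10.1.1.20", port, True)); t += 0.1
    return probes


if __name__ == "__main__":
    for alert in detect_scans(sample_probes()):
        print(alert)
```

Running it reports one tcp-portscan, one tcp-filtered-portsweep and one tcp-distributed-portscan. The same logic applies to the udp-* options by tagging probes with proto="udp"; the ip-protocol-* and icmp-* options count protocol numbers or ICMP echo targets in place of ports.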
38. List of Commands (Alphabetical), excerpt (page numbers refer to the printed guide; unrecoverable entries omitted):
username username user-type {admin | ext-user | guest | limited-admin | user}    234
users default-setting [no] logon-lease-time <0-1440>    235
users default-setting [no] logon-re-auth-time <0-1440>    235
users default-setting [no] user-type {admin | ext-user | guest | limited-admin | user}    236
users force-logout {ip | username}    239
vpn-concentrator rename profile_name profile_name    143
vrpt send device-information interval <15-3600>    332
vrpt send interface-statistics interval <15-3600>    332
vrpt send system-status interval <15-3600>    332
windows-version {windows-2000 | windows-xp | windows-2003 | windows-2008 | windows-vista | windows-7 | windows-2008r2}    280
wlan-mac-filter associate {allow | deny}
zone profile_name    102
39. (tail of show content-filter profile output)
Sports/Recreation/Hobbies: no
Travel: no
Vehicles: no
Humor/Jokes: no
Software Downloads: no
Pay to Surf: no
Peer to Peer: no
Streaming Media/MP3s: no
Proxy Avoidance: no
For Kids: no
Web Advertisements: no
Web Hosting: no
Unrated: no
custom active: yes
allow traffic to trusted hosts only: no
allow features to trusted hosts: no
block activex: yes
block java: yes
block cookie: yes
block proxy: yes
No Trusted Host
No Forbidden Host
No Keyword

Chapter 23 Anti-Spam

This chapter introduces and shows you how to configure the anti-spam scanner.

23.1 Anti-Spam Overview

The anti-spam feature can mark or discard spam (unsolicited commercial or junk e-mail). Use the white list to identify legitimate e-mail. Use the black list to identify spam e-mail. The ZyWALL can also check e-mail against a DNS black list (DNSBL) of IP addresses of servers that are suspected of being used by spammers.

23.2 Anti-Spam Commands

The following table identifies the values used in some of these commands. Other input values are discussed with the corresponding commands.

Table 113 Input Values for General Anti-Spam Commands
rule_number
    The index number of an anti-spam rule, 1 to X, where X is the highest number of anti-spam rules the ZyWALL model supports. See the ZyWALL's User's Guide for details.
zone_object
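A DNSBL check is a DNS lookup: the octets of the relaying server's IPv4 address are reversed, the list's zone is appended, and an A record in 127.0.0.0/8 in the answer means "listed". The Python below is an added example, not code from the guide or from ZyXEL, that walks the Received headers of a constructed message and applies the DNSBL settings this page shows elsewhere (max-query-ip, ip-check-order, the query-timeout action and the dnsbl and dnsbl-timeout subject tags). The resolver is a scripted stand-in so the example runs offline; the value name "backward" for the opposite check order, the exact tag strings and the exact way the ZyWALL walks Received headers are assumptions made for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass


class FakeResolver:
    """Constructed stand-in for a DNS resolver; a real one would send an A query for the name."""

    def __init__(self, listed=(), slow=()):
        self.listed = set(listed)   # query names that answer 127.0.0.2 (listed)
        self.slow = set(slow)       # query names that never answer (query timeout)
        self.queries = []           # every name queried, for inspection

    def query_a(self, name):
        self.queries.append(name)
        if name in self.slow:
            raise TimeoutError(name)
        return ["127.0.0.2"] if name in self.listed else []


def dnsbl_name(ip, zone):
    """203.0.113.9 in zone bl.example becomes 9.113.0.203.bl.example."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def is_listed(answers):
    # Listed addresses answer with an A record in 127.0.0.0/8; the last octet
    # usually encodes the listing reason. 127.0.0.1 is reserved and never used.
    return any(a.startswith("127.") and a != "127.0.0.1" for a in answers)


# RFC 1918 and loopback relays can never be listed; do not spend queries on them.
_SKIP = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def received_ips(headers):
    """Relay IPs from Received: headers, topmost (last hop before us) first."""
    ips = []
    for line in headers.splitlines():
        if line.lower().startswith("received:"):
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
            if m and not any(ipaddress.ip_address(m.group(1)) in n for n in _SKIP):
                ips.append(m.group(1))
    return ips


@dataclass
class DnsblConfig:
    zones: tuple
    max_query_ip: int = 4                      # anti-spam dnsbl max-query-ip
    ip_check_order: str = "forward"            # anti-spam dnsbl ip-check-order ("backward" is assumed)
    spam_action: str = "forward-with-tag"      # action for a listed relay
    timeout_action: str = "forward-with-tag"   # anti-spam dnsbl query-timeout <proto> action
    tag_dnsbl: str = "[DNSBL]"                 # anti-spam tag dnsbl
    tag_timeout: str = "[DNSBL timeout]"       # anti-spam tag dnsbl-timeout


def check_mail(headers, cfg, resolver):
    """Verdict for one message: status, action and the tag to prepend to the subject."""
    ips = received_ips(headers)
    if cfg.ip_check_order == "backward":
        ips.reverse()
    timed_out = False
    for ip in ips[: cfg.max_query_ip]:
        for zone in cfg.zones:
            try:
                if is_listed(resolver.query_a(dnsbl_name(ip, zone))):
                    return _verdict("spam", cfg.spam_action, cfg.tag_dnsbl, ip, zone)
            except TimeoutError:
                timed_out = True   # remember it, but keep checking the other IPs and zones
    if timed_out:
        return _verdict("timeout", cfg.timeout_action, cfg.tag_timeout, None, None)
    return _verdict("clear", "forward", "", None, None)


def _verdict(status, action, tag, ip, zone):
    return {"status": status, "action": action,
            "subject_tag": tag if action == "forward-with-tag" else "",
            "ip": ip, "zone": zone}


# Constructed sample headers (not from the guide): two public relays and one internal host.
SAMPLE_HEADERS = """Received: from mx.example.net (mx.example.net [203.0.113.9]) by gw.example.com
Received: from relay.example.org ([198.51.100.7]) by mx.example.net
Received: from desktop.lan ([192.168.1.5]) by relay.example.org
Subject: hello"""

if __name__ == "__main__":
    resolver = FakeResolver(listed={"9.113.0.203.bl.example."})
    print(check_mail(SAMPLE_HEADERS, DnsblConfig(zones=("bl.example",)), resolver))
```

Two points worth noticing: a query timeout does not abort the check, it only changes the verdict when nothing was found, which is why the timeout action and tag are configured separately from the spam action; and limiting the number of IPs queried bounds both DNS traffic and the delay a message sees before delivery.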
40. [no] user username
    Adds the specified user to the specified user group. The no command removes the user from the group.
show
    Displays information about the specified user group.
groupname rename groupname groupname
    Renames the specified user group (first groupname) to the specified group name (second groupname).

25.2.3 User Setting Commands

This table lists the commands for user settings, except for forcing user authentication.

Table 132 username/groupname Commands Summary: Settings
show users default-setting {all | user-type {admin | user | guest | limited-admin | ext-user}}
    Displays the default lease and reauthentication times for the specified type of user accounts.
users default-setting [no] logon-lease-time <0-1440>
    Sets the default lease time (in minutes) for each new user. Set it to zero for an unlimited lease time. The no command sets the default lease time to five minutes.
users default-setting [no] logon-re-auth-time <0-1440>
    Sets the default reauthorization time (in minutes) for each new user. Set it to zero for an unlimited reauthorization time. The no command sets the default reauthorization time to thirty minutes.

Table 132 username/groupname Commands Summary: Settings (continued)
users default-setting [no] user-type {admin | ext-user | guest | limited-admin | user}
    Sets the default u
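The lease time and the reauthorization time bound a logged-in user differently: the lease can be renewed and measures time since the last renewal, while the reauthorization time runs from the login itself and forces a fresh login no matter how often the lease was renewed; zero disables either limit and the no forms fall back to five and thirty minutes. The Python below is an added example, not code from the guide or from ZyXEL, that models a session under both timers and validates the <0-1440> range. How a lease is renewed on the ZyWALL is not described on this page, so treating renewal as an explicit action is an assumption of the example.

```python
from dataclasses import dataclass

UNLIMITED = 0                 # a value of zero means no limit
LIMIT_RANGE = range(0, 1441)  # the <0-1440> minutes the commands accept
NO_LEASE_MIN = 5              # what 'no logon-lease-time' resets to
NO_REAUTH_MIN = 30            # what 'no logon-re-auth-time' resets to


def minutes(value):
    """Validate a <0-1440> argument the way the CLI range does."""
    if value not in LIMIT_RANGE:
        raise ValueError(f"{value} is outside <0-1440>")
    return value


@dataclass
class LogonPolicy:
    lease_min: int = NO_LEASE_MIN
    reauth_min: int = NO_REAUTH_MIN

    def set_lease(self, value=None):      # None models the 'no' form of the command
        self.lease_min = NO_LEASE_MIN if value is None else minutes(value)
        return self

    def set_reauth(self, value=None):
        self.reauth_min = NO_REAUTH_MIN if value is None else minutes(value)
        return self


@dataclass
class Session:
    user: str
    policy: LogonPolicy
    login_at: float      # seconds
    renewed_at: float    # seconds; starts equal to login_at

    def status(self, now):
        # Reauthorization is counted from login and cannot be extended by renewing.
        if self.policy.reauth_min != UNLIMITED and now - self.login_at >= self.policy.reauth_min * 60:
            return "reauth-required"
        # The lease is counted from the last renewal.
        if self.policy.lease_min != UNLIMITED and now - self.renewed_at >= self.policy.lease_min * 60:
            return "lease-expired"
        return "active"

    def renew(self, now):
        """Extend the lease; only an active session can be renewed (assumption: renewal is explicit)."""
        if self.status(now) != "active":
            return False
        self.renewed_at = now
        return True


def walk(policy, renew_every, horizon):
    """Simulate a user who renews every renew_every seconds; return when each state was first seen."""
    session = Session("alice", policy, 0.0, 0.0)
    first_seen = {"active": 0.0}
    t = 0.0
    while t <= horizon:
        state = session.status(t)
        first_seen.setdefault(state, t)
        if state == "active" and t > 0 and t % renew_every == 0:
            session.renew(t)
        t += 10.0
    return first_seen


if __name__ == "__main__":
    policy = LogonPolicy().set_lease(5).set_reauth(30)
    print("renewing every 4 min:", walk(policy, 240, 3600))
    print("renewing every 10 min:", walk(policy, 600, 3600))
```

With the defaults a user who renews every four minutes never loses the lease but is still forced to log in again at thirty minutes; one who waits ten minutes loses the lease at five. That asymmetry is the reason to keep the reauthorization time finite even when the lease is generous: it caps how long a stolen or abandoned session stays usable.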
41. List of Commands (Alphabetical), excerpt (page numbers refer to the printed guide):
idp anomaly-profile icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} details    190
idp anomaly-profile icmp-decoder all details    190
idp anomaly-profile scan-detection all details    189
idp anomaly-profile scan-detection {icmp-sweep | icmp-filtered-sweep | open-port} details    189
idp anomaly-profile scan-detection {ip-protocol-scan | ip-decoy-protocol-scan | ip-protocol-sweep | ip-distributed-protocol-scan | ip-filtered-protocol-scan | ip-filtered-decoy-protocol-scan | ip-filtered-distributed-protocol-scan | ip-filtered-protocol-sweep} details    189
idp anomaly-profile scan-detection {tcp-portscan | tcp-decoy-portscan | tcp-portsweep | tcp-distributed-portscan | tcp-filtered-portscan | tcp-filtered-decoy-portscan | tcp-filtered-distributed-portscan | tcp-filtered-portsweep} details    189
idp anomaly-profile scan-detection {udp-portscan | udp-decoy-portscan | udp-portsweep | udp-distributed-portscan | udp-filtered-portscan | udp-filtered-decoy-portscan | udp-filtered-distributed-portscan | udp-filtered-portsweep} details    189
idp anomaly-profile tcp-decoder {undersize-len | undersize-offset | oversize-offset | bad-length-options | truncated-options | ttcp-detected | obsolete-options | experimental-options} details    190
idp anomaly-profile tcp-decoder all details    190
42. 31.3 Certificates Commands Input Values

The following table explains the values you can input with the certificate commands.

Table 152 Certificates Commands Input Values
certificate_name
    The name of a certificate. You can use up to 31 alphanumeric characters and symbols such as & and _.
cn_address
    A common name IP address identifies the certificate's owner. Type the IP address in dotted decimal notation.
cn_domain_name
    A common name domain name identifies the certificate's owner. The domain name is for identification purposes only and can be any string. The domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods.
cn_email
    A common name e-mail address identifies the certificate's owner. The e-mail address is for identification purposes only and can be any string. The e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.

Table 152 Certificates Commands Input Values (continued)
organizational_unit
    Identifies the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters: alphanumeric characters, the hyphen and the underscore.
organization
    Identifies the company or group to which the certif
43. Chapter 1 Command Line Interface

This chapter describes how to access and use the CLI (Command Line Interface).

1.1 Overview

If you have problems with your ZyWALL, customer support may request that you issue some of these commands to assist them in troubleshooting.

Note: Use of undocumented commands or misconfiguration can damage the ZyWALL and possibly render it unusable.

1.1.1 The Configuration File

When you configure the ZyWALL using either the CLI (Command Line Interface) or the web configurator, the settings are saved as a series of commands in a configuration file on the ZyWALL. You can store more than one configuration file on the ZyWALL. However, only one configuration file is used at a time.

You can perform the following with a configuration file:
- Back up the ZyWALL configuration once the ZyWALL is set up to work in your network.
- Restore the ZyWALL configuration.
- Save and edit a configuration file and upload it to multiple ZyWALLs of the same model in your network so they have the same settings.

Note: You may also edit a configuration file using a text editor.

1.2 Accessing the CLI

You can access the CLI using a terminal emulation program on a computer connected to the console port, from the web configurator, or by connecting to the ZyWALL using Telnet or SSH (Secure SHell).

Note: The ZyWALL might force you to log out of your session if rea
44. List of Commands (Alphabetical), excerpt (page numbers refer to the printed guide; unrecoverable entries omitted):
snat source_address_name destination_address_name snat_address_name    140
packet-trace [interface interface_name] [ip-proto {<0-255> | protocol_name | any}] [src-host {ip | hostname | any}] [dst-host {ip | hostname | any}] [port {<1-65535> | any}] [file] [duration <1-3600>] [extension-filter filter_extension]
check {domain_name | ip | default-gateway}    62
check {domain_name | ip | default-gateway} fail-tolerance <1-10>    62
check {domain_name | ip | default-gateway} method {icmp | tcp}    62
check {domain_name | ip | default-gateway} period <5-30>    62
check {domain_name | ip | default-gateway} port <1-65535>    62
45. Also sets open port scan detection logs or alerts and blocking. no deactivates open port scan detection, its logs, alerts or blocking.
flood-detection block-period <1-3600>
    Sets for how many seconds the ZyWALL blocks all packets from being sent to the victim (destination) of a detected anomaly attack.
[no] flood-detection {tcp-flood | udp-flood | ip-flood | icmp-flood} activate [log [alert]] [block]
    Activates or deactivates TCP, UDP, IP or ICMP flood detection. Also sets flood detection logs or alerts and blocking. no deactivates flood detection, its logs, alerts or blocking.
[no] http-inspection http-xxx activate
    Activates or deactivates HTTP inspection options, where http-xxx is one of ascii-encoding, u-encoding, bare-byte-unicode-encoding, base36-encoding, utf-8-encoding, iis-unicode-codepoint-encoding, multi-slash-encoding, iis-backslash-evasion, self-directory-traversal, directory-traversal, apache-whitespace, non-rfc-http-delimiter, non-rfc-defined-char, oversize-request-uri-directory, oversize-chunk-encoding or webroot-directory-traversal.
http-inspection http-xxx log [alert]
    Sets HTTP inspection log or alert.
no http-inspection http-xxx log
    Deactivates HTTP inspection logs.
[no] http-inspection http-xxx action {drop | reject-sender | reject-receiver | reject-both}
    Sets the HTTP inspection action.
[no] tcp-decoder tcp-xxx activate
    Activates or deactivates TCP de
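Most of the http-inspection options above are names for ways of writing a request URI so that a signature matcher sees one string while the web server decodes another: %uXXXX encoding, raw high bytes, UTF-8 multibyte forms, backslashes that IIS treats as slashes, doubled slashes, "/./" and "/../" segments, and tabs in the request line. The Python below is an added example, not code from the guide or from ZyXEL, that normalizes a raw request path the way a server would and reports which of those evasions it had to undo. The flag names follow the option names in the table; the 255-character directory limit for the oversize option is an assumption chosen for the demonstration.

```python
HEX = b"0123456789abcdefABCDEF"


def _percent_decode(raw, flags):
    """Decode %XX and the non-standard %uXXXX form; note raw bytes above 0x7f."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x25:  # '%'
            if raw[i + 1:i + 2] == b"u" and len(raw[i + 2:i + 6]) == 4 and all(h in HEX for h in raw[i + 2:i + 6]):
                flags.add("u-encoding")
                cp = int(raw[i + 2:i + 6], 16)
                out += bytes([cp]) if cp < 0x100 else chr(cp).encode("utf-8")
                i += 6
                continue
            if len(raw[i + 1:i + 3]) == 2 and all(h in HEX for h in raw[i + 1:i + 3]):
                out.append(int(raw[i + 1:i + 3], 16))
                i += 3
                continue
        if c >= 0x80:
            flags.add("bare-byte-unicode-encoding")
        out.append(c)
        i += 1
    return bytes(out)


def inspect_uri(raw, max_dir_len=255):
    """Return (normalized path, set of evasion flags) for a raw request-URI path given as bytes."""
    flags = set()
    if b"\t" in raw:                      # tab used where the request line should have a space
        flags.add("apache-whitespace")
        raw = raw.replace(b"\t", b"")
    dec = _percent_decode(raw, flags)
    try:
        path = dec.decode("utf-8")
        if any(b >= 0x80 for b in dec):
            flags.add("utf-8-encoding")   # multibyte characters hidden behind %XX
    except UnicodeDecodeError:            # overlong or otherwise malformed multibyte sequence
        flags.add("utf-8-encoding")
        path = dec.decode("latin-1")
    if "\\" in path:
        flags.add("iis-backslash-evasion")
        path = path.replace("\\", "/")
    if "//" in path:
        flags.add("multi-slash")
    stack = []
    for seg in path.lstrip("/").split("/"):
        if seg == "":
            continue                      # empty segment from a doubled slash
        if seg == ".":
            flags.add("self-directory-traversal")
        elif seg == "..":
            flags.add("directory-traversal")
            if stack:
                stack.pop()
            else:
                flags.add("webroot-directory-traversal")   # tried to climb above the web root
        else:
            if len(seg) > max_dir_len:
                flags.add("oversize-request-uri-directory")
            stack.append(seg)
    return "/" + "/".join(stack), flags


if __name__ == "__main__":
    for sample in (b"/images//./../..%5cetc/passwd", b"/a/%u002e%u002e/b", b"/scripts/..%c0%af../winnt"):
        print(sample, "->", inspect_uri(sample))
```

The first sample in the usage block decodes to /etc/passwd only after five separate tricks are undone, which is why the options exist individually: each one is a distinct transformation a signature written against the literal URI would miss. The overlong %c0%af form is flagged but deliberately not decoded to a slash, since only a server with that decoding bug would treat it as one.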
46. Android or other operating systems.
windows-version {windows-2000 | windows-xp | windows-2003 | windows-2008 | windows-vista | windows-7 | windows-2008r2}
    If you set windows as the operating system using the os-type command, use this command to set the version of Windows.
matching-criteria {any | all}
    Selects whether the user's computer has to match just one of the endpoint security object's checking criteria or all of them.
list signature {anti-virus | personal-firewall | status}
    Displays all the anti-virus software packages, the personal firewall software packages, or the EPS signature information respectively. The status command displays the EPS signature version, release date and the total number of software packages the ZyWALL's endpoint security can check for.
[no] windows-auto-update {enable | disable | ignore}
    If you set windows as the operating system using the os-type command: use enable if the user's computer must have the Windows Auto Update feature installed and activated; use disable if the feature must be installed but deactivated; use ignore if the feature must be installed but it does not matter whether it is activated. The no command does not check the Windows Auto Update feature.
[no] windows-service-pack <1-10>
    If you set windows as the operating system using the os-type command, you can enter the minimum Windows se
47. Table 155 Cellular Account Commands
show account cellular profile_name
    Displays information about the specified account.
[no] account cellular profile_name
    Creates a new cellular ISP account named profile_name if necessary and enters sub-command mode. The no command deletes the specified ISP account.
    profile_name: use 0-30 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
[no] apn access_point_name
    Sets the Access Point Name (APN) for the cellular ISP account. The no command clears the APN.
    access_point_name: use up to 64 alphanumeric characters and underscores (_), dashes (-), periods (.) and $.
[no] phone phone_number
    Sets the phone number for the specified ISP account. The no command clears the phone number.
[no] user username
    Sets the username for the specified ISP account. The no command clears the username.
    username: use up to 64 alphanumeric characters and underscores (_), dashes (-), periods (.) and $.

Table 155 Cellular Account Commands (continued)
[no] password password
    Sets the password for the specified ISP account. The no command clears the password.
    password: use up to 63 printable ASCII ch
48. List of Commands (Alphabetical), excerpt (page numbers refer to the printed guide; unrecoverable entries omitted):
no icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} activate    189
no icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} log    189
no idp customize signature    194
no ip ftp server rule rule_number    302
no ip http secure-server cipher-suite cipher_algorithm    297
no ip http secure-server table {admin | user} rule rule_number    297
no ip http server table {admin | user} rule rule_number    297
no ip http-redirect description    116
no ip ospf message-digest-key    61
no ip ssh server rule rule_number    299
no ip telnet server rule rule_number    300
no ip virtual-server profile_name    110
no l2tp-over-ipsec
49. List of Commands (Alphabetical), excerpt (page numbers refer to the printed guide; unrecoverable entries omitted):
content-filter url-server test url_server rating-server timeout query_timeout    205
content-filter url-server test url_server rating-server timeout query_timeout    207
copy {cert | conf | idp | packet_trace | script | tmp} file_name-a.conf {cert | conf | idp | packet_trace | script | tmp} file_name-b.conf    215
copy running-config startup-config    315
crypto map rename map_name map_name    139
daily-report    337
daily-report no item    338
50. The types supported vary by ZyWALL model.

Port groups create a hardware connection between physical ports at the layer-2 (data link, MAC address) level.

Ethernet interfaces are the foundation for defining other interfaces and network policies. RIP and OSPF are also configured in these interfaces.

VLAN interfaces receive and send tagged frames. The ZyWALL automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.

Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Unlike port groups, bridge interfaces can take advantage of some security features in the ZyWALL. You can also assign an IP address and subnet mask to the bridge.

PPPoE/PPTP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP interfaces.

Cellular interfaces are for 3G WAN connections via a connected 3G device.

WLAN interfaces are for wireless LAN (IEEE 802.11b/g) connections via an installed wireless LAN card.

Virtual interfaces (IP alias) provide additional routing information in the ZyWALL. There are three types: virtual Ethernet interfaces, virtual VLAN interfaces and virtual bridge interfaces.

The auxiliary interface, along with an external modem, provides an interface the ZyWALL can use to dial out. This interface can be used as a backup W
51. alphanumeric characters and the underscore. Spaces are not allowed.

The following table describes the commands available for registration. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 9 Command Summary: Registration

COMMAND: device register checkuser user_name
DESCRIPTION: Checks if the user name exists in the myZyXEL.com database.

COMMAND: device register username user_name password password [e-mail user@domainname country-code country_code]
DESCRIPTION: Registers the device with an existing account, or creates a new account and registers the device at one time. For country_code, see Table 10 on page 40.

COMMAND: service register checkexpire
DESCRIPTION: Gets information of all service subscriptions from myZyXEL.com and updates the status table.

COMMAND: service register service type standard license key key_value
DESCRIPTION: Activates a standard service subscription with the license key.

COMMAND: service register service type trial service {content filter | idp}
DESCRIPTION: Activates the content filter or IDP trial service subscription.

COMMAND: service register service type trial service all {kav | zav}
DESCRIPTION: Activates all of the trial service subscriptions, including Kaspersky or ZyXEL anti-virus.

COMMAND: service register service type trial service av {kav | zav}
DESCRIPTION: Activates a Kaspersky or ZyXEL anti-virus trial service subscription.

COMMAND: service register service type kav zav trial av engine C
52. app other eel forward drop Segept espiraii n Kokorea Ra C3 OR A eestor ERRORS S 166 Spo OLIOT BERN E352 34 whee wee Ree 394 55955258 Ch RAS a me dua adu SE qd es d Eo SARS 166 BDD GEBOT GETAUE unuoerse chen C RURGRURC CHCRO RARA SOROR UP EUN Gh ahem ele HRS RR eRe ea aut 166 20 gt LIBE Gert Fie nee asa ees dec S ge Ros ur undici e bcr dicc Bo odo oe dica diu ewes 166 app Other move uie TURNOS Lo HULE SUDUSS ta eru Re RUN ER PE NR e de ax Ua RE xe A A 166 IPPO GENE ALAN ara d Rus A Rakes uio ra Rule wd hese A aal A RE 156 app protocol same forward drop PS7660 Lue exse i UE Reo EEEn RA AUR CROR Od qe 3e XR eco 162 app protocol same bBsndegygLh De LOCOS 44464 eue OAR REG A 162 app protocol name exosbtrion ADDODO nixa a Ro AEGRO REC ARA A LAS eed CC CN o CALOR 164 app protocol name exception Celle aegdcsagndb A aec RE ROT RH OR CRGO CERCA LES 164 app protocol name exception insert SUIS numbDef 64446400 pa EG RE CRGO EROR ARCA ACCRUE A 164 app protocol Mane exception modits default 2263449993 X Gd 3 EORR ROC oe dee eed ee Oe 164 app protocol name exception modify rule HUME 2 284 sido keen URS RUE Dawes san ad ada CR CA 164 app protocol name exception move rule number to rule number e 164 app protocol name BxCOBMLLON TIL NONE S sierras arde don SURE Baw sd WC RO Eccc RR 164 App protocol name exception Full numbef sareste rfki UR E X EUR OR A AA RUNE KER EYER 164 app protocol mame mode port less Portas sierra nacida O
53. commands.

Table 2 CLI Modes (continued)

USER mode
What Limited Admin users can do: Look at system information like the Status screen; run basic diagnostics.
What Admin users can do: Look at system information like the Status screen; run basic diagnostics.
How you enter it: Log in to the ZyWALL.
What the prompt looks like: Router>
How you exit it: Type exit.

PRIVILEGE mode
What Limited Admin users can do: Look at system information like the Status screen; run basic diagnostics.
What Admin users can do: Look at system information like the Status screen; run basic diagnostics.
How you enter it: Type enable in User mode.
What the prompt looks like: Router#
How you exit it: Type disable.

CONFIGURATION mode
What Limited Admin users can do: Unable to access.
What Admin users can do: Configure simple features such as an address object; create or remove complex parts such as an interface.
How you enter it: Type configure terminal in User or Privilege mode.
What the prompt looks like: Router(config)#
How you exit it: Type exit.

SUB-COMMAND mode
What Limited Admin users can do: Unable to access.
What Admin users can do: Configure complex parts, such as an interface, in the ZyWALL.
How you enter it: Type the command used to create the specific part in Configuration mode.
What the prompt looks like: Varies by part, for example Router(zone)# or Router(config-if-ge)#.
How you exit it: Type exit.

See Chapter 25 on page 233 for more information about the user types. User users can only log in, look at (but not run) the available commands in User mode, and log out. Limited Admin users can look at the configuration in the web configurator and CLI, and they can run basic diagnostics in th
54. (continued)

LABEL: rating_server
DESCRIPTION: The hostname or IP address of the rating server.

LABEL: query_timeout
DESCRIPTION: The maximum querying time when rating a URL in zysh: <1..60> seconds.

The following table lists the content filtering web category names.

Table 108 Content Filtering Web Category Names

Adult/Mature Content
Pornography
Sex Education
Intimate Apparel/Swimsuit
Nudity
Alcohol/Tobacco
Illegal/Questionable
Gambling
Violence/Hate/Racism
Weapons
Abortion
Hacking
Phishing
Arts/Entertainment
Business/Economy
Alternative Spirituality/Occult
Illegal Drugs
Education
Cultural/Charitable Organization
Financial Services
Brokerage/Trading
Online Games
Government/Legal
Military
Political/Activist Groups
Health
Computers/Internet
Search Engines/Portals
Spyware/Malware Sources
Spyware Effects/Privacy Concerns
Job Search/Careers
News/Media
Personals/Dating
Reference
Open Image/Media Search
Chat/Instant Messaging
Email
Blogs/Newsgroups
Religion
Social Networking
Online Storage
Remote Access Tools
Shopping
Auctions
Real Estate
Society/Lifestyle
Sexuality/Alternative Lifestyles
Restaurants/Dining/Food
Sports/Recreation/Hobbies
Travel
Vehicles
Humor/Jokes
Software Downloads
Pay to Surf
Peer-to-Peer
Streaming M
55. Router# packet trace duration 3
tcpdump: listening on eth0
19:24:43.239798 192.168.1.10 > 192.168.1.1: icmp: echo request
19:24:43.240199 192.168.1.1 > 192.168.1.10: icmp: echo reply
19:24:44.258823 192.168.1.10 > 192.168.1.1: icmp: echo request
19:24:44.259219 192.168.1.1 > 192.168.1.10: icmp: echo reply
19:24:45.268839 192.168.1.10 > 192.168.1.1: icmp: echo request
19:24:45.269238 192.168.1.1 > 192.168.1.10: icmp: echo reply
6 packets received by filter
0 packets dropped by kernel

Router# packet trace interface ge2 ip proto icmp file extension filter -s 500 -n
tcpdump: listening on eth1
07:24:07.898639 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:24:07.900450 192.168.105.40 > 192.168.105.133: icmp: echo reply
07:24:08.908749 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:24:08.910606 192.168.105.40 > 192.168.105.133: icmp: echo reply
8 packets received by filter
0 packets dropped by kernel

Router# packet trace interface ge2 ip proto icmp file extension filter traceroute
1 31235235253 1 25 2 SL 7262336 3253 ds 2236 651 4 xk 4 5 991 ms 3 049 ms 2 983 ms 5x

Router# traceroute www.zyxel.com
traceroute to www.zyxel.com (203.160.232.7), 30 hops max, 38 byte packets
1 947 ms 1 979 ms 2 961 ms 2 980 ms 968 ms 6 984 ms
56. (local network).

COMMAND: remote policy address_name
DESCRIPTION: Sets the address object for the remote policy (remote network).

COMMAND: [no] policy enforcement
DESCRIPTION: Drops traffic whose source and destination IP addresses do not match the local and remote policy. This makes the IPSec SA more secure. The no command allows traffic whose source and destination IP addresses do not match the local and remote policy.
Note: You must allow traffic whose source and destination IP addresses do not match the local and remote policy if you want to use the IPSec SA in a VPN concentrator.

COMMAND: [no] nail up
DESCRIPTION: Automatically re-negotiates the SA as needed. The no command does not.

COMMAND: [no] replay detection
DESCRIPTION: Enables replay detection. The no command disables it.

COMMAND: [no] netbios broadcast
DESCRIPTION: Enables NetBIOS broadcasts through the IPSec SA. The no command disables NetBIOS broadcasts through the IPSec SA.

COMMAND: [no] out snat activate
DESCRIPTION: Enables out-bound traffic SNAT over IPSec. The no command disables out-bound traffic SNAT over IPSec.

COMMAND: out snat source address_name destination address_name snat address_name
DESCRIPTION: Configures out-bound traffic SNAT in the IPSec SA.

COMMAND: [no] in snat activate
DESCRIPTION: Enables in-bound traffic SNAT in the IPSec SA. The no command disables in-bound traffic SNAT in the IPSec SA.

Table 69 crypto Commands: IPSec SAs (continued)

COMMAND: in snat s
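The policy enforcement entry above is the one setting in this table that decides which packets may ride the SA at all. The model below is an added example, not the ZyWALL's implementation: it applies the table's rule (source must fall in the local policy and destination in the remote policy, otherwise the packet is dropped) and shows why the note says a VPN concentrator needs no policy enforcement, since traffic from a third site does not match either policy. The two policy networks and the sample packets are constructed.

```python
"""Model of the IPSec SA 'policy enforcement' setting.

Added example, not the ZyWALL's code. LOCAL_POLICY, REMOTE_POLICY and
SAMPLE_PACKETS are constructed values for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed policies: the network behind this ZyWALL and the network
# behind the IPSec peer.
LOCAL_POLICY = ip_network("192.168.1.0/24")
REMOTE_POLICY = ip_network("10.0.0.0/24")


def matches_policy(src, dst, local=LOCAL_POLICY, remote=REMOTE_POLICY):
    """Outbound direction: the source must lie in the local policy and
    the destination in the remote policy."""
    return ip_address(src) in local and ip_address(dst) in remote


def sa_decision(src, dst, policy_enforcement=True,
                local=LOCAL_POLICY, remote=REMOTE_POLICY):
    """Return 'forward' or 'drop' for a packet offered to the SA.

    With policy enforcement on, anything outside the local/remote pair is
    dropped. 'no policy enforcement' lets every packet use the SA, which
    is what a concentrator relaying other sites' traffic relies on.
    """
    if not policy_enforcement:
        return "forward"
    return "forward" if matches_policy(src, dst, local, remote) else "drop"


# Constructed sample traffic offered to the SA
SAMPLE_PACKETS = [
    ("192.168.1.20", "10.0.0.5"),     # inside both policies
    ("172.16.5.9", "10.0.0.5"),       # a third site's host relayed via a concentrator
    ("192.168.1.20", "203.0.113.7"),  # bound for an Internet host, not the remote policy
]


def evaluate(packets, policy_enforcement):
    """Map each (src, dst) pair to the SA's decision."""
    return {pkt: sa_decision(*pkt, policy_enforcement=policy_enforcement)
            for pkt in packets}


if __name__ == "__main__":
    for mode in (True, False):
        print("policy enforcement" if mode else "no policy enforcement",
              evaluate(SAMPLE_PACKETS, mode))
```

Running it with enforcement on forwards only the first packet; turning enforcement off forwards all three, including the Internet-bound one, which is the trade-off the table's "more secure" wording refers to.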
57. n/a

VALUE  NAME
64  IMAP
128  MISC
256  NETBIOS
512  NNTP
1024  ORACLE
2048  P2P
4096  POP2
8192  POP3
16384  RPC
32768  RSERVICES
4194304  WEB_ATTACKS
8388608  WEB_CGI
16777216  WEB_FRONTPAGE
33554432  WEB_IIS
67108864  WEB_MISC
134217728  WEB_PHP
268435456  MISC_BACKDOOR
536870912  MISC_DDOS
1073741824  MISC_EXPLOIT

21.3.6.2 Signature Search Example

This example command searches for all signatures in the LAN_IDP profile that:
containing the text "worm" within the signature name,
with an ID of 12345,
have a very low severity level,
are enabled,
generate logs,
operate on the Windows NT platform,
are a scan policy type,
and are for the DNS service.

Router# configure terminal
Router(config)# idp search signature LAN_IDP name worm sid 12345 severity 1 platform 4 policytype 4 service 1 activate yes log log action 2
Router(config)#

21.4 IDP Custom Signatures

Use these commands to create a new signature or edit an existing one.

Note: It is recommended you use the web configurator to create/edit signatures, using the web configurator Anti-X > IDP > Custom Signatures screen.

Note: You must use the web configurator to import a custom signature file.

Table 104 Custom Signatures

COMMAND: idp customize signature quoted_string
DESCRIPTION: Create a new custom signature. The quoted string is the signature comma
58. COMMAND: [no] radius server key secret
DESCRIPTION: Sets a password (up to 15 alphanumeric characters) as the key to be shared between the RADIUS server and the ZyWALL. The no command clears this setting.

COMMAND: [no] radius server timeout time
DESCRIPTION: Sets the search timeout period in seconds. Enter a number between 1 and 300. The no command clears this setting.

29.2.4 radius server Command Example

The following example sets the secret key and timeout period of the default RADIUS server (172.23.10.100) to 87643210 and 80 seconds.

Router# configure terminal
Router(config)# radius server host 172.23.10.100 auth port 1812
Router(config)# radius server key 876543210
Router(config)# radius server timeout 80
Router(config)# show radius server
host           authentication port  key        timeout
172.29.10.100  1812                 876543210  80
Router(config)#

29.2.5 aaa group server ad Commands

The following table lists the aaa group server ad commands you use to configure a group of AD servers.

Table 147 aaa group server ad Commands

COMMAND: clear aaa group server ad [group_name]
DESCRIPTION: Deletes all AD server groups or the specified AD server group.
Note: You can NOT delete a server group that is currently in use.

COMMAND: show aaa group server ad group_name
DESCRIPTION: Displays the specified AD server group settings.

COMMAND: [no] aaa group server ad grou
59. section if you need to recover the firmware.

1 Connect your computer to the ZyWALL's port 1 (only port 1 can be used).

2 The ZyWALL's FTP server IP address for firmware recovery is 192.168.1.1, so set your computer to use a static IP address from 192.168.1.2 to 192.168.1.254.

3 Use an FTP client on your computer to connect to the ZyWALL. For example, in the Windows command prompt, type ftp 192.168.1.1. Keep the console session connected in order to see when the firmware recovery finishes.

4 Hit enter to log in anonymously.

5 Set the transfer mode to binary (type bin).

6 Transfer the firmware file from your computer to the ZyWALL. Type put followed by the path and name of the firmware file. This example uses put e:\ftproot\ZLD FW 1.01(XL.0)C0.bin.

Figure 41 FTP Firmware Transfer Command
C:\>ftp 192.168.1.1
Connected to 192.168.1.1.
220---------- Welcome to Pure-FTPd 1.0.11 ----------
220-You are user number 1 of 58 allowed.
220-Local time is now 21:33 and the load is
220-Only anonymous FTP is allowed here
220-You will be disconnected after 15 minutes of inactivity.
User (192.168.1.1:(none)):
230 Anonymous user logged in
ftp> bi
200 TYPE is now 8-bit binary
ftp> put e:\ftproot\ZLD FW 1.01(XL.0)C0.bin

7 Wait for the file transfer to complete.

Figure 42 FTP Firmware Transfer Complete
200 PORT command successful
150 Connecting to port 1564
60. signal quality: Poor
device type: WCDMA
device manufacturer: Huawei
device model: E220/E270/E800A
device firmware: 076.11.07.106
device IMEI/ESN: 351827019784694
SIM card IMSI: 466923100565274

This example shows the 3G connection profile settings for interface cellular2 on the ZyWALL. You have to dial 99 1 to use profile 1, but authentication is not required. Dial 99 2 to use profile 2, and authentication is required.

Router(config)# show interface cellular2 device profile
profile 1
  apn: internet
  dial string: 99 1
  authentication: none
  user: n/a
  password: n/a
profile 2
  apn: internet
  dial string: 99 2
  authentication: chap
  user:
  password:

6.7 WLAN Specific Commands

You can install a compatible WLAN card to use the ZyWALL as an access point (AP) for a wireless network.

The following table identifies the values required for several WLAN commands. Other input values are discussed with the corresponding commands.

Table 29 Input Values for WLAN Interface Commands

LABEL: psk key
DESCRIPTION: Use 8 to 63 case-sensitive alphanumeric characters or 64 hexadecimal characters. This is used for WLAN interface commands. See Table 31 on page 74.

6.7.1 WLAN General Commands

Use these commands to configure global settings that apply to all of the wireless LAN inte
61. they may need to log into the device in order to be authenticated for user-aware policies, for example a firewall rule that a particular user is exempt from or a VPN tunnel that only certain people may use.

Type enable to go to privilege mode. No password is required. All commands can be run from here except those marked with an asterisk. Many of these commands are for troubleshooting purposes, for example the htm (hardware test module) and debug commands. Customer support may ask you to run some of these commands and send the results if you need assistance troubleshooting your device.

For admin logins, all commands are visible in user mode but not all can be run there. The following table displays which commands can be run in user mode. All commands can be run in privilege mode.

Note: The htm and psm commands are for ZyXEL's internal manufacturing process.

Table 4 User (U) and Privilege (P) Mode Commands

COMMAND  MODE  DESCRIPTION
apply  P  Applies a configuration file.
atse  U/P  Displays the seed code.
clear  U/P  Clears system or debug logs or DHCP binding.
configure  U/P  Use configure terminal to enter configuration mode.
copy  P  Copies configuration files.
debug  U/P  For support personnel only. The device needs to have the debug flag enabled.
delete  P  Deletes configuration files.
details  P  Performs diagnostic commands.
62. to the factory default (80).

COMMAND: [no] ip http secure port <1..65535>
DESCRIPTION: Sets the HTTPS service port number. The no command resets the HTTPS service port number to the factory default (443).

COMMAND: [no] ip http secure server
DESCRIPTION: Enables HTTPS access to the ZyWALL web configurator. The no command disables HTTPS access to the ZyWALL web configurator.

COMMAND: [no] ip http secure server auth client
DESCRIPTION: Sets the client to authenticate itself to the HTTPS server. The no command sets the client not to authenticate itself to the HTTPS server.

Table 166 Command Summary: HTTP/HTTPS (continued)

COMMAND: [no] ip http secure server cert certificate_name
DESCRIPTION: Specifies a certificate used by the HTTPS server. The no command resets the certificate used by the HTTPS server to the factory default (default). certificate_name is the name of the certificate. You can use up to 31 alphanumeric and &_ characters.

COMMAND: [no] ip http secure server force redirect
DESCRIPTION: Redirects all HTTP connection requests to a HTTPS URL. The no command disables forwarding HTTP connection requests to a HTTPS URL.

COMMAND: ip http secure server table {admin | user} rule {rule_number | append | insert rule_number} access group {ALL | address_object} zone {ALL | zone_object} action {accept | deny}
DESCRIPTION: Sets a service control rule for HTTPS service.
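The service control rule at the end of the table is what confines HTTPS administration to chosen source addresses and zones, and because rules are numbered and evaluated in order, an append and an insert at rule 1 behave very differently. The following model is an added example, not the ZyWALL's code: it keeps an ordered rule table with append and insert semantics and decides an admin login attempt by first match on access group and zone. The address objects, interface-to-zone mapping, rules and the deny fallback for unmatched requests are constructed assumptions; the guide's table does not state what happens when no rule matches.

```python
"""First-match evaluation of an HTTPS admin service control rule table.

Added example modelling 'ip http secure server table admin rule ...'
from the table above; not the ZyWALL's code. ADDRESS_OBJECTS,
ZONE_OF_INTERFACE, the rules and the default action are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed address objects (name -> networks) and interface-to-zone map
# standing in for the ZyWALL's address and zone objects.
ADDRESS_OBJECTS = {
    "MGMT_HOST": [ip_network("192.168.1.10/32")],
    "LAN_SUBNET": [ip_network("192.168.1.0/24")],
}
ZONE_OF_INTERFACE = {"ge1": "LAN", "ge2": "WAN", "ge3": "DMZ"}


class ServiceControlTable:
    """Ordered rules; the first rule whose access group and zone both
    match decides, mirroring the rule numbering in the CLI."""

    def __init__(self, default_action="deny"):
        # Assumption: requests matching no rule get default_action.
        self.rules = []
        self.default_action = default_action

    @staticmethod
    def _check(access_group, zone, action):
        if action not in ("accept", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if access_group != "ALL" and access_group not in ADDRESS_OBJECTS:
            raise ValueError(f"unknown address object {access_group!r}")
        if zone != "ALL" and zone not in ZONE_OF_INTERFACE.values():
            raise ValueError(f"unknown zone {zone!r}")

    def append(self, access_group, zone, action):
        """'rule append': new rule goes last."""
        self._check(access_group, zone, action)
        self.rules.append((access_group, zone, action))

    def insert(self, rule_number, access_group, zone, action):
        """'rule insert N': new rule becomes rule N, pushing N downwards."""
        self._check(access_group, zone, action)
        if not 1 <= rule_number <= len(self.rules) + 1:
            raise ValueError(f"bad rule number {rule_number}")
        self.rules.insert(rule_number - 1, (access_group, zone, action))

    def decide(self, src_ip, ingress_interface):
        """Return 'accept' or 'deny' for an HTTPS admin login attempt."""
        ip = ip_address(src_ip)
        zone = ZONE_OF_INTERFACE.get(ingress_interface)  # None if unknown
        for access_group, rule_zone, action in self.rules:
            if rule_zone != "ALL" and rule_zone != zone:
                continue
            if access_group != "ALL" and not any(
                ip in net for net in ADDRESS_OBJECTS[access_group]
            ):
                continue
            return action
        return self.default_action


def build_admin_table():
    """Constructed policy: a management host and the LAN may reach the
    HTTPS configurator; the WAN is denied explicitly."""
    table = ServiceControlTable(default_action="deny")
    table.append("MGMT_HOST", "LAN", "accept")
    table.append("ALL", "WAN", "deny")
    table.append("LAN_SUBNET", "LAN", "accept")
    return table


if __name__ == "__main__":
    t = build_admin_table()
    for src, ifc in [("192.168.1.10", "ge1"), ("203.0.113.5", "ge2")]:
        print(src, ifc, "->", t.decide(src, ifc))
```

Inserting a deny for LAN_SUBNET as rule 1 shadows the accept for the management host, which is the ordering mistake a reviewer should check for whenever a service control table is edited with insert rather than append.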
63. vibes BIER Ske hoe de REWER A ARANA A E E AA E A REO A di A 23 ZyWALL ZLD CLI Reference Guide 379 List of Commands Alphabetical show n T O ES now now now now now now now now now now now now now now now now now now now NOW NOW NOW NOW Q0 ooouoooooooocoooooooozoozucozoooxuozxuo3no wu Snow show show show show show show show show show show show show show show pos alce Mes OTHO dg aA UE A AAA 278 eps prorirle profiilia mnane ir AS A A RUE ACCI N EA cde eee Reeds 280 eps profile profile name signature anti virus personal firewall 280 eps signature anti virus personal firewall Status ii RR 281 e a o A m eu Ot ee kee Severe Es bd idem ed eV PS TE 33 A A 33 PPM tae eed Pek soe Robes dos oa dia d PEMA Shwe Bek Mou op E do eee E FOE ats 127 Fireya l I rule TUNDET airada WEG bed d RD eae wes SOR UR E CR ACA NK ee eee 127 Lieve SEACE A UR RO GR odd de A a a A haw 127 firewall gone object zone obgect ZyWALL 2 34 diteacaW dares AA A AAA LEY firewall zone object zone object ZyWALL rule number ooooooooooooooooo 127 torba LS SLIDE 22 5 I OP d RIP E uod ud dide dates cda d edad we dw iua 23 force auth QXOHBLIGHSLDeSQGIPUVISO 6 444 464 Pandan Y s Ka DIRE aos xd dea eade a dry SERS S237 Ponce A0Cn policy sede ORAS d GLUED A RO Ok ee eee eee EE 237 LONE LLEIDA RA KE d ade UG ERE Wed eg RR AR KE OR Kd Re SE SERS OLE Xp RR CM
64. 0..N, where N depends on the number of bridge interfaces your ZyWALL model supports.

virtual interface on top of bridge interface: brx:y, where x is the number of the bridge interface and y = 1..4.

PPPoE/PPTP interface: pppx, x = 0..N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.

The following table describes the commands available for HTTP redirection. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 60 Command Summary: HTTP Redirect

COMMAND: ip http redirect description interface interface_name redirect to w.x.y.z <1..65535>
DESCRIPTION: Sets a HTTP redirect rule.

COMMAND: ip http redirect description interface interface_name redirect to w.x.y.z <1..65535> deactivate
DESCRIPTION: Disables a HTTP redirect rule.

COMMAND: ip http redirect activate description
DESCRIPTION: Enables a rule with the specified rule name.

COMMAND: ip http redirect deactivate description
DESCRIPTION: Disables a rule with the specified rule name.

COMMAND: no ip http redirect description
DESCRIPTION: Removes a rule with the specified rule name.

COMMAND: ip http redirect flush
DESCRIPTION: Clears all HTTP redirect rules.

COMMAND: show ip http redirect [description]
DESCRIPTION: Displays HTTP redirect settings.

13.2.1 HTTP Redirect Command Examples

The following commands create a HTTP redirect rule, disable it, and display the settings.

Router# configure te
65. 1
Router(config)#

See Chapter 17 on page 145 for how to configure an SSL VPN using this EPS object.

For users who fail the endpoint security checking, Peter decides to show them an error message of "Endpoint Security checking failed. Contact helpdesk at 7777 if you have any questions." The following shows how to configure the error message.

Router(config)# eps failure messages "Endpoint Security checking failed. Contact helpdesk at 7777 if you have any questions."
Router(config)#

PART IX System
System (287)
System Remote Management (295)

System

This chapter provides information on the commands that correspond to what you can configure in the system screens.

35.1 System Overview

Use these commands to configure general ZyWALL information, the system time and the console port connection speed for a terminal emulation program. They also allow you to configure DNS settings and determine which services/protocols can access which ZyWALL zones (if any) from which computers.

35.2 Customizing the WWW Login Page

Use these commands to customize the Web Configurator login screen. You can also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 25 on page 233 for more on access user accounts.
66. 12:00
Router(config)# show schedule object
Object name  Type       Start             End               Ref
SCHEDULE1    Recurring  11:00             12:00 MonTueWedThuFri
SCHEDULE2    Once       2006-07-29 11:00  2006-07-31 12:00  0
Router(config)# no schedule object SCHEDULE1
Router(config)# show schedule object
Object name  Type  Start             End               Ref
SCHEDULE2    Once  2006-07-29 11:00  2006-07-31 12:00  0

AAA Server

This chapter introduces and shows you how to configure the ZyWALL to use external authentication servers.

29.1 AAA Server Overview

You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The following lists the types of authentication server the ZyWALL supports.

Local user database: The ZyWALL uses the built-in local user database to authenticate administrative users logging into the ZyWALL's web configurator or network access users logging into the network through the ZyWALL. You can also use the local user database to authenticate VPN users.

Directory Service (LDAP/AD): LDAP (Lightweight Directory Access Protocol) / AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login informati
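The show schedule object output above lists one recurring and one one-time schedule, and a policy route or firewall rule bound to either is only enforced while the schedule is active. The evaluator below is an added example, not the ZyWALL's code: it models both schedule types as the Schedules chapter describes them (a one-time schedule runs from a start date/time to a stop date/time; a recurring schedule runs between a start and a stop time on selected weekdays and must begin and end in the same day) and reports which schedules are active at a given moment. The two objects are constructed to mirror SCHEDULE1 and SCHEDULE2, and treating the stop time as exclusive is this example's assumption.

```python
"""Evaluate one-time and recurring schedule objects at a given moment.

Added example, not the ZyWALL's code. SCHEDULES mirrors the two objects
in the 'show schedule object' output above; the end-exclusive comparison
is an assumption of this example.
"""
from datetime import datetime, time

# Weekday names in datetime.weekday() order (Monday == 0)
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


class OneTimeSchedule:
    """Effective once, from a start date/time to a stop date/time."""

    def __init__(self, name, start, stop):
        if stop <= start:
            raise ValueError("stop must be after start")
        self.name, self.start, self.stop = name, start, stop

    def is_active(self, at):
        return self.start <= at < self.stop


class RecurringSchedule:
    """Repeats on the given weekdays between a start and a stop time.
    Recurring schedules always begin and end in the same day, so the stop
    time must be later than the start time (no wrap past midnight)."""

    def __init__(self, name, start, stop, days):
        if stop <= start:
            raise ValueError("recurring schedule must begin and end in the same day")
        unknown = set(days) - set(DAYS)
        if unknown:
            raise ValueError(f"unknown day names: {sorted(unknown)}")
        self.name, self.start, self.stop, self.days = name, start, stop, set(days)

    def is_active(self, at):
        return DAYS[at.weekday()] in self.days and self.start <= at.time() < self.stop


def active_schedules(schedules, at):
    """Names of the schedules active at datetime 'at', in table order."""
    return [s.name for s in schedules if s.is_active(at)]


# Constructed objects mirroring the 'show schedule object' output above
SCHEDULES = [
    RecurringSchedule("SCHEDULE1", time(11, 0), time(12, 0),
                      {"Mon", "Tue", "Wed", "Thu", "Fri"}),
    OneTimeSchedule("SCHEDULE2", datetime(2006, 7, 29, 11, 0),
                    datetime(2006, 7, 31, 12, 0)),
]


if __name__ == "__main__":
    for when in (datetime(2006, 7, 29, 11, 30), datetime(2006, 7, 31, 11, 30)):
        print(when, active_schedules(SCHEDULES, when))
```

2006-07-29 is a Saturday, so at 11:30 that day only SCHEDULE2 is active; on Monday 2006-07-31 at 11:30 both are; once the one-time window has expired only the recurring schedule remains, and a recurring schedule whose stop precedes its start is rejected rather than silently wrapping past midnight.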
67. 2 21 ftp 711 bytes Incoming
Router(config)# show report ge1 url
No. Hit URL
ch a 140.114.79.60
Router(config)# show report status
Report status: on
Collection period: 0 days 0 hours 0 minutes 18 seconds

39.1.3 Session Commands

This table lists the command to display the current sessions for debugging or statistical analysis.

Table 189 session Commands

COMMAND: show conn [user {username | any | unknown}] [service {service_name | any | unknown}] [source {ip | any}] [destination {ip | any}] [begin <1..128000>] [end <1..128000>]
DESCRIPTION: Displays information about the selected sessions or about all sessions. You can look at all the active sessions or filter the information by user name, service object, source IP, destination IP, or session number(s). any means all users, services and IP addresses respectively. unknown means unknown users and services respectively.

COMMAND: show conn ip traffic destination
DESCRIPTION: Displays information about traffic sessions sorted by the destination.

COMMAND: show conn ip traffic source
DESCRIPTION: Displays information about traffic sessions sorted by the source.

COMMAND: show conn status
DESCRIPTION: Displays the number of active sessions.

39.2 Email Daily Report Commands

The following table identifies the values used in some of these commands. Other input values are discussed with the corresponding commands.
68. Areas

COMMAND: router ospf
DESCRIPTION: Enters sub-command mode.

COMMAND: [no] network interface area IP
DESCRIPTION: Adds the specified interface to the specified area. The no command removes the specified interface from the specified area.

COMMAND: [no] area IP {stub | nssa}
DESCRIPTION: Creates the specified area and sets it to the indicated type. The no command removes the area.

COMMAND: [no] area IP authentication
DESCRIPTION: Enables text authentication in the specified area. The no command disables authentication in the specified area.

COMMAND: [no] area IP authentication message digest
DESCRIPTION: Enables MD5 authentication in the specified area. The no command disables authentication in the specified area.

COMMAND: [no] area IP authentication authentication key authkey
DESCRIPTION: Sets the password for text authentication in the specified area. The no command clears the password.

COMMAND: [no] area IP authentication message digest key <1..255> md5 authkey
DESCRIPTION: Sets the MD5 ID and password for MD5 authentication in the specified area. The no command clears the MD5 ID and password.

9.2.4 Virtual Link Commands

This table lists the commands for virtual links in OSPF areas.

Table 50 router Commands: Virtual Links in OSPF Areas

COMMAND: show ospf area IP virtual link
DESCRIPTION: Displays information about virtual links for the specified area.

COMMAND: router ospf
COMMAND: [no] area IP virtual link IP
DESCRIPTION: Creates the specified virtual link in the specified area. The no command removes the specified v
69. Aves ID cans tei ee kad eck ERG AAA Edo TUER Re dq ede qs 60 network extension activate ip pool address object 1st dns address object ip 2nd dns address object ip lst wins address object ip 2nd wins address object 2p j Metwork eddress obJeck susi A cas dada ened eee 147 next hop auto gateway address object interface interface_ name trunk frunb name tunnel tunsel Dome L bee RGA SEAS ARANA AAA AA RR AAA 91 MEW Cen ed asec ereeCanKeeye ates ee Gath SOG ROhGee eek adi roe Jum a dob dete 290 Rep Beever IIGEEISSGESTR EST fakes bee ha Res Ses SER 54 SARS eae dd d SOEs See ads RE 290 Gbgect group address group TOMS acd gene neqoe RR NUR eee Soe NOR CONCRA HEU OR RON Reena aw Red we kw 243 Obgeetegcogp eee hate a A E A do AAA wed ud ERA 243 pogestegrsup Broce meme ii xq BR ed Ra RN ER e de A x de Ida had 247 Dbjectegroup Service ALU ESSE bic koe sends AAA DAI han ac wee 246 outbound dscp mark lt 0 63 gt class default dscp class L4 m 164 gutbound dscp mark lt 0 63 gt grass default dsop class eeeeec e 9 9 165 outbound dscp mark lt 0 63 gt class default dsecp cilass i a IET CULOnIyHinteriace Interot e DNE orrara kh ete SHARES Cee EA EN AAA ae p toniy Lnteriace 2ST TACs HD aii Ra x ce ORDER ESE ee eS RR eas 98 dULeBHAT GOLUUHDE qudd qu Ver vexit pp PECES AAA A eee A died obe 140 podketesDpEUre Belts Kh abe Hes eRe metas sed Se Lee RA RE e dd See md AR 345 passivye interiage AACST LACS DN ena
70. Clear Log
Total logging entries: 8
30 entries per page, page 1

#  Date/Time            Priority  Category  Message
1  2007-05-11 11:25:00  info      IDP       New IDP rule has been appended
2  2007-05-11 11:24:59  info      IDP       New IDP rule has been appended
3  2007-05-11 11:24:59  info      IDP       IDP profile DMZ_IDP has been modified
4  2007-05-11 11:24:59  info      IDP       IDP profile DMZ_IDP has been created
5  2007-05-11 11:24:59  info      IDP       IDP profile LAN_IDP has been modified
6  2007-05-11 11:24:59  info      IDP       IDP profile LAN_IDP has been created
7  2007-05-11 11:24:59  info      IDP       Enable IDP succeeded
8  2007-05-11 11:23:42  alert     IDP       IDP signatures missing, please refer to your user documentation to recover the default datab

This procedure requires the ZyWALL's default system database file. Download the firmware package from www.zyxel.com and unzip it. The default system database file uses a .db extension, for example 1.01(XL.0)C0.db. Do the following after you have obtained the default system database file.

37.11.1 Using the atkz u Debug Command

Note: You only need to use the atkz u command if the default system database is damaged.

1 Restart the ZyWALL.

2 When "Press any key to enter debug mode within 3 seconds" displays, press a key to enter debug mode.

Figure 49 Enter Debug Mode
BootModule Version: U1.011 | 2007/03/30 12:22:57
DRAM Size = 510 Mbytes
DRAM POST: Testing: 522240K OK
DRAM Test SUCCESS!
Kernel Versio
71. Editing/Creating IDP Signature Profiles

Use these commands to create a new IDP signature profile or edit an existing one. It is recommended you use the web configurator to create/edit profiles. If you do not specify a base profile, the default base profile is none.

Note: You CANNOT change the base profile later.

Table 98 Editing/Creating IDP Signature Profiles

COMMAND: idp signature newpro base {all | lan | wan | dmz | none}
DESCRIPTION: Creates a new IDP signature profile called newpro. newpro uses the base profile you specify. Enters sub-command mode. All the following commands relate to the new profile. Use exit to quit sub-command mode.

COMMAND: [no] signature sid activate
DESCRIPTION: Activates or deactivates an IDP signature.

COMMAND: signature sid log [alert]
DESCRIPTION: Sets log or alert options for an IDP signature.

COMMAND: no signature sid log
DESCRIPTION: Deactivates log options for an IDP signature.

COMMAND: signature sid action {drop | reject sender | reject both | reject receiver}
DESCRIPTION: Sets an action for an IDP signature.

COMMAND: no signature sid action
DESCRIPTION: Deactivates an action for an IDP signature.

COMMAND: show idp profile signature sid details
DESCRIPTION: Shows signature ID details of the specified profile.

COMMAND: show idp profile signature {all | custom signature} details
DESCRIPTION: Shows the signature details of the specified profile.

21.3.4 Editing/Creating Anomaly Profiles

Use these co
73. HSSOPIDUIONM COELLO AA A RUE EO eR AA RR ADR OE CREER EUR Ro AAA ee ee 243 HOSTALES IPECESDELOR pseudo bi cee eee AA eee eee a eS 247 description AOS DELI AAA ROG oe A EHE Eee dod E RE decade 219 es o e e A seh eae eS Hee Ree EX eh E Pd ee ded ee P Es 306 descripcion Messer eC ION rta SA RE NI E ERA Qd AAA 52 ASSETIPELON ACECTTLPELOR rr qoc re e pao Gum eo oleum qo o ore ep dodo aepo iion xe 56 descrip ion MeSer ICI OU 60854 GA Ra NONE ee come iru Uu iis rU Vom A bdo Grab ced 90 destination address object group dame LceeseeBps Re 3 xm ey cxx UR OR OR WR OR RR RC REUROR 238 destinacion oda recS OSO ESO aa aaa ERU E der RU dde BC Pare bay adndsceuas 90 desgrtonacsron BIDIIJIGS WOME ai o Kok eee e RR Re e lod oe e dC e e OR RCM d en e DI ce de i dt 163 destination DOLLIE TANE rs bu edd Ee Po eR Pa Rare eoe ORS d bd do pw er 165 destination Dros NANS is A A ob A RE ORE doa EORR aC Re dox dd 166 destination ACTES OD EEE AAA AAA EEG NE SOR RA DE eee ees eee te dr 128 davice SgBVSOS Modal BANE 15 1 ct aR Ned Vox ar oc do UR Co dede Re COEUR D OR I C ROC o d CGU 59 dewvlgpeh ROBIMVAELA Uae tte eb bd qx kee SORE RE db Oh hoe ERE cee EE 224 device ha ap mode authentication string key ah md5 key 226 device ha ap mode backup sync authentication password password 226 device ap mods BSCLUD SyHO BUGS dress 226 device ha ap mode backup sync from master address port port 226 device ha ap mode backup sync
74. IPSec VPN commands.

16.2.1 IKE SA Commands

This table lists the commands for IKE SAs (VPN gateways).

Table 68 isakmp Commands: IKE SAs

COMMAND: show isakmp keepalive
DESCRIPTION: Displays the Dead Peer Detection period.

COMMAND: show isakmp policy [policy_name]
DESCRIPTION: Shows the specified IKE SA or all IKE SAs.

COMMAND: isakmp keepalive <2..60>
DESCRIPTION: Sets the Dead Peer Detection period.

COMMAND: [no] isakmp policy policy_name
DESCRIPTION: Creates the specified IKE SA if necessary and enters sub-command mode. The no command deletes the specified IKE SA.

COMMAND: activate | deactivate
DESCRIPTION: Activates or deactivates the specified IKE SA.

COMMAND: authentication {pre share | rsa sig}
DESCRIPTION: Specifies whether to use a pre-shared key or a certificate for authentication.

COMMAND: certificate certificate_name
DESCRIPTION: Sets the certificate that can be used for authentication.

COMMAND: [no] dpd
DESCRIPTION: Enables Dead Peer Detection (DPD). The no command disables DPD.

COMMAND: [no] fall back
DESCRIPTION: Set this to have the ZyWALL reconnect to the primary address when it becomes available again, and stop using the secondary connection, if the connection to the primary address goes down and the ZyWALL changes to using the secondary connection. Users will lose their VPN connection briefly while the ZyWALL changes back to the primary connection. To use this, the peer device at the secondary address cannot be set to use a nailed-up VPN connection.

COMMAND: fall back check interval <60..86400>
DESCRIPTION: Sets how often (in sec
Router(group-server-radius)# server host 172.23.22.100 auth-port 1812
Router(group-server-radius)# server key 12345678
Router(group-server-radius)# server timeout 100
Router(group-server-radius)# exit
Router(config)# show aaa group server radius RADIUSGroup1
key: 12345678
timeout: 100
description:
group attribute:
SET  No.  Host Member     Auth Port
     1    192.168.1.100   1812
     2    172.23.22.100   1812

Note that show aaa group server radius prints the RADIUS shared secret in clear text, so anyone who can run show commands on the ZyWALL, or read a saved configuration, learns it. Use a long random secret rather than a value like the 12345678 used in this example.

Chapter 30  Authentication Objects

This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database.

30.1 Authentication Objects Overview

After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the ZyWALL uses to authenticate users using VPN or managing through HTTP/HTTPS.

30.2 aaa authentication Commands

The following table lists the aaa authentication commands you use to configure an authentication profile.

Table 150  aaa authentication Commands

COMMAND / DESCRIPTION

  aaa authentication rename profile-name-old profile-name-new
      Changes the profile name.
      profile-name: You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.

  clear aaa authentica
The following commands show how to insert a force authentication policy at position 1 of the checking order. This policy applies endpoint security (EPS) policies and uses the following settings:

  Activate: yes
  Description: EPS on LAN
  Source: use address object LAN1_SUBNET
  Destination: use address object DMZ_Servers
  User Authentication: required
  Schedule: none specified
  Endpoint Security: activate endpoint security; use the objects EPS_WinXP and EPS_WinVista as the first and second EPS objects checked

Router# configure terminal
Router(config)# force-auth policy insert 1
Router(config-force-auth-1)# activate
Router(config-force-auth-1)# description EPS on LAN
Router(config-force-auth-1)# source LAN1_SUBNET
Router(config-force-auth-1)# destination DMZ_Servers
Router(config-force-auth-1)# authentication force
Router(config-force-auth-1)# no schedule
Router(config-force-auth-1)# eps activate
Router(config-force-auth-1)# eps 1 EPS_WinXP
Router(config-force-auth-1)# eps 2 EPS_WinVista
Router(config-force-auth-1)# exit

25.2.5 Additional User Commands

This table lists additional commands for users.

Table 135  username/groupname Commands Summary: Additional

COMMAND / DESCRIPTION

  show users {username | all | current}
      Displays information about the users logged onto the system.

  show lockout-users
      Displays users who are currently locked out.

  unlock lockout-use
      Turns compression on or off for the specified ISP account. The no command turns off compression.

  [no] idle <0..360>
      Sets the idle timeout for the specified ISP account. The no command sets the idle timeout to zero.

Table 154  PPPoE and PPTP ISP Account Commands (continued)

COMMAND / DESCRIPTION

  [no] service-name {ip | hostname | service_name}
      Sets the service name for the specified PPPoE ISP account. The no command clears the service name.
      hostname: You may use up to 63 alphanumeric characters, dashes (-) or periods (.), but the first character cannot be a period.
      service_name: You can use 1-253 alphanumeric characters, underscores (_) and dashes (-).

  [no] server ip
      Sets the PPTP server for the specified PPTP ISP account. The no command clears the server name.

  [no] encryption {nomppe | mppe-40 | mppe-128}
      Sets the encryption for the specified PPTP ISP account. The no command sets the encryption to nomppe.

  [no] connection-id connection_id
      Sets the connection ID for the specified PPTP ISP account. The no command clears the connection ID.
      connection_id: You can use up to 31 alphanumeric characters, underscores (_), dashes (-) and colons (:).

Treat the PPTP encryption setting as a weak control rather than a tunnel you can rely on: nomppe (the value the no command falls back to) sends the PPP payload in clear text, 40-bit MPPE is far too short to resist brute force, and even mppe-128 derives its keys from the MS-CHAP password exchange, for which practical offline attacks are public. Prefer the IPSec or SSL VPN features elsewhere in this guide where confidentiality matters.

32.1.2 Cellular Account Commands

The following table lists the cellular ISP account commands.

Table 155  Cellular Account Commands
      ... is logged in the system log and debugging log for the specified category.

  [no] logging system-log suppression interval <10..600>
      Sets the log consolidation interval for the system log. The no command sets the interval to ten.

  [no] logging system-log suppression
      Enables log consolidation in the system log. The no command disables log consolidation in the system log.

  [no] connectivity-check continuous-log activate
      Has the ZyWALL generate a log for each connectivity check. The no command has the ZyWALL only log the first connectivity check.

  show connectivity-check continuous-log status
      Displays whether or not the ZyWALL generates a log for each connectivity check.

  clear logging system-log buffer
      Clears the system log.

38.1.2.1 System Log Command Examples

The following command displays the current status of the system log.

Router# configure terminal
Router(config)# show logging status system-log
512 events logged
suppression active:
suppression interval:
category settings:
  myZyXEL.com: normal
  idp: normal
  ike: normal
  firewall: normal
  policy-route: normal
  system: normal
  device-ha: normal
  nat: normal
  interface: normal
  account: normal
  force-auth: normal
  anti-virus: normal
  black-list: normal
  cnm: normal
  file-manage: normal
  adp: normal
  content-filter: normal (blocked web sites: yes, forward web sites: no)
  user: normal
  zysh: norm
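The log consolidation that the suppression interval controls is easy to misread when you are reconstructing an incident from the system log, because the repeats inside the window are not written individually. The following Python model is an added example written for this page, not ZyXEL code: it replays a constructed list of events through the documented behaviour (first occurrence logged immediately, identical events inside the interval counted and suppressed, the interval limited to <10..600>). The summary wording and the choice of (category, message) as the de-duplication key are assumptions.

```python
"""Log consolidation in the style of the system-log suppression interval.

Added example, not ZyXEL code. Models: the first occurrence of an event is
written immediately; repeats of the same category and message within the
interval are suppressed and counted. The summary line wording and the
(category, message) key are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LogEvent:
    ts: int          # seconds since an arbitrary epoch
    category: str    # e.g. firewall, user, ike
    message: str


# Constructed sample: a burst of firewall drops around a single user login.
SAMPLE_EVENTS = [
    LogEvent(0, "firewall", "Match default rule, DROP"),
    LogEvent(3, "firewall", "Match default rule, DROP"),
    LogEvent(7, "firewall", "Match default rule, DROP"),
    LogEvent(8, "user", "User admin has logged in from 192.168.1.33"),
    LogEvent(12, "firewall", "Match default rule, DROP"),
    LogEvent(25, "firewall", "Match default rule, DROP"),
]


def consolidate(events: List[LogEvent], interval: int = 10, enabled: bool = True) -> List[str]:
    """Return the lines that would actually reach the system log.

    interval mirrors "logging system-log suppression interval <10..600>";
    enabled=False mirrors "no logging system-log suppression".
    """
    if not 10 <= interval <= 600:
        raise ValueError("suppression interval must be within <10..600>")

    out: List[str] = []
    # (category, message) -> [timestamp of the logged occurrence, count seen so far]
    pending: Dict[Tuple[str, str], List[int]] = {}

    def flush(key: Tuple[str, str]) -> None:
        first_ts, count = pending.pop(key)
        if count > 1:
            category, message = key
            out.append(f"{first_ts} {category}: {message} "
                       f"[repeated {count - 1} more times within {interval}s, suppressed]")

    for ev in sorted(events, key=lambda e: e.ts):
        line = f"{ev.ts} {ev.category}: {ev.message}"
        if not enabled:
            out.append(line)
            continue
        key = (ev.category, ev.message)
        if key in pending and ev.ts - pending[key][0] < interval:
            pending[key][1] += 1      # inside the window: count it, do not log it
            continue
        if key in pending:
            flush(key)                # window expired: write the summary first
        out.append(line)              # first occurrence in a new window is logged
        pending[key] = [ev.ts, 1]

    for key in list(pending):
        flush(key)
    return out


if __name__ == "__main__":
    for line in consolidate(SAMPLE_EVENTS):
        print(line)
```

With the sample above and the default ten-second interval the six events collapse to five lines, and the "repeated 2 more times" summary is the only evidence that the drop fired three times in the first window. When the consolidated count matters (a scan, a brute-force attempt), either widen what you look for to include the summary lines or run with suppression disabled on the category you are investigating.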
      ... authenticate itself in order to access the OCSP server. Type the login name (up to 31 characters) from the entity maintaining the server (usually a certification authority). You can use alphanumeric characters, the underscore and the dash.
      password: Type the password (up to 31 characters) from the entity maintaining the OCSP server (usually a certification authority). You can use alphanumeric characters (a-zA-Z0-9) and punctuation marks such as &, _, < and >.

  no ca category {local | remote} certificate_name
      Deletes the specified local (my certificates) or remote (trusted certificates) certificate.

  no ca validation name
      Removes the validation configuration for the specified remote (trusted) certificate.

  show ca category {local | remote} name certificate_name certpath
      Displays the certification path of the specified local (my certificates) or remote (trusted certificates) certificate.

  show ca category {local | remote} [name certificate_name format {text | pem}]
      Displays a summary of the certificates in the specified category (local for my certificates or remote for trusted certificates) or the details of a specified certificate.

  show ca validation name name
      Displays the validation configuration for the specified remote (trusted) certificate.

  show ca spaceusage
      Displays the storage space in use by certificates.

31.5 Certificates Comm
      authentication password: You may use alphanumeric characters, the underscore and some punctuation marks, and it can be up to eight characters long.
      VRRP simple-text authentication carries this password in clear text in every advertisement on the segment, so it prevents accidental group collisions but not an attacker who can sniff or inject traffic on that segment.

  [no] description description
      Specifies the description for the specified VRRP group. The no command clears the description.
      description: You can use alphanumeric characters, the underscore (_) and some punctuation marks, and it can be up to 60 characters long.

  [no] activate
      Turns on the specified VRRP group. The no command turns off the VRRP group.

24.6.2 VRRP Synchronization Commands

This table lists the commands for synchronization. You can synchronize with other ZyWALLs of the same model that are running the same firmware version.

Table 126  device-ha Commands: Synchronization

COMMAND / DESCRIPTION

  show device-ha sync
      Displays the current settings for synchronization.

  show device-ha sync status
      Displays the current status of synchronization.

  [no] device-ha sync from {hostname | ip}
      Specifies the fully qualified domain name (FQDN) or IP address of the ZyWALL router. Usually this is the IP address or FQDN of the virtual router. The no command clears this field.
      hostname: You may use up to 254 alphanumeric characters, dashes (-) or periods (.), but the first character cannot be a period.

  [no] device-ha sync port <1..65535>
      Specifies the port number to use to synchronize with the
      ... automatically renew their lease time. The no command prevents them from automatically renewing it.

  show users idle-detection settings
      Displays whether or not users are automatically logged out and, if so, how many minutes of idle time must pass before they are logged out.

  [no] users idle-detection
      Enables logging users out after a specified number of minutes of idle time. The no command disables logging them out.

  [no] users idle-detection timeout <1..60>
      Sets the number of minutes of idle time before users are automatically logged out. The no command sets the idle detection timeout to three minutes.

25.2.3.1 User Setting Command Examples

The following commands show the current settings for the number of simultaneous logins.

Router# configure terminal
Router(config)# show users simultaneous-logon settings
enable simultaneous logon limitation for administration account: yes
maximum simultaneous logon per administration account:
enable simultaneous logon limitation for access account: yes
maximum simultaneous logon per access account: 3

25.2.4 Force User Authentication Commands

This table lists the commands for forcing user authentication.

Table 133  username/groupname Commands Summary: Forcing User Authentication

COMMAND / DESCRIPTION

  [no] force-auth activate
      Enables force user authentication tha
      ... before dropping it. Use transformation to have the ZyWALL modify IP addresses and port numbers embedded in the SIP data payload. You do not need to use this if you have a SIP device or server that will modify IP addresses and port numbers embedded in the SIP data payload. The no command turns off the SIP ALG or removes the settings that you specify.

  [no] alg {h323 | ftp} [signal-port <1025..65535>] [signal-extra-port <1025..65535>] [transformation]
      Turns on or configures the H.323 or FTP ALG. Use signal-port with a listening port number (1025 to 65535) if you are using H.323 on a TCP port other than 1720 or FTP on a TCP port other than 21. Use signal-extra-port with a listening port number (1025 to 65535) if you are also using H.323 or FTP on an additional TCP port number. Use transformation to have the ZyWALL modify IP addresses and port numbers embedded in the H.323 or FTP data payload. You do not need to use this if you have an H.323 or FTP device or server that will modify IP addresses and port numbers embedded in the H.323 or FTP data payload. The no command turns off the H.323 or FTP ALG or removes the settings that you specify.

  [no] alg sip defaultport <1..65535>
      Adds or removes a custom UDP port number for SIP traffic.

  show alg {sip | h323 | ftp}
      Displays the specified ALG's configuration.

Leave an ALG off unless you actually carry that protocol through the ZyWALL. An ALG opens pinholes and rewrites addresses based on port numbers and addresses it parses out of payload data that the remote party controls, so every enabled ALG is additional parsing of untrusted input in the firewall's own path, and the signal-extra-port option widens which TCP ports that parser is applied to.

14.3 AL
      ... can specify whether or not the ZyWALL is to respond to probing for unused ports. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 172  Command Summary: ICMP Filter

COMMAND / DESCRIPTION

  [no] ip icmp-filter activate
      Turns the ICMP filter on or off.

  ip icmp-filter rule <1..32> {append | insert} access-group {ALL | ADDRESS_OBJECT} zone {ALL | ZONE_OBJECT} icmp-type {ALL | echo-reply | destination-unreachable | source-quench | redirect | echo-request | router-advertisement | router-solicitation | time-exceeded | parameter-problem | timestamp-request | timestamp-reply | address-mask-request | address-mask-reply} action {accept | deny}
      Sets an ICMP filter rule.
      ADDRESS_OBJECT: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
      ZONE_OBJECT: The name of the zone. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.

  no ip icmp-filter rule <1..64>
      Deletes an ICMP filter rule.

  ip icmp-filter rule move <1..64> to <1..64>
      Changes the index number of an ICMP filter rule.

  show ip icmp-filter status
      Displays ICMP filter settings.

The table gives <1..32> as the index range when creating a rule but <1..64> when deleting or moving one; confirm the range your firmware accepts with show ip icmp-filter status before scripting against it.

36.10 Dial-in Management Conne
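Because ICMP filter rules are kept in index order, whether a rule was added with append or insert (and where it is later moved to) decides which rule a packet actually hits. The following Python model is an added example for this page, not ZyXEL code: it implements the rule fields from the table (access-group, zone, icmp-type, action) and the index operations (append, insert, move, delete) over constructed address objects, zones and packets. Three behaviours it assumes because the page does not state them: rules are tried in index order and the first match decides; a packet that matches no rule gets a configurable default (accept here); and an inactive filter accepts everything.

```python
"""Ordered ICMP-filter evaluation: append vs insert vs move.

Added example, not ZyXEL code. Assumptions (not stated on the page):
first match in index order wins; no match -> default_action; a filter
that is not activated accepts everything.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# ICMP type numbers (RFC 792) for the names the CLI accepts.
ICMP_TYPES = {
    "echo-reply": 0, "destination-unreachable": 3, "source-quench": 4,
    "redirect": 5, "echo-request": 8, "router-advertisement": 9,
    "router-solicitation": 10, "time-exceeded": 11, "parameter-problem": 12,
    "timestamp-request": 13, "timestamp-reply": 14,
    "address-mask-request": 17, "address-mask-reply": 18,
}

# Constructed address object, standing in for one defined on the ZyWALL.
ADDRESS_OBJECTS = {"LAN1_SUBNET": ipaddress.ip_network("192.168.1.0/24")}

MAX_RULES = 32   # rule <1..32> in the table


@dataclass(frozen=True)
class Packet:
    src: str
    zone: str        # zone the packet arrived from, e.g. LAN1 or WAN
    icmp_type: int


@dataclass
class Rule:
    access_group: str = "ALL"   # ALL or an address object name
    zone: str = "ALL"           # ALL or a zone name
    icmp_type: str = "ALL"      # ALL or a key of ICMP_TYPES
    action: str = "deny"        # accept | deny

    def __post_init__(self) -> None:
        if self.icmp_type != "ALL" and self.icmp_type not in ICMP_TYPES:
            raise ValueError(f"unknown icmp-type {self.icmp_type}")
        if self.action not in ("accept", "deny"):
            raise ValueError("action must be accept or deny")

    def matches(self, pkt: Packet) -> bool:
        if self.zone != "ALL" and self.zone != pkt.zone:
            return False
        if self.access_group != "ALL":
            if ipaddress.ip_address(pkt.src) not in ADDRESS_OBJECTS[self.access_group]:
                return False
        if self.icmp_type != "ALL" and ICMP_TYPES[self.icmp_type] != pkt.icmp_type:
            return False
        return True


class IcmpFilter:
    def __init__(self, default_action: str = "accept"):
        self.rules: List[Rule] = []
        self.activated = False
        self.default_action = default_action

    def _check_room(self) -> None:
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"at most {MAX_RULES} ICMP filter rules")

    def append(self, rule: Rule) -> None:
        self._check_room()
        self.rules.append(rule)

    def insert(self, index: int, rule: Rule) -> None:
        """Put rule at 1-based position index; later rules shift down by one."""
        self._check_room()
        self.rules.insert(index - 1, rule)

    def delete(self, index: int) -> None:
        del self.rules[index - 1]

    def move(self, index: int, to: int) -> None:
        rule = self.rules.pop(index - 1)
        self.rules.insert(to - 1, rule)

    def evaluate(self, pkt: Packet) -> str:
        if not self.activated:
            return "accept"
        for rule in self.rules:        # first match wins (assumption)
            if rule.matches(pkt):
                return rule.action
        return self.default_action


def build_example_filter() -> IcmpFilter:
    """Deny echo-request from everywhere, then insert a LAN1 exception ahead of it."""
    f = IcmpFilter()
    f.activated = True   # ip icmp-filter activate
    f.append(Rule(icmp_type="echo-request", action="deny"))                       # becomes rule 1
    f.insert(1, Rule(access_group="LAN1_SUBNET", zone="LAN1", action="accept"))  # now rule 1; the deny is rule 2
    return f


if __name__ == "__main__":
    f = build_example_filter()
    print(f.evaluate(Packet("192.168.1.10", "LAN1", 8)))   # accept
    print(f.evaluate(Packet("203.0.113.5", "WAN", 8)))     # deny
```

The same two rules entered with append instead of insert would leave the blanket deny first and silently block the LAN exception; the test below shows that moving rule 1 to position 2 produces exactly that outcome. Check show ip icmp-filter status after every insert or move rather than trusting the order you typed.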
      ... can specify a fully qualified domain name, an IP address, or the default gateway for the interface.

  ping-check {domain_name | ip | default-gateway} period <5..30>
      Specifies what the ZyWALL pings for the ping check and sets the number of seconds between each ping check.

  ping-check {domain_name | ip | default-gateway} timeout <1..10>
      Specifies what the ZyWALL pings for the ping check and sets the number of seconds the ZyWALL waits for a response.

  ping-check {domain_name | ip | default-gateway} fail-tolerance <1..10>
      Specifies what the ZyWALL pings for the ping check and sets the number of times the ZyWALL times out before it stops routing through the specified interface.

  ping-check {domain_name | ip | default-gateway} method {icmp | tcp}
      Sets how the ZyWALL checks the connection to the gateway. icmp: ping the gateway you specify to make sure it is still available. tcp: perform a TCP handshake with the gateway you specify to make sure it is still available.

  ping-check {domain_name | ip | default-gateway} port <1..65535>
      Specifies the port number to use for a TCP connectivity check.

6.2.6.1 Connectivity Check Command Example

The following commands show you how to set the wan1 interface to use a TCP handshake on port 8080 to check the connection to IP address 1.1.1.2.

Router# configure terminal
Router(config)# interface wan1
Router(co
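The connectivity check is a small state machine: a probe every period seconds, each one bounded by timeout, and the interface dropped from routing once fail-tolerance consecutive probes time out. The following Python model is an added example for this page, not ZyXEL code. It validates the table's ranges, implements method tcp as a real connect() with the configured timeout (an ICMP probe needs raw sockets and is left for the caller to supply), and replays a scripted sequence of probe results offline. It assumes, because the page does not say, that a single successful check resets the failure count and restores the interface.

```python
"""Connectivity-check (ping-check) logic with fail tolerance.

Added example, not ZyXEL code. Ranges come from the command table:
period <5..30>, timeout <1..10>, fail-tolerance <1..10>, port <1..65535>.
Assumed: one successful probe resets the failure count and restores routing.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class PingCheck:
    target: str                 # domain name, IP address, or the default gateway
    period: int = 30            # seconds between checks
    timeout: int = 5            # seconds to wait for a reply
    fail_tolerance: int = 5     # consecutive timeouts before the interface leaves routing
    method: str = "icmp"        # icmp | tcp
    port: int = 80              # used only for method tcp

    def __post_init__(self) -> None:
        if not 5 <= self.period <= 30:
            raise ValueError("period must be within <5..30>")
        if not 1 <= self.timeout <= 10:
            raise ValueError("timeout must be within <1..10>")
        if not 1 <= self.fail_tolerance <= 10:
            raise ValueError("fail-tolerance must be within <1..10>")
        if self.method not in ("icmp", "tcp"):
            raise ValueError("method must be icmp or tcp")
        if not 1 <= self.port <= 65535:
            raise ValueError("port must be within <1..65535>")


def tcp_probe(check: PingCheck) -> bool:
    """method tcp: a completed TCP handshake within the timeout counts as alive."""
    try:
        with socket.create_connection((check.target, check.port), timeout=check.timeout):
            return True
    except OSError:
        return False


@dataclass
class InterfaceMonitor:
    check: PingCheck
    probe: Callable[[PingCheck], bool]
    failures: int = 0
    routable: bool = True
    log: List[str] = field(default_factory=list)

    def tick(self) -> bool:
        """One check, to be called every `period` seconds; returns whether the interface is still routed through."""
        if self.probe(self.check):
            if not self.routable:
                self.log.append(f"{self.check.target}: reachable again, interface restored")
            self.failures = 0
            self.routable = True
        else:
            self.failures += 1
            self.log.append(f"{self.check.target}: timeout {self.failures}/{self.check.fail_tolerance}")
            if self.failures >= self.check.fail_tolerance:
                self.routable = False
        return self.routable


def simulate(results: List[bool], fail_tolerance: int) -> List[bool]:
    """Feed a scripted sequence of probe outcomes through the monitor (offline helper)."""
    outcomes = iter(results)
    # Same target and port as the page's wan1 example; constructed timings.
    check = PingCheck("1.1.1.2", period=5, timeout=3, fail_tolerance=fail_tolerance,
                      method="tcp", port=8080)
    monitor = InterfaceMonitor(check, probe=lambda _c: next(outcomes))
    return [monitor.tick() for _ in results]


if __name__ == "__main__":
    print(simulate([True, False, False, True, False, False, False], fail_tolerance=3))
```

Two things worth keeping in mind when you pick the target: a TCP check only proves that something completed a handshake on that port, so an upstream captive portal or transparent proxy can keep the check green while real traffic is broken, and a check against a host you do not control hands that host (or anyone who can reach it first) the ability to move your routing. The gateway itself, or a host you operate, is the safer choice.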
      ... | chunk-encoding | webroot-directory-traversal} details
      Shows HTTP inspection settings for the specified IDP profile.

  show idp anomaly profile tcp-decoder all details
      Shows TCP decoder settings for the specified IDP profile.

  show idp anomaly profile tcp-decoder {undersize-len | undersize-offset | oversize-offset | bad-length-options | truncated-options | ttcp-detected | obsolete-options | experimental-options} details
      Shows the specified TCP decoder settings for the specified IDP profile.

  show idp anomaly profile udp-decoder all details
      Shows UDP decoder settings for the specified IDP profile.

  show idp anomaly profile udp-decoder {truncated-header | undersize-len | oversize-len} details
      Shows the specified UDP decoder settings for the specified IDP profile.

  show idp anomaly profile icmp-decoder all details
      Shows all ICMP decoder settings for the specified IDP profile.

  show idp anomaly profile icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} details
      Shows the specified ICMP decoder settings for the specified IDP profile.

21.3.4.1 Creating an Anomaly Profile Example

In this example we create a profile named test, configure some settings, display them and then return to global command mode.

Router# configure terminal
Router(config)# idp anomaly test
      ... create a myZyXEL.com account, register your ZyWALL and activate a service using the Licensing > Registration screens. Alternatively, go to http://www.myZyXEL.com with the ZyWALL's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details.

To activate a service on a ZyWALL, you need to access myZyXEL.com via that ZyWALL.

5.1.1 Subscription Services Available on the ZyWALL

The ZyWALL can use anti-virus, IDP/AppPatrol (Intrusion Detection and Prevention and application patrol), SSL VPN and content filtering subscription services.

The ZyWALL's anti-virus packet scanner uses the signature files on the ZyWALL to detect virus files. Your ZyWALL scans files transmitting through the enabled interfaces into the network. Subscribe to signature files for ZyXEL's anti-virus engine or one powered by Kaspersky. After the service is activated, the ZyWALL can download the up-to-date signature files from the update server (http://myupdate.zywall.zyxel.com).

When using the trial, you can switch from one engine to the other in the Registration screen. There is no limit on the number of times you can change the anti-virus engine selection during the trial, but you only get a total of one anti-virus trial period, not a separate trial period for each anti-virus engine.

After the service is activated, the ZyWALL can download the up-to-date si
      ... daily-report mail-to-3
Router(config)# daily-report mail-to-4 my-email@example.com
Router(config)# no daily-report mail-to-5
Router(config)# daily-report smtp-auth activate
Router(config)# daily-report smtp-auth username 12345 password pass12345
Router(config)# daily-report schedule hour 13 minutes 57
Router(config)# no daily-report schedule reset-counter
Router(config)# daily-report item cpu-usage
Router(config)# daily-report item mem-usage
Router(config)# daily-report item session-usage
Router(config)# daily-report item port-usage
Router(config)# daily-report item idp-report
Router(config)# daily-report item av-report
Router(config)# daily-report item as-report
Router(config)# daily-report item traffic-report
Router(config)# daily-report activate

This displays the e-mail daily report settings and has the ZyWALL send the report now.

Router(config)# show daily-report status
email daily report status:
  activate: yes
  scheduled time: 13:57
  reset counter: no
  smtp address: example-SMTP-mail-server.com
  smtp auth: yes
  smtp username: 12345
  smtp password: pass12345
  mail subject: test subject
  append system name: no
  append date time: yes
  mail from: my-email@example.com
  mail to 1: example-administrator@example.com

As with the RADIUS and other server credentials, show daily-report status prints the SMTP password in clear text; give the report a dedicated mailbox account rather than reusing an administrator's credentials, since the report also carries the IDP, anti-virus and anti-spam summaries for the day.
Router(config)# show l2tp-over-ipsec
L2TP over IPSec:
  l2tp-over-ipsec crypto Default_L2TP_VPN_Connection
  l2tp-over-ipsec pool L2TP_POOL
  l2tp-over-ipsec user L2TP-test
  l2tp-over-ipsec activate
activate: yes
crypto: Default_L2TP_VPN_Connection
address pool: L2TP_POOL
authentication: default
user: L2TP-test
keepalive timer: 60
first dns server: aux-1st-dns
second dns server: aux-1st-dns
first wins server:
second wins server:

18.5.4 Configuring the Policy Route for L2TP Example

The following commands configure and display the policy route for the L2TP VPN connection entry.

  Set the policy route's Source Address to the address object that you want to allow the remote users to access (LAN_SUBNET in this example).
  Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users (L2TP_POOL in this example).
  Set the next-hop to be the Default_L2TP_VPN_Connection tunnel.
  Enable the policy route.

Router(config)# policy 3
Router(policy-route)# source LAN_SUBNET
Router(policy-route)# destination L2TP_POOL
Router(policy-route)# service any
Router(policy-route)# next-hop tunnel Default_L2TP_VPN_Connection
Router(policy-route)# no deactivate
Router(policy-route)# exit
Router(config)# show policy-route 3
index: 3
active: ye
      ... | deny}
      Sets a service control rule for DNS requests.

  ip dns server rule move <1..32> to <1..32>
      Changes the number of a service control rule.

Table 164  Command Summary: DNS (continued)

COMMAND / DESCRIPTION

  [no] ip dns server zone-forwarder {<1..32> | append | insert <1..32>} domain_zone_name interface interface_name
      Sets a domain zone forwarder record that specifies a fully qualified domain name. You can also use a star (*) if all domain zones are served by the specified DNS server(s).
      domain_zone_name: This is a domain zone, not a host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. Whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address.
      interface_name: This is the interface through which the ISP provides a DNS server. The interface should be activated and set to be a DHCP client.
      The no command deletes a zone forwarder record.

  ip dns server zone-forwarder {<1..32> | append | insert <1..32>} domain_zone_name user-defined w.x.y.z [private | interface {interface_name | auto}]
      Sets a domain zone forwarder record that specifies a DNS server's IP address.
      private | interface: Use private if the ZyWALL connects to the DNS server through a VPN tunnel. Other
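The zone forwarder table is where internal names either stay inside (a private server reached over the VPN) or leak to the ISP resolver on the wildcard entry, so the matching has to be exact about zone boundaries. The following Python model is an added example for this page, not ZyXEL code: it represents zone-forwarder records (a domain zone or * pointing at a user-defined server, optionally marked private, or at the DNS server learned on a DHCP-client interface) and chooses the forwarder for a query name. Two rules it assumes because the page does not define them: when several records cover a name the most specific zone wins and * is the fallback, and zones match on whole labels, so notzyxel.com.tw is not treated as part of zyxel.com.tw.

```python
"""Choosing the DNS zone forwarder for a query name.

Added example, not ZyXEL code. Assumptions: most specific zone wins,
* is the fallback, and matching respects label boundaries.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ZoneForwarder:
    index: int             # <1..32>
    zone: str              # e.g. zyxel.com.tw, or * for every zone
    server: str            # "user-defined w.x.y.z" or "interface <name>"
    private: bool = False  # user-defined server reached through a VPN tunnel


def normalize(name: str) -> str:
    return name.lower().strip().rstrip(".")


def zone_covers(zone: str, qname: str) -> bool:
    """True if qname is the zone itself or a name beneath it (label-boundary aware)."""
    zone, qname = normalize(zone), normalize(qname)
    if zone == "*":
        return True
    return qname == zone or qname.endswith("." + zone)


def specificity(zone: str) -> int:
    """Number of labels in the zone; * is the least specific."""
    return -1 if zone == "*" else normalize(zone).count(".") + 1


def pick_forwarder(qname: str, records: List[ZoneForwarder]) -> Optional[ZoneForwarder]:
    best: Optional[ZoneForwarder] = None
    for rec in records:
        if not zone_covers(rec.zone, qname):
            continue
        if best is None or specificity(rec.zone) > specificity(best.zone):
            best = rec
    return best


# Constructed records, not from any real configuration.
RECORDS = [
    ZoneForwarder(1, "example.internal", "user-defined 192.168.1.53", private=True),
    ZoneForwarder(2, "zyxel.com.tw", "user-defined 10.0.0.53"),
    ZoneForwarder(3, "*", "interface wan1"),
]

if __name__ == "__main__":
    for q in ("www.zyxel.com.tw", "notzyxel.com.tw", "db.example.internal", "example.com"):
        rec = pick_forwarder(q, RECORDS)
        print(q, "->", rec.server if rec else "no forwarder")
```

The notzyxel.com.tw case is the one to watch: a plain suffix comparison without the leading dot would route it to the zone's private server, and the mirror-image bug (matching a zone against only part of a label) sends internal names out of the wildcard entry to the ISP.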
      ... destination ports to the specified destination IP address and range of destination ports. The original destination IP is defined by the specified interface (any), the specified IP address (IP) or the specified address object (address_object). nat-loopback allows local users to use a domain name to access this virtual server. nat-1-1-map means the NAT type is either 1:1 NAT or Many 1:1 NAT; see Section 12.1.1 on page 109 for more information. Using this command without nat-1-1-map means the NAT type is Virtual Server. This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet). The deactivate command disables the virtual server rule.

  ip virtual-server profile_name interface interface_name original-ip {any | IP | address_object} map-to {address_object | ip} map-type original-service service_object mapped-service service_object [nat-loopback [nat-1-1-map [deactivate] | deactivate] | nat-1-1-map [deactivate] | deactivate]
      Creates or modifies the specified virtual server and maps the specified destination IP address, protocol and service object to the specified destination IP address and service object. The original destination IP is defined by the specified interface (any), the specified IP address (IP) or the specified address object (address_object). nat-loopback allows local users to use a domain name to access this virtual server. nat-1-1-map means the NAT
      ... diagnostic file.

41.3 Diagnosis Commands Example

The following example creates a diagnostic file and displays its name, size and creation date.

Router# configure terminal
Router(config)# diag-info collect
Please wait, collecting information
Router(config)# show diag-info
Filename: diaginfo-20070423.tar.bz2
File size: 1259 KB
Date: 2007-04-23 09:55:09

Maintenance Tools

Use the maintenance tool commands to check the conditions of other devices through the ZyWALL. The maintenance tools can help you to troubleshoot network problems.

Here are maintenance tool commands that you can use in privilege mode.

Table 194  Maintenance Tools Commands in Privilege Mode

COMMAND / DESCRIPTION

  packet-trace [interface interface_name] [ip-proto {<0..255> | protocol_name | any}] [src-host {ip | hostname | any}] [dst-host {ip | hostname | any}] [port {<1..65535> | any}] [file] [duration <1..3600>] [extension-filter filter_extension]
      Sends traffic through the specified interface with the specified protocol, source address, destination address and/or port number. If you specify file, the ZyWALL dumps the traffic to a packet-trace file named after the interface. Use FTP to retrieve the files (see Section 37.6 on page 316). If you do not assign the d

  traceroute {ip | hostname}

Both the diagnostic archive and packet-trace dumps are fetched with FTP, which carries the login and the file in clear text, so retrieve them over a management network you trust and delete them from the ZyWALL once copied; a packet trace contains whatever passed the interface, including any credentials that were sent unencrypted.
      dnsbl configures the message or label to add to the beginning of the mail subject of e-mails that have a sender or relay IP address in the header that matches a blacklist maintained by a DNSBL domain listed in the ZyWALL.
      dnsbl-timeout configures the message or label to add to the mail subject of e-mails that the ZyWALL forwards if queries to the DNSBL domains time out.
      Use up to 15 alphanumeric characters, underscores (_), colons (:) or dashes (-).

  show anti-spam dnsbl status
      Displays the activation status of the anti-spam DNSBL checking.

  show anti-spam dnsbl domain
      Displays the ZyWALL's configured anti-spam DNSBL domain entries.

  show anti-spam dnsbl max-query-ip
      Displays how many sender and relay server IP addresses in the mail header anti-spam checks against the DNSBL.

  show anti-spam dnsbl ip-check-order
      Displays the order in which anti-spam checks e-mail header IP addresses against the DNSBLs.

  show anti-spam dnsbl {smtp | pop3} query-timeout
      Displays how the ZyWALL handles SMTP or POP3 mail if the queries to the DNSBL domains time out.

Table 119  DNSBL Commands (continued)

COMMAND / DESCRIPTION

  show anti-spam tag dnsbl {dnsbl | dnsbl-timeout}
      dnsbl displays the anti-spam tag for e-mails that have a sender or relay IP address in the header that matches a blacklist maintained by a DNSBL domain. dnsbl-timeout di
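The DNSBL settings above (domain list, max-query-ip, ip-check-order, the dnsbl and dnsbl-timeout tags) fit together as one lookup procedure, and the part that matters for security is which header addresses you trust enough to look up. The following Python model is an added example for this page, not ZyXEL code: it builds the reversed-octet DNSBL query name, pulls relay addresses out of the Received: headers of a constructed message, applies max-query-ip and a check order, and returns the tag the subject would receive. The resolver is passed in so the example runs offline; the DNSBL zone names, the tag strings, the meaning given to forward and backward order, and the choice to skip RFC 1918 and loopback relays are all assumptions.

```python
"""DNSBL checking of mail-header relay addresses.

Added example, not ZyXEL code. Zone names, tags, check-order semantics
and the internal-address skip list are assumptions.
"""
import email
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
TAG_MAX_LEN = 15   # "Use up to 15 alphanumeric characters, underscores, colons or dashes"


def dnsbl_query_name(ip: str, domain: str) -> str:
    """192.0.2.7 checked against zen.example becomes 7.2.0.192.zen.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + domain.rstrip(".")


def header_ips(raw_message: str) -> List[ipaddress.IPv4Address]:
    """Relay addresses from Received: headers, nearest hop first.

    Only the Received: line written by your own MTA is trustworthy; the
    earlier ones were added by whoever relayed the message and can be forged.
    """
    msg = email.message_from_string(raw_message)
    ips: List[ipaddress.IPv4Address] = []
    for hdr in msg.get_all("Received", []):
        for m in RECEIVED_IP_RE.finditer(str(hdr)):
            try:
                ip = ipaddress.IPv4Address(m.group(1))
            except ipaddress.AddressValueError:
                continue
            if any(ip in net for net in INTERNAL_NETS) or ip in ips:
                continue
            ips.append(ip)
    return ips


def check_message(raw_message: str, domains: List[str],
                  resolver: Callable[[str], str], max_query_ip: int = 5,
                  order: str = "forward", tag_listed: str = "DNSBL:",
                  tag_timeout: str = "DNSBL-TIMEOUT:") -> Tuple[str, Optional[str], str]:
    """Return (verdict, listed_ip, subject_tag); resolver answers listed | unlisted | timeout."""
    for tag in (tag_listed, tag_timeout):
        if len(tag) > TAG_MAX_LEN:
            raise ValueError("anti-spam tags are limited to 15 characters")
    ips = header_ips(raw_message)
    if order == "backward":   # assumption: backward = origin first, forward = nearest relay first
        ips.reverse()
    timed_out = False
    for ip in ips[:max_query_ip]:
        for domain in domains:
            verdict = resolver(dnsbl_query_name(str(ip), domain))
            if verdict == "listed":
                return ("listed", str(ip), tag_listed)
            if verdict == "timeout":
                timed_out = True
    if timed_out:
        return ("timeout", None, tag_timeout)
    return ("clean", None, "")


# Constructed message: our MTA (192.168.1.25) took it from 198.51.100.77,
# which claims to have received it from 203.0.113.9.
SAMPLE_MESSAGE = """Received: from mx.example.net (mx.example.net [192.168.1.25]) by gw.example.net; Mon, 23 Apr 2007 09:55:09 +0000
Received: from relay.example.org ([198.51.100.77]) by mx.example.net; Mon, 23 Apr 2007 09:55:01 +0000
Received: from sender.example.com ([203.0.113.9]) by relay.example.org; Mon, 23 Apr 2007 09:54:50 +0000
From: someone@example.com
To: admin@example.net
Subject: hello

body
"""

# Constructed resolver standing in for real DNS queries.
LISTED = {"77.100.51.198.bl.example"}
TIMEOUT = {"9.113.0.203.bl2.example"}


def fake_resolver(name: str) -> str:
    if name in LISTED:
        return "listed"
    if name in TIMEOUT:
        return "timeout"
    return "unlisted"


if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE, ["bl.example"], fake_resolver))
```

max-query-ip does double duty here: it bounds the DNS load per message, and it limits how far into forged Received: lines a sender can steer the check. With max-query-ip set to 1 and a forward order only the relay your own MTA actually talked to is looked up, which is the one address in the header the sender cannot fake.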
99. ip-type {icmp | igmp | igrp | pim | ah | esp | vrrp | udp | tcp | any} ... 346
isakmp policy rename policy_name policy_name ... 138
l2tp-over-ipsec authentication aaa_authentication_profile_name ... 154
l2tp-over-ipsec recover-default-ipsec-policy ... 153
language {English | Simplified_Chinese | Traditional_Chinese} ... 308
ldap ip {ip | fqdn} port <1..65535> id name password password deactivate ... 265
list signature anti-virus personal-firewall status ... 280
local-id type {ip ip | fqdn domain_name | mail e_mail | dn distinguished_name} ... 138
local-ip {ip ip | domain_name | interface interface_name} ... 138
logging console category mod
100. aaa authentication profile_name member1 [member2] [member3] [member4] ... 260
aaa group server ad group_name ... 254
aaa group server ldap group_name ... 299
aaa group server radius group_name ... 236
access-page color-window-background ... 288
access-page message-text message ... 288
account cellular profile ... 270
action {block | login | message | audio | video | file-transfer} ... 163
action {block | login | message | audio | video | file-transfer} ... 155
action {block | login | message | audio | video | file-transfer} ... 167
101. [no] eps activate
    Enables EPS for the specified condition. The no command disables EPS for the condition.
eps insert <1..8> eps_object_name
    Inserts the specified EPS object for the condition. The number determines the order in which this EPS rule is executed in the condition.
eps move <1..8> to <1..8>
    Changes an endpoint object's position in the execution order of the condition.
[no] eps periodical-check <1..1440>
    Sets the number of minutes after which the ZyWALL repeats the endpoint security check. The no command means that the ZyWALL only performs the endpoint security check when users log in to the ZyWALL.
[no] force
    Forces users to log in to the ZyWALL if the specified condition is satisfied. The no command means that users do not have to log in to the ZyWALL.

Chapter 25 User/Group, Table 134 force-auth-policy Sub-commands (continued)

[no] schedule schedule_name
    Sets the time criteria for the specified condition. The no command removes the time criteria, making the condition effective all the time.
[no] source {address_object | group_name}
    Sets the source criteria for the specified condition. The no command removes the source criteria, making the condition effective for all sources.
show
    Displays information about the specified condition.

25.2.4.2 Force Authentication Policy Insert Command Example
102. esp-aes256-md5 | esp-aes256-sha | esp-des-md5 | esp-des-sha | esp-null-md5 | esp-null-sha}

transform-set {ah-md5 | ah-sha} [ah-md5 | ah-sha] [ah-md5 | ah-sha]
    Sets the active protocol to AH and sets the encryption and authentication algorithms for each proposal.

Chapter 16 IPSec VPN, Table 69 crypto Commands (IPSec SAs) (continued)

scenario {site-to-site-static | site-to-site-dynamic | remote-access-server | remote-access-client}
    Select the scenario that best describes your intended VPN connection.
    site-to-site-static: The remote IPSec router has a static IP address or a domain name. This ZyWALL can initiate the VPN tunnel.
    site-to-site-dynamic: The remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel.
    remote-access-server: Allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.
    remote-access-client: Choose this to connect to an IPSec server. This ZyWALL is the client (dial-in user) and can initiate the VPN tunnel.
set security-association lifetime seconds <180..3000000>
    Sets the IPSec SA lifetime.
set pfs {group1 | group2 | group5 | none}
    Enables Perfect Forward Secrecy using the specified Diffie-Hellman group.
local-policy address_name
    Sets the address object for the local policy.
103. for the setting later.

Router> configure terminal
Router(config)# show eps signature anti-virus
No.  Name                                              Detection
1    Kaspersky_Anti-Virus_v2009                        yes
2    Kaspersky_Anti-Virus_v2010                        yes
3    Kaspersky_Internet_Security_v2009                 yes
4    Kaspersky_Internet_Security_v2010                 yes
5    Norton_Anti-Virus_v2010                           no
6    Norton_Internet_Security_v2010                    no
7    Norton_360_v3                                     no
8    Microsoft_Security_Center                         yes
9    TrendMicro_PC-cillin_AntiVirus_v2010              yes
10   TrendMicro_PC-cillin_Internet_Security_v2010      yes
11   TrendMicro_PC-cillin_Internet_Security_Pro_v2010  yes
12   Avira_Antivir_Personal_v2009                      no
Router(config)#

Chapter 34 Endpoint Security

Then he also needs to check the personal firewall software name defined on the ZyWALL. Copy and paste the name of output item 11 for the setting later.

Router(config)# show eps signature personal-firewall
No.  Name                                              Detection
1    Kaspersky_Internet_Security_v2009                 yes
2    Kaspersky_Internet_Security_v2010                 yes
3    Microsoft_Security_Center                         yes
4    Windows_Firewall                                  yes
5    TrendMicro_PC-cillin_Internet_Security_v2010      yes
6    TrendMicro_PC-cillin_Internet_Security_Pro_v2010  yes
Router(config)#

Now Peter can create the EPS object profile as shown in the next example. Note that he uses the matching-criteria all command to make sure all users' computers have the required software installed and settings configured before they access the compan
104. for TW_TEAM for remote management:

firewall WAN ZyWALL insert 4
sourceip TW_TEAM
service TELNET
action allow
exit
write

While configuration files and shell scripts have the same syntax, the ZyWALL applies configuration files differently than it runs shell scripts. This is explained below.

Table 177 Configuration Files and Shell Scripts in the ZyWALL

Configuration Files (.conf):
- Resets to default configuration.
- Goes into CLI Configuration mode.
- Runs the commands in the configuration file.

Shell Scripts (.zysh):
- Goes into CLI Privilege mode.
- Runs the commands in the shell script.

You have to run the example in Table 28 on page 312 as a shell script because the first command is run in Privilege mode. If you remove the first command, you have to run the example as a configuration file because the rest of the commands are executed in Configuration mode. See Section 1.5 on page 17 for more information about CLI modes.

37.2.1 Comments in Configuration Files or Shell Scripts

In a configuration file or shell script, use # or ! as the first character of a command line to have the ZyWALL treat the line as a comment. Your configuration files or shell scripts can use exit or a command line consisting of a single ! to have the ZyWALL exit sub-command mode.

Chapter 37 File Manager

exit
105. forwarder {<1..32> | append | insert <1..32>} domain_zone_name user-defined w.x.y.z [private | interface interface_name | auto] ... 293
ip dns-server zone-forwarder move <1..32> to <1..32> ... 293
ip ftp server rule {rule_number | append | insert rule_number} access-group {ALL | address_object} zone {ALL | zone_object} action {accept | deny} ... 302
ip ftp server rule move rule_number to rule_number ... 302
ip http secure-server cipher-suite {cipher_algorithm} [cipher_algorithm] [cipher_algorithm] [cipher_algorithm] ... 297
ip http secure-server table {admin | user} rule {rule_number | append | insert rule_number} access-group {ALL | address_object} zone {ALL | zone_object} action {accept | deny} ... 297
ip http secure-server table {admin | user} rule move rule_number to rule_number ... 297
ip http server table {admin | user} rule {rule_number | append | insert rule_number} access-group {ALL | address_object} zone {ALL | zone_object} action {accept | deny}
ip http server table {admin | user} rule move rule_number to rule_number ... 297
ip http-redirect activate description ... 116
ip http-redirect deactivate description
ip http-redirect description i
106. > end <1..1000>] [crypto-map regexp | policy regexp] [rsort sort_order | sort sort_order]
    Displays the current IPSec SAs and the status of each one. You can specify a range of SA entries to display. You can also control the sort order of the display and search by VPN connection or local or remote policy.
    regexp: A keyword or regular expression. Use up to 30 alphanumeric and _ ? * < > characters.
    A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use "a?c" (without the quotation marks) to specify abc, acc and so on.
    Wildcards (*) let multiple VPN connection or policy names match the pattern. For example, use "*abc" (without the quotation marks) to specify any VPN connection or policy name that ends with "abc". A VPN connection named "testabc" would match. There could be any number of any type of characters in front of the "abc" at the end and the VPN connection or policy name would still match. A VPN connection or policy name named "testacc", for example, would not match.
    A * in the middle of a VPN connection or policy name has the ZyWALL check the beginning and end and ignore the middle. For example, with "abc*123", any VPN connection or policy name starting with "abc" and ending in "123" matches, no matter how many characters are in between.
    The whole VPN connection or policy name has to match if you do not use a question mark or asteri
107. interface.

The following sections list the device-ha commands.

24.4.1 Active-Passive Mode Device HA Commands

This table lists the commands for configuring active-passive mode device HA.

Table 123 device-ha ap-mode Commands

[no] device-ha ap-mode preempt
    Turn on preempt if this ZyWALL should become the master ZyWALL when a lower-priority ZyWALL is the master at the time this ZyWALL is enabled.
device-ha ap-mode role {master | backup}
    Sets the ZyWALL to be the master or a backup in the virtual router.
device-ha ap-mode cluster-id <1..32>
    Sets the cluster ID number. A virtual router consists of a master ZyWALL and all of its backup ZyWALLs. If you have multiple ZyWALL virtual routers on your network, use a different cluster ID for each virtual router.

Chapter 24 Device HA, Table 123 device-ha ap-mode Commands (continued)

device-ha ap-mode priority <1..254>
    Sets the backup ZyWALL's priority. The backup ZyWALL with the highest value takes over the role of the master ZyWALL if the master ZyWALL becomes unavailable. The priority must be between 1 and 254. The master interface has priority 255.
[no] device-ha ap-mode authentication {string key | ah-md5 key}
    Sets the authentication method the virtual router uses. Every interface in a virtual router must use the sa
108. interface: brx, x = 0..N, where N depends on the number of bridge interfaces your ZyWALL model supports.
ppp_interface: PPPoE/PPTP interface: pppx, x = 0..N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.
map_name: The name of an IPSec SA. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
user_name: The name of a user or user group. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.

The following sections list the L2TP VPN commands.

18.4.1 L2TP VPN Commands

This table lists the commands for L2TP VPN. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 76 L2TP VPN Commands

l2tp-over-ipsec recover-default-ipsec-policy
    If the default L2TP IPSec policy has been deleted, use this command to recreate it with the default settings.
[no] l2tp-over-ipsec activate
    Turns L2TP VPN on. The no command turns it off.
l2tp-over-ipsec crypto map_name
    Specifies the IPSec VPN connection the ZyWALL uses for L2TP VPN. It must meet the requirements listed in Section 18.2 on page 151.
    Note: Modifying this VPN connection or the VPN gateway that it uses disconnects any existing L2TP VPN sessions.
l2t
109. interval <1..1440> ... 226
device-ha ap-mode interface_name activate ... 226
device-ha ap-mode interface_name manage-ip ip subnet_mask ... 226
device-ha ap-mode master sync authentication password password ... 226
device-ha sync authentication password password ... 229
device-ha sync from host_name ... 229
device-ha sync port ... 229
device-ha vrrp-group vrrp_group_name ... 228
dial-type {tone | pulse | smart} ... 80

List of Commands (Alphabetical)

domainname domain_name ... 56
downstream
110. [no] ip helper-address ip
    Creates the specified DHCP relay. You have to remove the DHCP pool first if the DHCP pool is bound to the specified interface. The no command removes the specified DHCP relay.
release dhcp interface_name
    Releases the TCP/IP configuration of the specified interface. The interface must be a DHCP client. This command is available in privilege mode, not configuration mode.
renew dhcp interface_name
    Renews the TCP/IP configuration of the specified interface. The interface must be a DHCP client. This command is available in privilege mode, not configuration mode.
show ip dhcp binding [ip]
    Displays information about DHCP bindings for the specified IP address or for all IP addresses.
clear ip dhcp binding [ip]
    Removes the DHCP bindings for the specified IP address or for all IP addresses.

Chapter 6 Interfaces

6.2.2.1 DHCP Setting Command Examples

The following example uses these commands to configure DHCP pool DHCP_TEST.

Router# configure terminal
Router(config)# ip dhcp pool DHCP_TEST
Router(config-ip-dhcp-pool)# network 192.168.1.0/24
Router(config-ip-dhcp-pool)# domain-name zyxel.com
Router(config-ip-dhcp-pool)# first
111. ip http secure-server table {admin | user} rule move rule_number to rule_number
    Changes the index number of an HTTPS service control rule.
ip http secure-server cipher-suite {cipher_algorithm} [cipher_algorithm] [cipher_algorithm] [cipher_algorithm]
    Sets the encryption algorithms (up to four) that the ZyWALL uses for the SSL in HTTPS connections and the sequence in which it uses them. The cipher_algorithm can be any of the following:
    rc4: RC4. RC4 may impact the ZyWALL's CPU performance since the ZyWALL's encryption accelerator does not support it.
    aes: AES
    des: DES
    3des: Triple DES
no ip http secure-server cipher-suite cipher_algorithm
    Has the ZyWALL not use the specified encryption algorithm for the SSL in HTTPS connections.
[no] ip http server
    Allows HTTP access to the ZyWALL web configurator. The no command disables HTTP access to the ZyWALL web configurator.
ip http server table {admin | user} rule {rule_number | append | insert rule_number} access-group {ALL | address_object} zone {ALL | zone_object} action {accept | deny}
    Sets a service control rule for HTTP service.
ip http server table {admin | user} rule move rule_number to rule_number
    Changes the number of an HTTP service control rule.
no ip http secure-server table {admin | user} rule rule_number
    Deletes a service control rule for HTTPS service.
no ip http server table {admin | user} rule rule_number
    Deletes a
112. is one example of a VPN tunnel.

Figure 19 VPN Example

The VPN tunnel connects the ZyWALL (X) and the remote IPSec router (Y). These routers then connect the local network (A) and remote network (B).

A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router. The second phase uses the IKE SA to securely establish an IPSec SA through which the ZyWALL and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure.

Chapter 16 IPSec VPN

Figure 20 VPN: IKE SA and IPSec SA

In this example, a computer in network A is exchanging data with a computer in network B. Inside networks A and B, the data is transmitted the same way data is normally transmitted in the networks. Between routers X and Y, the data is protected by tunneling, encryption, authentication and other security features of the IPSec SA. The IPSec SA is secure because routers X and Y established the IKE SA first.

16.2 IPSec VPN Commands Summary

The following table describes the values required for many IPSec VPN commands. Other values are disc
113. list of certificates and certification requests. You can also create certificates or certification requests. Use the configure terminal command to enter the configuration mode to be able to use these commands.

Table 153 ca Commands Summary

ca enroll cmp name certificate_name cn-type {ip cn cn_address | fqdn cn cn_domain_name | mail cn cn_email} ou organizational_unit o organization c country key-type {rsa | dsa} key-len key_length num <0..99999999> password password ca ca_name url url
    Enrolls a certificate with a CA using Certificate Management Protocol (CMP). The certification authority may want you to include a reference number and key (password) to identify your certification request.
ca enroll scep name certificate_name cn-type {ip cn cn_address | fqdn cn cn_domain_name | mail cn cn_email} ou organizational_unit o organization c country key-type {rsa | dsa} key-len key_length password password ca ca_name url url
    Enrolls a certificate with a CA using Simple Certificate Enrollment Protocol (SCEP). The certification authority may want you to include a key (password) to identify your certification request.

Chapter 31 Certificates, Table 153 ca Commands Summary (continued)

ca generate pkcs10 name certificate_name cn-type {ip cn cn_address | fqdn cn cn_domain_name | mail cn cn_email} ou organizational_uni
114. | lt | ge | le | neq} file-version file_version ... 279
file-info file-path file_path {eq | gt | lt | ge | le | neq} file-version
first-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | ZyWALL} ... 57
flood-detection {tcp-flood | udp-flood | ip-flood | icmp-flood} activate log ... 188
from zone_name ... 129
from zone_name ... 163
from zone_name ... 165
from zone_name ... 166
from zone_object ... 185
from zone_object ... 212
ka iface I
115. management. Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface, auxiliary interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run.

Figure 16 Example Zones

Chapter 10 Zones

10.2 Zone Commands Summary

The following table describes the values required for many zone commands. Other values are discussed with the corresponding commands.

Table 52 Input Values for Zone Commands

profile_name: The name of a zone or the name of a VPN tunnel. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 100 and 200 models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT and WAN.

This table lists the zone commands.

Table 53 zone Commands

show zone [profile_name]
    Displays information about the specified zone or about all zones.
show zone binding iface
    Displays each interface and zone mapping.
show zone default-binding
    Displays the pre-configured interface and zone mappings that come with the ZyWALL.
show zone none-binding
    Displays the interfaces, tunnels and SSL VPNs that are not associated w
116. {mschap | mschap-v2} ... 80
no authentication string password ah-md5 password ... 229
no authentication mode ... 98

List of Commands (Alphabetical)

no authentication string ... 98
no bandwidth ... 163
no bandwidth ... 165
no bandwidth ... 167
no bandwidth <1..1048576> priority <1..1024> [maximize-bandwidth-usage] ... 90
no budget
117. name

21.3.6.1 Search Parameter Tables

The following table displays the command line severity, platform and policy type equivalent values. If you want to combine platforms in a search, add their respective numbers together. For example, to search for signatures for Windows NT, Windows XP and Windows 2000 computers, type 12 as the platform parameter (4 for WinNT plus 8 for WinXP/2000).

Table 102 Severity, Platform and Policy Type Command Values

SEVERITY
1 VeryLow
2 Low
3 Medium
4 High
5 Severe

PLATFORM
1 All
2 Win95/98
4 WinNT
8 WinXP/2000
16 Linux
32 FreeBSD
64 Solaris
128 SGI
256 Other Unix
512 Network Device

POLICY TYPE
1 DoS
2 Buffer Overflow
3 Access Control
4 Scan
5 Backdoor/Trojan
6 Others
7 P2P
8 IM
9 Virus/Worm
10 Porn
11 Web Attack
12 Spam

Chapter 21 IDP Commands

The following table displays the command line service and action equivalent values. If you want to combine services in a search, add their respective numbers together. For example, to search for signatures for DNS, Finger and FTP services, type 7 as the service parameter (1 plus 2 plus 4).

Table 103 Service and Action Command Values

SERVICE (first column)
1 DNS
2 FINGER
4 FTP
8 MYSQL
16 ICMP
32 IM

SERVICE (second column)
65536 SMTP
131072 SNMP
262144 SQL
524288 TELNET
1048576 TFTP
2097152

ACTION
1 None
2 Drop
4 Reject sender
8 Reject receiver
16 Reject both
118. name: MSN
signature 1: virus id 41212, virus name MSN, category virus, severity Low

20.3 Update Anti-virus Signatures

Use these commands to update new signatures. You should have already registered for anti-virus service.

Table 92 Update Signatures

anti-virus update signatures
    Immediately downloads signatures from an update server.
[no] anti-virus update auto
    Enables/disables automatic signature downloads at regular times and days.
anti-virus update hourly
    Enables automatic signature download every hour.
anti-virus update daily <0..23>
    Enables automatic signature download every day at the time specified.
anti-virus update weekly {sun | mon | tue | wed | thu | fri | sat} <0..23>
    Enables automatic signature download once a week at the time and day specified.
show anti-virus update
    Displays the signature update schedule.
show anti-virus update status
    Displays the signature update status.
show anti-virus signatures status
    Displays details about the current signature set.

Chapter 20 Anti-Virus

20.3.1 Update Signature Examples

These examples show how to enable/disable automatic anti-virus downloading, schedule updates, display the schedule, display the update status, show the new updated signature version number, show the total number of signatures and show the date/time the signatures were created.

R
119. no command clears the password.
    password: You can use up to 63 printable ASCII characters. Spaces are not allowed.
[no] phone-number phone_number
    Specifies the phone number of the auxiliary interface. You can use 1-20 numbers, commas (,) or plus signs (+). Use a comma to pause during dialing. Use a plus sign to tell the external modem to make an international call. The no command clears the phone number.
[no] port-speed {9600 | 19200 | 57600 | 115200 | 38400}
    Specifies the baud rate of the auxiliary interface. The no command sets the baud rate to 115200.
[no] username username
    Specifies the username of the auxiliary interface. The no command clears the username.
    username: You can use alphanumeric, underscore, dash and $ characters, and it can be up to 30 characters long.

Chapter 6 Interfaces

6.10.1 Auxiliary Interface Command Examples

The following commands show you how to set up the auxiliary interface (aux) with the following parameters: phone number 0340508888, tone dialing, port speed 115200, initial string ATZ, timeout 10 seconds, retry count 2, retry interval 100 seconds, username kk, password kk u2online, CHAP/PAP authentication and description "I am aux interface".
120. show app other rule rule_number
    Displays the rule's configuration.
show app other rule rule_number statistics
    Displays the rule's statistics.
show app other rule default
    Displays the default rule's configuration.
show app other rule default statistics
    Displays the default rule's statistics.
show app other rule all
    Displays the configurations of all the rules for other applications.
show app other rule all statistics
    Displays all the rule statistics for other applications.

Chapter 19 Application Patrol, Table 86 app Commands (Pre-Defined Applications) (continued)

show app highest-sip-bandwidth-priority
    Displays whether or not the option to maximize the throughput of SIP traffic is enabled.
show bwm activation
    Displays whether or not the global setting for bandwidth management on the ZyWALL is enabled.

19.2.6.1 General Command Examples

The following examples show the information that is displayed by some of the show commands.

Router> configure terminal
Router(config)# show bwm activation
bwm activation: yes

Router# configure terminal
Router(config)# show app http config
application: http
active: yes
mode: portless
default access: forward
bandwidth graph: yes

Router# configure terminal
Router(config)# show app http defaultport
No. Port
1   80

Ch
121. percentage (0-99) of the time budget (ptime) or data (pdata) limit. When the specified limit is exceeded, the ZyWALL takes the action configured using the budget {log-percentage | log-percentage-alert} command.
budget {log-percentage | log-percentage-alert} [recursive <1..65535>]
    Sets the ZyWALL to create a log (log-percentage) or an alert log (log-percentage-alert) when the set percentage of the time budget or data limit is exceeded. You can configure the percentage using the budget percentage command. You can also set how often (from 1 to 65535 minutes) to send the log or alert.
no budget log-percentage [recursive]
    Sets the ZyWALL to not create a log when the set percentage of the time budget or data limit is exceeded. You can configure the percentage using the budget percentage command. You can also specify recursive to have the ZyWALL only create a log one time when the set percentage of the time budget or data limit is exceeded.
connectivity {nail-up | dial-on-demand}
    Sets the connection to be always on or only when there is traffic.
[no] device <device_model_name>
    Sets or clears the model name of the cellular device that the cellular interface uses. Use 0-30 alphanumeric characters, underscores (_) or dashes (-).
[no] local-address <ip>
    Sets or clears the cellular interface's local (own) IP address.
mtu <576..1492>
    Sets the Maximum Transmission Unit in bytes.
122. port to the specified representative interface.
    representative_interface: gex in a ZyWALL USG 300 or above; a dmz, ext-wlan or lan1 interface in a ZyWALL USG 100 or 200.
    <1..x>, where x equals the highest-numbered port for your ZyWALL model.
no port <1..x>
    Removes the specified physical port from its current representative interface and adds it to its default representative interface (for example, port x -> gex).
port-status port <1..x>
    Enters a sub-command mode to configure the specified port's settings.
[no] duplex <full | half>
    Sets the port's duplex mode. The no command returns the default setting.
exit
    Leaves the sub-command mode.

Chapter 6 Interfaces, Table 24 Basic Interface Setting Commands (continued)

[no] negotiation auto
    Sets the port to use auto-negotiation to determine the port speed and duplex. The no command turns off auto-negotiation.
[no] speed <100 | 10>
    Sets the Ethernet port's connection speed in Mbps. The no command returns the default setting.
show port setting
    Displays the Ethernet port negotiation, duplex and speed settings.
show port status
    Displays statistics for the Ethernet ports.

6.3.2.1 Port Grouping Command Examples

The following commands add physical port 5 to representative interface ge1.

Router# configure terminal
Router(co
123. (Index, continued)
profile ... 147
station ... 76
system default-interface-group ...
tcp-decoder ... log [alert] ... 198
test aaa-server {secure-server|ad|ldap} host {hostname|ipv4-address} [host {hostname|ipv4-address}] [port <1..65535>] [base-dn base_dn_string] [bind-dn bind_dn_string] [password password] [login-name-attribute attribute] [alternative-login-name-attribute attribute] account account_name ... 261
traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} bandwidth <0..1048576> priority <1..7> [maximize-bandwidth-usage] ... 52
traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} deactivate ... 55
transform-set {ah-md5|ah-sha} [ah-md5|ah-sha] [ah-md5|ah-sha] ... 139
transform-set esp_crypto_algo [esp_crypto_algo] [esp_crypto_algo] ... 139
124. protocol-scan|ip-decoy-protocol-scan|ip-protocol-sweep|ip-distributed-protocol-scan|ip-filtered-protocol-scan|ip-filtered-decoy-protocol-scan|ip-filtered-distributed-protocol-scan|ip-filtered-protocol-sweep} details
  Shows IP scan detection settings for the specified IDP profile.

show idp anomaly profile scan-detection {icmp-sweep|icmp-filtered-sweep|open-port} details
  Shows ICMP scan detection settings for the specified IDP profile.

show idp anomaly profile flood-detection all details
  Shows all flood detection settings for the specified IDP profile.

show idp anomaly profile flood-detection {tcp-flood|udp-flood|ip-flood|icmp-flood} details
  Shows flood detection settings for the specified IDP profile.

show idp anomaly profile http-inspection all details
  Shows HTTP inspection settings for the specified IDP profile.

Chapter 21 IDP Commands
Table 99 Editing/Creating Anomaly Profiles (continued)
COMMAND / DESCRIPTION

show idp anomaly profile http-inspection {ascii-encoding|u-encoding|bare-byte-unicode-encoding|base36-encoding|utf-8-encoding|iis-unicode-codepoint-encoding|multi-slash-encoding|iis-backslash-evasion|self-directory-traversal|directory-traversal|apache-whitespace|non-rfc-http-delimiter|non-rfc-defined-char|oversize-request-uri-directory|oversize
125. removes a web site from the trusted list.

[no] content-filter profile filtering_profile custom trust-allow-features
  Sets a content filtering profile to permit Java, ActiveX and cookies from sites on the trusted list. The no command has the content filtering profile not permit Java, ActiveX and cookies from sites on the trusted list.

Chapter 22 Content Filtering
Table 110 content-filter Filtering Profile Commands Summary (continued)
COMMAND / DESCRIPTION

[no] content-filter profile filtering_profile custom trust-only
  Sets a content filtering profile to allow access only to web sites that are on the trusted list. The no command has the profile allow access to web sites that are not on the trusted list.

[no] content-filter profile filtering_profile url category category_name
  Sets a content filtering profile to check for specific web site categories. The no command has the profile not check for the specified categories.

[no] content-filter profile filtering_profile url match-unsafe {block|log|warn}
  Sets the action for attempted access to web pages that match the profile's selected unsafe categories: block access, allow and log access, or display a warning message before allowing access. The no command clears the setting.

[no] content-filter profile filtering_profile url match {block|log}
  Set
126. service control rule for HTTP service.

show ip http server status
  Displays HTTP settings.

show ip http server secure-status
  Displays HTTPS settings.

Chapter 36 System Remote Management
36.3.1 HTTP/HTTPS Command Examples
The following example adds a service control rule that allows an administrator on a computer whose IP address matches the Marketing address object to access the WAN zone using the HTTP service.
Router# configure terminal
Router(config)# ip http server table admin rule append access-group Marketing zone WAN action accept

This command sets the authentication method the HTTP/HTTPS server uses to authenticate clients.
Router# configure terminal
Router(config)# ip http authentication Example

The following example sets a certificate named MyCert for the HTTPS server to use to authenticate itself to the SSL client.
Router# configure terminal
Router(config)# ip http secure-server cert MyCert

36.4 SSH
Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure, encrypted communication between two hosts over an unsecured network.

36.4.1 SSH Implementation on the ZyWALL
Your ZyWALL supports SSH versions 1 and 2 using RSA authentication and four encryption me
127. service control rule for SSH service.

address_object
  The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.

zone_object
  The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 100 and 200 models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT and WAN.

ip ssh server rule move rule_number to rule_number
  Changes the index number of an SSH service control rule.

[no] ip ssh server v1
  Enables remote management using SSH v1. The no command stops the ZyWALL from using SSH v1. SSH protocol version 1 is obsolete and has known design weaknesses; leave it disabled unless a legacy client requires it, and then only for as long as it does.

no ip ssh server rule rule_number
  Deletes a service control rule for SSH service.

show ip ssh server status
  Displays SSH settings.

36.4.4 SSH Command Examples
This command sets a service control rule that allows the computers with IP addresses matching the specified address object to access the specified zone using the SSH service.
Router# configure terminal
Router(config)# ip ssh server rule 2 access-group Marketing zone WAN action accept

Chapter 36 System Remote Management
This command sets a certificate (Default) to be used to identify the ZyWALL.
Router# configure termina
128. specified ZyWALL router. The no command resets the port to 21.

[no] device-ha sync authentication password password
  Specifies the password to use when synchronizing. Every router in the virtual router should use the same password. The no command resets the password to 1234. password: you can use 4-63 alphanumeric characters, underscores (_), dashes (-) and other printable characters. Change the password from the default before enabling synchronization; the default is documented and therefore known to anyone who can reach the synchronization port.

[no] device-ha sync auto
  Specifies whether or not to automatically synchronize at regular intervals.

[no] device-ha sync interval <5..1440>
  Specifies the number of minutes between each synchronization if the ZyWALL automatically synchronizes with the specified ZyWALL router. The no command resets the interval to five minutes.

device-ha sync now
  Synchronizes now.

Chapter 24 Device HA
24.6.3 Link Monitoring Commands
This table lists the commands for link monitoring. Link monitoring has the master ZyWALL shut down all of its VRRP interfaces if one of its VRRP interface links goes down. This way the backup ZyWALL takes over all of the master ZyWALL's functions.

Table 127 device-ha Commands: Synchronization
COMMAND / DESCRIPTION

device-ha link-monitoring activate
  Turns on device HA link monitoring.

no device-ha link-monitoring activate
  Turns off device HA link monitoring.

show device-ha link-monitoring
  Displays the curre
129. specified computer using a service, make sure you do not have a service control rule or to-ZyWALL rule that blocks that traffic.

36.1 Remote Management Overview
You may manage your ZyWALL from a remote location via:
- Internet (WAN only)
- ALL (LAN & WAN & DMZ)
- LAN only
- DMZ only
To disable remote management of a service, deselect Enable in the corresponding service screen.

36.1.1 Remote Management Limitations
Remote management will not work when:
1. You have disabled that service in the corresponding screen.
2. The accepted IP address in the Service Control table does not match the client IP address. If it does not match, the ZyWALL disconnects the session immediately.
3. There is a firewall rule that blocks it.

36.1.2 System Timeout
There is a lease timeout for administrators. The ZyWALL automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out while a statistics screen is polling. Each user is also forced to log in to the ZyWALL for authentication again when the reauthentication time expires.

Chapter 36 System Remote Management
36.2 Common System Command Input Values
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 165 Input Values for General System Commands
LABEL / DESCRIPTION
130. static DHCP entry. If you do not use the host command, the commands that are not in this section have no effect, but you can still set them.

Chapter 6 Interfaces
Table 17 interface Commands: DHCP Settings (continued)
COMMAND / DESCRIPTION

[no] host ip
  Specifies the static IP address the ZyWALL should assign. Use this command along with hardware-address to create a static DHCP entry. Note: the IP address must be in the same subnet as the interface to which you plan to bind the DHCP pool. When this command is used, the ZyWALL treats this DHCP pool like a static entry regardless of the network setting. The no command clears this field.

[no] hardware-address mac_address
  Reserves the DHCP pool for the specified MAC address. Use this command along with host to create a static DHCP entry. The no command clears this field.

[no] client-identifier mac_address
  Specifies the MAC address that appears in the DHCP client list. The no command clears this field.

[no] client-name host_name
  Specifies the host name that appears in the DHCP client list. The no command clears this field. host_name: you may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Use the following commands if you want to create a pool of IP addresses. These commands have no effect if you use t
131. status off
Router(config)# dir packet_trace
File Name            Size      Modified Time
wan1_Example.cap     575160    2009-11-24 09:06:59
Router(config)#

You can use FTP to download a capture file. Open and study it using a packet analyzer tool (for example, Ethereal or Wireshark).

Chapter 42 Maintenance Tools

Watchdog Timer
This chapter provides information about the ZyWALL's watchdog timers.

43.1 Hardware Watchdog Timer
The hardware watchdog has the system restart if the hardware fails.
Note: The hardware watchdog timer commands are for support engineers. It is recommended that you not modify the hardware watchdog timer settings.

Table 196 hardware-watchdog-timer Commands
COMMAND / DESCRIPTION

[no] hardware-watchdog-timer <4..37>
  Sets how long the system's hardware can be unresponsive before resetting. The no command turns the timer off.

show hardware-watchdog-timer status
  Displays the settings of the hardware watchdog timer.

43.2 Software Watchdog Timer
The software watchdog has the system restart if the core firmware fails.
Note: The software watchdog timer commands are for support engineers. It is recommended that you not modify the software watchdog timer settings.

Table 197 software-watchdog-timer Commands
COMMAND / DESCRIPTION

[no] software-watchdog-timer <10..600>
  Sets h
132. table describes the DNSBL commands.

Table 119 DNSBL Commands
COMMAND / DESCRIPTION

[no] anti-spam dnsbl activate
  Turns DNSBL checking on or off.

anti-spam dnsbl <1..5> domain dnsbl_domain {activate|deactivate}
  Adds or edits a DNSBL domain for checking e-mail header IP addresses.

no anti-spam dnsbl domain dnsbl_domain
  Removes the specified DNSBL domain.

anti-spam dnsbl query-timeout smtp {drop|forward|forward-with-tag}
  Sets how the ZyWALL handles SMTP mail (mail going to an e-mail server) if the queries to the DNSBL domains time out.

anti-spam dnsbl query-timeout pop3 {forward|forward-with-tag}
  Sets how the ZyWALL handles POP3 mail (mail coming to an e-mail client) if the queries to the DNSBL domains time out.

anti-spam dnsbl max-query-ip <1..5>
  Sets up to how many sender and relay server IP addresses in the mail header to check against the DNSBLs.

anti-spam dnsbl ip-check-order {forward|backward}
  Configures the order in which anti-spam checks e-mail header IP addresses against the DNSBLs. forward checks the first N IP addresses; checking starts from the first IP address in the mail header, which is the IP of the sender or the first server that forwarded the mail. backward checks the last N IP addresses; checking starts from the last IP address in the mail header, which is the IP of the last server that forwarded the mail. Note that a sender can forge the earliest Received headers of a message, so the addresses nearest the sender are the least trustworthy; the ones added by relays close to you are harder to fake.

anti-spam tag dnsbl-timeout tag
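The following Python model is an added example, not code from the ZyWALL or from this guide. It shows what the ip-check-order, max-query-ip and query-timeout settings above actually select and decide: it extracts the relay IPs from constructed Received headers (newest first in the raw message, so they are reversed to get the sender-first order the guide describes), picks the first or last N, looks each one up against a fake in-memory DNSBL table that stands in for real DNS queries, and applies the configured SMTP/POP3 timeout action when a list cannot be reached. The sample headers, the DNSBL zone names and the FAKE_DNSBL table are all constructed for the example.

```python
"""Model of the DNSBL header checks above: header IP order, forward/backward
selection, max-query-ip, and the SMTP/POP3 timeout actions."""
import ipaddress
import re

# Constructed e-mail headers (not a real capture). Each relay prepends its own
# Received: line, so the topmost one is the last hop and the bottom one is the
# sender's own relay.
SAMPLE_HEADERS = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.9])
    by mail.example.com; Tue, 24 Nov 2009 09:06:59 +0800
Received: from relay.example.org (relay.example.org [198.51.100.7])
    by mx2.example.net; Tue, 24 Nov 2009 09:06:50 +0800
Received: from dialup-pc ([192.0.2.33])
    by relay.example.org; Tue, 24 Nov 2009 09:06:40 +0800
From: someone@example.org
Subject: hello
"""

# Constructed stand-in for DNSBL answers (no network access): zone -> listed
# IPs. None simulates a zone whose queries time out.
FAKE_DNSBL = {
    "zen.example-dnsbl.test": {"192.0.2.33"},
    "bl.slow-dnsbl.test": None,
}

RECEIVED_IP_RE = re.compile(r"^Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M | re.S)


def header_ips(raw_headers):
    """IPs from Received: lines in forwarding order: sender first, last relay last."""
    newest_first = RECEIVED_IP_RE.findall(raw_headers)
    return list(reversed(newest_first))


def select_ips(ips, order, max_query_ip):
    """Apply 'ip-check-order forward|backward' and 'max-query-ip <1..5>'."""
    if not 1 <= max_query_ip <= 5:
        raise ValueError("max-query-ip must be 1..5")
    if order == "forward":
        return ips[:max_query_ip]
    if order == "backward":
        return ips[-max_query_ip:]
    raise ValueError(f"unknown check order {order!r}")


def dnsbl_query_name(ip, zone):
    """Name a real DNSBL lookup would resolve: reversed octets under the zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_message(raw_headers, zones, order, max_query_ip, protocol, timeout_action):
    """Return (verdict, ip). verdict is 'listed', 'clean', or the configured
    timeout action when some zone timed out and nothing was found listed."""
    allowed = {"smtp": ("drop", "forward", "forward-with-tag"),
               "pop3": ("forward", "forward-with-tag")}
    if timeout_action not in allowed[protocol]:
        raise ValueError(f"{timeout_action!r} is not a valid {protocol} timeout action")
    timed_out = False
    for ip in select_ips(header_ips(raw_headers), order, max_query_ip):
        for zone in zones:
            listed = FAKE_DNSBL.get(zone)
            if listed is None:          # this zone's query timed out
                timed_out = True
                continue
            # A real implementation would resolve dnsbl_query_name(ip, zone) here.
            if ip in listed:
                return "listed", ip
    if timed_out:
        return timeout_action, None
    return "clean", None
```

Run with forward order and max-query-ip 1 the sender's relay 192.0.2.33 is found on the list, while backward order with the same limit only examines 203.0.113.9 and reports the message clean, which is exactly why the choice of order matters when a sender controls the bottom of the header chain.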
133. the WAN interfaces.

show system default-snat
  Displays whether the ZyWALL enables SNAT or not. The ZyWALL performs SNAT by default for traffic going to or from the WAN interfaces.

show system default-interface-group
  Displays the WAN trunk the ZyWALL first attempts to use.

7.5 Trunk Command Examples
The following example creates a weighted round robin trunk for Ethernet interfaces ge1 and ge2. The ZyWALL sends twice as much traffic through ge1.
Router# configure terminal
Router(config)# interface-group wrr-example
Router(if-group)# mode trunk
Router(if-group)# algorithm wrr
Router(if-group)# interface 1 ge1 weight 2
Router(if-group)# interface 2 ge2 weight 1
Router(if-group)# exit

The following example creates a least load first trunk for Ethernet interface ge3 and VLAN 5. The ZyWALL sends new session traffic through the least utilized of these interfaces.
Router# configure terminal
Router(config)# interface-group llf-example
Router(if-group)# mode trunk
Router(if-group)# algorithm llf
Router(if-group)# interface 1 ge3
Router(if-group)# interface 2 vlan5
Router(if-group)# exit

Chapter 7 Trunks
The following example creates a spill-over trunk for Ethernet interfaces ge1 and ge3. The ZyWALL sends traffic through ge1 until it hits the limit
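To make the three trunk algorithms above concrete, here is an added Python model (not ZyWALL code and not from this guide) that assigns new sessions to trunk members the way the text describes: weighted round robin hands out sessions in proportion to the configured weights, least load first picks the member with the lowest current load, and spill-over fills members in order until each reaches its limit. Member loads, limits and the session sizes are constructed inputs; the real device measures load itself and the exact scheduling details inside the firmware are not documented here.

```python
"""Model of the trunk load-balancing algorithms described above:
weighted round robin (wrr), least load first (llf) and spill-over."""
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Member:
    name: str
    weight: int = 1        # used by wrr only
    limit_kbps: int = 0    # spill-over threshold; 0 means no limit
    load_kbps: int = 0     # current egress load (assumed measured elsewhere)


class Trunk:
    def __init__(self, name, algorithm, members):
        if algorithm not in ("wrr", "llf", "spill-over"):
            raise ValueError(f"unknown algorithm {algorithm!r}")
        self.name = name
        self.algorithm = algorithm
        self.members = list(members)
        # wrr: a member with weight 2 appears twice in the rotation, so it
        # receives twice as many new sessions as a weight-1 member.
        self._rotation = cycle([m for m in self.members for _ in range(m.weight)])

    def pick(self, session_kbps=0):
        """Choose the member that carries a new session."""
        if self.algorithm == "wrr":
            return next(self._rotation)
        if self.algorithm == "llf":
            # least load first: the least utilized member; ties go to the first listed
            return min(self.members, key=lambda m: m.load_kbps)
        # spill-over: fill members in configured order until each hits its limit
        for m in self.members:
            if m.limit_kbps == 0 or m.load_kbps + session_kbps <= m.limit_kbps:
                return m
        return self.members[-1]   # everything is over its limit; last one absorbs


def distribute(trunk, session_sizes_kbps):
    """Assign each new session to a member; return {member name: session count}."""
    counts = {m.name: 0 for m in trunk.members}
    for kbps in session_sizes_kbps:
        m = trunk.pick(kbps)
        m.load_kbps += kbps
        counts[m.name] += 1
    return counts
```

With the wrr-example weights (ge1 = 2, ge2 = 1), thirty equal sessions split 20/10; with the spill-over trunk, ge1 takes sessions until its limit and the rest go to ge3.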
134. the firewall is active or not.

Chapter 15 Firewall
15.2.1 Firewall Sub-Commands
The following table describes the sub-commands for several firewall commands.

Table 64 firewall Sub-commands
COMMAND / DESCRIPTION

action {allow|deny|reject}
  Sets the action the ZyWALL takes when packets match this rule.

[no] activate
  Enables a firewall rule. The no command disables the firewall rule.

[no] ctmatch {dnat|snat}
  Use dnat to block packets sent from a computer on the ZyWALL's WAN network from being forwarded to an internal network according to a virtual server rule. Use snat to block packets sent from a computer on the ZyWALL's internal network from being forwarded to the WAN network according to a 1:1 NAT or Many 1:1 NAT rule. The no command forwards the matched packets.

[no] description description
  Sets a descriptive name (up to 60 printable ASCII characters) for a firewall rule. The no command removes the descriptive name from the rule.

[no] destinationip address_object
  Sets the destination IP address. The no command resets the destination IP address(es) to the default (any). any means all IP addresses.

[no] from zone_object
  Sets the zone on which the packets are received. The no command removes the zone on which the packets are received and resets it to the default (any). any means all interfaces or VPN tunnels.

[no] log [alert]
135. this command or the write command, the changes will be lost when the ZyWALL restarts.

copy running-config conf/file_name.conf
  Saves a duplicate of the configuration file that the ZyWALL is currently using. You specify the file name to copy to.

delete {cert|conf|idp|packet_trace|script|tmp}/file_name
  Removes a file. Specify the directory and file name of the file that you want to delete.

dir {cert|conf|idp|packet_trace|script|tmp}
  Displays the list of files saved in the specified directory.

rename {cert|conf|idp|packet_trace|script|tmp}/old_file_name {cert|conf|idp|packet_trace|script|tmp}/new_file_name
  Changes the name of a file. Specify the directory and file name of the file that you want to rename. Then specify the directory again followed by the new file name.

rename script/old_file_name script/new_file_name
  Changes the name of a shell script.

Chapter 37 File Manager
Table 179 File Manager Commands Summary (continued)
COMMAND / DESCRIPTION

run script/file_name.zysh
  Has the ZyWALL execute a specific shell script file. You must still use the write command to save your configuration changes to the flash (non-volatile or long-term) memory.

show running-config
  Displays the settings of the configuration file that the system is using.

sete
136. to enter the configuration mode before you can use these commands.

Table 175 Command Summary: Language
COMMAND / DESCRIPTION

language {English|Simplified_Chinese|Traditional_Chinese}
  Specifies the language used in the web configurator screens.

show language {setting|all}
  setting displays the current display language in the web configurator screens. all displays the available languages.

PART X Maintenance
File Manager (311), Logs (329), Reports and Reboot (335), Diagnostics (343), Maintenance Tools (345)

File Manager
This chapter covers how to work with the ZyWALL's firmware, certificates, configuration files, custom IDP signatures, packet trace results, shell scripts and temporary files.

37.1 File Directories
The ZyWALL stores files in the following directories.

Table 176 FTP File Transfer Notes
DIRECTORY / FILE TYPE / FILE NAME EXTENSION
(root) (A)     Firmware (upload only)                                   bin
cert           Non-PKCS#12 certificates                                 cer
conf           Configuration files                                      conf
idp            IDP custom signatures                                    rules
packet_trace   Packet trace results (download only)
script         Shell scripts                                            zysh
tmp            Temporary system maintenance files and crash dumps for technical support use (download only)
A: After you log in through FTP, you do not need to change directories in order to upload the firmware.

37.2 Configuration Files and Shell Scripts Overview
You can store mu
137. you want to enter multiple applications, use this command for each of them. The user's computer must not have any of the forbidden applications running to pass this checking item. Include the filename extension for Linux operating systems.

[no] process process_name application trusted
  If you selected windows or linux as the operating system using the os-type command, you can use this command to set an application that a user's computer must be running. The user's computer must have all of the trusted applications running to pass this checking item. Include the filename extension for Linux operating systems.

[no] description description
  Type a description for this endpoint security object. You can use alphanumeric and _- characters, and it can be up to 60 characters long.

[no] file-info file_path
  If you selected windows or linux as the operating system using the os-type command, you can use this command to check details of specific files on the user's computer. The user's computer must pass one of the file information checks to pass this checking item.

[no] file-info file_path file-size {eq|gt|lt|ge|le|neq} file_size
  Sets whether the size of the file on the user's computer has to be equal to (eq), greater than (gt), less than (lt), greater than or equal to (ge), less than or equal to (le) or not equal to (neq) the size of
138. 0.0.0.0
38  udp  127.0.0.1      63046  0.0.0.0  0
39  udp  127.0.0.1      65097  0.0.0.0  0
40  udp  0.0.0.0        65098  0.0.0.0  0
41  udp  192.168.1.1    13000  0.0.0.0  0
42  udp  Toda 35 00            0.0.0.0  0
43  udp  10.0.0.8       500    0.0.0.0  0
44  udp  172.23.37.205  500    0.0.0.0  0
45  udp  172.23.37.240  500    0.0.0.0  0
46  udp  127.0.0.1      500    0.0.0.0  0

Chapter 4 Status
Here are examples of the commands that display the system uptime and the model, firmware and build information.
Router> show system uptime
system uptime: 04:18:00
Router> show version
ZyXEL Communications Corp.
model: ZyWALL USG 100
firmware version: 2.20(AQQ.0)b3
BM version: 1.08
build date: 2009-11-21 01:18:06

This example shows the current LED states on the ZyWALL. The SYS LED is on and green. The AUX and HDD LEDs are both off.
Router> show led status
sys: green
aux: off
hdd: off
Router>

Registration
This chapter introduces myZyXEL.com and shows you how to register the ZyWALL for IDP/AppPatrol, anti-virus, content filtering and SSL VPN services using commands.

5.1 myZyXEL.com Overview
myZyXEL.com is ZyXEL's online services center, where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com. You can directly
139. 024>
  Creates a new condition for forcing user authentication at the specified location, renumbers the other conditions accordingly, and enters sub-command mode. See Table 134 on page 238 for the sub-commands.

force-auth policy delete <1..1024>
  Deletes the specified condition. To modify a condition, you can insert a new condition N and then delete the one (N+1) that you want to modify.

force-auth policy flush
  Deletes every condition.

force-auth policy move <1..1024> to <1..1024>
  Moves the specified condition to the specified location and renumbers the other conditions accordingly.

show force-auth activation
  Displays whether forcing user authentication is enabled or not.

show force-auth exceptional-service
  Displays services that users can access without user authentication.

show force-auth policy {<1..1024>|all}
  Displays details about the policies for forcing user authentication.

Chapter 25 User/Group
25.2.4.1 force-auth Sub-commands
The following table describes the sub-commands for several force-auth policy commands. Note that not all rule commands use all the sub-commands listed here.

Table 134 force-auth policy Sub-commands
COMMAND / DESCRIPTION

[no] activate
  Activates the specified condition. The no command deactivates the specified condition.

[no] authentication {force|required}
140. 13, af21-af23, af31-af33 and af41-af43) to apply this policy route to incoming packets that are marked with the DSCP AF class. The af entries stand for Assured Forwarding. The number following the af identifies one of four classes and one of three drop precedences. See Assured Forwarding (AF) PHB for DiffServ on page 93 for more details.

dscp-marking <0..63>
  Sets a DSCP value to have the ZyWALL apply that DSCP value to the route's outgoing packets.

dscp-marking class {default|dscp_class}
  Sets how the ZyWALL handles the DSCP value of the outgoing packets that match this route. Set this to default to have the ZyWALL set the DSCP value of the packets to 0. Set this to an af class (af11-af13, af21-af23, af31-af33 and af41-af43), which stands for Assured Forwarding. The number following the af identifies one of four classes and one of three drop precedences. See Assured Forwarding (AF) PHB for DiffServ on page 93 for more details.

no dscp-marking
  Use this command to have the ZyWALL not modify the DSCP value of the route's outgoing packets.

[no] interface interface_name
  Sets the interface on which the incoming packets are received. The no command resets the incoming interface to the default (any). any means all interfaces.

[no] next-hop {auto|gateway address_object|interface interface_name|trunk trunk_name|tunnel tunnel_name}
  Sets the next hop to which the matched p
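The afXY names above map to fixed DSCP codepoints, and knowing the numbers matters when you compare a dscp-marking class setting against what a packet capture shows in the IP header. The following Python block is an added example, not code from the guide or the ZyWALL: it converts between AF class names and DSCP values using the RFC 2597 layout (class in the top three bits, drop precedence in the next two, low bit zero, i.e. 8*X + 2*Y), models the three dscp-marking choices listed above (an explicit value, default, or an AF class, with "no dscp-marking" leaving the packet untouched), and shows where the codepoint sits in the TOS byte you would see on the wire. The function names and the packet representation as a plain integer are this example's own choices.

```python
"""DSCP Assured Forwarding helpers and a model of the policy-route dscp-marking
setting described above."""
import re

AF_CLASS_RE = re.compile(r"^af([1-4])([1-3])$", re.IGNORECASE)


def af_to_dscp(name):
    """'afXY' -> DSCP codepoint. X = AF class 1-4, Y = drop precedence 1-3.
    RFC 2597 encodes the six DSCP bits as XXX YY0, which is 8*X + 2*Y."""
    m = AF_CLASS_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an AF class name: {name!r}")
    cls, drop = int(m.group(1)), int(m.group(2))
    return 8 * cls + 2 * drop


def dscp_to_name(dscp):
    """DSCP codepoint -> 'default', 'afXY', or None when it is not an AF codepoint
    (for example 46 is EF, not an AF class)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    if dscp == 0:
        return "default"
    cls, drop = dscp >> 3, (dscp & 0b111) >> 1
    if dscp & 1 == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"af{cls}{drop}"
    return None


def apply_marking(packet_dscp, marking):
    """Model of a route's outgoing marking. marking is None (no dscp-marking:
    leave the packet alone), 'default' (rewrite to 0), an 'afXY' class, or an
    explicit integer 0..63."""
    if marking is None:
        return packet_dscp
    if marking == "default":
        return 0
    if isinstance(marking, int):
        if not 0 <= marking <= 63:
            raise ValueError("dscp-marking must be 0..63")
        return marking
    return af_to_dscp(marking)


def tos_byte(dscp, ecn=0):
    """DSCP occupies the top six bits of the IPv4 TOS / IPv6 Traffic Class byte;
    the low two bits are ECN. This is the byte a packet capture displays."""
    return (dscp << 2) | (ecn & 0b11)


def route_matches(packet_dscp, match):
    """Model of the incoming-packet DSCP match: 'any', 'default', 'afXY' or an integer."""
    if match == "any":
        return True
    if match == "default":
        return packet_dscp == 0
    if isinstance(match, int):
        return packet_dscp == match
    return packet_dscp == af_to_dscp(match)
```

For instance af11 is 10 and af43 is 38, so a packet marked af31 shows a TOS byte of 0x68 (26 << 2) in a capture, and a route with dscp-marking class default rewrites any incoming codepoint to 0.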
141. 192.168.1.1
220-<<< Welcome to PureFTPd 1.0.11 >>>
220-You are user number 1 of 58 allowed
220-Local time is now 03:56 and the load is 0.00. Server port: 21.
220-Only anonymous FTP is allowed here
220 You will be disconnected after 15 minutes of inactivity.
User (192.168.1.1:(none)):
230 Anonymous user logged in
ftp> bin
200 TYPE is now 8-bit binary
ftp> put E:\ftproot\ZLD_FW 1G1XL 161XLGCOM1 B1 <XL B> CB db

10. Wait for the file transfer to complete.
Figure 53 FTP Default System Database Transfer Complete
200 PORT command successful
150 Connecting to port 3789
226-248.5 Mbytes free disk space
226-File successfully transferred
226 6.6068 seconds (measured here), 13.31 Mbytes per second
ftp: 112398 bytes sent in 0.02Seconds 7624.88Kbytes/sec.
ftp>

11. The console session displays "done" after the default system database is recovered.
Figure 54 Default System Database Received and Recovery Complete
Default System Database received
Update Filesystem
Updating Database ... done

12. The username prompt displays after the ZyWALL starts up successfully. The default system database recovery process is now complete, and the ZyWALL IDP and anti-virus features are ready to use again.

Chapter 37 File Manager
Figure 55 Startup Complete
nothing was mounted
Hostname: localhost
Setting the System Clock using t
142. 192.168.100.10
Router(config)# address-object DNS1 172.16.5.1
Router(config)# address-object DNS2 172.16.5.2
Router(config)# address-object NETWORK1 172.16.10.0/24

3. Create an endpoint security profile named EPS-1. SSL VPN users' computers must run Windows XP and TrendMicro PC-Cillin Internet Security 2007, and the PC-Cillin anti-virus must be activated.
Router(config)# eps profile EPS-1
Router(eps EPS-1)# matching-criteria all
Router(eps EPS-1)# os-type windows
Router(eps EPS-1)# windows-version windows-xp
Router(eps EPS-1)# anti-virus activate
Router(eps EPS-1)# anti-virus TrendMicro PC-Cillin Internet Security 2007 detect-auto-protection enable
Router(eps EPS-1)# exit

4. Create the SSL VPN user account named tester with password 1234 (an example value only; use a strong password on a real device).
Router(config)# username tester password 1234 user-type user

Chapter 17 SSL VPN
5. Create an SSL VPN rule named SSL_VPN_TEST. Enable it and apply the objects you just created.
Router(config)# sslvpn policy SSL_VPN_TEST
Router(policy SSL_VPN_TEST)# activate
Router(policy SSL_VPN_TEST)# user tester
Router(policy SSL_VPN_TEST)# network-extension activate
Router(policy SSL_VPN_TEST)# network-extension ip-pool IP_POOL
Router(policy SSL_VPN_TEST)# network-extension 1st-dns DNS1
Router(policy SSL_VPN_TEST)# network-extension 2nd-dns DNS2
Router(policy SSL_VPN_TEST)# network-extension network NETWORK1
Router(policy SSL_VPN_TEST)#
143. 2.5, 192.168.2.23.

keyword
  A keyword or a numerical IP address to search URLs for; access to a web page is blocked if its URL contains it. Use up to 63 case-insensitive characters (0-9a-zA-Z and punctuation such as & and _) in double quotes. For example, enter "Bad Site" to block access to any web page whose URL includes the exact phrase "Bad Site". This does not block access to web pages that only include part of the phrase (such as "Bad" in this example).

message
  The message to display when a web site is blocked. Use up to 255 characters (0-9a-zA-Z and punctuation such as & and _) in quotes. For example, "Access to this web page is not allowed. Please contact the network administrator".

redirect_url
  The URL of the web page to which you want to send users when their web access is blocked by content filtering. The web page you specify here opens in a new frame below the denied-access message. Use "http://" followed by up to 255 characters (0-9a-zA-Z and punctuation such as & and _) in quotes. For example, "http://192.168.1.17/blocked access".

license
  The license key (up to 15 characters) for the external web filtering service.

service_timeout
  The maximum querying time in seconds, <1..60>.

timeout
  The maximum life time in hours, <1..720>.

url
  The URL of a web site.

Chapter 22 Content Filtering
Table 107 Content Filter Command Input Values
144. 200, 38400, 57600 or 115200.

show console
  Displays the console port speed.

35.6 DNS Overview
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it you must know the IP address of a machine before you can access it.

35.6.1 Domain Zone Forwarder
A domain zone forwarder contains a DNS server's IP address. The ZyWALL can query the DNS server to resolve domain zones for features like VPN, DDNS and the time server. A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.

Chapter 35 System
35.6.2 DNS Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 163 Input Values for General DNS Commands
LABEL / DESCRIPTION

address_object
  The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.

interface_name
  The name of the interface. Ethernet interface: for the ZyWALL USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 100 and 200 models use a nam
145. (Index, continued)
groupname groupname ... 289
hardware-watchdog-timer status ...
idp signature anomaly base-profile ... 184
idp signature system-protect signatures version date number ... 198
idp signature system-protect update ... 198
idp signature system-protect update status ... 198
idp ... 185
idp anomaly profile flood-detection all details ... 189
idp anomaly profile flood-detection {tcp-flood|udp-flood|ip-flood|icmp-flood} ... 189
idp anomaly profile http-inspection {ascii-encoding|u-encoding|bare-byte-unicode-encoding|base36-encoding|utf-8-encoding|iis-unicode-codepoint-encoding|multi-slash-encoding|iis-backslash-evasion|self-directory-traversal|directory-traversal|apache-whitespace|non-rfc-http-delimiter|non-rfc-defined-char|oversize-request-uri-directory|oversize-chunk-encoding|webroot-directory-traversal} ... 190
idp anomaly profile http-inspection all details ... 189
idp anomaly profile icmp-decoder {truncated-header|truncated-timestamp-header
146. 4. The ZyWALL has a static IP address of 172.23.37.205 for the ge3 interface. The remote user has a dynamic public IP address and connects through the Internet. You configure an IP address pool object named L2TP_POOL to assign the remote users IP addresses from 192.168.10.10 to 192.168.10.20 for use in the L2TP VPN tunnel. The VPN rule allows the remote user to access the LAN_SUBNET, which covers the 192.168.1.1/24 subnet.

18.5.1 Configuring the Default L2TP VPN Gateway Example
The following commands configure the Default_L2TP_VPN_GW entry:
- Configure the My Address setting. This example uses interface ge3 with static IP address 172.23.37.205.
- Configure the Pre-Shared Key. This example uses top-secret; on a real device use a long, randomly generated key, since every remote user shares it.
Router# configure terminal
Router(config)# isakmp policy Default_L2TP_VPN_GW
Router(config-isakmp-Default_L2TP_VPN_GW)# local-ip interface ge3
Router(config-isakmp-Default_L2TP_VPN_GW)# authentication pre-share
Router(config-isakmp-Default_L2TP_VPN_GW)# keystring top-secret
Router(config-isakmp-Default_L2TP_VPN_GW)# activate
Router(config-isakmp-Default_L2TP_VPN_GW)# exit
Router(config)#

18.5.2 Configuring the Default L2TP VPN Connection Example
The following commands configure the Default_L2TP_VPN_Connection entry. Enforce and configure the local and remote policies. For the Local Policy, create an address object that uses host type and contains the My Address IP address that you configured in the Def
147. (Index, continued)
server ... 254
server ... 255
server description description ... 254, 255, 256
server group-attribute group_attribute ... 254, 256
server host ad_server ... 254
server host ... 256, 257
server ... 270
server key secret ... 297
server password password ... 254, 296
server port
148. ID and password for MD5 authentication in the specified virtual link.
  no area IP virtual-link IP message-digest-key <1..255>
      Clears the MD5 ID in the specified virtual link.

9.2.5 Learned Routing Information Commands

This table lists the commands to look at learned routing information.

Table 51 ip route Commands: Learned Routing Information

  show ip route [kernel | connected | static | ospf | rip | bgp]
      Displays learned routing and other routing information.

9.2.6 show ip route Command Example

The following example shows learned routing information on the ZyWALL.

  Router> show ip route
  Flags: A - Activated route, S - Static route, C - directly Connected, O - OSPF derived,
         R - RIP derived, G - selected Gateway, reject, B - Black hole, L - Loop
  IP Address/Netmask   Gateway        IFace     Metric  Flags  Persist
  0.0.0.0/0            172.16.1.254   wan1      0       ASG
  10.59.0.0/24         0.0.0.0        ext-wlan  0       ACG
  127.0.0.0/8          0.0.0.0        lo        0       ACG
  172.16.1.0/24        0.0.0.0        wan1      0       ACG
  192.168.1.0/24       0.0.0.0        lan1      0       ACG
  192.168.2.0/24       0.0.0.0        lan2      0       ACG
  192.168.3.0/24       0.0.0.0        dmz       0       ACG

Zones

Set up zones to configure network security and network policies in the ZyWALL.

10.1 Zones Overview

A zone is a group of interfaces and VPN tunnels. The ZyWALL uses zones, not interfaces, in many security and policy settings, such as firewall rules and remote
149. 63 characters) of an existing address object or group to which the policy should be applied.
  schedule: The name (up to 63 characters) of an existing schedule to control when the policy should be applied.
  filtering_profile: The filtering profile defines how to filter web URLs or content. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  category_number: The number of a web category <0..60>. Each number corresponds to a category name.
  category_name: The name of a web category (see Table 108 on page 204).

Table 107 Content Filter Command Input Values (continued)

  trust_hosts: The IP address or domain name of a trusted web site. Use a host name such as www.good-site.com. Do not use the complete URL of the site, that is, do not include "http://". All subdomains are allowed. For example, entering zyxel.com also allows www.zyxel.com, partner.zyxel.com, press.zyxel.com, etc. Use up to 63 case-insensitive characters (0-9a-z-). You can enter a single IP address in dotted decimal notation like 192.168.2.5. You can enter a subnet by entering an IP address in dotted decimal notation followed by a slash and the bit number of the subnet mask of an IP address. The range is 0 to 32. To find the bit number, convert the subne
150. List of Commands (Alphabetical)

show reference object-group address profile 32
show reference object-group interface profile 32
show reference object-group service profile 32
show reference object-group username username 32
show report interface_name ... 25
show report status 339
show rip {global | interface {all | interface_name}} 60
show sa monitor [begin <1..1000>] [end <1..1000>] [crypto-map regexp] [policy regexp] [rsort sort_order] [sort sort_order] 143
show schedule-object ... 250
show service-object [object_name] 245
show service-register status {all | content-filter | idp | sslvpn | av} 39
show session timeout {icmp | tcp-timewait | ...} 341
show session-limit [begin rule_number end rule_n
151. content-filter service-timeout ... 207
content-filter statistics collect 208
content-filter timeout timeout 205
content-filter timeout timeout 208
crypto map ... 139
crypto map ... 139
crypto map ... 143
crypto ... 102
ctmatch {dnat | snat} 128
daily-report ... 338
description description 128
description description 131
description description 146
description description 229
description description 235
description description 238
152. ALL to a web proxy server.

13.1.1 Web Proxy Server

A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks. It also keeps hackers from knowing internal IP addresses.

13.2 HTTP Redirect Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 59 Input Values for HTTP Redirect Commands

  description: The name to identify the rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  interface_name: The name of the interface.
    Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1~N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 100 and 200 models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
    virtual interface on top of Ethernet interface: add a colon (:) and the number of the virtual interface. For example, gex:y, x = 1~N, y = 1~4.
    VLAN interface: vlanx, x = 0~4094.
    virtual interface on top of VLAN interface: vlanx:y, x = 0~4094, y = 1~4.
    bridge interface: brx, x
153. AN interface, for example. The auxiliary interface controls the DIAL BACKUP port (labeled AUX on some models). Trunks manage load balancing between interfaces. Port groups, trunks, and the auxiliary interface have a lot of characteristics that are specific to each type of interface. These characteristics are listed in the following tables and discussed in more detail farther on.

Table 11 Characteristics of Ethernet, VLAN, Bridge, PPPoE/PPTP, and Virtual Interface (ZyWALL USG 300 and Above)

  CHARACTERISTICS           ETHERNET  VLAN   BRIDGE  PPPOE/PPTP  VIRTUAL
  Name                      gex       vlanx  brx     pppx        *
  IP Address Assignment
    static IP address       Yes       Yes    Yes     Yes         Yes
    DHCP client             Yes       Yes    Yes     Yes         No
    routing metric          Yes       Yes    Yes     Yes         Yes
  Interface Parameters
    bandwidth restrictions  Yes       Yes    Yes     Yes         Yes
    packet size (MTU)       Yes       Yes    Yes     Yes         No
    data size (MSS)         Yes       Yes    Yes     Yes         No
    traffic prioritization  Yes       Yes    Yes     Yes         No
  DHCP
    DHCP server             Yes       Yes    Yes     No          No
    DHCP relay              Yes       Yes    Yes     No          No
  Ping Check                Yes       Yes    Yes     Yes         No

The format of interface names is strict. Each name consists of 2-4 letters (interface type), followed by a number (x), limited by the maximum number of each type of interface. For example, Ethernet interface names are ge1, ge2, ge3, ...; VLAN interfaces are vlan0, vlan1, vlan2, ...; and so on. The names of virtual interfaces are derived from the interfaces on which t
154. debug ... content-filter ... 30
debug ... service-register ... 30
debug show content-filter server 30
debug show ... 30
debug show myzyxel-server status 30
debug show myzyxel-server ... 30
delete {/cert | /conf | /idp | /packet_trace | /script | /tmp}/file_name 315
device-ha ap-mode backup-sync now 221
device-ha ap-mode cluster-id ... 225
device-ha ap-mode priority <1..254> 226
device-ha ap-mode role {master | backup} 225
device-ha ... 230
device-ha mode active
155. Changes the index number of a service control rule.
  no ip telnet server rule rule_number
      Deletes a service control rule for Telnet service.
  show ip telnet server status
      Displays Telnet settings.

36.6.1 Telnet Commands Examples

This command sets a service control rule that allowed the computers with the IP addresses matching the specified address object to access the specified zone using Telnet service.

  Router# configure terminal
  Router(config)# ip telnet server rule 11 access-group RD zone LAN action accept

This command displays Telnet settings.

  Router# configure terminal
  Router(config)# show ip telnet server status
  active : yes
  port   : 23
  Service control:
  No.  Zone  Address  Action
  Router(config)#

36.7 Configuring FTP

You can upload and download the ZyWALL's firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.

36.7.1 FTP Commands

The following table describes the commands available for FTP. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 169 Command Summary: FTP

  [no] ip ftp server
      Allows FTP access to the ZyWALL. The no command disables FTP access to the ZyWALL.
  [no] ip ftp server cert certificate_name
      Sets a certificate
156. DESCRIPTION
  [no] action {block | login | message | audio | video | file-transfer}
      Blocks use of a specific feature.
  bandwidth {inbound | outbound} <0..1048576>
      Limits inbound or outbound bandwidth in kilobits per second. 0 disables bandwidth management for traffic matching this rule.
  [no] bandwidth excess-usage
      Enables maximize bandwidth usage to let the traffic matching this policy borrow any unused bandwidth on the outgoing interface.
  bandwidth priority <1..7>
      Sets the priority for traffic that matches this rule. The smaller the number, the higher the priority.
  [no] inbound dscp-mark {<0..63> | class-default | dscp_class}
      This is how the ZyWALL handles the DSCP value of the outgoing packets to a connection's initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to the class-default to have the ZyWALL set the DSCP value to 0.
  [no] log [alert]
      Creates log entries (and alerts) for traffic that matches the rule. The no command does not create any log entries.
  [no] outbound dscp-mark {<0..63> | class-default | dscp_class}
      This is how the ZyWALL handles the DSCP value of the outgoing packets from a connection's initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to the class-default to have the ZyWALL set the DSCP value to 0.
  show
      Displays the rule's con
157. DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT, and WAN.
  snmp-server rule move rule_number to rule_number
      Changes the index number of a service control rule.
  no snmp-server rule rule_number
      Deletes a service control rule for SNMP service.
  show snmp status
      Displays SNMP settings.

36.8.4 SNMP Commands Examples

The following command sets a service control rule that allowed the computers with the IP addresses matching the specified address object to access the specified zone using SNMP service.

  Router# configure terminal
  Router(config)# snmp-server rule 11 access-group Example zone WAN action accept

The following command sets the password secret for read-write (rw) access.

  Router# configure terminal
  Router(config)# snmp-server community secret rw

The following command sets the IP address of the host that receives the SNMP notifications to 172.23.15.84 and the password sent with each trap to qwerty.

  Router# configure terminal
  Router(config)# snmp-server host 172.23.15.84 qwerty

36.9 ICMP Filter

The ip icmp-filter commands are obsolete. See Chapter 15 on page 125 to configure firewall rules for ICMP traffic going to the ZyWALL to discard or reject ICMP packets destined for the ZyWALL. Configure the ICMP filter to help keep the ZyWALL hidden from probing attempts. You
158. ... 212
scan-detection {icmp-sweep | icmp-filtered-sweep} {activate | log [alert] | block} 187
scan-detection ip-xxx {activate | log [alert] | block} 187
scan-detection tcp-xxx {activate | log [alert] | block} 187
scan-detection udp-xxx {activate | log [alert] | block} 187
scan-detection open-port {activate | log [alert] | block} 188
schedule ... 164
schedule ... 165
schedule ... 166
schedule schedule_name 239
schedule schedule_object 128
schedule schedule_object ...
second-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | ZyWALL} 57
second-wins-server ip 53
security ... 76
security ... 76
security dot1x auth ... port ... 76
security external-auth ip port <1..65535> 76
security external-auth ip port <1..65535> 76
server alternative-cn-identifier uid 254
server alternative-cn-identifier ... 25
159. firewall default-rule action {allow | deny | reject} {no log | log [alert]} 127
firewall delete rule_number 127
firewall flush 127
firewall insert rule_number 127
firewall move rule_number to rule_number 127
firewall rule_number 129
firewall zone_object {zone_object | ZyWALL} append 127
firewall zone_object {zone_object | ZyWALL} delete <1..5000> 127
firewall zone_object {zone_object | ZyWALL} flush 127
fi
160. ... 289
manage-ip ... 228
match-action smtp {drop | forward | forward-with-tag} 212
... 52
[no] network interface_name ... 99
[no] network ... 98
[no] ... interface
161. daily-report ... 337
daily-report ... 337
daily-report ... 338
daily-report schedule hour <0..23> minute <00..59> 338
daily-report send-now 338
daily-report smtp-address ... 338
daily-report smtp-auth username username password password 337
debug [cmdexec | corefile | ip | kernel | mac-id-rewrite | observer | switch | system | zyinetpkt | ...] 30
debug ... 29
debug ... 29
debug ... 29
debug app show l7protocol ... 29
debug ... 29
debug content-filter
162. G Commands Example

The following example turns on pass-through for SIP and turns it off for H.323.

  Router# configure terminal
  Router(config)# alg sip
  Router(config)# no alg h323

PART III: Firewall

Firewall

This chapter introduces the ZyWALL's firewall and shows you how to configure your ZyWALL's firewall.

15.1 Firewall Overview

The ZyWALL's firewall is a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It can also inspect sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.

A zone is a group of interfaces or VPN tunnels. Group the ZyWALL's interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones, or even between interfaces and/or VPN tunnels in a zone.

The following figure shows the ZyWALL's default firewall rules in action, as well as demonstrates how stateful inspection works. User 1 can initiate a Telnet session from within the LAN zone, and responses to this request are allowed. However, other Telnet traffic initiated from the WAN or DMZ zone and destined for the LAN zone is blocked. Communications between the WAN and the DMZ zones are allowed. The firewall allows VPN traffic between any of the networks.

Fig
163. idp anomaly-profile udp-decoder {truncated-header | undersize-len | oversize-len} ... 190
idp anomaly-profile udp-decoder all details 190
idp profile signature all custom-signature details 186
idp profile signature ... details 186
... 185
show idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log alert} action action_mask 192
show idp search system-protect my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log alert} action action_mask 192
show idp signature all details 184
show idp signature base profile {all | none | wan | lan | dmz} settings 185
show idp signature profile signature all details 184
show idp signatures custom-signature a
164. General Commands
  [no] wlan mac-filter mac_address [description description]
      Specifies the MAC address (in XX:XX:XX:XX:XX:XX format) and description of the wireless station that is to be allowed or denied access to the ZyWALL. The no command removes the entry. description: You can use alphanumeric and $_ characters, and it can be up to 60 characters long.
  [no] wlan mac-filter activate
      Turns the MAC address filter on or off.
  wlan mac-filter associate {allow | deny}
      Defines the filter action for the list of MAC addresses in the MAC address filter table. Allow permits them to access the ZyWALL; MAC addresses not listed will be blocked. Deny blocks the listed addresses from accessing the router; MAC addresses not listed will be allowed to access the router.
  show wlan mac-filter status
      Displays the MAC filter's activation and association settings.
  show wlan mac-filter
      Displays the WLAN MAC filter entries.

6.7.3.1 WLAN MAC Filter Commands Example

This example creates a MAC filter entry for MAC address 01:02:03:04:05:06 and sets the ZyWALL to allow wireless access from that entry's MAC address only.

  Router(config)# wlan mac-filter 01:02:03:04:05:06 description example
  Router(config)# wlan mac-filter associate allow
  Router(config)# wlan mac-filter activate
  Router(config)# show wlan mac-filter status
  Enable: yes
  Association: allow
  Router(config)# show wlan mac-filter
  No
165. [no] ip telnet server ... 300
[no] ip telnet server port <1..65535> 300
[no] ip-select {auto | custom} 106
[no] ip-select backup ... {auto | custom} 106
[no] isakmp policy policy_name 137
[no] ... 19
[no] l2tp-over-ipsec ... 153
[no] l2tp-over-ipsec first-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | {ppp_interface | aux} {1st-dns | 2nd-dns}} 154
[no] l2tp-over-ipsec first-wins-server ip 154
[no] l2tp-over-ipsec keepalive-timer ... 154
[no] l2tp-over-ipsec second-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | {ppp_interface | aux} {1st-dns | 2nd-dns}} 154
[no] l2tp-over-ipsec second-wins-server ip 154
[no] l2tp-over-ipsec
166. ... base {all | none} ... 187
idp customize signature edit quoted_string 194
idp customize signature quoted_string 194
idp ... 184
idp rename {signature | anomaly} profile1 profile 184
idp search signature my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log alert} action action_mask 191
idp search system-protect my_profile name quoted_string sid SID severity severity_mask platform platform_mask policytype policytype_mask service service_mask activate {any | yes | no} log {any | no | log | log alert} action action_mask 191
idp signature newpro base {all | lan | wan | dmz | none} 186
idp ... 199
idp ... 191
idp system-protect ... 184
iface {add | del} interface_name virtual_interface_name 346
in-dnat append protocol {all | tcp | udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535> 141
in-dnat delete ... 141
in-dnat ins
167. ION
  app protocol_name mode {portless | portbase}
      Specifies how the ZyWALL identifies this application.
  [no] app protocol_name log [alert]
      Creates log entries (and alerts) for the specified application. The no command does not create any log entries.

19.2.2 Rule Commands for Pre-defined Applications

This table lists the commands for rules in each pre-defined application.

Table 79 app Commands: Rules in Pre-Defined Applications

  app protocol_name rule insert rule_number
      Creates a new rule at the specified row and enters sub-command mode. See Table 80 on page 163 for the sub-commands.
  app protocol_name rule append
      Creates a new rule, appends it to the end of the list, and enters sub-command mode. See Table 80 on page 163 for the sub-commands.
  app protocol_name rule rule_number, or app protocol_name rule modify rule_number
      Enters sub-command mode for editing the rule at the specified row. See Table 80 on page 163 for the sub-commands.
  app protocol_name rule default, or app protocol_name rule modify default
      Enters sub-command mode for editing the default rule for the application. See Table 80 on page 163 for the sub-commands.
  no app protocol_name rule rule_number
      Deletes the specified rule.

19.2.2.1 Rule Sub-commands

The following table describes the sub-commands for several application patrol rule commands. Note that not all rule comma
168. IPTION
  ip ospf message-digest-key <1..255> md5 password
      Sets the ID and password for OSPF MD5 authentication in the specified interface. password: 1-16 alphanumeric characters or underscores.
  no ip ospf message-digest-key
      Clears the ID and password for OSPF MD5 authentication in the specified interface.
  [no] ip ospf hello-interval <1..65535>
      Sets the number of seconds between hello messages to peer routers. These messages let peer routers know the ZyWALL is available. The no command sets the number of seconds to 10. See ip ospf dead-interval for more information.
  [no] ip ospf dead-interval <1..65535>
      Sets the number of seconds the ZyWALL waits for hello messages from peer routers before it assumes the peer router is not available and deletes associated routing information. The no command sets the number of seconds to 40. See ip ospf hello-interval for more information.
  [no] ip ospf retransmit-interval <1..65535>
      Sets the number of seconds the ZyWALL waits for an acknowledgment in response to a link state advertisement before it re-sends the advertisement. Link state advertisements (LSA) are used to share the link state and routing information between routers.

6.2.6 Connectivity Check (Ping-check) Commands

Use these commands to have an interface regularly check the connection to the gateway you
169. 6.10 Auxiliary Interface Specific Commands

The first table below lists the auxiliary interface commands, and the second table explains the values you can input with these commands.

Table 37 interface Commands: Auxiliary Interface

  interface dial aux / interface disconnect aux
      Dials or disconnects the auxiliary interface.
  interface aux
      Enters sub-command mode.
  [no] authentication {chap-pap | chap | pap | mschap | mschap-v2}
      Specifies the authentication type of the auxiliary interface. The no command sets the authentication to chap-pap.
  [no] dial-timeout <30..120>
      Specifies the number of seconds the auxiliary interface waits for an answer each time it tries to connect. The no command disables the timeout.
  [no] dialing-type {tone | pulse}
      Specifies the dial type of the auxiliary interface. The no command sets the dial type to tone.
  [no] idle <0..360>
      Specifies the number of seconds the auxiliary interface waits for activity before it automatically disconnects. The no command disables the idle timeout.
  [no] initial-string initial_string
      Specifies the initial string of the auxiliary interface. The no command sets the initial string to ATZ. initial_string: You can use up to 64 characters. Semicolons and backslashes are not allowed.
  password password
      Specifies the password of the auxiliary interface. The
170. ... 68
[no] budget data active {download | upload | download-upload} <1..100000> 68
[no] budget time active ... 68
[no] bypass {white-list | black-list | ...} 212
[no] bypass {white-list | black-list} ...
[no] cache ... 146
[no] client... 56
[no] client... 56
[no] clock ... 290
[no] clock saving-interval begin {apr | aug | dec | feb | jan | jul | jun | mar | may | nov | oct | sep} {1 | 2 | 3 | 4 | last} {fri | mon | sat | sun | thu | tue | wed} hh:mm end {apr | aug | dec | feb | jan | jul | jun | mar | may | nov | oct | sep} {1 | 2 | 3 | 4 | last} {fri | mon | sat | sun | thu | tue | wed} hh:mm offset 290
[no] clock ... 290
[no] ... 307
[no] ... 307
[no] ...
171. L resets the budget on the last day of the month.
  budget reset-counters
      Resets the time and data budgets immediately. The count starts over with the 3G connection's full configured monthly time and data budgets. This does not affect the normal monthly budget restart.
  budget log [alert] recursive <1..65535>
      Sets the ZyWALL to create a log (log) or an alert log (log alert) when the time or data limit is exceeded. You can also specify how often (from 1 to 65535 minutes) to generate a log or an alert.
  no budget log [recursive]
      Sets the ZyWALL to not create a log when the time or data limit is exceeded. Specify recursive to have the ZyWALL only create a log one time when the time or data limit is exceeded.
  budget new-connection {allow | disallow}
      Sets to permit (allow) or drop/block (disallow) new 3G connections when the time or data limit is exceeded.
  budget current-connection {keep | drop}
      Sets to maintain the existing 3G connection (keep) or disconnect it (drop) when the time or data limit is exceeded. You cannot set budget new-connection to allow and budget current-connection to drop at the same time. If you set budget new-connection to disallow and budget current-connection to keep, the ZyWALL allows you to transmit data using the current connection, but you cannot build a new connection if the existing connection is disconnected.
  budget percentage {ptime | pdata} <0..99>
      Sets a
172. exit
    Leaves the sub-command mode.

ZyWALL ZLD CLI Reference Guide, Chapter 6 Interfaces

6.7.1.1 WLAN General Commands Example
This example sets wireless slot 1 to use the IEEE 802.11b and IEEE 802.11g bands, channel 5, super mode and an output power setting of 50, and enables it.
Router(config)# wlan slot1
Router(config-wlan-slot)# band bg
Router(config-wlan-slot)# channel 5
Router(config-wlan-slot)# super
Router(config-wlan-slot)# output-power 50
Router(config-wlan-slot)# activate
Router(config-wlan-slot)# exit
Router(config)#

6.7.2 WLAN Interface Commands
Use these commands to configure global settings that apply to all of the wireless LAN interfaces you create on the WLAN card.
Table 31 WLAN Interface Commands
[no] interface ap_interface
    Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface.
ap_interface
    The name of the WLAN Access Point interface. Use wlan-x-y, where x equals the number of the card slot and y equals the number of the individual WLAN interface. For example, wlan-1-1.
[no] block-intra
    Enables intra-BSS blocking (prevents wireless clients in this profile's BSS from communicating with one another).
group-key <30..30000>
    Sets the WPA2 group key update timer. This is the interval, in seconds, for how often the AP sends a new group key out to all c...
173. MAC  Description
1  01:02:03:04:05:06  example

6.8 VLAN Interface Specific Commands
This section covers commands that are specific to VLAN interfaces. VLAN interfaces also use many of the general interface commands discussed at the beginning of Section 6.2 on page 51.

ZyWALL ZLD CLI Reference Guide, Chapter 6 Interfaces

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 33 Input Values for VLAN Interface Commands
interface_name
    VLAN interface: vlanx, x = 0..4094.
    Ethernet interface: for the ZyWALL USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 100 and 200 models use a name such as wan1, wan2, opt, lan1, ext-wlan or dmz.
This table lists the VLAN interface commands.
Table 34 interface Commands: VLAN Interfaces
interface interface_name
    Creates the specified interface if necessary and enters sub-command mode.
[no] port interface_name
    Specifies the Ethernet interface on which the VLAN interface runs. The no command clears the port.
[no] vlan-id <1..4094>
    Specifies the VLAN ID used to identify the VLAN. The no command clears the VLAN ID.
show port vlanid
    Displays the Ethernet interface VLAN settings.
6.8.1 VLAN Interface Command Exa...
174. COMMAND / DESCRIPTION (continued)
[no] anti-virus activate
    Enables anti-virus service. Anti-virus service also depends on anti-virus service registration.
show anti-virus activation
    Displays anti-virus service status.
[no] anti-virus eicar activate
    Turns detection of the EICAR test file on or off.
show anti-virus eicar activation
    Displays whether or not detection of the EICAR test file is turned on.
anti-virus reload signatures
    Recovers the anti-virus signatures. You should only need to do this if instructed to do so by a support technician.
[no] anti-virus skip-unknown-file-type activate
    Sets whether or not anti-virus checks files for which the ZyWALL cannot identify a type.
show anti-virus skip-unknown-file-type activation
    Displays whether or not anti-virus checks files for which the ZyWALL cannot identify a type.

20.2.1.1 Activate/Deactivate Anti-Virus Example
This example shows how to activate and deactivate anti-virus on the ZyWALL.
Router# configure terminal
Router(config)# anti-virus activate
Router(config)# show anti-virus activation
anti-virus activation: yes
Router(config)# no anti-virus activate
Router(config)# show anti-virus activation
anti-virus activation: no

20.2.2 Zone to Zone Anti-virus Rules
The following table describes the commands for configuring the zone to zone rules. You must use the configure terminal command to enter the configuration mode before you can use these c...
175. N1005 init complete
INIT: Entering runlevel: 3
zylog daemon: zylogd
zylog starts syslog-ng
uam daemon
app patrol daemon
periodic command scheduler: cron
Start ZyWALL system daemon
Got LINK CHANGE
Port 0 is up -> Group 0 is up
Applying system configuration file, please wait...
ZyWALL system is configured successfully with startup-config.conf
Welcome to ZyWALL 1050
Username:

37.11 Restoring the Default System Database
The default system database stores information such as the default anti-virus or IDP signatures. The ZyWALL can still operate if the default system database is damaged or missing, but related features like anti-virus or IDP may not function properly.
If the default system database file is not valid, the ZyWALL displays a warning message in your console session at startup or when reloading the anti-virus or IDP signatures. It also generates a log. Here are some examples. Use this section to restore the ZyWALL's default system database.

ZyWALL ZLD CLI Reference Guide, Chapter 37 File Manager

Figure 46 Default System Database Console Session Warning at Startup (console screenshot; the visible fragments mention Anti-virus, real time, initializing, and a pointer to the user documentation)
Figure 48 Default System Database Missing Log (web configurator View Log screen, Display filter set to IDP)
176. ... DHCP server. The no command removes the setting.
[no] l2tp-over-ipsec second-dns-server {ip | interface interface_name {1st-dns | 2nd-dns | 3rd-dns} | ppp_interface {1st-dns | 2nd-dns} | aux {1st-dns | 2nd-dns}}
    Specifies the second DNS server IP address to assign to the remote users. You can specify a static IP address or a DNS server that an interface received from its DHCP server. The no command removes the setting.
[no] l2tp-over-ipsec first-wins-server ip
    Specifies the first WINS server IP address to assign to the remote users. The no command removes the setting.
[no] l2tp-over-ipsec second-wins-server ip
    Specifies the second WINS server IP address to assign to the remote users. The no command removes the setting.
no l2tp-over-ipsec session tunnel_id <0..65535>
    Deletes the specified L2TP VPN tunnel.
show l2tp-over-ipsec
    Displays the L2TP VPN settings.
show l2tp-over-ipsec session
    Displays current L2TP VPN sessions.

18.5 L2TP VPN Example
This example uses the following settings in creating a basic L2TP VPN tunnel. See the Web Configurator User's Guide for how to configure L2TP in remote user computers using Windows XP and Windows 2000.

ZyWALL ZLD CLI Reference Guide, Chapter 18 L2TP VPN

Figure 23 L2TP VPN Example (network diagram: Internet, 172.23.37.205, L2TP_POOL 192.168.10.10 - 192.168.10.20, LAN_SUBNET 192.168.1.1 2...)
180. Router(config)# show lockout-users
No.  Username  Tried From  Lockout Time Remaining
1              172.23.23.60  2:46
No.  From  Failed Login Attempt Record Expired Timer
Router(config)# unlock lockout-users 172.23.23.60
User from 172.23.23.60 is unlocked
Router(config)# show lockout-users
No.  Username  Tried From  Lockout Time Remaining
No.  From  Failed Login Attempt Record Expired Timer

ZyWALL ZLD CLI Reference Guide

Addresses
This chapter describes how to set up addresses and address groups for the ZyWALL.
26.1 Address Overview
Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
You can create IP address objects based on an interface's IP address, subnet, or gateway. The ZyWALL automatically updates these objects whenever the interface's IP address settings change. This way every rule or setting that uses the object uses the updated IP address settings. For example, if you change the LAN1 interface's IP address, the ZyWALL automatically updates the corresponding interface-based LAN1 subnet address object. So any configuration that uses the LAN1 subnet address object is also updated.
Address objects and address groups are used in dynamic routes, firewall rules, application patrol, content filtering, and VPN connection policies. For example, addresses are used to specify where content restrict...
186. ... service connection from the WAN zone to the IP addresses Dest_1 in the LAN zone.
Enter configuration command mode.
Create an IP address object.
Create a service object.
Enter the firewall sub-command mode to add a firewall rule.
Set the direction of travel of packets to which the rule applies.
Set the destination IP address(es).
Set the service to which this rule applies.
Set the action the ZyWALL is to take on packets which match this rule.
Router# configure terminal
Router(config)# service-object MyService tcp eq 1234
Router(config)# address-object Dest_1 10.0.0.10-10.0.0.15
Router(config)# firewall insert 3
Router(firewall)# from WAN
Router(firewall)# to LAN
Router(firewall)# destinationip Dest_1
Router(firewall)# service MyService
Router(firewall)# action allow

ZyWALL ZLD CLI Reference Guide, Chapter 15 Firewall

The following command displays the firewall rule(s), including the default firewall rule, that applies to the packet direction from WAN to LAN. The firewall rule numbers in the menu are the firewall rules' priority numbers in the global rule list.
Router# configure terminal
Router(config)# show firewall WAN LAN
firewall rule: 3
user: any, schedule: none
from: WAN, to: LAN
source IP: any, source port: any
destination IP: Dest_1, service: MyService
log: no, ac...
188. The following figures identify the parts you can customize in the login and access pages.
Figure 26 Login Page Customization (callouts: Logo, Title "My Device", Message color of all text, Background, Login, Note Message, last line of text)

ZyWALL ZLD CLI Reference Guide 287, Chapter 35 System

Figure 27 Access Page Customization (callouts: Logo, Title, Message color of all text, Note Message, last line of text, Window Background)
You can specify colors in one of the following ways:
color rgb: Enter red, green, and blue values in parentheses, separated by commas. For example, use rgb(0,0,0) for black.
color name: Enter the name of the desired color.
color number: Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use #000000 for black.
The following table describes the commands available for customizing the Web Configurator login screen and the page that displays after an access user logs into the Web Configurator to access network services like the Internet. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 159 Command Summary: Customization
[no] access-page color window-background
    Sets whether or not the access page uses a colored background.
access-pa...
190. Unlock PUK fail: Your attempt to unlock a WCDMA 3G device's PUK failed because you entered an incorrect PUK.
Unlock PIN fail: Your attempt to unlock a WCDMA 3G device's PIN failed because you entered an incorrect PIN.
Unlock device fail: Your attempt to unlock a CDMA2000 3G device failed because you entered an incorrect device code.
Device unlocked: You entered the correct device code and unlocked a CDMA2000 3G device.
Get dev info fail: The ZyWALL cannot get cellular device information.
Get dev info ok: The ZyWALL succeeded in retrieving 3G device information.
Searching network: The 3G device is searching for a network.
Get signal fail: The 3G device cannot get a signal from a network.
Network found: The 3G device found a network.
Apply config: The ZyWALL is applying your configuration to the 3G device.
Inactive: The 3G interface is disabled.
Active: The 3G interface is enabled.
Incorrect device: The connected 3G device is not compatible with the ZyWALL.
Correct device: The ZyWALL detected a compatible 3G device.
Set band fail: Applying your band selection was not successful.
Set band ok: The ZyWALL successfully applied your band selection.
Set profile fail: Applying your ISP settings was not successful.
Set profile ok: The ZyWALL successfully applied your ISP settings.
PPP fail: The ZyWALL failed to create a PPP connection for the cellu...
191. ... VPN users are restricted to access only web pages or files in this directory. For example, if you enter remote in this field, remote users can only access web pages or files in the remote directory. If a link contains a file that is not within this domain, then SSL VPN users cannot access it.
no server-type
    Remove the type of service configuration for this SSL application.
[no] webpage-encrypt
    Turn on web encrypt to prevent users from saving the web content.

274 ZyWALL ZLD CLI Reference Guide, Chapter 33 SSL Application

33.1.2 SSL Application Command Examples
The following commands create and display a server-type SSL application object named ZW5 for a web server at IP address 192.168.1.12.
Router(config)# sslvpn application ZW5
Router(sslvpn application)# server-type web-server url http://192.168.1.12
Router(sslvpn application)# exit
Router(config)# show sslvpn application
SSL Application: ZW5
  Server Type: web-server
  URL: http://192.168.1.12
  Entry Point:
  Encrypted URL: aHR0cDovLzE5Mi4xNjguMS4xMi8
  Web Page Encryption: yes
  Reference: 1

275 ZyWALL ZLD CLI Reference Guide, Chapter 33 SSL Application
276 ZyWALL ZLD CLI Reference Guide

Endpoint Security
This chapter describes how to configure endpoint security objects for use in authentication policy and SSL VPN.
34.1 Endpoint Security Overview
Use Endpoint Securit...
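A check worth running on the show sslvpn application output above: the value the guide labels "Encrypted URL" is the configured URL in standard base64, so it should be treated as an encoding rather than a secret. This is an added illustration, not ZyXEL code; the only inputs are the URL and token printed on this page (the device output shows the token without "=" padding, which the decoder restores).

```python
import base64
import binascii
from typing import Optional

# Values copied from the "show sslvpn application" output on this page.
PAGE_URL = "http://192.168.1.12"
PAGE_ENCRYPTED_URL = "aHR0cDovLzE5Mi4xNjguMS4xMi8"   # printed without "=" padding


def decode_entry_point(token: str) -> Optional[str]:
    """Decode an 'Encrypted URL' token as standard base64.

    Missing '=' padding is restored before decoding. Returns None when the
    token is not valid base64 or does not decode to printable text, so a
    caller can distinguish "really opaque" from "merely encoded".
    """
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def is_plain_encoding(token: str, configured_url: str) -> bool:
    """True when the token is just the configured URL in base64.

    A trailing '/' is tolerated because the decoded form carries one while
    the URL was entered without it.
    """
    decoded = decode_entry_point(token)
    if decoded is None:
        return False
    return decoded.rstrip("/") == configured_url.rstrip("/")


def encode_entry_point(url: str) -> str:
    """Inverse operation: the token a given URL form would produce."""
    return base64.b64encode(url.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    print(decode_entry_point(PAGE_ENCRYPTED_URL))           # http://192.168.1.12/
    print(is_plain_encoding(PAGE_ENCRYPTED_URL, PAGE_URL))  # True
    print(encode_entry_point("http://192.168.1.12/"))       # aHR0cDovLzE5Mi4xNjguMS4xMi8=
```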
192. ZyWALL ZLD CLI Reference Guide
Version 2.20, 2/2010, Edition 1
DEFAULT LOGIN: User Name admin, Password 1234
ZyXEL, www.zyxel.com

About This CLI Reference Guide
Intended Audience
This manual is intended for people who want to configure ZLD-based ZyWALLs via Command Line Interface (CLI). You should have at least a basic knowledge of TCP/IP networking concepts and topology. Generally it is organized by feature as outlined in the web configurator.
Note: This guide is intended as a command reference for a series of products. Therefore many commands or command options in this guide may not be available in your product. See your User's Guide for a list of supported features and details about feature implementation. Please refer to www.zyxel.com or your product's CD for product-specific User Guides and product certifications.
How To Use This Guide
1 Read Chapter 1 on page 11 for how to access and use the CLI (Command Line Interface).
2 Read Chapter 2 on page 27 to learn about the CLI user and privilege modes.
3 Subsequent chapters are arranged by menu item as defined in the web configurator. Read each chapter carefully for detailed information on that menu item.
Note: Some features cannot be configured in both the web configurator and CLI.
CLI Reference Guide Feedback
Help us help you. Send all Reference Guide related comments, questions or suggestions for improvement to...
193. interface connect interface_name
    Connects the specified PPPoE/PPTP interface.
interface disconnect interface_name
    Disconnects the specified PPPoE/PPTP interface.
interface interface_name
    Creates the specified interface if necessary and enters sub-command mode.
account profile_name
    Specifies the ISP account for the specified PPPoE/PPTP interface. The no command clears the ISP account field.

ZyWALL ZLD CLI Reference Guide, Chapter 6 Interfaces
Table 26 interface Commands: PPPoE/PPTP Interfaces (continued)
[no] bind interface_name
    Specifies the base interface for the PPPoE/PPTP interface. The no command removes the base interface.
[no] connectivity {nail-up | dial-on-demand}
    Specifies whether the specified PPPoE/PPTP interface is always connected (nail-up) or connected only when used (dial-on-demand). The no command sets it to dial-on-demand.
[no] local-address ip
    Specifies a static IP address for the specified PPPoE/PPTP interface. The no command makes the PPPoE/PPTP interface a DHCP client; the other computer assigns the IP address.
[no] remote-address ip
    Specifies the IP address of the PPPoE/PPTP server. If the PPPoE/PPTP server is not available at this IP address, no connection is made. The no command lets the ZyWALL get the IP address of the PPPoE/PPTP server automatically when it establishes the connection.
[no] mss <536..1452>
    Specifies the maximum segment si...
194. ... a name such as wan1, wan2, opt, lan1, ext-wlan or dmz.
    VLAN interface: vlanx, x = 0..4094.
    Bridge interface: brx, x = 0..N, where N depends on the number of bridge interfaces your ZyWALL model supports.
This table lists the bridge interface commands.
Table 36 interface Commands: Bridge Interfaces
interface interface_name
    Creates the specified interface if necessary and enters sub-command mode.
[no] join interface_name
    Adds the specified Ethernet interface or VLAN interface to the specified bridge. The no command removes the specified interface from the specified bridge.
show bridge available member
    Displays the available interfaces that could be added to a bridge.
6.9.1 Bridge Interface Command Examples
The following commands show you how to set up a bridge interface named br0 with the following parameters: member ge1, IP 1.2.3.4, subnet 255.255.255.0, MTU 598, gateway 2.2.2.2, upstream bandwidth 345, downstream bandwidth 123, and description "I am br0".
Router# configure terminal
Router(config)# interface br0
Router(config-if-brg)# join ge1
Router(config-if-brg)# ip address 1.2.3.4 255.255.255.0
Router(config-if-brg)# ip gateway 2.2.2.2
Router(config-if-brg)# mtu 598
Router(config-if-brg)# upstream 345
Router(config-if-brg)# downstream 123
Router(config-if-brg)# description I am br0
Router(config-if-brg)# exit
ZyWAL...
195. ... able when you want to delete an object, because you have to remove references to the object first.
Table 6 show reference Commands
show reference object username username
    Displays which configuration settings reference the specified user object.
show reference object address profile_name
    Displays which configuration settings reference the specified address object.
show reference object eps profile_name
    Displays which configuration settings reference the specified endpoint security object.
show reference object service profile_name
    Displays which configuration settings reference the specified service object.
show reference object schedule profile_name
    Displays which configuration settings reference the specified schedule object.
show reference object interface {interface_name | virtual_interface_name}
    Displays which configuration settings reference the specified interface or virtual interface object.
show reference object aaa authentication {default | auth_method}
    Displays which configuration settings reference the specified AAA authentication object.
show reference object ca category {local | remote} cert_name
    Displays which configuration settings reference the specified authentication method object.
show reference object account pppoe profile_name
    Displays which configuration settings reference the specified PPPoE account object.
show reference object account ...
    Displays which ...
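The firewall example earlier on this page (service-object, address-object, firewall insert) and the show reference table above describe one object model: rules name objects, and an object cannot be deleted while something still references it. The following is an added illustration for this page, not ZyXEL code, modelling those relationships in Python; the rendered CLI text follows the page's examples, and the trailing "exit" line plus the KeyError-on-unknown-object behaviour are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List
import ipaddress

# Hypothetical model (not ZyXEL code) of address-object, service-object and
# firewall-rule relationships, with a "show reference" style check that
# refuses to delete an object that a rule still uses.


@dataclass
class AddressObject:
    name: str
    first: str   # first IP address of the range
    last: str    # last IP address of the range

    def __post_init__(self) -> None:
        lo, hi = ipaddress.ip_address(self.first), ipaddress.ip_address(self.last)
        if lo > hi:
            raise ValueError(f"{self.name}: range start {self.first} is after end {self.last}")

    def cli(self) -> str:
        return f"address-object {self.name} {self.first}-{self.last}"


@dataclass
class ServiceObject:
    name: str
    protocol: str   # tcp or udp
    port: int       # single port, as in "tcp eq 1234"

    def __post_init__(self) -> None:
        if self.protocol not in ("tcp", "udp") or not 1 <= self.port <= 65535:
            raise ValueError(f"{self.name}: invalid protocol or port")

    def cli(self) -> str:
        return f"service-object {self.name} {self.protocol} eq {self.port}"


@dataclass
class FirewallRule:
    position: int        # priority number in the global rule list
    from_zone: str
    to_zone: str
    destination: str     # name of an AddressObject
    service: str         # name of a ServiceObject
    action: str = "allow"

    def cli(self) -> List[str]:
        return [f"firewall insert {self.position}", f"from {self.from_zone}",
                f"to {self.to_zone}", f"destinationip {self.destination}",
                f"service {self.service}", f"action {self.action}", "exit"]


class Config:
    def __init__(self) -> None:
        self.addresses: Dict[str, AddressObject] = {}
        self.services: Dict[str, ServiceObject] = {}
        self.rules: List[FirewallRule] = []

    def add_rule(self, rule: FirewallRule) -> None:
        # A rule may only name objects that already exist (assumed behaviour).
        if rule.destination not in self.addresses:
            raise KeyError(f"address object {rule.destination} does not exist")
        if rule.service not in self.services:
            raise KeyError(f"service object {rule.service} does not exist")
        self.rules.append(rule)

    def references(self, kind: str, name: str) -> List[str]:
        """Counterpart of 'show reference object address|service <name>'."""
        attr = {"address": "destination", "service": "service"}[kind]
        return [f"firewall rule {r.position}" for r in self.rules if getattr(r, attr) == name]

    def delete_object(self, kind: str, name: str) -> bool:
        """Delete an object only when nothing references it (the guide's rule)."""
        if self.references(kind, name):
            return False
        table = self.addresses if kind == "address" else self.services
        del table[name]
        return True

    def script(self) -> List[str]:
        """The configuration as the CLI lines that would recreate it."""
        lines = ["configure terminal"]
        lines += [s.cli() for s in self.services.values()]
        lines += [a.cli() for a in self.addresses.values()]
        for rule in self.rules:
            lines += rule.cli()
        return lines


def page_example() -> Config:
    """The WAN-to-LAN rule from the firewall example on this page."""
    cfg = Config()
    svc = ServiceObject("MyService", "tcp", 1234)
    dst = AddressObject("Dest_1", "10.0.0.10", "10.0.0.15")
    cfg.services[svc.name] = svc
    cfg.addresses[dst.name] = dst
    cfg.add_rule(FirewallRule(3, "WAN", "LAN", "Dest_1", "MyService"))
    return cfg
```

Printing "\n".join(page_example().script()) reproduces the command sequence of the page's firewall example, and delete_object("address", "Dest_1") stays False until rule 3 is removed.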
196. ...aces
Table 23 interface Commands: MAC Setting (continued)
COMMAND - DESCRIPTION
type {internal | external | general} - Sets which type of network you will connect this interface to. The ZyWALL automatically adds default route and SNAT settings for traffic it routes from internal interfaces to external interfaces (for example, LAN to WAN traffic).
internal: Set this to connect to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The ZyWALL automatically adds default SNAT settings for traffic flowing from this interface to an external interface.
external: Set this to connect to an external network (like the Internet). The ZyWALL automatically adds this interface to the default WAN trunk.
general: Set this if you want to manually configure a policy route to add routing and SNAT settings for the interface.
no use-defined-mac - Has the interface use its default MAC address.
use-defined-mac - Has the interface use a MAC address that you specify.
6.3.2 Port Grouping Commands
This section covers commands that are specific to port grouping.
Note: In the CLI, representative interfaces are also called representative ports.
Table 24 Basic Interface Setting Commands
COMMAND - DESCRIPTION
show port-grouping - Displays which physical ports are assigned to each representative interface.
port-grouping representative_interface port <1..x> - Adds the specified physical (entry cut off)
197. ...packets are routed. The no command resets next-hop settings to the default (auto).
[no] schedule schedule_object - Sets the schedule. The no command removes the schedule setting to the default (none). none means any time.
[no] service {service_name | any} - Sets the IP protocol. The no command resets service settings to the default (any). any means all services.
[no] snat {outgoing-interface | pool address_object} - Sets the source IP address of the matched packets that use SNAT. The no command removes source NAT settings from the rule.
[no] source {address_object | any} - Sets the source IP address that the matched packets must have. The no command resets the source IP address to the default (any). any means all IP addresses.
Chapter 8 Route
Table 42 Command Summary: Policy Route (continued)
COMMAND - DESCRIPTION
[no] sslvpn tunnel_name - Sets the incoming interface to an SSL VPN tunnel. The no command removes the SSL VPN tunnel through which the incoming packets are received.
[no] trigger <1..8> incoming service_name trigger service_name - Sets a port triggering rule. The no command removes port trigger settings from the rule.
trigger append incoming service_name trigger service_name - Adds a new port triggering rule to the end of the list.
trigger delete <1..8> - Removes a port triggering rule.
trigger insert (entry cut off)
198. List of Commands (Alphabetical), continued (guide page numbers follow each entry):
ip address ... 52
ip dns server a-record ... 292
ip dns server mx-record domain_name {w.x.y.z | fqdn} ... 292
ip dns server zone-forwarder {<1..32> | append | insert <1..32>} {domain_zone_name | *} ... 293
ip ftp server ... 301
ip ftp server cert ... 301
ip ftp server port ... 301
ip ftp server tls-required ... 301
ip gateway ... 52
ip helper ... 57
ip http authentication ... 296
ip http port ... 296
ip http secure-port ... 296
ip http secure-server ... 296
ip http secure-server ... (entry cut off) 296
199. ...ages to pass this checking item. For some anti-virus software, the ZyWALL can also detect whether or not the anti-virus software is activated; in those cases it must also be activated.
Chapter 34 Endpoint Security
Table 158 Endpoint Security Object Commands
COMMAND - DESCRIPTION
[no] personal-firewall personal_firewall_software_name [detect-auto-protection {enable | disable | ignore}] - Sets a permitted personal firewall. If you want to enter multiple personal firewalls, use this command for each of them. Use the list signature personal-firewall command to view the available personal firewall software package options. detect-auto-protection: Set this to enable if the specified firewall software is not only detectable for the installation but also detectable for the activation status. You can check the settings for each firewall software by using the show eps signature personal-firewall command. The user's computer must have one of the listed personal firewalls to pass this checking item. For some personal firewalls, the ZyWALL can also detect whether or not the firewall is activated; in those cases it must also be activated.
[no] process process_name application forbidden - If you selected windows or linux as the operating system (using the os-type command), you can use this command to set an application that a user's computer is not permitted to have running. If (entry cut off)
200. ...aily report
daily-report [no] item av-report - Determines whether or not anti-virus statistics are included in the report e-mails.
daily-report [no] item as-report - Determines whether or not anti-spam statistics are included in the report e-mails.
daily-report [no] item traffic-report - Determines whether or not network traffic statistics are included in the report e-mails.
daily-report schedule hour <0..23> minute <00..59> - Sets the time for sending out the report e-mails.
[no] daily-report reset-counter - Determines whether or not to clear the report statistics data after successfully sending out a report e-mail.
daily-report send-now - Sends the daily e-mail report immediately (lets the user actively send out the report e-mails).
daily-report reset-counter-now - Discards all report data and starts all of the counters over at zero.
39.2.1 Email Daily Report Example
This example sets the ZyWALL to send a daily report e-mail.
Router(config)# no daily-report activate
Router(config)# daily-report smtp-address example-SMTP-mail-server.com
Router(config)# daily-report mail-subject set test subject
Router(config)# no daily-report mail-subject append system-name
Router(config)# daily-report mail-subject append date-time
Router(config)# daily-report mail-from my-email@example.com
Router(config)# daily-report mail-to-1 administrator@example.com
Router(config)# no daily-report mail-to-2
Router(config)# no (command cut off)
201. (log category listing, continued)
app-patrol: normal
ipsec: normal
sessions-limit: normal
built-in-service: normal
connectivity-check: normal
routing-protocol: normal
pki: normal
interface-statistics: no
port-grouping: normal
l2tp-over-ipsec: normal
white-list: normal
ssl-vpn: normal
traffic-log: no
dial-in: normal
default: all
Chapter 38 Logs
38.1.3 Debug Log Commands
This table lists the commands for the debug log settings.
Table 183 logging Commands: Debug Log Settings
COMMAND - DESCRIPTION
show logging debug status - Displays the current settings for the debug log.
show logging debug entries [category module_name] [srcip ip] [dstip ip] [service service_name] [begin <1..512> end <1..512>] [keyword keyword] [priority pri] - Displays the selected entries in the debug log. pri: alert | crit | debug | emerg | error | info | notice | warn. keyword: You can use alphanumeric and _ characters, and it can be up to 63 characters long. This searches the message, source, destination and notes fields.
show logging debug entries field field [begin <1..1024> end <1..1024>] - Displays the selected fields in the debug log. field: time | msg | src | dst | note | pri | cat | all
[no] logging debug suppression [<10..600>] - Enables log consolidation in the debug log. The no command disables log consolidation in the d(entry cut off)
202. List of Commands (Alphabetical), continued (guide page numbers follow each entry):
mv script old_file_name script new_file_name ... 315
mv {cert | conf | idp | packet_trace | script | tmp} old_file_name {cert | conf | idp | packet_trace | script | tmp} new_file_name ... 315
... file_name ... 316
scan-detection block-period (entry cut off)
203. ...all sub-command mode to set a firewall rule. See Table 64 on page 128 for the sub-commands.
Chapter 15 Firewall
Table 63 Command Summary: Firewall (continued)
COMMAND - DESCRIPTION
firewall zone_object {zone_object | ZyWALL} rule_number - Enters the firewall sub-command mode to set a direction-specific through-ZyWALL rule or to-ZyWALL rule. See Table 64 on page 128 for the sub-commands.
firewall zone_object {zone_object | ZyWALL} append - Enters the firewall sub-command mode to add a direction-specific through-ZyWALL rule or to-ZyWALL rule to the end of the global rule list. See Table 64 on page 128 for the sub-commands.
firewall zone_object {zone_object | ZyWALL} delete <1..5000> - Removes a direction-specific through-ZyWALL rule or to-ZyWALL rule. <1..5000>: the index number in a direction-specific firewall rule list.
firewall zone_object {zone_object | ZyWALL} flush - Removes all direction-specific through-ZyWALL rules or to-ZyWALL rules.
firewall zone_object {zone_object | ZyWALL} insert rule_number - Enters the firewall sub-command mode to add a direction-specific through-ZyWALL rule or to-ZyWALL rule before the specified rule number. See Table 64 on page 128 for the sub-commands.
firewall zone_object {zone_object | ZyWALL} move rule_number to rule_number - Moves a direction-specific through-ZyWALL rule or to-ZyWALL rule to the number (entry cut off)
204. ...examines every TCP and UDP connection passing through the ZyWALL and identifies what application is using the connection. Then you can specify, by application, whether or not the ZyWALL continues to route the connection.
Chapter 19 Application Patrol
19.2 Application Patrol Commands Summary
The following table describes the values required for many application patrol commands. Other values are discussed with the corresponding commands.
Table 77 Input Values for Application Patrol Commands
LABEL - DESCRIPTION
protocol_name - The name of a pre-defined application. These are listed by category (general, im, p2p, stream): ftp, smtp, pop3, irc, http, msn, aol, icq, yahoo, qq, bittorrent, eDonkey, fasttrack, gnutella, napster, h323, sip, soulseek, rtsp.
rule_number - The number of an application patrol rule, 1..X, where X is the highest number of rules the ZyWALL model supports. See the ZyWALL's User's Guide for details.
zone_name - The name of a zone. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
schedule_name - The name of a schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following sections list the application patrol commands.
19.2.1 Pre-defined Application Commands
Thi(text cut off)
205. ...an unidentified application.
app other move rule_number to rule_number - Moves the specified rule (first index) to the specified location. The process is: 1. remove the specified rule from the table, 2. re-number, 3. insert the rule at the specified location.
no app other rule_number - Deletes the specified rule.
19.2.5.1 Other Rule Sub-commands
The following table describes the sub-commands for several application patrol other rule commands. Note that not all rule commands use all the sub-commands listed here.
Table 85 app patrol other rule Sub-commands
COMMAND - DESCRIPTION
[no] activate - Turns on this rule. The no command turns off this rule.
[no] port <0..65535> - Specifies the destination port. 0 means any.
[no] schedule profile_name - Adds the specified schedule to the rule.
[no] user username - Adds the specified user to the rule.
[no] from zone_name - Specifies the source zone.
[no] to zone_name - Specifies the destination zone.
[no] source profile_name - Adds the specified source address to the rule.
[no] destination profile_name - Adds the specified destination address to the rule.
[no] protocol {tcp | udp} - Adds the specified protocol to the rule.
access {forward | drop | reject} - Specifies the action when traffic matches the rule.
Chapter 19 Application Patrol
Table 85 app patrol other rule Sub-commands (continued)
COMMAND (table cut off)
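Both the firewall rule commands above (append, insert, delete, flush, move) and the app-patrol "other" rule move command operate on an ordered, first-match rule list, and the guide spells out move as remove, re-number, insert. The following model is an added illustration written for this page, not ZyXEL code: it assumes 1-based numbering, first-match evaluation from rule 1 downward, and exactly those move semantics, so you can see how a move or insert changes which rule a packet hits. The Rule fields (port, protocol, access) are a deliberately reduced subset of the real sub-commands.

```python
"""Ordered rule-list model for ZLD firewall and app-patrol "other" rules.

Added illustration, not ZyXEL code. It assumes 1-based rule numbers, first-match
evaluation from rule 1 downward, and the move semantics the guide states:
remove the rule, re-number, then insert at the target position.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    port: int = 0            # destination port; 0 means any (as in the guide)
    protocol: str = "any"    # tcp | udp | any
    access: str = "forward"  # forward | drop | reject


class RuleList:
    def __init__(self, max_rules: int = 5000):
        self.max_rules = max_rules   # upper bound of the delete <1..5000> range
        self._rules: list[Rule] = []

    def _check(self, number: int) -> None:
        if not 1 <= number <= len(self._rules):
            raise IndexError(f"no rule {number}")

    def append(self, rule: Rule) -> int:
        """Add to the end of the list; returns the number the rule received."""
        if len(self._rules) >= self.max_rules:
            raise ValueError("rule table is full")
        self._rules.append(rule)
        return len(self._rules)

    def insert(self, number: int, rule: Rule) -> None:
        """Insert BEFORE rule `number`; that rule and all later ones shift down."""
        self._check(number)
        self._rules.insert(number - 1, rule)

    def delete(self, number: int) -> Rule:
        """Remove rule `number`; later rules are re-numbered by the list itself."""
        self._check(number)
        return self._rules.pop(number - 1)

    def flush(self) -> None:
        self._rules.clear()

    def move(self, number: int, to: int) -> None:
        """Step 1 remove, step 2 re-number (implicit), step 3 insert at `to`."""
        rule = self.delete(number)
        if not 1 <= to <= len(self._rules) + 1:
            self._rules.insert(number - 1, rule)  # put it back; table unchanged
            raise IndexError(f"target {to} out of range")
        self._rules.insert(to - 1, rule)

    def numbered(self) -> list[tuple[int, Rule]]:
        return list(enumerate(self._rules, start=1))

    def match(self, port: int, protocol: str):
        """First rule whose port and protocol match wins; (None, None) otherwise."""
        for number, rule in self.numbered():
            if rule.port not in (0, port):
                continue
            if rule.protocol not in ("any", protocol):
                continue
            return number, rule
        return None, None


if __name__ == "__main__":
    rl = RuleList()
    rl.append(Rule("allow-ssh", port=22, protocol="tcp"))
    rl.append(Rule("deny-rest", access="drop"))
    print("before move:", rl.match(22, "tcp"))
    rl.move(2, 1)            # the catch-all now sits in front of allow-ssh
    print("after move: ", rl.match(22, "tcp"))
```

The point to take from the model is that rule numbers are positions, not identifiers: every delete, insert or move re-numbers everything below it, so a script that stores "rule 7" and edits it later may be editing a different rule. Re-read the list (show ...) after each structural change, and put a catch-all drop at the end only after the permits it is meant to follow.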
206. ...ands
135 Martinique, 136 Mauritania, 137 Mauritius, 138 Mayotte, 139 Mexico, 140 Micronesia (Federal State of), 141 Moldova (Republic of), 142 Monaco, 143 Mongolia, 144 Montserrat, 145 Morocco, 146 Mozambique, 147 Namibia, 148 Nauru, 149 Nepal, 150 Netherlands, 151 Netherlands Antilles, 152 New Caledonia, 153 New Zealand, 154 Nicaragua, 155 Niger, 156 Nigeria, 157 Niue, 158 Norfolk Island, 159 Northern Mariana Islands, 160 Norway, 161 Not Determined, 162 Oman, 163 Pakistan, 164 Palau, 165 Panama, 166 Papua New Guinea, 167 Paraguay, 168 Peru, 169 Philippines, 170 Pitcairn Island, 171 Poland, 172 Portugal, 173 Puerto Rico, 174 Qatar, 175 Reunion Island, 176 Romania, 177 Russian Federation, 178 Rwanda, 179 Saint Kitts and Nevis, 180 Saint Lucia, 181 Saint Vincent and the Grenadines, 182 San Marino, 183 Sao Tome and Principe, 184 Saudi Arabia
Chapter 5 Registration
Table 10 Country Codes (continued)
COUNTRY CODE - COUNTRY NAME
185 Senegal, 186 Seychelles, 187 Sierra Leone, 188 Singapore, 189 Slovak Republic, 190 Slovenia, 191 Solomon Islands, 192 Somalia, 193 South Africa, 194 South Georgia and the South Sandwich Islands, 195 Spain, 196 Sri Lanka, 197 St Pierre and Miquelon, 198 St Helena, 199 Suriname, 200 Svalbard and Jan Mayen Islands, 201 Swaziland, 202 Sweden, 203 Switzerland, 204 Taiwan, 205 Taji(list cut off)
207. ...ands Examples
The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512-bit key. Then it displays the list of local certificates. Finally, it deletes the pkcs12request certification request. Note that a 512-bit RSA key is only adequate for demonstrating the command syntax: 512-bit RSA moduli can be factored with modest resources, so use at least 2048 bits for any certificate you actually deploy.
Router# configure terminal
Router(config)# ca generate x509 name test_x509 cn-type ip cn 10.0.0.58 key-type rsa key-len 512
Router(config)# show ca category local
certificate: default
  type: SELF
  subject: CN=ZyWALL 1050 Factory Default Certificate
  issuer: CN=ZyWALL 1050 Factory Default Certificate
  status: VALID
  ID: ZyWALL 1050 Factory Default Certificate
  type: EMAIL
  valid from: 2003-01-01 00:38:30
  valid to: 2022-12-27 00:38:30
certificate: test
  type: REQ
  subject: CN=1.1.1.1
  issuer: none
  status: VALID
  ID: 1.1.1.1
  type: IP
  valid from: none
  valid to: none
certificate: pkcs12request
  type: REQ
  subject: CN=1.1.1.2
  issuer: none
  status: VALID
  ID: 1.1.1.2
  type: IP
  valid from: none
  valid to: none
certificate: test_x509
  type: SELF
  subject: CN=10.0.0.58
  issuer: CN=10.0.0.58
  status: VALID
  ID: 10.0.0.58
  type: IP
  valid from: 2006-05-29 10:26:08
  valid to: 2009-05-28 10:26:08
Router(config)# no ca category local pkcs12request
Chapter 31 Certificates
ISP Accounts
Use ISP accounts to manage Internet Service Provide(text cut off)
208. ...andwidth management
COMMAND - DESCRIPTION
show app config - Displays whether or not application patrol is active.
show app all - Displays the settings for all applications.
show app all defaultport - Displays the default port settings for all applications.
show app all statistics - Displays statistics for all applications.
show app {general | im | p2p | stream} - Displays protocols by category.
show app im support action - Displays the supported actions of each Instant Messenger application.
show app protocol_name config - Displays the basic configuration of this application.
show app protocol_name defaultport - Displays the default ports of this application.
show app protocol_name statistics - Displays the statistics of this application.
show app protocol_name rule rule_number - Displays the rule configuration of this application.
show app protocol_name rule rule_number statistics - Displays the rule statistics of this application.
show app protocol_name rule default - Displays the default rule configuration of this application.
show app protocol_name rule default statistics - Displays the default rule statistics of this application.
show app protocol_name rule all - Displays the configurations of all the rules for this application.
show app protocol_name rule all statistics - Displays all the rule statistics for this application.
show app other config - Displays the basic configuration for other applications.
show app other statistics - Displays statistics for other applications.
show app (entry cut off)
209. List of Commands (Alphabetical), continued (guide page numbers follow each entry):
budget log [alert] [recursive <1..65535>] ... 69
budget log-percentage [percentage] [alert] [recursive <1..65535>] ... 69
budget current-connection {keep | drop} ... 69
budget new-connection {allow | disallow} ... 69
budget percentage {ptime | pdata} ... 69
budget reset-counters ... 69
ca enroll cmp name certificate_name cn-type {ip cn cn_address | fqdn cn cn_domain_name | mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa | dsa} key-len key_length num <0..99999999> password password ca ca_name url url ... 264
ca enroll scep name certificate_name cn-type {ip cn (entry cut off)
210. ...apter 19 Application Patrol
Router# configure terminal
Router(config)# show app http rule all
index: default
  activate: yes
  port: 0
  schedule: none
  user: any
  from zone: any
  to zone: any
  source address: any
  destination address: any
  access: forward
  action login: na
  action message: na
  action audio: na
  action video: na
  action file transfer: na
  DSCP inbound marking: preserve
  DSCP outbound marking: preserve
  bandwidth excess usage: no
  bandwidth priority: 1
  bandwidth inbound: 0
  bandwidth outbound: 0
  log: no
Router# configure terminal
Router(config)# show app other config
bandwidth graph: yes
Chapter 19 Application Patrol
Router# configure terminal
Router(config)# show app other rule all
index: 1
  activate: yes
  port: 5963
  schedule: none
  user: any
  from zone: any
  to zone: any
  source address: any
  destination address: any
  protocol: tcp
  access: forward
  DSCP inbound marking: preserve
  DSCP outbound marking: preserve
  bandwidth excess usage: no
  bandwidth priority: 1
  bandwidth inbound: 0
  bandwidth outbound: 0
  log: no
index: default
  activate: yes
  port: 0
  schedule: none
  user: any
  from zone: any
  to zone: any
  source address: any
  destination address: any
  protocol: any
  access: forward
  DSCP inbound marking: preserve
  DSCP outbound marking: preserve
  bandwidth excess usage: no
  bandwidth priority: 1
  bandwidth inbound: 0
  bandwidth ou(output cut off)
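The listing above is what a practitioner would audit: an "other" rule that forwards port 5963/tcp with log no, and a default rule that forwards every unidentified application, also unlogged. The script below is an added illustration, not ZyXEL code. It parses a constructed copy of that output (assuming one `key: value` field per line with `index:` opening each rule, as laid out here) and flags forward-without-log rules and a forwarding catch-all, which is the check to run after any app-patrol change.

```python
"""Parser and audit for ZLD `show app other rule all` output.

Added illustration, not ZyXEL code. SAMPLE_SHOW_OUTPUT is constructed from the
rule listing reproduced on this page, assuming one `key: value` field per line
with `index:` starting each rule. The audit flags rules that forward without
logging and a catch-all default rule that forwards unidentified applications.
"""

SAMPLE_SHOW_OUTPUT = """\
index: 1
  activate: yes
  port: 5963
  schedule: none
  user: any
  from zone: any
  to zone: any
  source address: any
  destination address: any
  protocol: tcp
  access: forward
  DSCP inbound marking: preserve
  DSCP outbound marking: preserve
  bandwidth excess usage: no
  bandwidth priority: 1
  bandwidth inbound: 0
  bandwidth outbound: 0
  log: no
index: default
  activate: yes
  port: 0
  schedule: none
  user: any
  from zone: any
  to zone: any
  source address: any
  destination address: any
  protocol: any
  access: forward
  bandwidth priority: 1
  log: no
"""


def parse_show_rules(text: str) -> list[dict]:
    """Turn the flat `key: value` listing into one dict per rule index."""
    rules: list[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "index":
            current = {"index": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def audit_rules(rules: list[dict]) -> list[tuple[str, str]]:
    """Return (index, finding) pairs for active rules worth a second look."""
    findings: list[tuple[str, str]] = []
    for rule in rules:
        if rule.get("activate") == "no":
            continue  # inactive rules do not act on traffic
        if rule.get("access") == "forward" and rule.get("log") == "no":
            findings.append((rule["index"], "forwards matching traffic without logging"))
        if rule["index"] == "default" and rule.get("access") == "forward":
            findings.append((rule["index"], "catch-all default forwards unidentified applications"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_rules(parse_show_rules(SAMPLE_SHOW_OUTPUT)):
        print(f"rule {index}: {finding}")
```

To use it against a real device, paste the output of show app other rule all in place of the sample; the parser ignores blank lines and tolerates keys that contain spaces, but it is only as exact as the layout assumed above.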
211. ...aracters. Spaces are not allowed.
[no] authentication {none | pap | chap} - Sets the authentication for the cellular account. The no command sets the authentication to none. pap sends the account password to the provider unprotected over the link; prefer chap where the provider supports it.
[no] idle <0..360> - Sets the idle timeout for the cellular account. Zero disables the idle timeout. The no command sets the idle timeout to zero.
Chapter 32 ISP Accounts
SSL Application
This chapter describes how to configure SSL application objects for use in SSL VPN.
33.1 SSL Application Overview
Configure an SSL application object to specify a service and a corresponding IP address of the server on the local network. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account or user group.
33.1.1 SSL Application Object Commands
This table lists the commands for creating SSL application objects. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 156 SSL Application Object Commands
COMMAND - DESCRIPTION
show sslvpn application [application_object] - Displays SSL VPN application objects.
[no] sslvpn application application_object - Enters the sub-command mode to create an SSL VPN application object.
server-type {file-sharing | owa | web-server} url URL - Specify the type of service for this SSL application. file-sharing: create a(entry cut off)
212. List of Commands (Alphabetical), continued (guide page numbers follow each entry):
[no] tcp-decoder tcp_xxx action {drop | reject-sender | reject-receiver | reject-both} ... 188
[no] tcp-decoder tcp_xxx activate ... 188
[no] third-dns-server {ip | interface_name {1st-dns | 2nd-dns | 3rd-dns} | ZyWALL} ... 57
[no] to zone ... 128
[no] to zone ... 164
[no] to zone ... 155
[no] to zone ... 177
[no] to zone ... 212
[no] to zone ... 185
[no] trigger <1..8> incoming service_name trigger service_name ... 92
[no] tunnel ... 32
[no] udp-decoder {truncated-header | undersize-len | oversize-len} activate ... 188
[no] upstream ... 52
[no] user user_name ... 128
[no] user user_name (entry cut off)
213. ...ault_L2TP_VPN_GW. The address object in this example uses IP address 172.23.37.205 and is named L2TP_IFACE.
Chapter 18 L2TP VPN
For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0. It is named L2TP_HOST in this example.
Router(config)# crypto map Default_L2TP_VPN_Connection
Router(config-crypto-Default_L2TP_VPN_Connection)# policy-enforcement
Router(config-crypto-Default_L2TP_VPN_Connection)# local-policy L2TP_IFACE
Router(config-crypto-Default_L2TP_VPN_Connection)# remote-policy L2TP_HOST
Router(config-crypto-Default_L2TP_VPN_Connection)# activate
Router(config-crypto-Default_L2TP_VPN_Connection)# exit
18.5.3 Configuring the L2TP VPN Settings Example
The following commands configure and display the L2TP VPN settings. Set it to use the Default_L2TP_VPN_Connection VPN connection. Configure an IP address pool for the range of 192.168.10.10 to 192.168.10.20 (in this example it is already created and called L2TP_POOL). This example uses the default authentication method (the ZyWALL's local user database). Select a user or group of users that can use the tunnel; here a user account named L2TP-test has been created. The other settings are left at the defaults in this example. Enable the connection.
Router(config)# l2tp-over-ipsec authentication (transcript cut off)
214. ...av rule 1
Router(config)# anti-virus rule 1
Router(config-av-rule-1)# activate
Router(config-av-rule-1)# from WAN
Router(config-av-rule-1)# to LAN
Router(config-av-rule-1)# scan http
Router(config-av-rule-1)# infected-action destroy
Router(config-av-rule-1)# bypass white-list
Router(config-av-rule-1)# no bypass black-list
Router(config-av-rule-1)# file-decompression
Router(config-av-rule-1)# no file-decompression unsupported
Router(config-av-rule-1)# exit
Router(config)# show anti-virus rule 1
Anti-Virus Rule: 1
  active: yes
  log: log
  from zone: WAN
  to zone: LAN
  scan protocols: http: yes, ftp: yes, smtp: yes, pop3: yes, imap4: yes
  infected action: destroy: yes, send windows message: (value not captured)
  bypass white list: yes
  bypass black list: no
  file decompression: yes
  destroy unsupported compressed file: no
20.2.3 White and Black Lists
The following table describes the commands for configuring the white list and black list. You must use the configure terminal command to enter the configuration mode before you can use these commands. Note that the white list matches on file name patterns, which the sender controls: a rule with bypass white-list skips scanning for any file that an attacker names to fit a pattern, so keep the patterns few and specific.
Table 90 Commands for Anti-virus White and Black Lists
COMMAND - DESCRIPTION
[no] anti-virus white-list activate - Turn on the white list to have the ZyWALL not perform the anti-virus check on files with names that match the white-list patterns.
[no] anti-virus white-list file-pattern av_file_pattern - Adds or removes a white-list file pattern. Turns a file pattern (entry cut off)
215. ...b host key for 192.168.1.1 accepted by user Tue Aug 09 2005 07:38:28
admin's password:
Authentication successful
1.3 How to Find Commands in this Guide
You can simply look for the feature chapter to find commands. In addition, you can use the List of Commands (Alphabetical) at the end of the guide. This section lists the commands in alphabetical order as they appear in this guide. If you are looking at the CLI Reference Guide electronically, you might have additional options (for example, bookmarks or Find) as well.
1.4 How Commands Are Explained
Each chapter explains the commands for one keyword. The chapters are divided into the following sections.
1.4.1 Background Information (Optional)
Note: See the User's Guide for background information about most features.
This section provides background information about features that you cannot configure in the web configurator. In addition, this section identifies related commands in other chapters.
1.4.2 Command Input Values (Optional)
This section lists common input values for the commands for the feature in one or more tables.
Chapter 1 Command Line Interface
1.4.3 Command Summary
This section lists the commands for the feature in one or more tables.
1.4.4 Command Examples (Optional)
This section contains any examples for the commands in this feature.
1.4.5 Command Syntax
The following conventions are used (text cut off)
216. ...bles all SNMP notifications (informs or traps). The no command disables all SNMP notifications (informs or traps).
[no] snmp-server host w.x.y.z [community_string] - Sets the IP address of the host that receives the SNMP notifications. The no command removes the host that receives the SNMP notifications.
[no] snmp-server location description - Sets the geographic location (of up to 60 characters) for the ZyWALL. The no command removes the geographic location for the ZyWALL.
Chapter 36 System Remote Management
Table 171 Command Summary: SNMP (continued)
COMMAND - DESCRIPTION
[no] snmp-server port <1..65535> - Sets the SNMP service port number. The no command resets the SNMP service port number to the factory default (161).
snmp-server rule {rule_number | append | insert rule_number} access-group {ALL | address_object} zone {ALL | zone_object} action {accept | deny} - Sets a service control rule for the SNMP service. Because a community string is sent in the clear and is the only credential the agent checks, use these rules to accept SNMP only from a management address object in a management zone rather than from ALL.
address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
zone_object: The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 100 and 200 models use pre-defined zone names like (entry cut off)
217. List of Commands (Alphabetical), continued (guide page numbers follow each entry):
address-object rename object_name object_name ... 242
anti-spam dnsbl <1..5> domain dnsbl_domain {activate | deactivate} ... 216
anti-spam dnsbl ip-check-order {forward | backward} ... 216
anti-spam dnsbl query-timeout pop3 {forward | forward-with-tag} ... 216
anti-spam dnsbl query-timeout smtp {drop | forward | forward-with-tag} ... 216
anti-spam dnsbl query-timeout time ... 217
anti-spam rule delete rule_number ... 212
anti-spam rule insert rule_number ... 212
anti-spam rule move rule_number to rule_number ... 212
anti-spam rule rule_number ... 212
anti-spam statistics flush ... 218
anti-spam (entry cut off)
218. ...c characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
zone_object - The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 100 and 200 models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT and WAN.
rule_number - The priority number of a firewall rule, 1..X, where X is the highest number of rules the ZyWALL model supports. See the ZyWALL's User's Guide for details.
schedule_object - The name of the schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
service_name - The name of the service group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following table describes the commands available for the firewall. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 63 Command Summary: Firewall
COMMAND - DESCRIPTION
[no] connlimit max-per-host <1..8192> - Sets the highest number of sessions that the ZyWALL will permit a host to have at one time. The no command removes the setting.
firewall rule_number - Enters the firew(entry cut off)
219. ...ce group_name - Creates the specified service group if necessary and enters sub-command mode. The no command removes the specified service group.
[no] service-object object_name - Adds the specified service to the specified service group. The no command removes the specified service from the specified group.
Chapter 27 Services
Table 141 object-group Commands: Service Groups (continued)
COMMAND - DESCRIPTION
[no] object-group group_name - Adds the specified service group (second group_name) to the specified service group (first group_name). The no command removes the specified service group from the specified service group.
[no] description description - Sets the description to the specified value. The no command removes the description. description: You can use alphanumeric and _ characters, and it can be up to 60 characters long.
object-group service rename group_name group_name - Renames the specified service group from the first group_name to the second group_name.
27.2.2.1 Service Group Command Examples
The following commands create service ICMP_ECHO, create service group SG1, and add ICMP_ECHO to SG1.
Router# configure terminal
Router(config)# service-object ICMP_ECHO icmp echo
Router(config)# object-group service SG1
Router(group-service)# service-object ICMP_ECHO
221. ...ce_name: The name of the interface.
Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1-N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 100 and 200 models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
virtual interface on top of Ethernet interface: add a colon (:) and the number of the virtual interface. For example, gex:y, x = 1-N, y = 1-4.
VLAN interface: vlanx, x = 0-4094.
virtual interface on top of VLAN interface: vlanx:y, x = 0-4094, y = 1-12.
bridge interface: brx, x = 0-N, where N depends on the number of bridge interfaces your ZyWALL model supports.
virtual interface on top of bridge interface: brx:y, x = the number of the bridge interface, y = 1-4.
PPPoE/PPTP interface: pppx, x = 0-N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.
policy_number: The number of a policy route, 1-X, where X is the highest number of policy routes the ZyWALL model supports. See the ZyWALL's User's Guide for details.
Table 41 Input Values for General Policy Route Commands (continued)
schedule_object: The name of the schedule. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
service_name: The name of the service group. You...
224. ...coder options, where tcp_xxx = undersize-len | undersize-offset | oversize-offset | bad-length-options | truncated-options | ttcp-detected | obsolete-options | experimental-options.
tcp-decoder tcp_xxx log [alert]: Sets tcp decoder log or alert options.
no tcp-decoder tcp_xxx log: Deactivates tcp decoder log or alert options.
[no] tcp-decoder {undersize-len | oversize-len} activate: Activates or deactivates tcp decoder options.
tcp-decoder tcp_xxx action {drop | reject-sender | reject-receiver | reject-both}: Sets tcp decoder action.
[no] udp-decoder {truncated-header | undersize-len | oversize-len} activate: Activates or deactivates udp decoder options.
udp-decoder {truncated-header | undersize-len | oversize-len} log [alert]: Sets udp decoder log or alert options.
no udp-decoder {truncated-header | undersize-len | oversize-len} log: Deactivates udp decoder log options.
udp-decoder {truncated-header | undersize-len | oversize-len} action {drop | reject-sender | reject-receiver | reject-both}: Sets udp decoder action.
no udp-decoder {truncated-header | undersize-len | oversize-len} action: Deactivates udp decoder actions.
Table 99 Editing/Creating Anomaly Profiles (continued)
[no] icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} activate: Activates or deactivates icmp decoder options.
icmp-decoder ...
225. ...commands. Other values are discussed with the corresponding commands.
Table 142 Input Values for Schedule Commands
object_name: The name of the schedule. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
time: 24-hour time, hours and minutes: <0..23>:<0..59>
The following table lists the schedule commands.
Table 143 schedule Commands
show schedule-object: Displays information about the schedules in the ZyWALL.
no schedule-object object_name: Deletes the schedule object.
schedule-object object_name date time date time: Creates or updates a one-time schedule. date: yyyy-mm-dd date format, yyyy-<01..12>-<01..31>
schedule-object object_name time time day [day] [day] [day] [day] [day] [day]: Creates or updates a recurring schedule. day: 3-character day of the week: sun | mon | tue | wed | thu | fri | sat
28.2.1 Schedule Command Examples
The following commands create recurring schedule SCHEDULE1 and one-time schedule SCHEDULE2, and then delete SCHEDULE1.
Router# configure terminal
Router(config)# schedule-object SCHEDULE1 11:00 12:00 mon tue wed thu fri
Router(config)# schedule-object SCHEDULE2 2006-07-29 11:00 2006-07-31...
226. Router# configure terminal
Router(config)# interface aux
Router(config-if-aux)# phone-number 0340508888
Router(config-if-aux)# dialing-type tone
Router(config-if-aux)# port-speed 115200
Router(config-if-aux)# initial-string ATZ
Router(config-if-aux)# timeout 10
Router(config-if-aux)# retry-count 2
Router(config-if-aux)# retry-interval 100
Router(config-if-aux)# username kk password kk u2online
Router(config-if-aux)# authentication chap-pap
Router(config-if-aux)# description I am aux interface
Router(config-if-aux)# exit
The following commands show how to dial, disconnect and stop the auxiliary interface.
Router# interface dial aux
Router# interface disconnect aux
Chapter 7 Trunks
This chapter shows you how to configure trunks on your ZyWALL.
7.1 Trunks Overview
You can group multiple interfaces together into trunks to have multiple connections share the traffic load, to increase overall network throughput and enhance network reliability. If one interface's connection goes down, the ZyWALL sends traffic through another member of the trunk. For example, you can use two interfaces for WAN connections. You can connect one interface to one ISP (or network) and connect another to a second ISP (or network). The ZyWALL can balance the load between multiple connections. If one interface's connection goes down, the ZyWALL can automatically send its traffic through another interface. You can use policy routing to specify through which interface t...
227. ...configuration settings reference the specified PPTP account object.
show reference object sslvpn application [profile]: Displays which configuration settings reference the specified SSL VPN application object.
show reference object crypto map [name]: Displays which configuration settings reference the specified VPN connection object.
Table 6 show reference Commands (continued)
show reference object isakmp policy [isakmp_name]: Displays which configuration settings reference the specified VPN gateway object.
show reference object sslvpn policy [profile]: Displays which configuration settings reference the specified SSL VPN object.
show reference object zone [profile]: Displays which configuration settings reference the specified zone object.
show reference object-group username [username]: Displays which configuration settings reference the specified user group object.
show reference object-group address [profile]: Displays which configuration settings reference the specified address group object.
show reference object-group service [profile]: Displays which configuration settings reference the specified service group object.
show reference object-group interface [profile]: Displays which configuration settings reference the specified trunk ob...
228. ...ct an external serial modem to the DIAL BACKUP port (or AUX port, depending on your model) to provide a remote management connection in case the ZyWALL's other WAN connections are down. This is like an auxiliary interface, except it is used for management connections coming into the ZyWALL instead of as a backup WAN connection.
36.10.1 AT Command Strings
For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP.
36.10.2 DTR Signal
The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH.
36.10.3 Response Strings
The response strings tell the ZyWALL the tags, or labels, immediately preceding the various call parameters sent from the serial modem. The response strings have not been standardized; please consult the documentation of your serial modem to find the correct tags.
36.10.4 Dial-in Management Commands
The following table describes the commands available for dial-in management. You must use the configure terminal command to enter the configurat...
229. ...ction destroy [send-win-msg]: Sets the action to take when the ZyWALL detects a virus in a file. The file can be destroyed (filled with zeros from the point where the virus was found). The ZyWALL can also send a message alert to the file's intended user using a Microsoft Windows computer connected to the to interface list.
[no] bypass {white-list | black-list}: Have the ZyWALL not check files against a pattern list.
[no] file-decompression [unsupported destroy]: Enable file decompression to have the ZyWALL attempt to decompress zipped files for further scanning. You can also have it destroy the zipped files it cannot decompress due to encryption or system resource limitations.
show [all]: Displays the details of the anti-virus rule you are configuring, or all the rules.
anti-virus rule move <1..32> to <1..32>: Moves a direction-specific anti-virus rule to the number that you specified.
anti-virus rule delete <1..32>: Removes a direction-specific anti-virus rule.
20.2.2.1 Zone to Zone Anti-virus Rule Example
This example shows how to configure and display a WAN to LAN anti-virus rule to scan HTTP traffic and destroy infected files. The white and black lists are ignored, and zipped files are decompressed. Any zipped files that cannot be decompressed are destroyed.
Router(config)# av rule 1
Router(config...
230. ...ctivate: Turns on this rule. The no command turns off this rule.
bandwidth {inbound | outbound} <0..1048576>: Limits inbound or outbound bandwidth in kilobits per second. 0 disables bandwidth management for traffic matching this rule.
[no] bandwidth excess-usage: Enables maximize bandwidth usage to let the traffic matching this policy borrow any unused bandwidth on the outgoing interface.
bandwidth-priority <1..7>: Sets the priority for traffic that matches this rule. The smaller the number, the higher the priority.
[no] destination profile_name: Adds the specified destination address to the rule.
[no] from zone_name: Specifies the source zone.
[no] inbound dscp-mark {<0..63> | class {default | dscp_class}}: This is how the ZyWALL handles the DSCP value of the outgoing packets to a connection's initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to class default to have the ZyWALL set the DSCP value to 0.
[no] log [alert]: Creates log entries and alerts for traffic that matches the rule. The no command does not create any log entries.
[no] outbound dscp-mark {<0..63> | class {default | dscp_class}}: This is how the ZyWALL handles the DSCP value of the outgoing packets from a connection's initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to class default to have the ZyWALL set the DSCP val...
231. ...{activate | deactivate}: Turns a file pattern on or off.
anti-virus white-list replace old_av_file_pattern new_av_file_pattern {activate | deactivate}: Replaces the specified white list file pattern with a new file pattern.
Table 90 Commands for Anti-virus White and Black Lists (continued)
[no] anti-virus black-list activate: Turns on the black list to log and delete files with names that match the black list patterns.
[no] anti-virus black-list file-pattern av_file_pattern {activate | deactivate}: Adds or removes a black list file pattern. Turns a file pattern on or off.
anti-virus black-list replace old_av_file_pattern new_av_file_pattern {activate | deactivate}: Replaces the specified black list file pattern with a new file pattern.
20.2.3.1 White and Black Lists Example
This example shows how to enable the white list and configure an active white list entry for files with a .exe extension. It also enables the black list and configures an inactive black list entry for files with a .exe extension.
Router(config)# anti-virus white-list activate
Router(config)# anti-virus white-list file-pattern *.exe activate
Router(config)# anti-virus black-list activate
Router(config)# anti-virus black-list file-pattern *.exe deactivate
Router(config)# show anti-virus white-list stat...
232. ...d Example
The following example creates an authentication profile to authenticate users using the LDAP server group and then the local user database.
Router# configure terminal
Router(config)# aaa authentication LDAPuser group ldap local
Router(config)# show aaa authentication LDAPuser
No. Method
0 ldap
1 local
Router(config)#
30.3 test aaa Command
The following table lists the test aaa command you use to test a user account on an authentication server.
Table 151 test aaa Command
test aaa server secure {ad | ldap} host authentication-server-hostname|ipv4-address [host hostname|ipv4-address] port <1..65535> base-dn base-dn-string bind-dn bind-dn-string password password login-name-attribute attribute [alternative-login-name-attribute attribute] account account-name: Tests whether a user account exists on the specified server.
30.3.1 Test a User Account Command Example
The following example shows how to test whether a user account named userABC exists on the AD authentication server, which uses the following settings:
IP address: 172.16.50.1
Port: 389
Base-dn: DC=ZyXEL,DC=com
Bind-dn: zyxel\engineerABC
Password: abcdefg
Login-name-attribute: SAMAccountName
The result shows the account exists on the AD server. Otherwise, the ZyWALL responds an e...
233. ...d Examples
The following commands create three address objects A0, A1 and A2, and add A1 and A2 to address group RD.
Router# configure terminal
Router(config)# address-object A0 192.168.1.1
Router(config)# address-object A1 192.168.1.2-192.168.2.20
Router(config)# address-object A2 192.168.3.0/24
Router(config)# object-group address RD
Router(group-address)# address-object A1
Router(group-address)# address-object A2
Router(group-address)# exit
Router(config)# show object-group address
Group name    Reference    Description
TW_TEAM       5
RD            0
Router(config)# show object-group address RD
Object/Group name    Type      Reference
A1                   Object    1
A2                   Object    1
Chapter 27 Services
Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
27.1 Services Overview
See the appendices in the web configurator's User Guide for a list of commonly used services.
27.2 Services Commands Summary
The following table describes the values required for many service object and service group commands. Other values are discussed with the corresponding commands.
Table 139 Input Values for Service Commands
group_name: The name of the service group. You may use 1-31 alpha...
234. ...d the subnet mask.
[no] ip gateway ip: Adds the specified gateway using the specified interface. The no command removes the gateway.
ip gateway ip metric <0..15>: Sets the priority (relative to every gateway on every interface) for the specified gateway. The lower the number, the higher the priority.
[no] metric <0..15>: Sets the PPPoE/PPTP or cellular interface's priority relative to other interfaces. The lower the number, the higher the priority.
[no] mss <536..1460>: Specifies the maximum segment size (MSS) the interface is to use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece. The no command has the interface use its default MSS.
[no] mtu <576..1500>: Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The ZyWALL divides larger packets into smaller fragments. The no command resets the MTU to 1500.
[no] shutdown: Deactivates the specified interface. The no command activates it.
traffic-prioritize {tcp-ack | content-filter | dns | ipsec-vpn | ssl-vpn} bandwidth <0..1048576> priority <1..7> [maximize-bandwidth-usage]: Applies traffic priority when the interface sends TCP ACK traffic, traffic for querying the content filter, traffic for resolving domain names, or encrypted traffic for an IPSec or SSL VPN tunnel. It also sets how much band...
235. ...d the underscore.
password: You can use up to 64 alphanumeric characters and the underscore.
[no] host hostname: Sets the domain name in the specified DDNS profile. The no command clears the domain name. hostname: You may use up to 254 alphanumeric characters, dashes (-), or periods (.), but the first character must be alphanumeric.
[no] ip-select {iface | auto | custom}: Sets the IP address update policy in the specified DDNS profile. The no command clears the policy.
[no] ip-select-backup {iface | auto | custom}: Sets the alternate IP address update policy in the specified DDNS profile. The no command clears the policy.
[no] custom-ip ip: Sets the static IP address in the specified DDNS profile. The no command clears it.
[no] backup-custom-ip ip: Sets the static IP address for the backup interface in the specified DDNS profile. The no command clears it.
[no] mx {ip | domain_name}: Enables the mail exchanger and sets the fully-qualified domain name of the mail server to which mail from this domain name is forwarded. The no command disables the mail exchanger. domain_name: You may use up to 254 alphanumeric characters, dashes (-), or periods (.), but the first character must be alphanumeric.
Table 56 ip ddns Commands (continued)
[no] wan-iface interface_name: Sets the WAN interface in the specified DDNS...
236. ...d to display. The no command clears this setting.
ad-server password-encrypted password: Sets the encrypted password (less than 32 alphanumeric characters) in order to hide the real password from people behind you when you are configuring the AD server password. This password is displayed as what you typed when you use the show ad-server command.
[no] ad-server port port_no: Sets the AD port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
[no] ad-server search-time-limit time: Sets the search timeout period in seconds. Enter a number between 1 and 300. The no command clears this setting.
[no] ad-server ssl: Enables the ZyWALL to establish a secure connection to the AD server. The no command disables this feature.
29.2.2 ldap-server Commands
The following table lists the ldap-server commands you use to set the default LDAP server.
Table 145 ldap-server Commands
show ldap-server: Displays current LDAP server settings.
[no] ldap-server basedn basedn: Sets a base distinguished name (DN) for the default LDAP server. A base DN identifies an LDAP directory. The no command clears this setting.
[no] ldap-server binddn binddn: Sets the user name the ZyWALL uses to log into the default LDAP server. The no command clears this setting.
[no] ldap-server cn-identifier ...: Sets the unique com...
239. ...dial-in management.
Router# configure terminal
Router(config)# dial-in
Router(config-dial-in)# activate
Router(config-dial-in)# port-speed 57600
Router(config-dial-in)# initial-string ATDT
Router(config-dial-in)# description I am dial-in management
Router(config-dial-in)# exit
36.11 Vantage CNM
Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details.
If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator or commands) without notifying the Vantage CNM administrator.
36.11.1 Vantage CNM Commands
The following table describes the commands available for dial-in management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 174 Command Summary: Vantage CNM
[no] cnm-agent manager url: Sets up the URL of the Vantage server that the ZyWALL registers with. Include the full HTTPS or HTTP URL. For example, https://1.2.3.4/vantage/TR069
[no] cnm-agent activate: Turns management...
240. ...display when a user's computer fails the endpoint security check. Use up to 1023 characters (0-9a-zA-Z_ ...). For example, "Endpoint Security checking failed. Please contact your network administrator for help." The no command removes the setting.
show eps failure-messages: Displays the message to display when a user's computer fails the endpoint security check.
[no] eps-profile profile_name: Enters the sub-command mode. The no command removes an endpoint security object.
[no] {anti-virus | personal-firewall} activate: If you set windows as the operating system (using the os-type command), you can set whether or not the user's computer is required to have anti-virus or personal firewall software installed.
[no] anti-virus anti_virus_software_name [detect-auto-protection {enable | disable | ignore}]: Sets a permitted anti-virus software package. If you want to enter multiple anti-virus software packages, use this command for each of them. Use the list signature anti-virus command to view the available anti-virus software package options. detect-auto-protection: Set this to enable if the specified anti-virus software is not only detectable for the installation but also detectable for the activation status. You can check the settings for each anti-virus software by using the show eps signature anti-virus command. The user's computer must have one of the listed anti-virus software pack...
241. Router(config)# ip dhcp pool DHCP_TEST
Router(config-ip-dhcp-pool)# ...
Router(config-ip-dhcp-pool)# exit
Router(config)# interface ge1
Router(config-if)# ip dhcp-pool DHCP_TEST
Router(config-if)# exit
Router(config)# show ip dhcp server status DHCP_TEST
binding interface: ge1
binding pool: DHCP_TEST
first dns server: 10.1.5.1
second dns server: ge1 1st-dns
third dns server: 10.1.5.2
default router: 192.168.1.1
lease: 0 1 30
starting address: 192.168.1.10
pool size: 30
hardware address: 00:0F:20:74:B8:18
client identifier: 00:0F:20:74:B8:18
client name: TWtester1
Router(config)#
6.2.3 Interface Parameter Command Examples
This table shows an example of each interface type's sub-commands. The sub-commands vary for different interface types.
Table 18 Examples for Different Interface Parameters
ETHERNET: Router(config)# interface wan1, Router(config-if-wan1)# with sub-commands description, downstream, exit, ip, mac, mss, mtu, no, ping-check, property, shutdown, traffic-prioritize, type, upstream, use-defined-mac.
VIRTUAL INTERFACE: Router(config)# interface wan1:1, Router(config-if-vir)# with sub-commands description, downstream, exit, ip, no, shutdown, upstream.
PPPOE/PPTP: Router(config)# interface wan1_ppp, Router(config-if-ppp)# with sub-commands account, bind, connectivity, description, downstream, exit, local-address, metric, mss, mtu, no, ping-check, remote-address, shutdown, traffic-prioritize, upstream.
CELLULAR, WLAN, VLAN: ...
242. ...dpoint security check as efficient as possible, arrange the endpoint security objects in order, with the one that the most users should match first and the one that the least users should match last.
[no] eps activate: Sets the ZyWALL to check that users' computers meet the Operating System (OS) and security requirements of one of the SSL access policy's selected endpoint security objects before granting access. The no command disables this setting.
eps insert <1..8> eps_profile_name: Inserts the specified endpoint security object at the specified position in the endpoint security objects checking order.
Table 74 SSL VPN Commands (continued)
eps move <1..8> to <1..8>: Moves the first specified endpoint security object to the second specified endpoint security object's position.
[no] eps periodical-check activate: Sets whether to have the ZyWALL repeat the endpoint security check at a regular interval (configured using the next command). The no command disables this setting.
[no] eps periodical-check <1..1440>: Sets the number of minutes at which the ZyWALL repeats the endpoint security check. The no command disables this setting.
[no] network-extension activate: Use this to configure a VPN tunnel between the authenticated users and the internal network. This allows the users to access the...
ip-pool ... add...
243. ...dwidth usage statistics.
8.2.1 Assured Forwarding (AF) PHB for DiffServ
Assured Forwarding (AF) behavior is defined in RFC 2597. The AF behavior group defines four AF classes. Inside each class, packets are given a high, medium or low drop precedence. The drop precedence determines the probability that routers in the network will drop packets when congestion occurs. If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets.
Table 43 Assured Forwarding (AF) Behavior Group
                          CLASS 1    CLASS 2    CLASS 3    CLASS 4
Low Drop Precedence       AF11 (10)  AF21 (18)  AF31 (26)  AF41 (34)
Medium Drop Precedence    AF12 (12)  AF22 (20)  AF32 (28)  AF42 (36)
High Drop Precedence      AF13 (14)  AF23 (22)  AF33 (30)  AF43 (38)
8.2.2 Policy Route Command Example
The following commands create two address objects (TW_SUBNET and GW_1) and insert a policy that routes the packets with the source IP address TW_SUBNET and any destination IP address through the interface ge1 to the next-hop router GW_1. This route uses the IP address of the outgoing interface as the matched packets' source IP address.
TW_SUBNET: 192.168.2.0 255.255.255.0
GW_1: 192.168.2.250
245. ...e master password. Use 4-63 alphanumeric characters, underscores (_), dashes (-) and 3 characters.
  [no] device-ha ap-mode backup sync auto
      Turns on automatic synchronization according to the interval you specify in device-ha ap-mode backup sync interval. The first synchronization begins after the specified interval, not immediately.
  [no] device-ha ap-mode backup sync interval <1..1440>
      When you use automatic synchronization, this sets how often (in minutes) the ZyWALL synchronizes with the master.
  [no] device-ha ap-mode backup sync from master_address port port
      Sets the address of the master ZyWALL with which this backup ZyWALL is to synchronize. master_address: the master ZyWALL's IP address or fully qualified domain name (FQDN). port: the master ZyWALL's FTP port number.

Table 123 device-ha ap-mode Commands (continued)
  device-ha ap-mode backup sync now
      Synchronizes now.
  show device-ha ap-mode interfaces
      Displays the device HA AP mode interface settings and status.
  show device-ha ap-mode status
      Displays the ZyWALL's key device HA settings.
  show device-ha ap-mode master sync
      Displays the master ZyWALL's synchronization settings.
  show device-ha ap-mode backup sync
      Displays the backup ZyWALL's synchroni...
246. ...e CLI. Admin users can configure the ZyWALL in the web configurator or CLI. At the time of writing, there is not much difference between User and Privilege mode for admin users. This is reserved for future use.

1.6 Shortcuts and Help

1.6.1 List of Available Commands
A list of valid commands can be found by typing ? or [TAB] at the command prompt. To view a list of available commands within a command group, enter <command> ? or <command> [TAB].

Figure 9 Help: Available Commands Example 1
  Router> ?
    <cr>
    apply
    atse
    clear
    configure
    ...(snip)...
    shutdown
    telnet
    test
    traceroute
    write
  Router>

Figure 10 Help: Available Command Example 2
  Router> show ?
    <wlan-ap-interface>
    aaa
    access-page
    account
    ad-server
    address-object
    ...(snip)...
    wlan
    workspace
    zone
  Router> show

1.6.2 List of Sub-commands or Required User Input
To view detailed help information for a command, enter <command> <sub command> ?.

Figure 11 Help: Sub-command Information Example
  Router(config)# ip telnet server ?
    <cr>
    port
    rule
  Router(config)# ip telnet server

Figure 12 Help: Required User Input Example
  Router(config)# ip telnet server port ?
    <1..65535>
  Router(config)# ip telnet server port
247. ...e Interface.

1.6.3 Entering Partial Commands
The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the ZyWALL automatically display the full command. For example, if you enter config and press [TAB], the full command configure automatically displays. If you enter a partial command that is not unique and press [TAB], the ZyWALL displays a list of commands that start with the partial command.

Figure 13 Non-Unique Partial Command Example
  Router# c [TAB]
  clear      configure      copy
  Router# co [TAB]
  configure      copy

1.6.4 Entering a ? in a Command
Typing a question mark (?) usually displays help information. However, some commands allow you to input a ?, for example as part of a string. Press [CTRL+V] on your keyboard to enter a ? without the ZyWALL treating it as a help query.

1.6.5 Command History
The ZyWALL keeps a list of commands you have entered for the current CLI session. You can use any command in the history again by pressing the up or down arrow key to scroll through the previously used commands and pressing [ENTER].

1.6.6 Navigation
Press [CTRL+A] to move the cursor to the beginning of the line. Press [CTRL+E] to move the cursor to the end of the line.

1.6.7 Erase Current Command
Press [CTRL+U] to erase whatever you have currently typed at the prompt (before pressing [ENTER]).

1.6.8 The no Commands
When entering the no commands, discr...
249. ...e Tools. Here are maintenance tool commands that you can use in configure mode.

Table 195 Maintenance Tools Commands in Configuration Mode
  show arp-table
      Displays the current Address Resolution Protocol table.
  arp IP mac_address
      Edits or creates an ARP table entry.
  no arp ip
      Removes an ARP table entry.

The following example creates an ARP table entry for IP address 192.168.1.10 and MAC address 01:02:03:04:05:06. Then it shows the ARP table and finally removes the new entry.

  Router# arp 192.168.1.10 01:02:03:04:05:06
  Router# show arp-table
  Address          HWtype  HWaddress          Flags Mask  Iface
  192.168.1.10     ether   01:02:03:04:05:06  CM          ge1
  172.23.19.254    ether   00:04:80:9B:78:00  C           ge2
  Router# no arp 192.168.1.10
  Router# show arp-table
  Address          HWtype  HWaddress          Flags Mask  Iface
  192.168.1.10             (incomplete)                   ge1
  172.23.19.254    ether   00:04:80:9B:78:00  C           ge2

42.0.1.1 Packet Capture Command Example
The following examples show how to configure packet capture settings and perform a packet capture. First you have to check whether a packet capture is running. This example shows that no other packet capture is running. Then you can also check the current packet capture settings.

  Router(config)# show packet-capture status
  capture status: off
  Router(config)# show packet-capture config
  iface: wan1,lan2,wan2
  ip-type: any
  host-ip: any
  host-port: 0
  file-suffix:
  snaplen: 1500
  d...
250. ...e next-hop interface or next-hop trunk command for this route, you can use this command to have the ZyWALL automatically disable this policy route when the next hop's connection is down. The no command disables the setting.
  [no] bandwidth <1..1048576> priority <1..1024> [maximize-bandwidth-usage]
      Sets the maximum bandwidth and priority for the policy. The no command removes bandwidth settings from the rule. You can also turn maximize bandwidth usage on or off.
  [no] deactivate
      Disables the specified policy. The no command enables the specified policy.
  [no] description description
      Sets a descriptive name for the policy. The no command removes the name for the policy.
  [no] destination {address_object|any}
      Sets the destination IP address the matched packets must have. The no command resets the destination IP address to the default (any). any means all IP addresses.

Table 42 Command Summary: Policy Route (continued)
  [no] dscp {any|<0..63>}
      Sets a custom DSCP code point (0~63). This is the DSCP value of incoming packets to which this policy route applies. any means all DSCP values or no DSCP marker.
  [no] dscp class {default|dscp_class}
      Sets a DSCP class. Use default to apply this policy route to incoming packets that are marked with DSCP value 0. Use one of the pre-defined AF classes (including af11, af...
251. ...e such as wan1, wan2, opt, lan1, ext-wlan or dmz.
  virtual interface on top of Ethernet interface: add a colon (:) and the number of the virtual interface. For example, gex:y, x = 1~N, y = 1~4.
  VLAN interface: vlanx, x = 0~4094.
  virtual interface on top of VLAN interface: vlanx:y, x = 0~4094, y = 1~12.
  bridge interface: brx, x = 0~N where N depends on the number of bridge interfaces your ZyWALL model supports.
  virtual interface on top of bridge interface: brx:y, x = the number of the bridge interface, y = 1~4.
  PPPoE/PPTP interface: pppx, x = 0~N where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.

The following table describes the commands available for DNS. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 164 Command Summary: DNS
  [no] ip dns server a-record fqdn w.x.y.z
      Sets an A record that specifies the mapping of a fully qualified domain name (FQDN) to an IP address. The no command deletes an A record.
  ip dns server flush
      Clears the DNS
  [no] ip dns server mx-record domain_name {w.x.y.z|fqdn}
      Sets an MX record that specifies a mail server that is responsible for handling the mail for a particular domain. The no command deletes an MX record.
  ip dns server rule {<1..32>|append|insert <1..32>} access-group {ALL|address_object} zone {ALL|address_object} action {accept|...
252. ...e transfer mode to binary.
  3 Use cd to change to the directory that contains the files you want to download.
  4 Use dir or ls if you need to display a list of the files in the directory.
  5 Use get to download files. For example, get vpn_setup.zysh vpn.zysh transfers the vpn_setup.zysh configuration file on the ZyWALL to your computer and renames it vpn.zysh.

37.6.4 Command Line FTP Configuration File Download Example
The following example gets a configuration file named today.conf from the ZyWALL and saves it on the computer as current.conf.

Figure 30 FTP Configuration File Download Example
  C:\>ftp 192.168.1.1
  Connected to 192.168.1.1.
  220 FTP Server (ZyWALL) [192.168.1.1]
  User (192.168.1.1:(none)): admin
  331 Password required for admin.
  Password:
  230 User admin logged in.
  ftp> bin
  200 Type set to I.
  ftp> cd conf
  250 CWD command successful.
  ftp> get today.conf current.conf
  200 PORT command successful.
  150 Opening BINARY mode data connection for conf/today.conf (20220 bytes).
  226 Transfer complete.
  ftp: 20220 bytes received in 0.03Seconds 652.26Kbytes/sec.

37.7 ZyWALL File Usage at Startup
The ZyWALL uses the following files at system startup.

Figure 31 ZyWALL File Usage at Startup
  1 Boot Module
  2 Recovery Image
  3 Firmware

1 The boot module perform...
253. ...e users. You can purchase and enter a license key to have the ZyWALL use more SSL VPN tunnels.

The content filter allows or blocks access to web sites. Subscribe to category-based content filtering to block access to categories of web sites based on content. Your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block, block and/or log access to web sites based on these categories.

You will get automatic e-mail notification of new signature releases from mySecurityZone after you activate the IDP/AppPatrol service. You can also check for new signatures at http://mysecurity.zyxel.com.

See the respective chapters for more information about these features.

Note: To update the signature file or use a subscription service, you have to register the ZyWALL and activate the corresponding service at myZyXEL.com (through the ZyWALL).

5.2 Registration Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 8 Input Values for General Registration Commands
  user_name
      The user name of your myZyXEL.com account. You may use six to 20 alphanumeric characters and the underscore. Spaces are not allowed.
  password
      The password for the myZyXEL.com account. You may use six to 20...
254. ...e_mail
      Sets the e-mail address for logs or alerts. The no command clears the specified field. e_mail: You can use up to 63 alphanumeric characters, underscores (_), or dashes (-), and you must use the @ character.
  [no] logging mail <1..2> subject subject
      Sets the subject line when the ZyWALL mails to the specified e-mail profile. The no command clears this field. subject: You can use up to 60 alphanumeric characters, underscores (_), dashes (-), or S characters.
  [no] logging mail <1..2> category module_name level {alert|all}
      Specifies what kind of information is logged for the specified category. The no command disables logging for the specified category.
  [no] logging mail <1..2> schedule {full|hourly}
      Sets the e-mail schedule for the specified e-mail profile. The no command clears the schedule field.
  logging mail <1..2> schedule daily hour <0..23> minute <0..59>
      Sets a daily e-mail schedule for the specified e-mail profile.
  logging mail <1..2> schedule weekly day day hour <0..23> minute <0..59>
      Sets a weekly e-mail schedule for the specified e-mail profile. day: sun, mon, tue, wed, thu, fri, sat.

38.1.4.1 E-mail Profile Command Examples
The following commands set up e-mail log 1.

  Router# configure terminal
  Router(config)# logging mail 1 address mail.zyxel.com.tw
  Router(config)# logging mail 1 subject AAA
  Router(confi...
255. ...eauthentication timer on the RADIUS server has priority.
  security mode {none|wep|wpa|wpa-wpa2|wpa2}
      Sets what type of security the wireless interface uses. none: applies no security. wep: WEP security (extremely weak). wpa: WPA security. wpa-wpa2: WPA/WPA2 Enterprise or WPA/WPA2-PSK security. wpa2: WPA2 security (strongest option).
  security wep {64|128} default-key <1..4>
      Sets WEP encryption to use a 64- or 128-bit key and selects the default key.
  security wep mode {open|share}
      Sets the WEP encryption to use open or shared key authentication.
  security wpa {tkip|aes} eap internal profile_name tls-cert certificate_name
      Configures WPA enterprise security using TKIP or AES and an existing AAA authentication method object (profile_name). Sets the certificate the ZyWALL uses to authenticate itself to the wireless clients. The wireless clients must use the TTLS authentication protocol and PAP inside the TTLS secure tunnel.
  security wpa {tkip|aes} eap external
      Configures WPA enterprise security using TKIP or AES and an external server. Use the security external command to specify the server's address.
  security wpa {tkip|aes} psk-key psk_key
      Configures WPA security using TKIP or AES and a Pre-Shared Key (PSK).
  security wpa-wpa2 {tkip|aes} eap internal profile_name tls-cert certificate_name
      This allows users to use either WPA or WPA2 enterprise sec...
257. ...ebug log.
  [no] logging debug suppression interval
      Sets the log consolidation interval for the debug log. The no command sets the interval to ten.
  clear logging debug buffer
      Clears the debug log.

This table lists the commands for the remote syslog server settings.

Table 184 logging Commands: Remote Syslog Server Settings
  show logging status syslog
      Displays the current settings for the remote servers.
  [no] logging syslog <1..4>
      Enables the specified remote server. The no command disables the specified remote server.
  [no] logging syslog <1..4> address {ip|hostname}
      Sets the URL or IP address of the specified remote server. The no command clears this field. hostname: You may use up to 63 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
  [no] logging syslog <1..4> {disable|level normal|level all}
      Specifies what kind of information (if any) is logged for the specified category.
  [no] logging syslog <1..4> facility {local_1|local_2|local_3|local_4|local_5|local_6|local_7}
      Sets the log facility for the specified remote server. The no command sets the facility to local_1.
  [no] logging syslog <1..4> format {cef|vrpt}
      Sets the format of the log information. cef: Common Event Format, syslog-compatible format. vrpt: ZyXEL's Vantage Report syslog-compatible format.
258. ...ec SAs
  [no] crypto ignore-df-bit
      Fragments packets larger than the MTU (Maximum Transmission Unit) that have the "don't fragment" bit in the header turned on. The no command has the ZyWALL drop packets larger than the MTU that have the "don't fragment" bit in the header turned on.
  show crypto map [map_name]
      Shows the specified IPSec SA or all IPSec SAs.
  crypto map dial map_name
      Dials the specified IPSec SA manually. This command does not work for IPSec SAs using manual keys or for IPSec SAs where the remote gateway address is 0.0.0.0.
  [no] crypto map map_name
      Creates the specified IPSec SA if necessary and enters sub-command mode. The no command deletes the specified IPSec SA.
  crypto map rename map_name map_name
      Renames the specified IPSec SA (first map_name) to the specified name (second map_name).
  crypto map map_name {activate|deactivate}
      Activates or deactivates the specified IPSec SA.
  ipsec-isakmp policy_name
      Specifies the IKE SA for this IPSec SA and disables manual key.
  encapsulation {tunnel|transport}
      Sets the encapsulation mode.
  transform-set esp_crypto_algo [esp_crypto_algo [esp_crypto_algo]]
      Sets the active protocol to ESP and sets the encryption and authentication algorithms for each proposal. esp_crypto_algo: esp-3des-md5, esp-3des-sha, esp-aes128-md5, esp-aes128-sha, esp-aes192-md5, esp-aes192-sha, ...
259. ...ecting and displaying content filtering statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 112 Commands for Content Filtering Statistics
  [no] content-filter statistics collect
      Turns the collection of content filtering statistics on or off.
  content-filter statistics flush
      Clears the collected statistics.
  show content-filter statistics summary
      Displays the collected statistics.
  show content-filter statistics collect
      Displays whether the collection of content filtering statistics is turned on or off.
  show content-filter statistics summary
      Displays the current content filtering statistics.

22.9.1 Content Filtering Statistics Example
This example shows how to collect and display content filtering statistics.

  Router(config)# content-filter statistics collect
  Router(config)# show content-filter statistics summary
  total web pages inspected              : 0
  web pages warned by category service   : 0
  web pages blocked by category service  : 0
  web pages blocked by custom service
    restricted web features              : 0
    forbidden web sites                  : 0
    url keywords                         : 0
  web pages blocked without policy       : 0
  web pages passed
    unsafe web pages                     : 0
    other web pages                      : 0

22.10 Content Filtering Commands Example
The following example shows how to limit the web access for a sales group...
260. ...ects

Table 137 address-object Commands: Address Objects
  show address-object [object_name]
      Displays information about the specified address or all the addresses.
  address-object object_name {ip|ip_range|ip_subnet|interface-ip interface|interface-subnet interface|interface-gateway interface}
      Creates the specified address object using the specified parameters. ip_range: <1..255>.<0..255>.<0..255>.<1..255>-<1..255>.<0..255>.<0..255>.<1..255>. ip_subnet: <1..255>.<0..255>.<0..255>.<0..255>/<1..32>. interface: You only need to specify an interface when you create an object based on an interface.
  no address-object object_name
      Deletes the specified address.
  address-object rename object_name object_name
      Renames the specified address (first object_name) to the second object_name.

26.2.1.1 Address Object Command Examples
The following example creates three address objects and then deletes one.

  Router# configure terminal
  Router(config)# address-object A0 192.168.1.1
  Router(config)# address-object A1 192.168.1.1-192.168.1.20
  Router(config)# address-object A2 192.168.1.0/24
  Router(config)# show address-object
  Object name  Type    Address                   Ref
  A0           HOST    192.168.1.1               0
  A1           RANGE   192.168.1.1-192.168.1.20  0
  A2           SUBNET  192.168.1.0/24            0
  Router(config)# no address-object A2
  Rou...
261. ...edia/MP3s, Proxy Avoidance, For Kids, Web Advertisements, Web Hosting, Unrated.

22.6 General Content Filter Commands
The following table lists the commands that you can use for general content filter configuration, such as enabling content filtering, viewing and ordering your list of content filtering policies, creating a denial of access message or specifying a redirect URL, and checking your external web filtering service registration status. Use the configure terminal command to enter the configuration mode to be able to use these commands. See Table 107 on page 202 for details about the values you can input with these commands.

Table 109 content-filter General Commands
  [no] content-filter active
      Turns on content filtering. The no command turns it off.
  [no] content-filter block message message
      Sets the message to display when content filtering blocks access to a web page. The no command clears the setting.
  [no] content-filter block redirect redirect_url
      Sets the URL of the web page to which to send users when their web access is blocked by content filtering. The no command clears the setting.
  [no] content-filter timeout timeout
      Sets how long the ZyWALL is to keep an entry in the content filtering URL before discarding it. The no command clears the setting.
  [no] content-filter default bl...
263. ...efore the specified rule number.
  session-limit move rule_number to rule_number
      Moves a session limit to the number that you specified.
  show session-limit
      Shows the session limit configuration.
  show session-limit begin rule_number end rule_number
      Shows the settings for a range of session limit rules.
  show session-limit rule_number
      Shows the session limit rule's settings.
  show session-limit status
      Shows the general session limit settings.

PART IV: VPN
  IPSec VPN (135)
  SSL VPN (145)
  L2TP VPN (151)

IPSec VPN
This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL.

16.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.

Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.

The following figure...
266. ...ement may denote the metric value or the scientific value. For example, "k" for kilo may denote "1000" or "1024", "M" for mega may denote "1000000" or "1048576", and so on. "e.g." is a shorthand for "for instance" and "i.e." means "that is" or "in other words".

Icons Used in Figures
Figures in this User's Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device.
  ZyWALL
  Computer
  Notebook computer
  Server
  Firewall
  Telephone
  Switch
  Router
268. erfaces. Table 31 WLAN Interface Commands (continued). COMMAND / DESCRIPTION:
[no] security dot1x acct ip port <1..65535>: Sets the IP address and port number of an external accounting server.
[no] security dot1x auth ip port <1..65535>: Sets the IP address and port number of an external authentication (RADIUS) server.
[no] security dot1x activate: Enables IEEE 802.1x accounting and authentication.
[no] security external acct ip port <1..65535>: Sets the IP address and port number of an external accounting server.
[no] security external auth ip port <1..65535>: Sets the IP address and port number of an external authentication (RADIUS) server.
no security {none | wep | wpa | wpa wpa2 | wpa2}: Disables the specified security mode for the wireless interface.
ssid <ssid>: Sets the Service Set IDentity. This identifies the Service Set with which a wireless station is associated. Wireless stations associating to the ZyWALL must have the same SSID. Use up to 32 printable 7-bit ASCII characters as a name for the wireless LAN.
station limit <1..255>: Sets the highest number of wireless clients that are allowed to connect to the wireless interface at the same time.
wep key <1..4> <key>: There are four data encryption keys to secure your data from eavesdropping by unauthorized wireless users. The values for the keys must be set up exactly the same on the acces
269. erfaces in Active-Passive Mode Device HA. You can select which interfaces device HA monitors. If a monitored interface on the ZyWALL loses its connection, device HA has the backup ZyWALL take over. Enable monitoring for the same interfaces on the master and backup ZyWALLs. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master ZyWALL.
Virtual Router and Management IP Addresses. If a backup takes over for the master, it uses the master's IP addresses. These IP addresses are known as the virtual router IP addresses. Each interface can also have a management IP address. You can connect to this IP address to manage the ZyWALL regardless of whether it is the master or the backup.
24.4 Active-Passive Mode Device HA Commands. The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 122 Input Values for device ha Commands. LABEL / DESCRIPTION:
interface_name: The name of the interface. This depends on the ZyWALL model. For the ZyWALL USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. For the ZyWALL USG 100 and 200 models, use a name such as wan1, wan2, opt, lan1, ext wlan or dmz. Besides, in HA AP mode the interface can also be a bridge interface. In HA Legacy mode the interface can also be a VLAN
270. erial number.
Router(config)# show fan speed
FAN1 F00 rpm limit hi 6500 limit lo 1400 max 6650 min 6642 avg 6644
FAN2 F01 rpm limit hi 6500 limit lo 1400 max 6809 min 6783 avg 6795
FAN3 F02 rpm limit hi 6500 limit lo 1400 max 6683 min 6666 avg 6674
FAN4 F03 rpm limit hi 6500 limit lo 1400 max 6633 min 6617 avg 6627
Router(config)# show mac
MAC address: 28:61:32:89:37:61 28:61:32:89:37:67
Router(config)# show mem status
memory usage: 39
Router(config)# show ram size
ram size: 510MB
Router(config)# show serial number
serial number: S060212020460
Here is an example of the command that displays the listening ports:
Router(config)# show socket listen
No  Proto  Local_Address       Foreign_Address  State
1   tcp    0.0.0.0:2601        0.0.0.0:0        LISTEN
2   tcp    0.0.0.0:2602        0.0.0.0:0        LISTEN
3   tcp    127.0.0.1:10443     0.0.0.0:0        LISTEN
4   tcp    0.0.0.0:2604        0.0.0.0:0        LISTEN
5   tcp    0.0.0.0:80          0.0.0.0:0        LISTEN
6   tcp    127.0.0.1:8085      0.0.0.0:0        LISTEN
7   tcp    Ld aryl 59          0.0.0.0:0        LISTEN
8   tcp    152 23423T7 2205 53 0.0.0.0:0        LISTEN
9   tcp    10.0.0.8:53         0.0.0.0:0        LISTEN
10  tcp    172.23.37.240:53    0.0.0.0:0        LISTEN
11  tcp    1792 108 1 1253     0.0.0.0:0        LISTEN
12  tcp    12700031353         0.0.0.0:0        LISTEN
13  tcp    0.0.0.0:21          0.0.0.0:0        LISTEN
14  tcp    0.0.0.0:22          0.0.0.0:0        LISTEN
15  tcp    PAT 020 17953       0 00 0 80        LISTEN
16  tcp    0.0.0.0:443         0.0.0.0:0        LISTEN
17  tcp    12720 0 121723      0.0.0.0:0        LISTEN
272. ervice. show ip ftp server status: Displays FTP settings.
36.7.2 FTP Commands Examples. This command sets a service control rule that allows the computers with IP addresses matching the specified address object to access the specified zone using the FTP service.
Router# configure terminal
Router(config)# ip ftp server rule 4 access group Sales zone WAN action accept
This command displays FTP settings.
Router# configure terminal
Router(config)# show ip ftp server status
active: yes
port: so
certificate: default
TLS: t no
service control:
No  Zone  Address  Action
36.8 SNMP. Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1) and version two (SNMPv2c).
Chapter 36 System Remote Management. 36.8.1 Supported MIBs. The ZyWALL supports MIB II, which is defined in RFC 1213 and RFC 1215. The ZyWALL also supports private MIBs (zywall.mib and zyxel-zywall-ZLD-Common.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the ZyWALL's MIBs from www.zy
273. es Yes Yes No No. Connectivity Check: Yes Yes No Yes Yes Yes No.
Each name consists of 2-4 letters (the interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface. For VLAN interfaces, x is defined by the number you enter in the VLAN name field. For example, Ethernet interface names are wan1, wan2, opt, lan1, ext wlan, dmz; VLAN interfaces are vlan0, vlan1, vlan2, and so on. The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface wan1 are called wan1:1, wan1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon in the web configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface.
Table 13 Cellular and WLAN Interface Characteristics. CHARACTERISTICS | CELLULAR | WLAN:
Name | cellularx | wlan x x
Configurable Zone | Yes | Yes
IP Address Assignment: Static IP address | Yes | Yes
IP Address Assignment: DHCP client | Yes | No
IP Address Assignment: Routing metric | Yes | No
Interface Parameters: Bandwidth restrictions | Yes | Yes
Interface Parameters: Packet size (MTU) | Yes | Yes
Interface Parameters: Data size (MSS) | Yes | Yes
DHCP: DHCP server | No | Yes
DHCP: DHCP relay | No | Yes
Connectivity Check | Yes | No
Each name consists of lette
274. ests whether or not a web site is saved in the external content filter server's database of restricted web pages.
show content filter profile [filtering_profile]: Displays the specified content filtering profile's settings, or the settings of all of them if you don't specify one.
22.8 Content Filter Cache Commands. The following table lists the commands that you can use to view and configure your ZyWALL's URL caching. You can configure how long a categorized web site address remains in the cache, as well as view those web site addresses to which access has been allowed or blocked based on the responses from the external content filtering server. The ZyWALL only queries the external content filtering database for sites not found in the cache.
Chapter 22 Content Filtering. Use the configure terminal command to enter the configuration mode to be able to use these commands. See Table 107 on page 202 for details about the values you can input with these commands.
Table 111 content filter Commands. COMMAND / DESCRIPTION:
[no] content filter timeout <timeout>: Sets how long the ZyWALL is to keep an entry in the content filtering URL cache before discarding it. The no command clears the setting.
show content filter url: Displays the contents of the content filtering URL cache.
22.9 Content Filtering Statistics. The following table describes the commands for coll
275. f a PPP or an Ethernet interface. Use the show interface name command to see the system name of interfaces.
user_defined_name: This name cannot be one of the following: ethernet, ppp, vlan, bridge, virtual, wlan, cellular, aux, tunnel, status, summary, all. This name cannot begin with one of the following either: ge, ppp, vlan, wlan, br, cellular, aux, tunnel.
interface rename <old_user_defined_name> <new_user_defined_name>: Modifies the user-defined name of a PPP or an Ethernet interface.
6.2.1.1 Basic Interface Properties Command Examples. The following commands make Ethernet interface ge1 a DHCP client.
Router# configure terminal
Router(config)# interface ge1
Router(config-if)# ip address dhcp
Router(config-if)# exit
Chapter 6 Interfaces. This example shows how to modify the name of interface ge4 to VIP. First you have to check the interface system name (ge4 in this example) on the ZyWALL. Then change the name and display the result.
Router> show interface name
No  System Name  User Defined Name
1   ge1          ge1
2   ge2          ge2
3   ge3          ge3
4   ge4          ge4
5   ge5          ge5
Router> configure terminal
Router(config)# interface name ge4 VIP
Router(config)# show interface name
No  System Name  User Defined Name
1   ge1          ge1
2   ge2          ge2
3   ge3          ge3
4   ge4          VIP
5   ge5          ge5
Router(config)#
276. figuration. 19.2.6 General Commands for Application Patrol. Note: You must register for the IDP/AppPatrol signature service (at least the trial) before you can use it. See Chapter 5 on page 37. This table lists the general commands for application patrol.
Table 86 app Commands: Pre-Defined Applications. COMMAND / DESCRIPTION:
[no] app activate: Turns on application patrol. The no command turns off application patrol.
[no] app highest sip bandwidth priority: Turns the option to maximize the throughput of SIP traffic on or off.
[no] app <protocol_name> bandwidth graph: Sets the specified protocol to display on the bandwidth statistics graph. The no command has it not display on the bandwidth statistics graph.
Chapter 19 Application Patrol. Table 86 app Commands: Pre-Defined Applications (continued). COMMAND / DESCRIPTION:
[no] app other <protocol_name> bandwidth graph: Sets traffic for unidentified applications to display on the bandwidth statistics graph. The no command has it not display on the bandwidth statistics graph.
[no] bwm activate: Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes or application patrol policies apply bandwidth management. The no command globally disables b
277. file share application for SSL VPN.
entry point: <entry point>
owa: Outlook Web Access, to allow users to access e-mails, contacts and calendars via a Microsoft Outlook-like interface using supported web browsers. The ZyWALL supports one OWA object.
web server: To allow access to the specified web site hosted on the local network.
url: Enter the fully qualified domain name (FQDN) or IP address of the application server. You must enter the "http://" or "https://" prefix. Remote users are restricted to access only files in this directory. For example, if you enter "remote" in this field, remote users can only access files in the remote directory.
entry point: Optional. Specify the name of the directory or file on the local server as the home page or home directory on the user screen.
Chapter 33 SSL Application. Table 156 SSL Application Object Commands. COMMAND / DESCRIPTION:
server type file sharing share path <share path>: Specifies the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access. Enter the path in one of the following formats: \\<IP address>\<share name>, \\<domain name>\<share name>, or \\<computer name>\<share name>. For example, if you enter \\my-server\Tmp, this allows remote users to access all files and/or folders
278. g logging mail 1 authentication username lachang.li password XXXXXX
Router(config)# logging mail 1 send log to lachang.li@zyxel.com.tw
Router(config)# logging mail 1 send alerts to lachang.li@zyxel.com.tw
Router(config)# logging mail 1 from lachang.li@zyxel.com.tw
Router(config)# logging mail 1 schedule weekly day mon hour 3 minute 3
Router(config)# logging mail 1
38.1.5 Console Port Logging Commands. This table lists the commands for the console port settings.
Table 187 logging Commands: Console Port Settings. COMMAND / DESCRIPTION:
show logging status console: Displays the current settings for the console log. This log is not discussed above.
[no] logging console: Enables the console log. The no command disables the console log.
Chapter 38 Logs. Table 187 logging Commands: Console Port Settings (continued). COMMAND / DESCRIPTION:
logging console category <module_name> level {alert | crit | debug | emerg | error | info | notice | warn}: Controls whether or not debugging information for the specified priority is displayed in the console log, if logging for this category is enabled.
[no] logging console category <module_name>: Enables logging for the specified category in the console log. The no command disables logging.
Reports and Reboot. This chapter provides information abo
279. ge message color {color rgb | color name | color number}: Sets the color of the message text on the access page.
[no] access page message text <message>: Sets a note to display below the access page's title. Use up to 64 printable ASCII characters. Spaces are allowed.
access page title <title>: Sets the title for the top of the access page. Use up to 64 printable ASCII characters. Spaces are allowed.
access page window color {color rgb | color name | color number}: Sets the color of the access page's colored background.
login page background color {color rgb | color name | color number}: Sets the color of the login page's background.
[no] login page color background: Sets the login page to use a solid colored background.
[no] login page color window background: Sets the login page's window to use a solid colored background.
login page message color {color rgb | color name | color number}: Sets the color of the message text on the login page.
Chapter 35 System. Table 159 Command Summary: Customization (continued). COMMAND / DESCRIPTION:
[no] login page message text <message>: Sets a note to display at the bottom of the login screen. Use up to 64 printable ASCII characters. Spaces are allowed.
login page title <title>: Sets the title for the top of the login screen. Use up to 64 printable ASCII characters. Spaces are allowed.
login page title color col
282. gnature files from the update server http://myupdate.zywall.zyxel.com. After the trial expires, you need to purchase an iCard for the anti-virus engine you want to use and enter the PIN number (license key) in the Registration > Service screen. You must use the ZyXEL anti-virus iCard for the ZyXEL anti-virus engine and the Kaspersky anti-virus iCard for the Kaspersky anti-virus engine. If you were already using an iCard anti-virus subscription, any remaining time on your earlier subscription is automatically added to the new subscription, even if the earlier iCard anti-virus subscription was for a different anti-virus engine. For example, suppose you purchase a one-year Kaspersky engine anti-virus service subscription and use it for six months. Then you purchase a one-year ZyXEL engine anti-virus service subscription and enter the iCard's PIN number (license key) in the Registration > Service screen. The one-year ZyXEL engine anti-virus service subscription is automatically extended to 18 months.
The IDP and application patrol features use the IDP/AppPatrol signature files on the ZyWALL. IDP detects malicious or suspicious packets and responds immediately. Application patrol conveniently manages the use of various applications on the network. After the service is activated, the ZyWALL can download the up-to-date signature files from the update server http://myupdate.zywall.zyxel.com.
SSL VPN tunnels provide secure network access to remot
283. gnostics (CLI). TYPE / ABILITIES / LOGIN METHOD(S):
Admin (Admin Users): Change ZyWALL configuration (web, CLI); WWW, TELNET, SSH, FTP.
Limited Admin (Admin Users): Look at ZyWALL configuration (web, CLI); WWW, TELNET, SSH.
User (Access Users): Access network services; browse user-mode commands (CLI); WWW, TELNET, SSH.
Guest (Access Users): Access network services; WWW.
Ext-User (Access Users): See Section 25.2 on page 234; WWW.
Note: The default admin account is always authenticated locally, regardless of the authentication method setting. See Chapter 30 on page 259 for more information about authentication methods.
Chapter 25 User/Group. 25.2 User/Group Commands Summary. The following table identifies the values required for many username/groupname commands. Other input values are discussed with the corresponding commands.
Table 129 username/groupname Command Input Values. LABEL / DESCRIPTION:
username: The name of the user account. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
groupname: The name of the user group. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive. It cannot be the same as the user name.
The following sections list the username/groupname commands. 25.2.1 User Commands. The first table li
284. guration file and tries the existing lastgood.conf configuration file. If there isn't a lastgood.conf configuration file, or it also has an error, the ZyWALL applies the system-default.conf configuration file. You can change the way the startup-config.conf file is applied. Include the setenv startup stop on error off command. The ZyWALL then ignores any errors in the startup-config.conf file and applies all of the valid commands. The ZyWALL still generates a log for any errors.
37.3 File Manager Commands Input Values. The following table explains the values you can input with the file manager commands.
Table 178 File Manager Command Input Values. LABEL / DESCRIPTION:
file_name: The name of a file. Use up to 25 characters (including a-zA-Z0-9, & and _).
Chapter 37 File Manager. 37.4 File Manager Commands Summary. The following table lists the commands that you can use for file management.
Table 179 File Manager Commands Summary. COMMAND / DESCRIPTION:
apply /conf/<file_name>.conf [ignore error] [rollback]: Has the ZyWALL use a specific configuration file. You must still use the write command to save your configuration changes to the flash (non-volatile or long-term) memory. Using this command without both ignore error and rollback is not recommended, because it would leave the rest of the configuration blank if the interfaces were n
285. guration file of default settings.
Chapter 37 File Manager. When you change the configuration, the ZyWALL creates a startup-config.conf file of the current configuration. The ZyWALL checks the startup-config.conf file for errors when it restarts. If there is an error in the startup-config.conf file, the ZyWALL copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file. When the ZyWALL reboots, if the startup-config.conf file passes the error check, the ZyWALL keeps a copy of the startup-config.conf file as the lastgood.conf configuration file for you as a back-up file. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.
37.2.4 Configuration File Flow at Restart. If there is not a startup-config.conf when you restart the ZyWALL (whether through a management interface or by physically turning the power off and back on), the ZyWALL uses the system-default.conf configuration file with the ZyWALL's default settings. If there is a startup-config.conf, the ZyWALL checks it for errors and applies it. If there are no errors, the ZyWALL uses it and copies it to the lastgood.conf configuration file. If there is an error, the ZyWALL generates a log and copies the startup-config.conf configuration file to the startup-config-bad.conf confi
287. hanges from one anti-virus engine to the other.
show device register status: Displays whether the device is registered and account information.
show service register status {all | content filter | idp | sslvpn | av}: Displays service license information.
5.2.1 Command Examples. The following commands allow you to register your device with an existing account (or create a new account and register the device at one time) and activate a trial service subscription.
Router# configure terminal
Router(config)# device register username alexctsui password 123456
Router(config)# service register service type trial service content filter
Chapter 5 Registration. The following command displays the account information and whether the device is registered.
Router# configure terminal
Router(config)# show device register status
username: alexctsui
password: 123456
device register status: yes
expiration self check: no
The following command displays the service registration status and type, and how many days remain before the service expires.
Router# configure terminal
Router(config)# show service register status all
Service         Status        Type      Count  Expiration
IDP Signature   Licensed      Standard  N/A    176
Anti-Virus      Not Licensed  None      N/A    0
SSLVPN          Not Licensed  None      5      N/A
Content Filter  Not Licensed  None      N/A    0
5.3 Cou
288. he LAN_IDP profile containing the text "worm" within the signature name.
Chapter 21 IDP Commands. Table 101 Signature Search Command. COMMAND / DESCRIPTION:
show idp search signature <my_profile> name <quoted_string> sid <SID> severity <severity_mask> platform <platform_mask> policytype <policytype_mask> service <service_mask> activate {any | yes | no} log {any | no | log | log alert} action <action_mask>: Searches for signature(s) in a profile by the parameters specified. The quoted string is any text within the signature name, in quotes. For example, idp search LAN_IDP name "WORM" sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text "worm" within the signature name.
show idp search system protect <my_profile> name <quoted_string> sid <SID> severity <severity_mask> platform <platform_mask> policytype <policytype_mask> service <service_mask> activate {any | yes | no} log {any | no | log | log alert} action <action_mask>: Searches for signature(s) in a system protect profile by the parameters specified. The quoted string is any text within the signature name, in quotes. For example, idp search LAN_IDP name "WORM" sid 0 severity 0 platform 0 policytype 0 service 0 activate any log any action searches for all signatures in the LAN_IDP profile containing the text "worm" within the signature
289. he Hardware Clock as reference
System Clock set. Local time: Wed May 9 03:26:53 UTC 200
Cleaning /tmp /var/lock /var/run
Initializing random number generator: done
Initializing Debug Account Authentication Seed (DAAS): done
Lionic device init successfully
cavium nitrox device CN505 init complete
INIT: Entering runlevel 3
Starting zylog daemon: zylogd zylog starts
Starting syslog-ng
Starting uan daemon
Starting app patrol daemon
Starting periodic command scheduler: cron
Start ZyWALL system daemon
Got LINK_CHANGE
Port 1 is up > Group 1 is up
Port 0 is up > Group 0 is up
Applying system configuration file, please wait
ZyWALL system is configured successfully with startup-config.conf
Welcome to ZyWALL 1050
Username:
Logs. This chapter provides information about the ZyWALL's logs. Note: When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first. See the User's Guide for the maximum number of system log messages in the ZyWALL.
38.1 Log Commands Summary. The following table describes the values required for many log commands. Other values are discussed with the corresponding commands.
Table 180 Input Values for Log Commands. LABEL / DESCRIPTION:
module_name: The name of the category: kernel
290. he USB ports and the names of any connected devices.
show fan speed: Displays the current fan speed.
show led status: Displays the status of each LED on the ZyWALL.
show mac: Displays the ZyWALL's MAC address.
show mem status: Displays what percentage of the ZyWALL's memory is currently being used.
show ram size: Displays the size of the ZyWALL's on-board RAM.
show redundant: Displays the status of the ZyWALL's power modules. The ZyWALL has two power modules; it can continue operating on a single power module if one fails.
show serial number: Displays the serial number of this ZyWALL.
show socket listen: Displays the ZyWALL's listening ports.
show socket open: Displays the ports that are open on the ZyWALL.
show system uptime: Displays how long the ZyWALL has been running since it last restarted or was turned on.
show version: Displays the ZyWALL's model, firmware and build information.
Here are examples of the commands that display the CPU and disk utilization.
Router(config)# show cpu status
CPU utilization: 0
CPU utilization for 1 min: 0
CPU utilization for 5 min: 0
Router(config)# show disk ?
<cr>
Router(config)# show disk
No  Disk           Size(MB)  Usage
1   image          67        83
2   onboard flash  163       15
Chapter 4 Status. Here are examples of the commands that display the fan speed, MAC address, memory usage, RAM size and s
291. he host command. You can still set them, however.
[no] network <IP/1..32> | network <ip> <mask>: Specifies the IP address and subnet mask of the specified DHCP pool. The subnet mask can be written in w.x.y.z format or in /1..32 format. Note: The DHCP pool must have the same subnet as the interface to which you plan to bind it. The no command clears these fields.
[no] default router <ip>: Specifies the default gateway DHCP clients should use. The no command clears this field.
[no] description <description>: Specifies a description for the DHCP pool, for identification. The no command removes the description.
[no] domain name <domain_name>: Specifies the domain name assigned to DHCP clients. The no command clears this field.
Chapter 6 Interfaces. Table 17 interface Commands: DHCP Settings (continued). COMMAND / DESCRIPTION:
[no] starting address <ip> pool size <1..65535>: Sets the IP start address and maximum pool size of the specified DHCP pool. The final pool size is limited by the subnet mask. Note: You must specify the network number first, and the start address must be in the same subnet. The no command clears the IP start address and maximum pool size.
[no] first dns server {<ip> | <interface_name> {1st dns | 2nd dns | 3rd dns} | ZyWALL}: Sets the first DNS server to the specified IP address, the specified interface's first, second o
292. ...the search timeout period in seconds. Enter a number between 1 and 300. The no command clears this setting and sets it to the default of 5 seconds.
[no] server ssl - Enables the ZyWALL to establish a secure connection to the LDAP server. The no command disables this feature.
29.2.7 aaa group server radius Commands
The following table lists the aaa group server radius commands you use to configure a group of RADIUS servers.
Table 149 aaa group server radius Commands
clear aaa group server radius [group-name] - Deletes all RADIUS server groups or the specified RADIUS server group. Note: You can NOT delete a server group that is currently in use.
show aaa group server radius [group-name] - Displays the specified RADIUS server group settings.
[no] aaa group server radius group-name - Sets a descriptive name for the RADIUS server group. The no command deletes the specified server group.
aaa group server radius rename group-name-old group-name-new - Sets the server group name.
aaa group server radius group-name - Enters the sub-command mode.
[no] server description description - Sets the descriptive information for the RADIUS server group. You can use up to 60 printable ASCII characters. The no command clears the setting.
(Chapter 29 AAA Server) Table 149 aaa group server radius Commands (continued)
293. ...the web site was made in the past, a record of that web site's category will be in the ZyWALL's cache. The ZyWALL blocks, blocks and logs, or just logs the request based on your configuration. Use the Anti-X > Content Filter screen to configure how long a web site address remains in the cache, as well as to view those web site addresses. All of the web site address records are also cleared from the local cache when the ZyWALL restarts.
If the ZyWALL has no record of the web site, it queries the external content filtering database and simultaneously sends the request to the web server. The external content filtering server sends the category information back to the ZyWALL, which then blocks and/or logs access to the web site based on the settings in the content filtering profile. The web site's address and category are then stored in the ZyWALL's content filtering cache.
22.4 Content Filtering Reports
See the web configurator User's Guide to see how to view content filtering reports after you have activated the category-based content filtering subscription service.
22.5 Content Filter Command Input Values
The following table explains the values you can input with the content filter commands.
Table 107 Content Filter Command Input Values
policy number - The number of the policy, <0..X>, where X depends on the number of content filtering policies the ZyWALL model supports. See the CLI help for details.
address - The name (up to...
294. ...they are created. For example, virtual interfaces created on Ethernet interface ge1 are called ge1:1, ge1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon in the web configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface.
Interface Parameters
Table 12 Ethernet, VLAN, Bridge, PPP and Virtual Interface Characteristics (ZyWALL USG 100 and 200 Models)
Columns, in order: ETHERNET (opt) / ETHERNET (wan1, wan2) / ETHERNET (lan1, ext, wlan, dmz) / VLAN (vlanx) / BRIDGE (brx) / PPP (pppx) / VIRTUAL
Configurable Zone: Yes / No / No / Yes / Yes / No / No
IP Address Assignment, Static IP address: Yes / Yes / Yes / Yes / Yes / Yes / Yes
(Chapter 6 Interfaces) Table 12 (continued)
DHCP client: Yes / Yes / No / Yes / Yes / Yes / No
Routing metric: Yes / Yes / Yes / Yes / Yes / Yes / Yes
Interface Parameters, Bandwidth restrictions: Yes / Yes / Yes / Yes / Yes / Yes / Yes
Packet size (MTU): Yes / Yes / Yes / Yes / Yes / Yes / No
Data size (MSS): Yes / Yes / Yes / Yes / Yes / Yes / No
DHCP, DHCP server: Yes / No / Yes / Yes / Yes / No / No
DHCP relay: Yes / No / Y...
295. ...though you could substitute a question mark (?). See Section 23.2.3.2 on page 215 for more details.
Use the white list to identify legitimate e-mail and the black list to identify spam e-mail. The following table describes the commands for configuring the white list and black list. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 117 Commands for Anti-spam White and Black Lists
[no] anti-spam white-list activate - Turns the white list checking on or off. Turn on the white list to forward e-mail that matches an active white list entry without doing any more anti-spam checking on that individual e-mail.
[no] anti-spam white-list [rule_number] ip-address ip subnet_mask {activate | deactivate} - Adds, edits or removes a white list entry to check e-mail for a specific source or relay IP address. Also turns the entry on or off.
[no] anti-spam white-list [rule_number] e-mail email {activate | deactivate} - Adds, edits or removes a white list entry to check e-mail for a specific source e-mail address or domain name. Also turns the entry on or off.
[no] anti-spam white-list [rule_number] mail-header mail-header mail-header-value {activate | deactivate} - Adds, edits or removes a white list entry to check e-mail for specific header fields and values. Also turns the entry on or off.
[no] anti-spam white-list rule...
296. ...show app-watch-dog config
Application Watch Dog Setting
activate: yes
alert: yes
console print:
retry count: 3
interval: 60
mem threshold / disk threshold: 80 90 80 90
Router(config)# show app-watch-dog monitor-list
Columns: app_name, min process count, max process count (a negative integer means unlimited). Monitored processes listed: uamd, firewalld, policyd, contfltd, appd, classify, ospfd, ripd, resd, zyshd, wd, sshipsecpm, zylogd, syslog-ng, zylogger, ddns_had (1 1), tpd (1 1), wdtd, zebra, link-updown, aux-config, fauthd, decomp-server (1), lavd (1), sslvpn (1 1), wan (1 1), sslvpnpptp (1 1), dnsrd (1 1), signal-wrapper (1).
(Chapter 43 Watchdog Timer)
PART XI Command List
List of Commands (Alphabetical), page 357
This section lists the commands and sub-commands in alphabetical order. Commands and sub-commands appear at the same level.
aaa authentication default member1 member2 member3 member4 ... 260
297. ...show interface summary all - Displays basic information about the interfaces.
show interface summary all status - Displays the connection status of the interfaces.
[no] interface interface_name - Creates the specified interface if necessary and enters sub-command mode. The no command deletes the specified interface.
(Chapter 6 Interfaces) Table 16 interface General Commands: Basic Properties and IP Address Assignment (continued)
[no] description description - Specifies the description for the specified interface. The no command clears the description. description: You can use alphanumeric and $_ characters, and it can be up to 60 characters long.
[no] downstream <0..1048576> - This is reserved for future use. Specifies the downstream bandwidth for the specified interface. The no command sets the downstream bandwidth to 1048576.
exit - Leaves the sub-command mode.
[no] ip address dhcp - Makes the specified interface a DHCP client; the DHCP server gives the specified interface its IP address, subnet mask and gateway. The no command makes the IP address static for the specified interface. See the next command to set this IP address.
[no] ip address ip subnet_mask - Assigns the specified IP address and subnet mask to the specified interface. The no command clears the IP address an...
298. ...shows you how to display all details of a custom signature.
Router(config)# show idp signatures custom-signature all details
sid: 9000000
message: test
policy type:
severity:
platform: all no, Win95/98, WinNT no, WinXP/2000, Linux no, FreeBSD, Solaris/SGI no, other Unix no, network device
(remaining flags: no no no no no)
service:
outbreak: no
This example shows you how to display the number of custom signatures on the ZyWALL.
Router(config)# show idp signatures custom-signature number
signatures: 1
21.5 Update IDP Signatures
Use these commands to update new signatures. You register for IDP service before you can update IDP signatures, although you do not have to register in order to update system-protect signatures.
Note: You must use the web configurator to import a custom signature file.
Table 105 Update Signatures
idp {signature | system-protect} update signatures - Immediately downloads IDP or system-protect signatures from an update server.
[no] idp {signature | system-protect} update auto - Enables/disables automatic signature downloads at regular times and days.
idp {signature | system-protect} update hourly - Enables automatic signature download every hour.
idp {signature | system-protect} update daily <0..23> - Enables automatic signature download every day at the time specified.
idp signature system...
299. ...ibed in this document, you may not need to type the whole command. For example, with the [no] mss <536..1452> command, you use mss 536 to specify the MSS value. But to disable the MSS setting, you only need to type no mss instead of no mss 536.
(Chapter 1 Command Line Interface)
1.7 Input Values
You can use the ? or TAB key to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed on the screen. For example, in the following example the next input value is a string called <description>:
Router# configure terminal
Router(config)# interface ge1
Router(config-if-ge)# description ?
<description>
When you use the example above, note that ZyWALL USG 100 and 200 models use a name such as wan1, wan2, opt, lan1, ext, wlan or dmz.
The following table provides more information about input values like description.
Table 3 Input Value Formats for Strings in CLI Commands (TAG / VALUES / LEGAL VALUES)
'all' / - / ALL
authentication key, used in IPSec SA / 32-40 (with a 0x or 0X prefix) / 32-40 hexadecimal values; 16-20 / alphanumeric or symbol characters (such as &)
authentication key, used in MD5 authentication keys for RIP/OSPF and text authentication key for RIP / 0-16 a...
300. ...ica; 061 Dominican Republic; 062 East Timor; 063 Ecuador; 064 Egypt; 065 El Salvador; 066 Equatorial Guinea; 067 Eritrea; 068 Estonia; 069 Ethiopia; 070 Falkland Islands (Malvinas); 071 Faroe Islands; 072 Fiji; 073 Finland; 074 France; 075 France, Metropolitan; 076 French Guiana; 077 French Polynesia; 078 French Southern Territories; 079 Gabon; 080 Gambia; 081 Georgia; 082 Germany; 083 Ghana; 084 Gibraltar; 085 Great Britain; 086 Greece; 087 Greenland; 088 Grenada; 089 Guadeloupe; 090 Guam; 091 Guatemala; 092 Guernsey; 093 Guinea; 094 Guinea-Bissau; 095 Guyana; 096 Haiti; 097 Heard and McDonald Islands; 098 Holy See (Vatican City State); 099 Honduras; 100 Hong Kong; 101 Hungary; 102 Iceland; 103 India; 104 Indonesia; 105 Ireland; 106 Isle of Man; 107 Italy; 108 Jamaica
(Chapter 5 Registration) Table 10 Country Codes (continued): COUNTRY CODE, COUNTRY NAME
109 Japan; 110 Jersey; 111 Jordan; 112 Kazakhstan; 113 Kenya; 114 Kiribati; 115 Korea, Republic of; 116 Kuwait; 117 Kyrgyzstan; 118 Lao People's Democratic Republic; 119 Latvia; 120 Lebanon; 121 Lesotho; 122 Liberia; 123 Liechtenstein; 124 Lithuania; 125 Luxembourg; 126 Macau; 127 Macedonia (Former Yugoslav Republic); 128 Madagascar; 129 Malawi; 130 Malaysia; 131 Maldives; 132 Mali; 133 Malta; 134 Marshall Isl...
301. ...icate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
country - Identify the nation where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
key_length - Type a number to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space.
password - When you have the ZyWALL enroll for a certificate immediately online, the certification authority may want you to include a key (password) to identify your certification request. Use up to 31 of the following characters: a-zA-Z0-9 & _ < >
ca_name - When you have the ZyWALL enroll for a certificate immediately online, you must have the certification authority's certificate already imported as a trusted certificate. Specify the name of the certification authority's certificate. It can be up to 31 alphanumeric and & _ characters.
url - When you have the ZyWALL enroll for a certificate immediately online, enter the IP address (or URL) of the certification authority server. You can use up to 511 of the following characters: a-zA-Z0-9 _
31.4 Certificates Commands Summary
The following table lists the commands that you can use to display and manage the ZyWALL's summary...
302. ...if a master ZyWALL (A) fails.
Figure 25 Device HA: Backup Taking Over for the Master (diagram: ZyWALLs A and B connected to the Internet)
24.1 Device HA Overview
Active-Passive Mode and Legacy Mode
Active-passive mode lets a backup ZyWALL take over if the master ZyWALL fails. Legacy mode uses VRRP (Virtual Router Redundancy Protocol) groups and allows for more complex relationships between the master and backup ZyWALLs, such as active-active or using different ZyWALLs as the master ZyWALL for individual interfaces. Legacy mode configuration involves a greater degree of complexity. Active-passive mode is recommended for general failover deployments. The ZyWALLs must all support and be set to use the same device HA mode, either active-passive or legacy.
Management Access
You can configure a separate management IP address for each interface. You can use it to access the ZyWALL for management whether the ZyWALL is the master or a backup. The management IP address should be in the same subnet as the interface IP address.
Synchronization
Use synchronization to have a backup ZyWALL copy the master ZyWALL's configuration, signatures (anti-virus, IDP, application patrol and system protect) and certificates.
(Chapter 24 Device HA, page 223)
Note: Only ZyWALLs of the same model and firmware version can synchronize. Otherwise you must manually configure the master ZyWALL's settings on the back...
303. ...ignature {anti-virus | personal-firewall} - Displays Anti-Virus or personal firewall signatures that have been added to the specified endpoint security object.
(Chapter 34 Endpoint Security) Table 158 Endpoint Security Object Commands
show eps signature {anti-virus | personal-firewall | status} - Displays all the anti-virus software packages, personal firewall software packages or EPS signature information, respectively. The status command displays the EPS signature version, release date and the total number of software packages for which the ZyWALL's endpoint security can check.
eps rename profile_name new_profile_name - Changes an endpoint security object name.
34.1.3 Endpoint Security Object Command Example
Peter wants to create and display an endpoint security object named EPS-Example. Only the computers that match the following criteria can access the company's SSL VPN:
Operating system: Windows XP, Windows auto update enabled, Windows service pack 2 or above
Personal firewall: Windows firewall installed and enabled
Anti-Virus: Kaspersky Anti-Virus v2010 installed and enabled
However, he needs to check the Anti-Virus software name defined on the ZyWALL. The following example shows how to check all available Anti-Virus software packages for which the ZyWALL's endpoint security can check. Copy and paste the name of the output item 20...
304. ...ill initiate sessions to the outside clients and a range of public IP addresses, use many 1:1 NAT to have the ZyWALL translate the source IP address of each server's outgoing traffic to the same one of the public IP addresses that the outside clients use to access the server. The private and public ranges must have the same number of IP addresses. One many 1:1 NAT rule works like multiple 1:1 NAT rules, but it eases the configuration effort since you only create one rule.
12.2 Virtual Server Commands Summary
The following table describes the values required for many virtual server commands. Other values are discussed with the corresponding commands.
Table 57 Input Values for Virtual Server Commands
service_object - The name of a service. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
profile_name - The name of the virtual server. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
(Chapter 12 Virtual Servers)
The following table lists the virtual server commands.
Table 58 ip virtual-server Commands
show ip virtual-server [profile_name] - Displays information about the specified virtual server or about all the virtual servers.
no...
305. ...in the Tmp share on the my-server computer.
server-type rdp server-address server_address starting-port <1..65535> ending-port <1..65535> [program-path program_path] - Creates an SSL application object to allow users to manage LAN computers that have Remote Desktop Protocol remote desktop server software installed. Specify the listening ports of the LAN computer(s) running remote desktop server software. The ZyWALL uses a port number from this range to send traffic to the LAN computer that is being remotely managed. program-path: specify an application to open when a remote user logs into the remote desktop application.
server-type vnc server-address server_address starting-port <1..65535> ending-port <1..65535> - Creates an SSL application object to allow users to manage LAN computers that have Virtual Network Computing remote desktop server software installed. Specify the listening ports of the LAN computer(s) running remote desktop server software. The ZyWALL uses a port number from this range to send traffic to the LAN computer that is being remotely managed.
server-type weblink url url - Sets this to create a link to a web site you specified that you expect the SSL VPN users to commonly use. url: Enter the fully qualified domain name (FQDN) or IP address of the application server. You must enter the http:// or https:// prefix. For example, https://1.2.3.4. SSL...
306. ...in this User's Guide:
A command or keyword in courier new must be entered literally as shown. Do not abbreviate.
Values that you need to provide are in italics.
Required fields that have multiple choices are enclosed in curly brackets {}.
A range of numbers is enclosed in angle brackets <>.
Optional fields are enclosed in square brackets [].
The | symbol means OR.
For example, look at the following command to create a TCP/UDP service object:
service-object object_name {tcp | udp} {eq <1..65535> | range <1..65535> <1..65535>}
Enter service-object exactly as it appears. Enter the name of the object where you see object_name. Enter tcp or udp, depending on the service object you want to create. Finally, do one of the following:
Enter eq exactly as it appears, followed by a number between 1 and 65535.
Enter range exactly as it appears, followed by two numbers between 1 and 65535.
1.4.6 Changing the Password
It is highly recommended that you change the password for accessing the ZyWALL. See Section 25.2 on page 234 for the appropriate commands.
1.5 CLI Modes
You run CLI commands in one of several modes.
Table 2 CLI Modes (columns: USER / PRIVILEGE / CONFIGURATION / SUB-COMMAND)
What Guest users can do: Unable to access / Unable to access / Unable to access / Unable to access
What User users can do: Look at (but not run) available... / Unable to access / Unable to access / Unable to access
307. ...ination IP addresses for detected intrusion attempts.
21.6.1 IDP Statistics Example
This example shows how to collect and display IDP statistics. It also shows how to sort the display by the most common signature name, source IP address or destination IP address.
Router# configure terminal
Router(config)# idp statistics collect
Router(config)# no idp statistics activate
Router(config)# idp statistics flush
Router(config)# show idp statistics collect status
IDP collect statistics status: yes
Router(config)# show idp statistics summary
Scanned session: 268
packet dropped: 0
packet reset: 0
Router(config)# show idp statistics ranking signature-name
ranking: 1
signature id: 8003796
signature name: ICMP L3retriever Ping
type: Scan
severity: verylow
occurence: 22
ranking: 2
signature id: 8003992
signature name: ICMP Large ICMP Packet
type: DDOS
severity: verylow
occurence: 4
Router(config)# show idp statistics ranking destination
ranking: 1  destination ip: 172.23.5.19  occurence: 22
ranking: 2  destination ip: 172.23.5.1  occurence: 4
Router(config)# show idp statistics ranking source
ranking: 1  source ip: 192.168.1.34  occurence: 26
(Chapter 21 IDP Commands)
22 Content Filtering
This chapter covers how to use the content filtering feature to control web access.
22.1 Content Filtering Overview
Conte...
308. ...ing after you have obtained the recovery image file. You only need to use this section if you need to restore the recovery image.
1 Restart the ZyWALL.
2 When "Press any key to enter debug mode within 3 seconds" displays, press a key to enter debug mode.
Figure 35 Enter Debug Mode
BootModule Version: U1.011 | 2007/03/30 12:22:57
DRAM Size: 510 Mbytes
DRAM POST: Testing: 522240K OK
DRAM Test SUCCESS
Kernel Version: V2.4.2 kernel 2006-08-21 | 2006/08/21 19:54:00
ZLD Version: U1.01(XL.0) | 2006/09/11 17:41:56
Press any key to enter debug mode within 3 seconds.
Enter Debug Mode
3 Enter atuk to initialize the recovery process. If the screen displays ERROR, enter atur to initialize the recovery process. You only need to use the atuk or atur command if the recovery image is damaged.
(Chapter 37 File Manager)
Figure 36 atuk Command for Restoring the Recovery Image
> atuk
This command is for restoring the "recovery image" (xxx.ri).
Use this command only when
1) the console displays "Invalid Recovery Image", or
2) the console freezes at "Press any key to enter debug mode within 3 seconds" for more than one minute.
Note: Please exit this command immediately if you do not need to restore the "recovery image".
Do you want to start the recovery process? [Y/N] (default ...)
4 Enter Y and wait for the "Starting XMODEM upload" message bef...
309. ...ion mode before you can use these commands.
Table 173 Command Summary: Dial-in Management
dial-in - Enters sub-command mode.
[no] activate - Turns dial-in management on. The no command turns it off.
[no] answer-rings - Sets how many times the ZyWALL lets the incoming dial-in management session ring before processing it. The no command sets it to one.
[no] description description - Specifies the description for the dial-in management connection. The no command clears the description. description: You can use alphanumeric and $_ characters, and it can be up to 60 characters long.
[no] initial-string initial_string - Specifies the initial string of the auxiliary interface. The no command removes the initial string. initial_string: You can use up to 64 characters. Semicolons and backslashes are not allowed.
[no] mute - Stops the external serial modem from making audible sounds during a dial-in management session. The no command turns the sounds back on.
[no] port-speed {9600 | 19200 | 38400 | 57600 | 115200} - Specifies the baud rate of the auxiliary interface. The no command sets the baud rate to 115200.
show dial-in - Displays dial-in management settings.
36.10.4.1 Dial-in Management Command Examples
The following commands show you how to set up dial-in management with the following parameters: active, port speed 57600, initial string ATDT, and description "I am...
310. ...ions apply in content filtering. Please see the respective sections for more information about how address objects and address groups are used in each one.
Address groups are composed of address objects and address groups. The sequence of members in the address group is not important.
26.2 Address Commands Summary
The following table describes the values required for many address object and address group commands. Other values are discussed with the corresponding commands.
Table 136 Input Values for Address Commands
object_name - The name of the address. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
group_name - The name of the address group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
interface_name - The name of the interface. This depends on the ZyWALL model. For the USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. For the ZyWALL USG 100 and 200 models, use a name such as wan1, wan2, opt, lan1, ext, wlan or dmz.
(Chapter 26 Addresses)
The following sections list the address object and address group commands.
26.2.1 Address Object Commands
This table lists the commands for address obj...
311. ...ip virtual-server profile_name - Deletes the specified virtual server.
ip virtual-server profile_name interface interface_name original-ip {any | ip | address_object} map-to {address_object | ip} map-type any [nat-loopback [nat-1-1-map] [deactivate] | nat-1-1-map [deactivate] | deactivate] - Creates or modifies the specified virtual server and maps the specified destination IP address (for all destination ports) to the specified destination address object or IP address. The original destination IP is defined by the specified interface (any), the specified IP address (ip) or the specified address object (address_object). NAT loopback allows local users to use a domain name to access this virtual server. Select what kind of NAT this rule is to perform: nat-1-1-map means the NAT type is either 1:1 NAT or many 1:1 NAT. See Section 12.1.1 on page 109 for more information. Using this command without nat-1-1-map means the NAT type is Virtual Server. This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet). The deactivate command disables the virtual server rule.
ip virtual-server profile_name interface interface_name original-ip {any | ip | address_object} map-to {address_object | ip} map-type port protocol {any | tcp | udp} original-port <1..65535> mapped-port <1..65535> [nat-loopback [nat-1-1-map] [deactivate] | nat-1-1-map [deactivate] | deac...
313. ...irtual-link.
[no] area IP virtual-link IP authentication - Enables text authentication in the specified virtual link. The no command disables authentication in the specified virtual link.
(Chapter 9 Routing Protocol) Table 50 router Commands: Virtual Links in OSPF Areas (continued)
[no] area IP virtual-link IP authentication message-digest - Enables MD5 authentication in the specified virtual link. The no command disables authentication in the specified virtual link.
[no] area IP virtual-link IP authentication authentication-key authkey - Sets the password for text authentication in the specified virtual link. The no command clears the password in the specified virtual link.
[no] area IP virtual-link IP authentication message-digest-key <1..255> md5 authkey - Sets the MD5 ID and password for MD5 authentication in the specified virtual link. The no command clears the MD5 ID and password in the specified virtual link.
[no] area IP virtual-link IP authentication same-as-area - Sets the virtual link's authentication method to the area's default authentication.
[no] area IP virtual-link IP authentication-key authkey - Sets the password for text authentication in the specified virtual link. The no command clears the password.
area IP virtual-link IP message-digest-key <1..255> md5 authkey - Sets the MD...
314. ...ith a zone yet.
show zone system-default - Displays the pre-configured default zones that you cannot delete from the ZyWALL.
show zone user-define - Displays all customized zones.
[no] zone profile_name - Creates the zone if necessary and enters sub-command mode. The no command deletes the zone.
zone profile_name - Enters the sub-command mode.
[no] block - Blocks intra-zone traffic. The no command allows intra-zone traffic.
[no] interface interface_name - Adds the specified interface to the specified zone. The no command removes the specified interface from the specified zone. See Section 6.2 on page 51 for information about interface names.
[no] crypto profile_name - Adds the specified IPSec VPN tunnel to the specified zone. The no command removes the specified IPSec VPN tunnel from the specified zone.
[no] sslvpn profile_name - Adds the specified SSL VPN tunnel to the specified zone. The no command removes the specified SSL VPN tunnel from the specified zone.
(Chapter 10 Zones)
10.2.1 Zone Command Examples
The following commands add Ethernet interfaces ge1 and ge2 to zone A and block intra-zone traffic.
Router# configure terminal
Router(config)# zone A
Router(zone)# interface ge1
Router(zone)# interface ge2
Router(zone)# block
Router(zone)# exit
Router(config)# show zone
No.  Name  Block  Member
1    A     ye...
315. ...ject.
show reference object group aaa ad [group_name] - Displays which configuration settings reference the specified AAA AD group object.
show reference object group aaa ldap [group_name] - Displays which configuration settings reference the specified AAA LDAP group object.
show reference object group aaa radius [group_name] - Displays which configuration settings reference the specified AAA RADIUS group object.
3.1.1 Object Reference Command Example
This example shows how to check which configuration is using an address object named LAN1_SUBNET. For the command output, firewall rule 3, named LAN1 to USG 2000, is using the address object.
Router(config)# show reference object address LAN1_SUBNET
LAN1_SUBNET References:
Category  Rule Priority  Rule Name  Description
Firewall  3              N/A        LAN1 to USG 2000
Router(config)#
4 Status
This chapter explains some commands you can use to display information about the ZyWALL's current operational state.
Table 7 Status Show Commands
show boot status - Displays details about the ZyWALL's startup state.
show comport status - Displays whether the console and auxiliary ports are on or off.
show cpu status - Displays the CPU utilization.
show disk - Displays the disk utilization.
show extension-slot - Displays the status of the extension card slot and t...
316. kistan; 206 Tanzania; 207 Thailand; 208 Togo; 209 Tokelau; 210 Tonga; 211 Trinidad and Tobago; 212 Tunisia; 213 Turkey; 214 Turkmenistan; 215 Turks and Caicos Islands; 216 Tuvalu; 217 US Minor Outlying Islands; 218 Uganda; 219 Ukraine; 220 United Arab Emirates; 221 United Kingdom; 222 United States; 223 Uruguay; 224 Uzbekistan; 225 Vanuatu; 226 Venezuela; 227 Vietnam; 228 Virgin Islands (British); 229 Virgin Islands (USA); 230 Wallis and Futuna Islands; 231 Western Sahara; 232 Western Samoa; 233 Yemen; 234 Yugoslavia; 235 Zambia; 236 Zimbabwe.
     Chapter 5 Registration.
     Part contents: Interfaces 47; Trunks 83; Route 89; Routing Protocol 97; Zones 101; DDNS 105; Virtual Servers 109; HTTP Redirect 115; ALG 119.
     Interfaces. This chapter shows you how to use interface-related commands.
     6.1 Interface Overview. In general, an interface has the following characteristics: an interface is a logical entity through which layer 3 packets pass; an interface is bound to a physical port or another interface; many interfaces can share the same physical port; an interface is bound to at most one zone; many interfaces can belong to the same zone; layer 3 virtualization (IP alias, for example) is a kind of interface. Some characteristics do not apply to some types of interfaces.
     6.1.1 Types of Interfaces. You can create several types of interfaces in the ZyWALL
317. know a command listed here well before you use it. Otherwise it may cause undesired results.
     Table 5 Debug Commands (command syntax: description; Linux command equivalent where given)
     debug alg: FTP/SIP ALG debug commands.
     debug anti spam: Anti-Spam debug commands.
     debug app: Application patrol debug commands.
     debug app show l7protocol: Shows the app patrol protocol list. Linux equivalent: > cat etc l7 protocols protocol list.
     debug ca: Certificate debug commands.
     debug content filter: Content Filtering debug commands.
     debug device ha: Device HA debug commands.
     debug eps: Endpoint security debug commands.
     debug force auth: Authentication policy debug commands.
     debug gui: GUI cgi related debug commands.
     debug gui: Web Configurator related debug commands.
     debug hardware: Hardware debug commands.
     debug idp: IDP debug commands.
     debug idp av: IDP and Anti-Virus debug commands.
     debug interface: Interface debug commands.
     debug interface ifconfig: Shows system interface details. Linux equivalent: ifconfig [interface].
     debug interface group: Port grouping debug commands.
     debug ip dns: DNS debug commands.
     debug ip virtual server: Virtual Server (NAT) debug commands.
     debug ipsec: IPSec VPN debug commands.
     debug logging: System logging debug commands.
     debug manufacture: Manufacturing related debug commands.
     debug myzyxel server: Myzyxel.com debug commands.
     debug network arpignore
318. l
     Router(config)# ip ssh server cert Default
     36.5 Telnet. You can configure your ZyWALL for remote Telnet access.
     36.6 Telnet Commands. The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands.
     Table 168 Command Summary: Telnet
     [no] ip telnet server: Allows Telnet access to the ZyWALL CLI. The no command disables Telnet access to the ZyWALL CLI.
     [no] ip telnet server port <1..65535>: Sets the Telnet service port number. The no command resets the Telnet service port number back to the factory default (23).
     ip telnet server rule {rule_number | append | insert rule_number} access group {ALL | address_object} zone {ALL | zone_object} action {accept | deny}: Sets a service control rule for the Telnet service. address_object: the name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores or dashes, but the first character cannot be a number. This value is case-sensitive. zone_object: the name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 100 and 200 models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT and WAN.
     ip telnet server rule rule_number move rule_number to
319. l (alphabetical list of commands; entries whose text survived extraction):
     show bwm usage policy route policy_number interface interface_name 23
     show ca category local remote name certificate_name format text pem 266
     show ca category local remote name certificate_name certpath 266
     show ca validation name 266
     show clock status 290
     show conn user username any unknown service servi
320. l interface_name: Adds or deletes an interface or a virtual interface for which to capture packets to the capture interfaces list.
     ip type {esp | vrrp | udp | tcp | any | icmp | igmp | igrp | pim}: Sets the protocol of traffic for which to capture packets; any means to capture packets for all types of traffic.
     snaplen <68..1512>: Specifies the maximum number of bytes to capture per packet. The ZyWALL automatically truncates packets that exceed this size. As a result, when you view the packet capture files in a packet analyzer, the actual size of the packets may be larger than the size of the captured packets.
     show packet capture status: Displays whether a packet capture is ongoing.
     show packet capture config: Displays current packet capture settings.
     Chapter 42 Maintenance Tools, 42.0.1 Command Examples. Some packet trace command examples are shown below.
     [Capture output: filter "src host 192.168.105.x and dst host 192.168.105.40 ... icmp"; tcpdump: listening on eth1; 8 packets received by filter; 0 packets dropped by kernel.]
321. lar interface.
     Need auth password: You need to enter the password for the 3G card in the cellular edit screen.
     Device ready: The ZyWALL successfully applied all of your configuration and you can use the 3G connection.
     6.6.2 Cellular Interface Command Examples. This example shows the configuration of a cellular interface named cellular2 for use with a Sierra Wireless AC850 3G card. It uses only a 3G or 3.5G connection, PIN code 1234, an MTU of 1200 bytes, a description of "This is cellular2", and sets the connection to be nailed up:
     Router(config)# interface cellular2
     Router(config-if-cellular)# device AC850
     Router(config-if-cellular)# band wcdma
     Router(config-if-cellular)# pin 1234
     Router(config-if-cellular)# connectivity nail up
     Router(config-if-cellular)# description This is cellular2
     Router(config-if-cellular)# mtu 1200
     Router(config-if-cellular)# exit
     Chapter 6 Interfaces. This second example shows specifying a new PIN code of 4567:
     Router(config)# interface cellular2
     Router(config-if-cellular)# pin 4567
     Router(config-if-cellular)# exit
     This example shows the 3G and SIM card information for interface cellular2 on the ZyWALL:
     Router(config)# show interface cellular2 device status
     interface name: cellular2
     extension slot: USB 1
     service provider: Chunghwa Telecom
     cellular system: WCDMA
     signal strength: 95 dBm
322. lays the current link sticking settings.
     7.8 Link Sticking Command Example. This example shows how to activate link sticking and set the timeout to 600 seconds (ten minutes):
     Router(config)# ip load balancing link sticking activate
     Router(config)# ip load balancing link sticking timeout 600
     Router(config)# show ip load balancing link sticking status
     active: yes
     timeout: 300
     Route. This chapter shows you how to configure policies for IP routing and static routes on your ZyWALL.
     8.1 Policy Route. Traditionally, routing is based on the destination address only, and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per-interface basis prior to the normal routing.
     8.2 Policy Route Commands. The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
     Table 41 Input Values for General Policy Route Commands
     address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
     interfa
323. le (virtual server commands; entries whose text survived extraction):
     ip virtual server profile_name interface interface_name original ip {any | ip | address_object} map to {address_object | ip} map type any [nat loopback] [nat 1 1 map] [deactivate] 110
     ip virtual server profile_name interface interface_name original ip {any | ip | address_object} map to {address_object | ip} map type original service service_object mapped service service_object [nat loopback] [nat 1 1 map] [deactivate] 111
     ip virtual server profile_name interface interface_name original ip {any | ip | address_object} map to {address_object | ip} map type port protocol {any | tcp | udp} original port <1..65535> mapped port <1..65535> [nat loopback] [nat 1 1 map] [deactivate]
     ip virtual server profile_name interface interface_name original ip {any | ip | address_object} map to {address_object | ip} map type ports protocol {any | tcp | udp} original port begin <1..65535> original port end <1..65535> mapped port begin <1..65535> [nat loopback] [nat 1 1 map] [deactivate]
     ip virtual server rename profile_name profile_name
324. lients.
     [no] hide: Obscures the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning.
     idle <30..30000>: Sets the WPA2 idle timeout. The ZyWALL automatically disconnects a wireless station that has been inactive for this number of seconds. The wireless station needs to enter the username and password again before access to the wired network is allowed.
     [no] ip address ip subnet_mask: Assigns the specified IP address and subnet mask to the specified interface. The no command clears the IP address and the subnet mask.
     [no] ip gateway ip metric <0..15>: Adds the specified gateway for the interface and sets the priority, relative to every gateway on every interface, for the specified gateway. The lower the number, the higher the priority. The no command removes the gateway.
     [no] mtu <576..2304>: Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The ZyWALL divides larger packets into smaller fragments. The no command resets the MTU to 1500.
     Chapter 6 Interfaces, Table 31 WLAN Interface Commands (continued)
     reauth <30..30000>: Sets the WPA2 reauthentication timer. This is the interval at which wireless stations have to resend usernames and passwords in order to stay connected. If a RADIUS server authenticates wireless stations, the r
325. ll details (alphabetical list of commands; entries whose text survived extraction):
     show idp signatures custom signature custom_sid details 194
     show idp signatures custom signature custom_sid details contents non contents 194
     show idp signatures custom signature number 194
     show idp statistics collect 199
     show idp statistics ranking signature name source destination 199
     show idp statistics summary 198
     show idp system protect all 191
     show interface {ethernet | vlan | bridge | ppp | auxiliary} status 51
     show interface {interface_name | ethernet | vlan | bridge | ppp | virtual ethernet | virtual vlan | virtual bridge | auxiliary | all} 51
     show interface cellular corresponding slot device status support device 70
     show interface cellular budget auto save 77
     show interface cellular corresponding slot 70
     show interface cellular device status 70
     show interface cellular status 70
     show interface cellular support device 70
     show interface interface_name budget 70
     show interface interface_name device profile 70
     show interface i
326. lphanumeric, spaces, or _.
     fqdn: Used in ip dns server: 0-252 alphanumeric or -; first character alphanumeric or -. Used in ip ddns, tim, ping check, server, device HA, VPN, certificates: 0-254 alphanumeric or -; first character alphanumeric or -.
     full file name: 0-256 alphanumeric or _.
     hostname: Used in the hostname command: 0-63 alphanumeric or _; first character alphanumeric or -. Used in other commands: 0-252 alphanumeric or -; first character alphanumeric or -.
     import configuration: 1 alphanumeric or punctuation character, 26 characters with .conf at the end.
     import shell script: 26 characters, alphanumeric or punctuation, with .zysh at the end.
     initial string: 1-64 alphanumeric, spaces, or punctuation (including _ and &).
     isp account password: 0-63 alphanumeric or punctuation.
     isp account username: 0-30 alphanumeric or punctuation.
     key length: 512, 768, 1024, 1536, 2048.
     license key: 25 characters: S + 6 upper-case letters or numbers + 16 upper-case letters or numbers.
     mac address: aa:bb:cc:dd:ee:ff (hexadecimal).
     mail server fqdn: lower-case letters, numbers, or -.
     name: 1-31 alphanumeric or _.
     notification message: 1-81 alphanumeric, spaces, or _.
     Chap
327. lphanumeric or -. Used in text authentication keys for OSPF: 0-8 alphanumeric or punctuation.
     certificate name: 1-31 alphanumeric or punctuation (including & and _).
     community string: 0-63 alphanumeric or -; first character alphanumeric or -.
     connection id: 1 alphanumeric or punctuation character.
     contact: 1-61 alphanumeric, spaces, or punctuation (including _).
     country code: 0 or 2 alphanumeric.
     custom signature file name: 0-30 alphanumeric or -; first character a letter.
     description: Used in keyword criteria for log entries: 1-64 alphanumeric, spaces, or punctuation (including _). Used in other commands: 1-61 alphanumeric, spaces, or _.
     distinguished name: 1-511 alphanumeric, spaces, or _.
     Chapter 1 Command Line Interface, Table 3 Input Value Formats for Strings in CLI Commands (continued)
     domain name: Used in content filtering: lower-case letters, numbers, or -. Used in ip dns server: 0-247 alphanumeric or -; first character alphanumeric or -. Used in domainname, ip dhcp pool and ip domain: 0-254 alphanumeric or -; first character alphanumeric or -.
     email: 1-63 alphanumeric or @.-_.
     e-mail: 1-64 alphanumeric or @.-_.
     encryption key: 16-64 hexadecimal values, optionally prefixed by 0x or 0X; 8-32 alphanumeric or punctuation (including &, _, < and >).
     file name: 0-31 alphanumeric or -.
     filter extension: 1-256 a
328. ltiple configuration files and shell script files on the ZyWALL. When you apply a configuration file, the ZyWALL uses the factory default settings for any features that the configuration file does not include. Shell scripts are files of commands that you can store on the ZyWALL and run when you need them. When you run a shell script, the ZyWALL only applies the commands that it contains; other settings do not change. You can edit configuration files or shell scripts in a text editor and upload them to the ZyWALL. Configuration files use a .conf extension and shell scripts use a .zysh extension.
     Chapter 37 File Manager. These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
     Figure 28 Configuration File / Shell Script Example
         # enter configuration mode
         configure terminal
         # change administrator password
         username admin password 4321 user type admin
         # configure ge3
         interface ge3
         ip address 172.23.37.240 255.255.255.0
         ip gateway 172.23.37.254 metric 1
         exit
         # create address objects for remote management / to-ZyWALL firewall rules
         # use the address group in case we want to open up remote management later
         address object TW_SUBNET 172.23.37.0/24
         object group address TW_TEAM
         address object TW_SUBNET
         exit
         # enable Telnet access (not enabled by default, unlike other services)
         ip telnet server
         # open WAN-to-ZyWALL firewall
329. m: all no, Win95/98 no, WinNT no, WinXP/2000 no, Linux no, FreeBSD no, Solaris no, SGI no, other Unix no, network device no; service: ; outbreak: no.
     This example shows you how to display custom signature details:
     Router(config)# show idp signatures custom signature 9000000 details
     sid: 9000000
     message: test_edit
     policy type:
     severity:
     platform: all no, Win95/98 no, WinNT no, WinXP/2000 no, Linux no, FreeBSD no, Solaris no, SGI no, other Unix no, network device no
     service:
     outbreak: no
     Chapter 21 IDP Commands. This example shows you how to display custom signature contents:
     Router(config)# show idp signatures custom signature 9000000 contents
     sid: 9000000
     Router(config)# show idp signatures custom signature 9000000 non contents
     sid: 9000000
     ack:, dport: 0, dsize:, dsize_rel:, flow_direction:, flow_state:, flow_stream:, fragbits_reserve:, fragbits_dontfrag:, fragbits_morefrag:, fragoffset:, fragoffset_rel:, icmp_id:, icmp_seq:, icode:, icode_rel:, id:, ipopt:, itype:, itype_rel:, sameip:, seq:, sport: 0, tcp_flag_ack:, tcp_flag_fin:, tcp_flag_push:, tcp_flag_r1:, tcp_flag_r2:, tcp_flag_rst:, tcp_flag_syn:, tcp_flag_urg:, threshold_type:, threshold_track:, threshold_count:, threshold_second:, tos:, tos_rel:, transport: tcp, ttl:, ttl_rel:, window:, window_rel:
     Chapter 21 IDP Commands. This example s
330. mand to have the ZyWALL forward packets that match a policy route according to the policy route instead of sending the packets to a directly connected network. Use the no command to disable it.
     show policy route [policy_number]: Displays all or the specified policy route settings.
     show policy route begin <1..200> end <1..200>: Displays the specified range of policy route settings.
     show policy route control ipsec dynamic rules: Displays whether the ZyWALL checks policy routes first before IPSec dynamic rules.
     Chapter 8 Route, Table 42 Command Summary: Policy Route (continued)
     show policy route override direct route: Displays whether or not the ZyWALL forwards packets that match a policy route according to the policy route instead of sending the packets to a directly connected network.
     show policy route rule count: Displays the number of policy routes that have been configured on the ZyWALL.
     show policy route underlayer rules: Displays all policy route rule details, for advanced debugging.
     show bwm activation: Displays whether or not the global setting for bandwidth management on the ZyWALL is enabled.
     show bwm usage {interface interface_name | policy route policy_number}: Displays the specified policy route's or interface's bandwidth allotment, current bandwidth usage and ban
331. may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
     user_name: The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_) or dashes (-), but the first character cannot be a number. This value is case-sensitive.
     The following table describes the commands available for policy routes. You must use the configure terminal command to enter the configuration mode before you can use these commands.
     Table 42 Command Summary: Policy Route
     [no] bwm activate: Globally enables bandwidth management. You must globally activate bandwidth management to have individual policy routes or application patrol policies apply bandwidth management. The no command globally disables bandwidth management.
     policy {policy_number | append | insert policy_number}: Enters the policy route sub-command mode to configure, add or insert a policy.
     [no] auto destination: When you set tunnel as the next-hop type (using the next hop tunnel command) for this route, you can use this command to have the ZyWALL use the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy, instead of what you configure by using the destination command. The no command disables the setting.
     [no] auto disable: When you set interface or trunk as the next-hop type (using th
332. me authentication method and password. The no command disables authentication.
     string: Use a plain-text password for authentication. key: use up to eight characters, including alphanumeric characters, the underscore and some punctuation marks (such as &).
     ah md5: Use an encrypted MD5 password for authentication. key: use up to eight characters, including alphanumeric characters, the underscore and some punctuation marks (such as &).
     [no] device ha ap mode interface_name manage ip ip subnet_mask: Sets the management IP address for an interface.
     [no] device ha ap mode interface_name activate: Has device HA monitor the status of an interface's connection.
     [no] device ha ap mode master sync authentication password password: This is for a master ZyWALL. It specifies the password to require from synchronizing backup ZyWALLs. Every router in the virtual router must use the same password. The no command sets the password setting to blank, which means no backups can synchronize with this master. password: use 4-63 alphanumeric characters, underscores (_), dashes (-) and some punctuation characters.
     [no] device ha ap mode backup sync authentication password password: Sets the password the backup ZyWALL uses when synchronizing with the master. The no command sets the password setting to blank, which means this backup ZyWALL cannot synchronize with th
333. mmands to create a new anomaly profile or edit an existing one. It is recommended you use the web configurator to create and edit profiles. If you do not specify a base profile, the default base profile is none. Note: you CANNOT change the base profile later.
     Table 99 Editing/Creating Anomaly Profiles
     idp anomaly newpro base {all | none}: Creates a new IDP anomaly profile called newpro. newpro uses the base profile you specify. Enters sub-command mode. All the following commands relate to the new profile. Use exit to quit sub-command mode.
     scan detection sensitivity {low | medium | high}: Sets scan detection sensitivity.
     no scan detection sensitivity: Clears scan detection sensitivity. The default sensitivity is medium.
     scan detection block period <1..3600>: Sets for how many seconds the ZyWALL blocks all packets from being sent to the victim (destination) of a detected anomaly attack.
     [no] scan detection tcp xxx activate {log | alert | block}: Activates TCP scan detection options, where tcp xxx is one of tcp portscan, tcp decoy portscan, tcp portsweep, tcp distributed portscan, tcp filtered portscan, tcp filtered decoy portscan, tcp filtered distributed portscan, tcp filtered portsweep. Also sets TCP scan detection logs or alerts and blocking. no deactivates TCP scan detection, its logs, alerts or blocking.
     [no] scan detection udp xxx activate {log | alert
334. mmary: Displays an overview of the collected statistics.
     Chapter 23 Anti-Spam, Table 120 Commands for Anti-spam Statistics (continued)
     show anti spam statistics collect: Displays whether the collection of anti-spam statistics is turned on or off.
     show anti spam statistics ranking {source | mail address}: Queries and sorts the anti-spam statistics entries by source IP address or mail address. source lists the source IP addresses of the most spam; mail address lists the most common source mail addresses for spam.
     23.3.1 Anti-Spam Statistics Example. This example shows how to collect anti-spam statistics and display a summary:
     Router(config)# anti spam statistics collect
     Router(config)# show anti spam statistics collect
     collect statistics: yes
     collect statistics time:
     Router(config)# show anti spam statistics summary
     total mails scanned: 0
     total clear mails: 0
     total spam mails: 0
     spam detected by blacklist: 0
     spam detected by dnsbl: 0
     dnsbl timeout: 0
     mail session forwarded: 0
     mail session dropped: 0
     since 2008-03-11 07:16:01 to 2008-03-11 07:16:13
     Chapter 23 Anti-Spam.
     PART VII Device HA. Device HA. Use device HA to increase network reliability. Device HA lets a backup ZyWALL (B) automatically take over
335. mon name (cn) to identify a record; uid. The no command clears this setting.
     [no] ldap server host ldap_server: Sets the LDAP server address. Enter the IP address in dotted decimal notation or the domain name. The no command clears this setting.
     [no] ldap server password: Sets the bind password. The no command clears this setting.
     Chapter 29 AAA Server, Table 145 ldap server Commands (continued)
     [no] ldap server port port_no: Sets the LDAP port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
     [no] ldap server search time limit time: Sets the search timeout period in seconds. Enter a number between 1 and 300. The no command clears this setting.
     [no] ldap server ssl: Enables the ZyWALL to establish a secure connection to the LDAP server. The no command disables this feature.
     29.2.3 radius server Commands. The following table lists the radius server commands you use to set the default RADIUS server.
     Table 146 radius server Commands
     show radius server: Displays the default RADIUS server settings.
     [no] radius server host radius_server auth port auth_port: Sets the RADIUS server address and service port number. Enter the IP address in dotted decimal notation or the domain name of a RADIUS server. The no command clears the settings.
336. mples. The following commands show you how to set up VLAN vlan100 with the following parameters: VLAN ID 100, interface ge1, IP 1.2.3.4, subnet 255.255.255.0, MTU 598, gateway 2.2.2.2, description "I am vlan100", upstream bandwidth 345 and downstream bandwidth 123:
     Router# configure terminal
     Router(config)# interface vlan100
     Router(config-if-vlan)# vlan id 100
     Router(config-if-vlan)# port ge1
     Router(config-if-vlan)# ip address 1.2.3.4 255.255.255.0
     Router(config-if-vlan)# ip gateway 2.2.2.2
     Router(config-if-vlan)# mtu 598
     Router(config-if-vlan)# upstream 345
     Router(config-if-vlan)# downstream 123
     Router(config-if-vlan)# description I am vlan100
     Router(config-if-vlan)# exit
     6.9 Bridge-Specific Commands. This section covers commands that are specific to bridge interfaces. Bridge interfaces also use many of the general interface commands discussed at the beginning of Section 6.2 on page 51.
     Chapter 6 Interfaces. The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
     Table 35 Input Values for Bridge Interface Commands
     interface_name: The name of the interface. Ethernet interface: for the ZyWALL USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 100 and 200 models use
337. n local ip: Displays the IP address that the ZyWALL uses in setting up the SSL VPN.
     show sslvpn monitor: Displays a list of the users who are currently logged into the VPN SSL client portal.
     sslvpn network extension local ip ip: Sets the IP address that the ZyWALL uses in setting up the SSL VPN.
     sslvpn policy {profile_name | profile_name append | profile_name insert <1..16>}: Enters the SSL VPN sub-command mode to add or edit an SSL VPN access policy.
     [no] activate: Turns the SSL VPN access policy on or off.
     [no] application application_object: Adds the SSL application object to the SSL VPN access policy.
     [no] cache clean activate: Cleans the cookie history and temporary Internet files in the user's browser's cache when the user logs out. The ZyWALL returns them to the values present before the user logged in. The no command disables this setting.
     [no] description description: Adds information about the SSL VPN access policy. Use up to 60 characters (0-9, a-z, A-Z and _).
     [no] eps <1..8> eps_profile_name: Sets endpoint security objects to be used for the SSL VPN access policy. The ZyWALL checks authenticated users' computers against the policy's selected endpoint security objects in the order (from 1 to 8) you specified. When a user's computer meets an endpoint security object's requirements, the ZyWALL grants access and stops checking. To make the en
338. n U2.4.27 kernel 2006-08-21 / 2006-08-21 19:54:00
     ZLD Version U1.01 XL.0 2006-09-11 17:41:56
     Press any key to enter debug mode within 3 seconds
     Enter Debug Mode
     >
     3. Enter atkz -u to start the recovery process.
     Figure 50 atkz -u Command for Restoring the Default System Database
     > atkz -u
     4. "Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file" displays on the screen. Connect your computer to the ZyWALL's port 1 (only port 1 can be used).
     Figure 51 Use FTP with Port 1 and IP 192.168.1.1 to Upload File
     Done
     Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file
     5. The ZyWALL's FTP server IP address for firmware recovery is 192.168.1.1, so set your computer to use a static IP address from 192.168.1.2 to 192.168.1.254.
     6. Use an FTP client on your computer to connect to the ZyWALL. For example, in the Windows command prompt, type ftp 192.168.1.1. Keep the console session connected in order to see when the default system database recovery finishes.
     7. Hit enter to log in anonymously.
     Chapter 37 File Manager.
     8. Set the transfer mode to binary: type bin.
     9. Transfer the firmware file from your computer to the ZyWALL. Type put followed by the path and name of the firmware file. This example uses put e ftproot ZLD FW N1 01 XL 0 CO db.
     Figure 52 FTP Default System Database Transfer Command
     C:\> ftp 192.168.1.1
     Connected to
339. nterface name (alphabetical list of commands; entries whose text survived extraction):
     hardware address MAC address 56
     hardware watchdog timer 351
     hostname 289
     http inspection http xxx action {drop | reject sender | reject receiver | reject both} 188
     http inspection http xxx activate 188
     icmp decoder {truncated header | truncated timestamp header | truncated address header} activate 189
     List of Commands (Alphabetical): no
340. nature: Displays all IDP signature or system-protect base profiles.
     anomaly base profile
     Chapter 21 IDP Commands, Table 96 Global Profile Commands
     show idp signature base profile {all | none | wan | lan | dmz} settings: Lists the specified signature base profile's settings. Use more to display the settings page by page.
     show idp profiles: Displays all IDP signature profiles.
     21.3.1.1 Example of Global Profile Commands. In this example we rename an IDP signature profile from old_profile to new_profile, delete the bye_profile, and show all base profiles available:
     Router# configure terminal
     Router(config)# idp rename signature old_profile new_profile
     Router(config)# no idp signature bye_profile
     Router(config)# show idp signature base profile
     No  Base Profile Name
     1   none
     2   all
     3   wan
     4   lan
     5   dmz
     Router(config)#
     21.3.2 IDP Zone to Zone Rules. Use the following rules to apply IDP profiles to specific directions of packet travel.
     Table 97 IDP Zone to Zone Rule Commands
     idp {signature | anomaly} rule {append | <1..32> | insert <1..32>}: Creates an IDP signature or anomaly rule and enters the sub-command mode.
     bind profile: Binds the IDP profile to the entry's traffic direction.
     no bind: Removes the IDP profile's binding.
     [no] from zone
341. ...nd string enclosed in quotes, for example: "alert tcp any any <> any any (msg:\"test\"; sid:9000000;)".
    idp customize signature edit quoted_string
        Edits an existing custom signature.
    no idp customize signature custom_sid
        Deletes a custom signature.
    show idp signatures custom-signature custom_sid {details|contents|non-contents}
        Displays custom signature information.
    show idp signatures custom-signature all details
        Displays all custom signatures' information.
    show idp signatures custom-signature number
        Displays the total number of custom signatures.
21.4.1 Custom Signature Examples
These examples show how to create a custom signature, edit one, display details of one or all, and show the total number of custom signatures.
    Router# configure terminal
    Router(config)# idp customize signature "alert tcp any any <> any any (msg:\"test\"; sid:9000000;)"
    sid: 9000000
    message: test
    policy type:
    severity:
    platform:
      all: no
      Win95/98: no
      WinNT: no
      WinXP/2000: no
      Linux: no
      FreeBSD: no
      Solaris: no
      SGI: no
      other-Unix: no
      network-device: no
    service:
    outbreak: no
This example shows you how to edit a custom signature.
    Router(config)# idp customize signature edit "alert tcp any any <> any any (msg:\"test edit\"; sid:9000000;)"
    y
    sid: 9000000
    message: test edit
    policy type:
    severity:
    platfor... (output cut off in this copy)
342. ...nds on the number of PPPoE/PPTP interfaces your ZyWALL model supports.
    profile_name
        The name of the DHCP pool. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
    domain_name
        Fully qualified domain name. You may use up to 254 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
The following sections introduce commands that are supported by several types of interfaces. See Section 6.6 on page 68 for the unique commands for each type of interface.
6.2.1 Basic Interface Properties and IP Address Commands
This table lists basic properties and IP address commands.
    Table 16 interface General Commands: Basic Properties and IP Address Assignment
    show interface {ethernet|vlan|bridge|ppp|auxiliary} status
        Displays the connection status of the specified type of interfaces.
    show interface {interface_name|ethernet|vlan|bridge|ppp|virtual ethernet|virtual vlan|virtual bridge|auxiliary|all}
        Displays information about the specified interface, the specified type of interfaces, or all interfaces. See Section 6.6.1 on page 70 for all possible cellular status descriptions.
    show interface send statistics interval
        Displays the interval for how often the ZyWALL refreshes the sent packet statistics for the interfaces... (cut off in this copy)
343. ...nds use all the sub-commands listed here.
    Table 80 app protocol rule Sub-commands
    access {forward|drop|reject}
        Specifies the action when traffic matches the rule.
    [no] action block {login|message|audio|video|file transfer}
        Blocks use of a specific feature.
    [no] activate
        Turns on this rule. The no command turns off this rule.
    bandwidth {inbound|outbound} <0..1048576>
        Limits inbound or outbound bandwidth in kilobits per second. 0 disables bandwidth management for traffic matching this rule.
    [no] bandwidth excess-usage
        Enables maximize bandwidth usage to let the traffic matching this policy borrow any unused bandwidth on the outgoing interface.
    bandwidth priority <1..7>
        Sets the priority for traffic that matches this rule. The smaller the number, the higher the priority.
    [no] destination profile_name
        Adds the specified destination address to the rule.
    [no] from zone_name
        Specifies the source zone.
    (Chapter 19 Application Patrol, Table 80 app protocol rule Sub-commands, continued)
    [no] inbound dscp-mark {<0..63>|class {default|dscp_class}}
        This is how the ZyWALL handles the DSCP value of the outgoing packets to a connection's initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to the cla... (cut off in this copy)
344. [List of Commands (Alphabetical), continued; only the entries still legible after extraction are kept, with their page numbers]
    user-class {default|...} ... 91
    encryption {nomppe|mppe-40|mppe-128} ... 270
    eps ... 238
    eps failure-messages ... 279
    eps periodical-check activate ... 147
    eps periodical-check ... 147
    eps periodical-check ... 238
    eps profile profile_name ... 278
    eps rename profile_name new_profile_name ... 281
    file-decompression unsupported destroy ...
    file-info file-path file_path ... 279
    file-info file-path file_path {eq|gt|lt|ge|le|neq} file-size <1..1073741824> ... 279
345. ...net 255.255.255.0, gateway 4.6.7.8, upstream bandwidth 345, downstream bandwidth 123, and description "I am vir interface".
    Router# configure terminal
    Router(config)# interface ge1:1
    Router(config-if-vir)# ip address 1.2.3.4 255.255.255.0
    Router(config-if-vir)# ip gateway 4.6.7.8
    Router(config-if-vir)# upstream 345
    Router(config-if-vir)# downstream 123
    Router(config-if-vir)# description I am vir interface
    Router(config-if-vir)# exit
    Router(config)#
6.5 PPPoE/PPTP Specific Commands
This section covers commands that are specific to PPPoE/PPTP interfaces. PPPoE/PPTP interfaces also use many of the general interface commands discussed at the beginning of Section 6.2 on page 51.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
    Table 25 Input Values for PPPoE/PPTP Interface Commands
    interface_name
        PPPoE/PPTP interface: pppx, x = 0..N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.
    profile_name
        The name of the ISP account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
This table lists the PPPoE/PPTP interface commands.
    Table 26 interface Commands: PPPoE/PPTP Interfaces
    interface dial interface... (cut off in this copy)
346. ...renew (P)
        Renews DHCP information for an interface.
    run (P)
        Runs a script.
    setenv (U, P)
        Turns stop-on-error on (terminates booting if an error is found in a configuration file) or off (ignores configuration file errors and continues booting).
    show (U, P)
        Displays command statistics. See the associated command chapter in this guide.
    shutdown (P)
        Writes all data to disk and stops the system processes. It does not turn off the power.
    telnet (U, P)
        Establishes a connection to TCP port number 23 of the specified host name or IP address.
    test aaa (U, P)
        Tests whether the specified user name can be successfully authenticated by an external authentication server.
    traceroute
        Traces the route to the specified host name or IP address.
    write
        Saves the current configuration to the ZyWALL. All unsaved changes are lost after the ZyWALL restarts.
(Chapter 2 User and Privilege Modes)
Subsequent chapters in this guide describe the configuration commands. User/privilege mode commands that are also configuration commands (for example, show) are described in more detail in the related configuration command chapter.
2.1.1 Debug Commands
Debug commands marked with an asterisk (*) are not available when the debug flag is on and are for ZyXEL service personnel use only. The debug commands follow a syntax that is Linux-based, so if there is a Linux equivalent, it is displayed in this chapter for your reference. You must... (cut off in this copy)
347. ...(config)# show port-grouping
    No. Representative Name  Port1  Port2  Port3  Port4  Port5
    1   ge1                  yes    no     no     no     no
    2   ge2                  no     yes    no     no     no
    3   ge3                  no     no     yes    no     no
    4   ge4                  no     no     no     yes    no
    5   ge5                  no     no     no     no     yes
    Router(config)# port-grouping ge1
    Router(config-port-grouping)# port 5
    Router(config-port-grouping)# exit
    Router(config)# show port-grouping
    No. Representative Name  Port1  Port2  Port3  Port4  Port5
    1   ge1                  yes    no     no     no     yes
    2   ge2                  no     yes    no     no     no
    3   ge3                  no     no     yes    no     no
    4   ge4                  no     no     no     yes    no
    5   ge5                  no     no     no     no     no
The following commands set port 1 to use auto-negotiation (auto) and port 2 to use a 10 Mbps connection speed and half duplex.
    Router(config)# port-status Port1
    Router(config-port-status)# negotiation auto
    Router(config-port-status)# exit
    Router(config)# port-status Port2
    Router(config-port-status)# duplex half
    Router(config-port-status)# speed 10
    Router(config-port-status)# exit
    Router(config)# exit
(Chapter 6 Interfaces)
6.4 Virtual Interface Specific Commands
Virtual interfaces use many of the general interface commands discussed at the beginning of Section 6.2 on page 51. There are no additional commands for virtual interfaces.
6.4.1 Virtual Interface Command Examples
The following commands set up a virtual interface on top of Ethernet interface ge1. The virtual interface is named ge1:1 with the following parameters: IP 1.2.3.4, sub... (cut off in this copy)
348. ...(config-if-wan1)# ping-check 1.1.1.2 method tcp port 8080
    Router(config-if-wan1)# exit
    Router(config)# show ping-check
    Interface: wan1
      Check Method: tcp
      IP Address: 1.1.1.2
      Period: 30
      Timeout: 5
      Fail Tolerance: 5
      Activate: yes
      Port: 8080
    Router(config)#
6.3 Ethernet Interface Specific Commands
This section covers commands that are specific to Ethernet interfaces.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
    Table 22 Input Values for Ethernet Interface Commands
    interface_name
        The name of the Ethernet interface. This depends on the ZyWALL model. For the ZyWALL USG 300 and above, use gex, x = 1..N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 100 and 200 models use a name such as wan1, wan2, opt, lan, ext-wlan, or dmz.
6.3.1 MAC Address Setting Commands
This table lists the commands you can use to set the MAC address of an interface. On the ZyWALL USG 100 and 200 models these commands only apply to a WAN or OPT interface.
    Table 23 interface Commands: MAC Setting
    interface interface_name
        Enters sub-command mode.
    no mac
        Has the interface use its default MAC address.
    mac mac
        Specifies the MAC address the interface is to use.
(Chapter 6 Interf... cut off in this copy)
349. [List of Commands (Alphabetical), continued; only the entries still legible after extraction are kept, with their page numbers]
    ...owa web-server-url URL entry-point entry_point ... 273
    server-type file-sharing share-path share_path ... 274
    server-type rdp server-address server_address starting ... 274
    server-type vnc server-address server_address starting ... 274
    server-type weblink url URL ... 274
    service-object object_name {tcp|udp} {eq <1..65535>|range <1..65535> <1..65535>} ... 245
    service-object object_name icmp icmp_value ... 246
    service-object object_name protocol <1..255> ... 246
    service-object rename object_name object_name ... 246
    service-register ... 39
    service-register service-type standard license-key key_value ... 39
    service-register service-type trial av-engine {kav|zav} ... 39
    service-register service-type trial service {content-filter|idp} ... 39
    service-register service-type trial service all {kav|zav} ... 39
    service-register service-type trial service av {kav|zav} ... 39
    session timeout {udp-connect <1..300>|udp-deliver <1..300>|icmp <1..300>} ... 341
    session timeout session {tcp-established|tcp-synrecv|tcp-close|tcp-finwait|tcp-synsent|tcp-cl... (cut off in this copy)
350. ...nge (original IP) to the specified IP address and port range (mapped IP).
(Chapter 16 IPSec VPN)
16.2.3 IPSec SA Commands for Manual Keys
This table lists the additional commands for IPSec SAs using manual keys (VPN connections using manual keys).
    Table 70 crypto map Commands: IPSec SAs, Manual Keys
    crypto map map_name set session-key {ah <256..4095> auth_key | esp <256..4095> [cipher enc_key] authenticator auth_key}
        Sets the active protocol, SPI (<256..4095>), authentication key and encryption key (if any).
        auth_key: You can use any alphanumeric characters or the symbols $, & and _ (the remaining allowed symbols are illegible in this copy). The length of the key depends on the algorithm: md5: 16-20 characters; sha: 20 characters.
        enc_key: You can use any alphanumeric characters or the symbols $, _, < and > (the remaining allowed symbols are illegible in this copy). The length of the key depends on the algorithm: des: 8-32 characters; 3des: 24-32 characters; aes128: 16-32 characters; aes192: 24-32 characters; aes256: 32 characters.
        If you want to enter the key in hexadecimal, type 0x at the beginning of the key. For example, 0x0123456789ABCDEF is in hexadecimal format; 0123456789ABCDEF is in ASCII format. If you use hexadecimal, you must enter twice as many characters.
        The ZyWALL automatically ignores any characters above the minimum number of characters required by the algorithm. F... (cut off in this copy)
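The key-length rules in Table 70 are easy to get wrong when a key is typed in hexadecimal, because the 0x form needs twice as many characters and the device silently discards anything past the algorithm's minimum. The following checker is an added example, not ZyXEL's code; it encodes exactly the ranges the table states and treats "ignores characters above the minimum" as truncation to the minimum length (an assumption about how that sentence should be read). Use it to vet a manual-key configuration before pasting it into the CLI.

```python
"""Check an IPSec manual-key string against the length rules in Table 70.

Added example (not ZyXEL code). Length ranges are copied from the guide;
the truncation behaviour is an assumption drawn from the sentence "ignores
any characters above the minimum number of characters".
"""
from dataclasses import dataclass
from typing import Optional

# (minimum, maximum) ASCII character counts per algorithm, from the guide
AUTH_KEY_LEN = {"md5": (16, 20), "sha": (20, 20)}
ENC_KEY_LEN = {
    "des": (8, 32), "3des": (24, 32),
    "aes128": (16, 32), "aes192": (24, 32), "aes256": (32, 32),
}


@dataclass
class KeyCheck:
    ok: bool
    reason: str
    effective: bytes  # the bytes the device would actually keep (assumed)


def _decode(key: str) -> Optional[bytes]:
    """Return the raw key bytes, or None if the text is not a valid key."""
    if key[:2].lower() == "0x":
        try:
            return bytes.fromhex(key[2:])   # rejects odd length / non-hex
        except ValueError:
            return None
    try:
        return key.encode("ascii")
    except UnicodeEncodeError:
        return None


def _check(key: str, min_len: int, max_len: int) -> KeyCheck:
    raw = _decode(key)
    if raw is None:
        return KeyCheck(False, "not a valid ASCII or 0x-prefixed hex key", b"")
    is_hex = key[:2].lower() == "0x"
    n = len(raw)
    if n < min_len:
        hint = " (hex needs twice as many characters)" if is_hex else ""
        return KeyCheck(False, f"{n} bytes, minimum is {min_len}{hint}", b"")
    if n > max_len:
        return KeyCheck(False, f"{n} bytes, maximum is {max_len}", b"")
    reason = "ok"
    if n > min_len:
        # Assumption: the device keeps only the first min_len bytes.
        reason = f"ok; {n - min_len} trailing byte(s) ignored by the device"
    return KeyCheck(True, reason, raw[:min_len])


def check_auth_key(algorithm: str, key: str) -> KeyCheck:
    """Validate auth_key for ah/esp authenticator (md5 or sha)."""
    if algorithm not in AUTH_KEY_LEN:
        return KeyCheck(False, f"unknown authentication algorithm {algorithm}", b"")
    return _check(key, *AUTH_KEY_LEN[algorithm])


def check_enc_key(algorithm: str, key: str) -> KeyCheck:
    """Validate enc_key for the esp cipher (des, 3des, aes128/192/256)."""
    if algorithm not in ENC_KEY_LEN:
        return KeyCheck(False, f"unknown encryption algorithm {algorithm}", b"")
    return _check(key, *ENC_KEY_LEN[algorithm])


if __name__ == "__main__":
    # The guide's own example key, typed once as ASCII and once as hex:
    for alg, key in [("md5", "0123456789ABCDEF"), ("md5", "0x0123456789ABCDEF")]:
        r = check_auth_key(alg, key)
        print(f"{alg} {key!r}: ok={r.ok} ({r.reason})")
```

The second line of the demo is the trap the table warns about: "0x0123456789ABCDEF" is only 8 bytes, so it fails the md5 minimum even though the same text without 0x passes.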
351. [List of Commands (Alphabetical), continued; the daily-report entries on this page (pages 337-338) are almost entirely illegible after extraction. Legible fragments: daily-report [no] item ... 337/338; daily-report [no] mail-subject append date-time; daily-report [no] mail-subject append system-name ... 337; daily-report [no] smtp-auth activate; daily-report mail-subject set subject ... 337.]
352. ...nt filtering allows you to block certain web features, such as cookies, and/or block access to specific web sites. It can also block access to specific categories of web site content. You can create different content filtering policies for different addresses, schedules, users or groups and content filtering profiles. For example, you can configure one policy that blocks John Doe's access to arts and entertainment web pages during the workday and another policy that lets him access them after work.
22.2 Content Filtering Policies
A content filtering policy allows you to do the following:
    Use schedule objects to define when to apply a content filtering profile.
    Use address and/or user/group objects to define to whose web access to apply the content filtering profile.
    Apply a content filtering profile that you have custom-tailored.
22.3 External Web Filtering Service
When you register for and enable the external web filtering service, your ZyWALL accesses an external database that has millions of web sites categorized based on content. You can have the ZyWALL block, block and/or log access to web sites based on these categories.
The content filtering lookup process is described below.
(Chapter 22 Content Filtering)
    Figure 24 Content Filtering Lookup Procedure
    1 A computer behind the ZyWALL tries to access a web site.
    2 The ZyWALL looks up the web site in its ... If an attempt to access t... (cut off in this copy)
353. ...nt link monitoring setting.
    device-ha stop-stub-interface activate
        Has the master ZyWALL shut down any 3G or wireless LAN interfaces if one of its VRRP interface links goes down.
    no device-ha stop-stub-interface
        Has the master ZyWALL not shut down any 3G or wireless LAN interfaces if one of its VRRP interface links goes down.
    show device-ha stop-stub-interface
        Displays whether or not the ZyWALL is set to have the master ZyWALL shut down any 3G or wireless LAN interfaces if one of its VRRP interface links goes down.
PART VI Objects
    User/Group ... 233
    Addresses ... 241
    Services ... 245
    Schedules ... 249
    AAA Server ... 251
    Authentication Objects ... 259
    Certificates ... 263
    ISP Accounts ... 269
    SSL Application ... 273
    Endpoint Security ... 277
User/Group
This chapter describes how to set up user accounts, user groups, and user settings for the ZyWALL. You can also set up rules that control when users have to log in to the ZyWALL before the ZyWALL routes traffic for them.
25.1 User Account Overview
A user account defines the privileges of a user logged into the ZyWALL. User accounts are used in firewall rules and application patrol, in addition to controlling access to configuration and services in the ZyWALL.
25.1.1 User Types
These are the types of user accounts the ZyWALL uses.
    Table 128 Types of User Accounts
    ... Perform basic dia... (cut off in this copy)
354. [List of Commands (Alphabetical), continued; only the entries still legible after extraction are kept, with their page numbers]
    ...interface interface_name redirect-to w.x.y.z <1..65535> ... 111
    ip http-redirect description interface interface_name redirect-to w.x.y.z <1..65535> ... 116
    ip ospf authentication ... 60
    ip ospf authentication message-digest ... 60
    ip ospf authentication same-as-area ... 60
    ip ospf message-digest-key <1..255> md5 password ... 61
    ip route replace w.x.y.z w.x.y.z {interface|w.x.y.z} <0..127> with w.x.y.z ... 95
    ip ssh server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny} ... 299
    ip ssh server rule move rule_number to rule_number ... 299
    ip telnet server rule {rule_number|append|insert rule_number} access-group {ALL|address_object} zone {ALL|zone_object} action {accept|deny} ... 300
    ip telnet server rule move rule_number to rule_number ... 300
    ip virtual-server {activate|deactivate} profile_name ... 111
    ip virtual-server delete profi... (cut off in this copy)
355. [List of Commands (Alphabetical), continued; only the entries still legible after extraction are kept, with their page numbers]
    ...interface_name device status ... 70
    show interface ppp system-default ... 67
    show interface ppp user-define ... 67
    show interface send statistics interval ... 51
    show interface summary all ... 51
    show interface summary all status ... 51
    show interface-group {system-default|user-define|group_name} ... 84
    show ip dhcp binding ...
    show ip dhcp pool profile_name ... 55
    show ip dns server ... 293
    show ip dns server database ... 293
    show ip dns server status ... 293
    show ip ftp server status ... 302
    show ip http server status ... 297
    show ip http-redirect ... 116
    show ip load-balancing link-sticking status ... 88
    show ip route [kernel|connected|static|ospf|rip|bgp] ... (cut off in this copy)
356. ...nternet. In L2TP VPN, an IPSec VPN tunnel is established first (see Chapter 16 on page 135 for information on IPSec) and then an L2TP tunnel is built inside it.
At the time of writing, the L2TP remote user must have a public IP address in order for L2TP VPN to work; the remote user cannot be behind a NAT router or a firewall.
18.2 IPSec Configuration
You must configure an IPSec VPN connection for L2TP VPN to use (see Chapter 16 on page 135 for details). The IPSec VPN connection must:
    Be enabled.
    Use transport mode.
    Not be a manual key VPN connection.
    Use Pre-Shared Key authentication.
    Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address.
(Chapter 18 L2TP VPN)
18.2.1 Using the Default L2TP VPN Connection
Default_L2TP_VPN_Connection is pre-configured to be convenient to use for L2TP VPN. If you use it, edit the following.
Configure the local and remote policies as follows:
    For the Local Policy, create an address object that uses host type and contains the My Address IP address that you configured in the Default_L2TP_VPN_GW. Use this address object in the local policy.
    For the Remote Policy, create an address object that uses host type and an IP address of 0.0.0.0. Use this address object in the remote policy.
You must also edit the Default_L2TP_VPN_GW gateway entry. Configu... (cut off in this copy)
357. ...nti-spam white-list [status]
        Displays the current anti-spam white list. Use status to show the activation status only.
    (Chapter 23 Anti-Spam, Table 117 Commands for Anti-spam White and Black Lists, continued)
    show anti-spam black-list [status]
        Displays the current anti-spam black list. Use status to show the activation status only.
    show anti-spam tag black-list
        Shows the configured anti-spam black list tag.
23.2.3.1 White and Black Lists Example
This example shows how to configure and enable white list entries for e-mails with "testwhite" in the subject, e-mails from whitelist.ourcompany.com, e-mails with the Date header set to 2007, and e-mails from or forwarded by IP address 192.168.1.0 with subnet 255.255.255.0.
    Router(config)# anti-spam white-list subject testwhite activate
    Router(config)# anti-spam white-list e-mail whitelist.ourcompany.com activate
    Router(config)# anti-spam white-list mail-header Date 2007 activate
    Router(config)# anti-spam white-list ip-address 192.168.1.0 255.255.255.0 activate
    Router(config)# show anti-spam white-list
    No. Type         Status  Content
    1   subject      yes     testwhite
    2   e-mail       yes     whitelist.ourcompany.com
    3   mail-header  yes     Date 2007
    4   ip-address   yes     192.168.1.0 255.255.255.0
23.2.3.2 Regular Expressions in Black or White List Entries
The following applies for a black... (cut off in this copy)
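To see what the four entry types in the example above actually match, here is an added example (not ZyXEL code) that evaluates constructed e-mail messages against the same white list: subject text, sender address or domain, a header field value, and the source or relay IP address. The matching semantics are assumptions where the page is cut off: subject and header matching is a case-insensitive substring test, an e-mail entry matches either the full address or the sender's domain, and relay IPs are read from the bracketed addresses in Received headers. The message headers and IP addresses are constructed for the demo.

```python
"""Evaluate constructed e-mails against an anti-spam style white list.

Added example, not ZyXEL's implementation. Entry types mirror the
white-list example in 23.2.3.1; match semantics are assumptions (see
comments) because the page's regular-expression rules are cut off.
"""
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Optional


@dataclass
class ListEntry:
    kind: str            # "subject" | "e-mail" | "mail-header" | "ip-address"
    value: str           # subject text, address/domain, header value, or IP
    header: str = ""     # header field name for kind == "mail-header"
    mask: str = ""       # subnet mask for kind == "ip-address"
    active: bool = True


# The white list from the guide's example, in the order it was entered.
WHITE_LIST: List[ListEntry] = [
    ListEntry("subject", "testwhite"),
    ListEntry("e-mail", "whitelist.ourcompany.com"),
    ListEntry("mail-header", "2007", header="Date"),
    ListEntry("ip-address", "192.168.1.0", mask="255.255.255.0"),
]

_RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(msg: Message, sender_ip: str) -> List[str]:
    """Source IP plus every bracketed IP in Received headers (assumption)."""
    ips = [sender_ip]
    for received in msg.get_all("Received", []):
        ips.extend(_RELAY_IP.findall(received))
    return ips


def entry_matches(entry: ListEntry, msg: Message, sender_ip: str) -> bool:
    if not entry.active:
        return False
    if entry.kind == "subject":
        # Assumption: case-insensitive substring match on the Subject line.
        return entry.value.lower() in msg.get("Subject", "").lower()
    if entry.kind == "e-mail":
        # Assumption: matches the exact address or the sender's domain.
        addr = parseaddr(msg.get("From", ""))[1].lower()
        wanted = entry.value.lower()
        return addr == wanted or addr.endswith("@" + wanted)
    if entry.kind == "mail-header":
        # Assumption: substring match on the named header's value.
        return entry.value.lower() in msg.get(entry.header, "").lower()
    if entry.kind == "ip-address":
        net = ipaddress.ip_network(f"{entry.value}/{entry.mask}", strict=False)
        return any(ipaddress.ip_address(ip) in net
                   for ip in relay_ips(msg, sender_ip))
    raise ValueError(f"unknown entry kind {entry.kind}")


def first_match(raw_message: str, sender_ip: str,
                entries: List[ListEntry] = WHITE_LIST) -> Optional[int]:
    """Return the 1-based number of the first matching entry, or None."""
    msg = message_from_string(raw_message)
    for number, entry in enumerate(entries, start=1):
        if entry_matches(entry, msg, sender_ip):
            return number
    return None


# Constructed sample messages (addresses and IPs are documentation values).
MSG_SUBJECT = "From: alice@example.org\nSubject: Quarterly numbers TESTWHITE\n\nbody\n"
MSG_DOMAIN = "From: Bob <bob@whitelist.ourcompany.com>\nSubject: hello\n\nbody\n"
MSG_DATE = ("Received: from mx.example.net ([192.168.1.77]) by gw\n"
            "From: carol@example.net\nDate: Tue, 13 Mar 2007 10:00:00 +0000\n"
            "Subject: report\n\nbody\n")
MSG_RELAY = "From: dave@example.net\nDate: Mon, 1 Sep 2008 09:00:00 +0000\nSubject: x\n\nbody\n"
MSG_NONE = "From: eve@example.net\nDate: Mon, 1 Sep 2008 09:00:00 +0000\nSubject: x\n\nbody\n"

if __name__ == "__main__":
    for name, raw, ip in [("subject", MSG_SUBJECT, "203.0.113.5"),
                          ("domain", MSG_DOMAIN, "198.51.100.7"),
                          ("date", MSG_DATE, "203.0.113.9"),
                          ("relay", MSG_RELAY, "192.168.1.20"),
                          ("none", MSG_NONE, "203.0.113.9")]:
        print(name, "->", first_match(raw, ip))
```

The third message matches both the Date entry and the relay-IP entry; the function reports the lowest-numbered hit, which is the order the entries were entered in the CLI example. Whether the appliance stops at the first match is not stated on this page, so treat that as part of the demo's assumptions.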
358. ...ntry Code
The following table displays the number for each country.
    Table 10 Country Codes (COUNTRY CODE, COUNTRY NAME)
    001 Afghanistan
    002 Albania
    003 Algeria
    004 American Samoa
    005 Andorra
    006 Angola
    007 Anguilla
    008 Antarctica
    009 Antigua & Barbuda
    010 Argentina
    011 Armenia
    012 Aruba
    013 Ascension Island
    014 Australia
    015 Austria
    016 Azerbaijan
    017 Bahamas
    018 Bahrain
    019 Bangladesh
    020 Barbados
    021 Belarus
    022 Belgium
    023 Belize
    024 Benin
    025 Bermuda
    026 Bhutan
    027 Bolivia
    028 Bosnia and Herzegovina
    029 Botswana
    030 Bouvet Island
    031 Brazil
    032 British Indian Ocean Territory
    (Chapter 5 Registration, Table 10 Country Codes, continued)
    033 Brunei Darussalam
    034 Bulgaria
    035 Burkina Faso
    036 Burundi
    037 Cambodia
    038 Cameroon
    039 Canada
    040 Cape Verde
    041 Cayman Islands
    042 Central African Republic
    043 Chad
    044 Chile
    045 China
    046 Christmas Island
    047 Cocos (Keeling) Islands
    048 Colombia
    049 Comoros
    050 Congo, Democratic Republic of the
    051 Congo, Republic of
    052 Cook Islands
    053 Costa Rica
    054 Cote d'Ivoire
    055 Croatia (Hrvatska)
    056 Cyprus
    057 Czech Republic
    058 Denmark
    059 Djibouti
    060 Domin... (cut off in this copy)
359. ...number subject subject {activate|deactivate}
        Adds, edits or removes a white list entry to check e-mail for specific content in the subject line. Also turns the entry on or off.
    [no] anti-spam black-list activate
        Turns the black list checking on or off. Turn on the black list to treat e-mail that matches an active black list entry as spam.
    [no] anti-spam black-list rule_number ip-address ip subnet_mask {activate|deactivate}
        Adds, edits or removes a black list entry to check e-mail for a specific source or relay IP address. Also turns the entry on or off.
    [no] anti-spam black-list rule_number e-mail email {activate|deactivate}
        Adds, edits or removes a black list entry to check e-mail for a specific source e-mail address or domain name. Also turns the entry on or off.
    [no] anti-spam black-list rule_number mail-header mail_header value {activate|deactivate}
        Adds, edits or removes a black list entry to check e-mail for specific header fields and values. Also turns the entry on or off.
    [no] anti-spam black-list rule_number subject subject {activate|deactivate}
        Adds, edits or removes a black list entry to check e-mail for specific content in the subject line. Also turns the entry on or off.
    anti-spam tag black-list tag
        Configures a message or label (up to 15 ASCII characters) to add to the mail subject of e-mails that match an anti-spam black list entry.
    show a... (cut off in this copy)
360. ...numeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
    object_name
        The name of the service. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following sections list the service object and service group commands.
27.2.1 Service Object Commands
The first table lists the commands for service objects.
    Table 140 service-object Commands: Service Objects
    show service-object [object_name]
        Displays information about the specified service or about all the services.
    no service-object object_name
        Deletes the specified service.
    service-object object_name {tcp|udp} {eq <1..65535>|range <1..65535> <1..65535>}
        Creates the specified TCP service or UDP service using the specified parameters.
    (Chapter 27 Services, Table 140 service-object Commands: Service Objects, continued)
    service-object object_name icmp icmp_value
        Creates the specified ICMP message using the specified parameters.
        icmp_value: <0..255> | alternate-address | conversion-error | echo | echo-reply | information-reply | information-request | mask-reply | mask-request | mobile-redirect | parameter-problem | redirect | router-adver... (cut off in this copy)
361. ...setenv startup stop-on-error off
        Has the ZyWALL ignore any errors in the startup-config.conf file and apply all of the valid commands.
    show setenv startup
        Displays whether or not the ZyWALL is set to ignore any errors in the startup-config.conf file and apply all of the valid commands.
    write
        Saves your configuration changes to the flash ("non-volatile" or "long term") memory. The ZyWALL immediately uses configuration changes made via commands, but if you do not use the write command, the changes will be lost when the ZyWALL restarts.
37.5 File Manager Command Example
This example saves a back-up of the current configuration before applying a shell script file.
    Router(config)# copy running-config conf/backup.conf
    Router(config)# run script/vpn_setup.zysh
37.6 FTP File Transfer
You can use FTP to transfer files to and from the ZyWALL for advanced maintenance and support.
37.6.1 Command Line FTP File Upload
    1 Connect to the ZyWALL.
    2 Enter "bin" to set the transfer mode to binary.
    3 You can upload the firmware after you log in through FTP. To upload other files, use "cd" to change to the corresponding directory.
    4 Use "put" to transfer files from the computer to the ZyWALL. For example:
        In the conf directory, use "put config.conf today.conf" to upload the configuration file (config.conf) to the ZyWALL and rename it "today.conf".
        "put 1.00(XL.0).bin" transfers the fi... (cut off in this copy)
362. [List of Commands (Alphabetical), continued; only the entries still legible after extraction are kept, with their page numbers]
    passive-interface ... 59
    passive-interface ... 60
    passive-interface interface_name ... 98
    passive-interface interface_name ... 99
    password password ... 269
    password password ... 271
    password password ... 80
    personal-firewall personal_firewall_software_name detect auto-protection {enable|disable} ... 279
    phone phone ... 270
    ... 80
    ... 62
    policy override-direct-route activate ... 92
    policy ... 92
    policy ... 140
    port ... 78
    port ... 166
    port speed {9600|19200|38400|57600|115200} ... 306
    port speed {9600|19200|38400|57600|115200} ... 80
363. ...o send specific traffic types. You can use trunks in combination with policy routing. You can also define multiple trunks for the same physical interfaces. This allows you to send specific traffic types through the interface that works best for that type of traffic, and if that interface's connection goes down, the ZyWALL can still send its traffic through another interface.
7.2 Trunk Scenario Examples
Suppose one of the ZyWALL's interfaces is connected to an ISP that is also your Voice over IP (VoIP) service provider. You may want to set that interface as active and set another interface (connected to another ISP) to passive. This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface's connection is up.
Another example would be if you use multiple ISPs that provide different levels of service to different places. Suppose ISP A has better connections to Europe while ISP B has better connections to Australia. You could use policy routing and trunks to send traffic for your European branch offices primarily through ISP A and traffic for your Australian branch offices primarily through ISP B.
(Chapter 7 Trunks)
7.3 Trunk Commands Input Values
The following table explains the values you can input with the interface-group commands.
    Table 38 interface-group Command Input Values
    group_name
        A descriptive name for the tr... (cut off in this copy)
364. ...ock
        Has the ZyWALL block sessions that do not match a content filtering policy. The no command allows sessions that do not match a content filtering policy.
    [no] content-filter license license
        Sets the license key for the external web filtering service. The no command clears the setting.
    content-filter passed-warning flush
        Clears the ZyWALL's record of sessions for which it has given the user a warning before allowing access.
    content-filter passed-warning timeout <1..1440>
        Sets how long to keep records of sessions for which the ZyWALL has given the user a warning before allowing access.
    [no] content-filter policy policy_number address schedule filtering_profile
        Sets a content filtering policy. The no command removes it.
    content-filter policy policy_number shutdown
        Disables a content filtering policy.
    content-filter url test url
        Tests whether or not a web site is saved in the ZyWALL's database of restricted web pages.
    content-filter url server test url server rating_server timeout query_timeout
        Tests whether or not a web site is saved in the external content filter server's database of restricted web pages.
    content-filter zsb port <1..65535>
        Sets the port the ZyWALL uses to check if requested web pages pose a threat to users or their computers.
    show content-filter passed-warning
        Displays the ZyWALL's record of sessions for which it has given the u... (cut off in this copy)
365. of 1000 kbps. The ZyWALL sends anything over 1000 kbps through ge3.

Router# configure terminal
Router(config)# interface-group spill-example
Router(if-group)# mode trunk
Router(if-group)# algorithm spill-over
Router(if-group)# interface 1 ge1 limit 1000
Router(if-group)# interface 2 ge3 limit 1000
Router(if-group)# exit
Router(config)#

Chapter 7 Trunks (page 86)

7.6 Link Sticking

You can have the ZyWALL send each local computer's traffic through a single WAN interface for a specified period of time. This is useful when a redirect server forwards a user request for a file and informs the file server that a particular WAN IP address is requesting the file. If the user's subsequent sessions came from a different WAN IP address, the file server would deny the request. Here is an example.

Figure 14 Link Sticking (figure labels: Internet, WAN1, WAN2, LAN, A, B)

1. LAN user A tries to download a file from server B on the Internet. The ZyWALL uses WAN to send the request to server B.
2. However, remote server B is actually a redirect server. So server B sends a file list to LAN user A. The file list lets LAN user A's computer know that the desired file is actually on file server C. At the same time, redirect server B info
366. ol

9.2.1 RIP Commands

This table lists the commands for RIP.

Table 47 router Commands: RIP (COMMAND: DESCRIPTION)
router rip: Enters sub-command mode.
[no] network interface_name: Enables RIP on the specified Ethernet interface. The no command disables RIP on the specified interface.
[no] redistribute {static | ospf}: Enables redistribution of routing information learned from the specified source. The no command disables redistribution from the specified source.
redistribute {static | ospf} metric <0..16>: Sets the metric when redistributing routing information learned from the specified source.
[no] version <1..2>: Sets the default RIP version for all interfaces with RIP enabled. If the interface RIP version is blank, the interface uses the default version. This is not available in the GUI. The no command sets the default RIP version to 2.
[no] passive-interface interface_name: Sets the direction to In-Only for the specified interface. The no command sets the direction to bi-directional.
[no] authentication mode {md5 | text}: Sets the authentication mode for RIP. The no command sets the authentication mode to none.
[no] authentication string authkey: Sets the password for text authentication. The no command clears the password.
authentication key <1..255> key-string authkey: Sets the MD5 ID and password for MD5 authentication.
[no] authen
367. ommands

Table 89 Commands for Zone-to-Zone Anti-Virus Rules (COMMAND: DESCRIPTION)
anti-virus rule append: Enters the anti-virus sub-command mode to add a direction-specific rule.
anti-virus rule insert <1..32>: Enters the anti-virus sub-command mode to add a direction-specific rule.

Chapter 20 Anti-Virus

Table 89 Commands for Zone-to-Zone Anti-Virus Rules (continued)
anti-virus rule <1..32>: Enters the anti-virus sub-command mode to edit the specified direction-specific rule.
[no] activate: Turns a direction-specific anti-virus rule on or off.
[no] log [alert]: Sets the ZyWALL to create a log (and optionally an alert) when packets match this rule and are found to be virus-infected. The no command sets the ZyWALL not to create a log or alert when packets match this rule.
[no] from zone_object: Sets the zone on which the packets are received. The no command removes the zone on which the packets are received and resets it to the default (any). any means all interfaces or VPN tunnels.
[no] to zone_object: Sets the zone to which the packets are sent. The no command removes the zone to which the packets are sent and resets it to the default (any). any means all interfaces or VPN tunnels.
[no] scan {http | ftp | imap | pop3}: Sets the protocols of traffic to scan for viruses.
[no] infected a
368. on on the external server.

RADIUS: RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.

29.2 Authentication Server Command Summary

This section describes the commands for authentication server settings.

Chapter 29 AAA Server (page 251)

29.2.1 ad-server Commands

The following table lists the ad-server commands you use to set the default AD server.

Table 144 ad-server Commands (COMMAND: DESCRIPTION)
show ad-server: Displays the default AD server settings.
[no] ad-server basedn basedn: Sets a base distinguished name (DN) for the default AD server. A base DN identifies an AD directory. The no command clears this setting.
[no] ad-server binddn binddn: Sets the user name the ZyWALL uses to log into the default AD server. The no command clears this setting.
[no] ad-server cn-identifier uid: Sets the unique common name (cn) to identify a record. The no command clears this setting.
[no] ad-server host ad_server: Sets the AD server address. Enter the IP address in dotted decimal notation or the domain name. The no command clears this setting.
[no] ad-server password password: Sets the bind password. This password will be encrypted when you use the show ad-server comman
369. onds the ZyWALL checks if the primary address is available.
mode {main | aggressive}: Sets the negotiating mode.

Chapter 16 IPSec VPN

Table 68 isakmp Commands: IKE SAs (continued) (COMMAND: DESCRIPTION)
transform-set isakmp_algo [isakmp_algo [isakmp_algo]]: Sets the encryption and authentication algorithms for each proposal. ISAKMP_ALGO: des-md5 | des-sha | 3des-md5 | 3des-sha | aes128-md5 | aes128-sha | aes192-md5 | aes192-sha | aes256-md5 | aes256-sha.
lifetime <180..3000000>: Sets the IKE SA life time to the specified value.
{group1 | group2 | group5}: Sets the DHx group to the specified group.
[no] natt: Enables NAT traversal. The no command disables NAT traversal.
local-ip {ip ip | domain_name | interface interface_name}: Sets the local gateway address to the specified IP address, domain name, or interface.
peer-ip {ip ip [ip] | domain_name [domain_name]}: Sets the remote gateway address(es) to the specified IP address(es) or domain name(s).
keystring pre_shared_key: Sets the pre-shared key that can be used for authentication. The PRE_SHARED_KEY can be 8-32 alphanumeric characters or 16-64 hexadecimal (0-9, A-F) characters preceded by 0x. The pre-shared key is case-sensitive.
local-id type {ip ip | fqdn domain_name | ...}: Sets the local ID type and content to the specified
370. or must follow sub-commands if it is to make the ZyWALL exit sub-command mode. Line 3 in the following example exits sub-command mode.

interface ge1
ip address dhcp
!

Lines 1 and 3 in the following example are comments and line 4 exits sub-command mode.

#
interface ge1
# this interface is a DHCP client
!

Lines 1 and 2 are comments. Line 5 exits sub-command mode.

# this is from Joe
# on 2006/06/05
interface ge1
ip address dhcp
!

37.2.2 Errors in Configuration Files or Shell Scripts

When you apply a configuration file or run a shell script, the ZyWALL processes the file line by line. The ZyWALL checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the ZyWALL finds an error, it stops applying the configuration file or shell script and generates a log.

You can change the way a configuration file or shell script is applied. Include setenv stop-on-error off in the configuration file or shell script. The ZyWALL ignores any errors in the configuration file or shell script and applies all of the valid commands. The ZyWALL still generates a log for any errors.

37.2.3 ZyWALL Configuration File Details

You can store multiple configuration files on the ZyWALL. You can also have the ZyWALL use a different configuration file without the ZyWALL restarting. When you first receive the ZyWALL, it uses the system-default.conf confi
371. or example, if you enter 1234567890XYZ for a DES encryption key, the ZyWALL only uses 12345678. The ZyWALL still stores the longer key.
local-ip ip: Sets the local gateway address to the specified IP address.
peer-ip ip: Sets the remote gateway address to the specified IP address.

16.2.4 VPN Concentrator Commands

This table lists the commands for the VPN concentrator.

Table 71 vpn-concentrator Commands: VPN Concentrator (COMMAND: DESCRIPTION)
show vpn-concentrator [profile_name]: Shows the specified VPN concentrator or all VPN concentrators.
[no] vpn-concentrator profile_name: Creates the specified VPN concentrator if necessary and enters sub-command mode. The no command deletes the specified VPN concentrator.

Chapter 16 IPSec VPN

Table 71 vpn-concentrator Commands: VPN Concentrator (continued)
[no] crypto map_name: Adds the specified IPSec SA to the specified VPN concentrator. The no command removes the specified IPSec SA from the specified VPN concentrator.
vpn-concentrator rename profile_name profile_name: Renames the specified VPN concentrator (first profile_name) to the specified name (second profile_name).

16.2.5 SA Monitor Commands

This table lists the commands for the SA monitor.

Table 72 sa Commands: SA Monitor (COMMAND: DESCRIPTION)
show sa monitor [begin <1..1000
372. or rgb | color_name | color_number}: Sets the title text color of the login page.
login-page window-color {color_rgb | color_name | color_number}: Sets the color of the login page's window border.
logo background-color {color_rgb | color_name | color_number}: Sets the color of the logo banner across the top of the login screen and access page.
show access-page settings: Lists the current access page settings.
show login-page default-title: Lists the factory default title for the login page.
show login-page settings: Lists the current login page settings.
show logo settings: Lists the current logo background (banner) and floor line (below the banner) settings.
show page-customization: Lists whether the ZyWALL is set to use custom login and access pages or the default ones.

35.3 Host Name Commands

The following table describes the commands available for the hostname and domain name. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 160 Command Summary: Host Name (COMMAND: DESCRIPTION)
[no] domainname domain_name: Sets the domain name. The no command removes the domain name. domain_name: This name can be up to 254 alphanumeric characters long. Spaces are not allowed, but dashes and underscores are accepted.
[no] hostname hostname: Sets a descriptive name to identify your ZyWALL. The no command remo
373. or the e-mail profiles.
[no] logging mail <1..2>: Enables the specified e-mail profile. The no command disables the specified e-mail profile.
[no] logging mail <1..2> address {ip | hostname}: Sets the URL or IP address of the mail server for the specified e-mail profile. The no command clears the mail server field. hostname: You may use up to 63 alphanumeric characters, dashes, or periods, but the first character cannot be a period.
logging mail <1..2> sending_now: Sends mail for the specified e-mail profile immediately, according to the current settings.
[no] logging mail <1..2> authentication: Enables SMTP authentication. The no command disables SMTP authentication.
[no] logging mail <1..2> authentication username username password password: Sets the username and password required by the SMTP mail server. The no command clears the username and password fields. username: You can use alphanumeric characters, underscores, and dashes, and it can be up to 31 characters long. password: You can use most printable ASCII characters. You cannot use square brackets, double quotation marks, question marks, tabs or spaces. It can be up to 31 characters long.

Chapter 38 Logs

Table 186 logging Commands: E-mail Profile Settings (continued) (COMMAND: DESCRIPTION)
[no] logging mail <1..2> send-log-to alerts-to
374. or white list entry based on an e-mail subject, e-mail address, or e-mail header value. Use a question mark (?) to let a single character vary. For example, use "a?c" (without the quotation marks) to specify abc, acc and so on. You can also use a wildcard (*). For example, if you configure *def.com, any e-mail address that ends in def.com matches. So mail.def.com matches. The wildcard can be anywhere in the text string and you can use more than one wildcard. You cannot use two wildcards side by side; there must be other characters between them. The ZyWALL checks the first header with the name you specified in the entry. So if the e-mail has more than one Received header, the ZyWALL checks the first one.

23.2.4 DNSBL Anti-Spam Commands

This section describes the commands for checking the sender and relay IP addresses in e-mail headers against DNS (Domain Name Service)-based spam Black Lists (DNSBLs). You must use the configure terminal command to enter the configuration mode before you can use these commands.

Chapter 23 Anti-Spam

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 118 Input Values for DNSBL Commands (LABEL: DESCRIPTION)
dnsbl_domain: A domain that is maintaining a DNSBL. You may use 0-254 alphanumeric characters or dashes. This
375. ore activating XMODEM upload on your terminal.

Figure 37 Starting Xmodem Upload
Do you want to start the recovery process (Y/N) default N
Starting XMODEM upload (CRC mode)
C

5. This is an example Xmodem configuration upload using HyperTerminal. Click Transfer, then Send File to display the following screen.

Figure 38 Example Xmodem Upload (Send File dialog)
Folder: C:\Product
Filename: C:\Product\Firmware.bin (type the firmware file's location or click Browse to search for it)
Protocol: 1K Xmodem (choose the 1K Xmodem protocol)
Then click Send.

6. Wait for about three and a half minutes for the Xmodem upload to finish.

Figure 39 Recovery Image Upload Complete

7. Enter atgo. The ZyWALL starts up. If "Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file" displays on the screen, the firmware file is damaged and you need to use the procedure in to recover the firmware.

Chapter 37 File Manager

Figure 40 atgo Debug Command

37.10 Restoring the Firmware

Note: This procedure requires the ZyWALL's firmware. Download the firmware package from www.zyxel.com and unzip it. The firmware file uses a .bin extension, for example, 1.01(XL.0)C0.bin. Do the following after you have obtained the firmware file.

This section is not for normal firmware uploads. You only need to use this
376. orm-set isakmp_algo [isakmp_algo [isakmp_algo]] ... 138
trigger append incoming service_name trigger service_name ... 92
trigger insert <1..8> incoming service_name trigger service_name ... 92
type {internal | external | general} ... 64
udp-decoder {truncated-header | undersize-len | oversize-len} action {drop | reject-sender | reject-receiver | reject-both} ... 188
udp-decoder {truncated-header | undersize-len | oversize-len} log [alert] ... 138
udp-filtered-distributed-portscan udp-filtered-portsweep details ... 189
username rename username username ... 234
username username [no] description description ... 234
username username [no] logon-lease-time <0..1440> ... 234
username username [no] logon-re-auth-time <0..1440> ... 235
username username [no] logon-time-setting {default | manual} ... 234
username username nopassword user-type {admin | guest | limited-admin | user} ... 234
username username password password user-type {admin
377. os-wait | tcp-lastack | tcp-timewait} <1..300> ... 341
session-limit move rule_number to rule_number ... 132
set security-association lifetime seconds <180..3000000> ... 140
set session-key ah <256..4095> auth_key esp <256..4095> cipher enc_key authenticator ... 142
setenv-startup stop-on-error ... 316
ZyWALL ZLD CLI Ref
378. ot configured before the first error, the console port may be the only way to access the device.

Use ignore-error without rollback: this applies the valid parts of the configuration file and generates error logs for all of the configuration file's errors. This lets the ZyWALL apply most of your configuration, and you can refer to the logs for what to fix.

Use both ignore-error and rollback: this applies the valid parts of the configuration file, generates error logs for all of the configuration file's errors, and starts the ZyWALL with a fully valid configuration file.

Use rollback without ignore-error: this gets the ZyWALL started with a fully valid configuration file as quickly as possible.

You can use the apply /conf/system-default.conf command to reset the ZyWALL to go back to its system defaults.

copy {cert | conf | idp | packet_trace | script | tmp}/file_name-a.conf {cert | conf | idp | packet_trace | script | tmp}/file_name-b.conf: Saves a duplicate of a file on the ZyWALL from the source file name to the target file name. Specify the directory and file name of the file that you want to copy and the directory and file name to use for the duplicate. Always copy the file into the same directory.
copy running-config startup-config: Saves your configuration changes to the flash (non-volatile or long-term) memory. The ZyWALL immediately uses configuration changes made via commands, but if you do not use
379. ou use to configure a group of LDAP servers.

Table 148 aaa group server ldap Commands (COMMAND: DESCRIPTION)
clear aaa group server ldap [group_name]: Deletes all LDAP server groups or the specified LDAP server group. Note: You can NOT delete a server group that is currently in use.
show aaa group server ldap group_name: Displays the specified LDAP server group settings.
[no] aaa group server ldap group_name: Sets a descriptive name for an LDAP server group. Use this command to enter the sub-command mode. The no command deletes the specified server group.
aaa group server ldap rename group_name group_name: Changes the descriptive name for an LDAP server group.
aaa group server ldap group_name: Enter the sub-command mode.
[no] server alternative-cn-identifier uid: Sets the second type of identifier that the users can use to log in, if any. For example, name or e-mail address. The no command clears this setting.
[no] server basedn basedn: Sets the base DN to point to the LDAP directory on the LDAP server group. The no command clears this setting.
[no] server binddn binddn: Sets the user name the ZyWALL uses to log into the LDAP server group. The no command clears this setting.
[no] server cn-identifier uid: Sets the user name the ZyWALL uses to log into the LDAP server group. The no command clears this setting.
[no] server description: Sets the descripti
380. ource address_name destination address_name snat address_name: Configures in-bound traffic SNAT in the IPSec SA.
[no] in-dnat activate: Enables in-bound traffic DNAT in the IPSec SA. The no command disables in-bound traffic DNAT in the IPSec SA.
in-dnat delete <1..10>: Deletes the specified rule for in-bound traffic DNAT in the specified IPSec SA.
in-dnat move <1..10> to <1..10>: Moves the specified rule (first rule number) to the specified location (second rule number) for in-bound traffic DNAT.
in-dnat append protocol {all | tcp | udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535>: Maps the specified IP address and port range (original-ip) to the specified IP address and port range (mapped-ip) and appends this rule to the end of the rule list for in-bound traffic DNAT.
in-dnat insert <1..10> protocol {all | tcp | udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535>: Maps the specified IP address and port range (original-ip) to the specified IP address and port range (mapped-ip) and inserts this rule before the specified rule.
in-dnat <1..10> protocol {all | tcp | udp} original-ip address_name <0..65535> <0..65535> mapped-ip address_name <0..65535> <0..65535>: Creates or revises the specified rule and maps the specified IP address and port ra
381. outer(config-idp-anomaly-profile-test)# tcp-decoder oversize-offset action drop
Router(config-idp-anomaly-profile-test)# tcp-decoder oversize-offset log alert
Router(config-idp-anomaly-profile-test)# tcp-decoder oversize-offset activate
Router(config-idp-anomaly-profile-test)# no tcp-decoder oversize-offset activate
Router(config-idp-anomaly-profile-test)# exit
Router(config)# show idp anomaly test tcp-decoder oversize-offset details
message: tcp_decoder OVERSIZE-OFFSET ATTACK
keyword: tcp-decoder oversize-offset
activate: no
action: drop
log: log alert

Chapter 21 IDP Commands

21.3.5 Editing System Protect

Use these commands to edit the system protect profiles.

Table 100 Editing System Protect Profiles (COMMAND: DESCRIPTION)
idp system-protect: Configure the system protect profile. Enters sub-command mode. All the following commands relate to the new profile. Use exit to quit sub-command mode.
[no] signature sid activate: Activates or deactivates an IDP signature.
signature sid log [alert]: Sets log or alert options for an IDP signature.
[no] signature sid log: Deactivates log options for an IDP signature.
signature sid action {drop | reject-sender | reject-receiver | reject-both}: Sets an action for an IDP signature.
[no] signature sid action: Deactivates an action for an IDP signature.
show idp system-protect all details
382. outer# configure terminal
Router(config)# anti-virus update signatures
ANTI-VIRUS signature update in progress. Please check system log for future information.
Router(config)# anti-virus update auto
Router(config)# no anti-virus update auto
Router(config)# anti-virus update hourly
Router(config)# anti-virus update daily 10
Router(config)# anti-virus update weekly fri 13
Router(config)# show anti-virus update
auto: yes
schedule: weekly at Friday 13 o'clock
Router(config)# show anti-virus update status
current status: Anti-Virus Current signature version 1.046 on device is latest at Tue Apr 17 10:18:00 2007
last update time: 2007-04-07 10:41:01
Router(config)# show anti-virus signatures status
current version: 1.046
release date: 2007-04-06 10:41:29
Signature number: 4124

20.4 Anti-virus Statistics

The following table describes the commands for collecting and displaying anti-virus statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 93 Commands for Anti-virus Statistics (COMMAND: DESCRIPTION)
[no] anti-virus statistics collect: Turn the collection of anti-virus statistics on or off.
anti-virus statistics flush: Clears the collected statistics.
show anti-virus statistics summary: Displays the collected statistics.
show anti-virus statistics collect: Displays whether the collection of anti-vir
383. ow long the system's core firmware can be unresponsive before resetting. The no command turns the timer off.

Chapter 43 Watchdog Timer (page 351)

Table 197 software-watchdog-timer Commands (continued) (COMMAND: DESCRIPTION)
show software-watchdog-timer status: Displays the settings of the software watchdog timer.
show software-watchdog-timer log: Displays a log of when the software watchdog timer took effect.

43.3 Application Watchdog

The application watchdog has the system restart a process that fails. These are the app-watchdog commands. Use the configure terminal command to enter the configuration mode to be able to use these commands.

Table 198 app-watchdog Commands (COMMAND: DESCRIPTION)
[no] app-watch-dog activate: Turns the application watchdog timer on or off.
[no] app-watch-dog console-print {always | once}: Display debug messages on the console every time they occur or once. The no command changes the setting back to the default.
[no] app-watch-dog interval <5..60>: Sets how frequently (in seconds) the ZyWALL checks the system processes. The no command changes the setting back to the default.
[no] app-watch-dog retry-count <1..5>: Sets how many times the ZyWALL is to re-check a process before considering it failed. The no command changes the setting back to the default.
[no] app-watch-dog alert: Has the Z
384. groupname groupname [no] groupname groupname ... 235
host ip ipaddress profile_name ... 346
icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} action {drop | reject-sender | reject-receiver | reject-both} ... 189
icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} log [alert] ... 199
idp signature system-protect update daily <0..23> ... 197
idp signature system-protect update hourly ... 197
idp signature system-protect update signatures ... 197
idp signature system-protect update weekly {sun | mon | tue | wed | thu | fri | sat} ... 15
idp signature anomaly rule {append | insert <1..32>} ... 185
idp signature anomaly rule {delete <1..32> | move <1..32> to <1..32>} ... 185
idp anomaly
385. p_name: Sets a descriptive name for an AD server group. Use this command to enter the sub-command mode. The no command deletes the specified server group.
aaa group server ad rename group_name group_name: Changes the descriptive name for an AD server group.
aaa group server ad group_name: Enter the sub-command mode to configure an AD server group.
[no] server alternative-cn-identifier uid: Sets the second type of identifier that the users can use to log in, if any. For example, name or e-mail address. The no command clears this setting.
[no] server basedn basedn: Sets the base DN to point to the AD directory on the AD server group. The no command clears this setting.
[no] server binddn binddn: Sets the user name the ZyWALL uses to log into the AD server group. The no command clears this setting.
[no] server cn-identifier uid: Sets the user name the ZyWALL uses to log into the AD server group. The no command clears this setting.
[no] server description description: Sets the descriptive information for the AD server group. You can use up to 60 printable ASCII characters. The no command clears the setting.
[no] server group-attribute group_attribute: Sets the name of the attribute that the ZyWALL is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-grou
386. p-over-ipsec pool address_object: Specifies the address object that defines the pool of IP addresses that the ZyWALL uses to assign to the L2TP VPN clients.

Chapter 18 L2TP VPN (page 153)

Table 76 L2TP VPN Commands (COMMAND: DESCRIPTION)
l2tp-over-ipsec authentication aaa_authentication_profile_name: Specifies how the ZyWALL authenticates a remote user before allowing access to the L2TP VPN tunnel. The authentication method has the ZyWALL check a user's user name and password against the ZyWALL's local database, a remote LDAP, RADIUS, or Active Directory server, or more than one of these.
[no] l2tp-over-ipsec user user_name: Specifies the user or user group that can use the L2TP VPN tunnel. If you do not configure this, any user with a valid account and password on the ZyWALL can log in. The no command removes the user name setting.
[no] l2tp-over-ipsec keepalive-timer <1..180>: The ZyWALL sends a Hello message after waiting this long without receiving any traffic from the remote user. The ZyWALL disconnects the VPN tunnel if the remote user does not respond. The no command returns the default setting.
[no] l2tp-over-ipsec first-dns-server {ip | interface_name 1st}: Specifies the first DNS server IP address to assign to the remote users. You can specify a static IP address or a DNS server that an interface received from its DHC
387. p-user user objects to identify groups based on these group identifier values. For example, you could have an attribute named memberOf with values like sales, RD, and management. Then you could also create an ext-group-user user object for each group: one with sales as the group identifier, another for RD, and a third for management. The no command clears the setting.
[no] server host ad_server: Enter the IP address in dotted decimal notation or the domain name of an AD server to add to this group. The no command clears this setting.
[no] server password password: Sets the bind password (up to 15 alphanumerical characters). The no command clears this setting.

Chapter 29 AAA Server

Table 147 aaa group server ad Commands (continued) (COMMAND: DESCRIPTION)
[no] server port port_no: Sets the AD port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
[no] server search-time-limit time: Sets the search timeout period in seconds. Enter a number between 1 and 300. The no command clears this setting and sets this to the default setting of 5 seconds.
[no] server ssl: Enables the ZyWALL to establish a secure connection to the AD server. The no command disables this feature.

29.2.6 aaa group server ldap Commands

The following table lists the aaa group server ldap commands y
388. device-register username user_name password password e-mail user@domainname country-code ... 39
dir {/cert | /conf | /idp | /packet_trace | /script | /tmp} ... 315
dscp-marking class default ... 91
389. passive-interface interface_name: Sets the RIP direction of the specified interface to in-only. The no command makes RIP bi-directional in the specified interface.
[no] outonly-interface interface_name: Sets the RIP direction of the specified interface to out-only. The no command makes RIP bi-directional in the specified interface.
interface interface_name: Enters sub-command mode.

Chapter 6 Interfaces

Table 19 interface Commands: RIP Settings (continued) (COMMAND: DESCRIPTION)
[no] ip rip {send | receive} version <1..2>: Sets the send or receive version to the specified version number. The no command sets the send or received version to the current global setting for RIP. See Chapter 9 on page 97 for more information about routing protocols.
[no] ip rip v2-broadcast: Enables RIP-2 packets using subnet broadcasting. The no command uses multi-casting.
show rip {global | interface {all | interface_name}}: Displays RIP settings.

6.2.5 OSPF Commands

This table lists the commands for OSPF settings.

Table 20 interface Commands: OSPF Settings (COMMAND: DESCRIPTION)
router ospf: Enters sub-command mode.
[no] network interface_name area ip: Makes the specified interface part of the specified area. The no command removes the specified interface from the specified area, disabling OSPF in this interface.
390. phanumeric or Q spi 2 8 hexadecimal string less than 15 1 15 alphanumeric or chars string less than 63 1 63 alphanumeric or Qd4 amp N amp 7 chars string 1 alphanumeric or _ subject 1 61 alphanumeric spaces or S_ system type 0 2 hexadecimal timezone hh 12 through 12 with or without url 1 511 alphanumeric or 2 4Q0 ZyWALL ZLD CLI Reference Guide Chapter 1 Command Line Interface Table 3 Input Value Formats for Strings in CLI Commands continued TAG VALUES LEGAL VALUES url Used in content filtering redirect SEEP Lit alphanumeric or amp _ https starts with http or https may contain one pound sign Used in other content filtering commands http alphanumeric or amp _ starts with http may contain one pound sign 4 user name Used in VPN extended authentication 1 31 alphanumeric or Used in other commands 0 30 alphanumeric or _ first character letters or username 6 20 alphanumeric or _ registration user name LE alphanumeric or _ logging commands user domainname 1 80 alphanumeric or _ vrrp group name less 1 15 alphanumeric or _ than 15 chars week day sequence 1 4 i e 1 first 2 second xauth method 1 31 alphanumeric or _ xauth password 1 31 alphanumeric or
391. profile The no command clears it no backup iface interface_nam Sets the backup WAN interface in the specified DDNS profile The no command clears it no ha iface interface_nam Sets the HA interface in the specified DDNS profile The no command clears it no backmx Enables the backup mail exchanger The no command disables it no wildcard Enables the wildcard feature The no command disables it ZyWALL ZLD CLI Reference Guide Chapter 11 DDNS ZyWALL ZLD CLI Reference Guide Virtual Servers This chapter describes how to set up manage and remove virtual servers Virtual server commands configure NAT 12 1 Virtual Server Overview Virtual server is also known as port forwarding or port translation Virtual servers are computers on a private network behind the ZyWALL that you want to make available outside the private network If the ZyWALL has only one public IP address you can make the computers in the private network available by using ports to forward packets to the appropriate private IP address 12 1 1 1 1 NAT and Many 1 1 NAT 1 1 NAT If the private network server will initiate sessions to the outside clients use 1 1 NAT to have the ZyWALL translate the source IP address of the server s outgoing traffic to the same public IP address that the outside clients use to access the server Many 1 1 NAT If you have a range of private network servers that w
392. protect update weekly sun mon tue wed thu fri sat 0 23 Enables automatic signature download once a week ZyWALL ZLD CLI Reference Guide at the time and day specified Chapter 21 IDP Commands Table 105 Update Signatures COMMAND DESCRIPTION show idp signature system protect update Displays signature update schedule show idp signature system protect update Displays signature update status status show idp signature system protect Displays signature information Signatures version date number 21 5 1 Update Signature Examples These examples show how to enable disable automatic IDP downloading schedule updates display the schedule display the update status show the new updated signature version number show the total number of signatures and show the date time the signatures were created Router config Router config Router config Router config Router config Router config Router config auto yes Router configure terminal IDP signature update in progress Please check system log for future information schedule weekl Router config current status 22 47 47 2003 last update tim idp signature update signatures idp update auto no idp update auto idp update hourly idp update daily 10 idp update weekly fri 13 show idp update y at Friday 13 o clock show idp signature update sta
393. ps no device ha vrrp group vrrp_group_name Creates the specified VRRP group if necessary and enters sub command mode The no command deletes the specified VRRP group no vrid 1 254 Sets the specified VRRP group s ID to the specified VR ID The no command clears the VR ID no interface interface nam Specifies the interface that is part of the specified VRRP group The no command removes the specified interface from the specified VRRP group no role master backup Specifies the role of the specified VRRP group in the virtual router The no command clears the role which makes the configuration incomplete no priority lt 1 254 gt Sets the priority of the specified VRRP group in the virtual router The no command resets the priority to 100 no preempt Lets the ZyWALL preempt lower priority routers in the virtual router The no command prevents the ZyWALL from preempting lower priority routers no manage ip IP Specifies the IP address of the specified VRRP group when it is not the master The no command clears the IP address ZyWALL ZLD CLI Reference Guide Chapter 24 Device HA Table 125 device ha Commands VRRP Groups continued COMMAND DESCRIPTION no authentication string password ah md5 password Specifies the authentication method and password for the specified VRRP group The no command means that the specified VRRP group does not use
394. r ISP account information for PPPoE PPTP interfaces 32 1 ISP Accounts Overview An ISP account is a profile of settings for Internet access using PPPoE or PPTP 32 1 1 PPPoE and PPTP Account Commands The following table lists the PPPoE and PPTP ISP account commands Table 154 PPPoE and PPTP ISP Account Commands COMMAND DESCRIPTION show account pppoe profile_name pptp profile_name Displays information about the specified account s no account pppoe pptp profile name Creates a new ISP account with name profile name if necessary and enters sub command mode The no command deletes the specified ISP account profile_name use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive no user username Sets the username for the specified ISP account The no command clears the username username You can use alphanumeric underscores dashes and characters and it can be up to 30 characters long no password password Sets the password for the specified ISP account The no command clears the password password You can use up to 63 printable ASCII characters Spaces are not allowed no authentication chap pap chap pap mschap mschap v2 Sets the authentication for the specified ISP account The no command sets the authentication to chap pap no compression on off
395. r third DNS server or the ZyWALL itself The no command resets the setting to its default value no second dns server ip interface_name 1st dns 2nd dns 3rd dns ZyWALL Sets the second DNS server to the specified IP address the specified interface s first second or third DNS server or the ZyWALL itself The no command resets the setting to its default value no third dns server ip interface name 1st dns 2nd dns 3rd dns ZyWALL Sets the third DNS server to the specified IP address the specified interface s first second or third DNS server or the ZyWALL itself The no command resets the setting to its default value no first wins server ip Specifies the first WINS server IP address to assign to the remote users The no command removes the setting no second wins server ip Specifies the second WINS server IP address to assign to the remote users The no command removes the setting no lease lt 0 365 gt lt 0 23 gt lt 0 59 gt infinite Sets the lease time to the specified number of days hours and minutes or makes the lease time infinite The no command resets the first DNS server setting to its default value interface interface_nam Enters sub command mode no ip dhcp pool profile name Binds the specified interface to the specified DHCP pool You have to remove any DHCP relays first The no command removes the binding no
397. re the My Address setting according to your requirements Replace the default Pre Shared Key 18 3 Policy Route You must configure a policy route to let remote users access resources on a network behind the ZyWALL Set the policy route s Source Address to the address object that you want to allow the remote users to access LAN SUBNET in the following figure Set the Destination Address to the IP address pool that the ZyWALL assigns to the remote users L2TP POOL in the following figure Figure 22 Policy Route for L2TP VPN L2TP POOL LAN SUBNET ZyWALL ZLD CLI Reference Guide Chapter 18 L2TP VPN 18 4 L2TP VPN Commands The following table describes the values required for some L2TP VPN commands Other values are discussed with the corresponding commands Table 75 Input Values for L2TP VPN Commands LABEL DESCRIPTION address object The name of an IP address group object You may use 1 31 alphanumeric characters underscores or dashes but the first character cannot be a number This value is case sensitive interface name The name of the interface Ethernet interface For the ZyWALL USG 300 and above use gex x 1 N where N equals the highest numbered Ethernet interface for your ZyWALL model The ZyWALL USG 100 and 200 models use a name such as wan1 wan2 opt lan1 ext wlan or dmz VLAN interface vlanx x 0 4094 bridge
398. re the ZyWALL After you configure the ZyWALL it automatically sends updated IP addresses to the DDNS ZyWALL ZLD CLI Reference Guide service provider which helps redirect traffic accordingly Chapter 11 DDNS 11 2 DDNS Commands Summary The following table describes the values required for many DDNS commands Other values are discussed with the corresponding commands Table 55 Input Values for DDNS Commands LABEL DESCRIPTION profile_name value is case sensitive The name of the DDNS profile You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This The following table lists the DDNS commands Table 56 ip ddns Commands COMMAND DESCRIPTION show ddns profile name Displays information about the specified DDNS profile or about all DDNS profiles no ip ddns profile profile name Creates the specified DDNS profile if necessary and enters sub command mode The no command deletes it no service type dyndns dyndns static dyndns custom dynu basic dynu premium no ip peanut hull 3322 dyn 3322 static Sets the service type in the specified DDNS profile The no command clears it no username username password password Sets the username and password in the specified DDNS profile The no command clears these fields username You can use up to 31 alphanumeric characters an
399. ress in dotted decimal notation or the domain name of the directory server The domain name can use alphanumeric characters periods and hyphens Up to 255 characters port Specify the LDAP server port number You must use the same server port number that the directory server uses 389 is the default server port number for LDAP The ZyWALL may need to authenticate itself in order to access the CRL directory server Type the login name up to 31 characters from the entity maintaining the server usually a certification authority You can use alphanumeric characters the underscore and the dash Type the password up to 31 characters from the entity maintaining the CRL directory server usually a certification authority You can use the following characters a zA Z0 9 amp _ lt gt ocsp activate deactivate Has the ZyWALL check or not check incoming certificates that are signed by this certificate against a directory server that uses OCSP Online Certificate Status Protocol ZyWALL ZLD CLI Reference Guide Chapter 31 Certificates Table 153 ca Commands Summary continued COMMAND DESCRIPTION ocsp url url id name password password deactivate Sets the validation configuration for the specified remote trusted certificate where the directory server uses OCSP url Type the protocol IP address and pathname of the OCSP server name The ZyWALL may need to
400. ress object 1st dns resources on the network as if they were on the same local network address object ip 2nd ip pool specify the name of the pool of IP addresses to assign to dns address object ip the user computers for the VPN connection 1st wins address object ip Specify the names of the DNS or WINS servers to assign to the y 2nd wins address object remote users This allows them to access devices on the local network using domain names instead of IP addresses ip network address object network specify a network users can access no user user name Specifies the user or user group that can use the SSL VPN access policy sslvpn policy move 1 16 to Moves the specified SSL VPN access policy to the number that you lt 1 16 gt specified sslvpn no connection username Terminates the user s SSL VPN connection and deletes user_name corresponding session information from the ZyWALL no sslvpn policy profile_name Deletes the specified SSL VPN access policy sslvpn policy rename profile name Renames the specified SSL VPN access policy profile name show workspace application Displays the SSLVPN resources available to each user when logged into SSLVPN show workspace cifs Displays the shared folders available to each user when logged into SSLVPN 17 2 2 Setting an SSL VPN Rule Tutorial Here is an example SSL VPN configuration The SSL VPN rule defines e Only users u
401. returns it to the default value The following table lists valid input for IDP commands Table 94 Input Values for IDP Commands LABEL DESCRIPTION zone profile The name of a zone For the ZyWALL USG 300 and above use up to 31 characters a zA Z0 9 The name cannot start with a number This value is case sensitive The ZyWALL USG 100 and 200 models use pre defined zone names like DMZ LAN1 SSL VPN WLAN IPSec VPN OPT and WAN idp profile The name of an IDP profile It can consist of alphanumeric characters the underscore and the dash and it is 1 31 characters long Spaces are not allowed 21 2 General IDP Commands 21 2 1 IDP Activation BS You must register for the IDP AppPatrol signature service at least the trial before you can use it See Chapter 5 on page 37 ZyWALL ZLD CLI Reference Guide Chapter 21 IDP Commands This table shows the IDP signature anomaly and system protect activation commands Table 95 IDP Activation COMMAND DESCRIPTION no idp Enables IDP signatures anomaly detection and or system protect IDP signatures signature anomaly use requires IDP service registration If you don t have a standard license you can system protect register for a once off trial one Anomaly detection and the self protect feature do activate not require registration The no command disables the specified service idp system protect Disables system protec
403. rfaces you create on the WLAN card Table 30 WLAN General Commands COMMAND DESCRIPTION wlan slot_name Specifies the slot the WLAN card is installed in and enters sub command mode slot_name The name of the slot where the WLAN card is installed in the ZyWALL Use slot x where x equals the number of the card slot no activate Turns the wireless device on The no command turns it off band lt b g bg gt Sets whether wireless clients can connect to the ZyWALL using IEEE 802 11b IEEE 802 11g or both channel lt wireless_channel auto gt Sets the wireless operating channel wireless channel Specify the channel number The numbers available vary by region no ctsrts 256 2346 Sets the Clear To Send Request To Send threshold CTS RTS reduces data collisions caused by wireless clients that are associated with the same AP but out of range of one another The no command turns off CTS RTS no frag 256 2346 Sets the threshold number of bytes for the fragmentation boundary for directed messages It is the maximum data fragment size that can be sent no super Enables super mode fast frame and packet bursting role ap Sets the ZyWALL to act as an AP only the AP role is supported at the time of writing output power 100 50 25 Sets the wireless output power Reducing output power can 12 5 help reduce interference with other nearby APs exit
404. ring anti spam rule move rule_number to rule_number Moves a direction specific anti spam rule to the number that you specified anti spam rule delete rule_number Removes a direction specific anti spam rule show anti spam rule rule_number Displays the details of all the configured anti spam rules or a specific anti spam rule ZyWALL ZLD CLI Reference Guide Chapter 23 Anti Spam 23 2 2 1 Zone to Zone Anti spam Rule Example This example shows how to configure and display a WAN to DMZ anti spam rule to scan POP3 and SMTP traffic SMTP spam is forwarded POP3 spam is marked with a spam tag The ZyWALL logs the event when an e mail matches the DNSBL see Section 23 2 4 on page 215 for more on DNSBL The white and black lists are ignored bypass white list bypass black list bypass dnsbl no Router config anti spam rule 1 Router config as rule 1 activate Router config as rule 1 from zone WAN Router config as rule 1 to zone DMZ Router config as rule 1 scan smtp Router config as rule 1 scan pop3 Router config as rule 1 match action smtp forward Router config as rule 1 match action pop3 forward with tag Router config as rule 1 log Router config as rule 1 bypass white list Router config as rule 1 bypass black list Router config as rule 1 exit Router config show anti spam rule 1 Anti Spam Rule 1 active yes log log from zone WAN
405. rminal Router config ip http redirect example1 interface ge1 redirect to 10 10 2 3 80 Router config f ip http redirect example1 interface ge1 redirect to 10 10 2 3 80 deactivate Router config show ip http redirect Name Interface Proxy Server Port Active example1 ge1 10 10 2 3 80 no ZyWALL ZLD CLI Reference Guide Chapter 13 HTTP Redirect ZyWALL ZLD CLI Reference Guide ALG This chapter covers how to use the ZyWALL s ALG feature to allow certain applications to pass through the ZyWALL 14 1 ALG Introduction The ZyWALL can function as an Application Layer Gateway ALG to allow certain NAT un friendly applications such as SIP to operate properly through the ZyWALL s NAT Some applications cannot operate through NAT are NAT un friendly because they embed IP addresses and port numbers in their packets data payload The ZyWALL examines and uses IP address and port number information embedded in the VoIP traffic s data stream When a device behind the ZyWALL uses an application for which the ZyWALL has VoIP pass through enabled the ZyWALL translates the device s private IP address inside the data stream to a public IP address It also records session port numbers and allows the related sessions to go through the firewall so the application s traffic can come in from the WAN to the LAN The ZyWALL only needs to use the ALG feature for traffic that goes through the ZyWALL
406. rms file server C that a computer located at the WAN1 s IP address will download a file 3 The ZyWALL is using active active load balancing So when LAN user A tries to retrieve the file from file server C the request goes out through WAN2 4 File server C finds that the request comes from WAN2 s IP address instead of WAN1 s IP address and rejects the request 5 If link sticking had been configured the ZyWALL would have still used WAN1 to send LAN user A s request to file server C and the file server would have given the file to A ZyWALL ZLD CLI Reference Guide Chapter 7 Trunks 7 7 Link Sticking Commands Summary The following table lists the ip load balancing link sticking commands for link sticking The link sticking commands have the prefix ip load balancing because they affect the ZyWALL s load balancing behavior You must use the configure terminal command to enter the configuration mode before you can use these commands See Table 38 on page 84 for details about the values you can input with these commands Table 40 ip load balancing link sticking Commands Summary COMMAND DESCRIPTION no ip load balancing link sticking activate Turns link sticking on or off no ip load balancing link sticking timeout timeout Sets for how many seconds 30 3600 the ZyWALL sends all of each local computer s traffic through one WAN interface show ip load balancing link sticking status Disp
407. rmware 1 00 XL 0 bin to the ZyWALL 1 When you upload a custom signature the ZyWALL appends it to the existing custom signatures stored in the custom rules file ZyWALL ZLD CLI Reference Guide Chapter 37 File Manager The firmware update can take up to five minutes Do not turn off or reset the ZyWALL while the firmware update is in progress If you lose power during the firmware upload you may need to refer to Section 37 8 on page 319 to recover the firmware 37 6 2 Command Line FTP Configuration File Upload Example The following example transfers a configuration file named tomorrow conf from the computer and saves it on the ZyWALL as next conf BS Uploading a custom signature file named custom rules overwrites all custom signatures on the ZyWALL Figure 29 FTP Configuration File Upload Example C gt ftp 192 168 1 1 Connected to 192 168 1 1 220 FTP Server ZyWALL 192 168 1 1 User 192 168 1 1 none admin 331 Password required for admin Password 230 User admin logged in ftp cd conf 250 CWD command successful ftp bin 200 Type set to I ftp put tomorrow conf next conf 200 PORT command successful 150 Opening BINARY mode data connection for next conf 226 Post action ok 226 Transfer complete ftp 20231 bytes sent in 0 00Seconds 20231000 00Kbytes sec 37 6 3 Command Line FTP File Download 1 Connect to the ZyWALL 2 Enter bin to set th
409. rresponding commands Table 73 Input Values for SSL VPN Commands LABEL DESCRIPTION profile name The descriptive name of an SSL VPN access policy You may use up to 31 characters a z A Z 0 9 with no spaces allowed address object The name of an IP address group object You may use 1 31 alphanumeric characters underscores or dashes but the first character cannot be a number This value is case sensitive application object The name of an SSL application object You may use up to 31 characters 0 9 a z A Z and No spaces are allowed ZyWALL ZLD CLI Reference Guide Chapter 17 SSL VPN Table 73 Input Values for SSL VPN Commands continued LABEL DESCRIPTION user_name The name of a user group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive eps_profile_name The name of an endpoint security object The following sections list the SSL VPN commands 17 2 1 SSL VPN Commands This table lists the commands for SSL VPN You must use the configure terminal command to enter the configuration mode before you can use these commands Table 74 SSL VPN Commands COMMAND DESCRIPTION show sslvpn policy profile_name Displays the settings of the specified SSL VPN access policy show ssl vpn network extensio
410. rror Router test aaa server ad host 172 16 50 1 port 389 base dn DC ZyXEL DC com bind dn zyxel engineerABC password abcdefg login name attribute sAMAccountName account userABC dn QO49MTIzZNzco546L5a0r56uRKSXPVT1XaXROTWFpbCxEQzlaeVhFTCxXEQz14jb20 objectClass top objectClass person objectClass organizationalPerson objectClass user cn MTIzNzco546L5a0r5 6uRKQ sn User 1 2341100 FEE SNIP BEEN ZyWALL ZLD CLI Reference Guide Chapter 30 Authentication Objects ZyWALL ZLD CLI Reference Guide Certificates This chapter explains how to use the Certificates 31 1 Certificates Overview The ZyWALL can use certificates also called digital IDs to authenticate users Certificates are based on public private key pairs A certificate contains the certificate owner s identity and public key Certificates provide a way to exchange public keys for use in authentication A Certification Authority CA issues certificates and guarantees the identity of each certificate owner There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities You can use the ZyWALL to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority 31 2 Certificate Commands This section describes the commands for configuring certificates
411. rs interface type followed by a number x For most interfaces x is limited by the maximum number of the type of interface For WLAN interfaces the first number identifies the slot and the second number identifies the individual interface ZyWALL ZLD CLI Reference Guide Chapter 6 Interfaces Cellular interfaces can be added to the WAN zone or no zone 6 1 2 Relationships Between Interfaces In the ZyWALL interfaces are usually created on top of other interfaces Only Ethernet interfaces are created directly on top of the physical ports or port groups The relationships between interfaces are explained in the following table Table 14 Relationships Between Different Types of Interfaces REQUIRED PORT INTERFACE INTERFACE auxiliary interface auxiliary port port group physical port Ethernet interface physical port port group VLAN interface Ethernet interface bridge interface Ethernet interface WLAN interface VLAN interface PPPoE PPTP interface Ethernet interface ZyWALL USG 300 and above VLAN interface bridge interface PPPoE PPTP interface WAN1 WAN2 OPT ZyWALL USG 100 and 200 models virtual interface virtual Ethernet interface Ethernet interface virtual VLAN interface VLAN interface virtual bridge interface bridge interface trunk Ethernet interface Cellular interface VLAN interface bridge interface PPPoE PPTP interface auxiliary interface
412. rs ip console Unlocks the specified IP address users force logout ip username Logs out the specified logins ZyWALL ZLD CLI Reference Guide 239 Chapter 25 User Group 25 2 5 1 Additional User Command Examples The following commands display the users that are currently logged in to the ZyWALL and forces the logout of all logins from a specific IP address Router configure terminal Router config show users all No Name Type From Service Session Time Idle Time Lease Timeout Re Auth Timeout 1 admin admin 192 168 1 34 http https 00 33 27 unlimited 23 45 18 23 26 33 2 admin admin 192 168 1 34 http https 00 14 31 unlimited 23 48 38 23545529 3 admin admin 172 23 23 83 http https 00 04 07 unlimited 23 58 32 23599253 4 admin admin 223 023 9838 telnet 00 03 30 unlimited 23 7 992 59 23 56 30 Router config users force logout 192 168 1 34 Logout user admin from 192 168 1 34 OK Logout user admin from 192 168 1 34 OK Total 2 users have been forced logout Router config show users all No Name Type From Service Session Time Idle Time Lease Timeout Re Auth Timeout 1 admin admin 1424223722483 http https 00 04 31 unlimited 23 58 08 23155229 2 admin admin 172 23 23 83 telnet 00 03 54 unlimited 24 00 00 23 56 06 The following commands display the users that are currently locked out and then unlocks the user who is displayed Router configure terminal
413. rs sub command mode See Table 82 on page 165 for the sub commands app protocol_name exception rule_number Enters sub command mode for editing the rule at the specified row See Table 82 on page 165 for the sub commands to rule_number app protocol_name exception rule_number Enters sub command mode for editing the rule at or the specified row See Table 82 on page 165 for the app protocol name exception modify rule number Sub commands app protocol name exception default Enters sub command mode for editing the default or rule for the application See Table 82 on page 165 app protocol name exception modify default for the sub commands app protocol name exception move rule number Moves the specified rule first index to the specified location The process is 1 remove the specified rule from the table 2 re number 3 insert the rule at the specified location ZyWALL ZLD CLI Reference Guide Chapter 19 Application Patrol 19 2 3 1 Exception Rule Sub commands The following table describes the sub commands for several application patrol exception rule commands Note that not all rule commands use all the sub commands listed here Table 82 app patrol exception rule Sub commands COMMAND DESCRIPTION access forward drop reject Specifies the action when traffic matches the rule no action block Blocks use of a specific feature login message audio video file transfer no a
414. rtual server

virtual-server WAN-LAN-H323
  active: yes
  interface: wan1
  NAT loopback active: yes
  NAT 1:1: no
  original IP: 10.0.0.8
  mapped IP: 192.168.1.56
  mapping type: port
  protocol type: tcp
  original service:
  mapped service:
  original start port: 1720
  original end port:
  mapped start port: 1720
  mapped end port:
Router(config)#

12.2.2 Tutorial: How to Allow Public Access to a Server. This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). You will use a public IP address of 1.1.1.2 on the ge2 (or wan1 on USG 100 and 200 models) interface and map it to the HTTP server's private IP address of 192.168.3.7. [Figure 17 Public Server Example Network Topology: HTTP server 192.168.3.7 in the DMZ, ZyWALL WAN interface, Internet.] Follow the following steps for the setting. 1. Configure Address object. ZyWALL ZLD CLI Reference Guide, Chapter 12 Virtual Servers. Create two address objects. One is named DMZ_HTTP for the HTTP server's private IP address of 192.168.3.7. The other one is named ge2_HTTP for the ge2 (wan1) public IP address of 1.1.1.2.

Router# configure terminal
Router(config)# address-object DMZ_HTTP 192.168.3.7
Router(config)# address-object ge2_HTTP 1.1.1.2
Router(config)#

2. Configure NAT. You need a NAT rule to send HTTP traffic coming to IP address 1.1.1.2 on ge2 (wan1) to the HTTP server's private IP address of 192.168.3.7. Use
415. rvice pack number the user's computer must have installed. The user's computer must have this service pack or higher. For example, 2 means service pack 2. The no command means to have the ZyWALL ignore the Windows service pack number. [no] windows security patch security_patch: If you set windows as the operating system (using the os type command), you can use this command to set a Windows security patch that the user's computer must have installed. If you want to enter multiple security patches, use this command for each of them. The user's computer must have all of the set Windows security patches installed to pass the checking item. [no] windows registry registry_key {eq | gt | lt | ge | le | neq} registry_value: If you set windows as the operating system (using the os type command), you can use this command to set a Windows registry value to check on the user's computer. If you want to enter multiple registry values, use this command for each of them. Set whether the value for the registry item in the user's computer has to be equal to (eq), greater than (gt), less than (lt), greater than or equal to (ge), less than or equal to (le) or not equal to (neq) the value specified. The user's computer must pass all of the set Windows registry value checks to pass the checking item. show eps profile [profile_name]: Displays the settings of all or the specified endpoint security object. show eps profile profile_name s
416. s description: WIZ_VPN; user: any; schedule: none; interface: ge1; tunnel: none; sslvpn: none; source: PC_SUBNET; destination: L2TP_POOL; service: any; nexthop type: Tunnel; nexthop: Default_L2TP_VPN_Connection; bandwidth: 0; bandwidth priority: 0; maximize bandwidth usage: no; SNAT: none; amount of port trigger: 0. ZyWALL ZLD CLI Reference Guide, Chapter 18 L2TP VPN. PART V: Application Patrol. Application Patrol. This chapter describes how to set up application patrol for the ZyWALL. 19.1 Application Patrol Overview. Application patrol provides a convenient way to manage the use of various applications on the network. It manages general protocols (for example, HTTP and FTP) and instant messenger (IM), peer-to-peer (P2P), Voice over IP (VoIP) and streaming (RTSP) applications. You can even control the use of a particular application's individual features (like text messaging, voice, video conferencing and file transfers). Application patrol also has powerful bandwidth management, including traffic prioritization to enhance the performance of delay-sensitive applications like voice and video. The ZyWALL checks firewall rules before application patrol rules for traffic going through the ZyWALL. To use a service, make sure both the firewall and application patrol allow the service's packets to go through the ZyWALL. Application patrol ex
417. s NAT. The firewall allows related sessions for VoIP applications that register with a server. The firewall allows or blocks peer-to-peer VoIP traffic based on the firewall rules. You do not need to use a TURN (Traversal Using Relay NAT) server for VoIP devices behind the ZyWALL when you enable the SIP ALG. ZyWALL ZLD CLI Reference Guide, Chapter 14 ALG. 14.2 ALG Commands. The following table lists the alg commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. Table 61 alg Commands (COMMAND: DESCRIPTION). [no] alg sip [inactivity timeout] [signal port <1025..65535>] [signal extra port <1025..65535>] [media timeout <1..86400>] [signal timeout <1..86400>] [transformation]: Turns on or configures the ALG. Use inactivity timeout to have the ZyWALL apply SIP media and signaling inactivity time-out limits. Use signal port with a listening port number (1025 to 65535) if you are using SIP on a port other than UDP 5060. Use signal extra port with a listening port number (1025 to 65535) if you are also using SIP on an additional UDP port number; enter it here. Use media timeout and a number of seconds (1~86400) for how long to allow a voice session to remain idle without voice traffic before dropping it. Use signal timeout and a number of seconds (1~86400) for how long to allow a SIP signaling session to remain idle without SIP packets
419. s points as they are on the wireless stations. If you set WEP encryption to use a 64-bit key (using the security mode and security wep 64 commands), type any 5-character ASCII string, or 5 pairs of hexadecimal characters (0-9, A-F) preceded by 0x, for each key. If you set WEP encryption to use a 128-bit key (using the security mode and security wep 128 commands), type a 13-character ASCII string, or 13 pairs of hexadecimal characters (0-9, A-F) preceded by 0x, for each key. 6.7.2.1 WLAN Interface Commands Example. This example configures WLAN AP interface 2 for slot 1 to use SSID WLAN_test, WPA security modes with a pre-shared key of 12345678, IP address 1.1.1.1, netmask 255.255.255.0 and a gateway IP address of 1.2.3.4 with a priority of 10.

Router(config)# interface wlan-1-2
Router(config-if-wlan)# ssid WLAN_test
Router(config-if-wlan)# security wpa tkip psk key 12345678
Router(config-if-wlan)# security mode wpa
Router(config-if-wlan)# ip address 1.1.1.1 255.255.255.0
Router(config-if-wlan)# ip gateway 1.2.3.4 metric 10
Router(config-if-wlan)# exit

ZyWALL ZLD CLI Reference Guide, Chapter 6 Interfaces. 6.7.3 WLAN MAC Filter Commands. Use these commands to give specific wireless clients exclusive access to the ZyWALL (allow association) or block specific devices from accessing the ZyWALL (deny association) based on the devices' MAC addresses. Table 32 WLAN
420. s ICMP, TCP and UDP session timeouts. The following example sets the UDP session connect timeout to 10 seconds, the UDP deliver session timeout to 15 seconds and the ICMP timeout to 15 seconds.

Router(config)# session-timeout udp-connect 10
Router(config)# session-timeout udp-deliver 15
Router(config)# session-timeout icmp 15
Router(config)# show session-timeout udp
UDP session connect timeout: 10 seconds
UDP session deliver timeout: 15 seconds
Router(config)# show session-timeout icmp
ICMP session timeout: 15 seconds

ZyWALL ZLD CLI Reference Guide, Chapter 40 Session Timeout. Diagnostics. This chapter covers how to use the diagnostics feature. 41.1 Diagnostics. The diagnostics feature provides an easy way for you to generate a file containing the ZyWALL's configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting. 41.2 Diagnosis Commands. The following table lists the commands that you can use to have the ZyWALL collect diagnostics information. Use the configure terminal command to enter the configuration mode to be able to use these commands. Table 193 diagnosis Commands (COMMAND: DESCRIPTION). diag-info collect: Has the ZyWALL create a new diagnostic file. show diag-info: Displays the name, size and creation date (in yyyy-mm-dd hh:mm:ss format) of the
421. s a basic hardware test. You cannot restore the boot module if it is damaged. The boot module also checks and loads the recovery image. The ZyWALL notifies you if the recovery image is damaged. 2. The recovery image checks and loads the firmware. The ZyWALL notifies you if the firmware is damaged. ZyWALL ZLD CLI Reference Guide, Chapter 37 File Manager. 37.8 Notification of a Damaged Recovery Image or Firmware. The ZyWALL's recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the ZyWALL notifies you of a damaged recovery image or firmware file. Use this section if your device has stopped responding for an extended period of time and you cannot access or ping it. Note that the ZyWALL does not respond while starting up. It takes less than five minutes to start up with the default configuration, but the start-up time increases with the complexity of your configuration. 1. Use a console cable and connect to the ZyWALL via a terminal emulation program (such as HyperTerminal). Your console session displays the ZyWALL's startup messages. If you cannot see any messages, check the terminal emulation program's settings (see Section 1.2.1 on page 12) and restart the ZyWALL. 2. The system startup messages display, followed by "Press any key to enter debug mode within 3 seconds." Note: Do not press any keys at this point. Wait to see what displays next. Fig
422. s a content filtering profile to block (or allow and log) access to web pages that match the profile's selected managed categories. The no command clears the setting. [no] content-filter profile filtering_profile url offline {block | log | warn}: Sets the action for attempted access to web pages if the external content filtering database is unavailable. The no command clears the setting. Block access, allow and log access, or display a warning message before allowing access. [no] content-filter profile filtering_profile url unrate {block | log | warn}: Sets the action for attempted access to web pages that the external web filtering service has not categorized. The no command clears the setting. Block access, allow and log access, or display a warning message before allowing access. [no] content-filter profile filtering_profile url url-server: Sets a content filtering profile to use the external web filtering service. The no command has the profile not use the external web filtering service. [no] content-filter service-timeout service_timeout: Sets how many seconds the ZyWALL is to wait for a response from the external content filtering server. The no command clears the setting. content-filter url test url: Tests whether or not a web site is saved in the ZyWALL's database of restricted web pages. content-filter url-server test url server-timeout query_timeout rating-server: T
423. s ge1 ge2
Router(config)# show zone A
blocking intra-zone traffic: yes
No.  Type       Member
1    interface  ge1
2    interface  ge2

ZyWALL ZLD CLI Reference Guide, Chapter 10 Zones. DDNS. This chapter describes how to configure dynamic DNS (DDNS) services for the ZyWALL. 11.1 DDNS Overview. DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address. You must have a public WAN IP address to use Dynamic DNS. Set up a dynamic DNS account with a supported DNS service provider to be able to use Dynamic DNS services with the ZyWALL. When registration is complete, the DNS service provider gives you a password or key. At the time of writing, the ZyWALL supports the following DNS service providers. See the listed websites for details about the DNS services offered by each. Table 54 Network > DDNS (DDNS SERVICE: SERVICE TYPES SUPPORTED; WEBSITE; NOTES). DynDNS: Dynamic DNS, Static DNS and Custom DNS; www.dyndns.com. Dynu: Basic, Premium; www.dynu.com. No-IP: No-IP; www.no-ip.com. Peanut Hull: Peanut Hull; www.oray.cn; Chinese website. Record your DDNS account's user name, password and domain name to use to configu
424. s table lists the commands for each pre-defined application. Table 78 app Commands: Pre-Defined Applications (COMMAND: DESCRIPTION). [no] app protocol_name activate: Enables application patrol for the specified application. The no command disables application patrol for the specified application. [no] app protocol_name allowport <1..65535>: If the default action is drop or reject, adds the specified port to the list of ports that are forwarded in spite of the default action. The no command removes the specified port from the list. app protocol_name bandwidth <0..102400>: Specifies the bandwidth limit in kilobits per second for the specified application (bandwidth graph). [no] app protocol_name bwm: Turns on bandwidth management for the specified application. The no command turns off bandwidth management for the specified application. [no] app protocol_name defaultport <1..65535>: For port-based applications, adds the specified port to the list of ports used to identify the specified application. This port number can only be included in one application's list. The no command removes the specified port from the list. app protocol_name {forward | drop | reject}: Specifies what action the ZyWALL should take when it identifies this application. ZyWALL ZLD CLI Reference Guide, Chapter 19 Application Patrol. Table 78 app Commands: Pre-Defined Applications (continued) (COMMAND: DESCRIPT
425. ser a warning before allowing access. show content-filter policy: Displays the content filtering policies. ZyWALL ZLD CLI Reference Guide, Chapter 22 Content Filtering. Table 109 content-filter General Commands (continued) (COMMAND: DESCRIPTION). show content-filter settings: Displays the general content filtering settings. show content-filter url: Displays the contents of the content filtering URL before discarding it. 22.7 Content Filter Filtering Profile Commands. The following table lists the commands that you can use to configure a content filtering policy. A content filtering policy defines which content filter profile should be applied, when it should be applied, and to whose web access it should be applied. Use the configure terminal command to enter the configuration mode to be able to use these commands. See Table 107 on page 202 for details about the values you can input with these commands. Table 110 content-filter Filtering Profile Commands Summary (COMMAND: DESCRIPTION). [no] content-filter license license: Sets the license key for the external web filtering service. The no command clears the setting. [no] content-filter profile filtering_profile: Creates a content filtering profile. The no command removes the profile. [no] content-filter profile filtering_profile custom (custom cookie): Sets a content filtering profile to use a profile's custom se
426. ser type for each new user. The no command sets the default user type to user. show users retry-settings: Displays the current retry limit settings for users. [no] users retry-limit: Enables the retry limit for users. The no command disables the retry limit. users retry-count <1..99>: Sets the number of failed login attempts a user can have before the account or IP address is locked out for lockout-period minutes. The no command sets the retry count to five. users lockout-period <1..65535>: Sets the amount of time, in minutes, a user or IP address is locked out after retry-count number of failed login attempts. The no command sets the lockout period to thirty minutes. show users simultaneous-logon-settings: Displays the current settings for simultaneous logins by users. [no] users simultaneous-logon {administration | access} enforce: Enables the limit on the number of simultaneous logins by users of the specified account type. The no command disables the limit, or allows an unlimited number of simultaneous logins. [no] users simultaneous-logon {administration | access} limit <1..1024>: Sets the limit for the number of simultaneous logins by users of the specified account type. The no command sets the limit to one. show users update-lease-settings: Displays whether or not access users can automatically renew their lease time. [no] users update-lease automation: Lets users
427. setting commands. DHCP is based on DHCP pools. Create a DHCP pool if you want to assign a static IP address to a MAC address, or if you want to specify the starting IP address and pool size of a range of IP addresses that can be assigned to DHCP clients. There are different commands for each configuration. Afterwards, in either case, you have to bind the DHCP pool to the interface. Table 17 interface Commands: DHCP Settings (COMMAND: DESCRIPTION). show ip dhcp pool [profile_name]: Shows information about the specified DHCP pool or about all DHCP pools. ip dhcp pool rename profile_name profile_name: Renames the specified DHCP pool from the first profile_name to the second profile_name. [no] ip dhcp pool profile_name: Creates a DHCP pool if necessary and enters sub-command mode. You can use the DHCP pool to create a static entry or to set up a range of IP addresses to assign dynamically. About the sub-command settings:
- If you use the host command, the ZyWALL treats this DHCP pool as a static DHCP entry.
- If you do not use the host command and use the network command, the ZyWALL treats this DHCP pool as a pool of IP addresses.
- If you do not use the host command or the network command, the DHCP pool is not properly configured and cannot be bound to any interface.
The no command removes the specified DHCP pool. show: Shows information about the specified DHCP pool. Use the following commands if you want to create a
428. sing the tester account can use the SSL VPN. The ZyWALL will assign an IP address from 192.168.100.1 to 192.168.100.10 (defined in object IP_POOL) to the computers which match the rule's criteria. The ZyWALL will assign two DNS server settings, 172.16.1.1 and 172.16.1.2 (defined in objects DNS1 and DNS2), to the computers which match the rule's criteria. The SSL VPN users are allowed to access the ZyWALL's local network 172.16.10.0/24 (defined in object Network1). Users have to access the SSL VPN using a computer that complies with all the following criteria (defined in object EPS_1): Windows XP is installed; TrendMicro PC-Cillin Internet Security 2007 is installed and activated. ZyWALL ZLD CLI Reference Guide, Chapter 17 SSL VPN. 1. First of all, configure 10.1.1.254/24 for the IP address of interface ge2, which is an external interface for public SSL VPN to access. Configure 172.16.10.254/24 for the IP address of interface ge3, which is an internal network.

Router(config)# interface ge2
Router(config-if-ge)# ip address 10.1.1.254 255.255.255.0
Router(config-if-ge)# exit
Router(config)# interface ge3
Router(config-if-ge)# ip address 172.16.10.254 255.255.255.0
Router(config-if-ge)# exit

2. Create four address objects for the SSL VPN DHCP pool, DNS servers and the local network for SSL VPN authenticated users to access.

Router(config)# address-object IP_POOL 192.168.100.1
430. sk. See Table 67 on page 136 for other parameter descriptions. show isakmp sa: Displays current IKE SAs and the status of each one. no sa spi spi: Deletes the SA specified by the SPI. spi: 2-8 hexadecimal (0-9, A-F) characters. no sa tunnel-name map_name: Deletes the specified IPSec SA. show vpn-counters: Displays VPN traffic statistics. ZyWALL ZLD CLI Reference Guide, Chapter 16 IPSec VPN. SSL VPN. This chapter shows you how to set up secure SSL VPN access for remote user login. 17.1 SSL Access Policy. An SSL access policy allows the ZyWALL to perform the following tasks: limit user access to specific applications or files on the network; allow user access to specific networks; assign private IP addresses and provide DNS/WINS server information to remote users to access internal networks. 17.1.1 SSL Application Objects. SSL application objects specify an application type and server that users are allowed to access through an SSL tunnel. See Chapter 33 on page 273 for how to configure SSL application objects. 17.1.2 SSL Access Policy Limitations. You cannot delete an object that is used by an SSL access policy. To delete the object, you must first unassociate the object from the SSL access policy. 17.2 SSL VPN Commands. The following table describes the values required for some SSL VPN commands. Other values are discussed with the co
431. specified to make sure it is still available. You specify how often the interface checks the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the ZyWALL stops routing to the gateway. The ZyWALL resumes routing to the gateway the first time the gateway passes the connectivity check. This table lists the ping-check commands. Table 24 interface Commands: Ping Check (COMMAND: DESCRIPTION). show ping-check [interface_name | status]: Displays information about ping check settings for the specified interface or for all interfaces. status displays the current connectivity check status for any interfaces upon which it is activated. show ping-check interface_name: Displays information about ping check settings for the specified interface or for all interfaces. [no] connectivity-check continuous-log activate: Use this command to have the ZyWALL log the connectivity check result continuously. The no command disables the setting. show connectivity-check continuous-log status: Displays the continuous log setting for the connectivity check. interface interface_name: Enters sub-command mode. [no] ping-check activate: Enables ping check for the specified interface. The no command disables ping check for the specified interface. ping-check {domain_name | ip | default-gateway}: Specifies what the ZyWALL pings for the ping check. You
432. splays the message or label to add to the mail subject of e-mails that the ZyWALL forwards if queries to the DNSBL domains time out. show anti-spam dnsbl statistics: Displays anti-spam DNSBL statistics for each configured DNSBL domain. anti-spam dnsbl statistics flush: Clears the anti-spam DNSBL statistics for each configured DNSBL domain. anti-spam dnsbl query-timeout time <1..10>: Sets how long the ZyWALL waits for a reply from the DNSBL domains. show anti-spam dnsbl query-timeout time: Displays how long the ZyWALL waits for a reply from the DNSBL domains. 23.2.4.4 DNSBL Example. This example: sets the ZyWALL to use DNSBL.example.com as a DNSBL; turns DNSBL checking on; sets the ZyWALL to forward POP3 mail with a tag if the queries to the DNSBL domains time out; sets the ZyWALL to check up to 4 sender and relay server IP addresses in e-mail headers against the DNSBL; sets the ZyWALL to start DNSBL checking from the first IP address in the mail header; sets the DNSBL tag to "DNSBL"; sets the DNSBL timeout tag to "DNSBL-timeout"; displays the DNSBL statistics. ZyWALL ZLD CLI Reference Guide, Chapter 23 Anti-Spam.

Router(config)# anti-spam dnsbl domain DNSBL.example.com activate
Router(config)# show anti-spam dnsbl domain
No.  Status  Domain
1    yes     DNSBL.example.com
Router(config)# anti-spam dnsbl activate
Router(config)# show anti-spam dnsbl status
anti-spam dnsbl status: yes
433. ss default to have the ZyWALL set the DSCP value to 0. [no] log [alert]: Creates log entries (and alerts) for traffic that matches the rule. The no command does not create any log entries. [no] outbound-dscp-mark {<0..63> | class {default | dscp_class}}: This is how the ZyWALL handles the DSCP value of the outgoing packets from a connection's initiator that match this policy. Enter a DSCP value to have the ZyWALL apply that DSCP value. Set this to the class default to have the ZyWALL set the DSCP value to 0. port <0..65535>: Specifies the destination port. 0 means any. [no] schedule profile_name: Adds the specified schedule to the rule. show: Displays the rule's configuration. [no] source profile_name: Adds the specified source address to the rule. [no] to zone_name: Specifies the destination zone. [no] user username: Adds the specified user to the rule. 19.2.3 Exception Commands for Pre-defined Applications. This table lists the commands for exception rules for application access controls. These commands are used for backward compatibility only. Table 81 app Commands: Exception Rules in Pre-Defined Applications (COMMAND: DESCRIPTION). app protocol_name exception insert rule_number: Creates a new rule at the specified row and enters sub-command mode. See Table 82 on page 165 for the sub-commands. app protocol_name exception append: Creates a new rule, appends it to the end of the list and ente
434. stops the capture and generates the capture file when either this period of time has passed or the file reaches the size specified using the files-size command below. 0 means there is no time limit. file-suffix profile_name: Specifies text to add to the end of the file name (before the dot and filename extension) to help you identify the packet capture files. Modifying the file suffix also avoids making new capture files that overwrite existing files of the same name. The file name format is "interface name-file suffix.cap", for example "vlan2-packet-capture.cap". files-size <1..10000>: Specifies a maximum size limit in kilobytes for the total combined size of all the capture files on the ZyWALL, including any existing capture files and any new capture files you generate. The ZyWALL stops the capture and generates the capture file when either the file reaches this size or the time period specified using the duration command above expires. Note: If you have existing capture files you may need to set this size larger or delete existing capture files. host-ip {ip | ip_address | profile_name}: Sets a host IP address or a host IP address object for which to capture packets. any means to capture packets for all hosts. host-port <0..65535>: If you set the IP Type to any, tcp or udp using the ip-type command below, you can specify the port number of traffic to capture. iface {add | del} {interface_name | virtua
435. sts the commands for users. Table 130 username/groupname Commands Summary: Users (COMMAND: DESCRIPTION). show username [username]: Displays information about the specified user or about all users set up in the ZyWALL. username username nopassword user-type {admin | guest | limited-admin | user}: Creates the specified user (if necessary), disables the password and sets the user type for the specified user. username username password password user-type {admin | guest | limited-admin | user}: Creates the specified user (if necessary), enables and sets the password and sets the user type for the specified user. password: You can use 1-63 printable ASCII characters, except double quotation marks and question marks. username username user-type ext-user: Creates the specified user (if necessary) and sets the user type to Ext-User. no username username: Deletes the specified user. username rename username username: Renames the specified user (first username) to the specified username (second username). username username [no] description description: Sets the description for the specified user. The no command clears the description. description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long. username username [no] logon-time-setting {default | manual}: Sets the account to use the factory default lease and reauthentication times or custom ones
437. syslog. The default category includes debugging messages generated by open source software. The all category includes all messages in all categories. The following sections list the logging commands. 38.1.1 Log Entries Commands. This table lists the commands to look at log entries. Table 181 logging Commands: Log Entries (COMMAND: DESCRIPTION). show logging entries [priority pri] [category module_name] [srcip ip] [dstip ip] [service service_name] [begin <1..512> end <1..512>] [keyword keyword]: Displays the selected entries in the system log. pri: alert | crit | debug | emerg | error | info | notice | warn. keyword: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 63 characters long. This searches the message, source, destination and notes fields. show logging entries field field [begin <1..512> end <1..512>]: Displays the selected fields in the system log. field: time | msg | src | dst | note | pri | cat | all. ZyWALL ZLD CLI Reference Guide, Chapter 38 Logs. 38.1.2 System Log Commands. Table 182 logging Commands: System Log Settings. This table lists the commands for the system log settings (COMMAND: DESCRIPTION). show logging status system-log: Displays the current settings for the system log. logging system-log category module_name {disable | level normal | level all}: Specifies what kind of information, if
438. ...t deactivate
show idp {signature | anomaly | system-protect} activation
  Displays IDP signature, anomaly detection or system-protect service status.
idp reload
  Recovers the IDP signatures. You should only need to do this if instructed to do so by a support technician.
21.2.1.1 Activate/Deactivate IDP Example
This example shows how to activate and deactivate signature-based IDP on the ZyWALL.
  Router# configure terminal
  Router(config)# idp signature activate
  Router(config)# show idp signature activation
  idp signature activation: yes
  Router(config)# no idp signature activate
  Router(config)# show idp signature activation
  idp signature activation: no
21.3 IDP Profile Commands
21.3.1 Global Profile Commands
Use these commands to rename or delete existing profiles and show IDP base profiles.
Table 96 Global Profile Commands
idp rename {signature | anomaly} profile1 profile2
  Rename an IDP signature or anomaly profile originally named profile1 to profile2.
no idp {signature | anomaly} profile3
  Delete an IDP signature or system-protect profile named profile3.
show idp signature profile signature {all | details}
  Lists the settings for all of the specified profile's signatures. Use more to display the settings page by page.
show idp signature all details
  Lists the settings for all of the signatures. Use more to display the settings page by page.
show idp sig
439. ...t <1..8> incoming service_name trigger service_name
  Adds a new port triggering rule before the specified number.
trigger move <1..8> to <1..8>
  Moves a port triggering rule to the number that you specified.
[no] tunnel tunnel_name
  Sets the incoming interface to an IPSec VPN tunnel. The no command removes the IPSec VPN tunnel through which the incoming packets are received.
[no] user user_name
  Sets the user name. The no command resets the user name to the default (any). any means all users.
[no] policy controll-ipsec-dynamic-rules activate
  Enables the ZyWALL to use policy routes to manually specify the destination addresses of dynamic IPSec rules. You must manually create these policy routes. The ZyWALL automatically obtains source and destination addresses for dynamic IPSec rules that do not match any of the policy routes. The no command has the ZyWALL automatically obtain source and destination addresses for all dynamic IPSec rules.
policy default-route
  Enters the policy-route sub-command mode to set a route with the name default-route.
policy delete policy_number
  Removes a routing policy.
policy flush
  Clears the policy routing table.
policy list table
  Displays all policy route settings.
policy move policy_number to policy_number
  Moves a routing policy to the number that you specified.
[no] policy override-direct-route activate
  Use this com
440. ...t o organization c country key-type {rsa | dsa} key-len key_length
  Generates a PKCS#10 certification request.
ca generate pkcs12 name name password password
  Generates a PKCS#12 certificate.
ca generate x509 name certificate_name cn-type {ip cn cn_address | fqdn cn cn_domain_name | mail cn cn_email} ou organizational_unit o organization c country key-type {rsa | dsa} key-len key_length
  Generates a self-signed X.509 certificate.
ca rename category {local | remote} old_name new_name
  Renames a local (my certificates) or remote (trusted certificates) certificate.
ca validation remote_certificate
  Enters the sub-command mode for validation of certificates signed by the specified remote (trusted) certificate.
cdp {activate | deactivate}
  Has the ZyWALL check (or not check) incoming certificates that are signed by this certificate against a Certificate Revocation List (CRL) or an OCSP server. You also need to configure the OCSP or LDAP server details.
ldap {activate | deactivate}
  Has the ZyWALL check (or not check) incoming certificates that are signed by this certificate against a Certificate Revocation List (CRL) on a LDAP (Lightweight Directory Access Protocol) directory server.
ldap {ip ip | fqdn} port <1..65535> password password [deactivate] id name
  Sets the validation configuration for the specified remote (trusted) certificate where the directory server uses LDAP.
  ip: Type the IP add
441. ...t's computer against the endpoint security objects one by one. The client's computer must match one of the force authentication or SSL VPN policy's endpoint security policies in order to gain access.
Requirements
User computers must have Sun's Java (Java Runtime Environment or JRE) installed and enabled, with a minimum version of 1.4.
34.1.1 Endpoint Security Commands Summary
The following table describes the values required for many endpoint security object commands. Other values are discussed with the corresponding commands.
Table 157 Input Values for Endpoint Security Commands
profile_name
  The name of the endpoint security object. You may use 1-31 characters (0-9, a-z, A-Z) with no spaces allowed.
file_path
  This is a file with the full directory path, in quotation marks. For example "C:\Program Files\Internet Explorer\iexplore.exe".
The following sections list the endpoint security object commands.
34.1.2 Endpoint Security Object Commands
This table lists the commands for creating endpoint security objects. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 158 Endpoint Security Object Commands
[no] eps failure-messages failure_messages
  Specify a message to
442. ...<1..1073741824> the file specified.
[no] file-info file_path file-version {eq | gt | lt | ge | le | neq} file_version
  Sets whether the version of the file on the user's computer has to be equal to (eq), greater than (gt), less than (lt), greater than or equal to (ge), less than or equal to (le) or not equal to (neq) the version of the file specified.
[no] file-info file_path file-size {eq | gt | lt | ge | le | neq} <1..1073741824> file-version {eq | gt | lt | ge | le | neq} file_version
  Sets whether the size and version of the file on the user's computer have to be equal to (eq), greater than (gt), less than (lt), greater than or equal to (ge), less than or equal to (le) or not equal to (neq) the size and version of the file specified.
Table 158 Endpoint Security Object Commands (continued)
os-type {windows | linux | mac-osx | others}
  Select the type of operating system the user's computer must be using. Use the windows-version command to configure the checking items according to the set operating system. If you set this to mac-osx there are no other checking items. others allows access for computers not using Windows, Linux or Mac OSX operating systems. For example, you create Windows, Linux and Mac OSX endpoint security objects to apply to your LAN users. An others policy allows access for LAN computers using Solaris, HP
443. ...force users to log in to the ZyWALL before the ZyWALL routes traffic for them. The no command means the user authentication is not required.
force-auth default-rule authentication {required | unnecessary} {no log | log [alert]}
  Sets the default authentication policy that the ZyWALL uses on traffic that does not match any exceptional service or other authentication policy.
  required: Users need to be authenticated. They must manually go to the ZyWALL's login screen. The ZyWALL will not redirect them to the login screen.
  unnecessary: Users do not need to be authenticated.
  no log | log [alert]: Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or not (no log) for packets that match this default policy.
[no] force-auth exceptional-service service_name
  Sets a service which you want users to be able to access without user authentication. The no command removes the specified service from the exceptional list.
force-auth policy <1..1024>
  Creates the specified condition for forcing user authentication, if necessary, and enters sub-command mode. The conditions are checked in sequence, starting at 1. See Table 134 on page 238 for the sub-commands.
force-auth policy append
  Creates a new condition for forcing user authentication at the end of the current list and enters sub-command mode. See Table 134 on page 238 for the sub-commands.
force-auth policy insert <1..1
444. ...subnet mask to binary and add all of the 1's together. Take 255.255.255.0 for example. 255 converts to eight 1's in binary. There are three 255's, so add three eights together and you get the bit number (24). An example is 192.168.2.1/24. You can enter an IP address range by entering the start and end IP addresses separated by a hyphen, for example 192.168.2.5-192.168.2.23.
forbid hosts
  The IP address or domain name of a forbidden web site. Use a host name such as www.bad-site.com in this text field. Do not use the complete URL of the site, that is, do not include "http://". All subdomains are also blocked. For example, entering "bad-site.com" also blocks "www.bad-site.com", "partner.bad-site.com", "press.bad-site.com", etc. Use up to 63 case-insensitive characters (0-9a-z-).
  You can enter a single IP address in dotted decimal notation like 192.168.2.5.
  You can enter a subnet by entering an IP address in dotted decimal notation followed by a slash and the bit number of the subnet mask of an IP address. The range is 0 to 32. To find the bit number, convert the subnet mask to binary and add all of the 1's together. Take 255.255.255.0 for example. 255 converts to eight 1's in binary. There are three 255's, so add three eights together and you get the bit number (24). An example is 192.168.2.1/24.
  You can enter an IP address range by entering the start and end IP addresses separated by a hyphen, for example 192.168
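The entry forms described above (host name with subdomain blocking, single address, address/bits with the bit number derived from a mask, start-end range) as a small validator and matcher. This is an added example, not code from the guide or from ZyXEL; the host-label character set, the IPv4-only handling and all sample values are assumptions made for the demonstration.

```python
"""Added example (not from the ZyWALL guide): validate the entry forms the
forbid-hosts field accepts and test whether a host name or address is covered
by a list of such entries. All sample values are constructed."""
import ipaddress
import re

# Assumption: host-name labels use the characters the guide lists, 0-9 a-z and '-'.
HOST_RE = re.compile(r"^[0-9a-z-]{1,63}(\.[0-9a-z-]{1,63})*$")


def mask_to_bits(mask: str) -> int:
    """Bit number of a dotted-decimal subnet mask, computed the way the guide
    explains it: write each octet in binary and count the 1s.
    255.255.255.0 -> three octets of eight 1s -> 24."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal mask: {mask}")
    bits = "".join(f"{o:08b}" for o in octets)
    ones = bits.count("1")
    # A real mask is a run of 1s followed by 0s; 255.0.255.0 is not a mask.
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def _looks_numeric(text: str) -> bool:
    """True for strings made only of digits, dots and dashes (addresses, ranges)."""
    return text.replace(".", "").replace("-", "").isdigit()


def parse_entry(text: str):
    """Classify one entry as ('host', name), ('ip', address), ('net', network)
    or ('range', (first, last)). Anything else, including a full URL (the guide
    says not to include http://), raises ValueError."""
    entry = text.strip().lower()
    if "://" in entry or ("/" in entry and not _looks_numeric(entry.replace("/", ""))):
        raise ValueError("enter a host name or address, not a URL")
    if "/" in entry:
        addr, bits = entry.split("/", 1)
        if not 0 <= int(bits) <= 32:
            raise ValueError("the bit number must be 0 to 32")
        # strict=False lets 192.168.2.1/24 stand for the 192.168.2.0/24 subnet.
        return ("net", ipaddress.IPv4Network(f"{addr}/{bits}", strict=False))
    if "-" in entry and _looks_numeric(entry):
        first, last = (ipaddress.IPv4Address(p) for p in entry.split("-", 1))
        if last < first:
            raise ValueError("range end precedes range start")
        return ("range", (first, last))
    if _looks_numeric(entry):
        return ("ip", ipaddress.IPv4Address(entry))
    if len(entry) <= 63 and HOST_RE.match(entry):
        return ("host", entry)
    raise ValueError(f"invalid entry: {text!r}")


def is_blocked(target: str, entries) -> bool:
    """True if target (a host name or IPv4 address) is covered by any entry.
    A host entry covers itself and every subdomain, as the guide describes."""
    target = target.strip().lower()
    parsed = [parse_entry(e) for e in entries]
    try:
        addr = ipaddress.IPv4Address(target)
    except ipaddress.AddressValueError:
        addr = None  # a host name: only host entries can match it
    for kind, value in parsed:
        if kind == "host":
            if target == value or target.endswith("." + value):
                return True
        elif addr is None:
            continue
        elif kind == "ip" and addr == value:
            return True
        elif kind == "net" and addr in value:
            return True
        elif kind == "range" and value[0] <= addr <= value[1]:
            return True
    return False
```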
445. ...trunks, your user-defined (own user configuration) trunks, or a specified trunk's (group_name) settings.
[no] interface-group group_name
  Creates a trunk name and enters the trunk sub-command mode where you can configure the trunk. The no command removes the trunk.
interface {num append | insert num} interface [weight <1..10> | limit <1..1048576> | passive]
  This sub-command adds an interface to a trunk. Sets the interface's number. It also sets the interface's weight and spillover limit, or sets it to be passive.
no interface num
  Removes an interface from the trunk.
mode {normal | trunk}
  Sets the mode for a trunk. Do this first in the trunk's sub-command mode.
algorithm {wrr | llf | spill-over}
  Sets the trunk's load balancing algorithm.
move <1..8> to <1..8>
  Changes the interface order in a trunk.
Table 39 interface-group Commands Summary (continued)
flush
  Deletes a trunk's interface settings.
exit
  Leaves the trunk sub-command mode.
system default-interface-group group_name
  Sets the ZyWALL to first attempt to use the specified WAN trunk.
[no] system default-snat
  Enables or disables Source NAT (SNAT). When SNAT is enabled the ZyWALL uses the IP address of the outgoing interface as the source IP address of the packets it sends out through
446. ...tbound 0 log no
PART VI: Anti-X
Anti-Virus (175)
IDP Commands (183)
Content Filtering (201)
Anti-Spam (211)
Anti-Virus
This chapter introduces and shows you how to configure the anti-virus scanner.
20.1 Anti-Virus Overview
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating virus that resides in active memory and duplicates itself. The effect of a virus attack varies from doing so little damage that you are unaware your computer is infected, to wiping out the entire contents of a hard drive, to rendering your computer inoperable.
20.2 Anti-virus Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 87 Input Values for General Anti-Virus Commands
zone_object
  The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 100 and 200 models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT and WAN.
av_file_pattern
  Use up to 80 characters to specify a file pattern. Alphanumeric characters, underscores (_), dashes (-), question marks (?) and as
447. ...te
Figure 15 Example of Static Routing Topology (diagram not reproduced in this scan; its labels are N1, N2, N3, A and B)
8.4 Static Route Commands
The following table describes the commands available for static route. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 44 Command Summary: Static Route
[no] ip route w.x.y.z w.x.y.z {interface | w.x.y.z} [<0..127>]
  Sets a static route. The no command disables a static route.
ip route replace w.x.y.z w.x.y.z {interface | w.x.y.z} [<0..127>] with w.x.y.z w.x.y.z {interface | w.x.y.z} [<0..127>]
  Changes an existing route's settings.
show ip route settings
  Displays static route information. Use show ip route to see learned route information. See Section 9.2.5 on page 100.
8.4.1 Static Route Commands Example
The following command sets a static route with IP address 10.10.10.0 and subnet mask 255.255.255.0 and with the next hop interface ge1. Then use the show command to display the setting.
  Router(config)# ip route 10.10.10.0 255.255.255.0 ge1
  Router(config)# show ip route settings
  Route        Netmask          Nexthop  Metric
  10.10.10.0   255.255.255.0    ge1      0
  Router(config)#
Routing Protocol
This chap
448. Router(config)# show address-object
  Object name  Type   Address                    Ref
  A0           HOST   192.168.1.1                0
  A1           RANGE  192.168.1.1-192.168.1.20   0
26.2.2 Address Group Commands
This table lists the commands for address groups.
Table 138 object-group Commands: Address Groups
show object-group address [group_name]
  Displays information about the specified address group or about all address groups.
[no] object-group address group_name
  Creates the specified address group if necessary and enters sub-command mode. The no command deletes the specified address group.
[no] address-object object_name
  Adds the specified address to the specified address group. The no command removes the specified address from the specified group.
[no] object-group group_name
  Adds the specified address group (second group_name) to the specified address group (first group_name). The no command removes the specified address group from the specified address group.
[no] description description
  Sets the description to the specified value. The no command clears the description.
  description: You can use alphanumeric and $_ characters, and it can be up to 60 characters long.
object-group address rename group_name group_name
  Renames the specified address group from the first group_name to the second group_name.
26.2.2.1 Address Group Comman
449. ...ter 1 Command Line Interface
Table 3 Input Value Formats for Strings in CLI Commands (continued)
TAG: VALUES / LEGAL VALUES (the lists of permitted special characters are not legible in this scan)
password (less than 15 chars): 1-15 / alphanumeric or special characters
password (less than 8 chars): 1-8 / alphanumeric or special characters
password, used in user and ip ddns: 1-63 / alphanumeric or special characters
password, used in e-mail log profile SMTP authentication: 1-63 / alphanumeric or special characters
password, used in device HA synchronization: 1-63 / alphanumeric or special characters
password, used in registration: 6-20 / alphanumeric or special characters
phone number: 1-20 / numbers or special characters
preshared key: 16-64 / alphanumeric or special characters; or "0x" or "0X" followed by 16-64 hexadecimal values
profile name: 0-30 / alphanumeric or _-; first character: letters or _-
proto name: 1-16 / lower-case letters, numbers or -
protocol name: 0-30 / alphanumeric or _-; first character: letters or _-
quoted string (less than 127 chars): 1-255 / alphanumeric, spaces or special characters
quoted string (less than 63 chars): 1-63 / alphanumeric, spaces or special characters
quoted string: 0 or more / alphanumeric, spaces or punctuation marks enclosed in double quotation marks; must put a backslash before double quotation marks that are part of the input value itself
service name: 0-63 / al
450. ...ter 2 User and Privilege Modes
Table 4 User (U) and Privilege (P) Mode Commands (continued)
COMMAND (MODE): DESCRIPTION
diag (P): Provided for support personnel to collect internal system information. It is not recommended that you use these.
diag-info (P): Has the ZyWALL create a new diagnostic file.
dir (P): Lists files in a directory.
disable (U, P): Goes from privilege mode to user mode.
enable (U, P): Goes from user mode to privilege mode.
exit (U, P): Goes to a previous mode or logs out.
htm (U, P): Goes to htm (hardware test module) mode for testing hardware components. You may need to use the htm commands if your customer support engineer asks you to during troubleshooting. Note: These commands are for ZyXEL's internal manufacturing process.
interface (U, P): Dials or disconnects an interface.
no packet-trace (U, P): Turns off packet tracing.
nslookup (U, P): Resolves an IP address to a host name and vice versa.
packet-trace (U, P): Performs a packet trace.
ping (U, P): Pings an IP address or host name.
psm (U, P): Goes to psm (product support module) mode for setting product parameters. You may need to use the htm commands if your customer support engineer asks you to during troubleshooting. Note: These commands are for ZyXEL's internal manufacturing process.
reboot (P): Restarts the device.
release (P): Releases DHCP information from an interface.
rename (P): Renames a configuration file.
re
451. ...ter describes how to set up RIP and OSPF routing protocols for the ZyWALL.
9.1 Routing Protocol Overview
Routing protocols give the ZyWALL routing information about the network from other routers. The ZyWALL then stores this routing information in the routing table, which it uses when it makes routing decisions. In turn, the ZyWALL can also provide routing information via routing protocols to other routers.
The ZyWALL supports two standards, RIP and OSPF, for routing protocols. RIP and OSPF are compared in Table 45 on page 97, and they are discussed further in the next two sections.
Table 45 OSPF vs. RIP
                OSPF                                                               RIP
Network Size    Large                                                              Small (with up to 15 routers)
Metric          Bandwidth, hop count, throughput, round trip time and reliability  Hop count
Convergence     Fast                                                               Slow
9.2 Routing Protocol Commands Summary
The following table describes the values required for many routing protocol commands. Other values are discussed with the corresponding commands.
Table 46 Input Values for Routing Protocol Commands
ip
  The 32-bit name of the area or virtual link in IP address format.
authkey
  The password for text or MD5 authentication. You may use alphanumeric characters or underscores (_).
  text password: 1-8 characters long
  MD5 password: 1-16 characters long
The following sections list the routing protocol commands.
452. ...terisks (*) are allowed. A question mark (?) lets a single character in the file name vary. For example, use "a?.zip" (without the quotation marks) to specify aa.zip, ab.zip and so on.
Wildcards (*) let multiple files match the pattern. For example, use "*a.zip" (without the quotation marks) to specify any file that ends with "a.zip". A file named "testa.zip" would match. There could be any number (of any type) of characters in front of the "a.zip" at the end and the file name would still match. A file named "test.zipa", for example, would not match.
A * in the middle of a pattern has the ZyWALL check the beginning and end of the file name and ignore the middle. For example, with "abc*.zip", any file starting with "abc" and ending in ".zip" matches, no matter how many characters are in between.
The whole file name has to match if you do not use a question mark or asterisk. If you do not use a wildcard, the ZyWALL checks up to the first 80 characters of a file name.
20.2.1 General Anti-virus Commands
Table 88 General Anti-virus Commands
The following table describes general anti-virus commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Note: You must register for the anti-virus service before you can use it (see Chapter 5 on page 37).
CO
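The file-pattern rules above (? for one character, * for any run, whole-name comparison on the first 80 characters when no wildcard is used) as a matcher you can run against sample names before loading a pattern list. This is an added example, not code from the guide or from ZyXEL; case-insensitive comparison, accepting "." in a pattern (the guide's own examples contain it) and the sample names are assumptions.

```python
"""Added example (not from the ZyWALL guide): a matcher for the av_file_pattern
rules. ? stands for exactly one character, * for any run of characters
(including none); a pattern without wildcards must equal the whole file name,
compared on its first 80 characters. Sample names are constructed."""
import re

MAX_PATTERN_LEN = 80   # "use up to 80 characters to specify a file pattern"
COMPARE_LEN = 80       # characters of a file name checked when no wildcard is used
# Assumption: '.' is accepted alongside the listed alphanumerics, _, -, ? and *.
ALLOWED = re.compile(r"[A-Za-z0-9_.?*-]+")


def validate_pattern(pattern: str) -> str:
    """Raise ValueError for a pattern the guide would reject; return it otherwise."""
    if not 1 <= len(pattern) <= MAX_PATTERN_LEN:
        raise ValueError("a file pattern must be 1 to 80 characters long")
    if not ALLOWED.fullmatch(pattern):
        raise ValueError(f"character not allowed in file pattern: {pattern!r}")
    return pattern


def pattern_to_regex(pattern: str):
    """Translate ? to one character, * to any run, everything else to a literal."""
    parts = []
    for ch in validate_pattern(pattern):
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def matches(pattern: str, filename: str) -> bool:
    """True if filename matches pattern under the rules above."""
    validate_pattern(pattern)
    if "?" not in pattern and "*" not in pattern:
        # No wildcard: the whole name must match, checked on its first 80 characters.
        return filename[:COMPARE_LEN].lower() == pattern.lower()
    # fullmatch anchors both ends, so "*a.zip" requires the name to end with a.zip
    # and "abc*.zip" requires it to start with abc and end with .zip.
    return pattern_to_regex(pattern).fullmatch(filename) is not None


def matched_patterns(filename: str, patterns) -> list:
    """Every pattern in a configured list that a file name matches; useful for
    checking a pattern list against sample names before loading it."""
    return [p for p in patterns if matches(p, filename)]
```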
453. ...that you specified.
[no] firewall activate
  Enables the firewall on the ZyWALL. The no command disables the firewall.
firewall append
  Enters the firewall sub-command mode to add a global firewall rule to the end of the global rule list. See Table 64 on page 128 for the sub-commands.
firewall default-rule action {allow | deny | reject} {no log | log [alert]}
  Sets how the firewall handles packets that do not match any other firewall rule.
firewall delete rule_number
  Removes a firewall rule.
firewall flush
  Removes all firewall rules.
firewall insert rule_number
  Enters the firewall sub-command mode to add a firewall rule before the specified rule number. See Table 64 on page 128 for the sub-commands.
firewall move rule_number to rule_number
  Moves a firewall rule to the number that you specified.
show connlimit max-per-host
  Displays the highest number of sessions that the ZyWALL will permit a host to have at one time.
show firewall
  Displays all firewall settings.
show firewall rule_number
  Displays a firewall rule's settings.
show firewall zone_object {zone_object | ZyWALL}
  Displays all firewall rules' settings for the specified packet direction.
show firewall zone_object {zone_object | ZyWALL} rule_number
  Displays a specified firewall rule's settings for the specified packet direction.
show firewall status
  Displays whether
454. ...the following address, or use e-mail instead. Thank you.
The Technical Writing Team
ZyXEL Communications Corp.
6 Innovation Road II
Science-Based Industrial Park
Hsinchu 300
Taiwan
E-mail: techwriters@zyxel.com.tw
Document Conventions
Warnings and Notes
These are how warnings and notes are shown in this User's Guide.
Warnings tell you about things that could harm you or your device.
Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Syntax Conventions
The ZLD-based ZyWALL may be referred to as the "ZyWALL", the "device", the "system" or the "product" in this User's Guide.
Product labels, screen names, field labels and field choices are all in bold font.
A key stroke is denoted by square brackets and uppercase text, for example [ENTER] means the "enter" or "return" key on your keyboard.
"Enter" means for you to type one or more characters and then press the [ENTER] key. "Select" or "choose" means for you to use one of the predefined choices.
A right angle bracket (>) within a screen name denotes a mouse click. For example, Maintenance > Log > Log Setting means you first click Maintenance in the navigation panel, then the Log sub menu and finally the Log Setting tab to get to that screen.
Units of measur
455. ...the following settings. This NAT rule is for any HTTP traffic coming in on ge2 (wan1) to IP address 1.1.1.2. The NAT rule sends this traffic to the HTTP server's private IP address of 192.168.3.7 (defined in the DMZ_HTTP object). HTTP traffic and the HTTP server in this example both use TCP port 80. So you set the port mapping type to port, the protocol type to TCP and the original and mapped ports to 80.
  Router(config)# ip virtual-server To-VirtualServer-WWW interface ge2 original-ip ge2_HTTP map-to DMZ_HTTP map-type port protocol tcp original-port 80 mapped-port 80
  Router(config)#
3 Configure the firewall. Create a firewall rule to allow HTTP traffic from the WAN zone to the DMZ web server.
  Router(config)# firewall insert 1
  Router(firewall)# description To-VirtualServer-WWW
  Router(firewall)# from WAN
  Router(firewall)# to DMZ
  Router(firewall)# destinationip DMZ_HTTP
  Router(firewall)# service HTTP
  Router(firewall)# exit
  Router(config)# write
  Router(config)#
Now the public can go to IP address 1.1.1.2 to access the HTTP server.
HTTP Redirect
This chapter shows you how to configure HTTP redirection on your ZyWALL.
13.1 HTTP Redirect Overview
HTTP redirect forwards the client's HTTP request (except HTTP traffic destined for the ZyW
456. ...thods AES, 3DES, Arcfour and Blowfish. The SSH server is implemented on the ZyWALL for remote management on port 22 (by default).
36.4.2 Requirements for Using SSH
You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the ZyWALL over SSH.
36.4.3 SSH Commands
The following table describes the commands available for SSH. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 167 Command Summary: SSH
[no] ip ssh server
  Allows SSH access to the ZyWALL CLI. The no command disables SSH access to the ZyWALL CLI.
[no] ip ssh server cert certificate_name
  Sets a certificate whose corresponding private key is to be used to identify the ZyWALL for SSH connections. The no command resets the certificate used by the SSH server to the factory default (default).
  certificate_name: The name of the certificate. You can use up to 31 alphanumeric and special characters such as & and _.
[no] ip ssh server port <1..65535>
  Sets the SSH service port number. The no command resets the SSH service port number to the factory default (22).
ip ssh server rule {rule_number | append | insert rule_number} access-group {ALL | address_object} zone {ALL | zone_object} action {accept | deny}
  Sets a
457. ...through Vantage CNM on or off.
cnm-agent keepalive interval <10..90>
  Sets the keepalive interval.
[no] cnm-agent periodic-inform activate
  Turns the periodic inform on or off.
cnm-agent periodic-inform interval <10..86400>
  Sets the periodic inform interval.
cnm-agent trigger-inform [interval interval]
  Initiates a TR069 connection to the server. You can also specify the interval for the inform messages.
[no] cnm-agent auth activate
  Enables or disables authentication of the server when using HTTPS.
show cnm-agent configuration
  Displays the Vantage CNM configuration.
36.11.1.1 Vantage CNM Command Examples
The following example turns on Vantage CNM management and sets the ZyWALL to register with a server at https://1.2.3.4/vantage/TR069.
  Router# configure terminal
  Router(config)# cnm-agent activate
  Router(config)# cnm-agent manager https://1.2.3.4/vantage/TR069
  Router(config)# show cnm-agent configuration
  Activate: YES
  ACS URL: https://1.2.3.4/vantage/TR069
  Keepalive: ENABLE
  Keepalive Interval: 60
  Periodic Inform: DISABLE
  Periodic Inform Interval: 3600
  Custom IP: NO
  HTTPS Authentication: NO
  Vantage Certificate: zw1050 cer456
36.12 Language Commands
Use the language commands to display what language the web configurator is using, or to change it. You must use the configure terminal command
458. ...tication-key
  Clears the MD5 ID and password.
[no] outonly-interface interface_name
  Sets the direction to Out-Only for the specified interface. The no command sets the direction to BiDir.
9.2.2 General OSPF Commands
This table lists the commands for general OSPF configuration.
Table 48 router Commands: General OSPF Configuration
router ospf
  Enters sub-command mode.
[no] redistribute {static | rip}
  Enables redistribution of routing information learned from the specified non-OSPF source. The no command disables redistribution from the specified non-OSPF source.
[no] redistribute {static | rip} metric-type <1..2> metric <0..16777214>
  Sets the metric for routing information learned from the specified non-OSPF source. The no command clears the metric.
Table 48 router Commands: General OSPF Configuration (continued)
[no] passive-interface interface_name
  Sets the direction to In-Only for the specified interface. The no command sets the direction to BiDir.
[no] router-id IP
  Sets the 32-bit ID (in IP address format) of the ZyWALL. The no command resets it to default (or the highest available IP address).
9.2.3 OSPF Area Commands
This table lists the commands for OSPF areas.
Table 49 router Commands: OSPF
459. ...tion allow status yes
  4 user any schedule none from WAN to LAN source IP any source port any destination IP any service any log log action deny status yes
  Router(config)# show firewall WAN LAN 2
  4 user any schedule none from WAN to LAN source IP any source port any destination IP any service any log no action deny status yes
  Router(config)#
15.3 Session Limit Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 65 Input Values for General Session Limit Commands
rule_number
  The priority number of a session limit rule, 1-1000.
address_object
  The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
user_name
  The name of a user (group). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following table describes the session limit commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 66 Command Summary: Session Limit
460. ...tion [profile_name]
  Deletes all authentication profiles or the specified authentication profile. Note: You can NOT delete a profile that is currently in use.
show aaa authentication {group_name | default}
  Displays the specified authentication server profile settings.
[no] aaa authentication profile_name
  Sets a descriptive name for the authentication profile. The no command deletes a profile.
Table 150 aaa authentication Commands (continued)
[no] aaa authentication default member1 [member2] [member3] [member4]
  Sets the default profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius or local. Note: You must specify at least one member for each profile. Each type of member can only be used once in a profile. The no command clears the specified authentication method(s) for the profile.
[no] aaa authentication profile_name member1 [member2] [member3] [member4]
  Sets the profile to use the authentication method(s) in the order specified. member = group ad, group ldap, group radius or local. Note: You must specify at least one member for each profile. Each type of member can only be used once in a profile. The no command clears the specified authentication method(s) for the profile.
30.2.1 aaa authentication Comman
461. ...tions
show interface interface_name budget
  Displays the budget control settings for the specified cellular interface.
show interface interface_name device status
  Displays the 3G card and SIM card information for the specified cellular interface.
show interface interface_name device
  Displays the 3G connection profile settings of the specified cellular interface.
6.6.1 Cellular Status
The following table describes the different kinds of cellular connection status on the ZyWALL.
Table 28 Cellular Status
No device: no 3G device is connected to the ZyWALL.
Device detected: displays when you connect a 3G device.
Device error: a 3G device is connected but there is an error.
Probe device fail: the ZyWALL's test of the 3G device failed.
Probe device ok: the ZyWALL's test of the 3G device failed.
Init device fail: the ZyWALL was not able to initialize the 3G device.
Init device ok: the ZyWALL initialized the 3G card.
Check lock fail: the ZyWALL's check of whether or not the 3G device is locked failed.
Device locked: the 3G device is locked.
SIM error: there is a SIM card error on the 3G device.
SIM locked-PUK: the PUK is locked on the 3G device's SIM card.
SIM locked-PIN: the PIN is locked on the 3G device's SIM card.
Table 28 Cellular Status (continued)
462. ...tisement | router-solicitation | source-quench | time-exceeded | timestamp-reply | timestamp-request | unreachable}
service-object object_name protocol <1..255>
  Creates the specified user-defined service using the specified parameters.
service-object rename object_name object_name
  Renames the specified service from the first object_name to the second object_name.
27.2.1.1 Service Object Command Examples
The following commands create four services, display them, and then remove one of them.
  Router# configure terminal
  Router(config)# service-object TELNET tcp eq 23
  Router(config)# service-object FTP tcp range 20 21
  Router(config)# service-object ICMP_ECHO icmp echo
  Router(config)# service-object MULTICAST protocol 2
  Router(config)# show service-object
  Object name  Protocol  Minmum port  Maxmum port  Ref
  TELNET       TCP       23           23           0
  FTP          TCP       20           21           0
  ICMP_ECHO    ICMP      0            0            0
  MULTICAST    2         0            0            0
  Router(config)# no service-object ICMP_ECHO
  Router(config)# show service-object
  Object name  Protocol  Minmum port  Maxmum port  Ref
  TELNET       TCP       23           23           0
  FTP          TCP       20           21           0
  MULTICAST    2         0            0            0
27.2.2 Service Group Commands
The first table lists the commands for service groups.
Table 141 object-group Commands: Service Groups
show object-group service group_name
  Displays information about the specified service group.
[no] object-group servi
463. tivate
    Creates or modifies the specified virtual server and maps the specified destination IP address, protocol and destination port to the specified destination IP address and destination port. The original destination IP is defined by the specified interface (any), the specified IP address (IP) or the specified address object (address-object). NAT loopback allows local users to use a domain name to access this virtual server. nat-1-1-map means the NAT type is either 1:1 NAT or many 1:1 NAT. See Section 12.1.1 on page 109 for more information. Using this command without nat-1-1-map means the NAT type is Virtual Server. This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet). The deactivate command disables the virtual server rule.

ZyWALL ZLD CLI Reference Guide, Chapter 12 Virtual Servers
Table 58 ip virtual-server Commands (continued)
  ip virtual-server profile_name interface interface_name original-ip {any | IP | address_object} map-to {address_object | IP} map-type ports protocol {any | tcp | udp} original-port-begin <1..65535> original-port-end <1..65535> mapped-port-begin <1..65535> [nat-loopback [nat-1-1-map [deactivate] | deactivate] | nat-1-1-map [deactivate] | deactivate]
    Creates or modifies the specified virtual server and maps the specified destination IP address, protocol and range of
464. to be used to identify the ZyWALL. The no command resets the certificate used by the FTP server to the factory default.
  [no] ip ftp server port <1..65535>
    Sets the FTP service port number. The no command resets the FTP service port number to the factory default (21).
  [no] ip ftp server tls-required
    Allows FTP access over TLS. The no command disables FTP access over TLS.

ZyWALL ZLD CLI Reference Guide, Chapter 36 System Remote Management
Table 169 Command Summary: FTP (continued)
  ip ftp server rule {rule_number | append | insert rule_number} access-group {ALL | address_object} zone {ALL | zone_object} action {accept | deny}
    Sets a service control rule for FTP service.
    address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
    zone_object: The name of the zone. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 100 and 200 models use pre-defined zone names like DMZ, LAN1, SSL VPN, WLAN, IPSec VPN, OPT, and WAN.
  ip ftp server rule move rule_number to rule_number
    Changes the index number of a service control rule.
  no ip ftp server rule rule_number
    Deletes a service control rule for FTP s
465. to zone DMZ scan protocols smtp yes pop3 yes match action smtp forward pop3 forward with tag yes yes

23.2.3 White and Black Lists

The following table identifies values used in these commands. Other input values are discussed with the corresponding commands.

Table 116 Input Values for White and Black List Anti-Spam Commands
  mail_header: The name part of an e-mail header (the part that comes before the colon). Use up to 63 ASCII characters. For example, if you want the entry to check the "Received:" header for a specific mail server's domain, use "Received".
  mail_header_value: The value part of an e-mail header (the part that comes after the colon). Use up to 63 ASCII characters. For example, if you want the entry to check the "Received:" header for a specific mail server's domain, specify the mail server's domain. See Section 23.2.3.2 on page 215 for more details.

ZyWALL ZLD CLI Reference Guide, Chapter 23 Anti-Spam
Table 116 Input Values for White and Black List Anti-Spam Commands (continued)
  rule_number: The index number of an anti-spam white or black list entry, 1-X where X is the highest number of entries the ZyWALL model supports. See the ZyWALL's User's Guide for details.
  subject: A keyword in the content of the e-mail Subject headers. Use up to 63 ASCII characters. Spaces are not allowed, alt
466. truncated-header | truncated-timestamp-header | truncated-address-header} log [alert]
    Sets icmp-decoder log or alert options.
  no icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} log
    Deactivates icmp-decoder log options.
  icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} action {drop | reject-sender | reject-receiver | reject-both}
    Sets icmp-decoder action.
  no icmp-decoder {truncated-header | truncated-timestamp-header | truncated-address-header} action
    Deactivates icmp-decoder actions.
  show idp anomaly profile scan-detection all details
    Shows all scan-detection settings of the specified IDP profile.
  show idp anomaly profile scan-detection {tcp-portscan | tcp-decoy-portscan | tcp-distributed-portscan | tcp-filtered-portscan | tcp-filtered-decoy-portscan | tcp-filtered-distributed-portscan | tcp-filtered-portsweep | tcp-portsweep} details
    Shows selected TCP scan-detection settings for the specified IDP profile.
  show idp anomaly profile scan-detection {udp-portscan | udp-decoy-portscan | udp-portsweep | udp-distributed-portscan | udp-filtered-portscan | udp-filtered-decoy-portscan | udp-filtered-distributed-portscan | udp-filtered-portsweep} details
    Shows UDP scan-detection settings for the specified IDP profile.
  show idp anomaly profile scan-detection ip
467. ts the new time in hour, minute and second format.
  [no] clock time-zone hh
    Sets your time zone. The no command removes time zone settings.
  [no] ntp
    Saves your date and time and time zone settings and updates the date and time every 24 hours. The no command stops updating the date and time every 24 hours.
  [no] ntp server {fqdn | w.x.y.z}
    Sets the IP address or URL of your NTP time server. The no command removes time server information.
  ntp sync
    Gets the time and date from a NTP time server.
  show clock date
    Displays the current date of your ZyWALL.
  show clock status
    Displays your time zone and daylight saving settings.
  show clock time
    Displays the current time of your ZyWALL.
  show ntp server
    Displays time server settings.

ZyWALL ZLD CLI Reference Guide, Chapter 35 System

35.5 Console Port Speed

This section shows you how to set the console port speed when you connect to the ZyWALL via the console port using a terminal emulation program. The following table describes the console port commands. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 162 Command Summary: Console Port Speed
  [no] console baud baud_rate
    Sets the speed of the console port. The no command resets the console port speed to the default (115200). baud_rate: 9600 | 19
468. ttings (lists of trusted web sites and forbidden web sites, and blocking of certain web features). The no command has the profile not use the custom settings.
  [no] content-filter profile filtering_profile custom activex
    Sets a content filtering profile to block ActiveX controls. The no command sets the profile to allow ActiveX.
  [no] content-filter profile filtering_profile custom cookie
    Sets a content filtering profile to block Cookies. The no command sets the profile to allow Cookies.
  [no] content-filter profile filtering_profile custom forbid forbid_hosts
    Adds a web site to a content filtering profile's forbidden list. The no command removes a web site from the forbidden list.
  [no] content-filter profile filtering_profile custom java
    Sets a content filtering profile to block Java. The no command sets the profile to allow Java.
  [no] content-filter profile filtering_profile custom keyword keyword
    Has a content filtering profile block access to Web sites with URLs that contain the specified keyword or IP address in the URL. The no command removes the keyword.
  [no] content-filter profile filtering_profile custom proxy
    Sets a content filtering profile to block access to web proxy servers. The no command sets the profile to allow access to proxy servers.
  [no] content-filter profile filtering_profile custom trust trust_hosts
    Adds a web site to a content filtering profile's trusted list. The no command
469. tus
  IDP signature download failed, do 1 retry at Sat Jan 4 2003 01 01 01 34 39
  Router(config)# show idp signature signatures version
  version: 1.2000
  Router(config)# show idp signature signatures number
  signatures: 2000
  Router(config)# show idp signature signatures date
  date: 2005-11-13 13:56:03

21.6 IDP Statistics

The following table describes the commands for collecting and displaying IDP statistics. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 106 Commands for IDP Statistics
  [no] idp statistics collect
    Turn the collection of IDP statistics on or off.
  idp statistics flush
    Clears the collected statistics.
  show idp statistics summary
    Displays the collected statistics.

ZyWALL ZLD CLI Reference Guide, Chapter 21 IDP Commands
Table 106 Commands for IDP Statistics (continued)
  show idp statistics collect
    Displays whether the collection of IDP statistics is turned on or off.
  show idp statistics ranking {signature-name | source | destination}
    Query and sort the IDP statistics entries by signature name, source IP address or destination IP address. signature-name lists the most commonly detected signatures; source lists the source IP addresses from which the ZyWALL has detected the most intrusion attempts; destination lists the most common dest
470. type is either 1:1 NAT or many 1:1 NAT. See Section 12.1.1 on page 109 for more information. Using this command without nat-1-1-map means the NAT type is Virtual Server. This makes computers on a private network behind the ZyWALL available to a public network outside the ZyWALL (like the Internet). The deactivate command disables the virtual server rule.
  ip virtual-server {activate | deactivate} profile_name
    Activates or deactivates the specified virtual server.
  ip virtual-server delete profile_name
    Deletes the specified virtual server.
  ip virtual-server flush
    Deletes all virtual servers.
  ip virtual-server rename profile_name profile_name
    Renames the specified virtual server from the first profile_name to the second profile_name.

ZyWALL ZLD CLI Reference Guide, Chapter 12 Virtual Servers

12.2.1 Virtual Server Command Examples

The following command creates virtual server WAN_LAN_H323 on the wan1 interface that maps IP address 10.0.0.8 to 192.168.1.56 for TCP protocol traffic on port 1720. It also adds a NAT loopback entry.

  Router# configure terminal
  Router(config)# ip virtual-server WAN_LAN_H323 interface wan1 original-ip 10.0.0.8 map-to 192.168.1.56 map-type port protocol tcp original-port 1720 mapped-port 1720 nat-loopback
  Router(config)#

The following command shows information about all the virtual servers in the ZyWALL.

  Router(config)# show ip vi
471. ue to 0.
  port <0..65535>
    Specifies the destination port (0 means any).
  [no] schedule profile_name
    Adds the specified schedule to the rule.
  show
    Displays the rule's configuration.
  [no] source profile_name
    Adds the specified source address to the rule.
  [no] to zone_name
    Specifies the destination zone.
  [no] user username
    Adds the specified user to the rule.

ZyWALL ZLD CLI Reference Guide, Chapter 19 Application Patrol

19.2.4 Other Application Commands

This table lists the commands for other applications in application patrol.

Table 83 app Commands: Other Applications
  app other default {forward | drop | reject}
    Specifies the default action for other applications.
  [no] app other log [alert]
    Creates log entries (and alerts) for other applications. The no command does not create any log entries.

19.2.5 Rule Commands for Other Applications

This table lists the commands for rules in other applications.

Table 84 app Commands: Rules in Other Applications
  app other insert rule_number
    Creates a new rule at the specified row and enters sub-command mode.
  app other append
    Creates a new rule, appends it to the end of the list, and enters sub-command mode.
  app other <1..64>
    Enters sub-command mode for editing the rule at the specified row.
  app other default
    Enters sub-command mode for editing the default rule for traffic of
472. ule_name level {alert | crit | debug | emerg | error | info} ... 334
  logging mail <1..2> schedule daily hour <0..23> minute <0..59> ... 333
  logging mail <1..2> schedule weekly day day hour <0..23> minute <0..59> ... 333
  logging ... 332
  logging system-log category module_name {disable | level normal | level all} ... 330
  login-page background-color {color-rgb | color-name | color-number} ... 298
  login-page message-color {color-rgb | color-name | color-number} ... 288
  ... 299
  login-page title-color {color-rgb | color-name | color-number} ... 289
  login-page window-color {color-rgb | color-name | color-number} ... 289
  logo background-color {color-rgb | color-name | color-number} ... 289
  ... 63
  ... 280
  ... 137
  ... 84
  ... 84
  ... 67
473. unk. For the ZyWALL USG 300 and above, use up to 31 characters (a-zA-Z0-9_-). The name cannot start with a number. This value is case-sensitive. The ZyWALL USG 100 and 200 models use WAN_TRUNK or WAN_TRUNK02.
  interface: The name of an interface; it could be an Ethernet, PPP, VLAN or bridge interface. The possible number of each interface type and the abbreviation to use are as follows.
    Ethernet interface: For the ZyWALL USG 300 and above, use gex, x = 1-N, where N equals the highest numbered Ethernet interface for your ZyWALL model. The ZyWALL USG 100 and 200 models use a name such as wan1, wan2, opt, lan1, ext-wlan, or dmz.
    PPPoE/PPTP interface: pppx, x = 0-N, where N depends on the number of PPPoE/PPTP interfaces your ZyWALL model supports.
    VLAN interface: vlanx, x = 0-4094.
    bridge interface: brx, x = 0-N, where N depends on the number of bridge interfaces your ZyWALL model supports.
  num: The interface's position in the trunk's list of members (1-8).
  <CR>: Carriage Return (the "enter" key).

7.4 Trunk Commands Summary

The following table lists the interface-group commands. You must use the configure terminal command to enter the configuration mode before you can use these commands. See Table 38 on page 84 for details about the values you can input with these commands.

Table 39 interface-group Commands Summary
  show interface-group system
    Displays pre-configured system defaul
474. up by editing copies of the configuration files in a text editor, for example.

24.1.1 Before You Begin

Configure a static IP address for each interface that you will have device HA monitor.

Note: Subscribe to services on the backup ZyWALL before synchronizing it with the master ZyWALL.
  - Synchronization includes updates for services to which the master and backup ZyWALLs are both subscribed. For example, a backup subscribed to IDP/AppPatrol but not anti-virus gets IDP/AppPatrol updates from the master, but not anti-virus updates. It is highly recommended to subscribe the master and backup ZyWALLs to the same services.

24.2 General Device HA Commands

This table lists the general commands for device HA.

Table 121 device-ha General Commands
  show device-ha status
    Displays whether or not device HA is activated, the configured device HA mode, and the status of the monitored interfaces.
  [no] device-ha activate
    Turns device HA on or off.
  device-ha mode {active-passive | legacy}
    Sets the ZyWALL to use active-passive or legacy (VRRP group based) device HA.

24.3 Active-Passive Mode Device HA
  Virtual Router: The master and backup ZyWALL form a single virtual router.
  Cluster ID: You can have multiple ZyWALL virtual routers on your network. Use a different cluster ID to identify each virtual router.

ZyWALL ZLD CLI Reference Guide, Chapter 24 Device HA
  Monitored Int
475. uration, file size. Example 150 10000
  Router(config)# show packet-capture status

Then configure the following settings to capture packets going through the ZyWALL's WAN1 interface only (this means you have to remove LAN2 and WAN2 from the iface list).
  IP address: any
  Host IP: any
  Host port: any (then you do not need to configure this setting)
  File suffix: Example
  File size: 10000 bytes

ZyWALL ZLD CLI Reference Guide, Chapter 42 Maintenance Tools
  Duration: 150 seconds

  Router(config)# packet-capture configure
  Router(packet-capture)# iface add wan1
  Router(packet-capture)# iface del lan2
  Router(packet-capture)# iface del wan2
  Router(packet-capture)# ip-type any
  Router(packet-capture)# host-ip any
  Router(packet-capture)# file-suffix Example
  Router(packet-capture)# files-size 10000
  Router(packet-capture)# duration 150
  Router(packet-capture)#

Exit the sub-command mode and have the ZyWALL capture packets according to the settings you just configured.
  Router(packet-capture)# exit
  Router(config)# packet-capture activate
  Router(config)#

Manually stop the running packet capturing.
  Router(config)# no packet-capture activate
  Router(config)#

Check current packet capture status and list all stored packet captures.
  Router(config)# show packet-capture status
  capture
476. uration, the ZyWALL keeps dumping traffic until you use Ctrl-C. Use the extension filter to extend the use of this command.
    protocol_name: You can use the name instead of the number for some IP protocols, such as tcp, udp, icmp, and so on. The names consist of 1-16 alphanumeric characters, underscores, or dashes. The first character cannot be a number.
    hostname: You can use up to 252 alphanumeric characters, dashes, or periods. The first character cannot be a period.
    filter_extension: You can use 1-256 alphanumeric characters, spaces, or 49 96 characters.
  traceroute {ip | hostname}
    Displays the route taken by packets to the specified destination. Use Ctrl-C when you want to return to the prompt.
  [no] packet-capture activate
    Performs a packet capture that captures network traffic going through the set interface(s). Studying these packet captures may help you identify network problems. The no command stops the running packet capture on the ZyWALL.
    Note: Use the packet-capture configure command to configure the packet capture settings before using this command.
  packet-capture configure
    Enters the sub-command mode.

ZyWALL ZLD CLI Reference Guide, Chapter 42 Maintenance Tools
Table 194 Maintenance Tools Commands in Privilege Mode (continued)
  duration <0..300>
    Sets a time limit in seconds for the capture. The ZyWALL
477. ure 18 Default Firewall Action (figure: WAN, Internet)

ZyWALL ZLD CLI Reference Guide, Chapter 15 Firewall

Your customized rules take precedence and override the ZyWALL's default settings. The ZyWALL checks the schedule, user name (user's login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.

For example, if you want to allow a specific user from any computer to access one zone by logging in to the ZyWALL, you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the ZyWALL and will be disabled after the user logs out of the ZyWALL.

15.2 Firewall Commands

The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.

Table 62 Input Values for General Firewall Commands
  address_object: The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  user_name: The name of a user (group). You may use 1-31 alphanumeri
478. ure 32 System Startup Stopped
  BootModule Version: V1.08 | 05/05/2006 11:42:55
  DRAM Size = 510 Mbytes
  DRAM POST: Testing: 522240K OK
  DRAM Test SUCCESS
  Kernel Version: 2.4.2-KL 2006-05-29 | 2006-05-29 15:23:46
  ZLD Version: V7Z41050 180 DailyBuild New | 2006-05-29 15:18:32
  seconds

3. If the console session displays "Invalid Firmware" or "Invalid Recovery Image", or the console freezes at "Press any key to enter debug mode within 3 seconds" for more than one minute, go to Section 37.9 on page 320 to restore the recovery image.

Figure 33 Recovery Image Damaged
  Press any key to enter debug mode within 3 seconds.
  Invalid Recovery Image
  ERROR
  Enter Debug Mode
  >

4. If "Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file" displays on the screen, the firmware file is damaged. Use the procedure in Section 37.10 on page 322 to restore it. If the message does not display, the firmware is OK and you do not need to use the firmware recovery procedure.

ZyWALL ZLD CLI Reference Guide, Chapter 37 File Manager

Figure 34 Firmware Damaged
  Building ...
  Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file

37.9 Restoring the Recovery Image

Note: This procedure requires the ZyWALL's recovery image. Download the firmware package from www.zyxel.com and unzip it. The recovery image uses a .ri extension, for example, 1.01(XL.0)C0.ri.

Do the follow
479. ure the interface does not use the GSM network.
  [no] budget active
    Sets a monthly limit for the user account of the installed 3G card. You can set a limit on the total traffic and/or call time. The ZyWALL takes the actions you specified when a limit is exceeded during the month. Use the no command to disable budget control.
  [no] budget time active <1..672>
    Sets the amount of time (in hours) that the 3G connection can be used within one month. If you change the value, the ZyWALL resets the statistics. Use the no command to disable time budget control.
  [no] budget data active {download | upload | download-upload} <1..100000>
    Sets how much downstream and/or upstream data (in Mega bytes) can be transmitted via the 3G connection within one month. download: set a limit on the downstream traffic (from the ISP to the ZyWALL). upload: set a limit on the upstream traffic (from the ZyWALL to the ISP). download-upload: set a limit on the total traffic in both directions. If you change the value, the ZyWALL resets the statistics. Use the no command to disable data budget control.

ZyWALL ZLD CLI Reference Guide, Chapter 6 Interfaces
Table 27 Cellular Interface Commands (continued)
  budget reset-day <0..31>
    Sets the date on which the ZyWALL resets the budget every month. If the date you selected is not available in a month (such as the 30th or 31st), the ZyWAL
480. urity to connect to the wireless interface. You have to also configure to use either TKIP or AES and an existing AAA authentication method object (profile_name). Set the certificate the ZyWALL uses to authenticate itself to the wireless clients. The wireless clients must use TTLS authentication protocol and PAP inside the TTLS secure tunnel.
  security wpa wpa2 {tkip | aes} eap external
    Configures WPA or WPA2 enterprise security using TKIP or AES and an external server. Use the security external command to specify the server's address.
  security wpa wpa2 {tkip | aes} psk key psk_key
    Configures WPA or WPA2 security using TKIP or AES and a Pre-Shared Key (PSK).
  security wpa2 {tkip | aes} eap internal profile_name tls-cert certificate_name
    Configures WPA2 enterprise security using TKIP or AES and an existing AAA authentication method object (profile_name). Select the certificate the ZyWALL uses to authenticate itself to the wireless clients. The wireless clients must use TTLS authentication protocol and PAP inside the TTLS secure tunnel.
  security wpa2 {tkip | aes} eap external
    Configures WPA2 enterprise security using TKIP or AES and an external server. Use the security external command to specify the server's address.
  security wpa2 {tkip | aes} psk key psk_key
    Configures WPA2 security using TKIP or AES and a Pre-Shared Key (PSK).

ZyWALL ZLD CLI Reference Guide, Chapter 6 Int
481. us
  anti-virus white-list status: yes
  Router(config)# show anti-virus white-list
  No   Status   File Pattern
  1    yes      exe
  Router(config)# show anti-virus black-list status
  anti-virus black-list status: yes
  Router(config)# show anti-virus black-list
  No   Status   File Pattern
  1    no       exe

ZyWALL ZLD CLI Reference Guide, Chapter 20 Anti-Virus

20.2.4 Signature Search Anti-virus Command

The following table describes the command for searching for signatures. You must use the configure terminal command to enter the configuration mode before you can use this command.

Table 91 Command for Anti-virus Signature Search
  anti-virus search signature {all | category id id name name category severity severity from id to id}
    Search for signatures by their ID, name, severity or category. all displays all signatures. category: select whether you want to see virus signatures or spyware signatures. id: type the ID or part of the ID of the signature you want to find. name: type the name or part of the name of the signature(s) you want to find. This search is not case-sensitive. severity: type the severity level of the signatures you want to find (high, medium or low).

20.2.4.1 Signature Search Example

This example shows how to search for anti-virus signatures with "MSN" in the name.
  Router(config)# anti-virus search signature
482. us statistics is turned on or off.
  show anti-virus statistics ranking {destination | source | virus-name}
    Query and sort the anti-virus statistics entries by destination IP address, source IP address or virus name. virus-name lists the most common viruses detected. source lists the source IP addresses of the most virus-infected files. destination lists the most common destination IP addresses for virus-infected files.

ZyWALL ZLD CLI Reference Guide, Chapter 20 Anti-Virus

20.4.1 Anti-virus Statistics Example

This example shows how to collect and display anti-virus statistics. It also shows how to sort the display by the most common destination IP addresses.
  Router(config)# anti-virus statistics collect
  Router(config)# show anti-virus statistics collect
  collect statistics: yes
  Router(config)# show anti-virus statistics summary
  file scanned: 0
  virus detected: 0
  Router(config)# show anti-virus statistics ranking destination

ZyWALL ZLD CLI Reference Guide, Chapter 21 IDP Commands

This chapter introduces IDP-related commands.

21.1 Overview

Commands mostly mirror web configurator features. It is recommended you use the web configurator for IDP features such as searching for web signatures, creating/editing an IDP profile or creating/editing a custom signature. Some web configurator terms may differ from the command-line equivalent.

Note: The no command negates the action or
483. ussed with the corresponding commands.

Table 67 Input Values for IPSec VPN Commands
  profile_name: The name of a VPN concentrator. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  policy_name: The name of an IKE SA. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  map_name: The name of an IPSec SA. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  domain_name: Fully qualified domain name. You may use up to 254 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
  e_mail: An e-mail address. You can use up to 63 alphanumeric characters, underscores (_), dashes (-), or characters.

ZyWALL ZLD CLI Reference Guide, Chapter 16 IPSec VPN
Table 67 Input Values for IPSec VPN Commands (continued)
  distinguished_name: A domain name. You can use up to 511 alphanumeric characters, spaces, or _ characters.
  sort_order: Sort the list of currently connected SAs by one of the following classifications: algorithm, encapsulation, inbound, name, outbound, policy, timeout, uptime.

The following sections list the
484. ut the report-associated commands and how to restart the ZyWALL using commands. It also covers the daily report e-mail feature.

39.1 Report Commands Summary

The following sections list the report and session commands.

39.1.1 Report Commands

This table lists the commands for reports.

Table 188 report Commands
  [no] report
    Begins data collection. The no command stops data collection.
  show report status
    Displays whether or not the ZyWALL is collecting data and how long it has collected data.
  clear report [interface_name]
    Clears the report for the specified interface or for all interfaces.
  show report interface_name {ip | service | url}
    Displays the traffic report for the specified interface and controls the format of the report. Formats are: ip (traffic by IP address and direction), service (traffic by service and direction), url (hits by URL).

ZyWALL ZLD CLI Reference Guide, Chapter 39 Reports and Reboot

39.1.2 Report Command Examples

The following commands start collecting data, display the traffic reports, and stop collecting data.

  Router# configure terminal
  Router(config)# show report ge1 ip
  No.   IP Address    User    Amount        Direction
  1     192.168.1.4   admin   1273 bytes    Outgoing
  2     192.168.1.4   admin   711 bytes     Incoming
  Router(config)# show report ge1 service
  No.   Port   Service   Amount        Direction
  1     21     ftp       1273 bytes    Outgoing
485. uthentication time, lease time or idle timeout is reached. See Chapter 25 on page 233 for more information about these settings.

1.2.1 Console Port

The default settings for the console port are as follows.

Table 1 Managing the ZyWALL: Console Port
  SETTING: VALUE
  Speed: 115200 bps
  Data Bits: 8
  Parity: None
  Stop Bit: 1
  Flow Control: Off

When you turn on your ZyWALL, it performs several internal tests as well as line initialization. You can view the initialization information using the console port. Garbled text displays if your terminal emulation program's speed is set lower than the ZyWALL's. No text displays if the speed is set higher than the ZyWALL's. If changing your terminal emulation program's speed does not get anything to display, restart the ZyWALL. If restarting the ZyWALL does not get anything to display, contact your local customer support.

Figure 1 Console Port Power-on Display
  FLASH: AMD 16M
  BootModule Version: V1.08 | 12/04/2007 15:36:17
  DRAM Size = 256 Mbytes
  DRAM POST: Testing: 262144K

After the initialization, the login screen displays.

Figure 2 Login Screen
  Welcome to ZyWALL 1050
  Username:

ZyWALL ZLD CLI Reference Guide, Chapter 1 Command Line Interface

Enter the user name and password at the prompts.

Note: The username and password are case-sensitive. The default login username is admin and password is 1234.
486. ve information for the LDAP server (description group). You can use up to 60 printable ASCII characters. The no command clears this setting.

ZyWALL ZLD CLI Reference Guide, Chapter 29 AAA Server
Table 148 aaa group server ldap Commands (continued)
  [no] server group-attribute group_attribute
    Sets the name of the attribute that the ZyWALL is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values. For example, you could have an attribute named "memberOf" with values like "sales", "RD", and "management". Then you could also create an ext-group-user user object for each group. One with "sales" as the group identifier, another for "RD" and a third for "management". The no command clears the setting.
  [no] server host ldap_server
    Enter the IP address (in dotted decimal notation) or the domain name of an LDAP server to add to this group. The no command clears this setting.
  [no] server password password
    Sets the bind password (up to 15 characters). The no command clears this setting.
  [no] server port port_no
    Sets the LDAP port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
  [no] server search-time-limit
    Sets t
487. ves the host name.
  show fqdn
    Displays the fully qualified domain name.

35.4 Time and Date

For effective scheduling and logging, the ZyWALL system time must be accurate. The ZyWALL's Real Time Chip (RTC) keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server.

ZyWALL ZLD CLI Reference Guide, Chapter 35 System

35.4.1 Date/Time Commands

The following table describes the commands available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 161 Command Summary: Date/Time
  clock date yyyy-mm-dd time hh:mm:ss
    Sets the new date in year, month and day format manually and the new time in hour, minute and second format.
  [no] clock daylight-saving
    Enables daylight saving. The no command disables daylight saving.
  [no] clock saving-interval begin {apr | aug | dec | feb | jan | jul | jun | mar | may | nov | oct | sep} {1 | 2 | 3 | 4 | last} {fri | mon | sat | sun | thu | tue | wed} hh:mm end {apr | aug | dec | feb | jan | jul | jun | mar | may | nov | oct | sep} {1 | 2 | 3 | 4 | last} {fri | mon | sat | sun | thu | tue | wed} hh:mm offset
    Configures the day and time when Daylight Saving Time starts and ends. The no command removes the day and time when Daylight Saving Time starts and ends. offset: a number from 1 to 5.5 (by 0.5 increments).
  clock time hh:mm:ss
    Se
488. width the traffic can use, and can turn on maximize bandwidth usage.
traffic-prioritize {tcp-ack|content-filter|dns|ipsec-vpn|ssl-vpn} deactivate
  Turns off traffic priority settings for when the interface sends the specified type of traffic.
[no] upstream <0..1048576>
  Specifies the upstream bandwidth for the specified interface. The no command sets the upstream bandwidth to 1048576.

[ZyWALL ZLD CLI Reference Guide, Chapter 6 Interfaces]

Table 16 interface General Commands: Basic Properties and IP Address Assignment (continued)

COMMAND / DESCRIPTION
interface reset {interface_name|virtual_interface_name|all}
  Resets the interface statistics (TxPkts, transmitted packets, and RxPkts, received packets) counts to 0. You can use the show interface summary all status command to see the interface statistics.
interface send statistics interval <15..3600>
  Sets how often the ZyWALL sends interface statistics to external servers, for example a syslog server and a Vantage Report server.
show interface-name
  Displays all PPP and Ethernet interface system name and user-defined name mappings.
interface-name {ppp_interface|ethernet_interface} user_defined_name
  Specifies a name for a PPP or an Ethernet interface. It can use alphanumeric characters, hyphens and underscores, and it can be up to 11 characters long.
  ppp_interface / ethernet_interface: This must be the system name o
489. wise, use the interface command to set the interface through which the ZyWALL sends DNS queries to a DNS server. The auto means any interface that the ZyWALL uses to send DNS queries to a DNS server according to the routing rule.
ip dns server zone-forwarder move <1..32> to <1..32>
  Changes the index number of a zone forwarder record.
no ip dns server rule <1..32>
  Deletes a service control rule.
show ip dns server
  Displays all DNS entries.
show ip dns server database
  Displays all configured records.
show ip dns server status
  Displays whether this service is enabled or not.

35.6.3 DNS Command Example

This command sets an A record that specifies the mapping of a fully qualified domain name (www.abc.com) to an IP address (210.17.2.13).

Router# configure terminal
Router(config)# ip dns server a-record www.abc.com 210.17.2.13

35.7 SNAT Overview

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it you must know the IP address of a machine before you can access it.

[ZyWALL ZLD CLI Reference Guide, Chapter 35 System]

System Remote Management

This chapter shows you how to determine which services/protocols can access which ZyWALL zones (if any) from which computers.

Note: To allow the ZyWALL to be accessed from a
490. xel.com

36.8.2 SNMP Traps

The ZyWALL will send traps to the SNMP manager when any one of the following events occurs.

Table 170 SNMP Traps

OBJECT LABEL / OBJECT ID / DESCRIPTION
Cold Start / 1.3.6.1.6.3.1.1.5.1 / This trap is sent when the ZyWALL is turned on or an agent restarts.
linkDown / 1.3.6.1.6.3.1.1.5.3 / This trap is sent when the Ethernet link is down.
linkUp / 1.3.6.1.6.3.1.1.5.4 / This trap is sent when the Ethernet link is up.
authenticationFailure / 1.3.6.1.6.3.1.1.5.5 / This trap is sent when an SNMP request comes from non-authenticated hosts.

36.8.3 SNMP Commands

The following table describes the commands available for SNMP. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 171 Command Summary: SNMP

COMMAND / DESCRIPTION
[no] snmp-server
  Allows SNMP access to the ZyWALL. The no command disables SNMP access to the ZyWALL.
[no] snmp-server community community_string {ro|rw}
  Enters up to 64 characters to set the password for read-only (ro) or read-write (rw) access. The no command resets the password for read-only (ro) or read-write (rw) access to the default.
[no] snmp-server contact description
  Sets the contact information (up to 60 characters) for the person in charge of the ZyWALL. The no command removes the contact information for the person in charge of the ZyWALL.
[no] snmp-server enable {informs|traps}
  Ena
491. y's SSL VPN.

Router(config)# eps profile EPS_Example
Router(eps EPS_Example)# windows-version windows-xp
Router(eps EPS_Example)# personal-firewall activate
Router(eps EPS_Example)# anti-virus activate
Router(eps EPS_Example)# windows-auto-update enable
Router(eps EPS_Example)# windows-service-pack 2
Router(eps EPS_Example)# personal-firewall Windows_Firewall detect auto protection enable
Router(eps EPS_Example)# anti-virus Kaspersky_Anti-Virus_v2010 detect auto protection enable
Router(eps EPS_Example)# matching-criteria all
Router(eps EPS_Example)# exit
Router(config)#

[ZyWALL ZLD CLI Reference Guide, Chapter 34 Endpoint Security]

Then he leaves the sub-command mode and uses the show command to view the EPS object settings.

Router(eps EPS_Example)# exit
Router(config)# show eps profile
name: EPS_Example
description:
os-type: windows
windows-version: windows-xp
matching-criteria: all
anti-virus activation: yes
anti-virus 1: name: Kaspersky_Anti-Virus_v2010, detect: auto, protection: enable
personal-firewall activation: yes
personal-firewall 1: name: Windows_Firewall, detect: auto, protection: enable
windows-update: enable
windows-service-pack: 2
windows-security-patch:
windows-registry:
trusted-application:
forbidden-application:
file-information:
reference count:
492. y (EPS, also known as endpoint control) to make sure users' computers comply with defined corporate policies before they can access the network or an SSL VPN tunnel. After a successful user authentication, a user's computer must meet the endpoint security object's Operating System (OS) option and security requirements to gain access. You can configure the endpoint security object to require a user's computer to match just one of the endpoint security object's checking criteria or all of them. Configure endpoint security objects to use with the authentication policy and SSL VPN features.

What Endpoint Security Can Check

The settings endpoint security can check vary depending on the OS of the user's computer. Depending on the OS, EPS can check user computers for the following:
- Operating System (Windows, Linux, Mac OSX or others)
- Windows version and service pack version
- Windows Auto Update setting and installed security patches
- Personal firewall installation and activation
- Anti-virus installation and activation
- Windows registry settings
- Processes that the endpoint must execute
- Processes that the endpoint cannot execute
- The size and version of specific files

Multiple Endpoint Security Objects

You can configure an authentication policy or SSL VPN policy to use multiple endpoint security objects. This allows checking of computers with different OSs or security settings. When a client attempts to log in, the ZyWALL checks the clien
493. y, which can become a single point of failure. Virtual Router Redundancy Protocol (VRRP) allows you to create redundant backup gateways to ensure that the default gateway is always available. The ZyWALL uses a custom VRRP implementation and is not compatible with standard VRRP.

[ZyWALL ZLD CLI Reference Guide, Chapter 24 Device HA]

VRRP Group Overview

In the ZyWALL, you should create a VRRP group to add one of its interfaces to a virtual router. You can add any Ethernet interface, VLAN interface, or virtual interface created on top of Ethernet interfaces or VLAN interfaces with a static IP address. You can only enable one VRRP group for each interface, and you can only have one active VRRP group for each virtual router.

24.6 Legacy Mode (VRRP) Device HA Commands

The following table identifies the values required for many device-ha commands. Other input values are discussed with the corresponding commands.

Table 124 Input Values for device-ha Commands

LABEL / DESCRIPTION
vrrp_group_name
  The name of the VRRP group. The name can consist of alphanumeric characters, the underscore, and the dash, and may be up to fifteen alphanumeric characters long.

The following sections list the device-ha commands.

24.6.1 VRRP Group Commands

This table lists the commands for VRRP groups.

Table 125 device-ha Commands: VRRP Groups

COMMAND / DESCRIPTION
show device-ha vrrp-group
  Displays information about all VRRP grou
494. yWALL send an alert to the user when the system is out of memory or disk space.
[no] app-watch-dog disk-threshold min <1..100> max <1..100>
  Sets the percentage thresholds for sending a disk usage alert. The ZyWALL starts sending alerts when disk usage exceeds the maximum (the second threshold you enter). The ZyWALL stops sending alerts when the disk usage drops back below the minimum threshold (the first threshold you enter). The no command changes the setting back to the default.
[no] app-watch-dog mem-threshold min threshold_min max threshold_max
  Sets the percentage thresholds for sending a memory usage alert. The ZyWALL starts sending alerts when memory usage exceeds the maximum (the second threshold you enter). The ZyWALL stops sending alerts when the memory usage drops back below the minimum threshold (the first threshold you enter). The no command changes the setting back to the default.
show app-watch-dog config
  Displays the application watchdog timer settings.
show app-watch-dog monitor-list
  Displays the list of applications that the application watchdog is monitoring.

[ZyWALL ZLD CLI Reference Guide, Chapter 43 Watchdog Timer]

43.3.1 Application Watchdog Commands Example

The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring.

Router# configure terminal
Router(config)# s
495. zation settings.
show device-ha ap-mode backup sync status
  Displays the backup ZyWALL's current synchronization status.
show device-ha ap-mode backup sync summary
  Displays the backup ZyWALL's synchronization settings.
show device-ha ap-mode forwarding-port interface_name
  If you apply Device HA on a bridge interface on a backup ZyWALL, you can use this command to see which port in the bridge interface is chosen to receive the VRRP packets used to monitor whether the master ZyWALL goes down. interface_name: This is a bridge interface, for example brx.

24.4.2 Active-Passive Mode Device HA Command Example

This example configures a ZyWALL to be a master ZyWALL for active-passive mode device HA. There is a management IP address of 192.168.1.3 on lan1. wan1 and lan1 are monitored. The synchronization password is set to mySyncPassword.

Router(config)# device-ha ap-mode lan1 manage-ip 192.168.1.3 255.255.255.0
Router(config)# device-ha ap-mode role master
Router(config)# device-ha ap-mode master sync authentication password mySyncPassword
Router(config)# device-ha ap-mode wan1 activate
Router(config)# device-ha ap-mode lan1 activate
Router(config)# device-ha activate

24.5 Legacy Mode (VRRP) Device HA

This section covers device HA using VRRP, VRRP groups and synchronization.

Virtual Router Redundancy Protocol (VRRP) Overview

Every computer on a network may send packets to a default gatewa
496. ze (MSS) the interface can use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single unfragmented piece. The no command has the ZyWALL use its default MSS setting.
mtu <576..1492>
  Sets the Maximum Transmission Unit in bytes.
show interface ppp system-default
  Displays system default PPP interfaces (non-deletable) that come with the ZyWALL.
show interface ppp user-define
  Displays all PPP interfaces that were manually configured on the ZyWALL.

6.5.1 PPPoE/PPTP Interface Command Examples

The following commands show you how to configure PPPoE/PPTP interface ppp0 with the following characteristics:
- base interface: ge1
- ISP account: Hinet
- local address: 1.1.1.1
- remote address: 2.2.2.2
- MTU: 1200
- upstream bandwidth: 345
- downstream bandwidth: 123
- description: I am ppp0 and dialed only when used

Router# configure terminal
Router(config)# interface ppp0
Router(config-if-ppp)# account Hinet
Router(config-if-ppp)# bind ge1
Router(config-if-ppp)# local-address 1.1.1.1
Router(config-if-ppp)# remote-address 2.2.2.2
Router(config-if-ppp)# mtu 1200
Router(config-if-ppp)# upstream 345
Router(config-if-ppp)# downstream 123
Router(config-if-ppp)# connectivity dial-on-demand
Router(config-if-ppp)# description I am ppp0
Router(config-if-ppp)# exit
497. zone_profile
  Specifies the zone the traffic is coming from. The no command removes the zone specification.
[no] to zone zone_profile
  Specifies the zone the traffic is going to. The no command removes the zone specification.
[no] activate
  Turns on the IDP profile to traffic direction binding. The no command turns it off.
idp {signature|anomaly} rule {delete <1..32> | move <1..32> to <1..32>}
  Removes or moves an IDP profile to traffic direction entry.
no idp {signature|anomaly} rule <1..32>
  Removes an IDP profile to traffic direction entry.
show idp {signature|anomaly} rules
  Displays the IDP zone-to-zone rules.

[ZyWALL ZLD CLI Reference Guide, Chapter 21 IDP Commands]

21.3.2.1 Example of IDP Zone-to-Zone Rule Commands

The following example creates IDP zone-to-zone rule one. The rule applies the LAN_IDP profile to all traffic going to the LAN zone.

Router# configure terminal
Router(config)# idp signature rule 1
Router(config-idp-signature-1)# from zone any
Router(config-idp-signature-1)# to zone LAN
Router(config-idp-signature-1)# bind LAN_IDP
Router(config-idp-signature-1)# activate
Router(config-idp-signature-1)# exit
Router(config)# show idp signature rules
Signature rules:
idp rule: 1
  from zone: any
  to zone: LAN
  profile: LAN_IDP
  activate: yes

21.3.3
