D-Link DFL-260E Manual

Network Security Firewall, NetDefendOS version 2.40.00
Network Security Firewall
CLI Reference Guide
NetDefendOS
Ver. 2.40.00
Network Security Solution
http://www.dlink.com


Summary of Contents for D-Link DFL-260E

  • Page 1 Network Security Firewall CLI Reference Guide NetDefendOS Security Security Ver. 2.40.00 Network Security Solution http://www.dlink.com...
  • Page 2 CLI Reference Guide DFL-260E/860E/1660/2560/2560G NetDefendOS version 2.40.00 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2011-09-06 Copyright © 2011...
  • Page 3 D-Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes.
  • Page 4: Table Of Contents

    Table of Contents Preface ........................ 9 1. Introduction .....................11 1.1. Running a command ................11 1.2. Help ....................12 1.2.1. Help for commands ..............12 1.2.2. Help for object types ..............12 1.3. Function keys ..................13 1.4. Command line history ................14 1.5. Tab completion ..................15 1.5.1.
  • Page 5 CLI Reference Guide 2.2.30. ldap ..................47 2.2.31. license ..................47 2.2.32. linkmon ..................48 2.2.33. logout ..................48 2.2.34. memory ..................48 2.2.35. natpool ..................49 2.2.36. nd ...................49 2.2.37. ndsnoop ...................50 2.2.38. netobjects .................51 2.2.39. pcapdump .................51 2.2.40. pipes ..................53 2.2.41. pptpalg ..................54 2.2.42. reconfigure ................55 2.2.43.
  • Page 6 CLI Reference Guide 3.6. BlacklistWhiteHost .................93 3.7. Certificate .....................94 3.8. Client ....................95 3.8.1. DynDnsClientCjbNet ..............95 3.8.2. DynDnsClientDLink ..............95 3.8.3. DynDnsClientDLinkChina ............95 3.8.4. DynDnsClientDyndnsOrg ..............96 3.8.5. DynDnsClientDynsCx ..............96 3.8.6. DynDnsClientPeanutHull ..............97 3.8.7. LoginClientBigPond ..............97 3.9. COMPortDevice ..................98 3.10. ConfigModePool ..................99 3.11. DateTime ..................100 3.12.
  • Page 7 CLI Reference Guide 3.37. LogReceiver ..................144 3.37.1. EventReceiverSNMP2c ............. 144 3.37.2. LogReceiverMemory ..............145 3.37.3. LogReceiverSMTP ..............145 3.37.4. LogReceiverSyslog ..............146 3.38. NATPool ..................147 3.39. Pipe ....................148 3.40. PipeRule ................... 151 3.41. PSK ....................152 3.42. RadiusAccounting ................153 3.43.
  • Page 8 List of Examples 1. Command option notation ................... 9 1.1. Help for commands ..................12 1.2. Help for object types ..................12 1.3. Command line history ..................14 1.4. Tab completion ....................15 1.5. Inline help ....................15 1.6. Edit an existing property value ................16 1.7.
  • Page 9: Preface

    Administrators that are responsible for configuring and managing the D-Link Firewall. • Administrators that are responsible for troubleshooting the D-Link Firewall. This guide assumes that the reader is familiar with the D-Link Firewall, and has the necessary basic knowledge in network security. Notation...
  • Page 10 Notation Preface Because the table name option is followed by ellipses it is possible to specify more than one routing table. Since table name is optional as well, the user can specify zero or more policy-based routing tables. gw-world:/> routes Virroute Virroute2...
  • Page 11: Introduction

    Chapter 1. Introduction • Running a command, page 11 • Help, page 12 • Function keys, page 13 • Command line history, page 14 • Tab completion, page 15 • User roles, page 17 This guide is a reference for all commands and configuration object types that are available in the command line interface for NetDefendOS.
  • Page 12: Help

    1.2. Help Chapter 1. Introduction 1.2. Help 1.2.1. Help for commands There are two ways of getting help about a command. A brief help is displayed if the command name is typed followed by -? or -h. This applies to all commands and is therefore not listed in the option list for each command in this guide.
  • Page 13: Function Keys

    1.3. Function keys Chapter 1. Introduction 1.3. Function keys In addition to the return key there are a number of function keys that are used in the CLI. Backspace Delete the character to the left of the cursor. Complete current word. Ctrl-A or Home Move the cursor to the beginning of the line.
  • Page 14: Command Line History

    1.4. Command line history Chapter 1. Introduction 1.4. Command line history Every time a command is run, the command line is added to a history list. The up and down arrow keys are used to access previous command lines (up arrow for older command lines and down arrow to move back to a newer command line).
  • Page 15: Tab Completion

    1.5. Tab completion Chapter 1. Introduction 1.5. Tab completion By using the tab function key in the CLI the names of commands, options, objects and object properties can be automatically completed. If the text entered before pressing tab only matches one possible item, e.g.
  • Page 16: Configuration Object Type Categories

    1.5.3. Configuration object type categories Chapter 1. Introduction If "." is entered instead of a property value and tab is pressed it will be replaced by the current value of that property. This is useful when editing an existing list of items or a long text value. The "<"...
  • Page 17: User Roles

    1.6. User roles Chapter 1. Introduction 1.6. User roles Some commands and options cannot be used unless the logged in user has administrator privilege. This is indicated in this guide by a note following the command or "Admin only" written next to an option.
  • Page 18 1.6. User roles Chapter 1. Introduction...
  • Page 19: Command Reference

    Chapter 2. Command Reference • Configuration, page 19 • Runtime, page 30 • Utility, page 70 • Misc, page 71 2.1. Configuration 2.1.1. activate Activate changes. Description Activate the latest changes. This will issue a reconfiguration, using the new configuration. If the reconfiguration is successful a commit command must be issued within the configured timeout interval in order to save the changes to media.
  • Page 20: Cancel

    2.1.3. cancel Chapter 2. Command Reference Example 2.1. Create a new object Add objects with an identifier property (not index): gw-world:/> add Address IP4Address example_ip Address=1.2.3.4 Comments="This is an example" gw-world:/> add IP4Address example_ip2 Address=2.3.4.5 Add an object with an index: gw-world:/main>...
  • Page 21: Change Context

    2.1.4. cc Chapter 2. Command Reference Note Requires Administrator privilege. 2.1.4. cc Change the current context. Description Change the current configuration context. A context is a group of objects that are dependent on and grouped by a parent object. Many objects lie in the "root"...
  • Page 22: Commit

    2.1.5. commit Chapter 2. Command Reference May not be applicable depending on the specified <Type>. <Type> Type of configuration object to perform operation 2.1.5. commit Save new configuration to media. Description Save the new configuration to media. This command can only be issued after a successful activate command.
  • Page 23: Pskgen

    2.1.7. pskgen Chapter 2. Command Reference Options -force Force object to be deleted even if it's used by other objects or has children. <Category> Category that groups object types. <Identifier> The property that identifies the configuration object. May not be applicable depending on the specified <Type>.
  • Page 24: Reject Changes

    2.1.8. reject Chapter 2. Command Reference Description Reject the changes made to the specified object by reverting to the values of the last committed configuration. All changes made to the object will be lost. If the object is added after the last commit, it will be removed.
  • Page 25: Reset

    2.1.9. reset Chapter 2. Command Reference <Type> Type of configuration object to perform operation Note Requires Administrator privilege. 2.1.9. reset Reset unit configuration and/or binaries. Description Reset configuration or binaries to factory defaults. Usage reset -configuration Reset the configuration to factory defaults. reset -unit Reset the unit to factory defaults.
  • Page 26: Show

    2.1.11. show Chapter 2. Command Reference See also: add Example 2.5. Set property values Set properties for objects that have an identifier property: gw-world:/> set Address IP4Address example_ip Address=1.2.3.4 Comments="This is an example" gw-world:/> set IP4Address example_ip2 Address=2.3.4.5 Comments=comment_without_whitespace gw-world:/main> set Route 1 Comment="A route" gw-world:/>...
  • Page 27: Show Objects

    2.1.11. show Chapter 2. Command Reference context, just type show. Show a table of all objects of a type by specifying a type or a category. Use the -errors or -changes flags to show what objects have been changed or have errors in the configuration.
  • Page 28: Undelete

    2.1.12. undelete Chapter 2. Command Reference Show all changes. Options -changes Show all changes in the current configuration. -disabled Show disabled properties. -errors Show all errors in the current configuration. -references Show all references to this object from other objects. -verbose Show error details.
  • Page 29 2.1.12. undelete Chapter 2. Command Reference <Category> Category that groups object types. <Identifier> The property that identifies the configuration object. May not be applicable depending on the specified <Type>. <Type> Type of configuration object to perform operation Note Requires Administrator privilege.
  • Page 30: Runtime

    2.2. Runtime Chapter 2. Command Reference 2.2. Runtime 2.2.1. about Show copyright/build information. Description Show copyright and build information. Usage about 2.2.2. alarm Show alarm information. Description Show list of currently active alarms. Usage alarm [-history] [-active] Options -active Show the currently active alarms. -history Show the 20 latest alarms.
  • Page 31: Arpsnoop

    2.2.4. arpsnoop Chapter 2. Command Reference Show all ARP entries. arp -show [<Interface>] [-ip=<pattern>] [-hw=<pattern>] [-num=<n>] Show ARP entries. arp -hashinfo [<Interface>] Show information on hash table health. arp -flush [<Interface>] Flush ARP cache of specified interface. arp -notify=<ip> [<Interface>] [-hwsender=<Ethernet Address>] Send gratuitous ARP for IP.
  • Page 32: Ats

    2.2.5. ats Chapter 2. Command Reference arpsnoop Show snooped interfaces. arpsnoop {ALL | NONE | <interface>} [-verbose] Snoop specified interface. Options -verbose Verbose. {ALL | NONE | <interface>} Interface name. 2.2.5. ats Show active ARP Transaction States. Description Show active ARP Transaction States. Usage ats [-num=<n>] Options...
  • Page 33: Blacklist

    2.2.7. blacklist Chapter 2. Command Reference Show BigPond information of specified interface. Options <interface> Interface to show BigPond information. 2.2.7. blacklist Blacklist. Description Block and unblock hosts on the black and white list. Note: Static blacklist hosts cannot be unblocked. If -force is not specified, only the exact host with the service, protocol/port and destination specified is unblocked.
  • Page 34: Buffers

    2.2.8. buffers Chapter 2. Command Reference -creationtime Show creation time. -dest=<ip address> Destination address block/unblock (ExceptExtablished flag is set on). -dynamic Show dynamic hosts only. -force Unblock all services for the host that matches the options. -info Show detailed information. -listtime Show time in list (for dynamic hosts).
  • Page 35: Cam

    2.2.9. cam Chapter 2. Command Reference <Num> Decode given buffer number. 2.2.9. cam CAM table information. Description Show information about the CAM table(s) and their entries. Usage cam -num=<n> Show CAM table information. cam <Interface> [-num=<n>] Show interface-specified CAM table information. cam <Interface>...
  • Page 36: Connections

    2.2.12. cpuid Chapter 2. Command Reference 2.2.11. connections List current state-tracked connections. Description List current state-tracked connections. Usage connections -show [-num=<n>] [-verbose] [-srciface=<interface>] [-destiface=<interface>] [-protocol=<name/num>] [-srcport=<port>] [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>] List connections. connections Same as "connections -show". connections -close [-all] [-srciface=<interface>] [-destiface=<interface>] [-protocol=<name/num>] [-srcport=<port>] [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]...
  • Page 37: Crashdump

    2.2.13. crashdump Chapter 2. Command Reference Display info about the cpu. Description Display the make and model of the machine's CPU. Usage cpuid 2.2.13. crashdump Show the contents of the crash.dmp file. Description Show the contents of the crash.dmp file, if it exists. Usage crashdump 2.2.14.
  • Page 38: Dhcprelay

    2.2.15. dhcprelay Chapter 2. Command Reference Modify interface lease. Options -lease={RENEW | RELEASE} Modify interface lease. -list List all DHCP enabled interfaces. -show Show information about DHCP enabled interface. <interface> DHCP Interface. 2.2.15. dhcprelay Show DHCP/BOOTP relayer ruleset. Description Display the content of the DHCP/BOOTP relayer ruleset and the current routed DHCP relays. Display filter filters relays based on interface/ip (example: if1 192.168.*) Usage dhcprelay...
  • Page 39: Dhcpserver

    2.2.17. dns Chapter 2. Command Reference 2.2.16. dhcpserver Show content of the DHCP server ruleset. Description Show the content of the DHCP server ruleset and various information about active/inactive leases. Display filter filters leases based on interface/mac/ip (example: if1 192.168.*) Usage dhcpserver Show DHCP server leases.
  • Page 40: Dnsbl

    2.2.18. dnsbl Chapter 2. Command Reference DNS client and queries. Description Show status of the DNS client and manage pending DNS queries. Usage dns [-query=<domain name>] [-list] [-remove] Options -list List pending DNS queries. -query=<domain name> Resolve domain name. -remove Remove all pending DNS queries.
  • Page 41: Frags

    2.2.20. ha Chapter 2. Command Reference More detailed information can optionally be obtained for specific reassemblies: Newest reassembly All reassemblies 0..1023 Assembly 'N' Example 2.9. frags frags NEW frags 254 Usage frags [{NEW | ALL | <reassembly id>}] [-free] [-done] [-num=<n>] Options -done List done (lingering) reassemblies.
  • Page 42: Hostmon

    2.2.21. hostmon Chapter 2. Command Reference -deactivate Go inactive. 2.2.21. hostmon Show Host Monitor statistics. Description Show active Host Monitor sessions. Usage hostmon [-verbose] [-num=<n>] Options -num=<n> Limit list to <n> entries. (Default: 20) -verbose Verbose output. 2.2.22. httpalg Commands related to the HTTP Application Layer Gateway. Description Show information about the WCF cache or list the overridden WCF hosts.
  • Page 43: Httpposter

    2.2.23. httpposter Chapter 2. Command Reference -num=<n> Limit list to <n> entries. (Default: 20) -override List hosts that have overridden the wcf filter. -server[={STATUS | CONNECT | DISCONNECT}] Web Content Filtering Server options. (Default: status) -show Show Web Content Filtering cache data. -url=<String>...
  • Page 44: Idppipes

    2.2.25. idppipes Chapter 2. Command Reference -all Show ALL sensors, WARNING: use at own risk, may take long time for highspeed ifaces to cope. -verbose Show sensor number, type and limits. 2.2.25. idppipes Show and remove hosts that are piped by IDP. Description Show list of currently piped hosts.
  • Page 45: Igmp

    2.2.27. igmp Chapter 2. Command Reference -allindepth Show in-depth information about all interfaces. -filter=<expr> Filter list of interfaces. -num=<n> Limit list to <n> lines. (Default: 20) -pbr=<table name> Only list members of given PBR table(s). -restart Stop and restart the interface. (Admin only) <Interface>...
  • Page 46: Ippool

    2.2.28. ippool Chapter 2. Command Reference <host address> Host IP address. <Interface> Interface. <MC address> Multicast Address. <router address> Router IP address. 2.2.28. ippool Show IP pool information. Description Show information about the current state of the configured IP pools. Usage ippool -release [<ip address>] [-all] Forcibly free IP assigned to subsystem.
  • Page 47: Ldap

    2.2.30. ldap Chapter 2. Command Reference languagefiles Show all language files on disk. languagefiles -remove=<String> Remove a language file from disk. Options -remove=<String> Specify language file to delete. 2.2.30. ldap LDAP information. Description Status and statistics for the configured LDAP databases. Usage ldap List all LDAP databases.
  • Page 48: Linkmon

    2.2.32. linkmon Chapter 2. Command Reference Show contents of the license file. Description Show contents of the license file. Usage license 2.2.32. linkmon Display link monitoring statistics. Description If link monitor hosts have been configured, linkmon will monitor host reachability to detect link/NIC problems.
  • Page 49: Natpool

    2.2.35. natpool Chapter 2. Command Reference Usage memory 2.2.35. natpool Show current NAT Pools. Description Show current NAT Pools and in-depth information. Usage natpool [-verbose] [<pool name> [<IP4 Address>]] [-num=<Integer>] Options -num=<Integer> Maximum number of items to list (default: 20). -verbose Verbose (more information).
  • Page 50: Ndsnoop

    2.2.37. ndsnoop Chapter 2. Command Reference Show Neighbor Discovery entries. nd -hashinfo [<Interface>] Show information on hash table health. nd -flush [<Interface>] Flush Neighbor Discovery cache of specified interface. nd -query=<ip> <Interface> Send Neighbor Solicitation for IP. nd -del=<ip> <Interface> Delete ND cache entry.
  • Page 51: Netobjects

    2.2.38. netobjects Chapter 2. Command Reference Show snooped interfaces. ndsnoop {ALL | NONE | <interface>} [-verbose] Snoop specified interface. Options -verbose Verbose. {ALL | NONE | <interface>} Interface name. 2.2.38. netobjects Show runtime values of network objects. Description Displays named network objects and their contents. Example 2.10.
  • Page 52 2.2.39. pcapdump Chapter 2. Command Reference pcapdump Show capture status. pcapdump -start [<interface(s)>] [-size=<value>] [-snaplen=<value>] [-count=<value>] [-out] [-out-nocap] [-eth=<Ethernet Address>] [-ethsrc=<Ethernet Address>] [-ethdest=<Ethernet Address>] [-ip=<IP4 Address>] [-ipsrc=<IP4 Address>] [-ipdest=<IP4 Address>] [-port=<0...65535>] [-srcport=<0...65535>] [-destport=<0...65535>] [-proto=<0...255>] [-icmp] [-tcp] [-udp] [-promisc] [-ipversion=<1...15>] Start capture. pcapdump -stop [<interface(s)>] Stop capture.
  • Page 53: Pipes

    2.2.40. pipes Chapter 2. Command Reference -ipdest=<IP4 Address> Destination IP address filter. -ipsrc=<IP4 Address> Source IP address filter. -ipversion=<1...15> IP version filter. -out Realtime packet brief dumped to console. -out-nocap Unbuffered (not stored in memory) realtime packet brief dumped to console. -port=<0...65535>...
  • Page 54: Pptpalg

    2.2.41. pptpalg Chapter 2. Command Reference pipes List all pipes. pipes -users [<Pipe>] [-expr=<String>] List users of a given pipe. pipes -show [<Pipe>] [-expr=<String>] Show pipe details. Options -expr=<String> Pipe wildcard(*) expression. -show Show pipe details. -users List users of a given pipe. <Pipe>...
  • Page 55: Reconfigure

    2.2.42. reconfigure Chapter 2. Command Reference -verbose Verbose output. <PPTP ALG> PPTP ALG. 2.2.42. reconfigure Initiates a configuration re-read. Description Restart the Security Gateway using the currently active configuration. Usage reconfigure Note Requires Administrator privilege. 2.2.43. routemon List the currently monitored interfaces and gateways. Description List the currently monitored interfaces and/or gateways.
  • Page 56: Rules

    2.2.45. rules Chapter 2. Command Reference show core routes also. Use the -switched switch to show only switched routes. Explanation of Flags field of the routing tables: Learned via OSPF Route is Disabled Route is Monitored Published via Proxy ARP Dynamic (from e.g.
  • Page 57: Selftest

    2.2.46. selftest Chapter 2. Command Reference rules -verbose 1-5 7-9 Usage rules [-type={IP | ROUTING | PIPE | IDP | IGMP}] [-verbose] [-schedule] [<rules>]... Options -schedule Filter out rules that are not currently allowed by selected schedules. -type={IP | ROUTING | PIPE | IDP | IGMP} Type of rules to display.
  • Page 58: Start A 30 Min Burn-In Duration Test, Testing RAM, Storage Media And The Crypto Accelerator

    2.2.46. selftest Chapter 2. Command Reference selftest -ping -interfaces=if1,if2 Example 2.14. Start a 30 min burn-in duration test, testing RAM, storage media and the crypto accelerator selftest -burnin -minutes 30 -media -memory -cryptoaccel Usage selftest -memory [-num=<Integer>] Check the sanity of the RAM. selftest -media [-size=<Integer>] Check the sanity of the disk drive.
  • Page 59: Services

    2.2.47. services Chapter 2. Command Reference Options -abort Abort a running self test. -burnin Run burn-in tests for a selected set of sub tests. -cryptoaccel Verify the correct functioning of available crypto accelerator cards. -hours[=<Integer>] Test duration in hours. (Default: 48) -interfaces=<Interface>...
  • Page 60: Sessionmanager

    2.2.48. sessionmanager Chapter 2. Command Reference services [<String>] Options <String> Name or pattern. 2.2.48. sessionmanager Session Manager. Description Show information about the Session Manager, and list currently active users. Explanation of Timeout flags for sessions: Session is disabled Session uses a timeout in its subsystem Session does not use timeout Usage sessionmanager...
  • Page 61: Settings

    2.2.49. settings Chapter 2. Command Reference -disconnect Forcibly terminate session(s). (Admin only) -info Show in-depth information about session. -list List active sessions. -message Send message to session. -num=<n> List <n> number of session. -status Show Session Manager status. <database> Name of user database. <IP Address>...
  • Page 62: Sipalg

    2.2.51. sipalg Chapter 2. Command Reference Usage shutdown [<seconds>] [-normal] [-reboot] Options -normal Initiate core shutdown. -reboot Initiate system reboot. <seconds> Seconds until shutdown. (Default: 5) Note Requires Administrator privilege. 2.2.51. sipalg SIP ALG. Description List running SIP-ALG configurations, SIP registration and call information. The -flags option with -snoop allows any combination of the following values: 0x00000001 GENERAL 0x00000002 ERRORS...
  • Page 63 2.2.51. sipalg Chapter 2. Command Reference 0x00004000 MEDIA 0x00008000 CONTACT 0x00010000 CONN 0x00020000 PING 0x00040000 TRANSACTION 0x00080000 CALLLEG 0x00100000 REGISTRY Flags can be added in the usual way. The default value is 0x00000003 (GENERAL and ERRORS). NOTE: 'verbose' option outputs a lot of information on the console which may lead to system instability.
  • Page 64: Sshserver

    2.2.52. sshserver Chapter 2. Command Reference -definition Show running ALG configuration parameters. -flags=<String> SIP snooping for certain levels. Expected number in hexadecimal notation. -registration[={SHOW | FLUSH}] Show or flush registration table. (Default: show) -session Show active SIP sessions. -snoop={ON | OFF | VERBOSE} Enable or disable SIP snooping.
  • Page 65: Sslvpn

    2.2.53. sslvpn Chapter 2. Command Reference -status Show server status and list all connected clients. -t={RSA | DSA} Type, (default: both RSA and DSA keys will be created). -verbose Verbose output. <ssh server> SSH Server. Note Requires Administrator privilege. 2.2.53.
  • Page 66: Time

    2.2.56. time Chapter 2. Command Reference Usage techsupport 2.2.56. time Display current system time. Description Display/set the system date and time. Usage time Display current system time. time -set <date> <time> Set system local time: <YYYY-MM-DD> <HH:MM:SS>. time -sync [-force] Synchronize time with timeserver(s) (specified in settings).
  • Page 67: Updatecenter

    2.2.58. updatecenter Chapter 2. Command Reference Example 2.16. Show a range of rules uarules -v 1-2,4-5 Usage uarules [-verbose] [<Integer Range>] Options -verbose Verbose output. <Integer Range> Range of rules to list. 2.2.58. updatecenter Show autoupdate status and manage IDP/AV databases. Description Show autoupdate mechanism status or force an update.
  • Page 68: Userauth

    2.2.59. userauth Chapter 2. Command Reference -status[={ANTIVIRUS | IDP | ALL}] Show update status and database information. (Admin only; Default: all) -update[={ANTIVIRUS | IDP | ALL}] Force an update now for the specified service. (Admin only; Default: all) 2.2.59. userauth Show logged-on users.
  • Page 69: Vlan

    2.2.60. vlan Chapter 2. Command Reference 2.2.60. vlan Show information about VLAN. Description Show list of attached Virtual LAN Interfaces, or in-depth information about a specified VLAN. Usage vlan List attached VLANs. vlan <Interface> Display VLANs connected to physical iface <iface>. Options <Interface>...
  • Page 70: Utility

    2.3. Utility Chapter 2. Command Reference 2.3. Utility 2.3.1. ping Ping host. Description Sends one or more ICMP ECHO, TCP SYN or UDP datagrams to the specified IP address of a host. All datagrams are sent preloaded-style (all at once). The data size -length given is the ICMP or UDP data size.
  • Page 71: Misc

    2.4. Misc Chapter 2. Command Reference 2.4. Misc 2.4.1. echo Print text. Description Print text to the console. Example 2.17. Hello World echo Hello World Usage echo [<String>]... Options <String> Text to print. 2.4.2. help Show help for selected topic. Description The help system contains information about commands and configuration object types.
  • Page 72: History

    2.4.3. history Chapter 2. Command Reference Display help about selected topic from any category. help -category={COMMANDS | TYPES} [<Topic>] Display help from a specific topic category. Options -category={COMMANDS | TYPES} Topic category. <Topic> Help topic. 2.4.3. history Dump history to screen. Description List recently typed commands that have been stored in the command history.
  • Page 73: Script

    2.4.5. script Chapter 2. Command Reference Example 2.20. Upload certificate data scp certificate.cer user@sgw-ip:certificate/certificate_name scp certificate.key user@sgw-ip:certificate/certificate_name Example 2.21. Upload ssh public key data scp sshkey.pub user@sgw-ip:sshclientkey/sshclientkey_name Usage Options -long Enable long listing format. <File> File to list. 2.4.5. script Handle CLI scripts.
  • Page 74 2.4.5. script Chapter 2. Command Reference Execute script. script -show [-all] [-name=<Name>] Show script in console window. script -store [-all] [-name=<Name>] Store a script to persistent storage. script -remove [-all] [-name=<Name>] Remove script. script List script files. Options -all Apply to all scripts. -create Create configuration script from specified object, class or category.
  • Page 75 2.4.5. script Chapter 2. Command Reference...
  • Page 76: Configuration Reference

    Chapter 3. Configuration Reference • Access, page 77 • Address, page 79 • AdvancedScheduleProfile, page 83 • ALG, page 84 • ARPND, page 92 • BlacklistWhiteHost, page 93 • Certificate, page 94 • Client, page 95 • COMPortDevice, page 98 •...
  • Page 77: Access

    3.1. Access Chapter 3. Configuration Reference • IPsecAlgorithms, page 138 • LDAPDatabase, page 140 • LDAPServer, page 141 • LinkMonitor, page 142 • LocalUserDatabase, page 143 • LogReceiver, page 144 • NATPool, page 147 • Pipe, page 148 • PipeRule, page 151 •...
  • Page 78 3.1. Access Chapter 3. Configuration Reference Action Accept, Expect or Drop. (Default: Drop) Interface The interface the packet must arrive on for this rule to be carried out. Exception: the Expect rule. Network The IP span that the sender must belong to for this rule to be carried out.
  • Page 79: Address

    3.2. Address Chapter 3. Configuration Reference 3.2. Address This is a category that groups the following object types. 3.2.1. AddressFolder Description An address folder can be used to group related address objects for better overview. Properties Name Specifies a symbolic name for the network object. (Identifier) Comments Text describing the current object.
  • Page 80 3.2.1. AddressFolder Chapter 3. Configuration Reference 3.2.1.3. EthernetAddress Description Use an Ethernet Address item to define a symbolic name for an Ethernet MAC address. Properties Name Specifies a symbolic name for the network object. (Identifier) Address Ethernet MAC address, e.g. "12-34-56-78-ab-cd". Comments Text describing the current object.
  • Page 81 3.2.1. AddressFolder Chapter 3. Configuration Reference NoDefinedCredentials If this property is enabled the object requires user authentication, but has no credentials (user names or groups) defined. This means that the object only requires that a user is authenticated, but ignores any kind of group membership.
  • Page 82: Ethernetaddress

    3.2.2. EthernetAddress Chapter 3. Configuration Reference (Optional) NoDefinedCredentials If this property is enabled the object requires user authentication, but has no credentials (user names or groups) defined. This means that the object only requires that a user is authenticated, but ignores any kind of group membership.
  • Page 83: Advancedscheduleprofile

    3.3. AdvancedScheduleProfile Chapter 3. Configuration Reference 3.3. AdvancedScheduleProfile Description An advanced schedule profile contains definitions of occurrences used by various policies in the system. Properties Name Specifies a symbolic name for the service. (Identifier) Comments Text describing the current object. (Optional) 3.3.1.
  • Page 84: Alg

    3.4. ALG Chapter 3. Configuration Reference 3.4. ALG This is a category that groups the following object types. 3.4.1. ALG_FTP Description Use an FTP Application Layer Gateway to manage FTP traffic through the system. Properties Name Specifies a symbolic name for the ALG. (Identifier) AllowServerPassive Allow server to use passive mode (unsafe for server).
  • Page 85: Alg_H323

    3.4.2. ALG_H323 Chapter 3. Configuration Reference FileListType Specifies if the file list contains files to allow or deny. (Default: Block) FailModeBehavior Standard behaviour on error: Allow or Deny. (Default: Deny) File List of file types to allow or deny. (Optional) VerifyContentMimetype Verify that file extensions correspond to the MIME type.
  • Page 86 3.4.3. ALG_HTTP Chapter 3. Configuration Reference VerifyUTF8URL Verify that URLs do not contain invalid UTF8 encoding. (Default: No) BlackURLDisplayReason Message to show when there is an attempt to access a blacklisted site. (Optional) HTTPBanners HTTP ALG HTML Banners. (Default: Default) MaxDownloadSize The maximal allowed file size in kB.
  • Page 87: Alg_Pop3

    3.4.4. ALG_POP3 Chapter 3. Configuration Reference words in them. Properties Action Whitelist or Blacklist. (Default: Blacklist) Specifies the URL to blacklist or whitelist. Comments Text describing the current object. (Optional) Note If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 88: Alg_Pptp

    3.4.5. ALG_PPTP Chapter 3. Configuration Reference AllowEncryptedZip Allow encrypted zip files, even though the contents can not be scanned. (Default: No) ZDEnabled Enable ZoneDefense Block. (Default: No) ZDNetwork Hosts within this network will be blocked at switches if a virus is found. Comments Text describing the current object.
  • Page 89: Alg_Smtp

    ... (Default: 5) Comments: Text describing the current object. (Optional) 3.4.7. ALG_SMTP. Description: Use an SMTP Application Layer Gateway to manage SMTP traffic through the system. Properties: Name: Specifies a symbolic name for the ALG. (Identifier) VerifySenderEmail: Check emails for a mismatch between the SMTP command From address and the email header From address.
  • Page 90 3.4.7. ALG_SMTP. ZDEnabled: Enable ZoneDefense Block. (Default: No) ZDNetwork: Hosts within this network will be blocked at switches if a virus is found. DNSBL: Disable or enable DNSBL. (Default: No) SpamThreshold: Spam Threshold defines when an email should be considered as spam.
  • Page 91: Alg_Tftp

    3.4.8. ALG_TFTP. Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list. 3.4.8.
  • Page 92: Arpnd

    3.5. ARPND. Description: Use an ARP/Neighbor Discovery entry to publish additional IP addresses and/or MAC addresses on a specified interface. Properties: Mode: Static, Publish or XPublish. (Default: Publish) Interface: Indicates the interface to which the ARP entry applies;...
  • Page 93: Blacklistwhitehost

    3.6. BlacklistWhiteHost. Description: Hosts and networks added to this whitelist can never be blacklisted by IDP or Threshold Rules. Properties: Addresses: Specifies the addresses that will be whitelisted. Service: Specifies the service that will be whitelisted. Schedule: The schedule when the whitelist should be active.
  • Page 94: Certificate

    3.7. Certificate. Description: An X.509 certificate is used to authenticate a VPN client or gateway when establishing an IPsec tunnel. Properties: Name: Specifies a symbolic name for the certificate. (Identifier) Type: Local, Remote or Request. CertificateData: Certificate data.
  • Page 95: Client

    ... If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list. 3.8.3. DynDnsClientDLinkChina. Description: Configure the parameters used to connect to the D-Link DynDNS service (China only).
  • Page 96: Dyndnsclientdyndnsorg

    3.8.4. DynDnsClientDyndnsOrg. Properties: DNSName: The DNS name excluding the .dlinkddns.com suffix. Username: Username. Password: The password for the specified username. (Optional) Comments: Text describing the current object. (Optional) Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 97: Dyndnsclientpeanuthull

    3.8.6. DynDnsClientPeanutHull. Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list. 3.8.6.
  • Page 98: Comportdevice

    3.9. COMPortDevice. Description: A serial communication port that is used for accessing the CLI. Properties: Port: Port. (Identifier) BitsPerSecond: Bits per second. (Default: 9600) DataBits: Data bits. (Default: 8) Parity: Parity. (Default: None) StopBits: Stop bits.
  • Page 99: Configmodepool

    3.10. ConfigModePool. Description: An IKE Config Mode Pool will dynamically assign the IP address, DNS server, WINS server etc. to the VPN client connecting to this gateway. Properties: IPPoolType: Specifies whether a predefined IP Pool or a static set of IP addresses should be used as the IP address source.
  • Page 100: Datetime

    3.11. DateTime. Description: Set the date, time and time zone information for this system. Properties: TimeZone: Specifies the time zone. (Default: GMT) DSTEnabled: Enable daylight saving time. (Default: Yes) DSTOffset: Daylight saving time offset in minutes. (Default: 60) DSTStartMonth: The month in which daylight saving time starts.
  • Page 101: Device

    3.12. Device. Description: Global parameters for this device. Properties: Name: Name of the device. (Default: Device) LocalCfgVersion: Local version number of the configuration. (Default: ConfigUser: Name of the user who committed the current configuration.
  • Page 102: Dhcprelay

    3.13. DHCPRelay. Description: Use a DHCP Relay to dynamically alter the routing table according to relayed DHCP leases. Properties: Name: Specifies a symbolic name for the relay rule. (Identifier) Action: Ignore, Relay or BootpFwd. (Default: Ignore) SourceInterface: The source interface of the DHCP packet.
  • Page 103: Dhcpserver

    3.14. DHCPServer. Description: A DHCP Server determines a set of IP addresses and host configuration parameters to hand out to DHCP clients attached to a given interface. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the DHCP Server rule.
  • Page 104: Dhcpserverpoolstatichost

    3.14.1. DHCPServerPoolStaticHost. LogSeverity: Specifies with what severity log events will be sent to the specified log receivers. (Default: Default) Comments: Text describing the current object. (Optional) 3.14.1. DHCPServerPoolStaticHost. Description: Static DHCP Server host entry. Properties: Host: IP Address of the host.
  • Page 105: Dns

    3.15. DNS. Description: Configure the DNS (Domain Name System) client settings. Properties: DNSServer1: IP of the primary DNS Server. (Optional) DNSServer2: IP of the secondary DNS Server. (Optional) DNSServer3: IP of the tertiary DNS Server. (Optional) Comments: Text describing the current object.
  • Page 106: Driver

    3.16. Driver. This is a category that groups the following object types. 3.16.1. E1000EthernetPCIDriver. Description: Intel (E1000) Gigabit Ethernet Adaptor. Properties: RxRingsize: Rx ringsize. (Default: 64) TxRingsize: Tx ringsize. (Default: 256) EnableMonitoring: Enable monitoring. (Default: No) BelowCPULoad: Below CPU load.
  • Page 107: Ixp4Npeethernetdriver

    3.16.3. IXP4NPEEthernetDriver. Description: Intel (IXP4xxNPE) Fast Ethernet Adaptor. Properties: Comments: Text describing the current object. (Optional) Note: This object type does not have an identifier and is identified by the name of the type only.
  • Page 108: R8139Ethernetpcidriver

    3.16.7. R8139EthernetPCIDriver. Description: WIN32 packet.dll Adaptor. Properties: Comments: Text describing the current object. (Optional) Note: This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.16.7.
  • Page 109 3.16.9. SwitchEthernetDriver. Description: WIN32 switch.dll Adaptor. Properties: Comments: Text describing the current object. (Optional) Note: This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
  • Page 110: Ethernetdevice

    3.17. EthernetDevice. Description: Hardware settings for an Ethernet interface. Properties: Name: Specifies a symbolic name for the device. (Identifier) EthernetDriver: The Ethernet PCI driver that should be used by the interface. PCIBus: PCI bus number where the Ethernet adapter is installed.
  • Page 111: Highavailability

    3.18. HighAvailability. Description: Configure the High Availability cluster parameters for this system. Properties: Enabled: Enable high availability. (Default: No) ClusterID: A (locally) unique cluster ID to use in identifying this group of HA security gateways. (Default: 0) SyncIface: Specifies the interface used for state synchronization.
  • Page 112: Httpalgbanners

    3.19. HTTPALGBanners. Description: HTTP banner files specify the look and feel of HTTP ALG restriction web pages. Properties: Name: Specifies a symbolic name for the HTTP Banner Files. (Identifier) CompressionForbidden: HTML for the CompressionForbidden.html web page.
  • Page 113: Httpauthbanners

    3.20. HTTPAuthBanners. Description: HTTP banner files specify the look and feel of HTML authentication web pages. Properties: Name: Specifies a symbolic name for the HTTP Banner Files. (Identifier) FormLogin: HTML for the FormLogin.html web page. LoginSuccess: HTML for the LoginSuccess.html web page.
  • Page 114: Httpposter

    3.21. HTTPPoster. Description: Use the HTTP poster for dynamic DNS or automatic logon to services using web-based authentication. Properties: The URL that will be posted when the security gateway is loaded. RepostDelay: Delay in seconds until the URL is refetched.
  • Page 115: Hwm

    3.22. HWM. Description: Hardware Monitoring allows monitoring of hardware sensors. Properties: Name: Specifies a symbolic name for the object. Type: Type of monitoring. Sensor: Sensor index. MinLimit: Lower limit. (Optional) MaxLimit: Upper limit. (Optional) EnableMonitoring: Enable/disable monitoring.
  • Page 116: Idlist

    3.23. IDList. Description: An ID list contains IDs, which are used within the authentication process when establishing an IPsec tunnel. Properties: Name: Specifies a symbolic name for the ID list. (Identifier) Comments: Text describing the current object. (Optional) 3.23.1.
  • Page 117: Idprule

    3.24. IDPRule. Description: An IDP Rule defines a filter for matching specific network traffic. When the filter criterion is met, the IDP Rule Actions are evaluated and possible actions taken. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the rule.
  • Page 118 3.24.1. IDPRuleAction. An IDP Rule Action specifies what signatures to search for in the network traffic, and what action to take if those signatures are found. Properties: Action: Specifies what action to take if the given signature is found.
  • Page 119: Igmprule

    3.25. IGMPRule. Description: An IGMP rule specifies how to handle inbound IGMP reports and outbound IGMP queries. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the rule. (Optional) Type: The type of IGMP messages the rule applies to.
  • Page 120 3.25. IGMPRule. Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 121: Igmpsetting

    3.26. IGMPSetting. Description: IGMP parameters can be tuned for one interface, or for a group of interfaces, in order to match the characteristics of a network. Properties: Name: Specifies a symbolic name for the object. (Identifier) Interface: The interfaces that these settings should apply to.
  • Page 122: Ikealgorithms

    3.27. IKEAlgorithms. Description: Configure algorithms which are used in the IKE phase of an IPsec session. Properties: Name: Specifies a symbolic name for the object. (Identifier) NULLEnabled: Enable plaintext. (Default: No) DESEnabled: Enable DES encryption algorithm. (Default: No) DES3Enabled: Enable 3DES encryption algorithm.
  • Page 123: Interface

    3.28. Interface. This is a category that groups the following object types. 3.28.1. DefaultInterface. Description: A special interface used to represent internal mechanisms in the system as well as an abstract "any" interface. Properties: Name: Specifies a symbolic name for the interface.
  • Page 124: Gretunnel

    3.28.3. GRETunnel. ... IPv6 is enabled. (Default: 1500) Metric: Specifies the metric for the auto-created route. (Default: 100) DHCPEnabled: Enable DHCP client on this interface. (Default: No) DHCPHostName: Optional DHCP Host Name. Leave blank to use the default name.
  • Page 125: Interfacegroup

    3.28.4. InterfaceGroup. ... NAT. (Default: LocalInterface) OriginatorIP: Manually specified originator IP address to use as source IP in e.g. NAT. Metric: Specifies the metric for the auto-created route. (Default: 90) AutoInterfaceNetworkRoute: Automatically add a route for this interface using the given remote network.
  • Page 126 3.28.5. IPsecTunnel. LocalNetwork: The network on "this side" of the IPsec tunnel. The IPsec tunnel will be established between this network and the remote network. RemoteNetwork: The network connected to the remote gateway. The IPsec tunnel will be established between the local network and this network.
  • Page 127: L2Tpclient

    3.28.6. L2TPClient. ... NAT. (Default: LocalInterface) OriginatorIP: Manually specified originator IP address to use as source IP in e.g. NAT. OriginatorHAIP: Manually specified private originator IP address for use in HA. (Optional) DHGroup: Specifies the Diffie-Hellman group to use when doing key exchanges in IKE.
  • Page 128 3.28.6. L2TPClient. TunnelProtocol: Specifies if PPTP or L2TP should be used for this tunnel. (Default: PPTP) OriginatorIPType: Specifies what IP address to use as source IP in e.g. NAT. (Default: LocalInterface) OriginatorIP: Manually specified originator IP address to use as source IP in e.g.
  • Page 129: L2Tpserver

    3.28.7. L2TPServer. ... can be passed onward. (Default: 1456) AutoInterfaceNetworkRoute: Automatically add a route for this interface using the given remote network. (Default: Yes) MPPEAllowStateful: Allow usage of Stateful MPPE (less secure, use only for compatibility). (Default: No) Comments: Text describing the current object.
  • Page 130: Pppoetunnel

    3.28.8. PPPoETunnel. NBNS1: IP of the primary Windows Internet Name Service (WINS) server that is used in Microsoft environments that use the NetBIOS Name Servers (NBNS) to assign IP addresses to NetBIOS names. (Optional) NBNS2: IP of the primary Windows Internet Name Service (WINS) server that is used in Microsoft environments that use the NetBIOS Name Servers...
  • Page 131: Sslvpninterface

    3.28.9. SSLVPNInterface. PPPAuthNoAuth: Allow no authentication for this tunnel. (Default: PPPAuthPAP: Use PAP authentication protocol for this tunnel. User name and password are sent in plaintext. (Default: Yes) PPPAuthCHAP: Use CHAP authentication protocol for this tunnel. (Default: Yes) PPPAuthMSCHAP: Use MS-CHAP authentication protocol for this tun-...
  • Page 132: Vlan

    3.28.10. VLAN. OuterInterface: The physical interface that the SSL VPN interface will listen on. ServerPort: The listening port for the SSL VPN interface. (Default: 443) ServerIP: Listening IP for the SSL VPN interface. ServerFQDN: Optional. FQDN of the SSL VPN server given to clients, e.g. sslvpn.example.com.
  • Page 133 3.28.10. VLAN. ... interface. (Optional) EnableIPv6: TODO. (Default: No) IPv6IP: Specifies the IP address of the virtual LAN interface. IPv6Network: Specifies the network of the virtual LAN interface. IPv6DefaultGateway: The default gateway of the virtual LAN interface. (Optional) PrivateIP: The private IP address of this high availability node.
  • Page 134: Ippool

    3.29. IPPool. Description: An IP Pool is a dynamic object which consists of IP leases that are fetched from a DHCP Server. The IP Pool is used as an address source by subsystems that may need to distribute addresses, e.g. by IPsec in Configuration mode.
  • Page 135: Iprule

    3.30. IPRule. Description: An IP rule specifies what action to perform on network traffic that matches the specified filter criter- Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the rule. (Optional) Action: Reject, Drop, FwdFast, Allow, NAT or SAT.
  • Page 136 3.30. IPRule. LogEnabled: Enable logging. (Default: Yes) LogSeverity: Specifies with what severity log events will be sent to the specified log receivers. (Default: Default) Comments: Text describing the current object. (Optional) Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 137: Iprulefolder

    3.31. IPRuleFolder. Description: An IP Rule Folder can be used to group IP Rules into logical groups for better overview and simplified management. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies the name of the folder.
  • Page 138: Ipsecalgorithms

    3.32. IPsecAlgorithms. Description: Configure algorithms which are used in the IPsec phase of an IPsec session. Properties: Name: Specifies a symbolic name for the object. (Identifier) NULLEnabled: Enable plaintext. (Default: No) DESEnabled: Enable DES encryption algorithm. (Default: No) DES3Enabled: Enable 3DES encryption algorithm.
  • Page 139 3.32. IPsecAlgorithms. Comments: Text describing the current object. (Optional)
  • Page 140: Ldapdatabase

    3.33. LDAPDatabase. Description: External LDAP server used to verify user names and passwords. Properties: Name: Specifies a symbolic name for the server. (Identifier) The IP address of the server. Port: The TCP port of the server. (Default: 389) Timeout: The timeout, in milliseconds, used when processing requests.
  • Page 141: Ldapserver

    3.34. LDAPServer. Description: An LDAP server is used as a central repository of certificates and CRLs that the security gateway can download when necessary. Properties: Host: Specifies the IP address or hostname of the LDAP server.
  • Page 142: Linkmonitor

    3.35. LinkMonitor. Description: The Link Monitor allows the system to monitor one or more hosts and take action if they are unreachable. Properties: Action: Specifies what action the system should take. Addresses: Specifies the addresses that should be monitored. MaxLoss: A single host is considered unreachable if this number of consecutive ping responses to that host are not...
  • Page 143: Localuserdatabase

    3.36. LocalUserDatabase. Description: A local user database contains user accounts used for authentication purposes. Properties: Name: Specifies a symbolic name for the object. (Identifier) Comments: Text describing the current object. (Optional) 3.36.1. User. Description: User credentials may be used in User Authentication Rules, which in turn are used in e.g.
  • Page 144: Logreceiver

    3.37. LogReceiver. This is a category that groups the following object types. 3.37.1. EventReceiverSNMP2c. Description: An SNMP2c event receiver is used to receive SNMP events from the system. Properties: Name: Specifies a symbolic name for the log receiver. (Identifier) IPAddress: Destination IP address.
  • Page 145: Logreceivermemory

    3.37.2. LogReceiverMemory. Description: A memory log receiver is used to receive and keep log events in system RAM. Properties: Name: Specifies a symbolic name for the log receiver. (Identifier) LogSeverity: Specifies with what severity log events will be sent to the specified log receivers.
  • Page 146: Logreceiversyslog

    3.37.4. LogReceiverSyslog. HoldTime: The hold time in seconds during which the log threshold must be reached for an email to be sent. (Default: 120) MinRepeatDelay: The number of seconds the security gateway will wait before sending another email. (Default: 600) LogThreshold: The number of events that have to occur within the hold time for an email to be sent.
  • Page 147: Natpool

    3.38. NATPool. Description: A NAT Pool is used for NATing multiple concurrent connections using different source IP addresses. Properties: Name: Specifies a symbolic name for the NAT Pool. (Identifier) Type: Specifies how NAT'ed connections are assigned a NAT IP address.
  • Page 148: Pipe

    3.39. Pipe. Description: A pipe defines basic traffic shaping parameters. The pipe rules then determine which traffic goes through which pipes. Properties: Name: Specifies a symbolic name for the pipe. (Identifier) LimitKbpsTotal: Total bandwidth limit for this pipe in kilobits per second.
  • Page 149 3.39. Pipe. ... 7 (the highest precedence). (Optional) LimitPPS7: Specifies the packet per second limit for precedence 7 (the highest precedence). (Optional) UserLimitKbpsTotal: Total bandwidth limit per group in the pipe in kilobits per second. (Optional) UserLimitPPSTotal: Total throughput limit per group in the pipe in packets per second.
  • Page 150 3.39. Pipe. ... tion network, the size of the network has to be specified by this setting. (Default: 0) Dynamic: Enable dynamic balancing of groups. (Default: No) PrecedenceMin: Specifies the lowest allowed precedence for traffic in this pipe.
  • Page 151: Piperule

    3.40. PipeRule. Description: A Pipe Rule determines traffic shaping policy - which Pipes to use - for one or more types of traffic with the same granularity as the standard ruleset. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the object.
  • Page 152: Psk

    3.41. PSK. Description: PSK (Pre-Shared Key) authentication is based on a shared secret that is known only by the parties involved. Properties: Name: Specifies a symbolic name for the pre-shared key. (Identifier) Type: Specifies the type of the shared key. PSKAscii: Specifies the PSK as a passphrase.
  • Page 153: Radiusaccounting

    3.42. RadiusAccounting. Description: External RADIUS server used to collect user statistics. Properties: Name: Specifies a symbolic name for the server. (Identifier) IPAddress: The IP address of the server. Port: The UDP port of the server. (Default: 1813) RetryTimeout: The retry timeout, in seconds, used when trying to contact the RADIUS accounting server.
  • Page 154: Radiusserver

    3.43. RadiusServer. Description: External RADIUS server used to verify user names and passwords. Properties: Name: Specifies a symbolic name for the server. (Identifier) IPAddress: The IP address of the server. Port: The UDP port of the server. (Default: 1812) RetryTimeout: The retry timeout, in seconds, used when trying to contact the RADIUS accounting server.
  • Page 155: Remoteidlist

    3.44. RemoteIDList. Description: List of Remote IDs that are allowed access when using Pre Shared Keys as authentication method. Properties: Type: Specifies the type of the shared key. PSKAscii: Specifies the PSK as a passphrase. PSKHex: Specifies the PSK as a hexadecimal key.
  • Page 156: Remotemanagement

    3.45. RemoteManagement. This is a category that groups the following object types. 3.45.1. RemoteMgmtHTTP. Description: Configure HTTP/HTTPS management to enable remote management to the system. Properties: Name: Specifies a symbolic name for the object. (Identifier) Interface: Specifies the interface for which remote access is granted.
  • Page 157: Remotemgmtssh

    3.45.3. RemoteMgmtSSH. Description: Configure a Secure Shell (SSH) Server to enable remote management access to the system. Properties: Name: Specifies a symbolic name for the SSH server. (Identifier) Interface: Specifies the interface for which remote access is granted.
  • Page 158 3.45.3. RemoteMgmtSSH. LoginGraceTime: When the user has supplied the username, the password has to be provided within this number of seconds or the session will be closed. (Default: 30) AuthenticationRetries: The number of retries allowed before the session is closed.
  • Page 159: Routebalancinginstance

    3.46. RouteBalancingInstance. Description: A route balancing instance is associated with a routing table and defines how to make use of multiple routes to the same destination. Properties: RoutingTable: Specify the routing table to deploy route load balancing in.
  • Page 160: Routebalancingspilloversettings

    3.47. RouteBalancingSpilloverSettings. Description: Settings associated with the spillover algorithm. Properties: Interface: Interface to threshold limit. (Identifier) HoldTime: Number of consecutive seconds over/under the threshold limit to trigger state change for the affected routes. (Default: 30) OutboundThreshold: Outbound threshold limit.
  • Page 161: Routingrule

    3.48. RoutingRule. Description: A Routing Rule forces the use of a routing table in the forward and/or return direction of traffic on a connection. The ordering parameter of the routing table determines if it is consulted before or after the main routing table.
  • Page 162: Routingtable

    3.49. RoutingTable. Description: The system has a predefined main routing table. Alternate routing tables can be defined by the user. Properties: Name: Specifies a symbolic name for the routing table. (Identifier) Ordering: Specifies how a route lookup is done in a named routing table.
  • Page 163: Route

    3.49.2. Route. Comments: Text describing the current object. (Optional) Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list. 3.49.2.
  • Page 164 3.49.2. Route. ReachabilityCount: Minimum number of reachable hosts to consider the route to be active. Metric: Specifies the metric for this route. (Default: 0) ProxyARPAllInterfaces: Always select all interfaces, including new ones, for publishing routes via Proxy ARP. (Default: No) ProxyARPInterfaces: Specifies the interfaces on which the security gateway should publish routes via Proxy ARP.
  • Page 165: Switchroute

    3.49.3. SwitchRoute. Note: If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list. 3.49.3.
  • Page 166: Scheduleprofile

    3.50. ScheduleProfile. Description: A Schedule Profile defines days and dates and is then used by the various policies in the system. Properties: Name: Specifies a symbolic name for the service. (Identifier) Specifies during which intervals the schedule profile is active on Mondays.
  • Page 167: Service

    3.51. Service. This is a category that groups the following object types. 3.51.1. ServiceGroup. Description: A Service Group is a collection of service objects, which can then be used by different policies in the system. Properties: Name: Specifies a symbolic name for the service.
  • Page 168: Serviceicmpv6

    3.51.3. ServiceICMPv6. ParameterProblemCodes: Specifies which Parameter Problem message codes should be matched. (Default: 0-255) EchoReply: Enable matching of Echo Reply messages. (Default: EchoReplyCodes: Specifies which Echo Reply message codes should be matched. (Default: 0-255) SourceQuenching: Enable matching of Source Quenching messages. (Default: No) SourceQuenchingCodes: Specifies which Source Quenching message codes...
  • Page 169: Serviceipproto

    3.51.4. ServiceIPProto. ... be matched. (Default: 0-255) DestinationUnreachable: Enable matching of Destination Unreachable messages. (Default: No) DestinationUnreachableCodes: Specifies which Destination Unreachable message codes should be matched. (Default: 0-255) PacketTooBig: Enable matching of Packet Too Big messages. (Default: No) PacketTooBigCodes: Specifies which Packet Too Big message codes...
  • Page 170: Servicetcpudp

    3.51.5. ServiceTCPUDP. ... managing advanced protocols, can be specified for this service. (Optional) MaxSessions: Specifies how many concurrent sessions are permitted using this service. (Default: 200) Comments: Text describing the current object. (Optional) 3.51.5. ServiceTCPUDP. Description: A TCP/UDP Service is a definition of a TCP or UDP protocol with specific parameters.
  • Page 171: Settings

    3.52. Settings. This is a category that groups the following object types. 3.52.1. ARPNDSettings. Description: Advanced ARP/Neighbor Discovery-table settings. Properties: ARPMatchEnetSender: The Ethernet Sender address matching the hardware address in the ARP data. (Default: DropLog) ARPQueryNoSenderIP: If the IP source address of an ARP query (NOT response!) is "0.0.0.0".
  • Page 172: Authenticationsettings

    3.52.2. AuthenticationSettings. MaxAnycastDelayTime: Randomized time to delay proxied and anycast advertisements. (Default: 100) ProxyClearOverrideFlag: Clear the Override flag on proxy ND advertisements. (Default: Yes) NDMatchEnetSender: Ignore ND packets with mismatching sender and options MAC addresses. (Default: Yes) NDValSenderIP: Validate the IP source address of the ND packet.
  • Page 173: Conntimeoutsettings

    3.52.3. ConnTimeoutSettings. AllowAuthIfNoAccountingResponse: Allow an authenticated user to still have access even if no response is received from the Accounting Server. (Default: Yes) LogALGUser: Log authenticated user together with URL in ALG log messages. (Default: Yes) MaxRADIUSContexts: Maximum number of RADIUS communication contexts.
  • Page 174: Dhcpserversettings

    3.52.5. DHCPServerSettings. MaxTransactions: Maximum number of concurrent BOOTP/DHCP transactions. (Default: 32) TransactionTimeout: Timeout for each transaction (in seconds). (Default: MaxPPMPerIface: Maximum packets per minute that are relayed from clients to the server, per interface. (Default: 500) MaxHops: Requests/responses that have traversed more than this many relays will not be relayed.
  • Page 175

    3.52.6. FragSettings
    Properties:
      PseudoReass_MaxConcurrent: Maximum number of concurrent fragment reassemblies. Set to 0 to drop all fragments. (Default: 1024)
      IllegalFrags: Illegally constructed fragments; partial overlaps, bad sizes, etc. (Default: DropLog)
      DuplicateFragData: On receipt of duplicate fragments, verify matching data...
  • Page 176: HWMSettings

      ... (watching for old dups). (Default: 20)
      IP6ReassIllegalLinger: How long to remember an illegal reassembly (watching for more fragments). (Default: 60)
    Note: This object type does not have an identifier and is identified by the name of the type only.
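The FragSettings checks described on the preceding pages (PseudoReass_MaxConcurrent with 0 meaning "drop all fragments", IllegalFrags for partial overlaps and bad sizes, and DuplicateFragData for duplicate fragments whose data must match) expressed as a small pseudo-reassembler run over constructed fragment sequences. This is an added example and not NetDefendOS code: the Frag data model, the action strings, the "Check"/"Ignore" values used for DuplicateFragData, the datagram key tuple and the sample fragments are assumptions made for the illustration.

```python
"""Fragment reassembly sanity checks modelled on NetDefendOS FragSettings.

Added example, not NetDefendOS code. Models PseudoReass_MaxConcurrent
(0 = drop all fragments), IllegalFrags (partial overlaps, bad sizes) and
DuplicateFragData (duplicate fragments must carry identical data). The
Frag model, the action strings, the "Check"/"Ignore" values for
DuplicateFragData and the sample fragments are assumptions made here.
"""
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535


@dataclass(frozen=True)
class Frag:
    offset: int    # byte offset of this payload within the original datagram
    more: bool     # IP "More Fragments" flag
    data: bytes

    @property
    def end(self) -> int:
        return self.offset + len(self.data)


class PseudoReassembler:
    """Tracks fragments per datagram key without rebuilding the packet."""

    def __init__(self, max_concurrent=1024, illegal_frags="DropLog",
                 duplicate_frag_data="Check"):
        self.max_concurrent = max_concurrent            # PseudoReass_MaxConcurrent
        self.illegal_frags = illegal_frags              # IllegalFrags: DropLog, Drop or Ignore
        self.duplicate_frag_data = duplicate_frag_data  # DuplicateFragData: Check or Ignore (assumed names)
        self.table = {}                                 # key -> list of Frag seen so far
        self.log = []

    def _illegal(self, key, why):
        """Apply the IllegalFrags action; Ignore forwards the fragment untracked."""
        if self.illegal_frags == "Ignore":
            return "pass"
        if self.illegal_frags == "DropLog":
            self.log.append("IllegalFrags %s: %s" % (key, why))
        return "drop"

    def submit(self, key, frag):
        """Return "drop", "pass" (forward, wait for more) or "complete"."""
        if self.max_concurrent == 0:                    # manual: 0 drops all fragments
            return "drop"
        # IP fragment offsets are in 8-byte units, so every non-last fragment
        # must carry a multiple of 8 bytes.
        if frag.offset % 8 or (frag.more and len(frag.data) % 8):
            return self._illegal(key, "offset or length not a multiple of 8")
        if not frag.data or frag.end > IP_MAX_DATAGRAM:
            return self._illegal(key, "bad size")
        frags = self.table.get(key)
        if frags is None:
            if len(self.table) >= self.max_concurrent:
                self.log.append("PseudoReass_MaxConcurrent reached, dropping %s" % (key,))
                return "drop"
            frags = self.table[key] = []
        for seen in frags:
            if max(seen.offset, frag.offset) >= min(seen.end, frag.end):
                continue                                # disjoint ranges
            if seen.offset == frag.offset and seen.end == frag.end:
                # Exact duplicate: a retransmission is fine, differing data is not.
                if self.duplicate_frag_data == "Check" and seen.data != frag.data:
                    return self._illegal(key, "duplicate fragment with differing data")
                return "pass"
            return self._illegal(key, "partial overlap with fragment at %d" % seen.offset)
        frags.append(frag)
        if self._complete(frags):
            del self.table[key]                         # free the reassembly slot
            return "complete"
        return "pass"

    @staticmethod
    def _complete(frags):
        """True when fragments cover offset 0 up to a last fragment without gaps."""
        frags = sorted(frags, key=lambda f: f.offset)
        if frags[0].offset != 0 or frags[-1].more:
            return False
        return all(a.end == b.offset for a, b in zip(frags, frags[1:]))


def demo():
    """Constructed sequences: one well-formed datagram, one overlapping (teardrop-style) pair."""
    r = PseudoReassembler()
    good = ("10.0.0.1", "10.0.0.2", 17, 0x1234)        # (src, dst, proto, IP ID), constructed
    results = [r.submit(good, f) for f in (Frag(0, True, b"A" * 8),
                                           Frag(8, True, b"B" * 8),
                                           Frag(16, False, b"C" * 5))]
    bad = ("10.0.0.1", "10.0.0.2", 17, 0x1235)
    results.append(r.submit(bad, Frag(0, True, b"X" * 16)))
    results.append(r.submit(bad, Frag(8, False, b"Y" * 8)))   # re-covers bytes 8..16
    return results, r.log


if __name__ == "__main__":
    print(demo())
```

Any overlap that is not an exact duplicate is treated as illegal, which is the conservative reading of "partial overlaps" in the IllegalFrags description; with the default DropLog action the offending fragment is dropped and a log line records why.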
  • Page 177: IPsecTunnelSettings

      ICMPSendPerSecLimit: Maximum number of ICMP responses that will be sent each second. (Default: 500)
      SilentlyDropStateICMPErrors: Silently drop ICMP errors regarding statefully tracked open connections. (Default: Yes)
    Note: This object type does not have an identifier and is identified by the name of the type only.
  • Page 178: IPSettings

      ... aliveness sign before activating IKE DPD. (Default:
      IPsecHardwareAcceleration: IPsec hardware acceleration. (Default: Inline)
      IPsecDisablePKAccel: Disable hardware acceleration for public-key operations. (Default: No)
    Note: This object type does not have an identifier and is identified by the name of the type only.
  • Page 179

      ... DropLog)
      IP6ValidateSyntax: Validate IPv6 syntax violations. (Default: ValidateLogBad)
      IP6OPT_PADN: Validate when IPv6 PadN option data fields are non-zero. (Default: StripLog)
      IP6OPT_JUMBO: Validate jumbogram packets. (Default: ValidateLog)
      IP6OPT_RA: Validate Router Alert packets. (Default: Ignore)
      IP6OPT_HA: Validate Home Address option packets.
  • Page 180: L2TPServerSettings

      ... UDP total length field specifies -- Checkpoint SecuRemote violates the NAT-T drafts. (Default: No)
      IPOptionSizes: Validity of IP header option sizes. (Default: ValidateLogBad)
      IPOPT_SR: How to handle IP packets with contained source or return routes.
  • Page 181: LengthLimSettings

    3.52.12. LengthLimSettings
    Description: Length limitations for various protocols.
    Properties:
      MaxTCPLen: TCP; sometimes has to be increased if tunneling protocols are used. (Default: 1480)
      MaxUDPLen: UDP; many interactive applications use large UDP packets; may otherwise be decreased to 1480. (Default: 60000)
      MaxICMPLen: ICMP; ...
  • Page 182: LogSettings

    ... Parameters used for local fragment reassembly.
    Properties:
      LocalReass_MaxConcurrent: Maximum number of concurrent local reassemblies. (Default: 256)
      LocalReass_MaxSize: Maximum size of a locally reassembled packet. (Default: 10000)
      LocalReass_NumLarge: Number of large (>2K) local reassembly buffers (of the above size).
  • Page 183: MulticastSettings

    Note: This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
    3.52.16. MulticastSettings
    Description: Advanced Multicast Settings.
    Properties:
      AutoAddMulticastCoreRoute: Auto...
  • Page 184: RemoteMgmtSettings

    Note: This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
    3.52.17. RemoteMgmtSettings
    Description: Set up and configure methods and permissions for remote management of this system.
    Properties:
      NetconBiDirTimeout: Specifies the number of seconds to wait for the ad-
  • Page 185: RoutingSettings

    Note: This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
    3.52.18. RoutingSettings
    Description: Configure the routing capabilities of the system.
    Properties:
      RouteFailOver_IfacePollInterval: Time (ms) between polls for interface failure.
  • Page 186: SSLSettings

    Note: This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
    3.52.19. SSLSettings
    Description: Settings related to SSL (Secure Sockets Layer).
    Properties:
      SSL_ProcessingPriority: The amount of CPU time that SSL processing is...
  • Page 187: StateSettings

    Properties:
      SSLVPNBeforeRules: Pass SSL VPN connections sent to the security gateway directly to the SSL VPN engine without consulting the ruleset. (Default: Yes) While this is Yes, IP rules are not consulted for SSL VPN connections, so the ruleset cannot restrict which sources may reach the SSL VPN listener.
    Note: This object type does not have an identifier and is identified by the name of the type only.
  • Page 188

    3.52.22. TCPSettings
    Properties:
      TCPOptionSizes: Validity of TCP header option sizes. (Default: ValidateLogBad)
      TCPMSSMin: Minimum allowed TCP MSS (Maximum Segment Size). (Default: 100)
      TCPMSSOnLow: How to handle too low MSS values. (Default: DropLog)
      TCPMSSMax: Maximum allowed TCP MSS (Maximum Segment Size).
  • Page 189: VLANSettings

      ... valid (strip=strip RST). (Default: DropLog)
      TCPSynFin: The TCP FIN flag together with SYN; normally invalid (strip=strip FIN). (Default: DropLog)
      TCPFinUrg: The TCP URG flag together with FIN; normally invalid (strip=strip URG). (Default: DropLog)
      TCPUrg: The TCP URG flag; ...
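The TCPSettings policies from the two preceding pages (TCPOptionSizes, TCPMSSMin with TCPMSSOnLow, and the TCPSynRst / TCPSynFin / TCPFinUrg flag-combination checks with their "strip" variants) applied to raw TCP headers. This is an added example and not NetDefendOS code: the header parsing, the build_tcp() helper used to construct sample segments, the StripLog action name and the treatment of Ignore are assumptions; the setting names, the listed defaults and the DropLog/Strip semantics follow the manual text.

```python
"""TCP header sanity checks modelled on NetDefendOS TCPSettings.

Added example, not NetDefendOS code. Applies TCPOptionSizes,
TCPMSSMin/TCPMSSOnLow, TCPSynRst, TCPSynFin and TCPFinUrg to raw TCP
headers. Setting names and defaults follow the manual; the parser,
build_tcp() and the sample segments are assumptions made here.
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2

DEFAULTS = {                      # defaults as listed in the manual
    "TCPOptionSizes": "ValidateLogBad",
    "TCPMSSMin": 100,
    "TCPMSSOnLow": "DropLog",
    "TCPSynRst": "DropLog",
    "TCPSynFin": "DropLog",
    "TCPFinUrg": "DropLog",
}

# (setting, flag combination that triggers it, flag removed when the action is Strip)
FLAG_RULES = [
    ("TCPSynRst", SYN | RST, RST),
    ("TCPSynFin", SYN | FIN, FIN),
    ("TCPFinUrg", FIN | URG, URG),
]


def parse_tcp(hdr: bytes):
    """Return (flags, mss) from a raw TCP header; ValueError on malformed options."""
    if len(hdr) < 20:
        raise ValueError("header shorter than 20 bytes")
    off_flags = struct.unpack("!H", hdr[12:14])[0]
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x3F          # FIN..URG; ECE/CWR/NS ignored in this example
    if data_off < 20 or data_off > len(hdr):
        raise ValueError("data offset outside header")
    opts, i, mss = hdr[20:data_off], 0, None
    while i < len(opts):              # option length validation = TCPOptionSizes
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d without length" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        if kind == OPT_MSS and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return flags, mss


def inspect_tcp(hdr: bytes, settings=None):
    """Apply the settings to one header. Returns (verdict, flags_after, log)."""
    s = {**DEFAULTS, **(settings or {})}
    log = []
    try:
        flags, mss = parse_tcp(hdr)
    except ValueError as err:
        if s["TCPOptionSizes"] == "ValidateLogBad":
            log.append("TCPOptionSizes: %s" % err)
        return "drop", 0, log
    for name, combo, strip_bit in FLAG_RULES:
        if flags & combo != combo:
            continue
        action = s[name]
        if action in ("Drop", "DropLog"):
            if action == "DropLog":
                log.append("%s: illegal flag combination 0x%02x" % (name, flags))
            return "drop", flags, log
        if action in ("Strip", "StripLog"):   # "strip=strip RST/FIN/URG" per the manual
            flags &= ~strip_bit
            if action == "StripLog":
                log.append("%s: stripped flag" % name)
        # "Ignore": forward the segment unchanged
    if flags & SYN and mss is not None and mss < s["TCPMSSMin"]:
        action = s["TCPMSSOnLow"]
        if action in ("Drop", "DropLog"):
            if action == "DropLog":
                log.append("TCPMSSOnLow: MSS %d below TCPMSSMin %d" % (mss, s["TCPMSSMin"]))
            return "drop", flags, log
    return "allow", flags, log


def build_tcp(flags: int, mss=None, opts: bytes = b"", sport=40000, dport=443) -> bytes:
    """Construct a sample TCP header (example input only); explicit opts override mss."""
    if mss is not None and not opts:
        opts = struct.pack("!BBH", OPT_MSS, 4, mss)
    opts += b"\x00" * (-len(opts) % 4)          # pad options to a 32-bit boundary
    data_off = (20 + len(opts)) // 4
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                       (data_off << 12) | flags, 65535, 0, 0) + opts


if __name__ == "__main__":
    print(inspect_tcp(build_tcp(SYN | RST)))
    print(inspect_tcp(build_tcp(SYN | FIN), {"TCPSynFin": "Strip"}))
    print(inspect_tcp(build_tcp(SYN, mss=50)))
```

Flag checks run before the MSS check, so a stripped FIN no longer triggers TCPFinUrg; the MSS comparison is only applied to segments carrying SYN, where the option is meaningful.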
  • Page 190: SSHClientKey

    3.53. SSHClientKey
    Description: The public key of the client connecting to the SSH server.
    Properties:
      Name: Specifies a symbolic name for the key. (Identifier)
      Type: DSA or RSA. (Default: DSA) Prefer RSA in practice: the ssh-dss (DSA) key type is fixed at 1024 bits and has been disabled by default in OpenSSH since release 7.0.
      Subject: Value of the Subject header tag of the public key file.
  • Page 191: UpdateCenter

    3.54. UpdateCenter
    Description: Configure automatic updates.
    Properties:
      AVEnabled: Automatic updates of antivirus definitions and engine. (Default: No)
      IDPEnabled: Automatic updates of IDP maintenance signatures. (Default: No)
      AdvancedIDPEnabled: Automatic updates of Advanced IDP signatures. (Default: No)
      UpdateInterval: Specifies the interval at which the automatic update...
  • Page 192: UserAuthRule

    3.55. UserAuthRule
    Description: The User Authentication Ruleset specifies from where users are allowed to authenticate to the system, and how.
    Properties:
      Index: The index of the object, starting at 1. (Identifier)
      Name: Specifies a symbolic name for the rule. (Optional)
      Agent: HTTP, HTTPS, XAUTH, PPP or EAP.
  • Page 193

      ... way sends to the client. Only RSA certificates are supported.
      RootCertificate: Specifies the root certificate that was used to sign the host certificate. Only RSA certificates are supported. (Optional)
      PPPAuthNoAuth: Allow no authentication. (Default: No)
      PPPAuthPAP: Use PAP authentication protocol.
  • Page 194

      ... Yes)
      InterimValue: The interval in seconds at which interim accounting events should be sent. (Default: 600)
      LogEnabled: Enable logging. (Default: Yes)
      LogSeverity: Specifies with what severity log events will be sent to the specified log receivers. (Default: Default)
      Comments: Text describing the current object.
  • Page 196: Index

    Index
    Commands
      about, 30
      activate, 19
      add, 19
      alarm, 30
      arp, 30
      arpsnoop, 31
      ats, 32
      bigpond, 32
      blacklist, 33
      buffers, 34
      ...
      ippool, 46
      languagefiles, 46
      ldap, 47
      license, 47
      linkmon, 48
      logout, 48
      ls, 72
      memory, 48
      natpool, 49
      nd, 49
      ndsnoop, 50
      netobjects, 51
  • Page 197

      vlan, 69
    Object types
      Access, 77
      AddressFolder, 79
      AdvancedScheduleOccurrence, 83
      AdvancedScheduleProfile, 83
      ALG_FTP, 84
      ALG_H323, 85
      ALG_HTTP, 85
      ALG_HTTP_URL, 86
      ALG_POP3, 87
      ALG_PPTP, 88
      ALG_SIP, 88
      ...
      EthernetDevice, 110
      EventReceiverSNMP2c, 144
      FragSettings, 174
      GRETunnel, 124
      HighAvailability, 111
      HTTPALGBanners, 112
      HTTPAuthBanners, 113
      HTTPPoster, 114
      HWM, 115
      HWMSettings, 176
  • Page 198

      MarvellEthernetPCIDriver, 107
      MiscSettings, 182
      MonitoredHost, 164
      MulticastSettings, 183
      NATPool, 147
      NullEthernetDriver, 107
      PacketEthernetDriver, 107
      Pipe, 148
      PipeRule, 151
      PPPoETunnel, 130
      PSK, 152
      R8139EthernetPCIDriver, 108
      R8169EthernetPCIDriver, 108
      RadiusAccounting, 153
      RadiusServer, 154
      RemoteIDList, 155
      RemoteMgmtHTTP, 156
      RemoteMgmtSettings, 184
      RemoteMgmtSNMP, 156
      RemoteMgmtSSH, 157
      Route, 163
      ...
      VLAN, 132
      VLANSettings, 189

This manual is also suitable for: DFL-860E, DFL-1660, DFL-2560, DFL-2560G
