D-Link NetDefend DFL-210 Cli Reference Manual

Network security firewall

Network Security Firewall
CLI Reference Guide
DFL-210/ 800/1600/ 2500
DFL-260/ 860
Security
Security
Ver.
1.01
Network Security Solution
http://www.dlink.com

Summary of Contents for D-Link NetDefend DFL-210

  • Page 2 CLI Reference Guide DFL-210/260/800/860/1600/2500 NetDefendOS version 2.12 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2007-04-17 Copyright © 2007...
  • Page 3 OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT.
  • Page 4: Table Of Contents

    Table of Contents Preface ....................... ix 1. Introduction ...................... 1 1.1. Running a command ................1 1.2. Help ..................... 2 1.2.1. Help for commands ............... 2 1.2.2. Help for object types ..............2 1.3. Function keys ..................3 1.4. Command line history ................4 1.5.
  • Page 5 CLI Reference Guide 2.2.28. ipseckeepalive ................34 2.2.29. ipsecstats ..................35 2.2.30. killsa ..................35 2.2.31. license ..................36 2.2.32. linkmon ..................36 2.2.33. lockdown ..................37 2.2.34. logout ..................37 2.2.35. memory ..................38 2.2.36. ospf ..................38 2.2.37. pipes ..................40 2.2.38. reconfigure ................40 2.2.39. routemon ..................40 2.2.40. routes ..................41 2.2.41.
  • Page 6 CLI Reference Guide 3.13. DNS ....................75 3.14. Driver ....................76 3.14.1. IXP4NPEEthernetDriver .............76 3.14.2. MarvellEthernetPCIDriver ............76 3.14.3. R8139EthernetPCIDriver .............76 3.15. DynamicRoutingRule ................78 3.15.1. DynamicRoutingRuleExportOSPF ..........79 3.15.2. DynamicRoutingRuleAddRoute ............79 3.16. EthernetDevice ..................81 3.17. HighAvailability ...................82 3.18. HTTPPoster ..................83 3.19. IDList ....................84 3.19.1. ID ...................84 3.20.
  • Page 7 CLI Reference Guide 3.39.7. IPSecTunnelSettings ..............128 3.39.8. IPSettings ................129 3.39.9. L2TPServerSettings ..............130 3.39.10. LengthLimSettings ..............131 3.39.11. LocalMgmtSettings ..............131 3.39.12. LocalReassSettings ..............132 3.39.13. LogSettings ................132 3.39.14. RemoteMgmtSettings .............. 133 3.39.15. RoutingSettings ..............133 3.39.16. SSLSettings ................134 3.39.17.
  • Page 8 List of Examples 1. Command option notation .................. ix 1.1. Help for commands ..................2 1.2. Help for object types ..................2 1.3. Command line history ..................4 1.4. Tab completion ....................5 1.5. Inline help ..................... 5 1.6. Edit an existing property value ................6 1.7.
  • Page 9: Preface

    Administrators that are responsible for configuring and managing the D-Link Firewall. • Administrators that are responsible for troubleshooting the D-Link Firewall. This guide assumes that the reader is familiar with the D-Link Firewall, and has the necessary basic knowledge in network security. Notation...
  • Page 10 Notation Preface Because the table name option is followed by ellipses it is possible to specify more than one routing table. Since table name is optional as well, the user can specify zero or more policy-based routing tables. gw-world:/> routes Virroute Virroute2...
  • Page 11: Introduction

    Chapter 1. Introduction • Running a command, page 1 • Help, page 2 • Function keys, page 3 • Command line history, page 4 • Tab completion, page 5 • User roles, page 7 This guide is a reference for all commands and configuration object types that are available in the command line interface for NetDefendOS.
  • Page 12: Help

    1.2. Help Chapter 1. Introduction 1.2. Help 1.2.1. Help for commands There are two ways of getting help about a command. A brief help is displayed if the command name is typed followed by -? or -h. This applies to all commands and is therefore not listed in the option list for each command in this guide.
  • Page 13: Function Keys

    1.3. Function keys Chapter 1. Introduction 1.3. Function keys In addition to the return key there are a number of function keys that are used in the CLI. Backspace Delete the character to the left of the cursor. Tab Complete current word. Ctrl-A or Home Move the cursor to the beginning of the line.
  • Page 14: Command Line History

    1.4. Command line history Chapter 1. Introduction 1.4. Command line history Every time a command is run, the command line is added to a history list. The up and down arrow keys are used to access previous command lines (up arrow for older command lines and down arrow to move back to a newer command line).
  • Page 15: Tab Completion

    1.5. Tab completion Chapter 1. Introduction 1.5. Tab completion By using the tab function key in the CLI the names of commands, options, objects and object properties can be automatically completed. If the text entered before pressing tab only matches one possible item, e.g.
  • Page 16: Configuration Object Type Categories

    1.5.3. Configuration object type categories Chapter 1. Introduction useful when editing an existing list of items or a long text value. If no value has been set yet for the property in question the default value, if one exists, will be used. Some values, such as binary data, cannot be autocompleted in this way.
  • Page 17: User Roles

    1.6. User roles Chapter 1. Introduction 1.6. User roles Some commands and options cannot be used unless the logged in user has administrator privilege. This is indicated in this guide by a note following the command or "Admin only" written next to an option.
  • Page 18 1.6. User roles Chapter 1. Introduction...
  • Page 19: Command Reference

    Chapter 2. Command Reference • Configuration, page 9 • Runtime, page 20 • Utility, page 50 • Misc, page 51 2.1. Configuration 2.1.1. activate Activate changes. Description Activate the latest changes. This will issue a reconfiguration, using the new configuration. If the reconfiguration is successful a commit command must be issued within the configured timeout interval in order to save the changes to media.
  • Page 20: Cancel

    2.1.3. cancel Chapter 2. Command Reference Example 2.1. Create a new object Add objects with an identifier property (not index): gw-world:/> add Address IP4Address example_ip Address=1.2.3.4 Comments="This is an example" gw-world:/> add IP4Address example_ip2 Address=2.3.4.5 Add an object with an index: gw-world:/main>...
  • Page 21: Change Context

    2.1.5. cd Chapter 2. Command Reference 2.1.4. cc Change the current context. Description Change the current configuration context. A context is a group of objects that are dependent on and grouped by a parent object. Many objects lie in the "root" context and do not have a specific parent. Other objects, e.g. User objects lie in a sub-context (or child context) of the root - in this case in a LocalUserDatabase.
  • Page 22: Commit

    2.1.6. commit Chapter 2. Command Reference 2.1.5. cd Alias for cc. 2.1.6. commit Save new configuration to media. Description Save the new configuration to media. This command can only be issued after a successful activate command. Usage commit Note Requires Administrator privilege. 2.1.7.
  • Page 23: Delete

    2.1.9. enter Chapter 2. Command Reference 2.1.8. delete Delete specified objects. Description Delete the specified object, removing it from the configuration. Add the force flag to delete the object even if it is referenced by other objects or if it is a context that has child objects that aren't deleted.
  • Page 24: Reject

    2.1.11. reject Chapter 2. Command Reference Description Generate a pre-shared key of specified size, containing randomized key data. If a key with the specified name exists, the existing key is modified. Otherwise a new key object is created. Usage pskgen <Name>...
  • Page 25: Set

    2.1.12. set Chapter 2. Command Reference gw-world:/exampledb> set User user3 Comments="rejected" gw-world:/exampledb> cc .. gw-world:/> reject LocalUserDatabase exampledb -recursive Reject all changes: gw-world:/anycontext> reject -all All changes since the last commit will be rejected: (example_ip will be removed since it is newly added) gw-world:/>...
  • Page 26: Show

    2.1.13. show Chapter 2. Command Reference See also: add Example 2.5. Set property values Set properties for objects that have an identifier property: gw-world:/> set Address IP4Address example_ip Address=1.2.3.4 Comments="This is an example" gw-world:/> set IP4Address example_ip2 Address=2.3.4.5 Comments=comment_without_whitespace gw-world:/main> set Route 1 Comment="A route" gw-world:/>...
  • Page 27: Show Objects

    2.1.13. show Chapter 2. Command Reference the -errors or -changes flags to show what objects have been changed or have errors in the configuration. When showing a table of all objects of a certain type, the status of each object since the last time the configuration was committed is indicated by a flag.
  • Page 28: Undelete

    2.1.14. undelete Chapter 2. Command Reference Options -changes Show all changes in the current configuration. -disabled Show disabled properties. -errors Show all errors in the current configuration. -references Show all references to this object from other objects. -verbose Show error details. <Category>...
  • Page 29 2.1.14. undelete Chapter 2. Command Reference <Identifier> The property that identifies the configuration object. May not be applicable depending on the specified <Type>. <Type> Type of configuration object to perform operation on. Note Requires Administrator privilege.
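The activate/commit pair described under 2.1.1 and 2.1.6 (and the reject and undelete commands above) is a two-phase workflow: activate reconfigures the running system, and commit must follow within the configured timeout to save the change to media. The example below is an added illustration of that workflow, not NetDefendOS code: it models staged edits, show -changes style flags, reject, undelete, activate and commit, and lets a test drive the clock so the lockout case can be exercised. The 30-second timeout, the object names, and the assumption that an expired timeout restores the last committed configuration are this example's own.

```python
"""Model of the NetDefendOS activate/commit configuration workflow.

Added illustration, not NetDefendOS code.  Assumptions: the timeout value,
the object names used in the demo, and that an uncommitted activation is
rolled back to the last committed configuration once the timeout passes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

_DELETED = None  # marker in `pending` for an object scheduled for deletion


@dataclass
class ConfigSession:
    committed: dict = field(default_factory=dict)   # configuration saved to media
    running: dict = field(default_factory=dict)     # configuration the core enforces
    pending: dict = field(default_factory=dict)     # uncommitted edits: name -> props or _DELETED
    commit_timeout: float = 30.0                    # seconds; assumed value
    activated_at: Optional[float] = None

    # --- editing: add / set / delete / undelete / reject ----------------------
    def view(self) -> dict:
        """Configuration as `show` presents it: committed objects plus pending edits."""
        merged = dict(self.committed)
        for name, props in self.pending.items():
            if props is _DELETED:
                merged.pop(name, None)
            else:
                merged[name] = props
        return merged

    def add(self, name: str, **props) -> None:
        if name in self.view():
            raise ValueError(f"{name} already exists")
        self.pending[name] = dict(props)

    def set(self, name: str, **props) -> None:
        current = self.view()
        if name not in current:
            raise KeyError(name)
        self.pending[name] = {**current[name], **props}

    def delete(self, name: str) -> None:
        if name not in self.view():
            raise KeyError(name)
        if name in self.committed:
            self.pending[name] = _DELETED     # committed object: mark for deletion
        else:
            del self.pending[name]            # never committed: just drop the add

    def undelete(self, name: str) -> None:
        if name in self.pending and self.pending[name] is _DELETED:
            del self.pending[name]

    def reject(self, name: Optional[str] = None) -> None:
        """`reject <name>` drops one pending edit; `reject -all` drops all of them."""
        if name is None:
            self.pending.clear()
        else:
            self.pending.pop(name, None)

    def changes(self) -> list:
        """Flags in the spirit of `show -changes`: '+' new, '*' modified, '-' deleted."""
        out = []
        for name, props in sorted(self.pending.items()):
            if props is _DELETED:
                out.append(("-", name))
            elif name in self.committed:
                out.append(("*", name))
            else:
                out.append(("+", name))
        return out

    # --- two-phase apply: activate / commit -----------------------------------
    def activate(self, now: float) -> None:
        """Reconfigure the running system and start the commit timer."""
        self.running = self.view()
        self.activated_at = now

    def commit(self, now: float) -> bool:
        """Save to media; only valid after activate and only within the timeout."""
        if self.activated_at is None:
            raise RuntimeError("commit requires a successful activate first")
        if now - self.activated_at > self.commit_timeout:
            self.expire(now)                  # too late: the change is rolled back
            return False
        self.committed = dict(self.running)
        self.pending.clear()
        self.activated_at = None
        return True

    def expire(self, now: float) -> bool:
        """Clock hook: roll back an activation that was never committed in time."""
        if self.activated_at is not None and now - self.activated_at > self.commit_timeout:
            self.running = dict(self.committed)   # pending edits stay staged for repair
            self.activated_at = None
            return True
        return False


def lockout_demo() -> dict:
    """An admin activates a bad edit, loses access, and never commits."""
    s = ConfigSession(commit_timeout=30)
    s.add("example_ip", Address="1.2.3.4")
    s.activate(now=0)
    s.commit(now=5)
    s.set("example_ip", Address="2.3.4.5")   # the edit that locks the admin out
    s.activate(now=100)
    s.expire(now=131)                        # no commit arrived within 30 s
    return {"running": s.running["example_ip"]["Address"],
            "committed": s.committed["example_ip"]["Address"]}


if __name__ == "__main__":
    print(lockout_demo())
```

The point of the timer is that a change which cuts off management access cannot persist: if the commit never arrives, the running configuration returns to what was last saved, and the staged edit remains for correction and re-activation.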
  • Page 30: Runtime

    2.2. Runtime Chapter 2. Command Reference 2.2. Runtime 2.2.1. about Show copyright/build information. Description Show copyright and build information. Usage about [-verbose] Options -verbose Verbose. 2.2.2. arp Show ARP entries for given interface. Description List the ARP cache entries of specified interfaces. If no interface is given the ARP cache entries of all interfaces will be presented.
  • Page 31: Arpsnoop

    2.2.3. arpsnoop Chapter 2. Command Reference arp -notify=<ip> [<Interface>] [-hwsender=<Ethernet address>] Send gratuitous ARP for IP. Options -flush Flush ARP cache of all specified interfaces. -hashinfo Show information on hash table health. -hw=<pattern> Show only hardware addresses matching pattern. -hwsender=<Ethernet address> Sender ethernet address.
  • Page 32: Ats

    2.2.4. ats Chapter 2. Command Reference -all Snoop all interfaces. -disable Disable all snooping. -verbose Verbose. <interface> Interface name. 2.2.4. ats Show active ARP Transaction States. Description Show active ARP Transaction States. Usage ats [-num=<n>] Options -num=<n> Limit list to <n> entries. (Default: 20) 2.2.5.
  • Page 33: Block Hosts

    2.2.6. blacklist Chapter 2. Command Reference Description Block and unblock hosts on the black and white list. Note: Static blacklist hosts cannot be unblocked. If -force is not specified, only the exact host with the service, protocol/port and destination specified is unblocked.
  • Page 34: Buffers

    2.2.7. buffers Chapter 2. Command Reference -prot={TCP | UDP | ICMP | Protocol to block/unblock. OTHER | TCPUDP | ALL} -serv=<service> Service to block/unblock. -show Show information about the blacklisted hosts. -time=<seconds> The time that the host will remain blocked. -unblock Unblock specified netobject.
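The blacklist command above takes a host plus -serv, -prot and -time, and without -force an unblock only matches the exact host/service/protocol entry. The following is an added example, not D-Link code, of turning repeated authentication failures into blacklist commands while honouring a whitelist (the role the BlacklistWhiteHost objects play on the device). The log lines are constructed for the example and are not NetDefendOS output; the option names come from this reference, but placing the host as the first positional argument is an assumption, so check the exact form with blacklist -? on the device before pasting the generated commands.

```python
"""Generate NetDefendOS `blacklist` commands from authentication-failure logs.

Added example, not D-Link code.  The log lines are constructed for this
illustration.  The option names -serv, -prot, -time, -unblock and -force
come from the command reference; putting the host first as a positional
argument is an assumption to verify with `blacklist -?` on the device.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log (not real device output).
SAMPLE_LOG = """\
2007-04-17T10:00:01 auth_failed user=admin src=203.0.113.9 proto=TCP service=ssh
2007-04-17T10:00:04 auth_failed user=root src=203.0.113.9 proto=TCP service=ssh
2007-04-17T10:00:07 auth_failed user=admin src=203.0.113.9 proto=TCP service=ssh
2007-04-17T10:00:09 auth_failed user=admin src=10.0.0.5 proto=TCP service=ssh
2007-04-17T10:00:12 auth_failed user=admin src=10.0.0.5 proto=TCP service=ssh
2007-04-17T10:00:15 auth_failed user=admin src=10.0.0.5 proto=TCP service=ssh
2007-04-17T10:00:18 auth_failed user=admin src=198.51.100.7 proto=TCP service=ssh
2007-04-17T10:00:20 auth_ok     user=admin src=198.51.100.7 proto=TCP service=ssh
"""

# Networks that must never be blocked (assumed admin net for the example).
WHITELIST = [ipaddress.ip_network("10.0.0.0/8")]

# Protocol values accepted by -prot, as listed in the reference.
VALID_PROT = {"TCP", "UDP", "ICMP", "OTHER", "TCPUDP", "ALL"}

_FAIL = re.compile(
    r"\bauth_failed\b.*?\bsrc=(?P<src>\S+).*?\bproto=(?P<prot>\S+).*?\bservice=(?P<svc>\S+)"
)


def offenders(log: str, threshold: int) -> dict:
    """Count failed logins per (source, protocol, service); keep those at or above threshold."""
    counts = Counter()
    for line in log.splitlines():
        m = _FAIL.search(line)
        if m:
            counts[(m["src"], m["prot"], m["svc"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def is_whitelisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def block_command(src: str, svc: str, prot: str, seconds: int) -> str:
    """Build one temporary block; -time keeps it from becoming a permanent entry."""
    if prot not in VALID_PROT:
        raise ValueError(f"unsupported -prot value {prot!r}")
    if seconds <= 0:
        raise ValueError("block time must be positive")
    return f"blacklist {src} -serv={svc} -prot={prot} -time={seconds}"


def unblock_command(src: str, svc: str, prot: str, force: bool = False) -> str:
    """Without -force only the exact host/service/protocol entry is released."""
    cmd = f"blacklist {src} -serv={svc} -prot={prot} -unblock"
    return cmd + " -force" if force else cmd


def blacklist_commands(log: str, threshold: int = 3, seconds: int = 3600) -> list:
    """Commands for every offender that is not covered by the whitelist."""
    cmds = []
    for (src, prot, svc), _n in sorted(offenders(log, threshold).items()):
        if is_whitelisted(src):
            continue            # never lock out the admin nets
        cmds.append(block_command(src, svc, prot, seconds))
    return cmds


if __name__ == "__main__":
    for cmd in blacklist_commands(SAMPLE_LOG):
        print(cmd)
```

Whitelisting is applied before any command is generated rather than relying on the device to refuse the block, and -time is always set so that an automated response never creates an entry that has to be cleaned up by hand.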
  • Page 35: Certcache

    2.2.9. certcache Chapter 2. Command Reference Usage cam [-num=<n>] [<Interface>] [-flush] Options -flush Flush CAM table. If interface is specified, only entries using this interface are flushed. (Admin only) -num=<n> Limit list to <n> entries per CAM table. (Default: 20) <Interface>...
  • Page 36: Cpuid

    2.2.12. cpuid Chapter 2. Command Reference List current state-tracked connections. Usage connections -show [-num=<n>] [-verbose] [-srciface=<interface>] [-destiface=<interface>] [-protocol=<name/num>] [-srcport=<port>] [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>] List connections. connections Same as "connections -show". connections -hashinfo Show information on hash table health. connections -close [-all] [-srciface=<interface>] [-destiface=<interface>] [-protocol=<name/num>] [-srcport=<port>] [-destport=<port>] [-srcip=<ip addr>] [-destip=<ip addr>]...
  • Page 37: Crashdump

    2.2.13. crashdump Chapter 2. Command Reference Display info about the cpu. Description Display the make and model of the machine's CPU. Usage cpuid 2.2.13. crashdump Show the contents of the crash.dmp file. Description Show the contents of the crash.dmp file, if it exists. Usage crashdump 2.2.14.
  • Page 38: Dhcprelay

    2.2.16. dhcprelay Chapter 2. Command Reference Description Display information about a DHCP-enabled interface. Usage dhcp <interface> [-lease={RENEW | RELEASE}] Options -lease={RENEW | RELEASE} Modify interface's lease. <interface> DHCP Interface. 2.2.16. dhcprelay Show DHCP/BOOTP relayer ruleset. Description Display the content of the DHCP/BOOTP relayer ruleset and the current routed DHCP relays. Display filter filters relays based on interface/ip (example: if1 192.168.*) Usage dhcprelay -show [-rules] [-routes] [<display filter>]...
  • Page 39: Dhcpserver

    2.2.18. dns Chapter 2. Command Reference 2.2.17. dhcpserver Show content of the DHCP server ruleset. Description Show the content of the DHCP server ruleset and various information about active/inactive leases. Display filter filters leases based on interface/mac/ip (example: if1 192.168.*) Usage dhcpserver -show [-rules] [-leases] [-mappings] [<display filter>]...
  • Page 40: Dynroute

    2.2.19. dynroute Chapter 2. Command Reference Usage dns [-query=<domain name>] [-list] [-remove] Options -list List pending DNS queries. -query=<domain name> Resolve domain name. -remove Remove all pending DNS queries. 2.2.19. dynroute Show dynamic routing policy. Description Show the dynamic routing policy filter ruleset and current exports. In the "Flags"...
  • Page 41: Frags

    2.2.21. ha Chapter 2. Command Reference More detailed information can optionally be obtained for specific reassemblies: Newest reassembly All reassemblies 0..1023 Assembly 'N' Example 2.9. frags frags NEW frags 254 Usage frags [{NEW | ALL | <reassembly id>}] [-free] [-done] [-num=<n>] Options -done List done (lingering) reassemblies.
  • Page 42: Httpposter

    2.2.23. hwaccel Chapter 2. Command Reference 2.2.22. httpposter Display HTTPPoster_URLx status. Description Display configuration and status of configured HTTPPoster_URLx targets. Usage httpposter [-repost] [-display] Options -display Display status. -repost Re-post all URLs now. (Admin only) 2.2.23. hwaccel List configured Hardware Accelerators. Description Display information about configured Hardware Accelerators.
  • Page 43: Ikesnoop

    2.2.25. ikesnoop Chapter 2. Command Reference -allindepth Show in-depth information about all interfaces. -filter=<expr> Filter list of interfaces. -num=<n> Limit list to <n> lines. (Default: 20) -pbr=<table name> Only list members of given PBR table(s). -restart Stop and restart the interface. (Admin only) <Interface>...
  • Page 44: Ipsecglobalstats

    2.2.27. ipsecglobalstats Chapter 2. Command Reference Usage ippool -release [<ip address>] [-all] Forcibly free IP assigned to subsystem. ippool -show [-verbose] Show IP pool information. Options -all Free all IP addresses. -release Forcibly free IP assigned to subsystem. (Admin only) -show Show IP pool information.
  • Page 45: Ipsecstats

    2.2.29. ipsecstats Chapter 2. Command Reference Usage ipseckeepalive [-num=<n>] Options -num=<n> Maximum number of entries to display (default: 48). 2.2.29. ipsecstats Show the SAs in use. Description List the currently active IKE and IPsec SAs, optionally only showing SAs matching the pattern given for the argument "tunnel".
  • Page 46: License

    2.2.31. license Chapter 2. Command Reference Usage killsa <ip address> Delete SAs belonging to provided remote SG/peer. killsa -all Delete all SAs. Options -all Kill all SAs. <ip address> IP address of remote SG/peer. Note Requires Administrator privilege. 2.2.31. license Show contents of the license file.
  • Page 47: Lockdown

    2.2.33. lockdown Chapter 2. Command Reference Options -off Temporarily disable linkmon. (Admin only) Reenable linkmon. (Admin only) 2.2.33. lockdown Enable / disable lockdown. Description During local lockdown, only traffic from admin nets to the security gateway itself is allowed. Everything else is dropped. Lockdown will not affect traffic that does not actually pass through the ruleset, e.g.
  • Page 48: Memory

    2.2.35. memory Chapter 2. Command Reference logout 2.2.35. memory Show memory information. Description Show core memory consumption. Also show detailed memory use of some components and lists. Usage memory 2.2.36. ospf Show runtime OSPF information. Description Show runtime information about the OSPF router process(es). Note: -process is only required if there are >1 OSPF router processes.
  • Page 49 2.2.37. pipes Chapter 2. Command Reference ospf -lsa <lsaID> [-process=<OSPF router process>] Show details for a specified LSA. ospf -snoop={ON | OFF} [-process=<OSPF router process>] Show troubleshooting messages on the console. ospf -ifacedown <interface> [-process=<OSPF router process>] Take specified interface offline. ospf -ifaceup <interface>...
  • Page 50: Pipes

    2.2.38. reconfigure Chapter 2. Command Reference 2.2.37. pipes Show pipes information. Description Show list of configured pipes / pipe details / pipe users. Note: The "pipes" command is not executed right away; it is queued until the end of the second, when pipe values are calculated.
  • Page 51: Routes

    2.2.40. routes Chapter 2. Command Reference routemon 2.2.40. routes Display routing lists. Description Display information about the routing table(s): Contents of a (named) routing table. The list of routing tables, along with a total count of route entries in each table, as well as how many of the entries are single-host routes.
  • Page 52: Show A Range Of Rules

    2.2.41. rules Chapter 2. Command Reference -switched Only show switched routes and L3C entries. -tables Display list of named (PBR) routing tables. -verbose Verbose. <table name> Name of routing table. 2.2.41. rules Show rules lists. Description Show the contents of the various rulesets, i.e. main ruleset, pipe ruleset, etc. Example 2.10.
  • Page 53: Shutdown

    2.2.43. shutdown Chapter 2. Command Reference Session uses a timeout in its subsystem Session does not use timeout Usage sessionmanager Show Session Manager status. sessionmanager -status Show Session Manager status. sessionmanager -list [-num=<n>] List active sessions. sessionmanager -info <session name> <database> Show in-depth information about session.
  • Page 54: Sshserver

    2.2.44. sshserver Chapter 2. Command Reference Description Initiate shutdown of the core. The core will normally be restarted by an external script/application. Usage shutdown [<seconds>] Options <seconds> Seconds until shutdown. (Default: 5) Note Requires Administrator privilege. 2.2.44. sshserver SSH Server. Description Show SSH Server status, or start/stop/restart SSH Server.
  • Page 55: Stats

    2.2.45. stats Chapter 2. Command Reference -b=<bits> Bitsize. (Default: 1024) -keygen Generate SSH Server private keys. This operation may take a long time to finish, up to several minutes! -restart Stop and start the SSH Server. -start Start the SSH Server. -status Show server status and list all connected clients.
  • Page 56: Updatecenter

    2.2.47. updatecenter Chapter 2. Command Reference Set system local time: <YYYY-MM-DD> <HH:MM:SS>. time -sync [-force] Synchronize time with timeserver(s) (specified in settings). Options -force Force synchronization regardless of the MaxAdjust setting. -set Set system local time: <YYYY-MM-DD> <HH:MM:SS>. -sync Synchronize time with timeserver(s) (specified in settings). <date>...
  • Page 57: Userauth

    2.2.49. userauth Chapter 2. Command Reference List contents of the URL cache. Used for testing during development of HTTPALG. Usage urlcache [-verbose] [-count] [-num=<n>] [-server[={STATUS | CONNECT | DISCONNECT}]] Options -count Only display cache count. -num=<n> Limit list to <n> entries. (Default: 20) -server[={STATUS | CONNECT | Web Content Filtering Server options.
  • Page 58: Vlan

    2.2.50. vlan Chapter 2. Command Reference -num=<n> Limit list of authenticated users. (Default: 20) -privilege List all known privileges (usernames and groups). -remove Forcibly log out an authenticated user. (Admin only) -user Show all information for user(s) with this IP address. <Interface>...
  • Page 59 2.2.52. zonedefense Chapter 2. Command Reference Options -blockenet=<ethernet address> Block the specified ethernet address. -blockip=<ip address> Block the specified IP address/net. -eraseenet=<ethernet address> Unblock the specified ethernet address. -eraseip=<ip address> Unblock the specified IP address/net. -save Save the current zonedefense state on all switches. -show Show the current block database.
  • Page 60: Utility

    2.3. Utility Chapter 2. Command Reference 2.3. Utility 2.3.1. ping Ping host. Description Sends one or more ICMP ECHO datagrams to the specified IP address of a host. All datagrams are sent preloaded-style (all at once). The data size -length given is the ICMP data size. 1472 bytes of ICMP data results in a 1500-byte IP datagram (1514 bytes ethernet).
  • Page 61: Misc

    2.4. Misc Chapter 2. Command Reference 2.4. Misc 2.4.1. help Show help for selected topic. Description The help system contains information about commands and configuration object types. The fastest way to get help is to simply type help followed by the topic that you want help with. A topic can be for example a command name (e.g.
  • Page 62 2.4.2. history Chapter 2. Command Reference...
  • Page 63: Configuration Reference

    Chapter 3. Configuration Reference • Access, page 54 • Address, page 56 • AdvancedScheduleProfile, page 59 • ALG, page 60 • ARP, page 64 • BlacklistWhiteHost, page 65 • Certificate, page 66 • Client, page 67 • DateTime, page 70 •...
  • Page 64: Access

    3.1. Access Chapter 3. Configuration Reference • PSK, page 113 • RadiusServer, page 114 • RemoteManagement, page 115 • RoutingRule, page 118 • RoutingTable, page 119 • ScheduleProfile, page 121 • Service, page 122 • Settings, page 125 • SSHClientKey, page 138 •...
  • Page 65 3.1. Access Chapter 3. Configuration Reference Note If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 66: Address

    3.2. Address Chapter 3. Configuration Reference 3.2. Address This is a category that groups the following object types. 3.2.1. AddressFolder Description An address folder can be used to group related address objects for better overview. Properties Name Specifies a symbolic name for the network object. (Identifier) Comments Text describing the current object.
  • Page 67 3.2.1. AddressFolder Chapter 3. Configuration Reference Members Group members. UserAuthGroups Groups and user names that belong to this object. Objects that fil- ter on credentials can only be used as source networks and destin- ations networks in rules. (Optional) NoDefinedCredentials If this property is enabled the object requires user authentication, but has no credentials (user names or groups) defined.
  • Page 68: Ethernetaddress

    3.2.2. EthernetAddress Chapter 3. Configuration Reference but has no credentials (user names or groups) defined. This means that the object only requires that a user is authenticated, but ignores any kind of group membership. (Default: No) Comments Text describing the current object. (Optional) 3.2.1.5.
  • Page 69: Advancedscheduleprofile

    3.3. AdvancedScheduleProfile Chapter 3. Configuration Reference 3.3. AdvancedScheduleProfile Description An advanced schedule profile contains definitions of occurrences used by various policies in the system. Properties Name Specifies a symbolic name for the service. (Identifier) Comments Text describing the current object. (Optional) 3.3.1.
  • Page 70: Alg_Ftp

    3.4. ALG Chapter 3. Configuration Reference 3.4. ALG This is a category that groups the following object types. 3.4.1. ALG_FTP Description Use an FTP Application Layer Gateway to manage FTP traffic through the system. Properties Name Specifies a symbolic name for the ALG. (Identifier) AllowServerPassive Allow server to use passive mode (unsafe for server).
  • Page 71: Alg_H323

    3.4.3. ALG_HTTP Chapter 3. Configuration Reference 3.4.2. ALG_H323 Description Use an H.323 Application Layer Gateway to manage H.323 multimedia traffic. Properties Name Specifies a symbolic name for the ALG. (Identifier) AllowTCPDataChannels Allow TCP data channels (T.120). (Default: Yes) MaxTCPDataChannels Maximum number of TCP data channels per call. (Default: TranslateAddresses Automatic or Specific.
  • Page 72: Alg_Smtp

    3.4.4. ALG_SMTP Chapter 3. Configuration Reference (Default: No) Antivirus Disabled, Audit or Protect. (Default: Disabled) ScanExclude List of files to exclude from antivirus scanning. (Optional) CompressionRatio A compression ratio higher than this value will trigger the action in Compression Ratio Action, a value of zero will disable all compression checks.
  • Page 73 3.4.4. ALG_SMTP Chapter 3. Configuration Reference VerifySenderEmail Enable to verify sender E-mail address. (Default: No) MaxEmailPerMinute Specifies the maximum amount of E-mails per minute. (Optional) FileListType Specifies if the file list contains files to allow or deny. (Default: Block) FailModeBehavior Standard behaviour on error: Allow or Deny.
  • Page 74 3.5. ARP Chapter 3. Configuration Reference 3.5. ARP Description Use an ARP entry to publish additional IP addresses and/or MAC addresses on a specified interface. Properties Index The index of the object, starting at 1. (Identifier) Mode Static, Publish or XPublish. (Default: Publish) Interface Indicates the interface to which the ARP entry applies;...
  • Page 75: Blacklistwhitehost

    3.6. BlacklistWhiteHost Chapter 3. Configuration Reference 3.6. BlacklistWhiteHost Description Manually configured whitelist hosts prevent a host/network from being blocked, either by default or based on a schedule. Properties Index The index of the object, starting at 1. (Identifier) Addresses Specifies the addresses that will be whitelisted.
  • Page 76: Certificate

    3.7. Certificate Chapter 3. Configuration Reference 3.7. Certificate Description An X.509 certificate is used to authenticate a VPN client or gateway when establishing an IPsec tunnel. Properties Name Specifies a symbolic name for the certificate. (Identifier) Type Local, Remote or Request. CertificateData Certificate data.
  • Page 77: Client

    This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.8.2. DynDnsClientDLink Description Configure the parameters used to connect to the D-Link DynDNS service. Properties DNSName The DNS name excluding the .dlinkddns.com suffix.
  • Page 78: Dyndnsclientdynscx

    3.8.4. DynDnsClientDynsCx Chapter 3. Configuration Reference Properties DNSName The DNS name excluding the .dyndns.org suffix. Username Username. Password The password for the specified username. (Optional) Comments Text describing the current object. (Optional) Note This object type does not have an identifier and is identified by the name of the type only.
  • Page 79: Loginclientbigpond

    3.8.6. LoginClientBigPond Chapter 3. Configuration Reference Comments Text describing the current object. (Optional) Note If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list. 3.8.6.
  • Page 80: Datetime

    3.9. DateTime Chapter 3. Configuration Reference 3.9. DateTime Description Set the date, time and time zone information for this system. Properties TimeZone Specifies the time zone. (Default: GMT) DSTEnabled Enable daylight saving time. (Default: Yes) DSTOffset Daylight saving time offset in minutes. (Default: 60) DSTStartMonth What month daylight saving time starts.
  • Page 81: Device

    3.10. Device Chapter 3. Configuration Reference 3.10. Device Description Global parameters of this device. Properties Name Name of the device. (Default: Device) ConfigVersion Version number of the configuration. (Default: 1) Comments Text describing the current object. (Optional) Note This object type does not have an identifier and is identified by the name of the type only.
  • Page 82: Dhcprelay

    3.11. DHCPRelay Chapter 3. Configuration Reference 3.11. DHCPRelay Description Use a DHCP Relay to dynamically alter the routing table according to relayed DHCP leases. Properties Name Specifies a symbolic name for the relay rule. (Identifier) Action Ignore, Relay or BootpFwd. (Default: Ignore) SourceInterface The source interface of the DHCP packet.
  • Page 83: Dhcpserver

    3.12. DHCPServer Chapter 3. Configuration Reference 3.12. DHCPServer Description A DHCP Server determines a set of IP addresses and host configuration parameters to hand out to DHCP clients attached to a given interface. Properties Name Specifies a symbolic name for the DHCP Server rule. (Identifier) Interface The source interface to listen for DHCP requests on.
  • Page 84: Dhcpservercustomoption

    3.12.2. DHCPServerCustomOption Chapter 3. Configuration Reference Index The index of the object, starting at 1. (Identifier) Host IP Address of the host. MACAddress The hardware address of the host. Comments Text describing the current object. (Optional) Note If no Index is specified when creating an instance of this type, the object will be placed last in the list and the Index will be equal to the length of the list.
  • Page 85 3.13. DNS Chapter 3. Configuration Reference 3.13. DNS Description Configure the DNS (Domain Name System) client settings. Properties DNSServer1 IP of the primary DNS Server. (Optional) DNSServer2 IP of the secondary DNS Server. (Optional) DNSServer3 IP of the tertiary DNS Server. (Optional) Comments Text describing the current object.
  • Page 86: Driver

    3.14. Driver Chapter 3. Configuration Reference 3.14. Driver This is a category that groups the following object types. 3.14.1. IXP4NPEEthernetDriver Description Intel (IXP4xxNPE) Fast Ethernet Adaptor. Properties Comments Text describing the current object. (Optional) Note This object type does not have an identifier and is identified by the name of the type only.
  • Page 87 3.14.3. R8139EthernetPCIDriver Chapter 3. Configuration Reference Note This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type.
  • Page 88: Dynamicroutingrule

    3.15. DynamicRoutingRule Chapter 3. Configuration Reference 3.15. DynamicRoutingRule Description A Dynamic Routing Policy rule creates a filter to catch statically configured or OSPF learned routes. The matched routes can be controlled by the action rules to be either exported to OSPF processes or to be added to one or more routing tables.
  • Page 89: DynamicRoutingRuleExportOSPF

    3.15.1. DynamicRoutingRuleExportOSPF. Description: An OSPF action is used to manipulate and export new or changed routes to an OSPF Router Process. Properties: Index: The index of the object, starting at 1. (Identifier) ExportToProcess: Specifies to which OSPF Process the route change should be exported.
  • Page 90 3.15.2. DynamicRoutingRuleAddRoute: LimitMetricRange: Limits the metrics for these routes to a minimum and maximum value; if a route has a higher or lower value than specified, it will be set to the specified value. (Optional) ProxyARPAllInterfaces: Always select all interfaces, including new ones, for publishing routes via Proxy ARP.
  • Page 91: EthernetDevice

    3.16. EthernetDevice. Description: Hardware settings for an Ethernet interface. Properties: Name: Specifies a symbolic name for the device. (Identifier) EthernetDriver: The Ethernet PCI driver that should be used by the interface. PCIBus: PCI bus number where the Ethernet adapter is installed. PCISlot: PCI slot number used by the Ethernet adapter.
  • Page 92: HighAvailability

    3.17. HighAvailability. Description: Configure the High Availability cluster parameters for this system. Properties: Enabled: Enable high availability. (Default: No) ClusterID: A (locally) unique cluster ID to use in identifying this group of HA security gateways.
  • Page 93: HTTPPoster

    3.18. HTTPPoster. Description: Use the HTTP poster for dynamic DNS or automatic logon to services using web-based authentication. Properties: URL1: The first URL that will be posted when the security gateway is loaded. (Optional) URL2: The second URL that will be posted when the security gateway is loaded.
  • Page 94: IDList

    3.19. IDList. Description: An ID list contains IDs, which are used within the authentication process when establishing an IPsec tunnel. Properties: Name: Specifies a symbolic name for the ID list. (Identifier) Comments: Text describing the current object. (Optional) 3.19.1.
  • Page 95: IDPRule

    3.20. IDPRule. Description: An IDP Rule defines a filter for matching specific network traffic. When the filter criteria are met, the IDP Rule Actions are evaluated and possible actions taken. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the rule.
  • Page 96 3.20.1. IDPRuleAction: IDPSeverity: Signature severity group. (Default: Attack) Signatures: Specifies what signature(s) to search for in the network traffic. (Optional) ZoneDefense: Activate ZoneDefense. (Default: No) BlackList: Activate BlackList. (Default: No) BlackListTimeToBlock: The number of seconds that the dynamic black list should remain.
  • Page 97: IKEAlgorithms

    3.21. IKEAlgorithms. Description: Configure algorithms which are used in the IKE phase of an IPsec session. Properties: Name: Specifies a symbolic name for the object. (Identifier) NULLEnabled: Enable plaintext. (Default: No) DESEnabled: Enable DES encryption algorithm. (Default: No) DES3Enabled: Enable 3DES encryption algorithm.
  • Page 98: Interface

    3.22. Interface. This is a category that groups the following object types. 3.22.1. DefaultInterface. Description: A special interface used to represent internal mechanisms in the system as well as an abstract "any" interface. Properties: Name: Specifies a symbolic name for the interface.
  • Page 99: InterfaceGroup

    3.22.3. InterfaceGroup: AutoInterfaceNetworkRoute: Automatically add a route for this interface using the given network. (Default: Yes) AutoDefaultGatewayRoute: Automatically add a default route for this interface using the given default gateway. (Default: Yes) DHCPDNS1: IP of the primary DNS server. (Optional) DHCPDNS2: IP of the secondary DNS server.
  • Page 100 3.22.4. IPSecTunnel: nel will be established between the local network and this network. RemoteEndpoint: Specifies the IP address of the remote endpoint. This is the address the security gateway will establish the IPsec tunnel to. It also dictates from where inbound IPsec tunnels are allowed.
  • Page 101: L2TPClient

    3.22.5. L2TPClient: OriginatorIP: Manually specified originator IP address to use as source IP in e.g. NAT. IKEMode: Specifies which IKE mode to use: main or aggressive. (Default: Main) DHGroup: Specifies the Diffie-Hellman group to use when doing key exchanges in IKE.
  • Page 102 3.22.5. L2TPClient: Network: The network from which traffic should be routed into the tunnel. RemoteEndpoint: The IP address of the L2TP/PPTP server. TunnelProtocol: Specifies if PPTP or L2TP should be used for this tunnel. (Default: PPTP) OriginatorIPType: Specifies what IP address to use as source IP in e.g.
  • Page 103: L2TPServer

    3.22.6. L2TPServer: Comments: Text describing the current object. (Optional) 3.22.6. L2TPServer. Description: A PPTP/L2TP server interface terminates PPP (Point to Point Protocol) tunnels set up over existing IP networks. Properties: Name: Specifies a symbolic name for the interface. (Identifier) The IP address of the PPTP/L2TP server interface.
  • Page 104: PPPoETunnel

    3.22.7. PPPoETunnel: ProxyARPAllInterfaces: Always select all interfaces, including new ones, for publishing routes via Proxy ARP. (Default: No) ProxyARPInterfaces: Specifies the interfaces on which the security gateway should publish routes via Proxy ARP. (Optional) Comments: Text describing the current object. (Optional) 3.22.7.
  • Page 105: VLAN

    3.22.8. VLAN: IdleTimeout: Idle timeout in seconds for dial-on-demand. (Default: 3600) Metric: Specifies the metric for the auto-created route. (Default: 90) AutoInterfaceNetworkRoute: Automatically add a route for this interface using the given remote network. (Default: Yes) Schedule: The schedule defines when the PPPoE tunnel should be active.
  • Page 106 3.22.8. VLAN: Comments: Text describing the current object. (Optional)
  • Page 107: IPRule

    3.23. IPRule. Description: An IP rule specifies what action to perform on network traffic that matches the specified filter criteria. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the rule. (Optional) Action: Reject, Drop, FwdFast, Allow, NAT, SAT or SLB_SAT.
  • Page 108 3.23. IPRule: SLBMonitorTCP: Enable monitoring using TCP packets. (Default: No) SLBPingUseSharedIP: Use the shared IP of a HA cluster instead of the private IP of the node. (Default: Yes) SLBTCPUseSharedIP: Use the shared IP of a HA cluster instead of the private IP of the node.
  • Page 109: IPRuleFolder

    3.24. IPRuleFolder. Description: An IP Rule folder can be used to group IP Rules into logical groups for better overview and simplified management. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies the name of the folder.
  • Page 110: IPSecAlgorithms

    3.25. IPSecAlgorithms. Description: Configure algorithms which are used in the IPsec phase of an IPsec session. Properties: Name: Specifies a symbolic name for the object. (Identifier) NULLEnabled: Enable plaintext. (Default: No) DESEnabled: Enable DES encryption algorithm. (Default: No) DES3Enabled: Enable 3DES encryption algorithm.
  • Page 111: LDAPServer

    3.26. LDAPServer. Description: An LDAP server is used as a central repository of certificates and CRLs that the security gateway can download when necessary. Properties: Index: The index of the object, starting at 1. (Identifier) Host: Specifies the IP address or hostname of the LDAP server.
  • Page 112: LocalUserDatabase

    3.27. LocalUserDatabase. Description: A local user database contains user accounts used for authentication purposes. Properties: Name: Specifies a symbolic name for the object. (Identifier) Comments: Text describing the current object. (Optional) 3.27.1. User. Description: User credentials may be used in User Authentication Rules, which in turn are used in e.g.
  • Page 113: LogReceiver

    XMailer: Specifies the X-mailer information to write in the E-mail header. (Optional) Subject: The subject of the E-mail. (Default: "Log event from D-Link DFL Firewall") HoldTime: The hold time in seconds during which the log threshold must be reached for an E-mail to be sent.
  • Page 114: LogReceiverSyslog

    3.28.3. LogReceiverSyslog: other E-mail. (Default: 600) LogThreshold: The number of events that have to occur within the hold time for an E-mail to be sent. (Default: 2) Comments: Text describing the current object. (Optional) 3.28.3. LogReceiverSyslog. Description: A Syslog receiver is used to receive log events from the system in the standard Syslog format.
  • Page 115: OSPFProcess

    3.29. OSPFProcess. Description: An OSPF Router Process defines a group of routers exchanging routing information via the Open Shortest Path First routing protocol. Properties: Name: Specifies a symbolic name for the OSPF process. (Identifier) RouterID: Specifies the IP address that is used to identify the router.
  • Page 116: OSPFArea

    3.29.1. OSPFArea: cifies the details of the log. (Default: Off) DebugRoute: Enables or disables logging of routing table manipulation events and also specifies the details of the log. (Default: Off) AuthType: Specifies the authentication type for the OSPF protocol exchanges. (Default: Null) AuthPassphrase: Specifies the passphrase used for authentication.
  • Page 117 3.29.1. OSPFArea: Properties: Interface: Specifies which interface in the security gateway will be used for this OSPF interface. (Identifier) Type: Auto, Broadcast, Point-to-point or Point-to-multipoint. (Default: Auto) MetricType: Metric value or Bandwidth. (Default: MetricValue) Metric: Specifies the routing metric for this OSPF interface.
  • Page 118 3.29.1. OSPFArea: For point-to-point and point-to-multipoint networks, specify the IP addresses of directly connected routers. Properties: Interface: Specifies the OSPF interface of the neighbor. (Identifier) IPAddress: IP address of the neighbor. Metric: Specifies the metric of the neighbor. (Optional) Comments: Text describing the current object.
  • Page 119: Pipe

    3.30. Pipe. Description: A pipe defines basic traffic shaping parameters. The pipe rules then determine which traffic goes through which pipes. Properties: Name: Specifies a symbolic name for the pipe. (Identifier) LimitKbpsTotal: Total bandwidth limit for this pipe in kilobits per second. (Optional) LimitPPSTotal: Total packet per second limit for this pipe.
  • Page 120 3.30. Pipe: UserLimitPPS0: Specifies the throughput limit per group in PPS for precedence 0 (the lowest precedence). (Optional) UserLimitKbps1: Specifies the bandwidth limit per group in kbps for precedence 1. (Optional) UserLimitPPS1: Specifies the throughput limit per group in PPS for precedence 1. (Optional) UserLimitKbps2: Specifies the bandwidth limit per group in kbps for precedence 2.
  • Page 121 3.30. Pipe: (Default: 7) Comments: Text describing the current object. (Optional)
  • Page 122: PipeRule

    3.31. PipeRule. Description: A Pipe Rule determines traffic shaping policy (which Pipes to use) for one or more types of traffic with the same granularity as the standard ruleset. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the object.
  • Page 123 3.32. PSK. Description: PSK (Pre-Shared Key) authentication is based on a shared secret that is known only by the parties involved. Properties: Name: Specifies a symbolic name for the pre-shared key. (Identifier) Type: Specifies the type of the shared key. PSKAscii: Specifies the PSK as a passphrase.
  • Page 124: RadiusServer

    3.33. RadiusServer. Description: External RADIUS server used to verify user names and passwords. Properties: Name: Specifies a symbolic name for the server. (Identifier) IPAddress: The IP address of the server. Port: The UDP port of the server. (Default: 1812) RetryTimeout: The retry timeout, in seconds, used when trying to contact the RADIUS accounting server.
  • Page 125: RemoteManagement

    3.34. RemoteManagement. This is a category that groups the following object types. 3.34.1. RemoteMgmtHTTP. Description: HTTP/HTTPS management. Properties: Name: Specifies a symbolic name for the object. (Identifier) AccessLevel: The access level to grant the user that logs in. (Default: Admin) LocalUserDatabase: Specifies the local user database to use for login.
  • Page 126 3.34.3. RemoteMgmtSSH: Secure Shell (SSH) Server. Properties: Name: Specifies a symbolic name for the SSH server. (Identifier) Port: The listening port for the SSH server. (Default: 22) AllowAuthMethodPassword: Allow password client authentication. (Default: Yes) AllowAuthMethodPublicKey: Allow public key client authentication. (Default: Yes) AllowHostKeyDSA: Allow DSA public key algorithm.
  • Page 127 3.34.3. RemoteMgmtSSH: Network: Specifies the network for which remote access is granted. Comments: Text describing the current object. (Optional)
  • Page 128: RoutingRule

    3.35. RoutingRule. Description: A Routing Rule forces the use of a routing table in the forward and/or return direction of traffic on a connection. The ordering parameter of the routing table determines if it is consulted before or after the main routing table.
  • Page 129: RoutingTable

    3.36. RoutingTable. Description: The system has a predefined main routing table. Alternate routing tables can be defined by the user. Properties: Name: Specifies a symbolic name for the routing table. (Identifier) Ordering: Specifies how a route lookup is done in a named routing table.
  • Page 130: SwitchRoute

    3.36.2. SwitchRoute: MonitorGatewayARPInterval: Specifies the ARP lookup interval in milliseconds. (Default: 1000) Network: Specifies the network address for this route. Metric: Specifies the metric for this route. (Default: 0) ProxyARPAllInterfaces: Always select all interfaces, including new ones, for publishing routes via Proxy ARP.
  • Page 131: ScheduleProfile

    3.37. ScheduleProfile. Description: A Schedule Profile defines days and dates and is then used by the various policies in the system. Properties: Name: Specifies a symbolic name for the service. (Identifier) Specifies during which intervals the schedule profile is active on Mondays. (Optional) Specifies during which intervals the schedule profile is active on Tuesdays.
  • Page 132: Service

    3.38. Service. This is a category that groups the following object types. 3.38.1. ServiceGroup. Description: A Service Group is a collection of service objects, which can then be used by different policies in the system. Properties: Name: Specifies a symbolic name for the service.
  • Page 133: ServiceIPProto

    3.38.3. ServiceIPProto: EchoReplyCodes: Specifies which Echo Reply message codes should be matched. (Default: 0-255) SourceQuenching: Enable matching of Source Quenching messages. (Default: SourceQuenchingCodes: Specifies which Source Quenching message codes should be matched. (Default: 0-255) TimeExceeded: Enable matching of Time Exceeded messages. (Default: No) TimeExceededCodes: Specifies which Time Exceeded message codes should be matched.
  • Page 134 3.38.4. ServiceTCPUDP: Properties: Name: Specifies a symbolic name for the service. (Identifier) DestinationPorts: Specifies the destination port or the port ranges applicable to this service. Type: Specifies whether this service uses the TCP or UDP protocol or both. (Default: TCP) SourcePorts: Specifies the source port or the port ranges applicable to this service.
  • Page 135: Settings

    3.39. Settings. This is a category that groups the following object types. 3.39.1. ARPTableSettings. Description: Advanced ARP-table settings. Properties: ARPMatchEnetSender: The Ethernet Sender address matching the hardware address in the ARP data. (Default: DropLog) ARPQueryNoSenderIP: If the IP source address of an ARP query (NOT response!) is "0.0.0.0".
  • Page 136: DHCPRelaySettings

    3.39.3. DHCPRelaySettings: Description: Timeout settings for various protocols. Properties: ConnLife_TCP_SYN: Connection idle lifetime for TCP connections being formed. (Default: ConnLife_TCP: Connection idle lifetime for TCP. (Default: 262144) ConnLife_TCP_FIN: Connection idle lifetime for TCP connections being closed. (Default: ConnLife_UDP: Connection idle lifetime for UDP.
  • Page 137: DHCPServerSettings

    3.39.4. DHCPServerSettings: Note: This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.39.4. DHCPServerSettings. Description: Advanced DHCP server settings. Properties: AutoSaveLeasePolicy: Policy for saving the lease database to disk.
  • Page 138: ICMPSettings

    3.39.6. ICMPSettings: ReassTimeout: Timeout of a reassembly, since previous received fragment. (Default: 65) ReassTimeLimit: Maximum lifetime of a reassembly, since first received fragment. (Default: 90) ReassDoneLinger: How long to remember a completed reassembly (watching for old dups).
  • Page 139: IPSettings

    3.39.8. IPSettings: IKECRLValidityTime: Maximum number of seconds a CRL is considered valid (0=obey the 'next update' field in the CRL). (Default: 86400) IKEMaxCAPath: Maximum number of CA certificates in a certificate path. (Default: 15) IPsecCertCacheMaxCerts: Maximum number of entries in the certificate cache. (Default: 1024) IPsecBeforeRules: Pass IKE &...
  • Page 140: L2TPServerSettings

    3.39.9. L2TPServerSettings: TTLOnLow: What action to take on too low TTL values. (Default: DropLog) DefaultTTL: The default IP Time-To-Live of packets originated by the security gateway (32-255). (Default: 255) LayerSizeConsistency: TCP/UDP/ICMP/etc layer data and header sizes matching lower layer size information.
  • Page 141: LengthLimSettings

    3.39.10. LengthLimSettings: Note: This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.39.10. LengthLimSettings. Description: Length limitations for various protocols. Properties: MaxTCPLen: TCP;...
  • Page 142: LocalReassSettings

    3.39.12. LocalReassSettings: Properties: IdleTimeout: Number of seconds of inactivity until the local console user is automatically logged out. (Default: 900) Note: This object type does not have an identifier and is identified by the name of the type only.
  • Page 143: RemoteMgmtSettings

    3.39.14. RemoteMgmtSettings. Description: Set up and configure methods and permissions for remote management of this system. Properties: NetconBiDirTimeout: Specifies the number of seconds to wait for the administrator to log in before reverting to the previous configuration. (Default: 30) WebUIBeforeRules: Enable HTTP(S) traffic to the security gateway regardless of configured IP Rules.
  • Page 144: SSLSettings

    3.39.16. SSLSettings: RouteFailOver_IfacePollInterval: Time (ms) between polling of interface failure. (Default: 500) RouteFailOver_ARPPollInterval: Time (ms) between ARP-lookup of gateways. May be overridden for each route. (Default: 1000) RouteFailOver_PingPollInterval: Time (ms) between PING'ing of gateways. (Default: 1000) RouteFailOver_GraceTime: Time (s) between startup/reconfigure and monitoring start.
  • Page 145: StateSettings

    3.39.17. StateSettings: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA1: Enable cipher TLS_RSA_EXPORT1024_WITH_RC4_56_SHA1. (Default: Yes) TLS_RSA_EXPORT512_WITH_RC4_40_MD5: Enable cipher TLS_RSA_EXPORT1024_WITH_RC4_40_MD5. (Default: TLS_RSA_EXPORT512_WITH_RC2_40_MD5: Enable cipher TLS_RSA_EXPORT1024_WITH_RC2_40_MD5. (Default: TLS_RSA_EXPORT_WITH_NULL_SHA1: Enable cipher TLS_RSA_EXPORT_WITH_NULL_SHA1 (no encryption, just message validation). (Default: No) TLS_RSA_EXPORT_WITH_NULL_MD5: Enable cipher TLS_RSA_EXPORT_WITH_NULL_MD5 (no encryption, just message validation).
  • Page 146: TCPSettings

    3.39.18. TCPSettings: Note: This object type does not have an identifier and is identified by the name of the type only. There can only be one instance of this type. 3.39.18. TCPSettings. Description: Settings related to the TCP protocol. Properties: TCPOptionSizes: Validity of TCP header option sizes.
  • Page 147: VLANSettings

    3.39.19. VLANSettings: TCPSynUrg: The TCP URG flag together with SYN; normally invalid (strip=strip URG). (Default: DropLog) TCPSynPsh: The TCP PSH flag together with SYN; normally invalid but always used by some IP stacks (strip=strip PSH). (Default: StripSilent) TCPSynRst: The TCP RST flag together with SYN;...
  • Page 148: SSHClientKey

    3.40. SSHClientKey. Description: The public key of the client connecting to the SSH server. Properties: Name: Specifies a symbolic name for the key. (Identifier) Type: DSA or RSA. (Default: DSA) Subject: Value of the Subject header tag of the public key file. (Optional) PublicKey: Specifies the public key.
  • Page 149: ThresholdRule

    3.41. ThresholdRule. Description: A Threshold Rule defines a filter for matching specific network traffic. When the filter criteria are met, the Threshold Rule Actions are evaluated and possible actions taken. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the rule.
  • Page 150 3.41.1. ThresholdAction: Threshold: Specifies the threshold. ThresholdUnit: Specifies the threshold unit. (Default: ConnsSec) ZoneDefense: Activate ZoneDefense. (Default: No) BlackList: Activate BlackList. (Default: No) BlackListTimeToBlock: The number of seconds that the dynamic black list should remain. (Optional) BlackListBlockOnlyService: Only block the service that triggered the blacklisting.
  • Page 151: UpdateCenter

    3.42. UpdateCenter. Description: Configure automatic updates. Properties: AVEnabled: Automatic updates of antivirus definitions and engine. (Default: No) IDPEnabled: Automatic updates of IDP maintenance signatures. (Default: No) AdvancedIDPEnabled: Automatic updates of Advanced IDP signatures. (Default: No) UpdateInterval: Specifies the interval at which the automatic update runs.
  • Page 152: UserAuthRule

    3.43. UserAuthRule. Description: The User Authentication Ruleset specifies from where users are allowed to authenticate to the system, and how. Properties: Index: The index of the object, starting at 1. (Identifier) Name: Specifies a symbolic name for the rule. (Optional) Agent: HTTP, HTTPS, XAUTH, PPP or EAP.
  • Page 153 3.43. UserAuthRule: SessionTimeout: If a user has successfully been authenticated, he/she will automatically be logged out after this many seconds, regardless of whether there has been activity from the user or not. (Optional) UseServerTimeouts: Use timeouts received from the authentication server. If no values are received, the manually specified values will be used.
  • Page 154: ZoneDefenseBlock

    3.44. ZoneDefenseBlock. Description: Manually configured blocks are used to block a host/network on the switches either by default or based on schedule. Properties: Index: The index of the object, starting at 1. (Identifier) Addresses: Specifies the addresses to block.
  • Page 155: ZoneDefenseExcludeList

    3.45. ZoneDefenseExcludeList. Description: The exclude list is used to exclude certain hosts/networks from being blocked out by IDP/Threshold rule violations. Properties: Addresses: Specifies the addresses that should not be blocked. (Optional) Comments: Text describing the current object. (Optional) Note: This object type does not have an identifier and is identified by the name of the type only.
  • Page 156: ZoneDefenseSwitch

    3.46. ZoneDefenseSwitch. Description: A ZoneDefense switch will have its ACLs controlled, and hosts/networks violating the IDP/Threshold rules will be blocked directly on the switch. Properties: Name: Specifies a symbolic name for the ZoneDefense switch. (Identifier) SwitchModel: Specifies the switch model type.
  • Page 157 3.46. ZoneDefenseSwitch...
  • Page 158: Index

    ifstat, 32 ikesnoop, 33 ippool, 33 ipsecglobalstats, 34 ipseckeepalive, 34 Commands ipsecstats, 35 killsa, 35 about, 20 activate, 9 add, 9 arp, 20 license, 36 arpsnoop, 21 linkmon, 36 ats, 22 lockdown, 37 logout, 37 bigpond, 22 blacklist, 22 memory, 38 buffers, 24 ospf, 38...
  • Page 159 zonedefense, 48 Object types ICMPSettings, 128 ID, 84 IDList, 84 IDPRule, 85 IDPRuleAction, 85 Access, 54 IKEAlgorithms, 87 AddressFolder, 56 InterfaceGroup, 89 AdvancedScheduleOccurrence, 59 IP4Address, 57, 58 AdvancedScheduleProfile, 59 IP4Group, 57, 58 ALG_FTP, 60 IP4HAAddress, 58, 58 ALG_H323, 61 IPRule, 97, 99 ALG_HTTP, 61 IPRuleFolder, 99...
  • Page 160 RemoteMgmtSNMP, 115 RemoteMgmtSSH, 115 Route, 119 RoutingRule, 118 RoutingSettings, 133 RoutingTable, 119 ScheduleProfile, 121 ServiceGroup, 122 ServiceICMP, 122 ServiceIPProto, 123 ServiceTCPUDP, 123 SSHClientKey, 138 SSLSettings, 134 StateSettings, 135 SwitchRoute, 120 TCPSettings, 136 ThresholdAction, 139 ThresholdRule, 139 UpdateCenter, 141 User, 102 UserAuthRule, 142 VLAN, 95 VLANSettings, 137...