D-Link DFL- 2500, Cli Reference Manual

Page 1: ...Network Security Solution http www dlink com Security Security DFL 210 800 1600 2500 DFL 260 860 1660 2560 G Ver 2 27 01 Network Security Firewall CLI Reference Guide ...

Page 2: ...uide DFL 210 260 800 860 1600 1660 2500 2560 2560G NetDefendOS version 2 27 01 D Link Corporation No 289 Sinhu 3rd Rd Neihu District Taipei City 114 Taiwan R O C http www DLink com Published 2010 06 22 Copyright 2010 ...

Page 3: ...ss for a particular purpose D Link reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes Limitations of Liability UNDER NO CIRCUMSTANCES SHALL D LINK OR ITS SUPPLIERS BE LIABLE FOR DAM AGES OF ANY CHARACTER E G DAMAGES FOR LOSS OF PROFIT SOFTWARE RES TORATION WORK ...

Page 4: ...c 22 2 1 5 commit 23 2 1 6 delete 23 2 1 7 pskgen 24 2 1 8 reject 24 2 1 9 reset 26 2 1 10 set 26 2 1 11 show 27 2 1 12 undelete 29 2 2 Runtime 31 2 2 1 about 31 2 2 2 alarm 31 2 2 3 arp 31 2 2 4 arpsnoop 32 2 2 5 ats 33 2 2 6 blacklist 33 2 2 7 buffers 34 2 2 8 cam 35 2 2 9 certcache 36 2 2 10 cfglog 36 2 2 11 connections 36 2 2 12 cpuid 37 2 2 13 crashdump 38 2 2 14 cryptostat 38 2 2 15 dconsole...

Page 5: ...s 63 2 2 57 rtmonitor 64 2 2 58 rules 64 2 2 59 selftest 65 2 2 60 services 67 2 2 61 sessionmanager 68 2 2 62 settings 69 2 2 63 shutdown 70 2 2 64 sipalg 70 2 2 65 sshserver 72 2 2 66 stats 73 2 2 67 sysmsgs 73 2 2 68 techsupport 73 2 2 69 time 74 2 2 70 uarules 74 2 2 71 updatecenter 75 2 2 72 userauth 76 2 2 73 vlan 77 2 2 74 vpnstats 77 2 3 Utility 78 2 3 1 ping 78 2 4 Misc 79 2 4 1 echo 79 2...

Page 6: ...3 17 2 BroadcomEthernetPCIDriver 113 3 17 3 E1000EthernetPCIDriver 113 3 17 4 E100EthernetPCIDriver 114 3 17 5 IXP4NPEEthernetDriver 114 3 17 6 MarvellEthernetPCIDriver 115 3 17 7 R8139EthernetPCIDriver 115 3 17 8 R8169EthernetPCIDriver 115 3 17 9 ST201EthernetPCIDriver 116 3 17 10 TulipEthernetPCIDriver 116 3 17 11 X3C905EthernetPCIDriver 116 3 18 DynamicRoutingRule 118 3 18 1 DynamicRoutingRuleE...

Page 7: ...nagement 173 3 48 1 RemoteMgmtHTTP 173 3 48 2 RemoteMgmtNetcon 173 3 48 3 RemoteMgmtSNMP 174 3 48 4 RemoteMgmtSSH 174 3 49 RouteBalancingInstance 176 3 50 RouteBalancingSpilloverSettings 177 3 51 RoutingRule 178 3 52 RoutingTable 179 3 52 1 Route 179 3 52 2 SwitchRoute 181 3 53 ScheduleProfile 182 3 54 Service 183 3 54 1 ServiceGroup 183 3 54 2 ServiceICMP 183 3 54 3 ServiceIPProto 184 3 54 4 Serv...

Page 8: ...gs 198 3 55 19 RoutingSettings 199 3 55 20 SSLSettings 200 3 55 21 StateSettings 201 3 55 22 TCPSettings 202 3 55 23 VLANSettings 203 3 56 SSHClientKey 204 3 57 ThresholdRule 205 3 57 1 ThresholdAction 205 3 58 UpdateCenter 207 3 59 UserAuthRule 208 Index 211 CLI Reference Guide 8 ...

Page 9: ...frags 43 2 10 List network objects which have names containing net 56 2 11 Show all monitored objects in the alg http category 64 2 12 Show a range of rules 65 2 13 Interface ping test between all interfaces 66 2 14 Interface ping test between interfaces if1 and if2 66 2 15 Start a 30 min burn in duration test testing RAM storage media and crypto the acceler ator 66 2 16 List all services which na...

Page 10: ... for the option Example 1 Command option notation One of the usages for the help command looks like this help category COMMANDS TYPES Topic This means that help has an option called category which has two possible values which are COMMANDS and TYPES There is also an optional option called Topic which in this case is a search string used to specify what help topic to display Since the topic is opti...

Page 11: ...is followed by ellipses it is possible to specify more than one routing table Since table name is optional as well the user can specify zero or more policy based routing tables gw world routes Virroute Virroute2 Notation Preface 11 ...

Page 12: ...reference for all commands and configuration object types that are available in the command line interface for NetDefendOS 1 1 Running a command The commands described in this guide can be run by typing the command name and then pressing the return key Many commands require options to be set to run If a required option is missing a brief syntax help will be displayed 12 ...

Page 13: ... gw world activate h Full help for activate gw world help activate Help for the arp command Arp is also the name of a configuration object type so it is necessary to specify that the help text for the command should be displayed gw world help category COMMANDS arp List all available commands gw world help 1 2 2 Help for object types To get help about configuration object types use the help command...

Page 14: ... of informa tion is shown Ctrl D or Delete Delete the character to the right of the cursor Ctrl E or End Move the cursor to the end of the line Ctrl F or Right Arrow Move the cursor one character to the right Ctrl K Delete from the cursor to the end of the line Ctrl N or Down Arrow Show the next entry in the command history Ctrl P or Up Arrow Show the previous entry in the command history Ctrl T T...

Page 15: ...nd lines up arrow for older command lines and down arrow to move back to a newer command line See also Section 2 4 3 history Example 1 3 Command line history Using the command line history via the arrow keys gw world show Address gw world up arrow gw world show Address the previous commandline is displayed 1 4 Command line history Chapter 1 Introduction 15 ...

Page 16: ..._ip a tab gw world add Address IP4Address example_ip Address Address was autocompleted gw world add Address IP4Address example_ip Address 1 2 3 4 Tab completion of references gw world set Address IP4Group examplegroup Members tab tab A list of valid objects is displayed gw world set Address IP4Group examplegroup Members e tab gw world set Address IP4Group examplegroup Members example_ip example_ip...

Page 17: ...o add or remove a member to the list without having to enter all the other members again Edit the default value gw world add LogReceiverSyslog example Address example_ip LogSeverity tab gw world add LogReceiverSyslog example Address example_ip LogSeverity Emergency Alert Critical Error Warning Notice Info Now it is easy to remove a log severity 1 5 3 Configuration object type categories Some objec...

Page 18: ...ds and options cannot be used unless the logged in user has administrator priviege This is indicated in this guide by a note following the command or Admin only written next to an option 1 6 User roles Chapter 1 Introduction 18 ...

Page 19: ...1 6 User roles Chapter 1 Introduction 19 ...

Page 20: ...r privilege 2 1 2 add Create a new object Description Create a new object and add it to the configuration Specify the type of object you want to create and the identifier if the type has one unless the object is identified by an index Set the properties of the object by writing the propertyname equals and then the value An optional category can be specified for some object types when using tab com...

Page 21: ...ce silent key value pair Options force Add object even if it has errors silent Do not show any errors Category Category that groups object types Identifier The property that identifies the configuration object May not be applic able depending on the specified Type key value pair One or more property value pairs i e property name value or property name value Type Type of configuration object to per...

Page 22: ...orrect context e g a LocalUserDatabase called exampledb Only objects in the current context can be accessed Example 2 2 Change context Change to a sub child context gw world cc LocalUserDatabase exampledb gw world exampledb Go back to the parent context gw world ospf1 area1 cc gw world ospf1 cc gw world Go back to the root context gw world ospf1 area1 cc gw world or gw world ospf1 area1 cc gw worl...

Page 23: ...iguration Add the force flag to delete the object even if it is referenced by other objects or if it is a context that has child objects that aren t deleted This may cause objects referring to the specified object or one of its children to get errors that must be corrected before the configuration can be activated See also undelete Example 2 3 Delete an object Delete an unreferenced object gw worl...

Page 24: ...shared key of specified size containing randomized key data If a key with the spe cified name exists the existing key is modified Otherwise a new key object is created Usage pskgen Name comments String size 64 128 256 512 1024 2048 4096 Options comments String Comments for this key size 64 128 256 512 1024 2048 4096 Number of bits of data in the generated key Default 64 Name Name of key Note Requi...

Page 25: ...ser user1 Comments Something gw world exampledb set User user2 Comments that will be gw world exampledb set User user3 Comments rejected gw world exampledb cc gw world reject LocalUserDatabase exampledb recursive Reject all changes gw world anycontext reject all All changes since the last commit will be rejected example_ip will be removed since it is newly added gw world add IP4Address example_ip ...

Page 26: ...or privilege 2 1 10 set Set property values Description Set property values of configuration objects Specify the type of object you want to modify and the identifier if the type has one Set the proper ties of the object by writing the propertyname equals and then the value An optional category can be specified for some object types when using tab completion If a mandatory property hasn t been spec...

Page 27: ...s already en abled Category Category that groups object types Identifier The property that identifies the configuration object May not be applic able depending on the specified Type key value pair One or more property value pairs i e property name value or property name value Type Type of configuration object to perform operation on Note Requires Administrator privilege 2 1 11 show Show objects De...

Page 28: ... Address IP4Address example_ip gw world main show Route 1 gw world show Client DynDnsClientDyndnsOrg Show a table of all objects of a type and a selection of their properties as well as their status gw world show Address IP4Address gw world show IP4Address Show a table of all objects for each type in a category gw world show Address Show objects with changes and errors gw world show changes gw wor...

Page 29: ...lete Restore previously deleted objects Description Restore a previously deleted object This is possible as long as the activate command has not been called See also delete Example 2 7 Undelete an object Undelete an unreferenced object gw world delete Address IP4Address example_ip gw world undelete Address IP4Address example_ip Undelete a referenced object will remove the error in examplerule gw w...

Page 30: ...identifies the configuration object May not be applicable depending on the specified Type Type Type of configuration object to perform operation on Note Requires Administrator privilege 2 1 12 undelete Chapter 2 Command Reference 30 ...

Page 31: ... alarm history active Options active Show the currently active alarms history Show the 20 latest alarms 2 2 3 arp Show ARP entries for given interface Description List the ARP cache entries of specified interfaces If no interface is given the ARP cache entries of all interfaces will be presented The presented list can be filtered using the ip and hw options Usage 2 2 Runtime Chapter 2 Command Refe...

Page 32: ...dware addresses matching pattern hwsender Ethernet Address Sender ethernet address ip pattern Show only IP addresses matching pattern notify ip Send gratuitous ARP for ip num n Show only the first n entries per interface Default 20 show Show ARP entries for given interface s Interface Interface name 2 2 4 arpsnoop Toggle snooping and displaying of ARP requests Description Toggle snooping and displ...

Page 33: ...s num n Limit list to n entries Default 20 2 2 6 blacklist Blacklist Description Block and unblock hosts on the black and white list Note Static blacklist hosts cannot be unblocked If force is not specified only the exact host with the service protocol port and destiny specified is unblocked Example 2 8 Block hosts blacklist show black listtime info blacklist block 100 100 100 0 24 serv FTP dest 5...

Page 34: ...in only creationtime Show creation time dest ip address Destination address to block unblock ExceptExtablished flag is set on dynamic Show dynamic hosts only force Unblock all services for the host that matches to options info Show detailed information listtime Show time in list for dynamic hosts port port number Number of the port to block unblock prot TCP UDP ICMP OTHER TCPUDP ALL Protocol to bl...

Page 35: ... buffer buffers Num Decode buffer number Num Options recent Decode most recently freed buffer Num Decode given buffer number 2 2 8 cam CAM table information Description Show information about the CAM table s and their entries Usage cam num n Show CAM table information cam Interface num n Show interface specified CAM table information cam Interface flush Flush CAM table information of specified int...

Page 36: ... 2 2 9 certcache Show the contents of the certificate cache Description Show all certificates in the certificate cache Usage certcache 2 2 10 cfglog Display configuration log Description Display the log of the last configuration read attempt Usage cfglog 2 2 11 connections List current state tracked connections Description List current state tracked connections Usage 2 2 9 certcache Chapter 2 Comm...

Page 37: ...he filter expression Admin only destiface interface Filter on destination interface destip ip addr Filter on destination IP address destport port Show only given destination TCP UDP port num n Limit list to n connections Default 20 protocol name num Show only given IP protocol show Show connections srciface interface Filter on source interface srcip ip addr Filter on source IP address srcport port...

Page 38: ...Usage cryptostat 2 2 15 dconsole Displays the content of the diagnose console Description The diagnose console is used to help troubleshooting internal problems within the security gateway Usage dconsole clean flush date date onlyhigh blockoutput Options clean Remove all diagnose entries Admin only date date YYYY MM DD Only show entries from this date and forward flush Flush all diagnose entries t...

Page 39: ...ion about DHCP enabled interface dhcp lease RENEW RELEASE interface Modify interface lease Options lease RENEW RELEASE Modify interface lease list List all DHCP enabled interfaces show Show information about DHCP enabled interface interface DHCP Interface 2 2 17 dhcprelay Show DHCP BOOTP relayer ruleset Description Display the content of the DHCP BOOTP relayer ruleset and the current routed DHCP r...

Page 40: ...r Display filter filters relays based on interface ip ip address IP address 2 2 18 dhcpserver Show content of the DHCP server ruleset Description Show the content of the DHCP server ruleset and various information about active inactive leases Display filter filters leases based on interface mac ip example if1 192 168 Usage dhcpserver Show DHCP server leases dhcpserver show rules leases num Integer...

Page 41: ... rules Show DHCP server rules show Show ruleset display filter Display filters for leases based on interface mac ip eg if1 192 168 interface Interface ip address IP address 2 2 19 dns DNS client and queries Description Show status of the DNS client and manage pending DNS queries Usage dns query domain name list remove Options list List pending DNS queries query domain name Resolve domain name remo...

Page 42: ...iption Show the dynamic routing policy filter ruleset and current exports In the Flags field of the dynrouting exports the following letters are used o Route describe the optimal path to the network u Route is unexported Usage dynroute rules exports Options exports Show current exports rules Show dynamic routing filter ruleset 2 2 22 frags Show active fragment reassemblies 2 2 21 dynroute Chapter ...

Page 43: ...ags frags NEW frags 254 Usage frags NEW ALL reassembly id free done num n Options done List done lingering reassemblies free List free instead of active num n List n entries Default 20 NEW ALL reassembly id Show in depth info about reassembly n Default all 2 2 23 ha Show current HA status Description Show current HA status Usage ha activate deactivate Options 2 2 23 ha Chapter 2 Command Reference ...

Page 44: ...25 httpalg Commands related to the HTTP Application Layer Gateway Description Show information about the WCF cache or list the overridden WCF hosts Usage httpalg override flush List or flush hosts that have overridden the wcf filter httpalg wcfcache show url String flush verbose count server STATUS CONNECT DISCONNECT num n Display URL cache information Options count Only display cache count 2 2 24...

Page 45: ...match the specified characters verbose Verbose wcfcache Show statistics of WCF functionality 2 2 26 httpposter Display HTTPPoster_URLx status Description Display configuration and status of configured HTTPPoster_URLx targets Usage httpposter repost display Options display Display status repost Re post all URLs now Admin only 2 2 27 hwaccel List configured Hardware Accelerators Description Display ...

Page 46: ...Show and remove hosts that are piped by IDP Description Show list of currently piped hosts Usage idppipes show host ip addr Lists hosts for which new connections are piped by IDP idppipes unpipe all host ip addr Remove piping for the specified host Options all mark all hosts host ip addr Filter on source IP address show Lists hosts for which new connections are piped by IDP unpipe Remove piping fo...

Page 47: ...name Only list members of given PBR table s restart Stop and restart the interface Admin only Interface Name of interface 2 2 31 igmp IGMP Interfaces Description Show information about the current state of the IGMP interfaces Send simulated messages to test configuration of the interface Usage igmp Prints the current IGMP state igmp state Interface Prints the current IGMP state If an interface is ...

Page 48: ...ery message state Show the current IGMP state host address Host IP address Interface Interface MC address Multicast Address router address Router IP address 2 2 32 ikesnoop Enable or disable IKE snooping Description Turn IKE on screen snooping on off Useful for troubleshooting IPsec connections Usage ikesnoop Show IKE snooping status ikesnoop on ip address verbose Enable IKE snooping ikesnoop off ...

Page 49: ...y free IP assigned to subsystem ippool show verbose max n Show IP pool information Options all Free all IP addresses max n Limit list to n entries Default 10 release Forcibly free IP assigned to subsystem Admin only show Show IP pool information verbose Verbose output ip address IP address to free 2 2 34 ipsecglobalstats Show global ipsec statistics Description List global IPsec statistics Usage i...

Page 50: ... 2 2 36 ipsecstats Show the SAs in use Description List the currently active IKE and IPsec SAs optionally only showing SAs matching the pattern giv en for the argument tunnel Usage ipsecstats ike tunnel ipsec usage verbose num ALL Integer force Options force Bypass confirmation question ike Show IKE SAs ipsec Show IPsec SAs num ALL Integer Maximum number of entries to show default 40 8 2 2 35 ipse...

Page 51: ...force Show specific number if interface ipsectunnels Show interfaces Options force Bypass confirmation question iface recv iface IPsec interface to show information about num ALL Integer Maximum number of entries to show default 40 2 2 38 killsa Kill all SAs belonging to the given remote SG peer Description Kill all IPsec and IKE SAs associated with a given remote IKE peer IP or optional all SA s ...

Page 52: ...es Manage language files on disk Description Manage language files on disk Usage languagefiles Show all language files on disk languagefiles remove String Remove a language file from disk Options remove String Specify language file to delete 2 2 40 ldap LDAP information Description Status and statistics for the configured LDAP databases Usage 2 2 39 languagefiles Chapter 2 Command Reference 52 ...

Page 53: ...tabases reset Reset status for LDAP database show Show status and statistics LDAP Server LDAP database 2 2 41 license Show contents of the license file Description Show contents of the license file Usage license remove Options remove Remove license file from the Security Gateway Admin only 2 2 42 linkmon Display link montitoring statistics Description 2 2 41 license Chapter 2 Command Reference 53 ...

Page 54: ... not actually pass through the ruleset e g traffic allowed by IPsecBeforeRules NetconBeforeRules SNMPBeforeRules if such settings are enabled Note If local lockdown has been set by the core itself due to licensing configuration problems this command will NOT remove such a lock Usage lockdown Show lockdown status lockdown ON OFF Enable disable lockdown Options ON OFF Enable disable lockdown Note Re...

Page 55: ...ls Description Show current NAT Pools and in depth information Usage natpool verbose pool name IP4 Address num Integer Options num Integer Maximum number of items to list default 20 verbose Verbose more information IP4 Address Translated IP pool name NAT Pool name 2 2 47 netcon List all NetCon users Description Show a list of connected NetCon users 2 2 45 memory Chapter 2 Command Reference 55 ...

Page 56: ...ng net netobjects net Usage netobjects String num num Options num num Number of entries to show Default 20 String Name or pattern 2 2 49 ospf Show runtime OSPF information Description Show runtime information about the OSPF router process es Note process is only required if there are 1 OSPF router processes Usage ospf Show runtime information 2 2 48 netobjects Chapter 2 Command Reference 56 ...

Page 57: ...ocess Show troubleshooting messages on the console ospf ifacedown interface process OSPF Router Process Take specified interface offline ospf ifaceup interface process OSPF Router Process Take specified interface online ospf execute STOP START RESTART process OSPF Router Process Start stop restart OSPF process Options area Show area information database Show the LSA database execute STOP START RE ...

Page 58: ...gtable 2 2 50 pcapdump Packet capturing Description Packet capture engine Usage pcapdump Show capture status pcapdump start interface s size value snaplen value count value out out nocap eth Ethernet Address ethsrc Ethernet Address ethdest Ethernet Address ip IP4 Address ipsrc IP4 Address ipdest IP4 Address port 0 65535 srcport 0 65535 destport 0 65535 proto 0 255 icmp tcp udp promisc Start captur...

Page 59: ...hernet Address Ethernet source address filter filename String Filename for capture file icmp ICMP filter ip IP4 Address IP address filter ipdest IP4 Address Destination IP address filter ipsrc IP4 Address Source IP address filter out Realtime packet brief dumped to console out nocap Unbuffered not stored in memory realtime packet brief dumped to console port 0 65535 TCP UDP port filter promisc Set...

Page 60: ...d ethernet devices pciscan all Show all detected devices pciscan ethernet Show all detected ethernet devices pciscan cfgupdate Updates the config with detected devices pciscan force_driver Integer BROADCOM BNE2 E100 E1000 R8139 MARVELL NITROXII ST201 TULIP X3C905 Force a certain driver to a device Options all Show all detected devices cfgupdate Updates the config with detected devices Admin only e...

Page 61: ...command is not executed right away it is queued until the end of the second when pipe values are calculated Usage pipes List all pipes pipes users Pipe expr String List users of a given pipe pipes show Pipe expr String Show pipe details Options expr String Pipe wildcard expression show Show pipe details users List users of a given pipe Pipe Show pipe details 2 2 53 pptpalg Show PPTP ALG informatio...

Page 62: ...essions List all session using a PPTP tunnel verbose Verbose output PPTP ALG PPTP ALG 2 2 54 reconfigure Initiates a configuration re read Description Restart the Security Gateway using the currently active configuration Usage reconfigure Note Requires Administrator privilege 2 2 55 routemon List the currently monitored interfaces and gateways Description List the currently monitored interfaces an...

Page 63: ...o show only switched routes Explanation of Flags field of the routing tables O Learned via OSPF X Route is Disabled M Route is Monitored A Published via Proxy ARP D Dynamic from e g DHCP relay IPsec L2TP PPP servers etc H HA synced from cluster peer Usage routes all table name switched flushl3cache num n nonhost tables lookup ip address verbose Options all Also show routes for interface addresses ...

Page 64: ...he beginning of a name If no filter is specified all objects are displayed If the option monitored is specified only objects that have an associated real time monitor alert are displayed Example 2 11 Show all monitored objects in the alg http category gw world rtmonitor alg http m Usage rtmonitor filter terse monitored Options monitored Only show monitored objects terse Only show object name filte...

Page 65: ... of the throughput crypto accelerator tests are dependent on configuration values If the number of large buffers LocalReassSettings LocalReass_NumLarge too low it might lower throughput result In the field Drop Fail the Drop column contains the number of packets that were dropped before ever reaching the crypto accelerator and the Fail column contains the number of packets that for some reason fai...

Page 66: ...selftest media size Integer Check the sanity of the disk drive selftest mac Check if there are MAC address collisions on the interfaces selftest ping interfaces Interface Run a ping test over the interfaces selftest throughput interfaces Interface Run a throughput test over the interfaces selftest traffic interfaces Interface Run a traffic test over the interfaces selftest cryptoaccel Verify the c...

Page 67: ...a Check the sanity of the disk drive memory Check the sanity of the RAM minutes Integer Test duration in minutes Default 0 num Integer Number of times to execute the test Default 1 ping Run a ping test over the interfaces size Integer Size of media space to utilize in the test Set in MB Default 1 throughput Run a throughput test over the interfaces This will show the maximal achievable interface t...

Page 68: ...ntly active users Explanation of Timeout flags for sessions D Session is disabled S Session uses a timeout in its subsystem Session does not use timeout Usage sessionmanager Show Session Manager status sessionmanager status Show Session Manager status sessionmanager list num n List active sessions sessionmanager info session name database Show in depth information about session s 2 2 61 sessionman...

Page 69: ...ist List active sessions message Send message to session num n List n number of session status Show Session Manager status database Name of user database IP Address IP address message text Message to send session name Name of session LOCAL SSH NETCON HT TP HTTPS Session type 2 2 62 settings Show settings Description Show the contents of the settings section category by category Usage settings Show...

Page 70: ...econds Seconds until shutdown Default 5 Note Requires Administrator privilege 2 2 64 sipalg SIP ALG Description List running SIP ALG configurations SIP registration and call information The flags option with snoop allows any combination of the following values 0x00000001 GENERAL 0x00000002 ERRORS 0x00000004 OPTIONS 0x00000008 PARSE 0x00000010 VALIDATE 0x00000020 SDP 0x00000040 ALLOW_CHANGES 2 2 63...

Page 71: ...RRORS NOTE verbose option outputs a lot of information on the console which may lead to system in stability Use with caution Usage sipalg definition alg Show running ALG configuration parameters sipalg registration SHOW FLUSH alg Show or flush current registration table sipalg calls alg Show active calls table sipalg session alg Show active SIP sessions sipalg connection alg Show SIP connections s...

Page 72: ...sions snoop ON OFF VERBOSE Enable or disable SIP snooping NOTE verbose option out puts a lot of information on the console which may lead to system instability Use with caution statistics SHOW FLUSH Show or flush SIP counters Default show alg SIP ALG name ipaddr IP Address to snoop 2 2 65 sshserver SSH Server Description Show SSH Server status or start stop restart SSH Server Usage sshserver Show ...

Page 73: ... created verbose Verbose output ssh server SSH Server Note Requires Administrator privilege 2 2 66 stats Display various general firewall statistics Description Display general information about the firewall such as uptime CPU load resource consumption and other performance data Usage stats 2 2 67 sysmsgs System messages Description Show contents of the FWLoader sysmsg buffer Usage sysmsgs 2 2 68 ...

Page 74: ... Usage time Display current system time time set date time Set system local time YYYY MM DD HH MM SS time sync force Synchronize time with timeserver s specified in settings Options force Force synchronization regardless of the MaxAdjust setting set Set system local time YYYY MM DD HH MM SS sync Synchronize time with timeserver s specified in settings date Date YYYY MM DD time Time HH MM SS 2 2 70...

Page 75: ...and manage autoupdate information Description Show autoupdate mechanism status or force an update Usage updatecenter update ANTIVIRUS IDP ALL Initiate an update check of the specified database updatecenter removedb ANTIVIRUS IDP Remove the specified signature database updatecenter status ANTIVIRUS IDP ALL Show update status and database information updatecenter servers Show status of update server...

Page 76: ...list only privileges actually used by the policy are displayed Usage userauth List all authenticated users userauth list num n List all authenticated users userauth privilege List all known privileges usernames and groups userauth user user ip Show all information for user s with this IP address userauth remove user ip Interface Forcibly log out an authenticated user Options list List all authenti...

Page 77: ... attached Virtual LAN Interfaces or in depth information about a specified VLAN Usage vlan List attached VLANs vlan Interface Display VLANs connected to physical iface iface Options Interface Display VLAN information about this interface 2 2 74 vpnstats Alias for ipsecstats 2 2 73 vlan Chapter 2 Command Reference 77 ...

Page 78: ...ip address pbr table count 1 10 length 4 8192 port 0 65535 udp tcp tos 0 255 verbose Options count 1 10 Number of packets to send Default 1 length 4 8192 Packet size Default 4 pbr table Route using PBR Table port 0 65535 Destination port of UDP or TCP ping recvif interface Pass packet through the rule set simulating that the packet was re ceived by recvif srcip ip address Use this source IP tcp Se...

Page 79: ... types The fastest way to get help is to simply type help followed by the topic that you want help with A topic can be for example a command name e g set or the name of a configuration object type e g User When you don t know the name of what you are looking for you can specify the category of the wanted topic with the category option and use tab completion to display a list of matching top ics Us...

Page 80: ...sts device data accessible by SCP Description Lists device data which are available through SCP Example 2 19 Transfer script files to and from the device Upload scp myscript user sgw ip script myscript Download scp user sgw ip script myscript myscript In addition to the files listed it is possible to upload license certificates and ssh public key files Example 2 20 Upload license data scp licence ...

Page 81: ...f delete script files Script files are transfered to and from the device by the SCP protocol On the device they are stored in the script folder Example 2 23 Execute script script sgs add IP4Address Name 1 Address 2 Comment 0 100 script execute name script sgs ip_test 127 0 0 1 is executed as line add IP4Address Name ip_test Address 127 0 0 1 Comment script sgs 100 Usage script create Category Type...

Page 82: ...rce Force script execution name Name Name of script quiet Quiet script execution remove Remove script show Show script in console window store Store a script to persistent storage verbose Verbose mode Category Category that groups object types Identifier The property that identifies the configuration object May not be applicable depending on the specified Type Parameters List of input arguments Ty...

Page 83: ...2 4 5 script Chapter 2 Command Reference 83 ...

Page 84: ...ge 105 ConfigModePool page 106 DateTime page 107 Device page 108 DHCPRelay page 109 DHCPServer page 110 DNS page 112 Driver page 113 DynamicRoutingRule page 118 EthernetDevice page 121 HighAvailability page 122 HTTPALGBanners page 123 HTTPAuthBanners page 124 HTTPPoster page 125 HWM page 126 IDList page 127 IDPRule page 128 IGMPRule page 130 IGMPSetting page 132 IKEAlgorithms page 133 Interface pa...

Page 85: ...eMonitorAlert page 171 RemoteIDList page 172 RemoteManagement page 173 RouteBalancingInstance page 176 RouteBalancingSpilloverSettings page 177 RoutingRule page 178 RoutingTable page 179 ScheduleProfile page 182 Service page 183 Settings page 186 SSHClientKey page 204 ThresholdRule page 205 UpdateCenter page 207 UserAuthRule page 208 3 1 Access Description Use an access rule to allow or block spec...

Page 86: ...n that the sender must belong to for this rule to be carried out LogEnabled Enable logging Default Yes LogSeverity Specifies with what severity log events will be sent to the specified log receiv ers Default Default Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will ...

Page 87: ...n IP address with one instance for each node in the high availab ility cluster UserAuthGroups Groups and user names that belong to this object Objects that fil ter on credentials can only be used as source networks and destin ations networks in rules Optional NoDefinedCredentials If this property is enabled the object requires user authentication but has no credentials user names or groups defined...

Page 88: ...nal 3 2 1 3 EthernetAddress Description Use an Ethernet Address item to define a symbolic name for an Ethernet MAC address Properties Name Specifies a symbolic name for the network object Identifier Address Ethernet MAC address e g 12 34 56 78 ab cd Comments Text describing the current object Optional 3 2 1 4 EthernetAddressGroup Description An Ethernet Address Group is used for combining several ...

Page 89: ... but has no credentials user names or groups defined This means that the object only requires that a user is authenticated but ig nores any kind of group membership Default No Comments Text describing the current object Optional 3 2 2 EthernetAddress The definitions here are the same as in Section 3 2 1 3 EthernetAddress 3 2 3 EthernetAddressGroup The definitions here are the same as in Section 3 ...

Page 90: ...M For example 13 30 EndTime End Time of occurence in the format HH MM For example 14 15 Occurrence Specify type of occurrence Default Weekly Weekly Specifies days in week the schedule occurrence should be activated Monday cor responds to 1 and Sunday 7 Default 1 7 Monthly Specifies days in month the schedule occurrence should be activated The sched ule only occurs at days that exists in the month ...

Page 91: ... control channel Default Yes AllowResumeTransfer Allow RESUME even in case of content scanning Default No Antivirus Disabled Audit or Protect Default Disabled ScanExclude List of files to exclude from antivirus scanning Optional CompressionRatio A compression ratio higher than this value will trigger the ac tion in Compression Ratio Action a value of zero will disable all compression checks Defaul...

Page 92: ...e logical channel addresses Default Yes MaxGKRegLifeTime Max Gatekeeper Registration Lifetime Default 1800 Comments Text describing the current object Optional 3 4 3 ALG_HTTP Description Use an HTTP Application Layer Gateway to filter HTTP traffic Properties Name Specifies a symbolic name for the ALG Identifier RemoveCookies Remove cookies Default No RemoveScripts Remove Javascript VBScript Defaul...

Page 93: ...ptedZip Allow encrypted zip files even though the contents can not be scanned Default No ZDEnabled Enable ZoneDefense Block Default No ZDNetwork Hosts within this network will be blocked at switches if a vir us is found WebContentFilteringMode Disabled Audit or Enable Default Disabled FilteringCategories Web content categories to block Optional NonManagedAction Action to take for content that hasn...

Page 94: ...ile List of file types to allow or deny Optional VerifyContentMimetype Verify that file extentions correspond to the MIME type Default No Antivirus Disabled Audit or Protect Default Disabled ScanExclude List of files to exclude from antivirus scanning Optional CompressionRatio A compression ratio higher than this value will trigger the ac tion in Compression Ratio Action a value of zero will disab...

Page 95: ...mber of sessions per SIP URI Default 5 MaxRegistrationTime The maximum allowed time between registration requests Default 3600 SipSignalTmout Timeout value for last seen SIP message Default 43200 DataChannelTmout Timeout value for data channel Default 120 AllowMediaByPass Allow clients to exchange media directly when possible Default Yes AllowTCPDataChannels Allow TCP data channels Default Yes Max...

Page 96: ... Action a value of zero will disable all compression checks Default 20 CompressionRatioAction The action to take when high compression threshold is viol ated all actions are logged Default Drop AllowEncryptedZip Allow encrypted zip files even though the contents can not be scanned Default No ZDEnabled Enable ZoneDefense Block Default No ZDNetwork Hosts within this network will be blocked at switch...

Page 97: ...ified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list 3 4 8 ALG_TFTP Description Use an TFTP Application Layer Gateway to manage TFTP traffic through the system Properties Name Specifies a symbolic name for the ALG Identifier AllowedCommands Specifies allowed commands Default ReadWrite RemoveOptions Remove opti...

Page 98: ...Name Specifies a symbolic name for the ALG Identifier HostCert Specifies the host certificate RootCert Specifies the root certificate Optional Comments Text describing the current object Optional 3 4 9 ALG_TLS Chapter 3 Configuration Reference 98 ...

Page 99: ...he ad dress shall be published on IP The IP address to be published or statically bound to a hardware address MACAddress The hardware address associated with the IP address Default 00 00 00 00 00 00 Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the l...

Page 100: ...Service Specifies the service that will be whitelisted Schedule The schedule when the whitelist should be active Optional Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list 3 6 BlacklistWhiteHost Chapter 3 Configuration Reference 10...

Page 101: ... symbolic name for the certificate Identifier Type Local Remote or Request CertificateData Certificate data PrivateKey Private key NoCRLs Disable CRLs Certificate Revocation Lists Default No PKAType Encryption algorithm of the public key Default Unknown Comments Text describing the current object Optional 3 7 Certificate Chapter 3 Configuration Reference 101 ...

Page 102: ...e one instance of this type 3 8 2 DynDnsClientDyndnsOrg Description Configure the parameters used to connect to the dyndns org DynDNS service Properties DNSName The DNS name excluding the dyndns org suffix Username Username Password The password for the specified username Optional Comments Text describing the current object Optional Note This object type does not have an identifier and is identifi...

Page 103: ... 8 4 DynDnsClientPeanutHull Description Configure the parameters used to connect to the Peanut Hull DynDNS service Properties DNSNames Specifies the DNS names separated by Username Username Password The password for the specified username Optional Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last...

Page 104: ...ties Description TODO Default New Group Color TODO Default 9EBEE7 Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list 3 9 CommentGroup Chapter 3 Configuration Reference 104 ...

Page 105: ...ties Port Port Identifier BitsPerSecond Bits per second Default 9600 DataBits Data bits Default 8 Parity Parity Default None StopBits Stop bits Default 1 FlowControl Flow control Default None Comments Text describing the current object Optional 3 10 COMPortDevice Chapter 3 Configuration Reference 105 ...

Page 106: ...mask Specifies the netmask to assign to VPN clients DNS Specifies the IP address of a DNS server that a VPN client should be able to connect to Optional NBNSIP Specifies the IP address of a NBNS WINS server that a VPN client should be able to connect to Optional DHCP Specifies the IP address of a DHCP that that a VPN client should be able to connect to Optional Subnets Specifies additional subnets...

Page 107: ...of server for time synchronization UDPTime or SNTP Simple Network Time Protocol Default SNTP TimeSyncServer1 DNS hostname or IP Address of Timeserver 1 TimeSyncServer2 DNS hostname or IP Address of Timeserver 2 Optional TimeSyncServer3 DNS hostname or IP Address of Timeserver 3 Optional TimeSyncInterval Seconds between each resynchronization Default 86400 TimeSyncMaxAdjust Maximum time drift in se...

Page 108: ...ation ConfigIP IP address of the user who committed the current configuration Optional ConfigDate Date when the current configuration was committed Optional DeviceID Device identification string Optional HWModel System hardware model Default SOFTWARE RegistrationKey System registration key Optional ProductionDate Device production date Optional HWSerial Device hardware serial number Optional Comme...

Page 109: ... the routing table the clients host route should be added to Default main MaxRelaysPerInterface Specifies how many relays are allowed per interface that means how many DHCP clients are allowed to be relayed through each interface Optional AgentIP Define what IP the relay should use as gateway IP when passing the requests to the DHCP server Default Recv AllowNULLOffers Accept server responses offer...

Page 110: ...sent as gateway Optional Domain Domain name used for DNS resolution Optional LeaseTime The time in seconds that a DHCP lease should be provided to a host after this the client have to renew the lease Default 86400 DNS1 IP of the primary DNS server Optional DNS2 IP of the secondary DNS server Optional NBNS1 IP of the primary Windows Internet Name Service WINS server that is used in Microsoft enviro...

Page 111: ... this type the object will be placed last in the list and the Index will be equal to the length of the list 3 15 2 DHCPServerCustomOption Description Extend the DHCP Server functionality by adding custom options that will be handed out to the DH CP clients Properties Code The DHCP option code Identifier Type What type the option is i e STRING IP4 and so on Default UINT8 Param The parameter sent wi...

Page 112: ...Server2 IP of the secondary DNS Server Optional DNSServer3 IP of the tertiary DNS Server Optional Comments Text describing the current object Optional Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type 3 16 DNS Chapter 3 Configuration Reference 112 ...

Page 113: ...s type 3 17 2 BroadcomEthernetPCIDriver Description Broadcom NE Gigabit Ethernet Properties Comments Text describing the current object Optional Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type 3 17 3 E1000EthernetPCIDriver Description Intel E1000 Gigabit Ethernet Adaptor Properties RxRingsize Rx ringsize D...

Page 114: ...only There can only be one instance of this type 3 17 4 E100EthernetPCIDriver Description Intel E100 Fast Ethernet Adaptor Properties RxRingsize Rx ringsize Default 32 TxRingsize Tx ringsize Default 128 Comments Text describing the current object Optional Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type 3 1...

Page 115: ...ified by the name of the type only There can only be one instance of this type 3 17 7 R8139EthernetPCIDriver Description RealTek 8139 Fast Ethernet Adaptor Properties Comments Text describing the current object Optional Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type 3 17 8 R8169EthernetPCIDriver Descripti...

Page 116: ...by the name of the type only There can only be one instance of this type 3 17 10 TulipEthernetPCIDriver Description Tulip Fast Ethernet Adaptor Properties Comments Text describing the current object Optional Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type 3 17 11 X3C905EthernetPCIDriver Description 3com Fa...

Page 117: ... This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type 3 17 11 X3C905EthernetPCIDriver Chapter 3 Configuration Reference 117 ...

Page 118: ...es if the route needs to match a specific network ex actly Optional DestinationNetworkIn Specifies if the route just needs to be within a specific net work Optional NextHop The next hop router on the route that this policy has to match Optional MetricRange Specifies an interval that the metric of the routes needs to be within Optional RouterID Specifies if the policy should filter on router ID Opt...

Page 119: ...te If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list 3 18 2 DynamicRoutingRuleAddRoute Description A routing action is used to manipulate and insert new or changed routes to one or more local routing tables Properties Destination Specifies to which routing table the route changes to the O...

Page 120: ...n which the security gateway should publish routes via Proxy ARP Optional Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list 3 18 2 DynamicRoutingRuleAddRoute Chapter 3 Configuration Reference 120 ...

Page 121: ...rnet adapter PCIPort Some Ethernet adapters have multiple ports that share the same bus and slot number This parameter specifies what port to be used Media Specifies if the link speed should be auto negotiated or locked to a static speed Default Auto Duplex Specifies if the duplex should be auto negotiated or locked to full or half duplex Default Auto MACAddress The hardware address for the interf...

Page 122: ...knowledgments from the cluster peer Default 1024 HASyncMaxPktBurst The maximum number of state sync packets to send in a burst Default 20 HAInitialSilence The number of seconds to stay silent on startup or after recon figuration Default 5 UseUniqueSharedMac Use a unique shared mac address for each interface Default Yes HADeactivateBeforeReconf Deactivate hand over before Reconfiguration if Active ...

Page 123: ...orbidden HTML for the CompressionForbidden html web page ContentForbidden HTML for the ContentForbidden html web page URLForbidden HTML for the URLForbidden html web page RestrictedSiteNotice HTML for the RestrictedSiteNotice html web page ReclassifyURL HTML for the ReclassifyURL html web page Comments Text describing the current object Optional 3 21 HTTPALGBanners Chapter 3 Configuration Referenc...

Page 124: ...age LoginAlreadyDone HTML for the LoginAlreadyDone html web page LoginChallenge HTML for the LoginChallenge html web page LoginChallengeTimeout HTML for the LoginChallenge html Timeout web page LogoutSuccess HTML for the LogoutSuccess html web page LogoutSuccessBasicAuth HTML for the LogoutSuccessBasicAuth html web page LogoutFailure HTML for the LogoutFailure html web page FileNotFound HTML for t...

Page 125: ...be posted when the security gateway is loaded Optional URL3 The third URL that will be posted when the security gateway is loaded Optional RepDelay Delay in seconds until all URLs are refetched Default 1200 Comments Text describing the current object Optional Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type...

Page 126: ... MinLimit Lower limit Optional MaxLimit Upper limit Optional EnableMonitoring Enable disable monitoring Default No Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list 3 24 HWM Chapter 3 Configuration Reference 126 ...

Page 127: ...t Identifier Type IP DNS E Mail or Distinguished name IP IP address Hostname Host name CommonName Common name of the owner of the certificate Optional OrganizationName Organization name of the owner of the certificate Optional OrganizationalUnit Organizational unit of the owner of the certificate Optional Country Specifies the country Optional LocalityName Locality Optional EMailAddress E mail add...

Page 128: ...traffic with this rule Schedule By adding a schedule to a rule the security gateway will only al low that rule to trigger at those designated times Optional InsertionEvasion Protect against insertion evastion attacks Default Yes URIIllegalUTF8 Specifies what action to take if invalid UTF 8 characters are seen in a HTTP URI Default Log URIIllegalHex Specifies what action to take when invalid hexenc...

Page 129: ... action PipeNetwork Traffic shaping will only apply to hosts that are within this network Default 0 0 PipeNewConnections Enable piping of new connections from and to the same host Default No PipeTimeWindow Throttling of new connections to and from the triggering host will stop after the configured amount of time Default 10 LogEnabled Enable logging Default Yes LogSeverity Specifies with what sever...

Page 130: ...ed pack et MulticastSource Specifies the multicast source to be compared to the received packet RelayInterface Specifies the interface via which to relay IGMP messages TranslateMGroup Translate the multicast group for packets matching this rule Default No GrpAllToOne Rewrite all multicast groups to a single IP Default No NewGrpIP Translate the multicast group to this address TranslateMSource Trans...

Page 131: ...no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list 3 27 IGMPRule Chapter 3 Configuration Reference 131 ...

Page 132: ...eryResponseInterval The maximum time until a host client has to send an answer to a query Default 10000 LastMemberQueryInterval The maximum time until a host client has to send an answer to a group and group and source specific query Default 10000 LastMemberQueryCount The number of group and group and source specific queries sent until the security gateway decides there are no more sub scribers to...

Page 133: ...ize Specifies the Blowfish preferred key size in bits Default 128 BlowfishMaxKeySize Specifies the maximum Blowfish key size in bits Default 448 TwofishMinKeySize Specifies the minimum Twofish key size in bits Default 128 TwofishKeySize Specifies the Twofish preferred key size in bits Default 128 TwofishMaxKeySize Specifies the maximum Twofish key size in bits Default 256 AESMinKeySize Specifies t...

Page 134: ...he default gateway of the interface Optional Broadcast The broadcast address of the connected network Optional PrivateIP The private IP address of this high availability node Optional NOCHB This will disable sending Cluster Heartbeats from this inter face used by HA to detect if a node is online and working Optional MTU Specifies the size in bytes of the largest packet that can be passed onward De...

Page 135: ...HCP lease Optional DHCPServerFilter IP address range s for the DHCP servers from which leases are accepted Optional DHCPDisallowIPConflicts Do not allow IP collisions with static routes Default Yes DHCPDisallowNetConflicts Do not allow network collisions with static routes Default Yes VLanQoSInherit Set whether VLANs using the interface should inherit the IP QoS bits Default No MemberOfRoutingTabl...

Page 136: ... Specifies the PBR table to insert the interface IP route into It also means that the specified routing table will be used for all routing lookups unless overridden by a PBR rule Default main Comments Text describing the current object Optional 3 30 4 InterfaceGroup Description Use an interface group to combine several interfaces for a simplified security policy Properties Name Specifies a symboli...

Page 137: ...8800 IPsecLifeTimeSeconds The lifetime of the IPsec connection in seconds Whenever it s exceeded a re key will be initiated providing new IPsec encryption and authentication session keys Default 3600 IPsecLifeTimeKilobytes The lifetime of the IPsec connection in kilobytes Default 0 EncapsulationMode Specifies if the IPsec tunnel should use Tunnel or Transport mode Default Tunnel AuthMethod Certifi...

Page 138: ...d be used or not Default None PFSDHGroup Specifies which Diffie Hellman group to use with PFS Default 2 SetupSAPer Setup security association per network host or port Default Net DeadPeerDetection Enable Dead Peer Detection Default Yes NATTraversal Enable or disable NAT traversal Default OnIfNeeded KeepAlive Disabled Auto or Manual Default Disabled KeepAliveSourceIP Source IP address used when sen...

Page 139: ...dress to use as source IP in e g NAT DNS1 IP of the primary DNS server Optional DNS2 IP of the secondary DNS server Optional Username Specifies the username to use for this PPTP L2TP interface Password The password to use for this PPTP L2TP interface PPPAuthNoAuth Allow no authentication for this tunnel Default No PPPAuthPAP Use PAP authentication protocol for this tunnel User name and password ar...

Page 140: ...gTable Specifies the PBR table to insert the interface IP route into It also means that the specified routing table will be used for all routing lookups unless overridden by a PBR rule Default main Comments Text describing the current object Optional 3 30 7 L2TPServer Description A PPTP L2TP server interface terminates PPP Point to Point Protocol tunnels set up over existing IP networks Properties...

Page 141: ...al AllowedRoutes Restricts networks for which routes may automatically be added Default all nets MPPEAllowStateful Allow usage of Stateful MPPE less secure use only for compat ibility Default No MemberOfRoutingTable All or Specific Default All RoutingTable Specifies the PBR table to insert the interface IP route into It also means that the specified routing table will be used for all routing looku...

Page 142: ...is dynamically assigned Properties Name Specifies a symbolic name for the interface Identifier EthernetInterface The physical Ethernet interface that connects to the PPPoE server network IP The host name to store the assigned IP address in Network The network from which traffic should be routed into the tun nel DNS1 IP of the primary DNS server Optional DNS2 IP of the secondary DNS server Optional...

Page 143: ...e to manually specify IP Address object Default No MTU Specifies the size in bytes of the largest packet that can be passed onward Default 1492 MemberOfRoutingTable All or Specific Default All RoutingTable Specifies the PBR table to insert the interface IP route into It also means that the specified routing table will be used for all routing lookups unless overridden by a PBR rule Default main Com...

Page 144: ... No AutoInterfaceNetworkRoute Automatically add a route for this virtual LAN interface using the given network Default Yes AutoDefaultGatewayRoute Automatically add a default route for this virtual LAN inter face using the given default gateway Default Yes PrioCopyPolicy Set the QoS to VLAN priority copy policy Default Inherit FromPhys MemberOfRoutingTable All or Specific Default All RoutingTable ...

Page 145: ...ace Which interface to use when communicating with the DHCP server Optional PrefetchLeases Specifies the number of leases an IP Pool will keep prefetched Default 3 MaxFree Maximum number of free address that the IP pool will keep others will be returned back to DCHP server Optional MaxClients Maximum number clients that the IP pool is allowed to contain Optional MacRangeStart Specifies the lower b...

Page 146: ...he received packet DestinationInterface Specifies the the destination interface to be compared to the received packet DestinationNetwork Specifies the span of IP addresses to be compared to the des tination IP of the received packet Service Specifies a service that will be used as a filter parameter when matching traffic with this rule Schedule By adding a schedule to a rule the security gateway w...

Page 147: ...ecifies the maximum number of failed ping attempts until host is considered to be unreachable Default 2 SLBPingMaxAverageLatency Specifies the max average latency for the sample attempts Default 800 SLBMonitorTCP Enable monitoring using TCP handshakes Default No SLBTCPPorts Specifies the ports that will be monitored SLBTCPPollingInterval Delay in milliseconds between each TCP handshake Default 100...

Page 148: ...e all destination IPs to a single IP Default No RuleSet Assuming action is Goto where to redirect rule lookup LogEnabled Enable logging Default Yes LogSeverity Specifies with what severity log events will be sent to the spe cified log receivers Default Default Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will b...

Page 149: ...3 32 2 1 IPRule The definitions here are the same as in Section 3 32 1 IPRule 3 32 2 IPRuleFolder Chapter 3 Configuration Reference 149 ...

Page 150: ...bits Default 128 BlowfishKeySize Specifies the Blowfish preferred key size in bits Default 128 BlowfishMaxKeySize Specifies the maximum Blowfish key size in bits Default 448 TwofishMinKeySize Specifies the minimum Twofish key size in bits Default 128 TwofishKeySize Specifies the Twofish preferred key size in bits Default 128 TwofishMaxKeySize Specifies the maximum Twofish key size in bits Default ...

Page 151: ...DAP database Default userPassword GroupsAttr Specifies the group membership attribute used in the LDAP database Default memberOf GetGroups Retrieve group membership for users Default Yes DomainName The domain name of the server Optional BaseObject Specifies a base object to search Optional UserName Specifies a user name Optional Password Specifies a user password Optional Type Add domain name to u...

Page 152: ...me to use when accessing the LDAP server Optional Password Specifies the password to use when accessing the LDAP server Optional Port Specifies the LDAP service port number Default 389 Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the l...

Page 153: ...seconds between each monitor attempt Default 250 InitGracePeriod Do not allow triggering of the link monitor for this number of seconds after the last reconfiguration Default 45 RoutingTable Routing table used for link monitoring Default main UseSharedIP Use the shared IP of a HA cluster instead of the private IP of the node Default No Comments Text describing the current object Optional Note If n...

Page 154: ... etc Properties Name Specifies the username to add into the user database Identifier Password The password for this user Groups Specifies the user groups that this user is a member of e g Adminis trators Optional IPPool If the user is logging in over PPTP L2TP it will be assigned this stat ic IP Optional AutoAddRouteNet PPTP L2TP networks behind the user Optional AutoAddRouteMetric Metric for the ...

Page 155: ...clients host route should be added to Default main Comments Text describing the current object Optional 3 38 1 1 LogReceiverMessageException Description A log message exception is used to override the severity filter in the log receiver Properties LogCategory The Category of the log message LogID The ID number of the log message a empty value selects all messages of this category Optional LogType ...

Page 156: ...ess The IP address of the SMTP server Port Specifies the which port to use to connect to the SMTP server Default 25 Receiver1 The email address that the event information is sent to Receiver2 Alternate email receiver Optional Receiver3 Alternate email receiver Optional Sender Specifies which sender the email will have Default hostmaster Identity Specifies which identity to write in the email heade...

Page 157: ... 514 Facility Specifies what facility is used when logging Default local0 LogSeverity Specifies with what severity log events will be sent to the specified log receiv ers Optional Default Emergency Alert Critical Error Warning Notice Info RoutingTable Specifies the routing table the clients host route should be added to Default main Comments Text describing the current object Optional 3 38 4 1 Log...

Page 158: ...the IP Pool IPRange Specifies the range of IP addresses used for NAT translation StateKeepAlive The number of seconds that stateful NAT state will be kept in absence of new connections Default 120 MaxStates Maximum number of statefully tracked NATPool states Default 16384 ProxyARPAllInterfaces Always select all interfaces including new ones for publishing routes needed for receiving traffic on NAT...

Page 159: ...ies the time in seconds that the routing table will be kept unchanged after a reconfiguration of OSPF entries or a HA failover Default 45 RefBandwidthValue Set the reference bandwidth that is used when calculating the default interface cost for routes Default 1 RefBandwidthUnit Sets the reference bandwidth unit Default Gbps MemoryMaxUsage Maximum amount in kilobytes of RAM that the OSPF process is...

Page 160: ...lects OSPF interfaces neighbors aggregates and virtual links Properties Name Specifies a symbolic name for the area Identifier AreaID Specifies the area id if 0 0 0 0 is specified this is the backbone area Stub Enable to make the router automatically advertises a default route so that routers in the stub area can reach destinations outside the area Default No StubSummarize Become a default router ...

Page 161: ...ace Default 10 RtrDeadInterval If no HELLO packets are received from a neighbor within this interval in seconds that neighbor router will be declared to be down Default 40 RxmtInterval Specifies the number of seconds between retransmissions of LSAs to neighbors on this interface Default 5 RtrPrio Specifies the router priority a higher number increases this routers chance of becoming DR or BDR if 0...

Page 162: ...longing to the local intra area with one contiguous network which may then be advertised or hidden Properties Network The aggregate network used to combine several small routes Advertise Advertise the aggregate Default Yes Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Inde...

Page 163: ...the authentication type for the OSPF protocol exchanges Default None AuthPassphrase Specifies the passphrase used for authentication Optional AuthMD5ID Specifies the MD5 key ID used for MD5 digest authentication AuthMD5Key A 128 bit key used to produce the MD5 digest Optional Comments Text describing the current object Optional 3 40 1 OSPFArea Chapter 3 Configuration Reference 163 ...

Page 164: ...bps for precedence 3 Optional LimitPPS3 Specifies the packet per second limit for precedence 3 Optional LimitKbps4 Specifies the bandwidth limit in kbps for precedence 4 Optional LimitPPS4 Specifies the packet per second limit for precedence 4 Optional LimitKbps5 Specifies the bandwidth limit in kbps for precedence 5 Optional LimitPPS5 Specifies the packet per second limit for precedence 5 Optiona...

Page 165: ...mitPPS6 Specifies the throughput limit per group in PPS for precedence 6 Optional UserLimitKbps7 Specifies the bandwidth limit per group in kbps for precedence 7 the highest precedence Optional UserLimitPPS7 Specifies the throughput limit per group in PPS for precedence 7 the highest precedence Optional Grouping Grouping enables per port IP network static bandwidth limits as well as dynamic balanc...

Page 166: ... Default 7 Comments Text describing the current object Optional 3 41 Pipe Chapter 3 Configuration Reference 166 ...

Page 167: ...destina tion IP of the received packet Service Specifies a service that will be used as a filter parameter when matching traffic with this rule Schedule By adding a schedule to a rule the security gateway will only al low that rule to trigger at those designated times Optional ForwardChain Specifies one or more pipes to be used for forward traffic Optional ReturnChain Specifies one or more pipes t...

Page 168: ...s involved Properties Name Specifies a symbolic name for the pre shared key Identifier Type Specifies the type of the shared key PSKAscii Specifies the PSK as a passphrase PSKHex Specifies the PSK as a hexadecimal key Comments Text describing the current object Optional 3 43 PSK Chapter 3 Configuration Reference 168 ...

Page 169: ... used when trying to contact the RADIUS ac counting server If no response has been given after for example 2 seconds the security gateway will try again by sending a new AccountingRequest packet Default 2 SharedSecret The shared secret phrase for the Authenticator generation RoutingTable Specifies the routing table the clients host route should be added to Default main Comments Text describing the...

Page 170: ...onds used when trying to contact the RADIUS ac counting server If no response has been given after for example 2 seconds the security gateway will try again by sending a new AccountingRequest packet Default 2 SharedSecret The shared secret phrase for the Authenticator generation RoutingTable Specifies the routing table the clients host route should be added to Default main Comments Text describing...

Page 171: ... if statistical value goes above this threshold Optional BackoffInterval The minimum number of seconds between consecutive log messages Default 60 Continuous If set generate event if the value goes from being outside the threshold values back to within acceptable limits again Default No LogMessageID ID of generated log messages Optional Comments Text describing the current object Optional Note If ...

Page 172: ...PSKHex Specifies the PSK as a hexadecimal key IDType Selects the type of remote identity to use IDValue Specify the remote identity of the tunnel ID Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list 3 47 RemoteIDList Chapter 3 Conf...

Page 173: ...HTTPS Default No Network Specifies the network for which remote access is granted Comments Text describing the current object Optional 3 48 2 RemoteMgmtNetcon Description Configure Netcon management to enable remote management to the system Properties Name Specifies a symbolic name for the object Default NetconMgmt Interface Specifies the interface for which remote access is granted Mode Configure...

Page 174: ...SSH Server to enable remote management access to the system Properties Name Specifies a symbolic name for the SSH server Identifier Interface Specifies the interface for which remote access is granted Port The listening port for the SSH server Default 22 AllowAuthMethodPassword Allow password client authentication Default Yes AllowAuthMethodPublicKey Allow public key client authentication Default ...

Page 175: ...ients that can be connected at the same time Default 5 SessionIdleTime The number of seconds a user can be idle before the session is closed Default 1800 LoginGraceTime When the user has supplied the username the password has to be provided within this number of seconds or the session will be closed Default 30 AuthenticationRetries The number of retires allowed before the session is closed Default...

Page 176: ...multiple routes to the same destination Properties RoutingTable Specify routingtable to deploy route load balancing in Identifier Algorithm Specify which algorithm to use when balancing the routes Default RoundRobin Comments Text describing the current object Optional 3 49 RouteBalancingInstance Chapter 3 Configuration Reference 176 ...

Page 177: ... seconds over under the threshold limit to trig ger state change for the affected routes Default 30 OutboundThreshold Outbound threshold limit Optional OutboundUnit TODO Default kbps InboundThreshold Inbound threshold limit Optional InboundUnit TODO Default kbps Comments Text describing the current object Optional 3 50 RouteBalancingSpilloverSetting s Chapter 3 Configuration Reference 177 ...

Page 178: ...der span of IP addresses to be compared to the re ceived packet DestinationInterface Specifies the the destination interface to be compared to the re ceived packet DestinationNetwork Specifies the span of IP addresses to be compared to the destina tion IP of the received packet Service Specifies a service that will be used as a filter parameter when matching traffic with this rule Schedule By addi...

Page 179: ...ter hop used to reach the destination network If the network is directly connected to the security gateway interface no gateway address is spe cified Optional LocalIP The IP address specified here will be automatically published on the corresponding interface This address will also be used as the sender address in ARP queries If no address is spe cified the security gateway s interface IP address ...

Page 180: ...ibing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will be equal to the length of the list 3 52 1 1 MonitoredHost Description Specify a host and a monitoring method Properties Method Monitoring method Default ICMP IPAddress Specifies the IP address of the host to monitor Port Specifies the ...

Page 181: ... object Optional Interface Specifies which interface packets destined for this route shall be sent through Network Specifies the network address for this route Metric Specifies the metric for this route Default 0 ProxyARPAllInterfaces Always select all interfaces including new ones for publishing routes via Proxy ARP Default No ProxyARPInterfaces Specifies the interfaces on which the security gate...

Page 182: ...ctive on Wednesdays Optional Thu Specifies during which intervals the schedule profile is active on Thursdays Optional Fri Specifies during which intervals the schedule profile is active on Fridays Optional Sat Specifies during which intervals the schedule profile is active on Saturdays Optional Sun Specifies during which intervals the schedule profile is active on Sundays Optional StartDate The d...

Page 183: ...e to this service Default All EchoRequest Enable matching of Echo Request messages Default No EchoRequestCodes Specifies which Echo Request message codes should be matched Default 0 255 DestinationUnreachable Enable matching of Destination Unreachable messages Default No DestinationUnreachableCodes Specifies which Destination Unreachable message codes should be matched Default 0 255 Redirect Enabl...

Page 184: ...rvice Default 200 Comments Text describing the current object Optional 3 54 3 ServiceIPProto Description An IP Protocol Service is a definition of an IP protocol with specific parameters Properties Name Specifies a symbolic name for the service Identifier IPProto IP protocol number or range e g 1 4 7 will match the protocols ICMP IGMP GGP IP in IP and CBT Default 0 255 PassICMPReturn Enable passin...

Page 185: ...Default 0 65535 SYNRelay Enable SYN flood protection SYN Relay Default No PassICMPReturn Enable passing an ICMP error message only if it is related to an existing connection using this service Default No ALG An Application Layer Gateway ALG capable of managing advanced protocols can be specified for this service Optional MaxSessions Specifies how many concurrent sessions that are permitted using t...

Page 186: ... changed Default DropLog ARPExpire Lifetime of an ARP entry in seconds Default 900 ARPExpireUnknown Lifetime of an unknown ARP entry in seconds Default 3 ARPMulticast ARP packets claiming to be multicast addresses may need to be enabled for some load balancers redundancy solutions Default DropLog ARPBroadcast ARP packets claiming to be broadcast addresses should never need to be enabled Default Dr...

Page 187: ...d is identified by the name of the type only There can only be one instance of this type 3 55 3 ConnTimeoutSettings Description Timeout settings for various protocols Properties ConnLife_TCP_SYN Connection idle lifetime for TCP connections being formed Default 60 ConnLife_TCP Connection idle lifetime for TCP Default 262144 ConnLife_TCP_FIN Connection idle lifetime for TCP connections being closed ...

Page 188: ... seconds allowed from the DHCP server too high times will be lowered silently Default 10000 MaxAutoRoutes Maximum number of DHCP client IPs automatically added to the routing table Default 256 AutoSaveRelayPolicy Policy for saving the relay list to disk Default ReconfShut AutoSaveRelayInterval Seconds between auto saving the relay list to disk Default 86400 Note This object type does not have an i...

Page 189: ...Default 256 Ringsize_e100_rx Size of e100 receive ring per interface Default 32 Ringsize_e100_tx Size of e100 send ring per interface Default 128 Ringsize_yukonii_rx Size of Yukon II receive ring per interface Default 128 Ringsize_yukonii_tx Size of Yukon II send ring per interface Default 128 Ringsize_yukon_rx Size of Yukon receive ring per interface Default 256 Ringsize_yukon_tx Size of Yukon se...

Page 190: ...ted packets Properties PseudoReass_MaxConcurrent Maximum number of concurrent fragment reassemblies Set to 0 to drop all fragments Default 1024 IllegalFrags Illegaly constructed fragments partial overlaps bad sizes etc Default DropLog DuplicateFragData On receipt of duplicate fragments verify matching data Default Check8 FragReassemblyFail Failed packet reassembly attempts due to timeouts or packe...

Page 191: ... use percentage as unit for monitoring else it is megabyte Default Yes MemoryLogRepetition Should we send a log message for each poll result that is in the Alert Critical or Warning level or should we only send when a new level is reached Default No MemoryAlertLevel Alert log message if free memory is below this value disable by us ing 0 Default 0 MemoryCriticalLevel Critical log message if free m...

Page 192: ... the next update field in the CRL Default 86400 IKEMaxCAPath Maximum number of CA certificates in a certificate path Default 15 IPsecCertCacheMaxCerts Maximum number of entries in the certificate cache Default 1024 IPsecBeforeRules Pass IKE IPsec ESP AH traffic sent to the security gate way directly to the IPsec engine without consulting the rule set Default Yes IPsecGWNameCacheTime Amount of time...

Page 193: ...IP Time To Live value accepted on receipt Default 3 TTLOnLow What action to take on too low unicast TTL values Default DropLog TTLMinMulticast The minimum IP multicast Time To Live value accepted on receipt Default 3 TTLOnLowMulticast What action to take on too low multicast TTL values Default DropLog DefaultTTL The default IP Time To Live of packets originated by the se curity gateway 32 255 Defa...

Page 194: ...ccepted on re ceipt Default 1 TTLOnLowBroadcast What action to take on too low broadcast TTL values Default DropLog Note This object type does not have an identifier and is identified by the name of the type only There can only be one instance of this type 3 55 12 L2TPServerSettings Description PPTP L2TP server settings Properties L2TPBeforeRules Pass L2TP connections sent to the security gateway ...

Page 195: ...fault 1480 MaxIPIPLen IPIP FWZ Encapsulated tunneled transport used by VPN 1 Default 2000 MaxIPCompLen IPsec IPComp Compressed communication Default 2000 MaxL2TPLen L2TP Layer 2 Tunneling Protocol Default 2000 MaxOtherSubIPLen Others sometimes has to be increased if unknown tunneling proto cols are used Default 1480 LogOversizedPackets Log occurrences of oversized packets Default Yes Note This obj...

Page 196: ... the type only There can only be one instance of this type 3 55 16 MiscSettings Description Miscellaneous Settings Properties UDPSrcPort0 How to treat UDP packets with source port 0 Default DropLog Port0 How to treat TCP UDP packets with destination port 0 and TCP packets with source port 0 Default DropLog WatchdogTimerTime Number of non responsive seconds before watchdog is triggered 0 disable De...

Page 197: ... MulticastSettings Description Advanced Multicast Settings Properties AutoAddMulticastCoreRoute Auto generate core route for 224 0 0 1 239 255 255 255 Default Yes IGMPBeforeRules Allows IGMP traffic to enter the Security Gateway by de fault Default Yes IGMPMaxGlobalRequestsPer Second Maximum number of requests per second Default 1000 IGMPMaxRequestsPerSecond Maximum number of requests per interfac...

Page 198: ... log in before reverting to the previous configuration Default 30 WebUIBeforeRules Enable HTTP S traffic to the security gateway regardless of configured IP Rules Default Yes WWWSrv_HTTPPort Specifies the HTTP port for the web user interface Default 80 WWWSrv_HTTPSPort Specifies the HTTP S port for the web user interface Default 443 SSHBeforeRules Enable SSH traffic to the security gateway regardl...

Page 199: ...be one instance of this type 3 55 19 RoutingSettings Description Configure the routing capabilities of the system Properties RouteFailOver_IfacePollInterval Time ms between polling of interface failure Default 500 RouteFailOver_ARPPollInterval Time ms between ARP lookup of gateways May be over ridden for each route Default 1000 RouteFailOver_PingPollInterval Time ms between PING ing of gateways De...

Page 200: ...ender Action to take if sender MAC in the ethernet header is the null address 0000 0000 0000 Default DropLog BroadcastEnetSender Action to take if sender MAC in the ethernet header is the broadcast ethernet address FFFF FFFF FFFF Default DropLog MulticastEnetSender Action to take if sender MAC in the ethernet header is a mul ticast ethernet address Default DropLog Note This object type does not ha...

Page 201: ... type 3 55 21 StateSettings Description Parameters for the state engine in the system Properties ConnReplace What to do when the connection table is full Default Re placeLog LogOpenFails Log packets that are neither part of open connections nor valid new connections Default Yes LogReverseOpens Log reverse connection attempts through an established con nection Default Yes LogStateViolations Log pac...

Page 202: ...ult 7000 TCPMSSAutoClamping Automatically clamp TCP MSS according to MTU of involved inter faces in addition to TCP MSS max Default Yes TCPZeroUnusedACK Force unused ACK fields to zero helps prevent connection spoofing Default Yes TCPZeroUnusedURG Force unused URG fields to zero prevents small information leak Default Yes TCPOPT_WSOPT The WSOPT Window Scale option common Default Validate LogBad TC...

Page 203: ...ing Default StripLog TCPRF The TCP Reserved field should be zero Used in OS fingerprinting Also part of ECN extension Default StripLog TCPNULL TCP NULL packets without SYN ACK FIN or RST normally in valid used by scanners Default DropLog TCPSequenceNumbers Validation of TCP sequence numbers Default ValidateLogBad TCPAllowReopen Allow clients to re open TCP connections that are in the closed state ...

Page 204: ...s Name Specifies a symbolic name for the key Identifier Type DSA or RSA Default DSA Subject Value of the Subject header tag of the public key file Optional PublicKey Specifies the public key Comments Text describing the current object Optional 3 56 SSHClientKey Chapter 3 Configuration Reference 204 ...

Page 205: ... to the destina tion IP of the received packet Service Specifies a service that will be used as a filter parameter when matching traffic with this rule Schedule By adding a schedule to a rule the security gateway will only al low that rule to trigger at those designated times Optional Comments Text describing the current object Optional Note If no Index is specified when creating an instance of th...

Page 206: ...istIgnoreEstablished Do not drop existing connection Default No LogEnabled Enable logging Default Yes LogSeverity Specifies with what severity log events will be sent to the spe cified log receivers Default Default Comments Text describing the current object Optional Note If no Index is specified when creating an instance of this type the object will be placed last in the list and the Index will b...

Page 207: ...Specifies the day of month when the automatic update is runs UpdateWeekday Specifies the day of week when the automatic update is runs Default mon Hourly Specififes the number of hours between periodical updates UpdateHour Specifies the hour when the update is run Default 0 UpdateMinute Specifies the minute when the update is run Default 0 Comments Text describing the current object Optional Note ...

Page 208: ...hentication servers that will be used to au thenticate users matching this rule RadiusMethod Specifies the authentication method used for encrypting the user password Default PAP LocalUserDB Specifies the local user database that will be used to authen ticate users matching this rule LoginType HTML form or Basic authentication Default HTMLForm HTTPBanners HTTP Authentication HTML Banners Default D...

Page 209: ...g of the number of bytes sent by the user Default Yes PacketsSent Enable reporting of the number of packets sent by the user Default Yes BytesReceived Enable reporting of the number of bytes received by the user Default Yes PacketsReceived Enable reporting of the number of packets received by the user Default Yes SessionTime Enable reporting of the number of seconds the session lasted Default Yes ...

Page 210: ...3 59 UserAuthRule Chapter 3 Configuration Reference 210 ...

Page 211: ...istory 80 hostmon 44 httpalg 44 httpposter 45 hwaccel 45 hwm 46 I idppipes 46 ifstat 47 igmp 47 ikesnoop 48 ippool 49 ipsecglobalstats 49 ipseckeepalive 50 ipsecstats 50 ipsectunnels 51 K killsa 51 L languagefiles 52 ldap 52 license 53 linkmon 53 lockdown 54 logout 54 ls 80 M memory 55 N natpool 55 netcon 55 netobjects 56 O ospf 56 P pcapdump 58 pciscan 60 ping 78 pipes 61 pptpalg 61 pskgen 24 R r...

Page 212: ... DHCPRelay 109 DHCPRelaySettings 188 DHCPServer 110 DHCPServerCustomOption 111 DHCPServerPoolStaticHost 110 DHCPServerSettings 188 DNS 112 DynamicRoutingRule 118 DynamicRoutingRuleAddRoute 119 DynamicRoutingRuleExportOSPF 119 DynDnsClientCjbNet 102 DynDnsClientDyndnsOrg 102 DynDnsClientDynsCx 102 DynDnsClientPeanutHull 103 E E1000EthernetPCIDriver 113 E100EthernetPCIDriver 114 Ethernet 134 Etherne...

Page 213: ...2 P Pipe 164 PipeRule 167 PPPoETunnel 142 PSK 168 R R8139EthernetPCIDriver 115 R8169EthernetPCIDriver 115 RadiusAccounting 169 RadiusServer 170 RealTimeMonitorAlert 171 RemoteIDList 172 RemoteMgmtHTTP 173 RemoteMgmtNetcon 173 RemoteMgmtSettings 198 RemoteMgmtSNMP 174 RemoteMgmtSSH 174 Route 179 RouteBalancingInstance 176 RouteBalancingSpilloverSettings 177 RoutingRule 178 RoutingSettings 199 Routi...